Scenario-based attack simulation
Whilst conventional assessments remain valuable tools for network security, they often miss flaws that are not yet publicly known or for which no fix is available (it should be noted that such flaws have been proven to be effective against fully patched systems).
Scenario-based attack simulation is a specialisation of security assessments where, in addition to uncovering vulnerabilities as in traditional penetration testing, we aim to verify that security controls and response mechanisms are properly implemented against a specific scenario.
Security assessments should simulate real-world cyber threat actors and their motivations. As an example, the following cyber threat actors could be used as a reference:
- Nation-states – Espionage for geopolitical gain
- Cybercriminals – Financial gain or notoriety
- Hacktivists – Exposing secrets and/or disrupting services
- Insiders – Various motives, such as revenge, with the aim of bypassing cybersecurity controls
All these cyber threat actors will use the path of least resistance when attacking an organisation. One of the most common attack paths for gaining access to internal networks is phishing: the likelihood of success increases with the number of targeted end-users, and it is an attack that low-skilled individuals can launch. A simple vulnerability scan of the external/internal network can never identify what would happen after a successful phishing attack. For the same reason, limiting security assessments to the network perimeter, as some organisations opt to do, gives only a limited view of the organisation's security posture. Moreover, many organisations do not have adequate security controls to stop or detect attacks originating inside their perimeter, i.e. from internal networks, workstations and other end-user devices, so many security questions remain unanswered by following traditional security testing methodologies alone.
Similarly, traditional scoping practices do not properly address all security questions that could arise inside an organisation. As an example, the following questions can be used as a reference:
- What security concerns are being addressed with the security assessment?
- What keeps you up at night when thinking about the security of your organisation?
- Are there any scenarios that would cause severe damage to the business, such as:
  - theft of sensitive information
  - critical resources being taken offline
  - alteration or defacement of the company website
- How effective is the organisation at preventing, detecting, and responding to attacks?
By addressing such questions, it is possible to have a better understanding of what can be expected from a security assessment, attain more valuable information from it and ultimately improve the organisation’s security posture.
Scenario-based attack simulations are highly customisable assessments. The MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework catalogues the methodologies that threat actors employ to compromise, exploit and traverse networks, and can be used to help define scenarios and the associated rules of engagement. As such, scenario-based attack simulation can be seen as a targeted approach to Red Teaming, where scenarios limit the scope and the time required for the assessment.
Examples of scenarios
Are services exposed and/or disclosing data that could be abused by an attacker to gain access to sensitive information?
In this scenario, ad-hoc reconnaissance and attack vectors are used to gain access to the internal network or an organisation's data. The simulated attack can originate from the Internet, a secondary office location or a third-party network.
What would happen if a malicious attacker is able to connect to the internal infrastructure (e.g., connects a laptop to the internal LAN/Wi-Fi)?
From a laptop connected to the internal LAN/Wi-Fi, techniques and methodologies to gain an additional foothold on the network will be used. Example objectives of such scenarios could be:
- gaining administrative access to certain resources
- measuring the response of the Security Operations Centre (SOC) or Intrusion Detection System (IDS) solution
What would happen if malware (e.g., ransomware such as WannaCry) is executed on one of the workstations?
From one of the organisation's laptops (connected to the internal LAN/Wi-Fi), privilege escalation and lateral movement techniques will be used to gain additional footholds on the network. Antivirus and Endpoint Detection and Response (EDR) solution bypasses could be in scope for such assessments.
What would happen if a user disclosed their credentials to a malicious entity?
In this scenario, valid domain credentials are used to move laterally on the organisation’s network and its systems. Escalation of privileges, weak security controls and excessive trust are normally covered by this scenario.
What would happen if a user left their laptop on the train? Would the organisation’s data/systems be safe?
In this scenario, the attack path begins with access to one of the organisation’s laptops and its data. If successful, additional tests are made to reach sensitive systems with the newly achieved access.
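As an added example (not code from the article or its author), the following Python models the scenarios above as ordered ATT&CK attack paths and ranks them by how many attacker steps complete before the organisation's first validated detection fires; the technique IDs chosen for each path and the coverage table are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed scenario definitions (added example, not from the article):
# each scenario is an ordered attack path of assumed ATT&CK technique IDs.
SCENARIOS: Dict[str, List[str]] = {
    "phished_user_credentials": ["T1566", "T1078", "T1021", "T1003", "T1078"],
    "rogue_device_on_lan": ["T1046", "T1021", "T1068", "T1003"],
    "ransomware_on_workstation": ["T1204", "T1068", "T1021", "T1486"],
}

# Constructed coverage table: True if the SOC/EDR has a validated detection
# for the technique, False if the last simulation showed a blind spot.
COVERAGE: Dict[str, bool] = {
    "T1566": True, "T1078": False, "T1021": True, "T1003": True,
    "T1046": False, "T1068": False, "T1204": True, "T1486": True,
}

@dataclass
class ScenarioResult:
    name: str
    steps_before_detection: int    # attacker steps completed before any alert
    first_detected: Optional[str]  # technique raising the first alert, or None
    undetected: List[str] = field(default_factory=list)  # blind spots on the path

def evaluate(name: str, path: List[str], coverage: Dict[str, bool]) -> ScenarioResult:
    """Walk the attack path in order and record where defenders first see it."""
    first_detected = None
    steps = len(path)  # worst case: the whole path runs without an alert
    undetected: List[str] = []
    for i, technique in enumerate(path):
        if coverage.get(technique, False):  # unknown techniques count as blind
            if first_detected is None:
                first_detected, steps = technique, i
        elif technique not in undetected:
            undetected.append(technique)
    return ScenarioResult(name, steps, first_detected, undetected)

def prioritise(scenarios: Dict[str, List[str]], coverage: Dict[str, bool]) -> List[ScenarioResult]:
    """Rank scenarios so the ones the SOC would notice latest come first."""
    results = [evaluate(n, p, coverage) for n, p in scenarios.items()]
    return sorted(results, key=lambda r: (-r.steps_before_detection, -len(r.undetected), r.name))

if __name__ == "__main__":
    for r in prioritise(SCENARIOS, COVERAGE):
        print(f"{r.name}: first alert after {r.steps_before_detection} step(s) "
              f"on {r.first_detected or 'nothing'}; blind spots {r.undetected}")
```

The ranking is what the "measure the response of the SOC" objective produces in practice: the scenario at the top is the one where the attacker gets furthest before anyone is alerted.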
Author: Dr Michele Peroli