Designing, and implementing a security program/posture is influenced and pressured by multiple and often contrary sources. This can include managers, customers, budget, IT guys, and even public opinion. But anyway, an organization is less able to please all these various parties (at least on paper) and deploy a “super-strong security package” to stop malicious cyber attacks: audit and compliance checkings all passing with green status, vulnerability management programs and patch management systems are put into production, penetration testings are conducted, nice boxes and solutions with different vendors are maintained and supported, and in general the organization seems to have good security hygiene. These are all good steps from defending for low-level attacks, but unfortunately, they fail in the detection and response to advanced threats, because simply they do not understand enough about these. Consider the following, does a real threat know a target has a robust security perimeter? Do advanced threats will trigger an alert or get them caught? Why are threats still being so good into breaching if organizations apparently have robust programs?
In order to evolve our security posture despite the organization we belong to, it is imperative (and vital) to first understand how adversaries operate. Going into offensive security techniques can help us explain how organizations are being targeted and compromised, and we should start with the assumption that advanced adversaries will have enough resources to succeed in the initial intrusion always.
When these kinds of threats have a considerable amount of time to prepare themselves and execute an initial intrusion attack, assuming it is successful will force us to start thinking laterally as they are doing. And as a matter of fact, in the real-life, their intrusions will be effective, regardless of how good your EDR, nextgen-firewalls, IPS/IDS, SIEM, SOC, TIP, SOAR or defenders are. A persistent threat will have the resources to exploit them no matter their complexity. The moment a defense considers tactics, techniques and procedures of intelligent APT’s, they will begin to understand how to defend for real.
Consider the initial vectors of the majority of attacks nowadays which can involve phishing or just executing a malicious macro in a link for example, from a random user. After malicious code is executed many things can happen including a C2, new enumerations of the internal network, lateral movements, escalations, exfiltration, etc. Is this scenario reasonable? Were chances presented to detect or prevent the initial vector? Organizations quite often blame the user who clicked the malicious link, but what about all the actions that succeeded after the user did it? This scenario is 100% real outside and indicates that an organization’s entire security model may depend on users not clicking a link in an email (without mentioning that many email security solutions can be bypassed in a lot of ways).
Why it was successful?
Again, because they have a wrong mindset to defend: users are blamed for clicking links, they rely a lot on policies, procedures and compliance to measure security, log everything (even if it’s not useful), or “our AV, EDR next-generation firewall/IPS will save us”. An advanced APT knows all of this and exactly this is the key to stop them because we need to cut their TTP’s. This can lead us to focus on the detection of the TTP’s of the adversaries after the initial intrusion. Even though the attacker could have successfully completed the first steps of the kill chain, we might be able to stop a more damaging phase such as sensitive data exfiltration from happening.
The moment an organization has evolved into a mature security posture towards intelligent threats, a red team is created and used to provide the required threat emulation and stimulus to grow their defensive program. A professional red team has the ability to emulate threat actors TTP’s in exercises that iteratively launch realistic attacks to engage with security defenders. Red teams concentrate completely on TTPs. Much of this information is compiled in ATT&CK and everybody can use this to measure their ability to defend against specific tactics and techniques. It can also give a good understanding of specific risk and defenders can verify how well they are able to defend against the different threat actors listed with their respective TTP’s.
Why go for Red team?
Truly measures the effectiveness of the people, processes, and technology used to defend a network, specifically the blue team. Trains the ability of the defenders to react to a threat with real practice. Helps to test and understand very specific threats and scenarios with different malicious actors or unique attacks. Red teaming provides defenders ways to battle against advanced adversaries in a safe controlled environment.