How far does the rabbit hole go?
Understanding the extent of an external adversary’s capabilities and access becomes immensely crucial when your security perimeter is breached. What is the speed and effectiveness of your internal security and IT teams’ response? Are you using MSPs or EDR/MDRs? Have you tested how quick their response is within your organization? Or does one of your internal teams have an adversary employed? What do they have access to?
Elements of Assumed Breach Campaigns
- Realistic Scenario Simulation: These campaigns simulate real-world attack scenarios, assuming that an adversary has already gained access to the network. This realistic testing helps organizations understand their vulnerabilities and how attackers might move within their systems.
- Incident Response Evaluation: One of the primary goals is to assess an organization’s incident response capabilities. How quickly can they detect the assumed breach, and how effectively can they contain and remediate it?
- Continuous Learning: Assumed Breach Campaigns are not one-time events. They are an ongoing commitment to learning from each exercise and applying those lessons to improve security measures.
An often overlooked vector for assumed breach is from within. Be it an employee that is disgruntled or potentially blackmailed, insider threat is very real. How far do their keys to the kingdom actually take them?
Preparing for the Inevitable
BuddoBot’s Assumed Breach Campaign is designed to emulate post breach and/or insider access and evaluate the readiness of internal security controls and processes.
The reality is that there will always be new exploits against technology, premises, and employees:
- 0-day exploits like Heartbleed and log4j will continue to be discovered.
- Social Engineering attacks and tools continue to grow in sophistication.
- Even in the most secure organizations, the possibility of an insider threat exists.
- Even something as innocuous as a meeting room ethernet jack can give privileged access.
In order to anticipate such scenarios, our Assumed Breach Campaign operates under the assumption of a potential breach and deploys our Offensive Security Engineers within the internal network. This type of testing is beneficial for organizations that have already established a strong external security system. It saves time by directly addressing the organization’s readiness in the event of a breach.
Next Gen Adversary Approach
This methodology is based on a mixture of certain MITRE ATT&CK framework modules and our experience with modern adversaries. These adversaries never install software, they hardly exploit, avoid EDR, and they look like regular users to your SoC. While not attracting any attention, they gather this recon data and pile it up until they strike all at once, too quickly for your SoC to respond.
Adversaries frequently have motivations beyond financial ransom. Instead, they may seek to disrupt your business for fun, simply because they can.
Industry Standard Approach
In our Assumed Breach Campaigns, we leverage two methodologies. In the first methodology, we execute industry standard red team and penetration testing methodologies. This includes:
- Access through manipulation of protocols and technology (Golden/Silver Tickets, Kerberoasting, Pass the Hash/Ticket, NetBIOS, Dsync, LLMNR/NBNS/WPAD, EFS, SMB Relay, COM/DCOM, WMI, AD Trusts, and ACL Review)
- Credential theft, brute force, and cracking
- Privilege escalation
- Pivoting through advanced Windows or Linux networks
- Exploiting services
- Exploiting abuse primitives in Azure or O365
- EDR/AV bypass
- And much more…
While the above methodology is very technical and advanced sometimes it doesn’t match up with current attacker TTPs (tools, techniques, and processes).
