ASSUMED BREACH campaign

embrace the breach™

How far does the rabbit hole go?

It is critical to know how far an external adversary could get, and exactly what they could access, once your perimeter is breached. How well and how fast do your internal security and IT teams respond? Are you using MSPs or EDR/MDR providers? Have you tested how quickly they respond within your organization? And if one of your internal teams has an adversary on the payroll, what does that person have access to?

Key elements of our Assumed Breach Campaigns

  • Adversary has breached
  • Insider Threat (Employees/Partners)
  • Active Directory-based
  • MITRE ATT&CK LAPSUS$-based
  • Timesaver (there will always be new exploits)
  • Atomic Red Team Tests

An often overlooked vector for assumed breach is from within. Be it an employee that is disgruntled or potentially blackmailed, insider threat is very real. How far do their keys to the kingdom actually take them?

Luke Secrist

CEO

What all is at risk?

BuddoBot’s Assumed Breach Campaign is a four-week service designed to emulate insider access and assess the readiness of internal security controls and processes.

The reality is that there will always be new exploits against technology, premises, and employees:

  • 0-day exploits like Heartbleed and log4j will continue to be discovered.
  • Social Engineering attacks and tools continue to grow in sophistication.
  • Even in the most secure organizations, the possibility of an insider threat exists.
  • Even something as innocuous as a meeting room Ethernet jack can give privileged access.

The Assumed Breach Campaign assumes one of these eventualities has already occurred and lets our Offensive Security Engineers loose on the internal network. This type of testing is particularly valuable to an organization whose external security is already mature: it saves time by going directly to internal readiness.

Industry Standard Approach

In our Assumed Breach Campaigns, we leverage two methodologies. In the first, we execute industry standard red team and penetration testing techniques. This includes:

  • Access through manipulation of protocols and technology (Golden/Silver Tickets, Kerberoasting, Pass the Hash/Ticket, NetBIOS, DCSync, LLMNR/NBNS/WPAD, EFS, SMB Relay, COM/DCOM, WMI, AD Trusts, and ACL Review)
  • Credential theft, brute force, and cracking
  • Privilege escalation
  • Pivoting through advanced Windows or Linux networks
  • Exploiting services
  • Exploiting abuse primitives in Azure or O365
  • EDR/AV bypass
  • And much more…

While the above methodology is very technical and advanced, it sometimes doesn’t match up with current attacker TTPs (tools, techniques, and processes).

The Next Gen Adversary Approach

We also perform a second, unique methodology. It is based on a mixture of selected MITRE ATT&CK framework modules and our personal experience with modern adversaries. These adversaries never install software, rarely run exploits, avoid EDR, and look like regular users to your SOC.

They leverage granted access, code repositories, internal documentation, shares, logs, ticketing systems, chat, and hard-coded secrets to build a map of your internal systems. Without attracting any attention, they gather this recon data and pile it up until they strike all at once, too quickly for your SOC to respond.
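One concrete defensive counterpart to the recon described above is to find the hard-coded secrets in your own repositories, documentation, and shares before an adversary with ordinary user access does. The following is an added example, not BuddoBot's tooling or any code from this page: a small scanner that runs a few well-known secret patterns (AWS access key IDs, PEM private key headers, and a heuristic for credential assignments) over a constructed in-memory sample repository. The sample file contents, the `PLACEHOLDERS` list, and the heuristic assignment rule are all assumptions that a real deployment would tune to its own code base.

```python
import re
from dataclasses import dataclass

# Detection patterns for common hard-coded secret shapes. The first two are
# fixed, well-known formats (AWS access key IDs start with "AKIA" and are 20
# characters; PEM private keys carry a BEGIN ... PRIVATE KEY header). The
# assignment rule is a heuristic: a credential-like name, an = or :, and a
# quoted value of at least 8 characters. Expect to tune it per code base.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}

# Placeholder values that commonly appear in templates and docs (assumed list);
# skipping them keeps noise down for the analyst reviewing findings.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str


def scan_text(path, text):
    """Return a Finding for every line of `text` that matches a secret pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # Drop obvious placeholders so the report focuses on real exposures.
            if rule == "credential_assignment" and match.group(2).lower() in PLACEHOLDERS:
                continue
            findings.append(Finding(path, line_no, rule, line.strip()[:80]))
    return findings


def scan_repo(files):
    """Scan a mapping of path -> file contents and collect all findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings):
    """Count findings per rule, which is what a triage dashboard would show."""
    counts = {}
    for finding in findings:
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


# Constructed sample repository (not real data). The AWS key is the
# documented AWS example key, not a live credential.
SAMPLE_REPO = {
    "config/settings.py": 'DB_HOST = "db.internal"\nDB_PASSWORD = "Sup3rS3cretPass!"\n',
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=us-east-1\n",
    "docs/README.md": 'Set `password = "changeme"` before first run.\n',
    "keys/deploy_key": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    results = scan_repo(SAMPLE_REPO)
    for f in results:
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.excerpt}")
    print(summarize(results))
```

Against the sample repository the scanner reports three findings (the settings file password, the AWS key in the env file, and the private key) and skips the README's `changeme` placeholder. In practice you would run the same logic over a checkout of every repository and share an ordinary employee account can read, since that is exactly the material the adversary profile above relies on.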

Often these adversaries are not looking for a ransom. They seek to disrupt your business simply for the fun of it, because they can.

We find that using these two separate methodologies helps us advise a customer on practical defenses against the most modern breach types.