The Transcendence of Breach Assessments
December 23, 2014
This blog post isn’t intended to be a panacea that will resolve past, present and future organization security breaches. That is a tall order many feel is unachievable, whether an accurate statement or not. However, a more focused approach to security and safety can help companies’ vested interests (e.g., employees, intellectual property, physical dwellings and information resources).
The Sony breach is just the most recent case that embodies the need for enhanced security assessment techniques. The details of the breach are still rather restricted, but numerous speculations concerning an insider threat have surfaced along with established persistent covert command and control access.
The hacking group coined the “Guardians of Peace (GOP)” have made numerous claims to continually disclose acquired Sony intellectual property in the form of unreleased movies, executive email correspondence details, personal information associated with employees, threatening to bankrupt Sony Pictures if demands aren’t met in accordance with the GOP.
Whether you agree or disagree with Sony’s choice to halt the release of The Interview (the movie that allegedly motivated the attackers to act), one thing is certain: the breach and its subsequent blackmail has caused significant damage to the Sony organization, its clients and its partners.
It is often the case that a successful breach greatly impacts the organization’s gross profit and overall revenue. Again, this manifests in many interesting varied statistical analysis outcomes, but I want to pause for a moment and look past the normality; maybe take a step back and look at the larger picture. A good portion of a Fortune organization’s security budget/spend is associated with logical security and implementation of mitigation strategies (e.g., hardware and software).
Organizations tend to be disjointed, decentralized and have disparate technologies within various geographic regions. This is often a byproduct of years of acquisitions, mergers or even growing the company’s footprint organically. The environment, as described, provides a challenging problem for any information/security technology group to reign in, and results in catastrophic outcomes if not appropriately addressed prior to an untimely breach.
The Sony breach demonstrates an unusual windfall of devastation. Movie release dates have been affected, the cast has incurred financial impact, executives have had compromising emails released to the public and the enterprise network was reduced to literally using pen and paper for conducting business. In fear of implied violent retribution, theaters backed out of movie release dates. Take all of this and the fact that this is presumably tied to a “nation state”, and this is no longer an austere case of financial loss or brand defamation. This has strong financial, personal safety and political implications.
What, if anything, are we doing wrong?
What follows is a personal manifesto and a sentiment I feel many share whether they know it or not. The traditional security assessment techniques are effective to an extent, but assessments should demand focus, albeit not in the same assessment. That statement may seem nebulous on the surface, but think about traditional penetration tests and their overall objective.
The traditional penetration test is often scoped for a selection of resources subject to review. To further simplify the point, the resources are associated with an organization’s perimeter environment, and the assessor is given a goal of “find all the vulnerabilities and validate exploitability”. That is fair to an extent as the perimeter is one of many attack surfaces and holds numerous potential attack vectors. The problem is that the traditional test is limited by perspective within the capacity that the assessment is performed. The assessor simply doesn’t know or have the opportunity to move vertically within the network. Obviously there are exceptions, but this is typically a standard approach. Furthermore, the act of performing comprehensive testing is viewed as a lateral approach.
This doesn’t discount the need for traditional assessment techniques, as mentioned previously, since information resources need to be validated as an ongoing cyclical effort, not only for due diligence purposes but to fulfill other requirements as well (e.g. governance). Traditional testing has its place in any self respecting security program. Organizations should be performing network penetration tests, application security tests, incident response exercises, and overall security evaluation. Additionally…
Focus, focus, focus…breach
With an emphasis on "additionally," the Breach Assessment methodology is something that we at FishNet Security feel should be added as assessment criteria in response to ongoing public security breaches. This assessment technique is designed to demonstrate actual breach techniques used to evaluate an organization’s most business-critical resources.
I know that similar terminology, such as “Red Team,” has been used; however, that term can be loosely used to represent offensive assessment techniques in general. The intent of the Breach Assessment is not to be transparent or synonymous, it is malicious testing intended to assess the security controls necessary to prevent imminent compromise.
The breach is “focus” and on the item or items that are designated as critical soft/hard targets. A concept of “chained composite attacks (CCA)” is used throughout the assessment. The CCA is dissimilar from a traditional penetration test scenario in that the CCA provides a chronology of attack progression from initial unauthorized entry to final compromise. The events are demonstrated in a CCA so the critical points of compromise are identified while they provide relevance about how each event lead to subsequent compromise.
Unlike a traditional penetration test, a Breach Assessment, for example, focuses on moving vertically rather than laterally within the network. Specifically, an initial attack vector that leads to unauthorized entry would then move inward towards a critical resource that has notable significance to the end state/goal/target. A traditional penetration test would note the initial entry vector vulnerability and move laterally to assess the next asset, irrespective of its value or importance specific to the organization. Essentially, the lateral asset could be a resource that does not provide value or is simply arbitrary and unrepresentative of a venerable attack target.
Additionally, the breach methodology is intended to be complimentary of traditional testing techniques but not comprehensive. Physical security circumvention, and social engineering techniques may be required to gain an attack foothold, but will not lead to comprehensive testing of all physical or social assets. Instead, the initial entry point may have presented the opportunity to transition over to establishing a persistent covert network presence, create custom code, and exfiltrate intellectual property outside of the organization.
Finally, new attack techniques provide opportunity to surface vulnerabilities that may not be present using traditional testing techniques. This is often a byproduct of unique and focused testing while remaining unconfined by scope restrictions, allowing the Breach Assessment team to navigate the target landscape as necessary.
Consider an analogy a colleague used to summarize the difference between a traditional penetration test and a Breach Assessment. Figuratively, let’s think in terms of a toolbox and house. In a traditional penetration test, you (the client) provide that toolbox. You put a single hammer inside and tell us where to swing it and how hard as we look for weaknesses in the exterior siding of the east side of that house. You do this perhaps because a governing body tells you that someone needs to swing a hammer at it.
Here’s how a Breach Assessment differs: in a Breach Assessment, we (FishNet Security) bring our own toolbox. We decide a hammer isn’t the right tool for the job, so instead we use a screwdriver. We determine that the north side of the house is the path of least resistance and enter through it accordingly. After gaining access to the house, we then utilize a wrench, vice grips and duct tape to navigate the inside of the house until we arrive at the east side, the protected area that was impenetrable by hammer. This is a contrived example of a CCA that would never materialize if you only hit the east side exterior wall with a hammer.
The Breach Assessment is not a replacement for traditional testing and was never conceptualized as such. However, it is a great complement for organizations that want to demonstrate their resilience to more advanced and focused attack techniques presented in an actual breach, such as those in the recent Sony incident. As mentioned at the start of this post, the Breach Assessment isn’t a panacea, but our clients have gleaned very real and actionable results from the testing approach.