Although it was large Wall Street firms and government agencies that in July gained national media coverage for participating in a massive cyber-attack readiness test, small and medium-sized organizations can do the same, and for a reasonable price.
About 50 Wall Street firms and government agencies participated in a stream of simulated cyber-attacks, dubbed “Quantum Dawn 2,” that attempted to disrupt trading in the U.S. equities markets. Participants were able to run through the ways in which they would mitigate various threats against their firm, coordinate with the financial sector as a whole to share information and coordinate with government agencies.
Unlike a vulnerability assessment, which identifies vulnerabilities on a network, or a penetration “pen” test, which is conducted by security specialists employed to simulate an attack and test the network and systems’ resistance, cyber war exercises go much further. It is truly an all-out war, the way an organized hacker group would battle, except it’s done by ethical hackers who cause no harm to your systems.
War, What is it Good For?
All organizations have trade secrets: financial data or personal information belonging to the company or its customers, or have political beliefs or company policies that some people may find offensive, are targets for cyber-attacks. Cyber war exercises, commonly known as a Red Team tests, help you to prepare for that attack before it occurs. Think of a Red Team test as boot camp. It’s a time when your security team, the blue team, battles with experienced ethical hackers who are security consultants, the red team. Each team performs reconnaissance on the other trying to stop them in their tracks. In the military, these types of exercises are called force-readiness, as they test how ready your force is to do battle, deter potential foes and rapidly respond. The blue team will be at battle as the red team will do all it can to get to your prized possessions, the servers and data you hold most valuable. Once the red team enters your network, it might also be able to gain access to one of your partner’s networks and cause damage there. Additionally, if your servers control any machines or products, it’s possible hackers could turn those on or off. Of course, unlike in a real-life situation, a Red Team test is conducted under controlled conditions so the cyber-attacks should not actually harm a thing on the network. Your mission, if you choose to accept it, is to fight the battle and stop the red team as soon as possible before they access your crown jewels or can cause major damage to your network. At Dell SecureWorks, our Red Team has been able to breach a network every time. Ideally, once you see the red team enter your network, you will take actions to stop them from delving any further.
Once the game is over, no matter how much you lose—meaning no matter how many servers the attackers were able to access or how many passwords they were able to find—you win, because that’s when the make-up session starts. The security consultants will sit down with your team and review with you how they got in each server and will share what they could have done to your network with the access they gained. Whether they could have shut down your entire website, exfiltrated documents or accessed your banking accounts, they will review it all and let you know the different tactics you could take to help prevent such deep access into your network and how you could effectively respond if it ever occurs again. In the end, the Red Team test will improve operating procedures and will instill the confidence your team will need to succeed in a variety of challenging situations.
Rehearsal
A Red Team test allows organizations to test their responses before real attacks and to position themselves to prevent or mitigate future attacks. It enhances a security team’s ability to adapt to new and oncoming security threats, and to better understand the landscape of its industrial control systems, its equipment and devices, and its security configurations so it can evaluate networks and controls. The test could also show how quickly a hacker could complete a mapping of an organization’s full external network and how readily he could control or destroy critical infrastructure.
In a Red Team test, an information security consultant devises cyber-attack strategies based on the types of targeted threats of greatest concern to an organization.
Key activities include the following:
- Advanced Persistent Threats
- Cybercrime
- Threats to its executives
- Distributed Denial-of-Service (DDoS) attacks
- Spear-phishing
- Social engineering
- Web application attacks
- Use of specialized malware that real cyber attackers use
Security is Security
A Red Team tests more than just cyber security. In a recent cyber simulation we conducted for one customer, our security consultant, dressed like a truck driver, crawled through a hole in the organization’s fence to enter the organization’s property, walked down a hill across the employee parking lot and into the smoking pavilion, and followed three employees into the company’s facility. He then found an empty office where he plugged his laptop into the network, allowing him access to the organization’s network. In a real-world attack against this customer, the attacker would have been able to taint physical products, which could have impacted civilians in a 100-mile radius. The attacker also would have been able to remove or destroy corporate information, or to render the network inoperable. It may sound like we did the unthinkable in the way we accessed this company’s network, but it happens in real life.
Eye Spy
On another recent Red Team test we conducted for a company, we found almost 200 company email addresses for employees, one of which belonged to an IT director. Our red team sent a spear phishing email to the other email addresses on hand, claiming that the organization was undergoing a webmail transition and that everyone needed to click on the link to a website in the email to sign up. The link we created was designed to capture login and password credentials. When employees clicked on the website, our testers captured about 15 different email/password combinations, which ultimately led to our being able to tap into the company’s wireless network. Our consultants were then able to access account data on the company’s customers, including customer financial information, contact names, addresses, phone numbers, email addresses, and information that a real attacker could have sold to cyber thieves for fraudulent purposes or to the company’s competitor.
An Ounce of Prevention
Recovering from a breach is way more expensive than preventing one. Aside from the cost of hiring a specialist to come in to investigate and remediate—it’s unlikely that most companies could remove all the malware and close all the back doors without help from a specialist—there are plenty of other fees associated with a breach, such as customer notification, payment card fines, and fraud losses, not to mention the loss of an organization’s most prized possessions, such as customer data, intellectual property and brand reputation. Costs for a full-blown Red Team test are under $50,000. The average cost of a breach, according to the Pomemon Institute, $7.2 million.
With more than 20 years in IT, Rick Hayes oversees Red Team tests and other risk tests. For more information on Red Team tests, please contact [email protected] and write “Red Team” in the subject line.