Validate the effectiveness of security operations with scenario-based assessments
Measuring the success of security operations on efficiency alone often fails to address the key question organizations want answered – how good are security teams, tools, and procedures at detecting and responding to threats?
Scenario-based testing, performed by experienced ‘red team’ ethical hackers and designed to mirror common cybersecurity threat scenarios, can help to validate the effectiveness of in-place controls and drive improvements to threat hunting, breach detection, and incident response.
With a slow and deliberate approach, we experiment with an array of breach simulation tactics and conduct war room-style exercises to assess your organization’s processes, defenders, and overall security controls. Collaborating in interactive working sessions with stakeholders from your Security, IT Operations, and Incident Response teams, wargaming helps teams more effectively identify security strengths and weaknesses during live breach simulations.
Benefits of scenario-based testing
Scenario-based testing is a specialist form of offensive security assessment. Unlike traditional penetration testing, which aims to uncover as many vulnerabilities as possible, scenario-based testing is designed to benchmark the performance of cybersecurity controls to safeguard against specific adversarial behaviors.
Scenario-based testing helps to answer important questions such as:
How suitable and well-configured are monitoring technologies to prevent and identify threats?
Are there any network security blind spots that persistent attackers could exploit?
Are ‘blue team’ security analysts able to shut down advanced and sophisticated attacks?
How good are security analysts at differentiating genuine threats from false positives?
Are incident response plans in place to escalate threats and manage compromises?
Do teams have the know-how to remediate breaches?
Antares' scenario-based testing service can be tailored to specific client requirements. Our experienced ethical hackers work closely with your in-house team to identify key security risks and develop a testing strategy to address them. Adversarial scenarios and tactics that we can help to assess include:
A supply chain compromise
Data exfiltration by a malicious insider
A spear-phishing campaign to harvest credentials
Exploitation of vulnerabilities to install malware
The MITRE ATT&CK™ framework
Scenario-based testing can be aligned to a range of adversarial behavior frameworks. One of the most useful is the Adversarial Tactics, Techniques and Common Knowledge (MITRE ATT&CK), which describes the methods utilized by adversaries to compromise, exploit and traverse networks.
The MITRE ATT&CK framework is divided into 11 groups of TTPs. Scenario-based testing can accurately replicate each of these.
Initial Access
Gaining a foothold in the target network using tactics such as spearphishing and supply-chain compromise.
Execution
Executing code on a target system once access has been obtained. Includes the abuse of legitimate applications and systems such as Control Panel items and PowerShell.
Persistence
Establishing and maintaining a persistent presence on a network, overcoming interruptions such as system restarts and updated account credentials.
Privilege Escalation
Increasing permission levels to access additional parts of a compromised network through techniques such as hooking, process injection and access token manipulation.
Defense Evasion
Avoiding detection through techniques such as the disablement of security defenses, prevention of endpoint inspection or the bypassing of application whitelisting.
Credential Access
Seeking to gain access to or control of a system or domain by obtaining legitimate credentials, including through brute force and credential dumping.
Discovery
Acquiring knowledge of target systems and networks. Includes account, application, browser, and directory reconnaissance techniques.
Lateral Movement
Traversing a network and gaining control of remote systems. Includes Pass the Ticket (PtT) and remote services techniques.
Collection
Identifying and gathering sensitive information through audio, keystroke, screen and video capture.
Exfiltration
Removing files and information from the target network, often using a combination of compression, encryption and legitimate protocol abuse.
Command and Control
Establishing communication with target systems through the abuse of existing, legitimate protocols.
Red vs blue: continuous review and improvement
Adversarial tactics do not always follow a linear sequence – hackers will typically use a wide range of techniques throughout the course of an attack. Security teams need to be prepared to defend against any and all of them.
Scenario-based tests differ from red team operations with respect to their core goals and methodology. While a red team operation adopts a ‘no holds barred’ approach to replicate a full-scale attack, a scenario-based test is more focused, often devised around a single, specific adversarial tactic.
Once information about in-place technologies and processes has been researched, ethical hackers will launch the attack exercise, with in-house blue teams tasked with detecting and responding to it.
Regular scenario-based testing creates a process of continuous review and improvement, ensuring blue teams are prepared to identify and mitigate the latest cyber security threats.
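As an added example (not part of the original page or of Antares' service), a small Python scorecard that turns one exercise into the measurement the page argues for: for each ATT&CK tactic the red team exercised, whether the blue team missed it, detected it within an assumed 30-minute SLA, or contained it. The Step and Alert record formats, the SLA and the exercise timeline are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# The 11 ATT&CK tactic groups the page lists; every scenario step must name one of them.
TACTICS = {"Initial Access", "Execution", "Persistence", "Privilege Escalation",
           "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
           "Collection", "Exfiltration", "Command and Control"}

@dataclass
class Step:                  # one red-team action in the scenario (constructed format)
    tactic: str
    executed: datetime

@dataclass
class Alert:                 # one blue-team record (constructed format, not a real tool's)
    tactic: str
    detected: datetime
    contained: Optional[datetime] = None   # None = never contained

def score_scenario(steps, alerts, sla=timedelta(minutes=30)):
    """Map each exercised tactic to (status, time_to_detect, time_to_contain)."""
    by_tactic = {a.tactic: a for a in alerts}
    report = {}
    for s in steps:
        if s.tactic not in TACTICS:
            raise ValueError(f"unknown tactic: {s.tactic}")
        a = by_tactic.get(s.tactic)
        # An alert raised before the step ran is a false positive, not a detection.
        if a is None or a.detected < s.executed:
            report[s.tactic] = ("missed", None, None)
            continue
        ttd = a.detected - s.executed
        ttc = a.contained - s.executed if a.contained is not None else None
        status = "contained" if ttc is not None else ("detected" if ttd <= sla else "detected_late")
        report[s.tactic] = (status, ttd, ttc)
    return report

def coverage(report):
    """Fraction of exercised tactics seen at all; the remainder are the blind spots."""
    seen = sum(1 for status, _, _ in report.values() if status != "missed")
    return seen / len(report) if report else 0.0

# Constructed sample exercise: five steps of a credential-theft scenario and three alerts.
T0 = datetime(2024, 1, 1, 9, 0)
def m(n): return T0 + timedelta(minutes=n)   # minutes after exercise start
SCENARIO = [Step("Initial Access", m(0)), Step("Execution", m(5)), Step("Credential Access", m(20)),
            Step("Lateral Movement", m(45)), Step("Exfiltration", m(120))]
ALERTS = [Alert("Execution", m(12), contained=m(40)), Alert("Lateral Movement", m(90)),
          Alert("Exfiltration", m(90))]   # fired before the step ran: a false positive
```

Run on the constructed exercise, the report shows two of five tactics seen, one of them only after the SLA, which is the kind of per-tactic answer to the page's detection and response questions that an efficiency metric alone does not give.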