Professional Red and Blue Team Exercises, Part 19: The CAPTR Security Assessment Model (Part 1)

In this chapter the author proposes a distinctive security assessment model, CAPTR. Its central idea is hierarchical: first delineate the organization's most important assets, then work outward from those assets toward the external network in order to find the paths an APT attack would take.

CAPTR teaming is a method of reverse red teaming that I proposed, designed and evaluated in the research and thesis of my PhD. As mentioned in previous chapters, the red team is at a great disadvantage when it comes to appropriately imitating, and therefore appropriately mitigating, advanced persistent threats. When we talk about red team exercises, simulating APT attacks is a particular challenge, one faced even by the most talented offensive security professionals. In addition, even if an ethical hacker and a malicious hacker are on a level playing field in terms of skill, the modern state of offensive security favors actual attackers over simulated ones in almost every respect. In an attempt to solve this problem, I eventually proposed an offensive security assessment method. Although it was driven by the APT challenge, the method is beneficial in many ways when compared with traditional red teaming.

In the security industry, red teaming or penetration testing is widely accepted, and in the larger security programs of an organization it is even expected. Many even require some form of offensive security activity to validate and verify other information security technologies and activities. As a necessary mechanism of information security as a whole, red and blue exercises have unfortunately produced by-products. Many who seek red teaming or penetration testing need it to have as little impact on time and resources as possible; client organizations allot very few resources and short exercise windows in an attempt to meet whatever requirement calls for offensive security practice.

My goal is to solve these problems by improving the typical red team process. Truly clever attackers follow no rules except those that push them toward their targets. Attackers cheat and exploit loopholes to compromise their targets at all costs. Why shouldn't ethical hackers cheat the normal process in order to mitigate APTs? Obviously, in pursuing the scope of an exercise we must still follow the ROE and break no laws in the process. However, if we can bend the typical exercise process in a way that benefits us while still providing all the benefits of an offensive security assessment, then such cheating is certainly worth considering. If an organization intends to save time and resources with a very short assessment window, we should strive to give it an assessment method that is efficient and effective in that limited environment. This requirement prompted me to develop a red team process that reverses and alters red team activity so as to address advanced threats in extremely restricted assessments. In this chapter I explain CAPTR, my motivation and inspiration for creating the idea, and compare its advantages and general disadvantages with those of red teaming.

Counter Red Teaming (CAPTR)

Initially, my goal was to protect certain organizations from the fatal damage that an APT attack can cause. A fatal damage condition is an attack that causes the death of a person, or causes the organization to stop functioning or to fail to function as intended. I believe that protecting such targets from APT attacks is a capability worth an organization's continuous strengthening of its own assessment process. Fatal damage might be the loss of control of SCADA equipment leading to the death of assembly line workers or the meltdown of a nuclear power plant, or the loss or leakage of data after an attack with immeasurable consequences, such that the organization is essentially put out of existence. In designing a process that could effectively address such attacks and mitigate the APT threat, I arrived at the concept of CAPTR (counter red teaming). I also found that, although it was tuned specifically for mitigating critical attacks, it is beneficial in many other ways and is worth incorporating into overall offensive security practice. In fact, CAPTR is essentially an extremely efficient and effective way to prioritize a subset of the organization, which means that it helps with APT threats and also helps organizations that are unlikely to be APT targets but want to carry out a successful assessment of their key assets. Such a subset may be a new application, a data center, a business unit, an acquisition, or any other specific scope that needs a quick and effective offensive security assessment.

Offensive security assessors should do everything they can to outpace their adversaries. Both malicious attackers and traditional threat simulators spend a great deal of time and energy attacking the entire organization in search of valuable machines and data. Security assessors should instead use the many technical and operational resources available to them to identify and prioritize these key items up front. Offensive security assessors should start from a position of advantage and begin assessing the high-risk items themselves, instead of wasting time on the path to those items. It is in this spirit that CAPTR transfers the operational advantage from the APT to detection and prevention. CAPTR is an offensive security assessment model that implements three new assessment attributes:

1. Worst-case risk analysis to determine the scope

2. A critical initialization perspective for the attack

3. Vulnerability analysis and attack via reverse pivot chains

Worst-case risk analysis and scoping

CAPTR works with the organization's operations and security personnel to determine the appropriate scope of the assessment. The CAPTR scope prioritizes key items whose compromise would have a significant impact, regardless of how likely such an attack is. This strategy lets assessment resources be applied to the worst-case subset of the whole organization in an efficient and effective manner. Successfully identifying high-risk items requires the participation of stakeholders from both the functional and the security sides of the target organization. Operations personnel may know which objects would cause devastating damage to the organization once compromised, but they may not know to what extent the devices and data on the network represent those high-risk items. That knowledge is as important as the knowledge of the IT infrastructure and security personnel in determining as complete an initial scope as possible. Restricting the initial scope of a CAPTR assessment to high-risk objects lets the assessor focus on a small attack surface composed entirely of important assets and prevents resources from being wasted on anything other than the most important attack surface. Fully identifying priority assets in the scoping phase allows the critical damage items to be assessed successfully, which improves the overall security posture by mitigating worst-case threats.

Critical initialization perspective

The initialization perspective is the starting point from which an offensive security assessment scans for and enumerates vulnerabilities. Common examples are the Internet (outside the organization) or various locations inside the organization. The position of the initialization perspective affects many attributes of the assessment, such as which attack surface is evaluated first, the type of threat simulated, and the vulnerabilities identified.

When the assessment initializes from the perspective of an Internet-based threat, a compromised DMZ server, or even a successful phishing attack on an internal user machine, the need to work toward a series of high-risk items may hinder the progress and success of the assessment. To address most effectively the vulnerabilities an APT might use against critical items, the assessment must concede that such threats have penetrated, or will be able to penetrate, the organization's perimeter and its subsequent defensive layers. After the high-impact compromised objects have been identified and the scope created, the CAPTR assessment model begins by assessing the priority risk items themselves. This is called "utilizing a critical initialization perspective", and it allows a CAPTR assessment to assess high-risk compromised objects immediately rather than spending time first establishing a path to them.

Reverse pivot chain

The reverse pivot chain is a two-part process used to identify the findings with the greatest impact on the initially determined compromised objects. First, each compromised item in the scope is partially assessed. Then those compromised objects are used as the critical initialization perspective for an outward assessment of the host organization. This outward assessment is carried out in an atypical, targeted and unobtrusive manner. It determines the tiers of hosts that communicate with the scoped items and their relationship to the initial scope. These relationships ultimately form a network of risk chains that spreads outward from the priority high-risk items.

The reverse pivot chain describes the threat relationships in this risk chain network, which places the critical damage items at its center. Even if a host one or more hops out cannot be exploited remotely, the communication link is still identified and assigned a risk level appropriate to its potential to give an attacker access to the critical compromised objects. This information is essential for the authorizing organization to mitigate and monitor the threats CAPTR discovers. The risk chain network is a unique step forward in cooperation between offensive and defensive security teams, using assessment results to improve the security posture.
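The following Python sketch is an added example, not code from the chapter or its author. It models the two CAPTR steps described above, worst-case scoping by impact alone and a reverse pivot chain that walks a "who can connect to whom" graph backwards from the critical assets, assigning each host a tier by hop count and recording every link whether or not it is known to be exploitable. The asset names, impact scores and links are constructed for illustration.

```python
# Added example, not the chapter's own code: worst-case scoping followed by a
# reverse pivot chain, run over a constructed inventory and link list.
from collections import deque

# Constructed inventory: impact is the worst-case consequence of compromise
# (0-10) agreed by operations and security staff. There is deliberately no
# likelihood field, because CAPTR scopes on impact regardless of probability.
ASSETS = {"scada-ctrl": 10, "hr-db": 8, "win2012-gw": 5, "admin-pc": 4,
          "webapp-srv": 3, "user-pc-7": 2, "internet": 0}

# Constructed links: (src, dst) means src can open a connection to dst.
LINKS = [
    ("internet", "webapp-srv"), ("webapp-srv", "admin-pc"),
    ("admin-pc", "win2012-gw"), ("win2012-gw", "scada-ctrl"),
    ("internet", "user-pc-7"), ("user-pc-7", "win2012-gw"),
    ("admin-pc", "hr-db"),
]


def worst_case_scope(assets, threshold=8):
    """Initial scope: every asset whose compromise would be critical,
    chosen by impact alone."""
    return {name for name, impact in assets.items() if impact >= threshold}


def reverse_pivot_chain(scope, links):
    """Walk the link graph backwards (who can reach whom) from the scoped
    assets. Returns {host: (tier, path)}: tier 0 is a critical asset, tier n
    is n hops upstream, path lists the pivots from host inward. Links are
    recorded whether or not they are known to be exploitable."""
    inbound = {}
    for src, dst in links:
        inbound.setdefault(dst, []).append(src)
    chain = {c: (0, [c]) for c in scope}
    queue = deque(sorted(scope))      # sorted for a deterministic walk
    while queue:                      # breadth-first: shortest chain wins
        host = queue.popleft()
        tier, path = chain[host]
        for upstream in inbound.get(host, []):
            if upstream not in chain:
                chain[upstream] = (tier + 1, [upstream] + path)
                queue.append(upstream)
    return chain


def risk_network(assets=ASSETS, links=LINKS):
    """Full CAPTR pass: scope, then chain outward; ordered inner tiers first."""
    chain = reverse_pivot_chain(worst_case_scope(assets), links)
    return sorted(chain.items(), key=lambda kv: (kv[1][0], kv[0]))
```

Each tier-1 and tier-2 host in the output is a monitoring and hardening candidate even though the example never asks whether it has a known exploitable flaw.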


When one relies only on traditional red team assessments to assess network security and mitigate the impact of APTs, there are several reasons they fall short. These issues result from an evolving threat landscape: the list of vulnerabilities exposed during an assessment may be out of date within days of the test ending. Another reason is that typical red team activity focuses on simulating an external attacker rather than on all aspects of insider threats. Given these and other situations in which the disadvantages of traditional red teaming contrast sharply with the potential advantages of CAPTR, the CAPTR method should largely secure a place in established practice.

Zero-day vulnerabilities

A zero-day exploit is code that exploits a zero-day vulnerability, and a zero-day vulnerability is one unknown to the software vendor or to security vendors. During an exercise, the red team scans for vulnerabilities and tries to exploit them to gain access within the organization. One problem here is that this process may not include zero-day exploits, because they have not yet been disclosed or discovered. It can be conservatively assumed that within days of the red team completing a penetration test, a weaponized vulnerability may appear as a new threat to the organization.

It must also be assumed that the parts of the network the red team could not reach may hold high-risk vulnerabilities that could not be evaluated, because the assessor found no vulnerability between the devices they did reach and the inaccessible network. In that case, if the devices the red team could not assess are vulnerable to a new zero-day attack, attackers could use those high-risk vulnerabilities to unprecedented effect. The red team usually acknowledges this, and the unassessed portion may well contain vulnerabilities too. Obviously, the possibility that a zero-day vulnerability is turned into a working zero-day exploit indicates a gap in the defenses that cannot be analyzed. The CAPTR method mitigates, to a certain extent, the impact that new zero-day vulnerabilities have on the effectiveness of an assessment. Consider Figure 9-1, an example of a simplified red team exercise:

In this figure, the red team attacks the Internet-facing web application server, captures the credentials and identifies the IP address when the web application administrator logs in to the server to check on it, and pivots from there to the web application administrator's personal computer. Next, the red team tries to penetrate deeper into the network and carry out a fatal attack, which in this case means compromising a SCADA device that controls the distribution of biohazardous waste. Unfortunately, a Windows 2012 gateway sits between the red team's pivot point and the fatal-compromise target, and it currently has no known remote code execution vulnerabilities. In this example, the red team never enumerated the SCADA controller to determine whether it is vulnerable to common remote code execution vulnerabilities such as MS08-067. Soon after the assessment, the MS17-010 zero-day vulnerability and its exploit are disclosed on the Internet. An APT attacker compromises another user on the network through phishing and uses that foothold to access the Windows 2012 gateway. The APT attacker can now easily exploit the vulnerable SCADA controller and finally attack through the SCADA device itself, because the device is also vulnerable to a privilege escalation vulnerability called semtex, which allows an unseen attacker to cause an enormous disaster.
