The present disclosure is directed toward a system and method of assessing security of a network, and performing security threat simulations.
In the field of cyber security, threats have evolved such that they are usually complex interactions between an assailant (the “threat actor”) and the target system, such as a computer network (the “target network”) and/or devices (e.g., user devices, intermediate target devices, or defensive devices) that they are attacking.
At a high level, the threat actor can use a number of techniques to breach the target network, bypassing the defensive devices and either installing malicious code on a target system or directly accessing the target system. During this process, one or more intermediate target devices (e.g., DNS servers, routers, etc.) may be used to gain progressively deeper access to the target network in order to approach the target system. Once the target system is compromised, the threat actor can then act upon target data and/or target systems or intermediate systems in some way that achieves a malicious goal. Exemplary actions on the target data can include, but are not limited to: theft (or data exfiltration), destruction of data, modification of data, preventing access to information, or some combination thereof.
There are a number of means by which a threat actor can gain access to a target network, some of which include: gaining access to credentials for normal or privileged access to the target network, gaining access to credentials for normal or privileged access to the target devices or systems on the target network, locating and exploiting flaws in the target network or external systems, and conspiring with users who have legitimate access to the target network or target devices or systems. There are numerous combinations of these mechanisms which can be used to access, exfiltrate, modify, or destroy data on target systems.
Due to the wide variety of mechanisms that can be used by a threat actor to attack a network, many defensive devices have been created in an attempt to block or monitor these mechanisms. For example: Firewalls, for blocking access from or to unwanted locations to or from the defended networks; Intrusion Detection Systems (IDS), for detecting suspicious traffic on the defended networks; Intrusion Prevention Systems (IPS), for actively disrupting suspicious traffic on the defended networks; Data Loss Prevention (DLP), for actively disrupting the transmission of specific data from the defended networks (or defended devices or other devices on the network); Anti-Virus (AV), for detection and removal of malicious code which is downloaded onto network devices such as user devices; Domain Name System Filtering (DNS Filters), for preventing network devices such as user devices from accessing known-malicious systems or suspect locations on the Internet; and Security Incident and Event Management, for the aggregation of event data and the coordination of incident response.
Each of these defensive devices has been created to act upon specific types of threats and when used in combination with others can theoretically help prevent, limit, or detect the attack of a threat actor, resulting in better safety for target data and target systems. These systems, when layered together, create a system of defense known as Defense-in-Depth, where each layered defensive device prevents a deeper level of attack. As described in Hutchins et al., “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” Lockheed Martin Corporation, pp. 1-14, which is incorporated herein by reference in its entirety, a good practice of using these defenses is to use a layered defense to stop the threat actors at the earliest point in the attack, and to provide the earliest warning of the presence of threat actors attempting to access a defended network.
The effectiveness of such a defense-in-depth is predicated upon the effectiveness of every layer of security. Much like the layers of an onion: if every layer has an opening, the whole can be permeated, because a liquid will locate any opening in a layer. If any one layer has no holes, however, it can keep back the intrusion. If any of the defensive devices is ineffective or misconfigured, it can create an opening sufficient for the threat actor to successfully attack the target network, access the target system(s) and reach the target data.
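The layered model described above can be made concrete with a small simulation. The following Python is an added illustration and is not part of the original disclosure: each defensive layer blocks some techniques outright and merely alerts on others, and a simulated threat reaches the target only if no layer on its path stops it. The layer names (dns_filter, firewall, dlp) and technique labels are constructed stand-ins, not real products or real attack tooling, and the per-layer report shows which layer gave the earliest warning and which scenarios slipped through every layer.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed layer names and technique labels: they stand in for the kinds of
# defensive devices and threat-actor techniques the text lists, not for any
# real product or real attack tooling.


@dataclass(frozen=True)
class DefensiveLayer:
    name: str
    blocks: Set[str] = field(default_factory=set)   # techniques the layer prevents
    detects: Set[str] = field(default_factory=set)  # techniques the layer only alerts on


@dataclass(frozen=True)
class Scenario:
    """An ordered sequence of steps the simulated threat actor must complete.
    Each step names the layer it crosses and the technique used to cross it."""
    name: str
    steps: Tuple[Tuple[str, str], ...]


@dataclass
class Outcome:
    scenario: str
    stopped_at: Optional[str]      # layer that blocked a step, or None
    stopped_step: Optional[int]    # 0-based index of the blocked step
    alerts: List[Tuple[int, str]]  # (step index, layer) pairs that raised an alert
    reached_target: bool

    @property
    def earliest_warning(self) -> Optional[int]:
        """Step index of the first alert or block, whichever came first."""
        events = [i for i, _ in self.alerts]
        if self.stopped_step is not None:
            events.append(self.stopped_step)
        return min(events) if events else None


def run_scenario(layers: Dict[str, DefensiveLayer], scenario: Scenario) -> Outcome:
    """Walk the scenario through the layers in order; the first layer whose
    block list covers the technique ends the run, detections only accumulate."""
    alerts: List[Tuple[int, str]] = []
    for i, (layer_name, technique) in enumerate(scenario.steps):
        layer = layers.get(layer_name)
        if layer is None:
            # No defensive device at this position: the step succeeds silently.
            continue
        if technique in layer.blocks:
            return Outcome(scenario.name, layer_name, i, alerts, False)
        if technique in layer.detects:
            alerts.append((i, layer_name))
    return Outcome(scenario.name, None, None, alerts, True)


def layer_report(layers: Dict[str, DefensiveLayer], scenarios: List[Scenario]) -> dict:
    """Per layer, count how often it stopped or merely detected a scenario, and
    list the scenarios that reached the target with no layer stopping them."""
    stops = {name: 0 for name in layers}
    detections = {name: 0 for name in layers}
    breaches = []
    for sc in scenarios:
        out = run_scenario(layers, sc)
        if out.stopped_at is not None:
            stops[out.stopped_at] += 1
        for _, lname in out.alerts:
            detections[lname] += 1
        if out.reached_target:
            breaches.append(sc.name)
    return {"stops": stops, "detections": detections, "breaches": breaches}


# Constructed example: three layers in the order a threat would cross them.
LAYERS = {
    "dns_filter": DefensiveLayer("dns_filter", blocks={"known_bad_domain"}, detects={"new_domain"}),
    "firewall": DefensiveLayer("firewall", blocks={"inbound_scan"}, detects={"unusual_port"}),
    "dlp": DefensiveLayer("dlp", blocks={"bulk_upload"}),
}

SCENARIOS = [
    Scenario("blocked_early",
             (("dns_filter", "known_bad_domain"), ("dlp", "bulk_upload"))),
    Scenario("detected_then_blocked",
             (("dns_filter", "new_domain"), ("firewall", "unusual_port"), ("dlp", "bulk_upload"))),
    Scenario("slips_through",
             (("dns_filter", "new_domain"), ("firewall", "allowed_flow"), ("dlp", "small_upload"))),
]

if __name__ == "__main__":
    for sc in SCENARIOS:
        o = run_scenario(LAYERS, sc)
        print(sc.name, "stopped_at:", o.stopped_at, "alerts:", o.alerts,
              "reached_target:", o.reached_target, "earliest_warning:", o.earliest_warning)
    print(layer_report(LAYERS, SCENARIOS))
```

The report makes the onion argument measurable: "slips_through" is a breach precisely because every layer on its path had an opening for the technique used, while the one alert it produced at step 0 is the only warning the defense would have given.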
To maintain an adequate defense-in-depth, a target organization (also described as a target entity) should take measures to maintain each of its defensive devices in accordance with best practices, making sure that software is up-to-date, systems are appropriately configured on its network, and access is appropriately controlled. Cooperative systems may need to be configured to communicate and cooperate correctly with each other.
Because of this complexity, target organizations typically take action to prepare and assess their security posture in order to locate holes in their security systems. Over time, two key practices have developed for this assessment: tabletop exercises and penetration tests. The two are used, often together, to attempt to assess the vulnerabilities in a defended network and to act as a jumping-off point for remediation of such vulnerabilities. However, despite these practices, a steady stream of successful cyber attacks still occurs, targeted toward organizations that spend millions of dollars pursuing each of these avenues.
Tabletop exercises typically include a detailed scenario or “war game” played out on a literal or figurative table between people who know how the security systems are supposed to respond. By having an internal security team walk through the threat scenario(s), they attempt to locate holes in how the systems will work to defend them. One problem with tabletop exercises is that they test the theoretical function of the systems under test, not the actual function. In actual operation, a manufacturer's defensive device may not be effective against a specific class of threat, or even a specific threat. However, if a tabletop exercise concludes erroneously that the defensive device is expected to successfully defend against the threat, this would lead to a false sense of security and decrease the likelihood that appropriate mitigation would be implemented. In addition, even if the defensive device would be effective against the threat when correctly installed, tabletop exercises do not actively test the placement, configuration and installation of defensive devices, leaving open the possibility of a capable, but inappropriately configured or installed, defensive device not being as effective as portrayed in the tabletop exercise. Tabletop exercises may not require additional equipment, but typically require time from cyber-security personnel to execute, and often require substantial investment of time or external resources to create the scenario(s) ahead of time. They are thus costly and usually done infrequently.
Penetration tests are “live fire” exercises in which “White Hat Hackers” perform as threat actors and are tasked with attempting to infiltrate the target network, access the target systems, and retrieve a sample of target data to prove that network defense is ineffective, thus locating a route that should be remediated. The result of a penetration test is often the target data (as proof) and a list of the successful and unsuccessful measures taken to gain access to the target data. Penetration tests often involve actual hackers acting from outside the target network and hacking into the network (hopefully while maintaining good intentions) in order to assess security.
Due to the external nature of the penetration tests, they tend to be expensive to execute and are typically undertaken infrequently (usually once or twice a year). In addition, they usually stop at the first successful breach, resulting in a single successful breach log and one or more failed breach attempts. The successful breach log contains information that might be used to prevent a similar attack in the future, while the failed breach logs provide some insight into what worked against the penetration testers' attempts. These tests often uncover only very specific paths that may result in security breaches, such that those specific paths can be addressed by a security solution. However, they are less likely to discover patterns or more general, pervasive security holes in a system. In addition, because these are “live fire” exercises, it is possible that data or systems will be harmed or degraded during or after a penetration test. For example, even if the tester has good intentions, these tests often involve installing harmful software programs onto end user computer systems or other target system devices, which may continue to serve as a security threat even after the testing is complete. These software programs typically need to be searched for by a user or network administrator and manually removed in order to eliminate them as potential security threats after testing is complete.
As discussed above, each of the two methods above has limitations in effectiveness and may also cause unintended problems. In addition, due to the expense and coordination required, both of these testing methodologies are infrequently used by organizations, perhaps one to four times per year. They also typically require significant human involvement at all stages. In today's rapidly-changing world, networks change daily, software is updated weekly, and threats may change by the hour. Each of these factors may render invalid the results of the most recent penetration test or tabletop exercise, all while requiring significant investment in time and resources, thus leaving the target organization with little or no reasonable knowledge of their current defensive posture.
To fill some gaps between penetration tests and tabletop exercises, a number of services have evolved that can provide some interim testing capability. In particular, online vulnerability scanning provides for testing of specific known vulnerabilities against equipment visible and accessible from the network. These scanners tend to target Internet-facing servers and seek out well-known problems to prevent unauthorized access to those systems; this is external online vulnerability scanning. Some providers have extended this concept into the intranet space, providing vulnerability scanning aimed at internal servers and even clients for known vulnerabilities; this is internal online vulnerability scanning. Vulnerability scanning, however, is not a passive operation, and as such can produce real-world failures that can impact operations inside of the organization. Further, for use on intranets, these scanners typically require the introduction of hardware or software to the defended network, which is often remotely controlled and updated, potentially creating an increased external presence from which a network can be attacked.
Thus, it would be beneficial to perform network security assessment in a manner that avoids the various inadequacies described above.