Microsoft admitted that the SolarWinds hackers were responsible for the infiltration of some of its customer service tools. Microsoft told Reuters that the compromised support agent had limited access and could see things like which services customers used and their billing contact details. According to Microsoft, the hackers used the details obtained from the tools to launch “extremely targeted” attacks on particular Microsoft customers.
The attacks, Microsoft says, were part of a larger Nobelium campaign focused mostly on IT companies and governments around the world. The company says it has contacted the customers who were affected by the hacking group’s use of the tools, and that Nobelium no longer has access to the customer support agent’s device.
Microsoft has been talking about security a lot today, particularly in relation to its upcoming Windows 11, as the company tries to make the case for requiring users to have specific hardware in order to upgrade. Incidents like this one, where a single compromised computer can give attackers a head start on future attacks, illustrate the cat-and-mouse game Microsoft plays with those looking to breach its security.
SolarWinds is one of the largest and most successful cyber security firms in the world, with a market cap of over $2 billion. Its products have been adopted by some of the largest organizations in the world, including Microsoft, Google, Oracle, Intel, and Cisco. The SolarWinds hacker team trains thousands of security professionals around the world every year through its VENDETTA red team exercises.
They are considered one of the best red teams out there because they have an incredibly high success rate (95%) and a low exposure rate (5%). This blog post is intended to be a concise list of why other red teams don’t succeed as SolarWinds does. If your organization is considering implementing a cyber security red team exercise program, hopefully, this will help you identify which aspects are most important to consider from an outside source.
Focus on the why, not the what
Cyber security professionals are notorious for being overly focused on the “what”, while ignoring the “why”. This is particularly true when it comes to the technical aspects of the red team exercise. Your red team should be focused on why a certain technique or tool is being used, not on the specific technology being used. A good example is a technique to avoid detection known as domain fronting.
Many organizations block access to common websites like Amazon and Google as a means of preventing nefarious users from accessing internal resources. Most of these organizations are unaware that domain fronting exists. If your red team just uses this technique without an understanding of why it works, it’s likely that the hosts and domains being tested won’t have any idea it’s happening. People don’t like being tricked, so don’t trick the hosts, trick the decision-makers.
User and Entity Behavior Analysis (UEBA)
User and entity behavior analysis is the process of analyzing user and entity behavior to identify anomalies, fraudulent behavior, and bad actor indicators. This is an incredibly powerful technique used to identify malicious activity, but it’s also a process that many red teams don’t adequately prepare for.
If you have an analyst who is skilled in UEBA working as part of your red team, they’ll not only be able to identify the weaknesses in your existing detection methods, but also provide a list of recommended changes that can be turned into a test plan.
There are many UEBA solutions on the market, and SolarWinds has a powerful solution called ThreatIQ that is available via their cloud-based security platform. ThreatIQ was designed to help security teams detect, investigate, and mitigate advanced threats including Advanced Persistent Threats (APTs), ransomware, cryptocurrency mining, and harmful insider threats.
Full Red Teaming with Live Network Exploration
Full red teaming is the process of assessing the security of an environment through the lens of an external attacker. This is typically done by connecting to the target network via a VPN. If your red team is just running scans, they’re only performing a very small part of the full red teaming process.
They’re only testing the technical controls, not the security culture or the people behind the controls. Since most modern organizations rely heavily on virtual machines, you also need the ability to test the security of the hosts themselves. This can be achieved through the use of a fully featured red team operating system (R-OS) such as the VENDETTA R-OS. If your red team is only testing the network, it is only testing a small part of the environment, not the whole of it. You need to test the entire environment to be effective.
Unlimited Live Runs
The key to any red team exercise is to enable as many simulations as possible. A good rule of thumb is that a red team should be able to run the simulation as many times as it takes to succeed. If you’re only running a simulation once, you’re not doing your job. For example, if you’ve been hired to test the security of a payment gateway, you might decide to test the authentication mechanisms. If authentication is based on the use of user IDs and passwords, you’ll likely want to engage in some form of synthetic authentication testing using real people. Many organizations have strict policies surrounding synthetic authentication, restricting the number of times a single user can be used in a given period.
Continuous Integration and Continuous Deployment (CI/CD)
One of the best ways to ensure that your red team doesn’t become complacent is to implement a continuous integration and continuous deployment (CI/CD) process. This will ensure that the red team knows they’re always being tested. If you have a large organization with multiple teams, it can be difficult to determine which teams have been tested in a given period. The best way to overcome this challenge is to implement a central team that is responsible for determining when each team has been tested. There’s no one right way to implement a CI/CD process. It can be as simple as having the red team communicate when they’ve tested a specific team or they’ve tested all the teams. It can also be much more complex, with multiple testing phases and simulated incident response exercises.
Weekly Steering Committee Meetings
If you want to truly emulate the environment of a large corporation, you need to implement a weekly steering committee meeting to discuss what’s happening throughout the company. This will ensure that nobody is left out and that everybody gets the attention they need. If you want to ensure that your red team is truly testing everything, they should be in charge of running the meetings. This means that they’re responsible for determining what needs to be tested and how it needs to be tested. The red team should be given full control over the meeting agenda, but they should also be responsible for taking notes. This will help to ensure that everyone is included in the discussion and that nobody is left out.
Ultimately, the best way to succeed is to focus on the why. This is particularly true with regard to red team exercises. Your red team should be focused on why a certain technique or tool is being used, not on the specific technology being used. Additionally, they should be given the resources to be successful, including the authority to test any part of the organization at any time. With the right team, red team exercises are an incredibly effective way to improve your organization’s cyber security posture.