3 Case Study: Fox IT’s Red Team
3.6 Validation of Red Team Case Studies
The data, analysis and results of this chapter were validated through a semi-structured interview with Francisco Dominguez Santos, Fox-IT’s Red Team Lead. The interviewee was first concisely briefed on the research question, the methodology and the specific Red Team assignments that were sampled. The interview was conducted on the basis of nine open-ended questions (detailed in Appendix D), which left room for follow-up questions.
Dominguez exhibited knowledge of multiple attack lifecycle models, including but not limited to Lockheed Martin’s Cyber Kill Chain (CKC). Dominguez stated that a kill chain model should provide decision makers with insight into the overall process and steps of an attack, which would allow them to better prioritize their investments in security capabilities. More specifically, Dominguez explained that some risks in the preventive controls could be accepted, because every organization should expect the compromise of individual systems at some point. Instead, Dominguez argued that investments should be focused on detection and response capabilities, to limit the risk that one compromised system can be leveraged to expand the compromise to other systems in the network. The interviewee affirmed that the attack visualizations, the attack analysis and identification of tactics, the formulation of attack-specific kill chains and the generalization of the Red Team MO generally provided accurate representations of the Red Team assignments. Dominguez made the following remarks, in chronological order, regarding these elements:
• The attack visualization, which is represented using an interpretation of the CORAS methodology, could prove very useful to provide insight into attacks in future customer reports.
• The presence of multiple attack paths in the visualization shows that the Red Team aims to provide additional value to its customers. However, executing phases in attack paths that are redundant for achieving the objectives can inadvertently and unnecessarily raise the detectability of the attack. That said, most customers struggle to detect attacks even in the face of multiple attack paths, so this downside may also provide organizations with more opportunities to practice detection and response. As such, raising detectability by identifying multiple attack paths in the execution of the attack may be the appropriate choice in some assignments.
• In contrast to APT attacks, Red Team attacks typically end after a certain level of access has been obtained and do not perform malicious actions towards the attacker’s objectives, such as exfiltrating objective-specific sensitive data.
• The use of zero-days is sensationalized and rarely necessary to compromise organizations.
• Access to the target network and pivoting points form bottlenecks in the attack paths, which are most clearly shown in the attack visualization in section 3.4.1.
When asked whether he regards Red Team attacks as an accurate emulation of APT attacks, Dominguez pointed out that there are many relevant differences between Red Teams and APTs. Elements that differ include their strategic objectives, available resources, attacker mindset, time available, level of persistence, and the ethical and legal restrictions that affect the scope and possible attack vectors. Dominguez argues that it is important to retain the essence of APT attacks, namely a creative approach with as few restrictions on the scope as possible to achieve representative objectives. Given the applicable limitations, Red Team assignments are thought to be particularly useful for identifying potential bottlenecks in the execution of attacks: points that an attacker must pass through, or tactics that are hard to replace in the execution of an attack.
The limitations that apply to Red Team emulations may in part be overcome if organizations provide active support in the execution of attacks. For example, the legal and ethical restrictions on performing supply-chain-based attacks may be worked around by providing the Red Team with a Virtual Private Network (VPN) connection to the targeted network, similar to the level of access that is provided to suppliers. Furthermore, an organization may provide information about the function and normal use of critical assets, to overcome restrictions in resources and the time available to perform an attack. As such, active support from a targeted organization could make a Red Team attack more predictive of actual APT attacks.
According to Dominguez, a kill chain model should encompass all activities, starting from external reconnaissance up to the exfiltration of sensitive data or other objective-specific actions. From a technical perspective, many intermediate phases are missing from Lockheed Martin’s Kill Chain. As a result, organizations that rely on the kill chain approaches presented in marketing materials from the security industry may misalign their investments by focusing primarily on preventing the compromise of individual systems and on blocking Command & Control traffic. For the previously mentioned purpose of a kill chain model, however, Dominguez nonetheless regards the Cyber Kill Chain as a valuable tool for providing decision makers with relevant insights. A more technically correct approach, such as the UKC, may benefit from further abstraction to allow decision makers at management level to comprehend the attack lifecycle and to realign their security investments.