Case Study – When Threat Intelligence and Red Team Get Married

As the Cybersecurity industry and the talent pool within it is in such high demand, AttackIQ has had a number of customers that have moved from one company to the next, and as they have moved, have brought AttackIQ as a platform to their new teams as a fundamental decision system to accelerate and improve the security program. In this blog, I talk to one of our customers to review their use case of AttackIQ.

Note: For privacy reasons, I am leaving out our customer’s name and the companies he has worked for, and focusing on discussing how he has operationalized AttackIQ and the value he has brought to his teams. For the purpose of this blog, we’re going to name this customer “Bob”.

In this case study, we’ll talk to Bob, whose background of 15+ years in security includes using AttackIQ in multiple organizations and industries. As Bob phrased it, he has “married threat intelligence to red teaming” to help his organization continuously and automatically expose gaps within its IT security infrastructure. Bob will talk about how he has built a transparent process that allows red team and blue team members to reproduce attack techniques in a more repeatable fashion, and how this has improved their security posture and their ability to prevent, detect and respond.

How has AttackIQ changed the way you think about security?

The early days to today

Bob: Early in my career of red teaming and penetration testing for the government and private sector, I had a friend and mentor who taught me attack techniques, novel at the time, around exploiting SSH and SMB to gain further access and show weaknesses in the network. At the time, there wasn’t a corpus of public knowledge for attack techniques we could reference and learn from, so we had to rely on sharing knowledge and learning from each other in smaller vetted groups. As we continued our careers, the techniques we were using were becoming more publicly documented and more widely known. Back then, the issue was obtaining the knowledge used for red teaming exercises; today, we have the opposite issue of information overload. Today, via Internet resources like the MITRE ATT&CK framework, there are more than enough resources to learn from, but as the industry continues to grow we still see teams of red teamers and pentesters running around and breaking everything under the sun – it’s a primitive concept and doesn’t scale. You can’t reproduce that methodology over and over again manually, and the results you find are just a snapshot of the network and how it responded at that time. The network should be treated as a living, breathing creature. The attack techniques that worked two weeks ago might not work today.

Today we have a plethora of widely known attack techniques, and with them an issue of information overload, without a mechanism to understand what is important and to test those techniques in a repeatable, scalable fashion.

In the last 10 to 15 years, attack techniques have scaled, but the ability to replicate those techniques as a red teamer/pen tester in a repeatable fashion has not.

Enter AttackIQ

Bob: Part of the major problem we were trying to solve was how to replicate tens or hundreds of attack techniques consistently and then how to capture the network response so that we could identify where our gaps were and prioritize what to fix. This is the reason why we bought AttackIQ.

Where does AttackIQ fit today in your Enterprise security program?

Bob: The most important part of what I’m responsible for on our security teams has been understanding the attack decision tree. It’s key to understanding how your network responds to particular techniques and events as they are executed. I worked at “a tech company” that was being attacked daily and constantly had to quickly detect attackers inside of our network and minimize their impact or damage.

In working at “the tech company”, we were able to determine from threat intelligence the top 20 attack techniques that were relevant to our organization. From there, we selected the relevant attack scenarios from AttackIQ’s platform and emulated those techniques within key network segments of our production environment. I married threat intelligence and red teams and operationalized threat intelligence to understand how our network defenses responded. This essentially helped to make it obvious to the rest of the organization that this is what the bad guys would do to us and this is how our network defenses would respond. Since AttackIQ is an agent-based technology, I placed the agents in different parts of the network infrastructure so I could get much wider visibility and be able to reproduce the same scenarios again and again. I set up AttackIQ in such a way that members of our IT teams got alerts when we found gaps and were empowered to rerun the scenarios to expose the gaps themselves. Everything I did was transparent, and, because of that, I was able to create enablement between teams. It wasn’t just about breaking and defending, it was about working together to build a more resilient security program.

AttackIQ has helped us accelerate our security operations through transparent results, a testing harness that is repeatable and a process that is actionable by the blue team.

In determining the best detection method against key attack techniques, we found that there wasn’t a one-to-one relationship between an attack technique and a detection rule. There might be multiple rules that would catch certain phases of an attack.

By being able to replicate an attack, we could have strategic conversations as to the best way to detect such an attack. It allowed us to have a true red team (thinking about the attack) and blue team (thinking about the defensive strategy) approach. Our ability to repeatedly, rapidly and widely test within our infrastructure brought up various interesting conversations around how to catch malicious use of RunDLL or InstallUtil. And because AttackIQ supports multi-phase scenarios, we were able to see where in the attack chain we could detect an attack path and if a simple query would detect the event or if we needed to rely on security technologies that incorporated more heuristic modeling. It also helped us understand which security products from our security stack were able to catch certain types of attack techniques.

As we have progressed using AttackIQ, we have made full use of AttackIQ’s API integrating it into our CI/CD SecOps processes. It made testing faster, more repeatable, and more automatable.

Today AttackIQ is a platform we rely on to test, validate and optimize our prevention, detection and alerting capabilities. It’s relied on by the technical teams and it’s used by the strategic leadership to make data-driven decisions.
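Two of Bob’s points above, that there is no one-to-one relationship between a technique and a detection rule, and that a multi-phase scenario tells you where in the chain a detection first fires and whether a simple query or a heuristic control caught it, can be turned into a small coverage report. The code below is an added illustration written for this post, not AttackIQ’s own API or output: the scenario phases, rules and alerts are constructed sample data (the technique IDs are ATT&CK’s for Rundll32, InstallUtil, ingress tool transfer and web-protocol C2), and the rule names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: one multi-phase scenario in execution order. Each phase
# names the ATT&CK technique it exercises and whether a preventive control
# blocked it. Hypothetical data, not real assessment results.
SCENARIO = [
    {"phase": 1, "name": "Stage payload DLL in user profile", "technique": "T1105", "prevented": False},
    {"phase": 2, "name": "Load DLL via rundll32", "technique": "T1218.011", "prevented": False},
    {"phase": 3, "name": "Run assembly via InstallUtil", "technique": "T1218.004", "prevented": False},
    {"phase": 4, "name": "Beacon to staging server", "technique": "T1071.001", "prevented": True},
]

# Constructed detection rules. A rule may claim several techniques, and a
# technique may be claimed by several rules (the many-to-many relationship).
# "kind" records whether it is a simple SIEM query or a heuristic EDR model.
RULES = {
    "proc_rundll32_unusual_parent": {"techniques": {"T1218.011"}, "kind": "query"},
    "proc_installutil_lolbin": {"techniques": {"T1218.004", "T1218.011"}, "kind": "query"},
    "edr_behavioural_lolbin_chain": {"techniques": {"T1218.004", "T1218.011", "T1071.001"}, "kind": "heuristic"},
}

# Constructed alert log from the run: rule name -> set of phases it fired on.
ALERTS = {"proc_installutil_lolbin": {3}, "edr_behavioural_lolbin_chain": {3}}


def coverage_report(scenario, rules, alerts):
    """Per technique: which rules claim it, which actually fired on its phase,
    what kind of control fired, and whether the phase is a gap."""
    claimed = defaultdict(set)
    for rule, meta in rules.items():
        for technique in meta["techniques"]:
            claimed[technique].add(rule)
    report = {}
    for step in scenario:
        technique = step["technique"]
        fired = {r for r, phases in alerts.items()
                 if step["phase"] in phases and technique in rules[r]["techniques"]}
        if step["prevented"]:
            status = "prevented"
        else:
            status = "detected" if fired else "GAP"  # claimed-but-silent rules are still a gap
        report[technique] = {
            "phase": step["phase"], "claimed": claimed[technique], "fired": fired,
            "kinds": {rules[r]["kind"] for r in fired}, "status": status,
        }
    return report


def first_detection_phase(report):
    """Earliest phase in the chain where any detection fired, or None."""
    phases = [v["phase"] for v in report.values() if v["status"] == "detected"]
    return min(phases) if phases else None
```

Running it on the sample shows the rundll32 phase as a gap even though two rules claim that technique, which is exactly the conversation Bob describes having with the blue team.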