DeepSec 2023 Talk: Improving Cyber Resilience Through Micro Attack Simulations – Christian Schneider & Kevin Ott
With the increasing adoption of Red Teaming and Purple Teaming in the cybersecurity industry, organizations that have achieved high levels of security maturity can greatly benefit from these activities. However, organizations at the onset of building a security program are often left out. This talk introduces Micro Attack Simulations, an innovative approach that allows organizations to validate specific security controls without waiting for full-blown Red Teaming exercises.
Micro Attack Simulations focus on assessing single or multiple security controls that are already implemented, providing a valuable approach for organizations aiming to bolster their cyber resilience. These simulations not only focus on technical aspects but also consider non-technical security controls such as escalation procedures and reporting paths during security incidents. As a result, organizations can derive specific Red Team unit tests and perform a gap analysis of existing security controls.
The talk will include an anonymized case study that shows the modeling of potential attack trees and the technical execution of a Micro Attack Simulation. The simulation’s goal was to validate security controls around a successful ransomware attack on the server infrastructure, including the encryption and exfiltration of sensitive customer data. The simulation involved actual data encryption, multi-node compromise using Cobalt Strike, separate custom-written out-of-band command-and-control channels, and even placing ransom notes and sending ransom emails to the organization’s official press and communication channels to test crisis management processes.
We asked Christian and Kevin a few more questions about their talk.
Please tell us the top 5 facts about your talk.
- The talk introduces the novel concept of Micro Attack Simulations, a focused approach to validate individual or multiple security controls in an organization’s security setup, which is combined with Attack Tree modeling.
- The simulations are designed to assess not only the technical security controls like firewalls and intrusion detection systems, but also non-technical aspects like escalation procedures and crisis management.
- The simulation uses a multi-method approach, incorporating tools like Cobalt Strike and custom-written out-of-band command-and-control channels for a comprehensive assessment.
- By combining the Micro Attack Simulations with an Attack Tree approach, the holistic view of an organization’s cybersecurity resilience is still maintained.
- The talk will feature a real-world, anonymized case study involving an elaborate simulation of a ransomware attack, aiming to validate the security controls related to detection, response, data encryption, C2 and exfiltration.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
The initial spark came from observing a gap in the industry; while well-established organizations with mature security programs were benefiting from Red and Purple Teaming exercises, smaller organizations or those in the early or intermediate stages of building their security programs were often left behind. When combined with Attack Tree modeling, Micro Attack Simulations can bridge this gap and provide a tailored, modular approach to validate security controls even at the nascent stages of a security program
Why do you think this is an important topic?
The topic is crucial because as cyber threats evolve, so must our defensive strategies. Traditional security assessment methods often require a high level of maturity and resources, making them inaccessible for organizations that are still maturing their security posture. Micro Attack Simulations streamline the validation process, making it easier, quicker, and more cost-effective for organizations at varying levels of security maturity.
Is there something you want everybody to know – some good advice for our readers maybe?
Always consider security as a multi-faceted problem; it’s not just about technology but also about processes and people. One overlooked security control or a poorly designed escalation process (kicking in too late for effective defense) can render even the most advanced technical defenses useless. Never underestimate the importance of non-technical controls in your security architecture.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
In the future, we believe we’ll see a move towards automated Micro Attack Simulations, with machine learning algorithms helping to predict potential vulnerable spots and adjust security controls in real-time. However, the downfall could be an over-reliance on automated systems, which might lead to a lack of human oversight and potentially new, unanticipated types of vulnerabilities. As always, it keeps to be challenging.
Christian Schneider is a renowned security architect, experienced whitehat hacker and dedicated trainer in the field of IT security. With his expertise, he supports companies through penetration testing and security architecture consulting. In addition, Christian guides teams in implementing agile threat modeling practices to promote a proactive approach to security. As an experienced trainer, Christian provides his participants with practical knowledge and best practices to further develop their IT security skills.
Kevin Ott works as a senior red team engineer at Exploit Labs in Germany. He is currently focused on further developing the offensive capabilities, automate deployments and countermeasures, developing custom TTPs and offerings such as “assumed breach” engagements to measure a company’s abilities to detect and react to digital attacks. Before joining the offensive security community, Kevin worked as a technical analyst in the network engineering department of a global financial institution.