
Security for Businesses with Limited IT Resources Part 3

This is the third blog in a four-part series that explores how you can strengthen your own organization's cybersecurity. The first two posts covered threat intelligence, and detection and analytics; this post focuses on adversary emulation and red teaming, and the final post will discuss risk assessment for your company's protection. We aim to fill each article with practical cyber techniques for companies that have limited IT resources and analysts. At ISA, we aim to protect the cyber presence of all Canadian businesses. The safer your company's cyber is, the safer all Canadian cyber is.

Part 3: Adversary Emulation and Red Teaming

Adversary emulation or red teaming is the practice of using tactics, techniques, and procedures (TTPs) to mimic real-world advanced attackers or advanced persistent threats (APTs) in order to train and evaluate the effectiveness of the people, processes, and technologies used in defence of organizations.

Red teams play an important role in evaluating a network's security by actively probing it for weaknesses and vulnerabilities. Red teaming differs from penetration testing and vulnerability assessment, which usually focus on finding and exploiting individual vulnerabilities; red teaming instead assesses the state of the entire network by mimicking the actions a real adversary would take, including their TTPs and goals. Red teaming means assuming the persona of a threat group or actor and carrying out that adversary's TTPs, emulating them along the cyber kill chain. Once you have breached your network, work your way deeper: see what information you can access, what malware you could install (but don't actually install it), and in what ways you could manipulate the system to cause damage or further other malicious goals.

Red teaming can help you answer the following questions:

  • How might a targeted attack on your environment manifest?
  • What could a targeted attacker potentially do with access to your network?
  • How effective is your current cybersecurity position and incident response plan at preventing, detecting, and responding to a targeted attack?

Red Team End Game

Your goal in conducting adversary emulation is to give your company the experience of a sophisticated cyberattack without the damage that accompanies a real event. Once you find where your vulnerabilities are, you are better equipped to strengthen your systems and prevent future attacks. Mirror the current threat landscape as closely as possible. This includes acquiring and using the adversary's own tools where it is safe to do so (never deploy real malware in your environment), or using tools that closely mimic those the adversary uses. The aim is to reproduce, as faithfully as possible, how a real attack would manifest in your systems.

Before you conduct adversary emulation or red teaming, you must first gather threat intelligence on the threat groups and adversarial techniques you’re most likely to face based on your industry and gather analytics so that you understand your cyber environment and how it operates day-to-day. Prior to conducting an adversary emulation, you need to have identified where your high-value assets are stored as they are likely targets for threat groups.

Adversarial emulation attacks can include:

  • Spear Phishing, Phishing and Whaling
  • Malware
  • Open-Source Intelligence Reconnaissance (gathering information through public sources, ex. social media apps)
  • Social Engineering
  • Targeted Web Application Attacks
  • Physical Security Attacks
  • Wireless Attacks

Starting Small Can Net Big Gains

Begin by thinking like a hacker or threat actor. What could they get out of your system that would be of value? Are there financial records that employees can access? Would getting their hands on employee passwords let them steal your intellectual property? What information could they sell to competitors? In other words, what do you have that will make them the most money? Money is the motivation for 76 percent of IT security breaches.[i]

An easy, yet practical, way to start red teaming is to emulate a phishing or whaling campaign at your company and see how employees react. Use a phishing scheme that is reflective of those being used to target your industry currently, based on your threat intelligence. Users are part of your system – it’s not just hardware and software that you need to consider.

Set up an unfamiliar email account and email employees, either asking them to click on a link that you can track or instructing them to send you an important file. How they respond will tell you a lot about your first line of cyber defence. Use a domain and mail account you control, and agree the exercise with management beforehand so that a reported message is handled as a training event rather than a real incident. Do not think of this as tricking your employees, and your aim is not to punish those who click the link or send the file. This is basic red teaming: check your defences, then educate where there were gaps. The reality is that 91 percent of cyberattacks begin with a phishing scheme.[ii] Educating your employees on what to look for, and how to respond when they encounter a real phishing scheme (whether by email, text, or phone), is essential.
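The trackable link described above needs two pieces: a unique, unguessable token per recipient so that a click can be attributed to one person, and a landing page that records the click and then shows the training message instead of anything harmful. The following is an added example written for this post (it is not ISA's tooling or any product's code). The campaign secret, recipient addresses and landing-page URL are constructed for illustration; the tokens are a truncated HMAC of the recipient address keyed with the campaign secret, so employees cannot guess or enumerate each other's links.

```python
"""Phishing-simulation click tracker (added example, not the original page's code).

Each recipient gets a unique link token derived with HMAC-SHA256 from a
campaign secret. Clicks are recorded against the token, and a summary reports
who clicked and the overall click rate. Secret, recipients and URL below are
constructed placeholders, not real data.
"""
from __future__ import annotations

import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Constructed for this example: generate a real secret with secrets.token_bytes(32).
CAMPAIGN_SECRET = b"example-campaign-secret-replace-me"
RECIPIENTS = ["alice@example.invalid", "bob@example.invalid", "carol@example.invalid"]
BASE_URL = "https://training.example.invalid/invoice"  # hypothetical landing page you control


def link_token(secret: bytes, recipient: str) -> str:
    """Per-recipient token: first 24 hex chars of HMAC-SHA256(secret, address)."""
    mac = hmac.new(secret, recipient.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:24]


def build_campaign(secret: bytes, recipients: list[str]) -> dict[str, str]:
    """Map token -> recipient so that a click can be attributed to one person."""
    return {link_token(secret, r): r for r in recipients}


def phishing_link(base_url: str, token: str) -> str:
    """The URL placed in the simulated phishing email."""
    return f"{base_url}?t={token}"


class ClickLog:
    """Records which recipients clicked, and how many unknown tokens arrived."""

    def __init__(self, campaign: dict[str, str]):
        self.campaign = campaign
        self.clicks: dict[str, list[datetime]] = {}
        self.unknown = 0

    def record(self, token: str) -> str | None:
        recipient = self.campaign.get(token)
        if recipient is None:
            self.unknown += 1  # guessed or mangled token; not attributed to anyone
            return None
        self.clicks.setdefault(recipient, []).append(datetime.now(timezone.utc))
        return recipient

    def summary(self) -> dict:
        clicked = sorted(self.clicks)
        total = len(self.campaign)
        return {
            "recipients": total,
            "clicked": clicked,
            "click_rate": round(len(clicked) / total, 3) if total else 0.0,
            "unknown_tokens": self.unknown,
        }


TRAINING_PAGE = (
    "This was a phishing simulation run by your IT team. Nothing was installed. "
    "Next time, check the sender address and hover over links before clicking."
)


def handle_request(log: ClickLog, path: str) -> tuple[int, str]:
    """Landing-page logic: parse ?t=<token>, record the click, show the training text."""
    token = parse_qs(urlparse(path).query).get("t", [""])[0]
    if log.record(token) is None:
        return 404, "Not found"
    return 200, TRAINING_PAGE


if __name__ == "__main__":
    campaign = build_campaign(CAMPAIGN_SECRET, RECIPIENTS)
    for token, recipient in campaign.items():
        print(recipient, phishing_link(BASE_URL, token))
    log = ClickLog(campaign)
    # Simulate one recipient clicking and one bogus request.
    handle_request(log, phishing_link(BASE_URL, link_token(CAMPAIGN_SECRET, RECIPIENTS[0])))
    handle_request(log, "/invoice?t=not-a-real-token")
    print(log.summary())
```

`handle_request` is the part you would wire into whatever small web server hosts the landing page; everything else can run offline to generate the per-person links. Keeping the token-to-recipient mapping and the campaign secret off the web server itself means a leaked server cannot be used to forge attributions.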

Final Thoughts

The third post in the series examined adversary emulation and how red teaming can benefit your company by highlighting weaknesses in your system. Once you've found your vulnerabilities, you are better able to defend your business from cyber attacks. This article builds on the previous threat intelligence and analytics posts to illustrate that once you understand who the adversary may be, and what the adversary can do, you can use that information to test your system.

Cyber threat intelligence, detection and analytics, and adversary emulation all work together to the benefit of a business of any size. Start small, with socially engineered attacks or phishing campaigns. As you get more comfortable, try breaking into your own systems and see how far you can get and what you could get your digital hands on. Adversary emulation is hard. If resources allow, your best defence is to partner with cybersecurity experts who have deep threat intelligence specific to your industry, know how to extract the most from your analytics, and can test your systems the way real attackers would.
