Vulnerability Scanning

Organizations need a vulnerability management program for identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. As a result, vulnerability scanning has become vital to determining potential weaknesses in a computer system or network. Moreover, vulnerability scanning establishes an inventory of the entire infrastructure, seeking to identify the operating system and installed software. Vulnerability-scanning tools can perform authenticated and nonauthenticated scans. Therefore, be sure to configure the credentials during the configuration phase, and the scanner will handle the rest. Many organizations favor using multiple vulnerability scanners interchangeably to offer full coverage of every asset, creating a complete picture of the organizations’ infrastructure. Some scanners are built with a specific scope in mind, whereas others provide broader incorporation of various technologies. Assess your organization’s needs and determine the best choice that supports your defense goals.

The following is a list of commonly known vulnerability scanners:

Nessus

Nessus is a remote security-scanning tool developed by Tenable that examines a computer and shows an alert if it uncovers any vulnerabilities that malicious hackers could exploit. It runs checks on a given host, scanning for over 57,000 Common Vulnerabilities and Exposures (CVE).

Nexpose

Nexpose was developed by Rapid7, and it scans for vulnerabilities while collecting data in real time to provide a live view of an organization’s infrastructure. It has its own scoring scaled from 1 to 1,000, allowing it to provide a more extensive scope and better prioritization of issues. It supports on-premises physical, virtual, mobile, and cloud environments. It is widely used due to its integration with Rapid7’s Metasploit for vulnerability assessment and validation, which helps security teams reduce false positives.

Qualys

Qualys is an advanced cybersecurity tool designed to pinpoint and quantify software security weaknesses and remediate them before threat actors can exploit them. In addition, it supports host discovery and helps internal teams better organize assets by tracking vulnerabilities over time and continually showing status and changes.

Vulnerability Assessment

According to the National Institute of Standards and Technology (NIST), vulnerability assessment is a “systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.”⁷ Vulnerability assessment is more advanced than scanning; findings are verified manually, sometimes including benchmark comparisons or procedure reviews. Vulnerability assessment evaluates whether the system is exposed to any vulnerabilities, assigns severity levels to those weaknesses, and recommends remediation or mitigation. During the manual verification, it is essential to note that no exploitation is involved; this is the main difference between vulnerability scanning and penetration testing, which is discussed next.

Penetration Testing

A penetration test is a simulated cyberattack against a computer system that is performed for the purpose of inspecting exploitable vulnerabilities and determining whether the technology solutions used by the organization can stand up to a cyberattack. Unlike vulnerability assessors, penetration testers take pride in their ability to validate weaknesses and, under controlled circumstances, exploit those flaws.

During a penetration test, a cyber expert examines any identified issues to determine whether an attacker can utilize them to compromise targeted systems or gain access to sensitive information. Host and service discovery involves compiling a comprehensive list of all accessible systems and their respective services to obtain as many details on assets as possible. It includes initial live host detection, service enumeration, as well as operating system and application fingerprinting. Note, however, that penetration testing is heavily determined by the scope of work and is usually time-boxed, which is one of its distinguishing characteristics when compared with red team assessments (discussed next). Thus, the limited scope restricts the tester to a specific host address or range, and often, it can be significantly concentrated on web applications or API endpoints.

Delivering a successful engagement is not simply a test of vulnerability-finding capabilities but also requires a deeper understanding of why the client is requesting the pentest.⁸ Many cybersecurity companies have their own distinct process for executing penetration-testing assessments. From my vast experience, I have chosen to define focus, paradigm, and methodology when building the scope of work:

Focus

Focus is an essential factor for penetration testing because it will define how restricted the scope of work will be. For example, the focus can be a specific API endpoint or an extensive range of IP addresses with many applications running. If the focus is narrow, you have a restricted scope; if it is wide, you have more freedom, optimally providing a broader perspective of the security posture.

Paradigm

A paradigm, or model, of penetration testing will help an organization identify the type of defense process it wants to invest in. For example, if clients request a test of the internal infrastructure, they have an “assume breach” mentality, orienting their strategy toward active defense that aligns with the mindset, “Do not assume that an attack might occur, but assume that it is occurring.” In comparison, clients who request an external pentest usually want to see whether attackers can compromise their defense. This tests the effectiveness of perimeter security controls to prevent and detect attacks against an organization’s public-facing infrastructure.

Methodology

Having a clear methodology for penetration testing leads to realistic goals, expected outcomes, and sound budgeting. Two of the most common approaches are white-box and black-box testing. If a client requires white-box penetration testing, it has to share details and documentation regarding the target system. This guarantees much more extensive and detailed testing coverage but is not as realistic as other methods. In comparison, black-box testing requires no prior information about the target network or application. It enables security experts to look at different security control levels from an attacker’s perspective. However, it is not the best path to follow when you want to test a specific feature or application.

Red Team

Working on a red team (also known as red teaming or just red team) is a practice as old as the role of the devil’s advocate, dating from the eleventh century.⁹ In medieval Europe, to test a candidate’s merit for canonization (into sainthood), the Vatican appointed an official known colloquially as advocatus diaboli (Latin for “devil’s advocate”). This role came with the responsibility to argue against the canonization candidate, hoping to uncover any character flaws or misrepresentation of evidence.

In everyday language, playing devil’s advocate describes a situation where someone, given a particular point of view, takes an alternative position from the accepted norm to explore the thought further using valid reasoning. Military and intelligence leaders started using a similar concept to appoint people to a group they called the red team, to realistically evaluate the strength and quality of various strategies.¹⁰ Since then, red teaming has become common in many fields, including cybersecurity, and organizations use red teams to assess their security by thinking like adversaries.

Red teaming is a stealthy procedure aiming to test people, processes, and technology (PPT), where defenders are unaware of the engagement. It is an assumption-based assessment structured with engagement objectives that can be specific (for example, extracting sensitive data or accessing business-critical applications) or general (for example, assessing whether an adversary can compromise the corporate domain controller). The activity’s success will be measured by how well a red teamer can accomplish these objectives, showing whether or not the organization is capable of detecting and responding to threat actors. During red teaming, the focus shifts from the CVE approach to executing adversary TTP, not to test technology vulnerabilities but to evaluate whether the adversary can achieve a goal, moving from prevention toward measuring detection and response. As Jorge Orchilles put it, “Red Teams may leverage exploits, but they are just a means to an end. Many times, the Red Team may not even need to exploit anything.”¹¹

Framework and Evaluations for Adversary Emulation

If you already have some level of protection, AE can provide valuable insight by allowing you to measure even the security appliances you use for your defense. Therefore, many vendors share the assessment results of their AE to provide transparency for their clients as well as push the industry forward by highlighting potential gaps. These efforts can be better contextualized using standards and frameworks such as the ones offered by MITRE.

MITRE is a nonprofit organization that operates multiple federally funded research and development centers. One of the resources developed by MITRE is the MITRE ATT&CK framework, which provides a common language and taxonomy for describing cyberattacks and the TTPs used by adversaries. The ATT&CK framework is organized around the various stages of an adversary’s attack life cycle, including reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. Cybersecurity professionals widely use the framework to understand and defend against cyber threats and to evaluate the effectiveness of different cybersecurity measures.

MITRE Engenuity is a division of the MITRE Corporation that focuses on advancing the state of the art in cybersecurity through independent evaluations and assessments. Annually, MITRE Engenuity conducts independent evaluations of cybersecurity products through a systemic methodology to help defenders make better decisions. Adversaries are carefully selected to ensure the assessment is realistic and unbiased when estimating the outcomes. The activities focus on the tools’ ability to prevent and detect cyberattacker behaviors and help reflect on their solutions. There are no scores or rankings because the evaluations are not competitive analyses, but they show how the tools approach threat detection.¹⁶

Before you deploy a specific technology, during the procurement phase, you can request AE results or use platforms like ATT&CK Evaluations and compare how much coverage different technologies offer for a particular APT. To review these evaluations, navigate to the MITRE Engenuity website. Then, on the left side, select the adversary and the vendors you want to compare (see Figure 1-3), then wait for a list of all executed TTPs to show. Products receive one of the following detection categories for every substep, allowing you to filter the results based on whether to include or exclude specific detections and providing context to your analysis:

None

The vendor cannot detect activity due to capacity limitations or other reasons.

Telemetry

Detection of this type is usually basic logging of activity, and telemetry alone might not be sufficient.

General

This leaves the security analyst to investigate and determine the next steps because no details are provided as to why the action was performed.

Tactic

This helps answer why an action occurred and provides information on the potential intent of the activity.

Technique

This provides the context and details required to answer why an adversary performed an action and precisely what action they used to achieve their objective.

Figure 1-3 compares FireEye with CrowdStrike on their detection of and response to Wizard Spider and Sandworm.

Figure 1-3. MITRE Engenuity ATT&CK Evaluation results for Wizard Spider and Sandworm emulation plans

You can choose and review the results for a specific technique by selecting a category from the table. You will only find vendors that have requested MITRE Engenuity evaluations. However, even if they are not on this platform, you can directly ask them to deliver AE reports from other third-party providers. When analyzing a technique’s coverage, you must consider its relevance based on the adversary groups and threats your organization encounters.

Currently available emulations on MITRE Engenuity are:

• Wizard Spider and Sandworm

• Carbanak and FIN7

• APT29

• APT3

As shown in Figure 1-3, I’m reviewing the results for Remote Services (T1021), where the adversary connects to 10.0.0.8 using the Remote Desktop Protocol (RDP) on port number 3389. Based on the data, I can conclude that both vendors have the same classification for this technique. This way, you can compare other behavior in the list and decide which solution meets your organization’s security goals.

Benefits of Adversary Emulation

On an organizational level, AE benefits range from managerial (people, processes, and technologies) to developmental (teams adding new tools and skills to their repertoire).

The key benefits of AE are as follows:

• AE involves assessing people, which helps you train them to be more vigilant and technologically prepared to defend the organization.

• AE aids in identifying and assessing potential risks an organization may face. Emulating the TTPs of an adversary enhances understanding of likely threats and their potential impact. This insight informs risk assessments, prioritizes risk reduction efforts, and ensures alignment with business objectives. Evaluating defense effectiveness helps identify areas of over- or underinvestment in security, allowing the organization to adjust efforts accordingly.

• Technology provides the tools to build its defenses and is linked with people and processes. Evaluating technology will help you see what coverage you have and understand whether there is a need for supported means so you can have an ideal security posture.

During the emulation, in many cases, you will need to build tools or automate jobs, resulting in a robust list of resources that can aid in future tasks for you and the blue team. It can be an automated list of TTPs you have specifically developed for the scenario you are executing or a script that helps you collect artifacts in a network system. These resources will benefit you in future activities by saving research time and enabling you to become a better cybersecurity practitioner.

This pattern of benefits is the same regardless of the industry in which you operate. Usually, every organization with some security grade is a good candidate and should be interested in this type of assessment. An interesting hypothetical use case for AE would be if you are operating in the finance sector and you have recently seen increased attacks on your employees through spearphishing campaigns. In addition, your threat intelligence department has notified you that a criminal group classified with the name Carbanak is targeting similar organizations. After analyzing their known behavior, you have reason to suspect it is also a genuine concern to you. Working closely with the CTI department, an adversary emulator will build a detailed plan of operation and help you understand how much defense coverage you have while executing real-world TTPs seen during Carbanak activities.

You can apply this approach to any industry, including critical infrastructures with industrial control systems (ICS) that want transparency to clarify anomaly and threat detection capabilities. Suppose you are investigating some abnormalities in an organization that is part of the electric utility sector. During the investigation, you conclude there is a good chance some of your employees have been visiting suspicious links. As a result, an adversary has attempted to gain access to electric utilities by leveraging watering hole attacks. Thankfully, the threat has been prevented, but after CTI analysis, you have decided to emulate the ALLANITE adversary group, which is known to conduct similar operations.

Transparency and Relevance

One of the critical attributes of AE is transparency, and as straightforward as it may sound, this attribute is one of the hardest to achieve. As discussed earlier, in many traditional cybersecurity disciplines, blue and red teams are discouraged from working together. Even though you will receive reports with reproduction steps and details of the verified issues, there is much valuable telemetry that is not shared with the blue team and, thus, not utilized for defense.

Similarly, blue teams build their own knowledge pools that could help red teamers advance their knowledge and procedures if shared with them—but that rarely happens. Moreover, sometimes follow-up tests can be delayed for months, putting the organization at risk of a real-world cybercriminal discovering or exploiting weaknesses. Because transparency is at the core of AE and there is no need to withhold information, the findings can be mitigated immediately.

Relevance is another crucial factor because the tests conducted must conform to the organization’s needs to increase the likelihood of finding security gaps that constitute vulnerabilities. Even if you mimic an adversary’s behavior, you must ensure that the threat actor applies to that industry. A threat intelligence approach ensures that all tests conducted are relevant, indicating that you are focused on the same objectives an APT would have. You achieve this by collecting data about an organization’s cyber threats and performing analytics to extract usable intelligence (see Chapter 9).

Engagement Planning

When planning AE, you must align it with the organization’s goals. First, you need to understand why the client requires an assessment and what is the current state regarding security. As previously discussed, AE is frequently used to evaluate technology and vendor claims or doubts about a process or human capacities. To standardize the engagement, you can employ the following phases:

Defining engagement objectives

Engagement planning starts with defining engagement objectives, which is the process of identifying and clarifying the goals and objectives of a particular engagement or project. In the context of AE, this might involve understanding the client’s business and its specific security needs, as well as determining what the client hopes to achieve through the emulation. Defining engagement objectives also involves evaluating whether the client is eligible for an AE and determining whether other types of security assessments, such as penetration testing, might be more appropriate.

Researching adversary tradecraft

You will then start to break down adversary behavior and potentially use platforms like ATT&CK to track selected threat actor TTPs. This results in a detailed summary of the adversary tradecraft with many citations of CTI reports and other external resources used during various phases.

Engagement planning

After you have determined what strategies you will use, you should list and plan how to procure and use all resources you will need to conduct the activity; these can be human capacities or software or hardware capabilities. Because you will work with many stakeholders, you must plan cross-department collaboration, especially with developers and the infrastructure team. In an emergency, you must have a clear communication plan to define all essential contacts for the engagement.

Implementing adversary tradecraft

During this phase, you will detail the adversary emulation plan (AEP) and build automation scripts to reduce manual errors, helping you to improve quality and focus on primary objectives. Because you will be working with the blue team, it is essential to map all possible detection and mitigation techniques so that you can offer your assistance during the process of tuning security controls. You will often set up lab infrastructures to try out your collected TTPs before running them on the client’s infrastructure, hoping to identify potential issues that can cause damage after execution.

Executing adversary tradecraft

In this phase, you will start running TTPs in the environment. It is vital to have some method for collecting results because you’ll use this information when you prepare the report of your findings. Because this is not a pentest or red team report, the focus will be on the behavior of the attacker and the defender, focusing on whether the attack is detected, prevented, or missed. Finally, you can use tools like ATT&CK Navigator to visualize defense coverage and provide a holistic view of security from the standpoint of the adversary being emulated.

During the activity, unexpected things can always happen, and most of the time, they are out of your control, so it is essential to have a general plan for how you will deal with them. These strategies will help you keep the focus on the assessment and know how to react when you believe something is going wrong. One approach would be to define a policy on actions to take when events unrelated to the ongoing emulation are detected. To minimize issues, you can define these actions as a process that will aid you in many future activities (see Part II).

Due to the ever-increasing number of adversaries, every industry can be threatened, even though some sectors are more attractive for APTs. As a direct result of this, APT behavior has been documented and categorized by several organizations that have been observing these groups, with much of this work serving as ground to perform AE. Through these types of collaborations within the industry, our knowledge of advanced threats is updated daily. Nevertheless, attack tactics and techniques undergo continuous evolution, and these changes take time to detect. This means defense must be built keeping in mind that it has not been tested against all possible attack vectors of an APT. Therefore, AE is a cybersecurity discipline associated with the observed behavior of threat actors, and AE practitioners thus have a collective responsibility to improve through knowledge sharing.

Adversary Emulation Plan

AE practitioners make detailed adversary emulation plans (AEPs) that provide a way of compiling adversary tactics. Outlining adversary behavior in this way allows other cybersecurity practitioners to actively model APT groups. An AEP can be a single resource or divided into multiple companion documents, including diagrams, an intelligence summary for the threat actor, and exact procedures to be executed in the testing environment. The plan should also include resources such as tools, binaries, libraries, configuration files, installation scripts, and more. These will support the execution phase and allow you to reach the engagement goals. Finally, because in most cases you are working closely with the blue team, it can be beneficial for you to map mitigation as well. It will help you to guide the network defenders toward the optimal solution.

When building AEPs, you should consider the communication between teams because many terms for the same technique can be interpreted differently and thus lead to confusion. That is why speaking a common language makes it feasible to estimate and compare what you see when executing a TTP. In addition, finding common ground will help both sides collaborate more comfortably and concentrate on the activity.

Suppose you want to report that an adversary has established persistence through the use of registry run keys or login items. Instead of this terminology, you can revert to using T1547.001 and T1547.015, as noted in the MITRE ATT&CK framework. Thus, even if the different stakeholders employ other wording, you can agree on a common taxonomy that will help you quickly identify security gaps, assess risks, and eradicate vulnerabilities.

MITRE created the plan shown in Figure 1-4 to showcase the use of the ATT&CK framework and what offensive operators and defenders can do with public threat reports.

As seen in Figure 1-4, this emulation is executed in three phases, helping you understand the entire attack life cycle of APT3, a China-based threat group known to have the objective of exfiltrating industrial intellectual property from the compromised target.¹⁸

Figure 1-4. APT3’s three phases of action according to MITRE

In the first phase, you want to accomplish code execution and control of a system to achieve an initial compromise. It has been reported in numerous cases that APT3, through spearphishing, has tricked its victims into clicking a link to a weaponized website that exploits a critical vulnerability that allows remote code execution in Internet Explorer.

In the second phase, you perform discovery techniques to gain local privilege escalation (obtaining higher-level access to systems). You gather credentials to achieve network propagation by lateral movement (moving to other targets that are the focus of the assessment), ultimately achieving persistence (the ability of malware/attackers to remain on a system after restart).

Finally, in the third phase, you employ the knowledge and access you gained in the second phase to start exfiltrating office documents from the target, using WinRAR for compression and encryption. Ultimately, this emulation succeeds in stealing proprietary information, which can then be used for espionage and sabotaging.

In many cases, you will need to build diagrams to analyze and identify common patterns by not focusing on one specific action but instead modeling a series of behaviors with the goal of better understanding the adversary.

Biggest problem with network defense is that defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.¹⁹

John Lambert

I like this quote from John Lambert because it shows how adversaries operate their activities and the importance of adding this viewpoint when building the defense. By using graphs like the one in Figure 1-4, you will create a much more effective way to communicate high-level principles to management and discuss complicated technical details with the threat intelligence team and defenders.

I see a lot of potential in the practicality of projects like Attack Flow for creating next-generation intel-driven AEPs. Attack Flow is a data model built by the Center for Threat-Informed Defense (CTID) to describe TTPs and combine those flows into behavior patterns. It also includes a corpus of examples to guide you through Attack Flow or investigate well-known cyber incidents. To model these cyber incidents, you can use the Attack Flow Builder, an easy-to-use platform where you can visualize your plan or analyze adversary campaigns.