INTERNAL NETWORK ASSESSMENT

Service Description

In the CAG Internal Network Assessment offering, our advisers provide expertise on two fundamental tenets of cyber security: defensive incident response and offensive attack methodologies. 

Our Methodology

Using offensive methods that emulate attackers relevant to your organization, we compromise your environment in a step-by-step approach, pausing the simulation after each phase to conduct a hands-on incident response investigation.

During this part of the engagement, we focus on knowledge transfer: our incident response consultants sit side-by-side with your security personnel and provide live instruction to determine the effectiveness of your current incident response process, assist in implementing cutting-edge tradecraft that increases your situational awareness of an intrusion, and reduce the time it takes for your personnel to independently investigate and remediate an attack.

By slowing down the attacker lifecycle, our experts can guide your team through an adversary campaign, facilitating operational growth, investigative experience, and program maturity. This way, if you do experience a targeted attack from a malicious adversary, it won’t be your team’s first response experience.

The goals for this test include:
  • Identify vulnerabilities noted as part of the offensive attack activities.
  • Determine areas for improvement in the defensive incident response processes across every phase of the “kill chain.”
  • Identify opportunities to improve preventative and detective capabilities.
  • Document response and remediation activities to return your environment to a secure status.

Sequence of work:

The Internal Network Assessment begins with the delivery and exploitation phases of the kill chain, where we aim to provide immediate value to your organization. These phases mark the first time the adversary and defender engage in a battle for your sensitive data. During them, we will compromise your environment using remote or client-side attack vectors.

Delivery and Exploitation:

Remote Attacks: We will attempt to compromise public-facing infrastructure using available application or system vulnerabilities. We will utilize software similar to that of an adversary; tactics could resemble web shell placement and remote access trojan technologies. If we cannot gain access using the designed intrusion method, or you would prefer not to exploit live infrastructure, then a trusted agent will manually execute the tactic so artifacts are present for investigation.

Client-Side Attacks: We ask that you designate two systems as “grey cell” trusted agents for this phase. The goal of client-side attacks is not simply to exploit a client-side browser. Instead, in a controlled experiment, we will execute a myriad of traditional and cutting-edge client-side exploitation methods to enumerate as many vulnerabilities as possible in the shortest amount of time. This method of testing typically uncovers far more vulnerabilities and possible entry points for attackers to leverage. Our advisers work side-by-side with your team to test each attempt and document every exploitable vulnerability. We will utilize software similar to that of an adversary; tactics will resemble the execution of a remote access trojan using multiple methods. If we cannot gain access using the designed intrusion method, then a trusted agent will manually execute the tactic so artifacts are present for investigation.

Investigation 1

Following the delivery and exploitation phases, we will pause to begin the investigation. Our advisers will work with your security team to conduct host- and network-based analysis of the events that have transpired. We will provide your security team with tips and clues at every step of the way to keep the process moving. The investigation of the delivery and exploitation phases should produce the source and destination of the attack, the exploitation method, identification of rogue processes, and the level of privileged access obtained. Additionally, your team will begin to understand and refine their tools and procedures for initial triage and investigation.

Installation, Command and Control, and Actions on Objectives:

Investigating an adversary’s actions on compromised infrastructure is the most difficult part of a kill chain investigation. To completely understand the organizational risk that results from a breach, you must investigate and interpret the extent of adversarial activity. In today’s world it is not enough to discover malware in your environment – you must be able to develop situational awareness about what systems, data, and methods the attacker used to infiltrate your environment. During this phase of the simulation, our advisers will resume operations, conducting privilege escalation, vulnerability enumeration, access expansion, and simulated data exfiltration in your environment.

Our consultants will use a plethora of techniques to escalate privileges and exploit remote vulnerabilities in a controlled and methodical manner. As a result, your environment will emerge more resilient and resistant to attacks. Our team will utilize different methods of persistence and code execution, giving your security team a depth of experience they can get nowhere else. A variety of lateral movement methods, tiered by sophistication, are used to demonstrate different attacker methodologies and to challenge your security team during their investigation. Finally, our team will leave behind artifacts that are representative of attackers at multiple sophistication levels.

Investigation 2

Following the phase covering actions on the compromised infrastructure, we will again pause our attack to begin the investigation. Our advisers will work with your security team to conduct host- and network-based analysis of the events that have transpired. Once again, we will provide your team with every detail of the attack. Our team of experts will guide your team through the investigation of all accessed systems. The end result will be a complete report of the adversary campaign produced by your team.

Investigation 3: Remediation

Once actions on objectives are complete, we will design and execute a remediation plan that expels our team from your environment, returning you to normal network operations.

Our Deliverables

We will provide several deliverables during this engagement.
  1. You will receive a documented report of all the vulnerabilities our team used to infiltrate your environment. The vulnerability report will provide a checklist of actions for your team to begin hardening your environment against attacks.

  2. You will receive our evaluation of your strengths and weaknesses in your ability to effectively respond to an intrusion. Our team will highlight process, methodology and technology gaps that hinder your future ability to respond to an intrusion. You can use that information to help prioritize your tactical and strategic investments.

Our written deliverables will include:
  • Summary of public risk exposure to your organization
  • Summary of the vulnerabilities exploited during the simulation
  • Summary of the tactics, techniques and procedures used during the simulation
  • Observations and recommendations from the hands-on incident response training conducted during simulation pauses
  • Recommendations on process, methodology and technology deficiencies observed by our team during the entire simulation