Adversary Simulation Exercise
Adversary Simulation Exercise ⫘
Service Overview ⫘
The Adversary Simulation Exercise challenges your organization's capabilities to detect, prevent, and respond to an unknown, sophisticated threat actor with specific goals and objectives that are tailored to your environment and a realistic threat model. The Secureworks Red Team adopts customized tooling and techniques as needed to assume the role of a unique threat actor. Through simulating a realistic attack by a unique adversary with non-attributable tactics, techniques, and procedures, the objectives of the exercise are as follows:
- Identify deficiencies in security controls and alerting that could allow a threat actor to act on their goals and objectives unimpeded.
- Train your defenders to spot indicators of compromise from unknown threats.
- Test assumptions about detection and prevention against tactics and techniques that require deeper drilling into attack primitives.
While the Adversary Simulation Exercise is largely geared towards organizations with a moderate amount of security maturity, Secureworks offers two tiers and customization options for the exercise to better help train defenders regardless of your current level of security maturity. This allows for scalable sophistication as well as an option to focus only on the internal network from a post-breach context for organizations who are more interested in examining detection, prevention, and response capabilities from this standpoint only. The following table describes the differences between the two tiers.
| Adversary Simulation Exercise - Lite | For organizations who are less concerned with their perimeter and social engineering defenses and who primarily would like to test assumptions about detection, prevention, and response capabilities for activity within the internal network, the "Adversary Simulation Exercise – Lite" takes place over two weeks from an assumed breach context, such as starting from a compromised endpoint or compromised credentials through a VPN or virtual desktop environment. The Lite option is also an attractive option for organizations who are looking for a shorter exercise duration. |
| Adversary Simulation Exercise - Standard | The Standard tier of the Adversary Simulation Exercise examines the detection, prevention, and response capabilities of your organization covering all phases of an attack starting from an assessment of perimeter assets and external footprint, social engineering campaigns for initial access, and ultimately moving to the internal network where consultants will aim to act on goals and objectives established during a pre-engagement kickoff meeting. While the Adversary Simulation Exercise strives to test defenders against a highly sophisticated threat actor, the exercise can be customized to reduce sophistication and adopt more common tactics, techniques, and procedures (TTPs) based on your organization's comfort and security goals. |
Three main features differentiate the Adversary Simulation Exercise from a standard penetration test:
- Incorporating real world, business-impacting goals that resonate with management and executives.
- Using covert attack methods that defeat many security countermeasures, allowing blue teams to improve detection and defenses, and to tune their existing devices to detect advanced methods.
- Using blended attacks that combine various techniques and customized tooling, which may include the following components:
- Open-Source Intelligence ("OSINT") gathering
- Social engineering such as phishing and vishing
- External perimeter attacks
- Malware detonation and command and control
- Internal network attacks and lateral movement
- Wireless attacks (add-on required)
- Physical security attacks (add-on required)
Service Methodology ⫘
The Adversary Simulation Exercise is conducted following each tactical phase of the MITRE ATT&CK framework using a combination of proprietary, commercial, and open-source tools to ensure a complete assessment of detection, prevention, and response capabilities. A high-level overview of the exercise methodology is summarized below:
-
Reconnaissance: Secureworks begins by passively investigating public information sources to collect data on your organization in a process known as Open-Source Intelligence (OSINT) gathering. Active reconnaissance is also performed to gain information about publicly exposed assets and services to probe for potential vectors for a breach or data that can be utilized in subsequent phases of the exercise.
-
Planning and Preparation: The data collected during the reconnaissance phase is analyzed and used to drive decisions for the formulation of an effective social engineering campaign and to strategically assess any discovered vulnerabilities for the likelihood of success, risk of detection, and efficacy in furthering testing objectives.
-
Perimeter Breach: Social engineering campaigns developed during the planning phase, or the exploitation of discovered vulnerabilities is performed to bypass the security perimeter to gain access to restricted internal networks and resources. This can include compromising users' workstations or public-facing servers, or direct access to cloud-hosted services and resources allowing direct access to information or a foothold to move deeper into the internal network.
-
Internal Access: Once breaching the perimeter and establishing a foothold, Secureworks will attempt to set up persistence within the environment followed by lateral movement to other systems and resources to discover paths to escalate privileges which facilitate accomplishing goals and objectives.
As the exercise is constrained by time limitations unlike true adversaries, if Secureworks is unable to find a way to breach the perimeter through exploitation or social engineering in a pre-determined timeframe, an assumed breach model will be adopted to progress the exercise to the internal access phase. The assumed breach scenario can be decided during the kickoff meeting scheduled well in advance of start of the engagement, and there are several potential options such as endpoint compromise with command-and-control malware or credential compromise with VPN access.
- Follow-through on Goals and Objectives: After expanding influence in the target environment through lateral movement and privilege escalation, adversaries will begin to act on their goals and objectives. Secureworks will attempt to covertly achieve the goals and objectives that were established prior to the exercise. This includes attaining intellectual property, exfiltrating sensitive data, compromising and subsequently poisoning development operations pipeline, and other objectives for which an adversary would target your organization.
The exercise assesses whether current security controls and personnel can mitigate and evict adversaries before they are able to follow-through on their goals and objectives. If Secureworks consultants are successfully evicted from the environment, as opposed to using the remaining time attempting to re-gain access, it is encouraged to proceed into a phase that only monitors subsequent activities to gain a full picture of the latter portions of the kill chain, and to identify potential security gaps.
Outcome ⫘
Upon completion of active exercise operations, Secureworks performs a thorough review and analysis of data and logs that were collected during the engagement.
Secureworks maintains comprehensive documentation of how the goals and objectives were achieved. The documentation is used to develop a report containing details of the penetration, the techniques and tools used, the vulnerabilities and systems exploited, the path the tester took through the environment, and how well your organization was able to detect, prevent, and respond to threats. Activities performed during the exercise are tied back to the MITRE ATT&CK® framework to better illustrate and deepen knowledge of threat models. The report contains a complete narrative with supporting documentation, such as screenshots, code snippets, and other forms of evidence.
Scoping Information ⫘
| Description | Exercise Duration |
|---|---|
| Adversary Simulation Exercise - Standard | 4 weeks |
| Adversary Simulation Exercise - Lite | 2 weeks |
| Add-on: Extended Time* | Starting from 1 week |
| Add-on: Physical security attacks component - One (1) location ** | - |
| Add-on: Wireless - One (1) location | - |
*Additional time can be added to the exercise if desired; however, please note that extra time will be a requirement if the goals and objectives of the exercise warrant additional time as determined during a scoping call.
** Due to the unique nature of physical social engineering, additional scoping will be required. This includes a scoping teleconference with a member of the Secureworks physical security testing team, and additional legal protections for both you and Secureworks.
The complete Service Description for this service can be found here: Adversary Simulation Exercise
Scheduling and Booking Information ⫘
See Service Scheduling for information about scheduling this service.