War Games: A WOPR of a Security Test (part 1)

Recently, in what was an interesting change to the usual technical and risk/compliance focused consultancy, our Security Advisory Services carried out a War Games exercise – which is similar in style to a “red team” engagement. This short series of posts aims to describe the experiences and benefits of conducting these types of engagements.

Those of you reading this who are in the penetration testing business, or have been through the process on the receiving end, will know that a typical security assessment is fairly tightly scoped to include specific components or aspects of a service or environment. During the assessment, the Security Services team will endeavor to identify all security issues and use them to provide an understanding of the risks to which our client may be exposed.

In this case, the War Games engagement was much more scenario-based. What we were attempting to do was not to identify all possible ways in which an attacker could exploit security weaknesses, but rather the most effective way an attacker would use security issues to achieve certain goals.

Whilst it might seem as though it was a broad spectrum “plug in and let’s party” type of exercise, we approached this as if it were a series of “missions” that in isolation could identify the likelihood of an attack: Being detected, being blocked, succeeding, failing. These scenarios could then be evaluated as links in a chain that would then result in the enumeration of viable attack vectors (real world attack vectors that would work).

What made this a War Game is not just that we were the attackers. There was a defending team, too.

They were not made aware of the date of the engagement, but once it began and if they were to detect us, they would score “points” and we would select either a different vector, or methodology. Each of the scenarios had a goal, for instance: the undetected exfiltration of dummy data of varying sizes, the introduction and execution of pseudo-hostile code that would mimic a remotely controlled backdoor, breakout from a standard build locked-down laptop and then elevation of privileges, and a phishing attack that would result in the harvesting of credentials.

Various threat actors were also defined, such as “The Malicious Insider”, “Limited Duration Access To Meeting Room Guy” or “Mr Trusting”. These actors enabled us to tailor the scenarios and objectives so that we could use them to evaluate the window of opportunity, level of knowledge required and what the level of risk to the attacker could be.

So, walking into this War Games engagement with our client, we needed to:

  1. Bypass their secure mail gateway: Could we get users to click on a link that would take them to a website we controlled and get them to input credentials (also useful in the sense that it could be a potential vector for browser-based exploitation)?
  2. Assess their endpoint security: Could we infiltrate and achieve code execution of hostile code via email; dirty executables or malicious PDF files?
  3. Validate whether an internal education scheme designed to teach the wider business about physical security had been effective: Could we physical social engineer our way onto their site?
  4. Help them understand and improve their SOC’s capabilities: With limited duration could we gain access to their corporate LAN? What could we do? Would the SOC catch us, i.e. what happens with Mr. Nasty and a vacant meeting room?
  5. Validate their data loss prevention (DLP) system: Could we exfiltrate sensitive PII or financial data of varying sizes via the corporate network?
  6. Assess their standard build: What could a complicit or malicious insider do using just a standard build laptop?

In the next part of this series, we will cover how we used these scenarios to develop fully fledged attack vectors and defined a suitable team for the engagement.