
The underside of an offensive security approach

17 June 2025

To reinforce the protection of your IT environment, your data and your critical applications, it is important to put them to the test regularly. Attackers, as we know, seek to exploit the slightest loophole. Given sufficient resources and time, they are likely to be able to penetrate any system.

"For cybersecurity teams, it is therefore important to try to identify directly exploitable vulnerabilities in order to limit the possibility of an intrusion or, should one occur, to guarantee the best possible protection for systems considered critical. To achieve this, it is essential to use realistic offensive security approaches", explains Thomas Pianezzola, member of the Cyberforce Offensive Security team.

Real-time attack simulations

How does it work? DEEP's Cyberforce Offensive Security team offers a range of support services to organisations wishing to put their entire security system to the test. In the field of cyber security, we often talk about a "red team": a team tasked with trying to penetrate a company's IT systems in order to reveal the flaws.

"We can do this in a variety of ways. However, for the exercise to be as conclusive as possible, the best thing is to simulate the real conditions of an attack", explains Anthony Maestre, another member of the team. This is known as Adversary Simulation. "Depending on the customer's wishes, we can act with great freedom or target a very specific attack vector, such as phishing, social engineering or attacking exposed servers", continues the expert.

All means are good

If they have a great deal of freedom, the team in charge of the attack will act as real attackers would, by setting up phishing campaigns to harvest credentials or deliver malware, or by trying to penetrate physical infrastructures. "To get into the system, any means are good enough. We proceed in the same way as those who are really trying to get into the company. We can use IT approaches, but we can also try to get into buildings, even if it means picking locks", says Thomas Pianezzola.

Progressing under the radar

Once inside the system, the Red Team's mission is to test the robustness of the security system. If it is strong enough, with reinforced controls and well-segregated elements, the attackers' freedom of movement should be limited. "Beyond obtaining initial access, the most complex task is to maintain it. The challenge is to move laterally - in other words, to move deeper into the infrastructure, without being detected. The objective, more often than not, is to obtain the highest level of privileges", explains Anthony Maestre.

Testing detection and response capabilities

The team responsible for attacking the organisation's systems must not only reveal the flaws, but also test the detection and alert management capabilities of the people in charge of protection (the "Blue Team", in the jargon). With this in mind, the offensive team does not hesitate to intervene outside office hours: in the evening, at night or at weekends, at times when vigilance is flagging.
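As an added illustration of the point above (this is not code from the article or from the team it describes), here is a minimal detection rule a Blue Team might run over authentication logs to surface successful logins outside business hours or at weekends. The log format, the 08:00 to 19:00 window and the `svc-backup` allow-list are assumptions made for the example.

```python
from datetime import datetime, time

# Constructed sample log lines (not from the article):
# ISO timestamp, account, result, source address.
SAMPLE_LOG = """\
2025-06-17T09:12:04 alice LOGIN_SUCCESS 10.0.4.21
2025-06-17T22:47:31 alice LOGIN_SUCCESS 10.0.4.21
2025-06-18T03:05:12 svc-backup LOGIN_SUCCESS 10.0.9.3
2025-06-21T14:30:00 bob LOGIN_SUCCESS 10.0.4.77
2025-06-18T23:10:45 carol LOGIN_FAILURE 10.0.4.90
"""

# Assumed business-hours window (local time of the logs).
BUSINESS_START = time(8, 0)
BUSINESS_END = time(19, 0)
# Assumed allow-list: accounts expected to act outside office hours.
SCHEDULED_ACCOUNTS = {"svc-backup"}


def is_off_hours(ts: datetime) -> bool:
    """True at weekends (weekday() 5 or 6) or outside the business window."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def parse_line(line: str):
    ts_str, user, result, src = line.split()
    return datetime.fromisoformat(ts_str), user, result, src


def off_hours_logins(log_text: str):
    """Return (timestamp, user, src) tuples for successful logins that fall
    outside office hours and do not come from a scheduled account."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = parse_line(line)
        # Failed attempts and allow-listed accounts are out of scope here.
        if result != "LOGIN_SUCCESS" or user in SCHEDULED_ACCOUNTS:
            continue
        if is_off_hours(ts):
            findings.append((ts.isoformat(), user, src))
    return findings


if __name__ == "__main__":
    for finding in off_hours_logins(SAMPLE_LOG):
        print("off-hours login:", *finding)
```

On the sample above the rule flags alice's 22:47 login and bob's Saturday login, and ignores the scheduled backup account and the failed attempt.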

If they manage to slip in under the radar, the challenge is to demonstrate, by documenting their actions, their ability to compromise the company's systems and infrastructure, from stealing credentials to potentially installing persistent malware. "The aim of this type of exercise is not only to assess a company's detection capability, but above all to measure the effectiveness of its response to scenarios that are close to real-life conditions", explains Thomas Pianezzola.

The end justifies the means

The big difference between the team in charge of the simulation and real attackers lies essentially in the means at their disposal. An offensive exercise is obviously limited by the time and budget that the organisation devotes to it. Generally speaking, the simulation takes place over two weeks. "Attempting to penetrate a system from the outside is one thing. However, if we don't succeed after a few days, we suggest that the customer adopt another approach", adds Anthony Maestre. "For example, the customer can grant us access to their systems via an assume-breach scenario, such as compromising VPN access, an employee's computer or a web server, with the aim of testing the security of the information system once the attacker is inside. However, we have to assume that if a real attacker really wants to penetrate a system and has the time, he will succeed."
