Avatar

Have you ever wondered about how the everyday information available on your network could compromise your entire organisation?

I lead the Cisco Security Advisory Services team in EMEAR.  We recently performed a “Red Team” exercise in which our client set us the objective of attempting to gain access to their client database.

For the uninitiated: “Red Teaming” can include many different elements as our assessments are uniquely tailored to our individual Clients. Generally speaking, it’s a goal-orientated security engagement designed to give a snapshot assessment of your organisation’s complete response to a simulated compromise (i.e. evaluate the success of the “Blue Team”). What it boils down to is that a Red Team simulates real-world scenarios, assessing genuine responses to a breach, as opposed to the `on-paper’, theoretical approach of a traditional audit; which will provide an accurate view if your breach runs smoothly like a training exercise.

Now, for many getting “hacked” means nefarious individuals in hoodies running cool exploits, dropping shells on boxes, breezing through firewalls and authentication mechanisms and lots of slow moving progress bars. However, these approaches make a lot of noise and are likely to alert the “Blue Team” to your presence. In a Red Team, we want to see just how far we can get before the Blue Team notices we’re there, so we used more subtle means to slip in undetected.

In reality, it’s not hackers blasting your carefully constructed access controls out of the water. It’s once people are already inside your organisation that you’re in trouble. The information made readily available to make employees’ lives easier is the information that can be used to compromise the organisation and steal your data. In this engagement, our Red Team achieved their goals using only information available to every employee in the organisation.

You may be shocked to learn that during the engagement, our Cisco Security Services team were able to:

  • Steal over 1,000,000 credit cards – at an estimated value of around $30 per card in Europe, this data would be worth $30M to an attacker.
  • Compromise Personally Identifiable Information (PII) and exfiltrate it from the network undetected.
  • Gain visibility of all financial transaction data and:
    • Change suppliers’ payment information to our own accounts
    • Access HR systems and Payroll to change the accounts to which employee salaries were paid

As you can see, the costs on a breach of this scale are incalculably high when you consider the devastating impact on the client’s brand, physical financial theft, and subsequent incident management. Although this use case was a simulation, it reflects real-world impact:  the multiple costs of the recent Talk-Talk breach, including brand damage, have been valued at $70M. Additionally, a report from CGI Group and Oxford Economics identified a direct correlation between share prices and security breaches:

  • Average drop of 1.8% on a permanent basis
  • One company’s valuation was reduced by 15%

It is worth noting that, come May 2018 under General Data Protection Regulation (GDPR) being enacted in Europe, our client could have incurred fines of around €520M. UK firms are not currently required to issue notifications of a breach. When GDPR comes into effect next year, they will have 72hours to do so. It is suggested that this could raise the lost shareholder value across the European markets by a factor of 10. Under GDPR, organisations will be liable for fines of €20M or 4% of annual turnover, whichever is higher.

In this Red Team engagement, we replicated the actions of standard users, using information sources typically available on most corporate networks, such as intranet, departmental wikis, and network shares. Got any of those?  These are rarely monitored closely enough to pick up on the odd “Access Denied”, which makes them perfect for a sneaky entrance.

Using only this information, the Red Team gained full access to the client database and their target data, along with multiple other restricted environments. Not only that, but we also compromised the HR systems and payroll and were able to alter their supplier’s payment information.

And the Blue Team?

Not a peep! They never saw a thing. We just slipped in under the radar using what was lying around available to anyone on the network. No network scans, vulnerability scans or any exploits. No anti-virus triggered and we didn’t brute-force any passwords or create new users – all actions almost guaranteed to set the alarm bells ringing.

Now we’re good, but not that good. Fort Knox’s security systems would have caught us red handed (pardon the pun). So what happened here? Were they sedated and hog-tied in the basement with gaffer tape over their mouths? No.

There were gaps in monitoring, security tools and procedures that allowed us to achieve our goals without being seen. The unfortunate truth of the matter is that these gaps and bad security practice exist in the vast majority of organisations; alongside issues with the real-world performance of organisations’ security operations, they are often only identified and evaluated off the back of objective-driven security assessments like Red Teaming.

It’s not all doom and gloom…

Once you know your weaknesses, you can close or mitigate vulnerabilities.  We’re proud to say this particular client is currently strengthening their defences with the help of Cisco.

Wouldn’t you rather be prepared for a breach before it happens?  Learn more about our Cisco Security Services team and how we can help you improve your time to threat detection and response.  We can help you by running a Red Team exercise, conducting network penetration testing, preparing an incident response plan and much more.



Authors

Paul Docherty

Senior Director.

Cisco Security Advisory Services for EMEAR