How many times have we watched a movie where there’s a blaring siren and a loudspeaker with a stern voice shouting, “This is not a drill!” It’s a counterpoint to the idea that the military and law enforcement spend a lot of time running drills to show how they would respond to threats. The only way you know how you would react is to see how people perform in a realistic situation, even if it is a simulation.
How do we replicate this kind of action in IT security, though? We’ve had a lot of success with things like phishing simulations to help people see what suspect emails look like. We can train them to see what happens when they click on it and why they need to be vigilant. But what about other things? How can we simulate what happens when someone gets tricked by social engineering? Can we assume that our perimeter is solid? Can we create a drill that will drill down deep into the infrastructure?
Playing for Keeps
During RSA Conference in February, I had a chance to stop by the XM Cyber booth and talk to them about their attack simulation platform. It does exactly what you would expect it to do. It simulates a variety of attacks on various parts of your infrastructure. You can program it to do quite a few things to keep your systems secured.
Want to know what would happen if someone managed to compromise a password from one of your users? XM Cyber can show you exactly how it will spread. Only it will also show you some of the other things you might have neglected, like local service accounts with escalated privileges and weak passwords. XM Cyber will act just like an attacker would and try to exploit that hole in your protection. It will compromise the account in a virtual attack and use those credentials to attack other servers. It can find the things that you have forgotten about.
How about using a fake social engineering attack to footprint and recon the network? XM Cyber can simulate that as well. While it’s not built to specifically act as a social engineer, you can feed it as little or as much as you want and let it run to see what it can find. Perhaps you have a new database cluster coming online in a protected area and you want to see how visible it is to the outside world. XM Cyber can act like one of your users and run with it to see if it can find the target.
XM Cyber can also escalate past your local environment. If you’re using cloud as a part of your environment, the attack simulation can run and see if it has access to those resources as well. It’s better to learn now that you aren’t shielded from having a resource exhaustion attack performed on your VPCs than it is to try and negotiate the bill after the fact.
Purple Infrastructure Eater
It may sound like XM Cyber is the perfect thing for your red team to use to run penetration tests against your defenses. But it’s also a great tool for the blue team to test their own deployments as well. Want to run a proof-of-concept test for a new security appliance? Let XM Cyber work on it for you. Want to figure out how well your lateral movement controls are protecting workloads in a multitenant environment? Don’t guess; just let the platform do it for you.
The best part for blue teams is that XM Cyber has a full reporting suite that can tell you what the compromised and how they did it. So instead of guessing how they were able to jump in and attack your crown jewels you can instead focus on how you can protect it. XM Cyber reports can also be used as great leverage for policy changes inside an organization. If you have an official report stating a weak password policy and credential rotation nightmare is a bad idea, it will go a long way to persuading the stakeholders to make the changes that you need.
Bringing It All Together
If you’re in a heavily regulated vertical, like financial or critical infrastructure, it’s a slam dunk to get something like XM Cyber in your environment to make sure you’re secured. This is the kind of tool you need to set up and run on a regular basis to find the holes before the attackers do. It’s better to bleed a little from a drill than it is to get drilled by the press and regulators about why you let this happen.
For more information about XM Cyber and their offensive security platform, make sure to check out http://XMCyber.com
