Development and operations a practical guide
Poor or Lack of Security Monitoring
Download 4.62 Mb. View original pdf
|
- Navigate this page:
- Social Engineering (SE)
| Poor or Lack of Security Monitoring A lack of security monitoring allows a threat to use a more extensive toolset. Tools or techniques that maybe loud or trigger a response may work just fine in an unmonitored environment. This oversight provides a threat with much greater flexibility and capability. A Red Team can take advantage of an unmonitored network. A common operational impact is data exfiltration. Perhaps a target organization has propriety sensitive intellectual property. Exposures of this information could significantly harm the organization. A Red Team can test the ability a threat has to gain access and exfiltrate the data. Alack of monitoring may allow the threat to access and steal the data without being noticed. Blue Teams that have a weak security monitoring process will not identify malicious traffic or changes made by a threat. Defensive tools are great but must be configured and tested to ensure they are operating as expected. Remember, the primary role of the Red Team is to facilitate the improvement of an organization's defensive posture. Social Engineering (SE) Social engineering is exploiting weaknesses inhuman nature. Red Team engagements often rely on social engineering to support goals. This is typically used in the following areas: Phishing ● Sending an email to entice an end-user to provide sensitive information or to deliver a payload ● Can be used to deliver a malicious payload ● Can be used to facilitate in-person SE ● Can be used to facilitate physical access Telephoning/Texting ● Calling or texting to entice an end-user to provide sensitive information ● Can be used to facilitate either phishing or in-person SE ● Can be used to facilitate physical access In-person pretexting ● In-person social engineering is typically used to support a physical breach Use Caution Social engineering (especially Phishing) works, period. But, this is not always the best option. There are political risks associated with SE a user. For example, Phishing campaigns that work well may harass or even embarrass end users. Use caution when creating a phishing campaign. Many targets of phishing require the campaign to be approved before the emails are sent. This may protect the organization but can also limit the success rate of a phish. In cases where phishing is risky, consider white carding. A solid strategy is to send a phishing email to a trusted insider. That person will click links or provide information as directed by the phish. This allows a phishing payload to be delivered in apolitically safe manner while allowing the phishing email to touch all the security defenses. This model uses the assumption that a user will succumb to a phishing attack. The challenge for the Red Team is to bypass the security protections designed to protect users from themselves. A phish that leads to the compromise of a single system maybe acceptable. A phish that leads to the compromise of an organization is not acceptable as multiple failures must have occurred in organizational controls (technical, policy, procedural, etc. The authors are aware these are controversial statements and provide the following concepts for thought. Download 4.62 Mb. Share with your friends:
|