ThreatLedPenetrationTesting
Agenda
About me
Penetration testing vs red teaming
What is Threat Led Penetration Testing (TLPT)
Why and when
DORA Article 23 proposal
Who
Methodologies, frameworks and playbooks
Company wide TLPT
Assessment life cycle 1/2
II Preparation: Approved cyber kill chain 1/4
II Preparation: Approved cyber kill chain 2/4
II Preparation: Approved cyber kill chain 3/4
II Preparation: Approved cyber kill chain 4/4
Assessment life cycle 2/2
I Planning
II Preparation
III Exercise execution
IV Lessons learned
Product wide TLPT
More from me
Thank you
About me
How I recharge
Let's change the way we eat
Let's change the way we live
And let's change the way we treat each other
My professional expertise
More than 10 years' professional experience, most of which was gained in
the UK
BSc Computer Network Security in the UK
MSc Information Security in the UK
Certs: OSCP, OSEP, GDAT, CRTP, CRTE, CRTO, CRTSv1 and more …
Linkedin
https://www.linkedin.com/in/iliyan-velikov-7a895253
Penetration testing vs red teaming
Penetration testing
“At its core, real Penetration Testing is testing to find as many vulnerabilities and
configuration issues as possible in the time allotted, and exploiting those
vulnerabilities to determine the risk of the vulnerability. This does not
necessarily mean uncovering new vulnerabilities (zero days), it's more often
looking for known, unpatched vulnerabilities.”
Red teaming
“A Red Team Assessment is similar to a penetration test in many ways but is
more targeted. The goal of the Red Team Assessment is NOT to find as many
vulnerabilities as possible. The goal is to test the organization's detection and
response capabilities.”
Rapid7: https://www.rapid7.com/blog/post/2016/06/23/penetration-testing-vs-red-teaming-the-age-old-debate-of-pirates-vs-ninja-continues/
PWC Malta: https://www.pwc.com/mt/en/publications/technology/red-teaming-and-penetration-testing.html
What is Threat Led Penetration Testing (TLPT)
TLPT definition
“TLPT means a framework that mimics the tactics, techniques and procedures
of real-life threat actors perceived as posing a genuine cyber threat, that
delivers a controlled, bespoke, intelligence-led (red team) test of the financial
entity’s critical live production systems”
Purple team definition
“A purple team is a group of cyber security professionals who simulate
malicious attacks and penetration testing in order to identify security
vulnerabilities and recommend remediation strategies for an organization’s IT
infrastructure. The term is derived from the color purple, which symbolizes the
combination of both red and blue teams.”
Law Insider: https://www.lawinsider.com/dictionary/threat-led-penetration-testing-tlpt
Crowdstrike https://www.crowdstrike.com/cybersecurity-101/purple-teaming
Why and when
DORA
“DORA creates a regulatory framework on digital operational resilience whereby
all firms need to make sure they can withstand, respond to and recover from all
types of ICT-related disruptions and threats. These requirements are
homogenous across all EU member states. The core aim is to prevent and
mitigate cyber threats.”
“The Digital Operational Resilience Act (DORA) is an EU regulation that entered
into force on 16 January 2023 and will apply as of 17 January 2025”
DORA key message that is currently under consultation
“the criteria used for identifying financial entities required to perform threat-led
penetration testing (TLPT),”
DORA: https://www.digital-operational-resilience-act.com
DORA: https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
DORA: https://www.eba.europa.eu/joint-regulatory-technical-standards-specifying-elements-related-threat-led-penetration-tests
DORA Article 23 proposal
“3. Financial entities shall contract testers in accordance with Article 24 for the
purposes of undertaking threat led penetration testing.
Competent authorities shall identify financial entities to perform threat led
penetration testing in a manner that is proportionate to the size, scale, activity
and overall risk profile of the financial entity, based on the assessment of the
following:
(a) impact-related factors, in particular the criticality of services provided and
activities undertaken by the financial entity;
(b) possible financial stability concerns, including the systemic character of the
financial entity at national or Union level, as appropriate;
(c) specific ICT risk profile, level of ICT maturity of the financial entity or
technology features which are involved.”
DORA: https://www.digital-operational-resilience-act.com/DORA_Article_23_(Proposal).html
Who
Are the DORA requirements applicable to my organisation?
Financial entities (e.g., Bank, Crypto/Blockchain, Insurance provider, Private
pension scheme etc.)
Are there other local requirements applicable to my organisation that
require a purple team or TLPT to be performed?
The art of war by Sun Tzu
“If you know the enemy and know yourself, you need not fear the result of a
hundred battles. If you know yourself but not the enemy, for every victory gained
you will also suffer defeat. If you know neither the enemy nor yourself, you will
succumb in every battle.”
DORA: https://www.digital-operational-resilience-act.com/
Local regulation: ЗАКОН за киберсигурност (Bulgarian Cybersecurity Act)
Methodologies, frameworks and playbooks
TIBER ECB 2018 (CSTAR -> CBEST 2017)
Lockheed Martin’s – The cyber kill chain
Mitre’s - ATT&CK framework and Engenuity
Scythe - Purple Team Exercise Framework (PTEF)
Pan-Unit42’s - Playbooks
etc.
TIBER ECB: https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf
Lockheed Martin: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
MITRE: https://attack.mitre.org
MITRE: https://attackevals.mitre-engenuity.org/methodology-overview
Scythe: https://github.com/scythe-io/purple-team-exercise-framework
Pan-Unit42: https://pan-unit42.github.io/playbook_viewer
Company wide TLPT
Assess all company assets
Longer engagement compared to a standard penetration test
Requires more time, people and tools
Most of the time requires code/scripts/tools to be written
Requires regular interaction with key stakeholders
More on the next few slides
Assessment life cycle 1/2
I Planning (consulting firm A and ACME)
An organisation (which may be a different organisation from the one that will
execute the purple team assessment) performs threat intelligence activities to
identify threat actors and threats applicable to the client (hereinafter ACME)
The consulting firm A delivers the threat intelligence report to ACME
II Preparation (consulting firm B and ACME)
Plan and agree the details of the cyber attack simulation with key ACME
stakeholders (i.e., approved execution chain)
Agree key milestones that are to be communicated and when these are to
be communicated
Clarify the communication chain
MITRE: https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf
II Preparation: Approved cyber kill chain 1/4
Consulting firm A has provided a report with threat intelligence that ACME can
share with another consulting firm
https://blogs.blackberry.com/en/2024/01/mexican-banks-and-cryptocurrency-platforms-targeted-with-allakore-rat
II Preparation: Approved cyber kill chain 2/4
Fail to Prepare == Prepare to Fail
Reconnaissance
Passive or active?
Weaponisation
Public or custom-built exploit?
What should the exploit do?
In simple plain language that everyone will understand but
detailed enough. You do not need to go to the level of
0xDEADBEEF or 0xBABACECA.
II Preparation: Approved cyber kill chain 3/4
[Per-phase table columns on the slide: MITRE TTP | Alert Expected]
Fail to Prepare == Prepare to Fail
Delivery
What channel will be used by the consultants to deliver the exploit
(email, iMessage etc.)?
Exploitation
Does ACME want to be informed as soon as a successful
exploitation is achieved, or 2 hours after the successful exploitation?
Installation
Does ACME want the exploit to drop, install and execute a C2
agent?
Is the agent to be obfuscated to bypass AV/EDR?
II Preparation: Approved cyber kill chain 4/4
[Per-phase table columns on the slide: MITRE TTP | Alert Expected]
Fail to Prepare == Prepare to Fail
Command and Control (C2)
Hold ...
Do the consultants have to use
a specific C2 (Cobalt Strike,
Havoc, Empire, Mythic, Brute
Ratel, custom C2 etc.)?
Actions on objective
Hold ...
Schedule another meeting with
key ACME stakeholders to agree
on the next objectives (it may not
be a domain admin).
Assessment life cycle 2/2
III Exercise execution (consulting firm B and ACME)
Execute the threat-led penetration test (i.e., the approved attack chain)
Keep key ACME stakeholders informed about the process as agreed
IV Lessons learned (consulting firm B and ACME)
Analyse the attack outcome
Analyse the alerts raised by the detection tools
Improve tools, documentation and processes
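The "Alert Expected" column agreed for each phase of the approved cyber kill chain (II Preparation) is what the lessons-learned step compares against the alerts the detection tools actually raised. The following is an added example, not part of the original slides or of any tool the talk references: a small Python script that takes a constructed approved chain (real MITRE ATT&CK technique IDs, but the chain, the alert export lines and the 2-hour triage target are all assumptions made for illustration) and classifies each phase as detected and actioned, detected but not actioned, detected late, missed, or silent as expected, and also lists alerts that fired for techniques outside the agreed chain, which is the case where a "real attack" may be hiding behind the simulation.

```python
"""Compare an approved TLPT attack chain against the alerts the blue team
actually raised, to feed the IV Lessons learned review.

Added example: the chain, the alert export and the triage SLA below are
constructed for illustration, not taken from a real engagement.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Approved attack chain agreed with ACME in II Preparation (constructed).
# Each step records the kill-chain phase, the MITRE ATT&CK technique ID and
# whether ACME's detection stack is expected to raise an alert for it.
APPROVED_CHAIN = [
    {"phase": "Delivery",             "technique": "T1566.001", "alert_expected": True},
    {"phase": "Exploitation",         "technique": "T1204.002", "alert_expected": True},
    {"phase": "Installation",         "technique": "T1547.001", "alert_expected": True},
    {"phase": "Command and Control",  "technique": "T1071.001", "alert_expected": False},
    {"phase": "Actions on objective", "technique": "T1003.001", "alert_expected": True},
]

# Constructed SIEM export, one alert per line:
# raised_at|technique|alert_name|actioned_at ("-" if nobody triaged it)
ALERT_EXPORT = """\
2024-03-04T09:12:00|T1566.001|Suspicious attachment quarantined|2024-03-04T09:30:00
2024-03-04T09:41:00|T1204.002|Office spawned script interpreter|-
2024-03-04T10:30:00|T1110.001|Password-spray pattern on VPN|-
2024-03-04T11:05:00|T1071.001|Beaconing to rare external host|2024-03-04T13:20:00
2024-03-04T12:00:00|T1003.001|LSASS memory access|2024-03-04T12:10:00
"""

RESPONSE_SLA = timedelta(hours=2)   # assumed triage target agreed with ACME


@dataclass
class Alert:
    raised_at: datetime
    technique: str
    name: str
    actioned_at: datetime | None


def parse_alerts(export: str) -> list[Alert]:
    """Parse the pipe-separated export; blank and malformed lines are skipped."""
    alerts = []
    for line in export.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        raised, technique, name, actioned = parts
        alerts.append(Alert(
            raised_at=datetime.fromisoformat(raised),
            technique=technique,
            name=name,
            actioned_at=None if actioned == "-" else datetime.fromisoformat(actioned),
        ))
    return alerts


def classify_step(step: dict, alerts: list[Alert]) -> str:
    """Outcome for one approved step, judged against the alerts raised for
    its technique and against the triage SLA."""
    matching = [a for a in alerts if a.technique == step["technique"]]
    if not matching:
        return "missed" if step["alert_expected"] else "silent_as_expected"
    if not step["alert_expected"]:
        return "visibility_bonus"          # fired although nobody expected it
    actioned = [a for a in matching if a.actioned_at is not None]
    if not actioned:
        return "detected_not_actioned"
    fastest = min(a.actioned_at - a.raised_at for a in actioned)
    return "detected_and_actioned" if fastest <= RESPONSE_SLA else "detected_late"


def coverage_report(chain: list[dict], export: str) -> dict:
    """Per-phase outcomes, alerts outside the agreed chain (to be triaged as a
    possible real incident), and the detection rate over expected alerts."""
    alerts = parse_alerts(export)
    steps = {s["phase"]: classify_step(s, alerts) for s in chain}
    known = {s["technique"] for s in chain}
    unexpected = sorted({a.name for a in alerts if a.technique not in known})
    expected_steps = [s for s in chain if s["alert_expected"]]
    detected = sum(1 for s in expected_steps if steps[s["phase"]].startswith("detected"))
    return {
        "steps": steps,
        "unexpected_alerts": unexpected,
        "detection_rate": detected / len(expected_steps) if expected_steps else 0.0,
    }


if __name__ == "__main__":
    report = coverage_report(APPROVED_CHAIN, ALERT_EXPORT)
    for phase, outcome in report["steps"].items():
        print(f"{phase:<22} {outcome}")
    print("outside the chain:", report["unexpected_alerts"])
    print(f"detection rate: {report['detection_rate']:.0%}")
```

With the constructed export the Installation step comes out as missed (no alert for the persistence technique), Exploitation as detected but never actioned, and the C2 beacon as a visibility bonus, which is exactly the people/technology/process split the lessons-learned slide asks for; the password-spray alert is reported separately because it belongs to no agreed step and must not be written off as part of the simulation.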
I Planning
The consulting firm A
Is the threat intelligence raw data source reputable?
Is there an open threat intelligence that is applicable to ACME?
Is there a closed threat intelligence that is applicable to ACME?
ACME
Is the threat intelligence applicable to ACME?
Is the threat intelligence relevant to the currently known threat trends?
Has consulting firm A agreed to their report being forwarded to a 3rd party
(i.e., consulting firm B)?
II Preparation
The consulting firm B
Have we obtained approvals for the proposed attack chain?
Have we obtained details of what is to be communicated, to whom and when?
Do we have something that we can reuse, or do we need to invest a lot of
time in development to be able to execute the approved attack chain?
Test, research, test, research, test, research …..
ACME
Are the appropriate people informed about the simulation?
Too many people: the simulation could miss people, technology and process
weaknesses.
Very small group of people: alerts raised by the simulation can be
interpreted as a real attack.
III Exercise execution
The consulting firm B
Final test before going into the production env …..
DLS 2024 - RedTeam Fails - "Oops my bad I ruined the operation"
Have we achieved the agreed milestone?
Do we need to communicate (what, when and to whom)?
Do we need to agree new objectives?
ACME
Have we received status updates about the simulation progress?
How is our blue team performing (i.e., have we received the expected
alerts and have we actioned them accordingly)?
SWISSKY: https://swisskyrepo.github.io/Drink-Love-Share-Rump/
IV Lessons learned
The consulting firm B and ACME
What worked and what didn’t?
Why have some things worked, and why haven't others?
What can we improve with regard to the technologies, people and
processes engaged in the simulation?
Do we have an owner to drive the required improvement actions to
successful completion as per the agreed timeline?
What bad looks like, i.e. what we want to avoid
“Once, Twice, Three Times A Ransomware Victim: Triple-Hacked In Just
2 Weeks”
Forbes: https://www.forbes.com/sites/daveywinder/2022/08/13/once-twice-three-times-a-ransomware-victim-triple-hacked-in-just-2-weeks/
Product TLPT
Assess specific products developed by the company
Longer engagement compared to a standard penetration test
Requires more time, people and tools
Could require code/scripts to be written
Requires regular interaction with the product owners
Requires good knowledge about the product to be able to draft the
appropriate threat paths that are to be agreed with the product owners
More from me
Purple team assessments execution tips at BSides Sofia 2024
https://github.com/iliyanvelikov/BSides-Sofia-2024
Purple team assessment at BSides Sofia 2023
https://www.youtube.com/watch?v=k25jlIgFDXU&list=PLQdETMRapkhygkJG0DNq79-6NDLTLb4Jk&index=18
https://github.com/iliyanvelikov/BSides-Sofia-2023
One of the people who developed and delivered the Cyber Security Challenge UK
Masterclass 2018
https://blog.daniel-milnes.uk/cyber-security-challenge-2018-masterclass/
Started the Cyber Security Challenge Masterclass 2018 storyline by creating the first
module of the Play on Demand 2017
https://web.archive.org/web/20190304090708/https://www.cybersecuritychallenge.org.uk/news-events/barclays-launch-final-set-2017-qualifiers
Thank you