
Threat Led Penetration Testing Introduction

Agenda
 3 About me
 4 Penetration testing vs red teaming
 5 What is Threat Led Penetration Testing (TLPT)
 6 Why and when
 7 DORA Article 23 proposal
 8 Who
 9 Methodologies, frameworks and playbooks
 10 Company wide TLPT
 11 Assessment life cycle 1/2
 12 II Preparation: Approved cyber kill chain 1/4
 13 II Preparation: Approved cyber kill chain 2/4
 14 II Preparation: Approved cyber kill chain 3/4
 15 II Preparation: Approved cyber kill chain 4/4
 16 Assessment life cycle 2/2
 17 I Planning
 18 II Preparation
 19 III Exercise execution
 20 IV Lessons learned
 21 Product wide TLPT
 22 More from me
 23 Thank you
About me
 How I recharge
 Let's change the way we eat
 Let's change the way we live
 And let's change the way we treat each other
 My professional expertise
 More than 10 years of professional experience, most of it gained in the UK
 BSc Computer Network Security in the UK
 MSc Information Security in the UK
 Certs: OSCP, OSEP, GDAT, CRTP, CRTE, CRTO, CRTSv1 and more …
 Linkedin
 https://www.linkedin.com/in/iliyan-velikov-7a895253
Penetration testing vs red teaming
 Penetration testing
“At its core, real Penetration Testing is testing to find as many vulnerabilities and
configuration issues as possible in the time allotted, and exploiting those
vulnerabilities to determine the risk of the vulnerability. This does not
necessarily mean uncovering new vulnerabilities (zero days), it's more often
looking for known, unpatched vulnerabilities.”
 Red teaming
“A Red Team Assessment is similar to a penetration test in many ways but is
more targeted. The goal of the Red Team Assessment is NOT to find as many
vulnerabilities as possible. The goal is to test the organization's detection and
response capabilities. ”


Rapid7: https://www.rapid7.com/blog/post/2016/06/23/penetration-testing-vs-red-teaming-the-age-old-debate-of-pirates-vs-ninja-continues/


PWC Malta: https://www.pwc.com/mt/en/publications/technology/red-teaming-and-penetration-testing.html
What is Threat Led Penetration Testing (TLPT)
 TLPT definition
“TLPT means a framework that mimics the tactics, techniques and procedures
of real-life threat actors perceived as posing a genuine cyber threat, that
delivers a controlled, bespoke, intelligence-led (red team) test of the financial
entity’s critical live production systems”
 Purple team definition
“A purple team is a group of cyber security professionals who simulate
malicious attacks and penetration testing in order to identify security
vulnerabilities and recommend remediation strategies for an organization’s IT
infrastructure. The term is derived from the color purple, which symbolizes the
combination of both red and blue teams.”


Law Insider: https://www.lawinsider.com/dictionary/threat-led-penetration-testing-tlpt


Crowdstrike https://www.crowdstrike.com/cybersecurity-101/purple-teaming
Why and when
 DORA
“DORA creates a regulatory framework on digital operational resilience whereby
all firms need to make sure they can withstand, respond to and recover from all
types of ICT-related disruptions and threats. These requirements are
homogenous across all EU member states. The core aim is to prevent and
mitigate cyber threats.”
“The Digital Operational Resilience Act (DORA) is an EU regulation that entered
into force on 16 January 2023 and will apply as of 17 January 2025”
 DORA key message that is currently under consultation
“the criteria used for identifying financial entities required to perform threat-led
penetration testing (TLPT),”

DORA: https://www.digital-operational-resilience-act.com


DORA: https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en


DORA: https://www.eba.europa.eu/joint-regulatory-technical-standards-specifying-elements-related-threat-led-penetration-tests
DORA Article 23 proposal
“3. Financial entities shall contract testers in accordance with Article 24 for the
purposes of undertaking threat led penetration testing.
Competent authorities shall identify financial entities to perform threat led
penetration testing in a manner that is proportionate to the size, scale, activity
and overall risk profile of the financial entity, based on the assessment of the
following:
(a) impact-related factors, in particular the criticality of services provided and
activities undertaken by the financial entity;
(b) possible financial stability concerns, including the systemic character of the
financial entity at national or Union level, as appropriate;
(c) specific ICT risk profile, level of ICT maturity of the financial entity or
technology features which are involved.”


DORA: https://www.digital-operational-resilience-act.com/DORA_Article_23_(Proposal).html
Who
 Are the DORA requirements applicable to my organisation?
Financial entities (e.g., Bank, Crypto/Blockchain, Insurance provider, Private
pension scheme etc.)
 Are there other local requirements applicable to my organisation that
require a purple team or TLPT to be performed?
 The art of war by Sun Tzu
“If you know the enemy and know yourself, you need not fear the result of a
hundred battles. If you know yourself but not the enemy, for every victory gained
you will also suffer defeat. If you know neither the enemy nor yourself, you will
succumb in every battle.”


DORA: https://www.digital-operational-resilience-act.com/


Local regulation: Cybersecurity Act (ЗАКОН за киберсигурност)
Methodologies, frameworks and playbooks
 TIBER-EU, ECB 2018 (CSTAR -> CBEST 2017)
 Lockheed Martin’s Cyber Kill Chain
 MITRE’s ATT&CK framework and MITRE Engenuity evaluations
 Scythe’s Purple Team Exercise Framework (PTEF)
 Pan-Unit42’s playbooks
 etc.


TIBER ECB: https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf


Lockheed Martin: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html


MITRE: https://attack.mitre.org


MITRE: https://attackevals.mitre-engenuity.org/methodology-overview


Scythe: https://github.com/scythe-io/purple-team-exercise-framework


Pan-Unit42: https://pan-unit42.github.io/playbook_viewer
Company wide TLPT
 Assess all company assets
 Longer engagement compared to a standard penetration test
 Requires more time, people and tools
 Usually requires code/scripts/tools to be written
 Requires regular interaction with key stakeholders
 More on the next few slides
Assessment life cycle 1/2
I Planning (consulting firm A and ACME)
 An organisation (which could be one other than the one that will execute
the purple team assessment) performs threat intelligence activities to
identify threat actors and threats applicable to the client (hereinafter ACME)
 Consulting firm A delivers the threat intelligence report to ACME
II Preparation (consulting firm B and ACME)
 Plan and agree the details of the cyber attack simulation with key ACME
stakeholders (i.e., approved execution chain)
 Agree key milestones that are to be communicated and when these are to
be communicated
 Clarify the communication chain


MITRE: https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf
II Preparation: Approved cyber kill chain 1/4
 Consulting firm A has provided a report with threat intelligence that ACME can
share with another consulting firm

 Could be a different attack chain. Is your organization a Mexican Bank?



Arstechnica: https://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/


https://blogs.blackberry.com/en/2024/01/mexican-banks-and-cryptocurrency-platforms-targeted-with-allakore-rat
II Preparation: Approved cyber kill chain 2/4
Fail to Prepare == Prepare to Fail
 Reconnaissance
 Passive or active?
 Weaponisation
 Public or custom-built exploit?
 What should the exploit do?
 In simple, plain language that everyone will understand, but
detailed enough. You do not need to go down to the level of
0xDEADBEEF or 0xBABACECA.
II Preparation: Approved cyber kill chain 3/4
(Slide contains a table with the headers: MITRE, TTP, Alert, Expected)
Fail to Prepare == Prepare to Fail
 Delivery
 What channel will the consultants use to deliver the exploit
(email, iMessage etc.)?
 Exploitation
 Does ACME want to be informed as soon as a successful
exploitation is achieved, or 2 hours after the successful exploitation?
 Installation
 Does ACME want the exploit to drop, install and execute a C2
agent?
 Is the agent to be obfuscated to bypass AV/EDR?
II Preparation: Approved cyber kill chain 4/4
(Slide contains a table with the headers: MITRE, TTP, Alert, Expected)
Fail to Prepare == Prepare to Fail
 Command and Control (C2)
 Hold ...
 Do the consultants have to use a specific C2 (Cobalt Strike,
Havoc, Empire, Mythic, Brute Ratel, custom C2 etc.)?
 Actions on objective
 Hold ...
 Schedule another meeting with key ACME stakeholders to agree
on the next objectives (it may not be domain admin).
Assessment life cycle 2/2
III Exercise execution (consulting firm B and ACME)
 Execute the threat-led penetration test (i.e., the approved attack chain)
 Keep key ACME stakeholders informed about the process as agreed
IV Lessons learned (consulting firm B and ACME)
 Analyse the attack outcome
 Analyse the alerts raised by the detection tools
 Improve tools, documentation and processes
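As an added illustration (not part of the original deck), the approved attack chain from the "II Preparation: Approved cyber kill chain" slides can be written down as structured data, checked before execution (approvals, hold points, agreed notification timing, kill-chain order) and then, in the lessons-learned phase, compared against the alerts the detection tools actually raised. The technique IDs are real ATT&CK IDs; the phases, alert names and the sample plan are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Lockheed Martin kill chain phases, in order, as on the preparation slides.
KILL_CHAIN = ["Reconnaissance", "Weaponisation", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on objective"]
HOLD_PHASES = {"Command and Control", "Actions on objective"}  # the "Hold ..." phases

@dataclass
class Step:
    phase: str
    mitre_ttp: str            # ATT&CK technique ID (the "MITRE TTP" column)
    expected_alert: str       # alert the blue team should raise ("" = none expected)
    approved: bool = False    # agreed with key ACME stakeholders
    hold: bool = False        # stop and re-agree objectives before executing
    notify_hours: Optional[int] = None  # hours after success before ACME is told

def validate_plan(steps):
    """Return the problems that block execution; an empty list means go."""
    problems = []
    order = [KILL_CHAIN.index(s.phase) for s in steps if s.phase in KILL_CHAIN]
    if order != sorted(order):
        problems.append("steps are not in kill-chain order")
    for s in steps:
        if s.phase not in KILL_CHAIN:
            problems.append(f"{s.phase}: unknown phase")
        if not s.approved:
            problems.append(f"{s.phase}: {s.mitre_ttp} not approved by ACME")
        if s.phase in HOLD_PHASES and not s.hold:
            problems.append(f"{s.phase}: missing hold point")
        if s.phase == "Exploitation" and s.notify_hours is None:
            problems.append("Exploitation: notification timing not agreed")
    return problems

def alert_coverage(steps, raised):
    """Lessons learned: expected alerts versus alerts the detection tools raised."""
    expected = {s.expected_alert for s in steps if s.expected_alert}
    return {"detected": sorted(expected & raised),
            "missed": sorted(expected - raised),
            "unexpected": sorted(raised - expected)}

# Constructed sample plan: technique IDs are real ATT&CK IDs, alert names are made up.
SAMPLE_PLAN = [
    Step("Reconnaissance", "T1589", "", approved=True),  # passive OSINT, no alert
    Step("Delivery", "T1566.001", "mail-gw: suspicious attachment", approved=True),
    Step("Exploitation", "T1204.002", "EDR: office child process", approved=True, notify_hours=2),
    Step("Installation", "T1105", "EDR: unsigned binary dropped", approved=True),
    Step("Command and Control", "T1071.001", "proxy: beaconing", approved=True, hold=True),
    Step("Actions on objective", "T1003", "EDR: credential dumping", approved=True, hold=True),
]
```

Running `validate_plan(SAMPLE_PLAN)` returns an empty list; feeding `alert_coverage` the set of alert names the SOC actually saw gives the detected, missed and unexpected alerts to discuss in phase IV.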
I Planning
 Consulting firm A
 Is the threat intelligence raw data source reputable?
 Is there open threat intelligence that is applicable to ACME?
 Is there closed threat intelligence that is applicable to ACME?
 ACME
 Is the threat intelligence applicable to ACME?
 Is the threat intelligence relevant to the currently known threat trends?
 Has consulting firm A agreed to their report being forwarded to a 3rd party
(i.e., consulting firm B)?
II Preparation
 Consulting firm B
 Have we obtained approvals for the proposed attack chain?
 Have we obtained details of what is to be communicated, to whom and when?
 Do we have something that we can reuse, or do we need to invest a lot
of time in development to be able to execute the approved attack chain?
 Test, research, test, research, test, research …..
 ACME
 Are the appropriate people informed about the simulation?
 Too many people – people, technology and process weaknesses could be
missed.
 Very small group of people – alerts raised by the simulation can be
interpreted as a real attack.
III Exercise execution
 Consulting firm B
 Final test before going into the production environment …..
 DLS 2024 - RedTeam Fails - "Oops my bad I ruined the operation"
 Have we achieved the agreed milestone?
 Do we need to communicate (what, when and to whom)?
 Do we need to agree new objectives?
 ACME
 Have we received status updates about the simulation progress?
 How is our blue team performing (i.e., have we received the expected
alerts and have we actioned them accordingly)?


SWISSKY: https://swisskyrepo.github.io/Drink-Love-Share-Rump/
IV Lessons learned
 Consulting firm B and ACME
 What worked and what didn’t?
 Why did some things work and others not?
 What can we improve in the technologies, people and processes
engaged in the simulation?
 Do we have an owner to drive the required improvement actions to
successful completion as per the agreed timeline?
 What bad looks like, i.e. what we want to avoid
 “Once, Twice, Three Times A Ransomware Victim: Triple-Hacked In Just
2 Weeks”


Forbes: https://www.forbes.com/sites/daveywinder/2022/08/13/once-twice-three-times-a-ransomware-victim-triple-hacked-in-just-2-weeks/
Product TLPT
 Assess specific products developed by the company
 Longer engagement compared to a standard penetration test
 Requires more time, people and tools
 Could require code/scripts to be written
 Requires regular interaction with the product owners
 Requires good knowledge about the product to be able to draft the
appropriate threat paths that are to be agreed with the product owners
More from me
 Purple team assessments execution tips at BSides Sofia 2024
 https://github.com/iliyanvelikov/BSides-Sofia-2024
 Purple team assessment at BSides Sofia 2023
 https://www.youtube.com/watch?v=k25jlIgFDXU&list=PLQdETMRapkhygkJG0DNq79-6NDLTLb4Jk&index=18
 https://github.com/iliyanvelikov/BSides-Sofia-2023
 One of the people who developed and delivered the Cyber Security Challenge UK
Masterclass 2018
 https://blog.daniel-milnes.uk/cyber-security-challenge-2018-masterclass/
 Started the Cyber Security Challenge Masterclass 2018 storyline by creating the first
module of the Play on Demand 2017
 https://web.archive.org/web/20190304090708/https://www.cybersecuritychallenge.org.uk/news-events/barclays-launch-final-set-2017-qualifiers
Thank you