If your security testing plan does not start with your “gold disk,” there is a chance that you are introducing new attack surface with every gold disk image you deploy on your network.
Ask an IT person, “how are you protecting your network?” and a very common answer will be, “we have a gold disk image that we deploy with all of the necessary patches and software.” That is what “IT security” means to most organizations, including many of the people who work in IT roles such as network administration and technical support.
This view of security is common, and while a gold disk image is a good baseline to start with, it is a starting point, not an ending point. It can also be a starting point for an attacker.
Security on any network is an ecosystem (commonly referred to as defense-in-depth) with lots of moving parts that need to work together to detect and stop a threat. The gold disk assumption is that if an organization deploys fully patched operating systems, applies group policy and antivirus, adds IDS/IPS and a firewall, and rolls out patches every month, then it must be “secure.”
In reality, your gold disk is a likely starting point for an attacker: the same image, with the same gaps, lands on every host, so whatever it misses is missed everywhere. No matter how secure you believe it to be, if you keep deploying gold disk images onto your network without ever testing whether all of the parts actually work together, you may be increasing the likelihood of a breach with every new image you deploy.
Q: What am I testing for?
A: A 21st Century Robbery (aka Adversarial Behavior)
If you’ve seen movies like Ocean’s 11 or The Italian Job, you know that every successful robbery follows a plan. That plan has many sequential phases that need to be executed in order for the plan to succeed.
In a case of truth being stranger than fiction, real-life robberies are planned against corporate networks every day, with an alarming rate of success. Criminals, including advanced threat actors, attempt to steal data, disrupt operations and/or take control of critical infrastructure. They all have a plan: a series of tactics and techniques they intend to use to pull off the robbery.
The good news is that in many cases we are familiar with the strategies these criminals use. While it is impossible to completely eliminate the possibility of criminal activity on your network, we can test and run a FireDrill to see if the security tools you have in place can protect you against known threats.
AttackIQ FireDrill and the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Matrix can visualize your ability to defend against known threats.
The MITRE ATT&CK Matrix Module in AttackIQ FireDrill
As you move from left to right across the MITRE ATT&CK Matrix, you will see the steps of the plan for a 21st century robbery emerge.
Each column represents a category or tactic (type of attacker behavior); the individual cells represent specific techniques within those categories. To catch a thief, we must think like a thief. Let’s dig into “the plan.”
- Initial Access – Can I get in?
- Execution – Can I execute a simple task?
- Persistence – Can I stay in?
- Privilege Escalation – Can I gain higher-level permissions than the ones I got in with?
- Defense Evasion – Can I avoid detection?
- Credential Access – Can I steal other people’s identities?
- Discovery – What else is around me?
- Lateral Movement – Can I move to other machines in this network?
- Collection – Can I find valuable property?
- Exfiltration – Can I steal what I found?
- Command and Control – Can I communicate with the machines I have compromised and direct them from outside?
Once we start to think in these terms and move beyond the gold disk as the end of the story, we can measure, rather than assume, how well we are protected against a 21st century robbery. Now that you understand what you are up against, you can test and begin to answer tough questions like:
- Can criminals find and steal data on my network?
- Does my environment protect against common threats?
- Which tools are effective against attacker behaviors, and which ones are not?
…and many more.
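To make the tactic list above and these questions concrete, here is an added example (not AttackIQ code, and not a description of how FireDrill stores its results) of how individual scenario outcomes roll up into a tactic-by-tactic coverage view. The result records, the control names (`edr`, `av`, `email_gw`, `ids`, `proxy`) and their outcomes are constructed sample data in an assumed format; the technique IDs are real ATT&CK identifiers used only as labels. It answers the two questions directly: which phases of the plan were never tested or never stopped, and which controls actually stopped the behaviors they were exercised against.

```python
"""Roll up attacker-scenario results into a tactic-by-tactic ATT&CK coverage view.

Added example, not AttackIQ code. The result records are constructed sample data
in an assumed format: one scenario per technique, with the outcome each security
control produced ("prevented", "detected" or "missed").
"""
from collections import Counter

# Tactics in the left-to-right order the post walks through ("the plan").
TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Exfiltration", "Command and Control",
]

# Constructed sample results (not a real assessment). Technique IDs are ATT&CK
# IDs used as labels; the control names and outcomes are made up for illustration.
SAMPLE_RESULTS = [
    {"technique": "T1566 Phishing", "tactic": "Initial Access",
     "outcomes": {"email_gw": "prevented", "edr": "missed"}},
    {"technique": "T1059 Command and Scripting Interpreter", "tactic": "Execution",
     "outcomes": {"edr": "detected", "av": "missed"}},
    {"technique": "T1547 Boot or Logon Autostart Execution", "tactic": "Persistence",
     "outcomes": {"edr": "missed", "av": "missed"}},
    {"technique": "T1003 OS Credential Dumping", "tactic": "Credential Access",
     "outcomes": {"edr": "prevented"}},
    {"technique": "T1021 Remote Services", "tactic": "Lateral Movement",
     "outcomes": {"ids": "detected"}},
    {"technique": "T1041 Exfiltration Over C2 Channel", "tactic": "Exfiltration",
     "outcomes": {"proxy": "missed", "ids": "missed"}},
]

# Ranking used to pick the best result any control achieved for a scenario.
RANK = {"prevented": 2, "detected": 1, "missed": 0}


def scenario_outcome(outcomes):
    """Best result any control achieved: prevented beats detected beats missed."""
    if not outcomes:
        return "missed"
    return max(outcomes.values(), key=RANK.__getitem__)


def coverage_by_tactic(results):
    """Per tactic (all eleven, in matrix order): how many scenarios were run and
    how each ended. Tactics with no scenarios still appear, with zeros, so an
    untested column is visible rather than silently absent."""
    table = {t: Counter(tested=0, prevented=0, detected=0, missed=0) for t in TACTICS}
    for r in results:
        row = table[r["tactic"]]
        row["tested"] += 1
        row[scenario_outcome(r["outcomes"])] += 1
    return table


def gaps(results):
    """Phases of the plan the defense never faced (untested) or never stopped
    (every scenario in the tactic was missed by every control)."""
    table = coverage_by_tactic(results)
    untested = [t for t in TACTICS if table[t]["tested"] == 0]
    unopposed = [t for t in TACTICS
                 if table[t]["tested"] and table[t]["missed"] == table[t]["tested"]]
    return {"untested": untested, "unopposed": unopposed}


def control_effectiveness(results):
    """For each control: share of the scenarios it was exercised against that it
    prevented or detected. Answers 'which tools work against which behaviors'."""
    exercised, stopped = Counter(), Counter()
    for r in results:
        for control, outcome in r["outcomes"].items():
            exercised[control] += 1
            if outcome != "missed":
                stopped[control] += 1
    return {c: stopped[c] / exercised[c] for c in exercised}


if __name__ == "__main__":
    cov = coverage_by_tactic(SAMPLE_RESULTS)
    for t in TACTICS:
        c = cov[t]
        print(f"{t:22} tested={c['tested']} prevented={c['prevented']} "
              f"detected={c['detected']} missed={c['missed']}")
    print("gaps:", gaps(SAMPLE_RESULTS))
    for control, rate in sorted(control_effectiveness(SAMPLE_RESULTS).items()):
        print(f"{control:9} stopped {rate:.0%} of the scenarios it faced")
```

Run as a script, the table prints one row per tactic in matrix order; on the constructed data, Persistence and Exfiltration show up as phases that were exercised and never stopped, five tactics show up as never tested at all, and `av` and `proxy` stopped nothing they faced. Scoring the best outcome across controls per scenario, rather than averaging, is deliberate: the question is whether the ecosystem stopped the behavior, not how many tools individually did.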
You no longer need to be a security expert to answer these questions, nor do you need to pay an outside consultant for a point-in-time analysis.
AttackIQ FireDrill enables IT security teams to test their defenses against attacker behavior with the push of a button. With thousands of attacker scenarios available to test, including comprehensive coverage of MITRE ATT&CK, it’s easy to assess your security posture and visualize the results.
AttackIQ FireDrill is the world’s leading continuous security validation platform.
Use FireDrill to test your security and find out: Is your Gold Disk putting you At Risk?