Hack your company before someone else does

Ask security leaders how secure their company is and many will tell you all about the tools, controls and runbooks they have in place. Now ask them if those things actually work and you may get a laugh and a confirmation. Then ask if they have tested them against a third party that is determined to get in and has no rules of engagement, and you’ll likely get an uncomfortable look.
We hired hackers and gave them no rules of engagement.

We did a blind red team and social engineering engagement, meaning the security team (and the rest of the company, myself included) didn’t know who, what, where, when or how the attack was coming. There was a single point of contact who coordinated with the third party we chose for the test.
Doing this kind of exercise helps us test some of the following things:
- What can attackers access if they compromise a user and/or machine?
- How will our defenses alert in the case a user or a laptop is “breached”?
- How well does the security team respond to a “breach” scenario?
Overall the exercise went extremely well and we learned some very valuable information about our strengths and weaknesses. Our employees were notified afterwards that it was an exercise; they were relieved and ecstatic that we do this depth of testing.

No matter how much phishing training you put employees through, someone is going to click. We started an incident right away and began hunting.

During this we also noticed the attackers gained persistence on the devices using Evilginx2, which meant we had to contain devices and manually kill browser processes.

Well, we decided to kill this once and for all: we filtered the malicious URL, blocked all known bad IPs, killed malicious hashes, wrote custom IOA rules, and so on. We successfully expelled the attackers from laptops and services.
We had a lot of lessons learned from this exercise and here are some points we are comfortable sharing:
- Ensure you reset sessions for all apps accessed.
- Use biometrics (WebAuthn) if you can, or at least on sensitive applications.
- Google Workspace doesn’t let you use the investigation tool to remove phishing emails unless you are on an Enterprise plan. Why?
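As an added illustration of the first lesson (example code written for this page, not from the original post or from Sigma), the following Python walks a constructed authentication log, flags a session token used from a source other than the one that created it (the trace a proxied-login theft such as the one described leaves behind), and lists every app whose sessions must be reset for the affected user. The log format, field names and sample values are assumptions.

```python
"""Detect replay of a stolen web session in a constructed auth log and list
which app sessions to revoke for each affected user."""
from collections import defaultdict

# Constructed sample log (not real data). Fields:
# timestamp event user app session_id source_ip user_agent
SAMPLE_LOG = """\
2023-05-01T09:00:00Z login alice@example.com sso sess-A1 203.0.113.10 Chrome/113
2023-05-01T09:00:05Z request alice@example.com mail sess-A1 203.0.113.10 Chrome/113
2023-05-01T09:02:10Z request alice@example.com mail sess-A1 198.51.100.7 Firefox/112
2023-05-01T09:03:00Z request alice@example.com drive sess-A1 198.51.100.7 Firefox/112
2023-05-01T09:10:00Z login bob@example.com sso sess-B7 203.0.113.22 Chrome/113
2023-05-01T09:11:00Z request bob@example.com mail sess-B7 203.0.113.22 Chrome/113
"""

def parse_log(text):
    """Parse the whitespace-separated sample format into dicts."""
    events = []
    for line in text.splitlines():
        ts, event, user, app, sid, ip, ua = line.split()
        events.append({"ts": ts, "event": event, "user": user, "app": app,
                       "sid": sid, "ip": ip, "ua": ua})
    return events

def find_session_replay(events):
    """Flag a session token used from a different IP or user agent than the
    one that established it (the user never logged in from there)."""
    origin = {}   # session id -> (ip, user agent) at login
    alerts = []
    for e in events:
        key = (e["ip"], e["ua"])
        if e["event"] == "login":
            origin[e["sid"]] = key
        elif e["sid"] in origin and origin[e["sid"]] != key:
            alerts.append({"user": e["user"], "sid": e["sid"], "app": e["app"],
                           "from_ip": e["ip"], "ts": e["ts"]})
    return alerts

def sessions_to_revoke(events, alerts):
    """Every app touched by a replayed session needs its session reset, not
    just the identity provider: a password reset alone leaves the stolen
    cookies valid until they expire."""
    hit = {(a["user"], a["sid"]) for a in alerts}
    apps = defaultdict(set)
    for e in events:
        if (e["user"], e["sid"]) in hit:
            apps[e["user"]].add(e["app"])
    return {user: sorted(names) for user, names in apps.items()}
```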
The security team responded extremely well, with the attackers often expelled within minutes; they were unable to get any staging or production access.
Some of the things we did really well as a company:
- Employees reported the phishing emails quickly; we actually let the exercise play out instead of blocking it up front.
- Tracking the attackers as they tried to pivot or use different resources
- Triage and expelling attackers quickly
- Communicating with affected individuals and getting them working quickly again
- Putting in new alerts and blocks to remove the threat
In closing, if you haven’t done an unrestricted red team exercise I highly encourage you to. You’ll put all that money you spend on security to the test and quickly find your weaknesses.
Thanks to:
- The Sigma Security team for responding quickly and professionally to this attack.
- Alev Viggio our GRC Manager for planning, managing and coordinating our red team exercise.
- Our partners at Obsidian Security.
- Sigma Computing’s executive team for being supportive in doing this kind of unrestricted exercise.
Thanks to Donald Huang