Hack your company before someone else does
Table of Contents
Ask Security Leaders how secure their company is and many will tell you all about the tools, controls and runbooks they have in place. Now ask them if those things actually work and you may get a laugh and confirmation. Then ask if they have tested them against a third party that is determined to get in and has no rules of engagement, you’ll likely get an uncomfortable look.
We hired hackers and gave them no rules of engagement.
We did a blind red team and social engineering engagement meaning the security team (and rest of the company as well as myself) didn’t know who, what, where, when or how the attack was coming. There was a single point of contact who coordinated with the third party we chose for the test.
Doing this kind of exercise helps us test some of the following things:
- What can attackers access if they compromise a user and/or machine?
- How will our defenses alert in the case a user or a laptop is “breached”?
- How well does the security team respond to a “breach” scenario?
Overall the exercise went extremely well and we learned some very valuable information around our strengths and weakness. Our employees were notified afterwards that it was an exercise, they were relieved and ecstatic that we do this depth of testing.
Those evil geniuses sent out a phishing email pretending to be our identity provider telling certain employees they needed to refresh their MFA token. Now that is smart but the really clever thing is that the URL the link pointed to actually went to the identity provider using a different org with a slight misspelling. They are using our own identity provider to phish and infect our users, they sent me this blog post after describing the attack.
No matter how much phishing training you put employees through someone is going to click on this. We started an incident right away and began hunting.
We use Obsidian Security to monitor our SaaS apps for security events as well as security configuration issues. It was especially valuable here allowing us to track which users became infected and what the attackers tried to do with their credentials. We began resetting accounts, credentials and session tokens to expel the attackers.
During this we also noticed the attackers gained persistence on the devices using Evilginx2 which meant we had to contain devices and manually kill browser processes.
We thought we had successfully expelled the attackers until…
Two internal phishing emails! They still had a Google Workspace token for a user! One was a fake email chain including yours truly telling people to go to the malicious URL and the other instructed users to go to a Confluence page that had been modified with a malicious “patch” for users to install.
Well we decided to kill this once and for all. Filtered the malicious URL, blocked all known bad IPs, killed malicious hashes, wrote custom IOA rules, etc. We successfully expelled the attackers from laptops and services.
We had a lot of lessons learned from this exercise and here are some points we are comfortable sharing:
- Ensure you reset sessions for all apps accessed
- Use Biometrics (Web Authn) if you can or at least on sensitive applications
- Google Workspace doesn’t allow you to use the investigate tool and remove phishing emails unless you are on an Enterprise plan, why?
The security team responded extremely well with the attackers often being expelled within minutes and they were unable to get any staging or production access.
Some of the things we did really well as a company:
- Employees reported the phishing emails quickly, we actually let the exercise play out instead of blocking it up front.
- Tracking the attackers as they tried to pivot or use different resources
- Triage and expelling attackers quickly
- Communicating with affected individuals and getting them working quickly again
- Putting in new alerts and blocks to remove the threat
In closing, if you haven’t done an unrestricted red team exercise I highly encourage you to. You’ll put all that money you spend on security to the test and quickly find your weaknesses.
Thanks to:
- The Sigma Security team for responding quickly and professionally to this attack.
- Alev Viggio our GRC Manager for planning, managing and coordinating our red team exercise.
- Our partners at Obsidian Security.
- Sigma Computing’s executive team for being supportive in doing this kind of unrestricted exercise
Thanks to Donald Huang