In a recent interview with Tom Van de Wiele, Principal Technology & Threats Researcher at WithSecure, The Cyber Express gained valuable insights into the world of cyber security and penetration testing.
With over 20 years of experience in the field, Tom has become an expert in offensive security, red team operations, and targeted attack simulations.
His extensive knowledge and expertise allow him to uncover vulnerabilities and devise innovative methodologies to breach systems during cyber attack simulations.
Tom emphasizes the importance of aligning attack strategies with the threat actor being emulated and maintaining ethical practices throughout the testing process.
His expertise extends to testing applications with advanced AI components, dealing with zero-day vulnerabilities, and simulating advanced persistent threats (APTs).
By conducting red team operations against well-defended targets, Tom reveals how understanding human behavior and exploiting potential weaknesses can lead to successful attacks.
His experiences shed light on ransomware gangs’ evolving behaviors and strategies, and he shares how his team adapts to their techniques during penetration testing exercises.
Overall, Tom’s expertise and practical insights demonstrate the crucial role of penetration testing in improving organizations’ cybersecurity readiness against real-world threats.
Can you share an instance where you had to leverage a relatively unknown or underutilized methodology to penetrate a system during a cyber attack simulation?
Just like any real coordinated cyber attack that is serious about getting in, so we split up our attacks using different techniques in order to either establish a false narrative or trust relationship that can later be abused, or to avoid detection altogether.
Some of those components can involve less traditional approaches, but always within the expectation levels of the customer and the intended level of sophistication of the threat actor level we need to emulate.
For example, it happens that once we have breached the network, we need to elevate our privileges, but the technical attack surface might be very small. In this case, we have to create our own miniature version of a supply chain attack where, e.g. software utilities that we came across on a company’s network could be altered by anyone. Once the software utilities received my specific and controlled backdoor, I started creating fake but realistic support case situations that would involve using those software utilities for support staff/administrators/the target individuals to run, and thus have their systems backdoored so we can re-use their access to accomplish our goal.
In other cases, it might involve more obscure ways of hiding the data you have stolen and exfiltrating it over a longer period of time in order to avoid detection using a mix of covert channels e.g. sending out a few hundred meeting requests to an external e-mail account that all contain small parts of the encrypted target data inside. It could be converting the data into a series of QR codes and making a movie out of it that is then shared over an outbound Zoom call.
Keep in mind that this is not a “carte blanche” or free for all. The methods of attack need to be aligned with the threat actor we are trying to emulate, and need to be in accordance with the attack scenarios we are carrying out to see if they can lead to a successful compromise and whether or not the customer and their security partners are able to detect and respond to the attack.
How would you approach testing an application’s cybersecurity resilience that incorporates advanced AI components?
For most detection methods, including AI powered ones (although these are rare), the same trade-offs need to be made: what is considered normal behaviour versus what is considered malicious?
If enough baseline behaviour and data is generated to fool the detection into thinking the actions were non-malicious, then the attacker wins. It’s all about skewing and poisoning the model to the point where you can start moving the needle of what is acceptable behaviour.
Examples could be flooding the sensors with fake data or creating overt false positives to the point where you get detection fatigue, allowing attackers to slip under the radar of a “new normal”.
Could you talk about a time when you had to exploit a zero-day vulnerability? When conducting penetration tests, how do you ensure that you achieve a balance between thorough testing and avoiding unnecessary disruptions or damage to the client’s operational capability?
Exploiting zero-day vulnerabilities is usually not part of a red team or penetration assignment. By definition, using zero-day vulnerabilities will involve a degree of uncertainty and, thus, risk where the application’s behaviour will be unknown.
In the case of a networked service, it might cause the application to malfunction, corrupt or destroy data, or might render the application itself unusable. As red teaming involves real-life production systems, the risk has to be kept low and in accordance with what was agreed with the customer.
In addition, finding and developing a stable exploit for a zero-day vulnerability takes time that could be spent on testing efforts that offer more value to the company that is being tested, as far as testing their resilience and validating their investments in the form of training, technology and process flows.
In some specific cases an exploit can be tested on a test environment as part of a separate spin-off project to assess whether or not the detection strategy and tooling would be able to pick it up. In other cases, the cyber attack kill-chain is “de-chained” by assuming that a zero-day exploit was used and supplying the testers with access that would have been obtained if an exploit was triggered, and using that as the starting point unbeknownst to the blue team.
In this way, the detection and response process, along with the people and technology, can be evaluated without causing unnecessary risk. Sometimes, we have received clearance to be able to exploit a number of zero-day vulnerabilities under very specific circumstances, but it should be regarded more as an exception than a rule.
What was the process, and how did you ensure it was reported and handled ethically?
During testing, we come across vulnerabilities all the time that are new or unknown. There we work together with the customer and the vendor or integrator to ensure that the disclosure process is performed ethically while we provide the customer mitigation paths to lower the risk during the waiting period for receiving a vendor update or patch.
Could you explain how you would go about conducting a red team operation against a well-defended target with an established security program, including blue team operations and state-of-the-art intrusion detection systems?
I have performed red teams that have had the head of the incident management team, executive management or an actual technical third party responsible for security operations as my targets.
They all depend on human beings that want to do the right thing, and on internal communication, company-to-company communication, computers and software.
If you are able to think like your target as far as what they need to function and what makes them successful, then you can find and invent scenarios that will be able to undermine and attack whatever it or whom you are trying to target.
This is where the intersection between technical hacking and behavioural psychology becomes more an art than a practice. The more you know how companies function and how they are built up, the more insight you will have in where the cracks might exist that can be exploited or might lead to compromise.
How do you simulate advanced persistent threats (APTs) in your penetration testing exercises?
Adversary simulation always needs to be aligned with the threat actors you are trying to mimic and thus, you need to be able to know about and offer techniques that are at least at the same level as the real cyber criminals e.g. organized crime groups or nation states.
That means for every part of the “cyber kill-chain”, you need to be able to know and document how real criminals operate and how they try to avoid detection while still keeping the scenarios realistic.
That implies being able to have cutting-edge attack techniques that are constantly being developed, being able to set up public but controlled Internet-facing attack infrastructure, actively developing new command and control channels and staying on top of detection strategies that you might be running into.
For some good examples of this, I recommend this 3-part series I wrote about how this actually works in practice from beginning to end while combining physical and Internet based attacks just like a real APT: Red Team Diaries: SE01 E01 – Physical | WithSecure™
How do these simulations help improve an organization’s readiness against real-world APTs?
These simulations help organizations exercise their capabilities and allow them to spot weaknesses or misalignments in their processes, tooling or training.
It means being able to validate your security investments and test them out in real-life scenarios but without the real impact and risk of a real APT-level attack. Not only will it help build resilience to be able to respond to real incidents, but it also strengthens and specializes the team in developing a nose for existing and newer indicators of compromise so that incidents can be handled before they can play out.
Could you describe a time when a penetration testing or red teaming exercise led to an unexpected discovery or an unusual vulnerability in a system? How did you proceed in such a scenario?
Every red team will uncover IT assets without an owner, processes that were languished, as well as areas of shared responsibility where multiple parties all thought the other parties would step in. But not only that, sometimes you come across highly sensitive data that was accidentally leaked outside its intended environment, test or demo environments, with all production data available but with little to no security controls or third parties having access to critical data that was hidden from sight as part of fraudulent or criminal behaviour.
The most important factors here are to be able to establish what it is you are looking at, being able to document how it was uncovered and keeping your customer contacts close in a way that the situation can be handled with the proper discretion and urgency.
How have the behaviours and strategies of large ransomware gangs evolved in recent years, particularly in terms of presenting themselves as reputable companies?
When it comes to interaction with the Internet and the outside world, it is beneficial for an adversary to make the target employee or defenders believe that they are, in fact, communicating with a legitimate entity or company.
Especially when it comes to the initial breach in making someone go to a website or open a document, but also afterwards once control has been established, and a command and control communication channel has to be kept open.
The latter can be done covertly but will involve a higher cost for the attacker in trying to evade detection. So, in order to bring down the cost, many cyber attackers try to hide in the open by using overt communication channels and end-points, trying to fool detection and response teams. This is particularly true when it comes to ransomware gangs that are leveraging supply chain attack methods like we saw with the 3CX and SolarWinds breaches.
Can you share an instance where you had to deal with such a scenario in your penetration testing or red team exercises?
We utilize overt and covert command and control channels and try to adapt our attacker infrastructure, e.g. “watering hole” servers, to what the target organization might be using.
If the company is heavily dependent on a range of cloud services, then we try to mimic those in the way they look and communicate in order to try and muddy the waters and stay hidden.
That means doing a lot of reconnaissance on the target organization as well as the third parties they use in order to try and blend in. This is also the reason why in the majority of cases, we have to inform the customer that we have breached their network because we are able to walk within the shadows or hide in plain sight unbeknownst to the defenders.