Its nice to see smart people in the industry like Dave Aitel (https://lists.immunityinc.com/pipermail/dailydave/2014-October/000769.html, http://seclists.org/dailydave/2013/q3/65) catching up to things we have been quietly providing to our clients for years. Attack Simulation and Threat Response / Reduction have been big focuses for Attack Research for a while now.
First I will address Attack Simulation. Many of the high end (fortune 100 and above) customers already know what machines they need to patch, or that they have weak passwords or vulnerable applications. There is still a place for the vuln scan companies and the PCI auditors, but for those companies who have dealt with those issues and are trying to deal with the most serious threats, rather than the noise, there is a whole different set of questions they need to answer:
1.) How will their detection and response teams perform under pressure?
2.) What are the attack paths that will likely be taken to compromise "crown jewels", be that customer data, IP, source code, etc.?
3.) How does exfiltration of high value data look in their environment?
4.) What does it look like in their infrastructure when an attacker sits quietly sniffing and collecting host surveys, using sysadmin credentials, adding vulnerabilities to internal source, over long periods of time rather than a week long scan and bang?
There is lots more but you get the idea. Our APTSim program has been answering those questions for several years. (First published September 19th, 2012, but had been operating for a while before it was publicly announced). In this program we have done things like:
- Exfiltraton tests using custom written steg, network protocol based covert channels, data to superaudible tones to cell phone mic.
- Built mis-attributable command and control infrastructures overseas to mimic APT type campaigns.
- Engaged in DLP evasion exercises.
- Built custom hardware to implant in intercepted employee's equipment.
- Modified high value client source code to introduce subtle access mechanisms.
We first publicly demonstrated command and control tools communicating over Tor in 2009 (https://www.defcon.org/images/.../defcon-17-valsmith-metaphish.pdf)
Next we have Threat Response, or as we like to call it, Threat Reduction. Many of our clients have come to us stating a problem. They have purchased many Threat Intel feeds, they get thousands and thousands of signatures or IOCs a day, bulletins rehashing twitter conversations, or someone charging them $20,000 a month to scrape Pastebin for their company brand. But what should they do with all this information? Often they dont have the infrastructure, personnel, skillsets, or internal political clout to take action on all of this "intelligence". And how many of these 100000s of items really pose a direct, targeted, threat which warrants real concern beyond the question: "Ok, how fast can we re-image 1000 workstations". Not as many as you might think.
These companies don't need threat intel, as it is being currently sold, they need Threat Reduction, which is exactly what we have been providing for years. Our clients get notices from us saying "There was a threat targeting you specifically, here is the brief description, it's been handled per our agreed upon ROE", rather than "here are 10,000 IOCs, good luck, hope you can stop them yourself!" which amounts to basically a huge, never ending, trouble ticket. This type of service that we provde involves a deep understanding of the client's business and priorities, trust, and the ability to actually DO something about specific threats. This might mean that we make customized modifications to the client's detection / blocking tools, a week before we know a specific type of attack is going to hit them, surveilling a specifc group of actors known to pose a problem (In person, online, etc.), taking down a bot net, or arranging for the delivery of cease and desist notices. It involves developing information sources around the world that go beyond a simple web crawler. Our clients are in the business of producing energy, managing people's money, or manufacturing devices you use every day. They are not in the business of sorting through an internet worth of MD5 sums! That is not their expertise, nor should it have to be. (Some places do have crack internal teams, and they have my respect, but it is not realistic to think that everyone can have 20 FTEs on staff with all the requisite skillsets from RE to exploit reconstruction.)
Like AV, threat intel is one of those things that's probably somewhat helpful to have on hand, but doesn't do much to help organizations deal with specific, focused concerns about their highest priority interests. They need Threat Reduction, they need true, real world, exercising of their detection and response teams, and I am glad to see others I respect finally catching up to the idea.