How We “Hack” Enova

Chapter 1: Introduction

The firewalls have been lit, security defenses are in place and mitigation strategies have been documented. We’re confident that the network and application security posture at Enova is ready to withstand any attack and our teams are ready to respond accordingly……but are we really? This is where our red team exercises come into play. In the cyber security realm, “red team” exercises are performed to simulate attacks and/or breaches that have taken place in order to assess the ability of an organization’s tools, teams and processes to mitigate intrusions as quickly as possible. 

Chapter 2: An Arsenal of Attacks

Multiple times a year, the Enova Security Engineering team, along with the help of other “shadow players,” performs red team exercises. Not only does this help identify possible technological and procedural gaps, but also helps ensure we meet various compliance regulations such as PCI, SOX, GDPR, HIPAA, etc. When running these exercises, it’s important to run attack scenarios that include other technology teams. During an actual breach event, you’ll most likely need to pull resources not only from security team(s), but other technical groups. Throughout the years, we have performed a variety of red team exercises including:

  1. Placing a non-corporate IoT device on the network. The goal of this exercise was to identify and remove the device as soon as possible. 
  2. Placing a rogue wireless access point in the office. The goal of this exercise was identification of the AP, verifying if any credentials authenticated to it and shutting it down.
  3. Attacking an unpatched system on our network. This exercise attempted to determine if proper system monitoring was in place and the length of time it took to patch the affected system.
  4. SQL injection attempt on a web application. The goal of this exercise was to determine if the proper monitoring, alerting and security technologies were in place to block this type of attack.

Chapter 3: Breach Debriefs

As mentioned above the goal of a red team exercise is not only validation of security tools and processes, but also identifying any short comings. Does your team have the proper tools in place to identify, monitor and alert on any device connected to your network? Do you have the ability to automatically mitigate attack attempts as opposed to more time consuming manual work? Are you scanning network traffic and devices for threats/vulnerabilities? Most importantly, do you have the proper processes and procedures in place to handle a real world scenario? Regardless of the answer, it’s important to document your findings upon completion of any exercise and review this with all applicable teams.

Chapter 4: One Test Does Not Rule Them All

It should also be mentioned that red team exercises are just one type of security testing which can be employed. Other types of security tests can and should be performed including:

  • Security risk assessments – reviewing and analyzing potential security risks encompassing an organization’s IT infrastructure.
  • Blue Team testing – focuses on defensive security operations entirely.
  • Vulnerability assessments – the process of identifying and classifying vulnerabilities in systems.
  • Pen testing – performed to identify vulnerabilities within your network or web applications and exploit them if possible. This covers a broader scope and not as targeted as a red team test.
  • Physical pen testing – assessing the strength and effectiveness of physical controls within your environment (ie – locks, badge readers, cameras, sensors, situational awareness, etc).
  • Social engineering – the use of manipulation and deception on individuals to obtain sensitive data (ie- passwords, ssn, usernames, etc).
  • Phishing campaigns – a simulated attempt to gain sensitive information through email.

Chapter 5: Conclusion

Red Team exercises provide great visibility into an organization’s security posture and should be incorporated into any mature security program. It’s imperative to perform different red team exercises which assess the entire scope of a team’s security tools and technologies — tools such as WAFs, IPS/IDS, SIEM, end-point protection, email security, DNS, vulnerability/patch management, FIM, DLP, application security, etc. It’s also important to incorporate other teams into these tests for when a real world attack unfolds. Multiple technology teams will need to come to together, collaborate and ultimately resolve the issue together.

Finally, keep in mind that not every red team exercise will be successfully thwarted, and that’s not a bad thing! The goal of these tests are to access security tools and procedures and learn what worked and what didn’t. An outcome could be identifying gaps in your tool set, additional policy creation or better incident response documentation for quicker resolution. Remember, the goal is to learn, implement and consistently adapt to the ever changing world of cyber security.