Improving cyber resilience
A leading and forward-thinking Nordic property management company approached Fraktal to holistically assess and enhance their cyber security resilience. Their objective was twofold: to understand potential vulnerabilities in their IT estate and to evaluate their real-time response capabilities through a purple team testing exercise.
Fraktal's purple team testing methodology was meticulously structured and collaborative. Our test team executed cyber-attack simulations, while the client's security experts, including their SOC, actively worked to detect, prevent, and respond to the test cases. The result was an engaging and rewarding learning experience.
The assignment followed these major phases:
- Attack Surface Enumeration: Prior to simulations, Fraktal undertook a comprehensive enumeration of the client's attack surface, facilitated by client-provided organizational details.
- Simulated Attack Scenario: A real-world scenario was emulated, wherein an attacker procured valid company credentials and hardware. For authenticity, the client supplied Fraktal with genuine credentials and a company laptop as the initial access, simulating a situation where a company member has had their endpoint breached.
The Fraktal team's work provided insights into the following topics:
- Endpoint security: The default laptop configuration exhibited a limited attack surface for non-admin users, showcasing robust security measures such as AppLocker with strict policies, blocked PowerShell, and an effective Windows Defender. Furthermore, hardening measures, including Attack Surface Reduction rules, effectively prevented unauthorized access to Azure Primary Refresh Tokens (PRTs) and the dumping of credential material.
- Domain integrity: The Windows domain was well-maintained and devoid of common vulnerabilities. This included no detectable credentials in admin scripts, file shares, or Group Policy Preferences (GPP) files/attributes, and no service accounts with undue admin privileges.
- Azure platform integrity: Our testing found that the client's Azure resource configurations did not provide any meaningful attack surface toward critical business applications.
Critical insights and recommendations:
Several Tactics, Techniques, and Procedures (TTPs) that are commonly employed by real-world attackers went undetected in our testing, highlighting potential areas of cyber security control weakness:
- LSASS process memory dumping on servers, a technique often used to extract credentials.
- Loading of malicious drivers on endpoints, a tactic to gain unauthorized system access.
- Mass domain enumeration, a method attackers use to gather information.
- Unauthorized modifications of admin groups, potentially leading to privilege escalation.
- Lateral movement using RDP, a common method for spreading within networks.
- Command and Control (C2) connections over SSH and HTTP, channels often used by attackers to control compromised systems.
If not addressed, an adversary might chain these and other potential weaknesses to form an attack path toward critical business data and operations.
Technologies and methods
MITRE ATT&CK® framework
All our attacks and results are mapped to this industry standard framework. As the coverage is extended over time, confidence in continuous improvement is also increased. This mapping provides an essential understanding of the benefits gained from improvements and a bird's-eye view of the attack paths that are now under control.
Offensive security tooling
Fraktal experts use a collection of licensed, open-source, and self-developed offensive security testing tools.
Our team only engages in ethical hacking assignments, where privacy and workplace rights are respected according to legislation in Finland and other relevant jurisdictions.