Using Red Teaming to validate the performance of an outsourced managed service provider

Red teaming can provide assurance within a wide range of business scenarios.  One interesting scenario we explored recently with a customer, a firm within the education sector, involved a situation where they had outsourced detection of security incidents to an external MSSP.  As a result of a governance audit, our customer needed to determine whether the detective and corrective capabilities of the managed security services and associated internal technical controls functioned as expected across several lesser-seen compromise scenarios.

The technical controls for the business were provided by a combination of strategically deployed network-based intrusion prevention systems (IPS) and log aggregation/analysis from critical assets and controls, using a data aggregation platform. Since moving to business-as-usual operation of these controls, the solution was known to be effective in the detection of many common security events and activities of concern which crop up in BAU processes, but there were several use cases that not been triggered in production or not yet been proven in an attack scenario.

The primary objective of the red team exercise was to assess the detective and corrective capabilities of the managed security service and controls across these uncommon scenarios, to provide assurance that the MSSP was performing as expected within the contractual arrangements. As a secondary objective, the red teaming assessment was to assess the scope of the overall solution and identify any major gaps in detective capability, during lateral movement in particular. In terms of assets, the attack was to target critical system assets and data – particularly children’s data and HR data. The assessment of lateral movement and the ability of an adversary to elevate privileges and access without detection, was also an important aspect of the exercise.

As the MSSP was tasked with monitoring internal systems, and to meet budget restrictions, several parts of the Cyber Kill Chain were removed from scope (such as social engineering).  Instead, we worked with our customer to establish a set of staring points for our simulation – for example, an employee laptop which had malware installed, and an office which had been physically compromised and a network device connected.

Leveraging these starting points, our red team ran through several attack paths designed to match the scenarios developed by our customer and covered by their contract with their MSSP.  Our team was able to compromise Active Directory domains, Linux environments, critical data stores, external data repositories and critical websites during the assessment. 

Mapping the indicators of compromise generated to the MSSP use cases covered by the contract, we were able to establish that in many areas, the MSSP was failing to detect and respond to incidents that they should have been aware of.  Armed with this information, our customer was able to address coverage and contract issues with their provided to improve performance.  We also identified many areas where blind spots in logging and monitoring existed which meant that no detection would have been possible.  By prioritising these, our customer was able to improve their detective capability in relation to lateral movement a great deal - and within their budget constraints!