We Live in a Complex World

In today’s cybersecurity landscape, the scope and complexity of protection mechanisms and tools have reached unprecedented levels. Even small or medium-sized IT environments often employ a multitude of interdependent tools to ensure the security of their systems and assets.

A relatively simple malware protection setup for endpoints might consist of an Endpoint Detection and Response (EDR) tool and a Security Information and Event Management (SIEM) system with dashboards that provide Security Operations Center (SOC) analysts an overview of alerts and other collected events.

Some typical failure modes for this simple setup are:

  • Failure of the endpoint tool to detect the threat.
  • Faulty process implementation and/or design on how to deal with events and alerts.
  • Misconfigured or faulty components in the detection and logging chain.
  • Silent changes in the behavior of the EDR agent due to updates.
  • Silent changes in the format of event data or parsing behavior of pipeline components.
  • Misconfiguration of the SIEM, e.g., by applying filters for specific host groups that were later forgotten.

These examples demonstrate just a few things that can go wrong with a comparatively simple setup. When considering slightly larger and more complex systems, involving additional endpoint instrumentation, third-party managed security services, and Security Orchestration, Automation, and Response (SOAR) solutions, the potential failure space and the need to verify the integrity and effectiveness of the overall detection pipeline grow exponentially.

Are Pentesting and Red Teaming the Answer?

While both pentesting and red teaming are essential components of IT security strategies, they may not be the most suitable tools for measuring the quality and integrity of your endpoint protection tooling and concepts.

Pentesting focuses on assessing the vulnerability of a specified scope (IT network, system, application, or specific attack surface). Its goal is not to evaluate an organization’s visibility on their endpoints or whether an EDR agent is performing effectively. Occasionally, a secondary goal of a pentest is to determine whether existing security systems detected the simulated attack.

Red teaming is somewhat closer to the use case of assessing an organization’s overall information security measures. “Classical” red teaming is conducted over a longer timespan than typical pentests and is performed by operators who either imitate a given threat actor or stay completely undetected by utilizing largely novel tactics, techniques, and procedures (TTPs). These engagements can be valuable for mature organizations preparing and training for advanced real-world attacks. There are, however, several downsides:

  • Red teaming is expensive.
  • Red teaming engagements require significant organizational resources.
  • Results are often not reproducible due to the dynamic nature of the engagement.
  • Engagements rarely test the broader system landscape since operators tend to focus on perceived weak spots and objectives (e.g., gaining domain-wide administrative access).

Purple teaming services that leverage skilled red team operators to perform tests in cooperation with the SOC can be more systematic and useful for assessing the integrity and effectiveness of protection systems at large. However, they still retain some of the major problems of red teaming, such as high costs, even higher organizational requirements, and limited reproducibility.

Visibility Assessments with Breach and Attack Emulation Software

Utilizing software to perform automated attacks lowers the overall cost of each engagement, enables more manageable testing, and ensures reproducibility of results. This approach facilitates testing on more systems and allows for more frequent tests.

The tradeoff lies in the potential loss of accuracy if the chosen software doesn’t properly replicate the behavior of malware at a sufficiently low level or fails to reproduce all relevant parts of the malware infection chain. Especially for verifying that an endpoint detection tool can register and alert certain actions conducted by malware, the specific implementation of the malicious code matters greatly. At RedMimicry, we excel in this regard by reimplementing the relevant parts of the malicious code with unparalleled attention to detail and precision.

By using breach and attack emulation software like RedMimicry, you can effectively evaluate and improve your organization’s cybersecurity measures. This method offers several key advantages:

  • Lower costs compared to traditional red teaming or pentesting.
  • More manageable testing with minimal organizational resources.
  • Reproducible results that allow for consistent assessment of security measures.
  • Greater flexibility in testing a wider range of systems and conducting tests more frequently.

In conclusion, while traditional pentesting and red teaming have their place in the cybersecurity landscape, leveraging breach and attack emulation software offers a more accessible and scalable solution to verify the integrity and effectiveness of endpoint protection measures. RedMimicry’s focus on replicating malware behavior with high fidelity ensures that your organization can trust the results and make informed decisions to strengthen its cybersecurity defenses.