Red Team engagements are exercises where a third party simulates an attacker to test an organization’s controls as authentically as possible. These types of engagements can identify gaps in your controls, processes, or incident response capabilities and are a valuable part of a high-functioning security program. One tool used in Red Team engagements is the exploitation of vulnerable systems to further their objective. Recently some Red Teams have begun using Zero Day exploits as part of their testing. A Zero Day is a vulnerability that is exploited before a patch or fix is available.
The use of Zero Days in Red Teams or for testing purposes is somewhat controversial, as is the discussion around appropriate vulnerability disclosure practices. Putting those complexities aside, it's first worth asking: what value is there in defenders seeing and experiencing Zero Day exploits in a Red Team engagement?
Intuitively, security teams know that some of the most important controls we implement are the least exciting. Network segmentation, asset management, patching cadence, and the principle of least privilege are all concepts that make up the foundation of our security programs. However, in practice it's difficult to stay focused on the basics and always ensure our environments follow these disciplines closely. It’s too easy to be drawn to exciting technologies to hunt more complex threats. Expensive and time-consuming implementations of Security Incident Event Managers (SIEM) or Data Loss Prevention technologies pull overworked teams away from the basics. Are these solutions sometimes necessary? Absolutely. Do they also compete against maintaining proper basic hardening of our environments? Definitely.
Red Team engagements are an excellent resource to challenge our assumptions about our environment. They hunt for the controls that were forgotten, the system that was configured insecurely for convenience, or the default credential that didn’t get changed. What gets lost in these engagements is that real attackers are increasingly showing a willingness to be patient. Attackers are content to wait for extended periods of time, looking for the right opportunity. They persist in low-risk systems that aren’t tracked on risk assessments. Most organizations can’t afford a Red Team engagement long enough to simulate this same behavior accurately for their teams to test against.
Zero Day exploits have the potential to help teams test against more realistic attacker behavior in a condensed time frame. Testing against these threats forces Blue Teams to defend in a different way. They can’t rely on simple detections from their SIEM or other more straightforward means of defending their environment. It forces teams to re-orient and prioritize some of the basics. Do they have their environment instrumented well? Is the network properly segmented, limiting the “blast radius” of any potential compromise event? Blue Teams can still be successful defending against Zero Days, but it requires shifting away from a tool-centric mindset and focusing on best practices. This is a difficult change in thinking in many environments, but first-hand experience defending against Zero Days can help drive that.
The other important reason teams should consider testing against Zero Days is that it’s becoming more and more realistic that defenders will see attackers utilizing them. The recent Log4j vulnerability was an excellent example of this. Nation states are also showing increasing willingness to use these methods publicly and broadly. There are benefits in defenders being comfortable operating in an environment where they must respond to a threat with little to no information, no signatures or detections, and no pre-configured tools to assist. Practicing this type of response with a Red Team in advance helps defenders operate better when faced with a real Zero Day threat.
A well-prepared Security team should always practice and train as realistically as possible. There is a tendency for defenders to overvalue their own tools and practices when using lab environments or other training approaches. The “it couldn’t happen in my environment” mindset is a risky one, because it discounts misconfigurations, human error, and flawed designs. Zero Day exploits are no exception to the need for teams to train realistically. It is more important than ever that defenders gain first-hand experience combatting these threats. Zero Day exploits are highly effective at testing our assumptions around layers of controls and defense-in-depth. They allow a Red Team to quickly gain a foothold in an environment, where they can only be constrained through good security hygiene. For this reason, I believe there is value in Red Teams utilizing Zero Day exploits to help teams prepare to respond to the more advanced threats the industry is already seeing.
I believe the value proposition exists to conduct this type of testing. However, we can’t ignore the challenges associated with responsible disclosure. It is not beneficial to gain first-hand experience defending against these threats while other companies fall victim to real attackers quietly leveraging the same exploit. Regardless of a Red Team’s use of Zero Day exploits, real-world events will continue to challenge Security teams to defend against more advanced threats. I believe there is value in this testing approach, and as a result it's worth trying to find responsible ways to utilize Zero Day exploits as part of Red Team testing.