Adversary Simulation & Resilience Services

Insomnia Security offers a range of Adversary Simulation services to provide a realistic assessment of an organisation's ability to protect against, and respond to, modern adversaries targeting their most valuable assets. The experience gained from performing these offensive-focused exercises has also led to a number of resilience-focused services being created to help organisations develop controls that are effective against adversaries performing targeted attacks.

Adversary Simulation Services

Red Team Exercise

Persistent attackers are happy to perform ongoing, slow-paced reconnaissance, waiting for an opportunity to present itself whilst also being unlikely to be deterred by detection and eviction attempts. Red Team Exercises emulate this by expending an agreed number of days of effort over a number of months to replicate an attacker with an ongoing interest in a business target.

This model allows the freedom to perform opportunistic attacks based on current events, reduce the pace of activities where beneficial, and provides time for the development of additional tooling where needed. Importantly, this also allows the time for organisations to go through the motions of their response plans, practice the eviction of a live attacker from their environment, and deal with an attacker's attempts to re-enter the organisation’s networks using stolen data.

At the completion of all exercises, a narrative attack report explaining the paths taken and any detection or response observed is delivered, along with prevention and detection recommendations relating to the specific techniques used. Generally, an in-person debrief is also delivered to allow individuals to ask questions about the attack path decision-making process and the techniques that were used during the exercise.

Assumed Breach Exercise

While it is important to exercise initial entry vectors, there are cases where starting from a post-compromise position is valuable. During Assumed Breach exercises, the same access that an attacker would be expected to have in a specific breach scenario is provided, forgoing initial entry efforts. From this starting position, efforts then focus on simulating the later phases of an attack.

For example, most organisations are required to provide third-party vendors with some level of access to their IT environments. Vendors of this nature have been a target for adversaries looking to maximise their efforts, because the compromise of a single vendor often leads to the downstream compromise of many organisations, particularly where a vendor has a weaker security posture than the organisations it services. Unless contractually obligated to allow targeting of their systems within their supply contract, it can be hard for customers to gauge the security maturity of these vendors. Vendor access also generally originates from devices over which the customer's organisation has limited control and monitoring, so customers must often rely on identifying the compromise of a vendor through anomalies in the actions the vendor takes once inside customer networks. This is a good starting point for an organisation to perform an Assumed Breach exercise to understand its ability to identify and respond to malicious activity.

A range of example breach scenarios can be provided and Insomnia Security is happy to discuss unique starting points that make sense for your organisation’s industry/threat model.

Adversary Resilience Services

Endpoint Resilience Assessment

This service provides an assessment of the resilience of a device to initial compromise and post-compromise activities. These assessments incorporate previous experience performing Adversary Simulation/Red Team Exercises to focus on controls that are effective against adversaries performing targeted attacks. Uplifting the general security posture of devices has a flow-on effect of increasing the effectiveness and value of detection efforts. Every low-sophistication threat that is stopped by a basic security control results in more resources being available to detect and respond to sophisticated threats. This ultimately reduces "alert fatigue", allowing defenders to focus on a smaller number of alerts for the threats that matter most.

Centred around an agreed list of threat scenarios, these engagements address specific areas of concern for the client, rather than taking a purely compliance-based approach to device hardening. Each threat scenario is investigated to determine whether it is a realistic undertaking for a targeted attacker, and the outcomes are used to provide actionable advice on preventive and detective controls to mitigate the risks.

Where sensible, areas of concern are mapped to specific Tactics, Techniques, and Procedures (TTPs) within the MITRE ATT&CK framework, a public knowledge base of adversary tactics and techniques. This helps determine detection and response coverage across a range of real-world adversary tactics and techniques, and gives a clearer indication of the general coverage a single assessment will provide.

Phishing Resilience Development

The success of an email-based attack usually relies on the targeted user performing an action, and that action being completed. This often includes enticing an individual into clicking on a link and then entering credentials, or opening an attachment. Whether or not the target will perform the action depends on many variable factors, such as the time of day, the target's current work, and any work-related or personal-life pressures.

Insomnia Security’s approach is to focus on hardening endpoints and authentication schemes to reduce the likelihood of compromise, even if the target were to click on a link, open a malicious attachment, or submit credentials. These engagements include reviewing client-side controls and remote access vectors for controls that increase the required complexity for an attack to be successful. This is then combined with exercising detection and response plans to determine whether the organisation has the ability to respond to phishing attacks.

Detection Capability Development

Insomnia Security can provide practical and specific advice to help clients improve their detection and response capabilities. Once current security monitoring visibility and response plan gaps are understood, it is recommended that organisations prioritise the individual techniques they would like to detect based on their likelihood of use. These engagements focus on ensuring that robust detections exist to identify these techniques being used on the organisation's network/endpoints; that the implications of these alerts firing are well understood; and that thought-out response plans are in place. Breaking ongoing detection capability improvement into these smaller tasks makes them more feasible and provides clear indications of improvement to upper management.

Other Services

Phishing Campaign Triage

Insomnia Security's experience in the creation and delivery of phishing campaigns has given us the capability to also triage them from a defensive perspective. Technical support can be provided to organisations that have been the target of a phishing campaign and wish to further understand the campaign to enable an informed response. This service provides details on payloads, the domains and infrastructure used in the campaign, whether any specific targeting was observed, and any indicators of the attacker's intent. These indicators of compromise can then be used to help scope the success of the campaign within the client's environment and identify compromised accounts/systems. The final triage brief will also include recommendations around controls to increase the required complexity for similar campaigns to be successful in the future.
