Following from the first and second parts of this series, here is the third. In my opinion, this is the rule that helps you and your team gain visibility within an organization from folks senior to your client - and helps your client make their case to leadership to get the buy-in to get stuff fixed.
Rule 3: Realistic Objectives
Raise your hand if you’ve ever had a client say this to you: “No one would attack us.”
Now, it’s possible that if you’re the National Technical Information Services, no one cares to hack you. That said, I can think up some semi-plausible reasons to break into their network and start compromising their files. But if you’re an actual company (especially a publicly traded one), in the business of making money? Of course there are good reasons to hack into you. People give you money in return for services, right? So there’s a bunch of reasons right there.
Instead, what we ask is this: “What is the one thing (or handful of things) that, if an attacker compromised it, would be game over for your company? No recovery, just shut the doors and tell the employees not to show up tomorrow. Is it a particular piece of intellectual property? Is it the CEO’s e-mail? Is it a wire transfer system that has access to your clients’ funds? Is it access to the control system network that manufactures a particular pharmaceutical drug?”
I’ve found it to be primarily a mindset issue. People don’t like thinking of themselves as targets or as potential victims. It’s an uncomfortable view of the world, knowing that someone is actively trying to cause you harm. Some people have that mindset by default, some can learn it, some can’t. But forcing the client to shift (at least temporarily) into that mindset helps you to identify what the objectives of your red team engagement should be. A client who isn’t able to believe they’re a legitimate target makes for a very difficult relationship - and generally a very unsuccessful one.
It may take the client a little bit of time to come up with such a target (also, different employees at the organization may have different ideas of what that “one thing” is) but when you’ve got a few good objectives, that’s what we ask to target. Compromising domain administrator and doing the shells dance is nothing in comparison to digging through the network, finding a wire transfer system, researching which users have access, and then logging into it as one of the people authorized to send a few billion dollars anywhere with no accountability. And then showing your client that they didn’t detect any of that activity.
THAT is impact that the boardroom cares about. Not a screenshot of you logged into their domain controller.
Balancing Impact and Realism
One of the challenges that we have as consultants is getting people to take us seriously when we tell them the bad things that could happen. We need our clients to understand that hacking into their network isn’t (in most cases) rocket science and that if it hasn’t happened yet, it’s only because they’re lucky. However, we absolutely have to keep our warnings grounded in reality. And that’s where the realistic objectives help.
When I give a customer a final report, or presentation of my exploitation activities, or whatever, I always make sure to clearly differentiate between what I actually did and what I could theoretically have done. I’ve found that customers are very appreciative of that and it helps to cut down on some of the FUD that fills this industry. The more realistic the client thinks the attacks are, the more likely they will be to fix their systems. And that’s what we want - them fixing their systems.
Edit: Now that part four is published, go read it.