A CISO's Approach to Ransomware Playbooks
“The value proposition of ransomware simulation to a CISO is that it provides ground truth on how your security program stands. Do the attack simulation in a way that you can learn everything that was done by the Red Team, learn what was missed by the Blue Team, and then you can pivot from there.” - Trevin Edgeworth, Red Team Practice Director, Bishop Fox
This week Bishop Fox’s Tom Eston (AVP of Consulting) and Trevin Edgeworth (Red Team Practice Director) presented at SC Media’s Ransomware eSummit on “Ready or Not? Test Your Ransomware Defenses Against Real-World Playbooks.” If you haven’t been able to watch their conversation on-demand yet, this blog will hit all the highlights including Trevin’s three-pronged approach to ransomware readiness, the nuances of Red Teaming vs. Purple teaming, and why ransomware emulations are the best way to know how you stack up to adversaries' objectives.
An Interview with a CISO
Tom: Trevin, can you introduce yourself?
Trevin: Sure! I am the Red Team Practice Director at Bishop Fox. Prior to joining, I was a CISO at a major cybersecurity consumer company. I am very passionate about building offensive security programs, specifically Red Teaming, and I’ve worked for a few major financial institutions [Capital One & American Express] to build their Red Team programs, as well as a global cybersecurity company. During that time, I was also tasked with managing the threat intelligence function for those firms. My nexus with threat intelligence has contributed to my growth as a Red Team leader by ensuring our attack scenarios were realistic and emulated real-world adversaries. Now at Bishop Fox, I love my role focusing on our Red Teaming services. My day-to-day job focuses on meeting with different customers, listening to their security concerns and creating tailored Red Team approaches to solve these problems. We innovate and find exciting ways to help our customers.
Tom: Being a former CISO is an interesting and unique background for working in the ransomware space. Ransomware has been around a long time, and it doesn’t seem to be getting any better. For those of us in offensive security, ransomware seems to be an increasingly dangerous problem. Why does this issue appear to be getting worse over time?
Trevin: We frequently hear from our customers that ransomware is the main issue that keeps them up at night. The common concerns are the potential for customer data or business operations to be sabotaged and falling victim to extortion campaigns.
First, I do think we as defenders have improved significantly, but so have the adversaries. The threat actors evolve just as defenders do. As we look at the early days of ransomware, campaigns and attacks were much more basic and automated. Modern ransomware attacks are sophisticated with human-led attackers that dwell in networks a long time before ransomware is even deployed. Attackers spend time searching and learning about your environment to see where they can do the most amount of damage in a short amount of time to collect a ransom payment.
Ransomware attacks often start like any other type of attack with an enterprise foothold. Often multiple groups are involved to make a ransomware attack happen. For example, there are now access brokers specializing in and selling initial footholds to groups that deploy ransomware. Modern ransomware attackers even do research to see how much their victims can afford to pay and what a reasonable payment looks like in the victim’s means.
One of the great examples of the ransomware cat and mouse game is the pivot to double extortion. But companies started to improve backups and disaster recovery, so attackers adapted and began to exfiltrate data to sell on the Dark Web. It is a continuous cat and mouse game.
Tom: These days the issue is not if you’ll get hacked but when, so it is better to prepare. Ransomware requires a slightly different approach. In your opinion, how can companies prepare for a ransomware attack?
Trevin: I like to explain attack preparation in the following three-pronged approach:
- Reduce the attack surface and attacker pathways
- Sharpen the ability to detect ransomware attacks as early as possible
- Exercise a broader organizational response across teams and business units
Tom: Can you give us some examples of attack surface reduction?
Trevin: Most networks are open on the inside once an initial foothold is established. There is not a big safety net around end-users, and there should be. End-users like to click and explore information. Companies employ many great resources on their networks like zero trust and fine-tuning endpoint and email controls, but still find that susceptibility to ransomware is unknown until it happens in real life. And that is not an ideal situation to be in.
This is where offensive security is a powerful complement to an overall cybersecurity strategy. Bishop Fox’s Cosmos is a continuous attack surface management service and platform that helps organizations define their public facing assets and keep a constant watch on gaps in that attack surface. Penetration testing looks at scoped environments, like applications or cloud infrastructure, to identify security gaps that will enable further compromise of those environments. My practice area, Red Teaming, on the other hand, starts with attack objectives instead of a scoped environment. We test scenarios in response to customer questions like “can you exfiltrate customer data” or “can you deploy ransomware in this part of our environment”. Since Red Teaming starts with attack objectives the scope opens beyond the network to include the people in an organization. In Red Teaming, we define the top ways that an attack objective could be deployed by an adversary.
Tom: Could you talk about how a ransomware simulation works?
Trevin: For ransomware simulations, we aim to mimic real attacker playbooks as closely as possible, and we benefit from leaked playbooks. Much of the exercise focuses on TTPs [tactics, techniques, and procedures] prior to activating the ransomware payload. Essentially, we are looking to determine what the available attack pathways are and if they can be detected by endpoint or network detection mechanisms. We usually operate in a stealthy manner with zero to limited knowledge from the Blue Team. The customer usually provides a test area in the network for the Red Team to operate to minimize potential danger and unnecessary escalation. Lastly, we check to see how defenders interpreted the Red Team actions. Were they deemed false positives or actual threat activity? We help Blue Teams improve detection strategies based on actions that the Red Team took in their network.
Tom: Ransomware simulation is not a one size fits all. Are there certain caveats that organizations should be aware of when they are considering ransomware emulation services?
Trevin: Ransomware simulation is a better use of money and resources for organizations that are further along in their security journeys. I recommend starting with basic pen testing before considering a Red Team exercise. Red Teaming is a sweet spot for organizations that have already implemented key parts of a security strategy and are looking to test the investment. While Red Teaming is not a perfect fit for every security program, a big benefit is that it provides results through a lens that resonates throughout many parts of a business, not just a security team, which increases the ROI.
Tom: You mentioned that organizations need to sharpen detection capabilities in the three-part strategy. How do you recommend that organizations do this?
Trevin: It is a challenge because many security teams run into the issue of “you don’t know what you don’t know.” Attack activities happen and sometimes this results in alerting, but defenders don’t get to close the loop with attackers. This is where Purple Teaming is a useful offensive security approach. Unlike a real attacker, a Purple Team provides a play-by-play account of everything the Red Team implemented to include handing over telemetry or even logs. The Purple Team is your sparring partner and tells what your blind spots are.
Tom: Are there considerations for choosing a Purple Team vs. a Red Team exercise?
Trevin: Red Teams are constructed around the attack objective and do close the loop at the end of the exercise, but Purple Teaming is structured specifically around collaboration and communicating with Blue Teams throughout the entire exercise. There are significant differences between the two, but both are very valuable.
Tom: Bishop Fox had a recent client engagement with Illumio. Can you talk a bit about what we did?
Trevin: Absolutely. Illumio has built interesting solutions and technologies that can move the needle around ransomware, specifically being able to dynamically create segmentation within your network and classes of your assets. They reached out to Bishop Fox because they wanted to ensure their solutions were fully battle-tested and to see the results of a ransomware simulation patterned after a real-world attack. We crafted a custom methodology and network for this engagement and simulated a full-scale ransomware attack that was re-played against four different configurations of their network based on their solutions. We started with the most basic configuration which meant that no Illumio solutions were enabled. We slowly changed the control from the Illumio side, increasing controls, and measured things like how many total attacker TTPs Bishop Fox’s Red Team was able to execute, how soon before detection began, and how long until the Red Team was kicked out of the network. This scenario illustrates the benefits of telemetry augmentation being able to reduce attackers' ability to infiltrate a network environment. This is a different approach from what we’ve normally taken with clients, but still impactful offensive security, nonetheless.
Tom: Can you talk about how organizations implement these types of security practices on a regular basis?
Trevin: It is important to have the right cadence of operations when using Red Teaming. Some customers want to have their own internal Red Team, so we have continuous models to address that need. It gives companies something close to the cadence of an internal team. We conduct two to six engagements per year and keep the same consultants working with the customer’s internal stakeholders. We also have continuous Purple Teaming which means we might work with a Blue Team once a month, for example. There is a subset service called Continuous Ransomware Purple Teaming. In this case, we use our real-world playbooks that allow us to simulate different ransomware playbooks each time we meet and work directly with Blue Teams to build security program improvements.
Tom: What benefits does ransomware emulation bring to CISOs and Board Rooms?
Trevin: I've been very fortunate to work for companies that prioritize security at the highest levels. In some cases, executives took their roles as stewards of the organization very seriously and stressed the importance of asking about resilience against ransomware attacks and susceptibility to supply chain attacks. As a CISO, there are many lenses that you can show for your security program, but nothing was as satisfying to both me and the board as running a ransomware simulation against our own network and mapping as closely as possible to known ransomware behaviors. Definitively knowing: here is what we learned, here is what we did well, and here is what we need to invest in and strengthen for a stronger security posture.
Dig Deeper into Strategic Ransomware Readiness
Hear more from Trevin on our upcoming webcast, Ransomware Emulations: Pressure-Testing Scenarios for Cybersecurity Defense Teams, on December 7 at 2 p.m. ET as we dig deeper into his strategic ransomware readiness approach, alongside Illumio, who battle-tested their Illumio Core product against the latest ransomware tactics and techniques. We hope to see you there!