Social Housing Case Study – Scenario based penetration testing

How easy is it for cyber criminals to get into your IT systems?

A simple question, but the answer can often seem elusive. An alternative question to consider - How do you proportionately assess that your current cyber security controls will protect you against a cyber attack? This is particularly significant considering that the breadth and complexity of cyber attacks continue to grow and develop.

For organisations like Social Housing providers who hold a lot of sensitive data, the risk of being actively targeted is particularly acute.

Have you ever tested your controls against known Techniques, Tactics and Procedures (TTPs) used by cyber criminals?

A large Social Housing provider recently asked us to simulate a targeted cyber attack and evaluate their ability to detect and respond to different threats. We focused on emulating two trending threats – phishing and ransomware, through an activity known “red teaming”.

The objectives to test were:

  • Resilience to a breach of the network perimeter - Gain access to the corporate network with no prior access through phishing and information available on the internet about the organisation
  • Can an attacker reach the crown jewels? - Understand the access and impact a potential attacker could have if they were to gain access to the corporate network, focusing on critical business assets
  • Response to a cyber attack - Assess the client's ability to detect and respond to the threat posed by cyber attacks, including ransomware on an end-user's device

How does a cyber attack start?

Just as many cyber attackers do, the red team started with information gathering via Open Source Intelligence (OSINT). This included researching branding, corporate language, events, and employee email addresses, all of which were used by the red team to craft a phishing campaign designed around hooking the client’s employees’ attention.

The red team’s research was not limited to the public internet and included investigation of the Dark Web: a clandestine portion of the internet often used by cyber threat actors. The Dark Web was searched for sensitive information that could be used by the red team. While no active passwords were identified, historic passwords from previous breaches were found and reported to the client.

The delivery and exploitation phases

Using information gained during reconnaissance, attacks were tailored by the red team before being launched. The attack can be summarised with the following key stages:

  • Delivery of phishing emails – Phishing emails designed to mimic one of the client’s internal services and delivered to users likely to be accessing content “on the go”, such as neighbourhood support officers.
    • Several users entered credentials into the red team’s phishing website allowing the red team access to the clients O365 environment.
  • Navigation of file shares and the network – Searching for the clients’ “Crown Jewels” such as financial data, tenant details and other personally identifiable information.
    • The red team were able to access sensitive HR files as well as financial records.
  • Deployment of ransomware- Successful execution of ransomware on a client’s workstation. Ransomware was downloaded via the web and executed in a controlled manner to target dummy files and attempt to encrypt them.
    • The ransomware encrypted 48% of available data, at which point the installed anti-virus flagged the malicious file, stopping the encryption routine.

Lessons learnt

The weaknesses were not in the client’s IT security controls.

Whilst the red team gained a significant level of access to the client’s network, only a handful of technical issues were used to compromise the environment. Instead, the red team exploited poor security processes and user awareness, particularly around management of privileged accounts and passwords. Most importantly, Endpoint Detection and Response solutions used for threat detection did not detect internal activity nor exfiltration of data due to misconfiguration of alerting.

By using red teaming, it was possible to evaluate the effectiveness of security controls across not only the client’s technology, but people, processes and how they interact. This ultimately provided a much greater insight into the effectiveness of implemented IT security controls.

Get in touch

If you would like to discuss any aspect of the above or how this applies to your organisation, please contact us.

Contact us today