Horizon scanning 2023
The Horizon Scanning report provides insight into the new and emerging areas of risk that Heads of Internal Audit should be considering when preparing and planning their Internal Audit Plans for 2023/24.
For organisations like Social Housing providers who hold a lot of sensitive data, the risk of being actively targeted is particularly acute.
Have you ever tested your controls against known Techniques, Tactics and Procedures (TTPs) used by cyber criminals?
A large Social Housing provider recently asked us to simulate a targeted cyber attack and evaluate their ability to detect and respond to different threats. We focused on emulating two trending threats, phishing and ransomware, through an activity known as “red teaming”.
The objectives to test were:
How does a cyber attack start?
Just as many cyber attackers do, the red team started with information gathering via Open Source Intelligence (OSINT). This included researching branding, corporate language, events, and employee email addresses, all of which were used by the red team to craft a phishing campaign designed to capture the attention of the client’s employees.
The red team’s research was not limited to the public internet and included investigation of the Dark Web: a clandestine portion of the internet often used by cyber threat actors. The Dark Web was searched for sensitive information that could be used by the red team. While no active passwords were identified, historic passwords from previous breaches were found and reported to the client.
The delivery and exploitation phases
Using information gained during reconnaissance, attacks were tailored by the red team before being launched. The attack can be summarised with the following key stages:
Lessons learnt
The weaknesses were not in the client’s IT security controls.
Whilst the red team gained a significant level of access to the client’s network, only a handful of technical issues were used to compromise the environment. Instead, the red team exploited poor security processes and user awareness, particularly around management of privileged accounts and passwords. Most importantly, Endpoint Detection and Response solutions used for threat detection did not detect either internal activity or the exfiltration of data, due to misconfiguration of alerting.
By using red teaming, it was possible to evaluate the effectiveness of security controls across not only the client’s technology, but people, processes and how they interact. This ultimately provided a much greater insight into the effectiveness of implemented IT security controls.
Get in touch
If you would like to discuss any aspect of the above or how this applies to your organisation, please contact us.