Assume Breach
Assume that you are being hacked!
Do you recognise the spread in your network?
Assume Breach is a security strategy that assumes that an attack on a system or organisation is inevitable and that it is therefore important to minimise the impact of such an attack as much as possible. The idea behind Assume Breach is that it is better to prepare for the defence of attacks rather than assuming that a system is completely secure.
What measures does Assume Breach include?
When carrying out an Assume Breach Assessment, hackers proceed in a similar way to a Red Teaming Assessment.
In contrast to red teaming, however, the attackers already have initial access to the internal network, for example via a compromised VPN access or malware that is executed on a computer.
The basic idea is this: Just because a network appears secure at the current time, there is still a high probability that attackers will be able to gain initial access in one way or another.
What is the aim of Assume Breach?
The aim of an Assume Breach Assessment is to analyse in a targeted manner whether an attacker attempting to spread within the internal network is detected and effective measures are taken to prevent further spread and the outflow of data.
Typical sequence of events in a real attack on a company
An attacker gains initial access to the company
An employee uses the same password in several places. A social network to which the employee has logged in with the company email address suffers a data leak, as a result of which the employee's password becomes known. A hacker group exploits this and gains access to the internal network via the company's VPN.
No alarms!
As the employee regularly dials in himself via the VPN, the behaviour of the attackers has not yet been conspicuous. They gain access to a host on which the employee has user rights and can access different network shares.
Escalation of privileges!
The hackers can escalate their rights on the host and become the local administrator. This enables the attackers to download additional malware undetected and obtain further passwords and authorisation tokens.
Spreading in the network
The additional user information and authorisation tokens allow the attackers to spread further and further across the network undetected. They use not only hacker tools, but also programs available on the systems that are not recognised as malicious by any anti-virus programs.
Access to the heart of the company
By chaining rights escalations, the attackers gain access to the domain controller and thus control over all roles and rights assignments. Access to the backup server can now also take place undisturbed. The attackers have taken over the company and are starting to extract data.
ENCRYPTION!
After large amounts of data containing sensitive internal company information have leaked out of the company, the hackers strike and encrypt all the files on the company's computers. They demand a large sum in cryptocurrencies before the decryption key is revealed.
We thought we were in an excellent position with our endpoint protection and our managed SOC provider. Laokoon Security showed us where our blind spots were - and offered us targeted suggestions on how to eliminate them.
CISO of a medium-sized company
Assume Breach
When does an Assume Breach Assessment make sense for my company?
- You want to know whether you can reliably recognise ongoing attacks.
- They don't just want to rely on theories and promises from manufacturers.
- At best, you have already carried out penetration tests and have an overview of your assets.
The colleagues at Laokoon were on hand to answer any questions we had and provided uncomplicated support.
Team Leader Development