Simulating a good guy

What would happen if the one person in your organization that you counted on the most becomes a bad guy? What would happen if the person with access to everything, suddently flips and becomes your worst enemy: an insider with access.

This was one of the things we were asked last year, during our latest biggest assessment introduction. After Snowden did what he did, a lot of people are a bit more paranoid of their own data, IP, and other things, so this is a common question that keeps on being asked.
During the last operation, we factored that into the planning.

For this part of the project, we were given all access. The CISO wanted us to have the same level of access as the CIO. He was at that point the one man that could see and do anything, badge into any lab, open any database, read any file and access the company's most guarded secrets: the source code of their different products.
In order to properly simulate this person, the CISO decided that we needed to be him. He created an account for us with the same level of access (physical and digital). We all got badges and and company laptops and we were given a very nice office to work in. We had all the time we needed to begin to learn the CIO, what he does and see how we potetially could extract information, harm the organization (both reputationally and digitally) and ultimately get to a point where we completely stop the organization from doing business.

We set to work. We spent the next 2 months slowly learning the netowrk, the players, the different access levels and what was most important: how the company did its business and the role of the CIO in it. We used a system similar to the CARVER Matrix to identify the possible targets and work from the top down.
Then, slowly, we began targetting systems and people, from the inside.

The first thing we did was to introduce noise. Logging into sensitive systems and extracting information. At the same time we also created a trail of physical entries into labs, network controls, server rooms and other sensitive areas. Finally, we connected into well known file sharing websites and uploaded a file (with random text, not the real information).
We did this for several days and the Blue Team never discovered us. We could had just stolen all their source code, list of clients, financial information, network plans… All.
So, we took it to the next level: we began crashing random systems. But not just any systems, the very systems we were extracting information from. That makes them notice.

The Blue Team began analyzing what was going on and soon enough they had extra monitoring and some traps put in place. They suspected someone was inside, but still the didn’t manage to follow the trains we left from weeks of extracting information.
The thing is, since we had the same access as their CIO, we also had hourly updates from their SOC and CERT teams, so we were one step ahead of them and managed to go at systems or networks where the monitoring wasn’t put in place yet. It was fun to see the chaos of them trying to figure that one out.
But eventually they figured the source of this. They traced one of the connection to one of our laptops and they began asking questions.

We stopped the exercise there. At that point we had already demonstrated that a person with the level of access the CIO had could really bring the whole company down.

Next step was to apply the lessons learned and see what the Blue Team could do…

To be continued.