How Adversarial Testing Complements Incident Response
Combining the specialized skills from Secureworks® Incident Response and Adversarial Security Testing in a single engagement delivers results that supersede traditional delivery models.
By: Jake Dorval & Jeffrey Carpenter
Some things in life are simply better together, like peanut butter and jelly, fish and chips, or better yet, grilled cheese and tomato soup. The same is true for Secureworks’ Incident Response and Adversarial Security Testing practices. Working together, we help customers understand their resistance to cyber threats and deliver highly targeted assistance during cyber incidents that siloed approaches can never achieve.
During both emergency incident response and proactive engagements, the combined expertise of both practices comes together and provides a more robust approach for helping customers mitigate cyber threats and elevate their cyber resilience.
Enhancing Emergency Incident Response Engagements
There’s one principle all cybersecurity practitioners agree on when it comes to predicting incident impact: the longer a threat actor remains undetected in an environment, the greater the potential damages to the organization.
The partnership between our Incident Response team and the Secureworks Adversary Group is critical to minimizing incident impact for our customers. We achieve this in a variety of ways depending on the engagement. For example, we often see incidents where there are gaps in the evidence of threat actor activity, or audit trails are overwritten by the time Secureworks is engaged. In cases like these, the Secureworks Adversary Group would reconstruct phases of the attack life cycle by testing the organization’s cybersecurity controls and piecing together the likely tactics and techniques of the threat actor. This work is enabled by world-class threat intelligence from the Counter Threat Unit™ research team.
Remediation efforts also benefit from a joint approach. When our customers go through the remediation process for an incident, the Adversary Group validates that the changes to cybersecurity controls have addressed the failures that led to the compromise. For example, if the customer knows there was a set of compromised credentials and the threat actor leveraged Remote Desktop Protocol (RDP) to gain access, they may choose to disable RDP from outside their networks, perform a password reset, and implement multi-factor authentication (MFA) for any internet-facing services. The Adversary Group can then test whether RDP was disabled, and also validate that the MFA deployment has no lingering vulnerabilities. This interactive threat actor insight is a perspective that a traditional incident response effort often doesn’t include, but is standard operating procedure for large-scale Secureworks Emergency Incident Response engagements.
During a major cyber incident, organizations should also identify any additional vulnerabilities that threat actors could exploit for re-entry. This step is often overlooked in traditional IR efforts, but when working against human-operated cyber threats, overlooking any vulnerability can leave an easy access point for a motivated threat actor. Penetration tests can help customers find these issues during major cyber incidents. Routinely, the focus areas during an active cyber incident are containing the situation and restoring operations, and while these are paramount to ensure the organization can quickly return to business as usual, they shouldn’t be the only focus areas. Without uncovering other vulnerabilities and actively working to remediate them, organizations could be left exposed to additional cyber threat events and impacts.
Bolstering Proactive Engagements
Incident response exercises and threat hunting assessments help organizations improve and validate their cybersecurity postures before cyber incidents occur. For advanced engagements at customers with high-performance security programs, our Incident Response team calls in the Secureworks Adversary Group. Our incident responders and penetration testers plan the exercise with the customer and carry out tailored attack patterns to stress test the customer’s cybersecurity posture and response processes. During threat hunting engagements for customers with complex technology environments, Secureworks’ threat hunters team up with penetration testers to plan threat hunting objectives and analysis methods to identify unknown adversary activity and security gaps. Throughout these joint engagements, the customer can interact with both the Secureworks Incident Response and the Secureworks Adversary Group in a highly immersive and integrated manner.
Sometimes Two Teams Are Better Than One
It’s hard to imagine peanut butter without jelly. The same is true for Secureworks Incident Response and the Secureworks Adversary Group. Between them, these teams conduct more than 2500 engagements per year, globally. Through our Incident Management Retainer, customers can make the most of this partnership, as well as access a wide variety of offensive security services, including: ransomware simulations, penetration tests, remote access vulnerability assessments, web application security assessments, and more. We can’t imagine helping customers validate their cyber resilience and respond to major cyber incidents without the blended approach of our Secureworks Incident Response team and the Secureworks Adversary Group.