Automated Attack Platform Lets Organizations Continuously Hack Themselves to Test Their Attack Surface
There are three current approaches to testing company security defenses: internet-facing perimeter scanning, penetration testing, and red teaming. Perimeter scanning evaluates what can be seen from the outside; penetration testing looks for known vulnerabilities and weaknesses; red teaming probes the system in the same way as a hacker.
All have their place; but all have their weaknesses. Perimeter scanning cannot detect flaws inside the perimeter. Penetration testing is expensive and provides a ‘point in time’ view of security — a new vulnerability could be introduced to the system the day after the testing finishes. Red teaming, especially continuous red teaming, is by far the most effective way of finding weaknesses in corporate infrastructures — but is phenomenally expensive and beyond the reach of all but the largest and most wealthy companies.
Solving that last problem is the raison d’etre of Randori, a Boston, Mass-based startup founded in 2018 by Brian Hazzard (CEO) and David (‘Moose’) Wolpoff (CTO), with seed funding of $9.8 million.
Hazzard and Wolpoff met at Carbon Black. Hazzard was VP of product management at the time, and Wolpoff was a seasoned red team specialist. In 2013, Carbon Black was breached by a nation state targeting a select number of Carbon Black customers. The company called in Wolpoff’s red team. He had spent ten years hacking companies, primarily Fortune 500 firms, with a 100% success rate; and, Hazzard told SecurityWeek, “Kicked our daylight by attacking Carbon Black as a black hat.”
Out of this relationship, and with Carbon Black being acquired by VMware, Hazzard and Wolpoff joined forces, formed Randori, and worked on a methodology that could bring the concept of red teaming to all companies at an affordable price. The target is to bring red team testing within the budget of every single CISO. This was not done behind the back of Carbon Black, some of whose directors are personal investors in Randori.
Hazzard and Wolpoff chose to develop a red team platform for everyone rather than a red team service for the wealthier companies. The result, the Randori Platform, was launched on February 11, 2020. “We’re building a flat-out attack platform,” Hazzard told SecurityWeek, “so that every defender can have a trusted adversary to practice against and prove their defenses.” Randori, incidentally, is a term used in Japanese martial arts to describe free-style practice.
The concept is surprisingly simple. It mirrors adversarial attack methods as closely as possible. It comprises two stages: reconnaissance and attack. The initial reconnaissance phase, also known as the ‘black box discovery’, starts with just a customer’s email address. “We start from zero knowledge,” explained Hazzard, “and build a picture of everything needed to break into a company. The email address gives us the customer’s domain. From that we spider across the internet and build a complete map of the organization’s assets.”
After discovery comes the attack phase. The discovery map is used by the customer to scope and authorize the red team attack. “The customer can engage with the platform, and say, ‘yes, these assets are mine and are in scope for attack’,” continued Hazzard. The system will then plan and execute an attack against the assets that the customer has put in scope. Assuming the attack is successful, new reconnaissance acquired in the process may lead to more assets being put in scope, which could lead to further engagements.
Two key aspects of the red team platform are that it is continuous and that it is continually improving. The black box discovery phase is not, for example, a single scan to check for vulnerabilities. In one engagement, the initial discovery phase found no problem areas. But rather than moving on to a new customer or client, “the system just watched and waited, looking for anything that might change. Two months later,” said Hazzard, “it detected a new ‘top target’ — something an attacker would be attracted to.”
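The discovery, scope-authorization and change-watching loop described above, modelled as an added example (this is not Randori's code; the asset names, service labels and snapshots are constructed for illustration):

```python
# Added example: a minimal model of continuous discovery with a customer
# scope gate. Everything here (Asset, Engagement, the hosts) is constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    host: str
    service: str       # constructed labels such as "https" or "ssl-vpn"


@dataclass
class Engagement:
    domain: str
    seen: frozenset = frozenset()                 # assets in the latest discovery map
    pending: set = field(default_factory=set)     # new assets awaiting customer sign-off
    in_scope: set = field(default_factory=set)    # assets the customer has authorised


def domain_from_email(email: str) -> str:
    """Recon starts from one address: the part after '@' names the organisation."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def reconcile(eng: Engagement, snapshot: set) -> tuple:
    """Fold a fresh discovery snapshot into the engagement and report the delta.

    Newly seen assets are queued for authorisation, never acted on directly;
    assets that vanished are dropped from scope so a stale authorisation
    cannot be used against something that no longer exists."""
    current = frozenset(a for a in snapshot
                        if a.host == eng.domain or a.host.endswith("." + eng.domain))
    appeared = set(current - eng.seen)
    vanished = set(eng.seen - current)
    eng.pending |= appeared
    eng.pending -= vanished
    eng.in_scope -= vanished
    eng.seen = current
    return appeared, vanished


def authorize(eng: Engagement, approved: set) -> set:
    """Customer confirms ownership; only assets already discovered can enter scope."""
    granted = approved & eng.pending
    eng.pending -= granted
    eng.in_scope |= granted
    return granted


def attack_eligible(eng: Engagement) -> set:
    """Assets the platform may act on: authorised and still present in the map."""
    return eng.in_scope & eng.seen
```

A point-in-time test corresponds to one `reconcile` call; the continuous model keeps calling it, and a newly exposed host sits in `pending` until the customer signs it off.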
This alone takes the platform beyond the scope of traditional vulnerability scans, penetration tests and time-limited red team SaaS engagements. In all of these, detection cannot succeed if the weakness is introduced after the testing. Consider also the dwell time of today’s advanced hackers. They could already be resident and stealthy on the network when a scan is performed, or resident in a different part of the network outside the agreed scope of penetration or even red team service testing.
“Most services engagements — perhaps because of the time limits — go straight for the crown jewels,” commented Wolpoff. “In my experience of breaking into companies over many years, adversaries rarely attack the most heavily defended areas directly.” The outer parts of an infrastructure are changing constantly. An attacker will monitor these changes looking for a way in. So, a company could ‘pass’ a red team engagement without knowing that adversaries may already be present elsewhere in the system, slowly working their way toward the target.
In the example engagement, the platform simply flagged its discovery and prompted the customer to authorize the platform moving into attack mode against the new discovery. It was another month before the customer delivered its authorization — but it took less than a day for the platform to breach the asset. In this case, it was a perimeter device. But from there it was able to pivot within the infrastructure, and was able to get to the customer’s crown jewels. With knowledge gained from a successful but benign breach, the customer can improve its security.
At each step taken in its own lateral movement within a network, attack mode pauses, and the system goes into another reconnaissance phase. It compares what it sees to its own armory of play books before deciding what to do next — it behaves, in fact, exactly as a black hat would do.
The system works from automated hacking play books, which are designed by Moose’s hacking team and coded into the platform. Whenever a new technique is discovered, either through their own research or from a successful breach elsewhere, that technique is turned into a new playbook and coded into the platform. This means that the ‘quality’ of the red team platform is continuously improving.
But it also equalizes the traditional relationship between hackers and defenders. In the past, hackers could create one new technique and use it against multiple companies. Now, the Randori red team creates one play book based on that technique, and can use it to test and help defend multiple companies.
If the Randori platform is successful, it will challenge three existing cybersecurity products. Perimeter scanning is just a part of the service. It is done differently, from the viewpoint of an adversary, but the outcome is similar. Penetration testing and red team testing are performed more cheaply and continuously. Spear-phish training is also within scope: “It’s part of an attacker’s armory, so of course it is in scope for us,” commented Hazzard.