Telos cyber operators test SCIT Labs’ ability to foil APTs and 0-days.
Telos does penetration testing for commercial enterprises and government agencies. Our goal is to uncover vulnerabilities in their IT environments and to see if we can get past their defenses.
Recently we were involved in an interesting twist on those kinds of assignments: we were asked by a security vendor to steal a file in order to test the effectiveness of a solution designed to prevent such thefts.
The solution is offered by SCIT Labs of Fairfax, Virginia. SCIT stands for “self-cleansing intrusion tolerance,” which is a description of how their solution works. Its “Moving Target Defense” technology, or MTD, disrupts intrusion attempts by constantly rotating virtual servers and applications. This continuously changes the attack surface of a system and limits the time an intruder can stay in the system.
To the attacker, the system appears static; under the covers, the VMs are being continuously rotated, returning to a pristine state at configurable intervals as brief as a minute. When an intrusion is detected, the system flags the attempt and preserves the forensic evidence for further analysis. It’s an interesting solution that results in much lower data exfiltration losses even for zero day and APT attacks.
So, in essence, SCIT Labs asked our Computer Network Operations (CNO) team to see if they could snag a 3.2GB target file from a web server protected by their Moving Target Defense technology. According to the rules of engagement, SCIT Labs had given the CNO team an “engraved invitation” to break into the server, so gaining access to the target file was relatively easy.
However, the point of the test was to see whether we could grab the target file once we were in the system. And that proved to be nearly impossible, due to the MTD technology continually swapping in fresh servers. In fact, the connection to the server was terminated every 90 seconds, foiling our team’s efforts to exfiltrate the file.
Moving to Plan B, our team wrote a script that would automate attempts to download the target file in segments, but after two days and thousands of attempts, we only managed to grab small (3.8Mbit) pieces of it. (And, in the process, we made so much such “noise” that in the real world we would have given ourselves away.) Trying to download anything larger corrupted the segment and rendered it useless.
The only thing left to try was to download each chunk three times, compare the hashes, and keep one of the files with a matching hash. However, this approach would have taken three times longer and wasn’t considered feasible. In short: the target file was anything but “low-hanging fruit” as a result of SCIT Lab’s MTD technology.
For the purposes of this test, SCIT Labs had turned off other defenses the solution offers, such as throttling of outgoing data, randomizing the exposure time of each new server, and an “early warning system” that logs valuable forensic information from each intrusion attempt. Had these other defenses been in place, the solution’s ability to fend off the attack and remediate afterward would have been even greater.
The moral of the story: pen-testing is just as valuable for vetting an IT security offering as it is for vetting the security of an IT environment. Let us know if you have a security product or solution that could use a good white-hat hack to ensure it works as advertised.