During an adversarial review, we look for ways an attacker might make use of the devices and the configurations of those devices that you have used to create your network. This process is especially important for those devices you have used to implement your security infrastructure. Remember that the overall security of your network relies on the individual components that make up the network. Security settings on one device can have a dramatic effect on the security of another device. To gain a complete view of the security of the entire network, you must take a careful look at each of the devices that implement your security infrastructure and then analyze how the interaction between devices affects security. Adversarial review provides a useful method for exploring the impact of these interactions.
We are not actually attacking the network during an adversarial review. Instead, we are conducting an analytical thought process that allows us to develop scenarios that someone else might use to attack the network. By creating these scenarios and identifying measures that could be used to prevent them, we can locate flaws in the architecture of the perimeter or potentially weak links that do not follow defense-in-depth principles.
To conduct an adversarial review, you must perform the following activities:
One of the most time-consuming parts of the review is step 3. To determine the amount of access an attacker has, you must conduct a detailed analysis of each security device on your network. You will be looking for three key pieces of information:
In step 4, you use the access you have discovered to "attack" your network. Thinking like the attacker, you attempt to see whether the access that remains after you have considered each device is sufficient to do significant damage.
Even if you did not find exploitable access in step 3, it is occasionally useful to act as if you had and proceed with the review anyway. New vulnerabilities are discovered in software every day. As an example, consider Microsoft's Internet Explorer web browser. If you were using it in the spring of 2004, you would have had no way of knowing it exposed your network to attack due to an exploitable vulnerability in its drag-and-drop feature (http://www.securityfocus.com/bid/10973). You would have had to wait until August 2004 for the vulnerability to be made public. This vulnerability had actually been in the software since version 5, which was released in 1999. This means that sites that installed this version or its successors (up to version 6) might have been vulnerable to this attack for over five years. Simulating vulnerabilities during your review allows you to experiment with the impact that an undiscovered vulnerability would have on your network.
Step 5 is an iterative process that requires you to look at where the attacker starts to determine how far he can penetrate the network. If you were analyzing your exposure to an external attack, you would likely start the attack with your public systems. These systems normally come under attack first because they are the most exposed to the Internet. If you have (or simulate that you have) a vulnerability in one of these systems, your next step is to think about what attackers could do if they were able to exploit the vulnerability successfully.
Gaining control of one of these systems would allow you to start launching more attacks using the public system as the source. If the access you have discovered during the review allows this public system to reach other computers on your network, and these other systems also have exploitable vulnerabilities, you would be able to control these other systems, moving further into your network. You continue this thought process until you run out of systems that an attacker could access or until you have circumvented the security controls that you care about. At this point, you can look to see how far you, as the attacker, got in the network and what security controls you could implement that would have stopped the attack at each step in the process. Assuming those controls are implemented, you can re-run the analysis to see whether you can find any other ways to attack your network. When you have run out of ideas, you are done.
Step 6 ends the adversarial review with the identification of the additional security controls necessary to protect your network. Especially for reviews in which you have included simulated vulnerabilities, the review helps you identify the controls necessary to implement defense in depth. This is the real power of the adversarial review: the identification of the layers of defense needed to help protect you against the unknown.
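The iteration in step 5 and the control selection in step 6 can be worked through mechanically once the access discovered in step 3 is written down. The following is an added example, not from the text: the network topology, permitted access, and set of vulnerable hosts are all constructed, and the attacker can take over a host only when it is both reachable from an already compromised host and (actually or by simulation) vulnerable.

```python
from collections import deque

# Constructed topology for illustration. ACCESS maps each host to the hosts
# it is permitted to reach after the perimeter device rules are applied
# (step 3). VULNERABLE lists hosts with a known or simulated exploitable
# flaw; "db" is assumed patched in the baseline review.
ACCESS = {
    "internet": {"web", "mail"},
    "web": {"db"},
    "mail": {"workstation"},
    "db": {"workstation"},
    "workstation": {"file-server", "db"},
    "file-server": set(),
}
VULNERABLE = {"web", "mail", "workstation", "file-server"}


def attack_paths(access, vulnerable, start="internet"):
    """Step 5: which hosts could an attacker starting at `start` take over?
    A host falls only if it is reachable from a compromised host AND
    vulnerable. Returns {host: path_from_start} for every compromised host."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst in access.get(src, ()):
            if dst in vulnerable and dst not in paths:
                paths[dst] = paths[src] + [dst]
                queue.append(dst)
    return paths


def blocking_controls(access, vulnerable, target, start="internet"):
    """Step 6: which single access rules (src, dst), if removed, would by
    themselves keep `target` out of the attacker's reach?"""
    stops = []
    for src, dsts in access.items():
        for dst in dsts:
            trimmed = {h: set(d) for h, d in access.items()}
            trimmed[src].discard(dst)  # model adding a filtering rule here
            if target not in attack_paths(trimmed, vulnerable, start):
                stops.append((src, dst))
    return sorted(stops)


if __name__ == "__main__":
    for path in attack_paths(ACCESS, VULNERABLE).values():
        print(" -> ".join(path))
    print("baseline:", blocking_controls(ACCESS, VULNERABLE, "file-server"))
    # Simulate a future flaw in db, as step 5 suggests, and re-run step 6.
    print("db simulated vulnerable:",
          blocking_controls(ACCESS, VULNERABLE | {"db"}, "file-server"))
```

In the baseline run three different rules each stop the attack on the file server, but once a vulnerability in the database host is simulated, only the rule closest to the target still does, which is the defense-in-depth layer the review is meant to surface.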