Overview
A large financial services organization with a history of working with Reversec was looking to assess the efficacy of its detection capabilities for attacks targeting its AWS cloud environments. Specifically, the client raised concerns around attacks targeting the cloud infrastructure comprising its internet-facing application environment.
Company: Financial services organization
Country: UK
Industry: Financial services
Client
The client’s environment represented a standardized deployment template for multiple application teams to host solutions securely in the cloud, thus they were looking for a level of detection assurance on the template that would then be applicable for hundreds of applications going forwards.
Our solution
Reversec chose a three-phased approach, reviewing the environment’s architecture to devise environment-specific attacks to simulate, alongside more common attack techniques. These attacks were executed in full view of the client’s security team, using a range of technologies including Reversec’s proprietary Leonidas tooling.
Phase 1: Attack path identification
The first phase reviewed the environment’s architecture, leveraging existing threat modelling documentation, to identify the most likely tactics, techniques and procedures (TTPs) attackers would employ in the environment. This considered the activities of an external unauthenticated attacker, as well as an internal application developer (i.e. an insider threat). Approximately a hundred test cases of individual attacker actions were identified, covering the AWS services utilized by the client, including host-based tests on EC2 instances and modification of users in IAM.
Phase 2: Cloud telemetry assessment
The second phase consisted of a cloud telemetry review to identify which log sources were being ingested, mapping these to the critical assets and probable attack vectors identified in phase one. Reversec reviewed the log sources ingested by the client, evaluating which existing and supplementary sources would best serve the client in the proactive detection of malicious activity within the environment.
As the agile development of the internet-facing environment was ongoing, Reversec followed these first two phases with the delivery of an interim document which included the devised test cases and the initial recommendations. The client then spent two weeks implementing Reversec’s recommendations before the commencement of the third and final phase.
Phase 3: Cloud attack detection assessment
In phase three, Reversec performed a cloud attack detection assessment, executing the devised test cases and technically validating the degree to which the client’s telemetry coverage could detect malicious activity within the AWS environment. As part of this phase, Reversec utilized its internally developed attack simulation tool, Leonidas, to automate many of these attacker actions. Ultimately, this enabled Reversec to increase the number of attack paths executed within the timeframe.
Leonidas was created by Reversec’s cyber defense specialists with the objective of allowing users to execute attacker actions via a serverless web API. The API is deployed using AWS-native continuous integration and delivery tools, allowing for rapid development and deployment of new test cases. The API logs and returned results provide the data needed to validate detection telemetry and events against the actions that were actually executed.
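The validation step described above, as an added illustration that is not Reversec’s code and not part of Leonidas: records of executed test cases (the action each one performs, expressed as the CloudTrail eventSource/eventName it should produce, and when it ran) are correlated with CloudTrail events to show which cases left telemetry and which did not. The record format, field names and sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ActionRecord:
    """One executed attacker action, as an attack-simulation API would record it."""
    case_id: str
    event_source: str   # CloudTrail eventSource, e.g. "iam.amazonaws.com"
    event_name: str     # CloudTrail eventName, e.g. "CreateUser"
    executed_at: datetime

def parse_ts(value: str) -> datetime:
    """Parse a CloudTrail-style UTC timestamp such as 2024-05-01T10:00:42Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def match_telemetry(cases, events, window=timedelta(minutes=15)):
    """Map each case_id to the eventID of the first CloudTrail event with the
    same eventSource/eventName seen within `window` after execution, or None
    when nothing was recorded (a telemetry gap for the blue team to investigate)."""
    results = {}
    for case in cases:
        results[case.case_id] = None
        for ev in events:
            if (ev["eventSource"], ev["eventName"]) != (case.event_source, case.event_name):
                continue
            seen = parse_ts(ev["eventTime"])
            if case.executed_at <= seen <= case.executed_at + window:
                results[case.case_id] = ev["eventID"]
                break
    return results

def coverage(results) -> float:
    """Fraction of executed test cases that produced matching telemetry."""
    return sum(v is not None for v in results.values()) / len(results)

# Constructed sample data (not from any real environment): three executed
# test cases and the CloudTrail events recorded around the same time.
CASES = [
    ActionRecord("TC-001", "iam.amazonaws.com", "CreateUser", parse_ts("2024-05-01T10:00:00Z")),
    ActionRecord("TC-002", "ec2.amazonaws.com", "RunInstances", parse_ts("2024-05-01T10:05:00Z")),
    ActionRecord("TC-003", "iam.amazonaws.com", "AttachUserPolicy", parse_ts("2024-05-01T10:10:00Z")),
]
EVENTS = [
    {"eventID": "ev-1", "eventTime": "2024-05-01T10:00:42Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser"},
    {"eventID": "ev-2", "eventTime": "2024-05-01T10:06:10Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
    {"eventID": "ev-3", "eventTime": "2024-05-01T10:07:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets"},
    {"eventID": "ev-4", "eventTime": "2024-05-01T11:30:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy"},
]
RESULTS = match_telemetry(CASES, EVENTS)
```

Running the correlation after each detection sprint and recording `coverage()` over time gives the measurable improvement figure the assessment aims to demonstrate; the unmatched case (AttachUserPolicy, whose only event falls outside the window) is the kind of gap that points at a missing or delayed log source.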
Outcome
Reversec’s purple team enabled the client to test and evaluate the level of cyber resilience across its cloud estate. Reversec’s approach offered several benefits to the client, namely:
- Reversec’s approach was a holistic assessment of the effectiveness of the detective security controls in place, providing recommendations to materially decrease the client’s risk exposure. The assessments themselves provided a means of quantitatively demonstrating measurable improvement over time.
- Reversec leveraged its years of research and experience of performing targeted attack simulations to deliver sophisticated modern attack techniques that reflected realistic attacker behaviours.
- Reversec’s cloud capability assessment program was able to determine whether investment in specific security controls was effective, demonstrating either proof of value or providing evidence-based justification to deprecate tooling or forgo further investment.
- The use of Leonidas allowed for rapid development and deployment of new test cases, maximizing the time available for testing and utilizing effort in the most efficient way.
Reversec’s cloud purple teaming offering is a new, innovative program of work that delivers a threat-led, quantitative assessment of cloud attack detection capability. Leveraging the data output from the initial, flagship assessment, Reversec continues to collaborate with the client through detection ‘sprints’, continuously testing capability as the client’s AWS environment and the associated detection capability develop.
Used services
Resilience Development
Build your immune system and withstand a cyber incident; assess risk by testing your controls against likely threats, and improve the skills of your security operations team.