Security can be handled without laying a single finger on the keyboard by using attack scenarios
Goal of CTTX: To work with customers and their teams to identify cyber shortcomings, weaknesses, and issues before they happen in the real world, and without laying one finger on an operational system during the exercise.
Most companies are told that pentesting is the only method to 100% identify all vulnerabilities in a network. Simply put, from a 30+ year veteran of pentesting … it’s simply not true. First, pentests are not 100% guaranteed to find everything. And the capabilities of the pentest team are based on their years of experience. Most companies’ IT teams look at pentesting efforts with an adversarial view and don’t talk too much to the pentest team. If weaknesses and vulnerabilities are found, then the IT team and cybersecurity teams need to do more work, and some members believe it will get them in hot water when shortcomings are found. Ideally the two teams should work together because, in the end, the overall goal is to secure the network better than it was before testing started. Without the teams working together, it is likely the pentesting team may miss something. Another downside of pentesting efforts is that many companies do not have test environments that replicate their operational network and/or online services. As a result, the pentesting teams go after operational networks and services, and this can lead to services and networks going down, which can impact the customer.
With all this in mind, the CTTX takes a different approach: it involves a simulated set of scenarios discussed with the cybersecurity and IT teams of the entity under exercise. The entity under exercise provides a lot of architecture, network, services, and technology write-ups to our CTTX experts. Based on our expertise in creating scenarios, Futures custom-builds scenarios that will help your team identify whether or not they can handle specific attacks. The overarching goal of the CTTX is to “RAISE THE BAR” of the overall cybersecurity, resilience, robustness, and response capabilities of the environment and the teams that keep it operational as well as secure. Teams are brought together in a single venue and everything is walked through. No live attacks are run, and there is no risk of taking operational networks and services offline. In the end, the teams learn about what they have in place, how they will do, and whether or not their response capabilities are sound.
Futures has run many CTTX events for various customers at the Federal Agency as well as corporate levels. These events have been created for single-purpose solutions and for complex networks encompassing thousands of machines. Every single event has been well received and has greatly helped customers improve their overall cybersecurity, resiliency, robustness, and their procedures for handling events. Futures takes great pride in creating scenarios that are realistic and specifically tuned for the environment, and we enjoy working with teams that want to improve their cybersecurity posture. In the end, most of our exercises have helped entities receive additional funding to improve upon what they have. Exercises are very friendly environments, and the scenarios are run as if the attack were really happening. In some cases, the scenarios are not attacks and encompass things that pentesting does not cover. Our team of CTTX experts can pivot scenarios “on the spot” based on “updated information” that may come in while a scenario is being run.
CTTX History
Futures started running CTTX events in 2005. Capabilities quickly expanded and we have used our skills in this area to support Federal Agencies and all commercial customers, including Fortune 100. Over time we have developed a rock-solid template for building scenarios and generating final reports that greatly help the customers. All customers have enjoyed these events, including those whose teams were very hesitant before starting the event. Our shortest events were 4 hours, and our longest event was 5 days long. Length of time depends on the complexity of the environment and the solutions in place. Our largest event covered over 60 scenarios of varying nature, and customer teams got really involved during the discussion period of each scenario.
Strategy
Futures works with the customer during the entire process. While scenarios are not provided prior to the CTTX taking place, we meet with the teams and discuss some of their largest concerns before the event. The strategy is simple: run scenarios that will help the customer identify shortcomings by seeing how an attacker will think and “not play by the rules”.