You will receive a deployment command along with an Agent Behavior Report, which will contain everything you need for testing.
Run the deployment command, which will temporarily compromise the host. The compromised host will then conduct a series of actions and exit upon completion.
Use your environment's network and endpoint telemetry to build out a profile containing the Intrusion Agent's actions.
Compare the agent profile built by your team against the Agent Behavior Report in order to identify gaps in detections. Re-run the deployment command ad-hoc to redeploy the agent against your updated defensive configurations to verify remediation.
An intruder gains access to your internal environment, performs any number of malicious acts within it, achieves its objective, and stealthily withdraws. After the intrusion is discovered, you’ll (at a minimum) need to answer these important questions:
Intrusion as a Service is specifically designed not only to help you answer these questions but also to bring substantially greater confidence and precision to those answers. It allows security programs to evaluate the specific threats that can be observed and/or detected, all at a much smaller scale than a penetration test or red team assessment.
Each month, you will receive a new Intrusion Package containing a deployment command and an Agent Behavior Report. After you receive the Intrusion Package, you simply need to run the deployment command in order to briefly compromise the system. The agent will become active on your system and conduct a variety of actions. Upon completion of its tasks, the agent will automatically remove itself from your system.
After the agent completes its tour of your system and/or environment, you will evaluate what you were able to observe, not only on the immediate system, but also within the entire network (if applicable). Once you have collected all of your observations, it’s time to review the Agent Behavior Report, which explains every task that the Agent performed. Comparing your evaluation & observations with the Agent Behavior Report will reveal which of the agent’s activities were identified and which went undetected.
Throughout the month in which you receive each deployment command, you will be able to re-run that deployment command ad-hoc to fine-tune your team’s detection capabilities. At the beginning of each subsequent month, you will receive a new Intrusion Package, which will deploy a new agent that performs new actions.
While the Intrusion as a Service offering doesn't replace a penetration test or red team, it can help your team begin or continue to develop robust detections and test the human process to interpret incoming telemetry.