INTELLIGENCE LED TESTING (STAR)
Simulated Target Attack Response (STAR) is an approach to security assessment that was created by CREST. STAR assessments are a technical approach to support organisations understand what their risks are from Cyber.
STAR Threat Intelligence
Nettitude is a CREST STAR approved Threat Intelligence (TI) Provider, delivering in-depth assessments for clients across the globe. STAR engagements commence with a comprehensive STAR Threat Intelligence assessment of the likely threats that are relevant to an organisation. This includes reviewing:
- Geopolitical Threat Intelligence
- Human Intelligence
- Technical Intelligence
- Open Source Intelligence
- Closed Source Intelligence
Request a free quote
What is the purpose of this test?
This assessment will help to identify the organisation’s digital footprint and will review relevant data associated with social media, code repositories, the supply chain and any associated clients. As part of a STAR Threat Assessment, Nettitude reviews threat actors that have been known to be targeting the organisation directly, targeting their industry, the geographies they operate within or the supply chain that they engage with. This approach, results in a comprehensive report that provides detailed guidance about the organisations unique cyber threat footprint.
Once the intelligence backdrop has been extensively reviewed, a series of test scenarios are created. These test scenarios focus on providing test plans that can be leveraged by a STAR Threat Intelligence provider. These test plans provide the following deliverables:
- Details of threat actors that are known to be targeting similar types of organisations
- Geopolitical assessment of these threat actors modus operandi
- Classification of threat actor according to anticipated level of sophistication
- Details of the motivations and goals for the relevant threats
- Details of the targets that and objectives that threats are known to pursue
- Known TTPs for each threat actor
- Open Source and Technical intelligence assessment so as to measure and quantify the attack surface
- Creation of actionable threat led test scenarios for use by a red team
Main Components Of A Star Assessment
STAR assessments are broken down in to 3 components.
1. A STAR Threat Assessment
2. STAR Targeted Attack Assessment
3. Incident Response Maturity Assessment (IRMA)
STAR assessments are similar to red team engagements as they are focused on depth of assessment, and determining whether a specific objective can be achieved. They leverage the concepts of red teaming, however STAR assessments are designed to simulate known threat actors and their associated Techniques, Tactics and Procedures, (TTPs).
STAR Threat Assessment
STAR targeted attack engagement reflect some of the most sophisticated approaches to cyber security assurance available within the market today. The STAR framework was created by CREST to enhance existing Intelligence led red teaming in a manner that could be used to mimic known threat actors. In many instances, threat actors are known to have defined modus operandi, and have known Techniques, Tactics and Procedures. STAR targeted attack engagements are designed to help organisations understand whether a specific threat actor could be successful in achieving their known or stated objectives. STAR assessments are objective focused, meaning that they focus on determining whether a specific threat actor can achieve their goal. As a consequence, STAR engagements will provide deep assurance for an organisation, as opposed to wider assurance that could be delivered from vulnerability assessments or penetration testing.
The key elements of a STAR targeted attack engagement include:
- Help an organisation measure their depth of defence and depth of response
- Identify the vulnerabilities that a threat actor could exploit to achieve their goal
- Deliver assurance against probable threats, as opposed to assuring against possible threats
- Intelligence led methodology
- Focused on determining whether a specific objective can be achieved
- Simulate known threats
Penetration tests differ from STAR engagements and red teaming engagements, as the former is usually focused on identifying all exploitable vulnerabilities within a defined scope. Penetration tests do not focus on achieving a specific objective and consequently do not provide assurance on whether a specific threat actor could achieve their overall goal.
STAR Targeted Attack Assessment
An organisation’s attack surface will usually cover people, process and technology. It will also include direct organisational elements as well as indirect components introduced through the customer base or through the supply chain. All of these components marry together to form something known as an attack tree. The concept behind this is that each branch, and twig represents a separate path that an attacker could take to reach a leaf. The leaf in this instance is analogous to the attacker’s goal.
Within a tree, there are hundreds and thousands of routes through to a leaf, however some routes are easier to traverse, and some routes have greater probability of getting to a leaf than others.
When a threat tree is meshed together with threat actors modus operandi, goals, motivations and TTPs, it is possible to generate a probable attack path (based upon evidence) that the attacker is likely to pursue to achieve their objective.
STAR engagements are designed to support organisations deliver assurance against probable attack paths, resulting in a much more focused and accurate form of assessment. During a STAR engagement, Nettitude simulates probable attack paths, based upon threat intelligence briefings as opposed to a never-ending assessment that continually iterates through every possible attack trajectory.
Incident Response Maturity Assessment (IRMA)
Organisations have historically focused on defensive security and have less robust approaches to delivering assurance around their detection and response capability. More often than not, organisations try to address detection and response by implementing a SIEM appliance or a SOC, without tuning it to the attack paths that are pursued by their adversaries. STAR engagements are designed to help organisations deliver greater levels of assurance around their detection and response capabilities. By performing an Incident Response Maturity Assessments (IRMA), Nettitude measures the organisations effectiveness of detecting the TTP’s and attack paths of likely threats and adversaries.
Nettitude has delivered STAR engagements for some of the most sophisticated organisations in the world. Nettitude is one of only a handful of elite organisations to be both a CREST accredited STAR TI provider as well as a CREST accredited STAR Attack provider. This unique capability allows us to deliver end to end threat-led attack simulations, delivering unique value to the board.