HYACINTH-WFH

The Need of Hyacinth

Hyacinth was created to solve the challenges organizations face when detecting new and advanced cyber-attacks from various threat groups.

Unlike traditional traffic-based simulators used to test SOC environments, Hyacinth emulates malware or malicious behaviour on the endpoint itself using an agent. This makes the red-teaming exercise as realistic as possible, helps audit SOC deployments, and checks readiness to handle sophisticated attacks.

Real-life attacks are performed without any side effects from the malware used for the exercise.

Everything from malicious links to advanced malware, including malicious behaviour by employees, can be emulated through Hyacinth, which makes it a truly robust and advanced tool for testing your defences against cyber-attacks.

Adversary Emulation with Hyacinth

Hyacinth: Automatic Adversary Emulation Platform

Hyacinth is an automatic adversary emulation tool that simulates attacks on your internal network using a variety of tactics and techniques defined in the MITRE ATT&CK matrix. It performs post-compromise adversarial behaviour inside your organization’s network to test your security controls.

Key Features List:

  • Completely automatic
  • Decision engine to choose exploits
  • Cross-platform
  • Modern exploits as seen in the wild
  • Runs on single or multiple machines
  • Customizable to set up your own scenarios
  • Ability to upload custom exploit scripts
  • Seamless updates and support
  • Complete logs and reports showing how the attack was performed

Most Popular Use Cases:

1. Ransomware attack Emulation and Protection

Hyacinth emulates real-life ransomware attacks with advanced features such as polymorphism and anti-virus detection bypass, without causing any harm to system files. This is done by targeting a single directory or group of files created specifically for the exercise.

Unlike traditional traffic-based simulations, Hyacinth deploys real malware without side effects. This ensures the technologies and processes in place are up to the mark, and that gaps are identified immediately and closed.
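A defender-side view of the canary-directory approach described above, as an added example that is not part of the Hyacinth product: a small monitor that watches file events confined to a directory created for the exercise and raises an alert on a burst of renames or high-entropy overwrites, the two behaviours an encrypting payload cannot avoid. The `FileEvent` structure, the `C:/canary` path and the sample events are constructed for illustration.

```python
import math
from collections import Counter, deque
from dataclasses import dataclass

@dataclass
class FileEvent:
    ts: float          # seconds since the start of the capture
    op: str            # "write" or "rename"
    path: str          # full path of the file touched
    data: bytes = b""  # content written (only meaningful for "write")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_ransomware(events, canary_dir, window=10.0, min_hits=5, entropy_min=7.0):
    """Count renames and high-entropy writes confined to canary_dir in a sliding
    time window; return one alert string per burst of at least min_hits events."""
    alerts, recent = [], deque()
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.path.startswith(canary_dir + "/"):
            continue   # activity outside the canary directory is ignored
        if ev.op != "rename" and not (ev.op == "write" and shannon_entropy(ev.data) >= entropy_min):
            continue
        recent.append(ev.ts)
        while ev.ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= min_hits:
            alerts.append(f"t={ev.ts:.1f}s: {len(recent)} rename/high-entropy events "
                          f"within {window:.0f}s under {canary_dir}")
            recent.clear()   # one alert per burst
    return alerts

# Constructed sample events (not captured from a real system).
CANARY = "C:/canary"
ENCRYPTED = bytes(range(256)) * 16   # uniform byte distribution: entropy exactly 8.0
TEXT = b"quarterly report draft, do not distribute\n" * 64
ATTACK_EVENTS = (
    [FileEvent(0.5 * i, "write", f"{CANARY}/doc{i}.docx", ENCRYPTED) for i in range(4)]
    + [FileEvent(2.0 + 0.5 * i, "rename", f"{CANARY}/doc{i}.docx.locked") for i in range(4)]
    + [FileEvent(1.0, "write", "C:/Users/alice/notes.txt", TEXT)]
)
BENIGN_EVENTS = [FileEvent(float(i), "write", f"{CANARY}/doc{i}.docx", TEXT) for i in range(8)]

if __name__ == "__main__":
    print(detect_ransomware(ATTACK_EVENTS, CANARY) or "no ransomware-like activity")
```

Thresholds are deliberately simple; in practice the entropy cut-off should be calibrated against the real file types placed in the canary directory.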

2. Detecting Insider Fraud or Lateral Movement Attacks

If an attacker is already inside and trying to move laterally, or an insider is trying to gain privileges maliciously, they will have to perform certain actions and run commands or payloads to achieve this. Traditional logging mechanisms and detection tools may not be able to detect these kinds of attacks.

Hyacinth can emulate such attacks to check whether the security tools in place are sufficient to detect and respond to them.

3. Crypto Miner

Several threat groups take advantage of web application or network vulnerabilities to inject crypto-mining payloads into servers or ordinary computers in order to mine Bitcoin or other cryptocurrencies.

Hyacinth can emulate crypto-mining payloads that connect to a malicious host as well as to mining pools, emulating mining activity. A good EDR or AV should be able to recognise the behaviour of this payload as mining and stop or quarantine it.

4. Malicious bots or C&C

Hyacinth can emulate malicious communication to known and unknown C&C networks. A good threat intel feed and SIEM alerting mechanism should be able to detect such communication and report it.
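The kind of SIEM logic the crypto-miner and C&C use cases above are meant to exercise, as an added example that is not part of the Hyacinth product: it parses a connection log, flags source/destination pairs that check in at a nearly constant interval (beaconing) and lists connections to ports associated with mining pools. The log format, the addresses and the `MINING_PORTS` list are constructed placeholders.

```python
import re
import statistics
from collections import defaultdict

# Constructed connection-log sample (not real traffic), one "<epoch> <src> <dst> <dport>" per line:
# 10.0.0.5 checks in with 203.0.113.7 roughly every 60 s; 10.0.0.8 talks to a pool-style port.
CONN_LOG = """\
1700000000 10.0.0.5 203.0.113.7 443
1700000060 10.0.0.5 203.0.113.7 443
1700000120 10.0.0.5 203.0.113.7 443
1700000181 10.0.0.5 203.0.113.7 443
1700000240 10.0.0.5 203.0.113.7 443
1700000300 10.0.0.5 203.0.113.7 443
1700000013 10.0.0.8 198.51.100.20 3333
1700000007 10.0.0.5 192.0.2.10 443
1700000901 10.0.0.5 192.0.2.10 443
1700004321 10.0.0.5 192.0.2.10 443
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")
# Placeholder set of ports seen on stratum mining pools; replace with your own threat intel.
MINING_PORTS = {3333, 4444, 5555, 14444}

def parse_conn_log(text):
    recs = []   # (timestamp, src, dst, dport); malformed lines are skipped
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            recs.append((int(m[1]), m[2], m[3], int(m[4])))
    return recs

def find_beacons(recs, min_conns=5, max_jitter=0.1):
    """Flag src->dst pairs whose inter-connection gaps are nearly constant
    (coefficient of variation <= max_jitter), the hallmark of a C&C check-in.
    Returns {(src, dst): period_in_seconds}."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in recs:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue   # too few connections to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[pair] = round(float(mean), 1)
    return beacons

def find_mining_pool_conns(recs):
    """Connections to mining-pool ports: candidate crypto-miner traffic for the EDR to confirm."""
    return sorted({(src, dst, port) for _, src, dst, port in recs if port in MINING_PORTS})
```

Real beacons add jitter and sleep, so production rules usually widen `max_jitter` and combine the period score with destination reputation rather than alerting on periodicity alone.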

Deployment Mechanism

Hyacinth emulates different cyber-attacks through an agent running on the customer’s endpoints; the agent both emulates the attack and detects and records the actions performed by the payload or attack technique.

Ideally, the agent should be installed on at least 10% of the total assets in the infrastructure for adequate coverage.

Flexible Deployment Options

The Hyacinth management console can be deployed in the cloud or on-premises. With the on-premises appliance, customers run a quick install script that sets up Hyacinth and makes it available to anyone authorized via a single console. The agent is served from the same server and can quickly be deployed on any system that needs to be tested.

Work From Home Attack Simulation

Problem Statement

Due to the recent pandemic, all organizations enabled work from home for their employees in a very short span of time. Implementing VPN for such large numbers of users and enabling connections through BYOD or company laptops has certainly increased the risk of a breach. The following issues might have been overlooked by organizations in the urgency of restoring operations.

  • Threats on or from the client-side environment (BYOD or company laptop), which might be connected to an insecure home router or carry a backdoor installed by an attacker.
  • Threats to perimeter firewalls, the internal network and applications due to poor VPN implementation.
  • Threats to the internal network due to vulnerabilities in remote-connection applications (Webex, Cisco meeting apps, etc.).

Solution: “Work From Home” Attack Simulation

BYOD Systems

Background: Since the user owns the hardware and software and has administrative access, he/she can manipulate any software, driver or firmware, or let an attacker modify it via malware.

In that case the BYOD device can act as an entry point for an attack or as an exit point for data exfiltration.

All types of attacks listed below will be tested on BYOD systems.

Company Owned Systems

Background: Since company-owned systems will not grant administrative access, we will create scripts that do the work for us. All attacks mentioned above for BYOD systems will be launched on these systems using techniques that do not require installing any new programs such as scripting tools. The attacks will be carried out using the following scripting languages available by default on the Windows platform:

  • PowerShell scripting
  • VBScript
  • Macro scripting
  • Batch scripting

Approach

Currently Qseap has 50+ scenarios related to VPN, remote connections and work-from-home attacks. The following diagram provides an overview of the assessment approach: