Like most days, social media is flowing with opinions, perspectives, ego and testosterone 🙂
The most recent discussions that have sparked my interest have been those around what is, or in many cases isn’t, considered to be accurate or real simulated testing.
Like others I have my opinion on what this means to me and I don’t want to go into all the details of my opinions, approaches or theories here, but I wanted to make a couple of observations that I think are primary to the boundaries that exist in the world of simulated testing. I am not focusing on any specific part of simulated testing, but obviously in the context of things here I gravitate to the human elements associated with social engineering.
So here are my two main points. Point one: no simulated testing is ever going to fully replicate the real adversary, as if it does then now you’re the criminal also. Point two: a very select few outside of the real adversarial groups / gangs really know, with suitable detail, the TTPs used to allow full replication in a simulated scene.
No doubt some of you just spat your drink, cursed at the screen and crossed me off your Christmas card list, but let me briefly clarify my thinking. The one thing that should separate a simulated vs real adversary should be the ethical boundaries they constrain themselves with. This should balance pushing the boundaries to their limit to replicate the real activities, but restrained, to the point that you are an employee or service provider to an organisation, and as a result there are lines that shouldn’t be crossed, as the personal damage could be substantial. A simple example could be that the real adversary sends emails and makes phone calls to the CEO of the company, making threats about family members to influence decision making. Sure, you could do this in a simulated environment, but then when it’s communicated that it wasn’t for real, that it was to test how people handle an adversary, the damage is already done; the emotional turmoil has occurred and cannot be undone.
The second point I make is that, no matter how good an intelligence function may be, or what’s read in the media, the information is typically based on what’s been discovered to date, hearsay or some other theory. The reality is that, aside from the adversary themselves, no one knows the full extent of their tools, tactics and procedures, so this is why I don’t believe anyone can claim to fully simulate anything. Instead, it’s more pragmatic to utilise the information, tools and techniques to push the boundaries to suitable levels within the ethical levels acceptable to the individuals conducting the work and those who are on the receiving end and/or approved to authorise them.
Like everyone else on the Internet, this is just my opinion. I don’t think there is a one size fits all, and some approaches and appetites may deliver more value than others, but without ethics and without boundaries things become a darker shade of grey.