Towards improved offensive security assessment using counter APT red teams






Towson University. Department of Computer and Information Sciences




There are no restrictions on access to this document. An internet release form signed by the author to display this document online is on file with Towson University Special Collections and Archives. Copyright protected, all rights reserved.



Defending against cyber criminals, cyber warfare and cyber terrorism all depends on mitigating the motivated advanced persistent threats (APTs) that carry out such campaigns. The only proactive solution capable of addressing these threats is emulation of those actors by ethical hackers during offensive security assessments such as penetration testing and red teaming. Many security industry vendors label their products or services as addressing APTs; unfortunately, there is no agreed-upon standard for the processes, tradecraft or techniques involved in doing so. Academic efforts regarding APTs largely focus on reactive monitoring or on automated assessments that simulate known attack sequences and do not necessarily represent realistic future attacks. This dissertation aims to provide a standard for addressing APT attacks through counter-APT red teaming (CAPTR teaming). The CAPTR team concept builds upon traditional red team processes to augment the offensive security assessment process, giving security practitioners a level playing field on which to engage and mitigate the threats and vulnerabilities most likely to be leveraged by APTs. Such an assessment counters the outcome of an APT breach by prioritizing the vulnerabilities that would let an actor compromise the data most important to an organization: it begins locally at those critical items and pivots outward to the points an actor would use for access and exfiltration. When an organization identifies critical items whose loss would be unacceptable, those items should be protected as if an actor, regardless of motivation, were intent on compromising them. Identifying and protecting critical items through offensive security assessments that originate at those positions is a more efficient approach, and one more capable of mitigating the impact of an APT breach.
In a threat landscape of hyper-focused actors, it is the responsibility of the security field to provide an equally focused assessment solution that goes beyond the attack simulations of traditional penetration tests or red team engagements. This dissertation establishes the need for and novelty of the CAPTR teaming concept and validates the assessment paradigm through experimentation as well as case study.