CBHS Protects Their IT Crown Jewels by Proactively Executing Attack Vectors
CBHS NEED:
CBHS required an Annual Offensive Security assessment to proactively identify ways to uplift CBHS’ cyber and physical security capabilities.
SOLUTION:
As part of an annual testing program alternating between Red Teaming and Penetration Testing, Sekuro was engaged by CBHS in late 2023 to perform a Red Team (a goal-based Adversarial Attack Simulation including spear-phishing campaigns, external reconnaissance and OSINT of CBHS’ internet facing perimeter, and a Physical Security exercise) on the CBHS security defences and their head office.
OUTCOMES:
CBHS were able to refine their Zero Trust maturity and security defences based on the Red Team assessment findings and recommendations, providing further protection to their sensitive data. All remediation areas have been or are being addressed with support and reinforcement from CBHS Leadership Team and Board.
Proactive and Cyclical Assessment of CBHS’ Cyber Defences
CBHS Health Fund is a long-running, Australian not-for-profit private health insurance fund committed to delivering the highest value policies to safeguard their members’ health and well-being. They have been serving their members (now over 235,000) for more than 70 years. Being an APRA-regulated entity with statutory requirements for Information Security (CPS 234) and Managing Data Risk (CPG 235), CBHS upholds stringent security and risk protocols, embedded into their culture.
In late 2023, CBHS contacted Sekuro to perform a Red Team Exercise targeting its technology security ecosystem, staff and their physical head office to determine the organisation’s business resilience against the latest attack Tactics, Techniques and Procedures (TTPs).
A predetermined set of objectives was agreed between CBHS and Sekuro prior to the engagement. The intention of the project was to identify weaknesses within current security controls, and to evaluate staff awareness, security detection, response and active mitigation capabilities.
IT ALL STARTED WITH ZERO TRUST
CBHS chose Sekuro to perform the recently concluded Red Team exercise on merit earned from an earlier engagement developing a Zero Trust Strategy. The Zero Trust Assessment led directly to the implementation of proactive controls such as the enhancement of employee-based Multi-Factor Authentication (MFA), additional identity logging, and an outbound cloud email solution to uplift CBHS’ defence capabilities against email threat vectors.
It was 2-3 years ago now that we undertook a Zero Trust Assessment with Sekuro, which gave us a program of actions to guide our cyber security strategy for the coming years. We have been continuing to work through addressing those Zero Trust gaps identified, and check-in annually with Lee Roebig (Sekuro’s Customer CISO and Director of the Strategy and Architecture team).
Sekuro was the partner of choice in this instance as we have had successful previous and ongoing positive engagements with the team and know they have the skills and resources to support us with the Red Team engagement. Additionally, Sekuro’s consultants and engineers have expertise not only across Penetration Testing and Red Teaming, but across the whole security paradigm, such as Cloud Infrastructure and Zero Trust.
Indeed, Sekuro has in the past provided improvements to our security controls which other security vendors hadn’t, which is a solid validation of CBHS’ rotating, multi-vendor approach to our security programs.
Nathan Hunter,
IT and Security Operations Lead at CBHS
PROJECT SCOPING AND APPROACH
To conduct the Red Team, Sekuro executed:
Three variations of spear-phishing attacks, with targeted emails to approximately 20 users per campaign in an attempt to gather credentials and subsequently attempt to access the CBHS internal environment
Open-Source Intelligence Gathering (OSINT) to determine CBHS’s external security posture
Physical Reconnaissance to attempt to gain unauthorised access to the CBHS physical head office
Sekuro Managing Consultant and Project Lead Steven Knight explained, “It was interesting to be able to assess and try to overcome incumbent vendor detections and safeguards, but also provide the perspective to CBHS of what an adversary could do, and the attack paths they could take, rather than simply trying to bypass the implemented security measures.”
Sekuro leveraged selected TTPs mapped to the MITRE ATT&CK framework in combination with Living Off The Land (LOTL) techniques, to maintain anonymity and stealth – key cornerstones of a successful Red Team Operation. LOTL techniques involve creative use of the native tools and processes available on an operating system to masquerade malicious activities as seemingly ‘normal’ activities, thereby reducing the overall likelihood of automated tool-led or manual intelligence-led investigation by the Blue Team. This involved chaining of specific vulnerabilities that would potentially allow Sekuro access to internal applications.
Knight said, “It was an insightful engagement, and proved beneficial from Sekuro’s perspective because we had to approach it with a completely different mindset due to the use of effective security controls within the environment. Sekuro leveraged LOTL techniques and emulated a standard CBHS user in an attempt not to trigger the existing security measures implemented by CBHS. Therefore, our approach and client recommendations were aligned towards detecting stealthy intrusion attempts and lateral movement.”
OUR PARTNERSHIP APPROACH
Martin Narvaez, Enterprise Account Director at Sekuro, observed “CBHS has a really mature approach to cyber security. They have such a positive lens to security that extends beyond a minimum compliance check. CBHS were able to come to the table and partner with Sekuro where they were able to clearly articulate a future roadmap, which enabled us to provide a pathway to get them there.”
“In addition to our Offensive Security team, Sekuro’s Technology, Platforms and Engineering team had also been engaged with CBHS on vendor solution implementation and optimisation services.” Knight explains, “We have offered our services to CBHS from both an audit and implementation perspective, by collaborating with our engineering team on potential security risks and bypasses, thereby obtaining a deeper understanding on how a particular solution can be configured more securely.”
On the partnership with Sekuro, Hunter says, “Martin and I talk once a quarter at a minimum. Sekuro is embedded in our environment due to our close collaboration in the past. This as a direct result has helped in expediting the scoping for ongoing projects.
“Sekuro is one of a select group of security partners we reach out to whenever we have any kind of problem we’re trying to solve. We come to Sekuro because we trust that they have the expertise, and we can have a genuine conversation about resolving our challenges, contextualising our needs and aligning with the products and toolsets that we already have. They won’t simply pitch us products because they have incentives or partnerships with certain vendors, they have helped us define our Zero Trust Strategy, and are authentic about helping us on this journey.”
Narvaez adds, “Our aim is to lead with authenticity and provide our customers with pragmatic advice consistently. This often involves providing constructive feedback and telling things like they are.”
“Yes, not every conversation is straightforward,” reinforces Hunter. “We know when Sekuro is providing constructive feedback, they have a view to improve things for better outcomes. This has been great for CBHS, as it has given us the confidence that when we do get a product or service recommendation from Sekuro, it’s not a biassed viewpoint and is based on what our environment truly needs.”