NCC Group’s Exploit Development Capability: Why and What

[Editor’s note: Originally published by Ollie Whitehouse on the original nccgroup.com blog in 2018.]

tl;dr

NCC Group develops exploits against publicly known bugs for use in our red-team and penetration testing engagements, which also allows us to stay current on exploit techniques. The former gives our clients a real-world view of how compromises happen; the latter allows us to give pragmatic, up-to-the-minute experience on exploit mitigations and the level of resilience they provide.

History

In early 2014, while supporting a customer onsite far from home, we came to the realization that we needed an enhanced capability to bring more value to our clients during red team engagements.

This realization was, in essence:

‘To be truly world class at red teaming and penetration testing we need to be able to qualify and exploit vulnerabilities that other consultancies can only talk about in terms of likelihood and risk’

The business case was developed in March and later that year approved. In November, the inaugural member of the Exploit Development Group was employed.

It’s about the force multiplier and demonstrating impact

At NCC Group we have over 850 security professionals, the vast majority of whom are delivering technical security consulting services to clients. A significant proportion of this contingent are delivering red teaming, penetration testing and phishing simulation services. This is full stack work in all facets of hardware and software through to operations.

In short, gone are the days when exploit development meant smashing the ‘a’ key, getting control of EIP and being done. Exploit development in 2018 is significantly more involved, in both the knowledge and the time investment required. Consultants delivering red team engagements do not have the time to evaluate and develop custom, real-world reliable exploits.

Furnishing our teams with an engineering team that is capable of producing exploits for vulnerabilities significantly increases the value provided to our customers, without impacting the coverage the red team members can accomplish. We are as a result able to demonstrate the art of the possible along with the impact of the vulnerabilities in their systems. This converts lifeless CVEs with CVSS scores into fully functional (and leverageable) avenues into the client’s environment to help assess their resilience.

Delivering this type of capability requires a specially skilled, trained and focused team. The result was that NCC Group created a team to provide engineering support to our consultants: the Exploit Development Group (EDG).

It isn’t about zero-days – it’s about old-days

At this point it is important to point out that we do not mine or hoard an arsenal of weaponized zero-days. This, from both a corporate-risk and a safety-of-the-Internet perspective, would be dangerous and arguably irresponsible.

Rather than cultivate zero-day exploits, EDG focuses on published vulnerabilities for which there are patches but no public exploits. Private exploits are necessary to avoid endpoint protection, and in cases where the public ones are unreliable or simply do not exist. It is these issues that customers are most interested in understanding: whether they are exploitable and what leverage they would provide into an environment. They are also what our consultants wish to take advantage of, as opposed to throwing down the zero-day card.

There are some exceptions, such as one case where, during exploitation work on an existing vulnerability, a new zero-day was found. The affected vendor was informed when we confirmed the bug, and in parallel the exploitation work continued. However, the new exploit was not made available to the consultants until the vendor had issued their patches.

EDG also provides tactical support to consultants where they think they may have found a new vulnerability and need help within a client’s engagement scope. EDG is a knowledge centre for software exploitation techniques, and is thus called on to support various client engagements to see whether, within the engagement, we can demonstrate exploitability.

The team also provides a blend of internal consultancy and support whilst producing tooling. It has various goals around the publication of research as well, the results of which you can see in their blogs, papers and presentations.

Our ethos: it is quite simple

The EDG ethos is:

  • Support the consulting workforce
  • Follow responsible disclosure practices for any new vulnerabilities
  • Provide value to our consumers
  • Produce easy to use and reliable exploits
  • Publish great research

Has the experiment worked?

The team continues to grow, has taken secondments in from the business, and there is always more work than resource.

Has the capability yielded? Yes, quite clearly. The small print is that it is a big investment in terms of both money and time. However, the returns to us, at least as a business, are clear by both quantitative and qualitative measurement.

My opening position, that to have a world-class red team and penetration testing capability (not vulnerability assessment) in 2018 you need a knowledge centre able to deliver world-class exploits once you reach a certain size, remains as true today as it did in 2014.

EDG has been able to demonstrate the exploitability of bugs people thought theoretical, as well as show why certain bugs are not exploitable despite the CVSS score indicating otherwise. We have shown some vulnerabilities that the community would have you believe are world-ending to have significantly less impact than thought. These outputs all result in clients being provided the evidence they need to focus their efforts in order to drive real change and thus, ultimately, value.

Finally Wassenaar

Don’t get me started…