The DEMONS acronym stands for Dynamic Engagement Methods for Operative Networks and Systems. As with all CASA assessment methodologies, the goal of DEMONS is to identify vulnerabilities and recommend mitigations for improved security. “Dynamic Engagement” means that, in a DEMONS assessment, team members behave like attackers, testing the system directly with the latest adversarial tactics, techniques, and procedures (TTPs.)
The DEMONS methodology includes the following activities:
- Scan and profile the system under test
- Research adversarial TTPs
- Develop tools and attack cases
- Updating system model with test results
The team conducts its activities on the live target system, seeking to exploit vulnerabilities and demonstrate their impact in real time. These impacts include the ability to pivot through a network and compromise other systems while remaining undetected. The team’s work is carried out with the permission and advance knowledge of the system’s owner, but not necessarily its operators.
Like professional thieves casing a jewelry vault, DEMONS assessors prepare for an engagement with intense focus on understanding the target system and its security protections. Depending on the sponsor’s needs and goals, the team may conduct this reconnaissance strictly on its own, or it may use documentation shared by the system owner to save time and budget.
This information gathering continues to reshape the team’s activities throughout the assessment, even as live testing of the system is underway. The team uses results from the TTP testing to revise its understanding of the system and find new weaknesses and develop new attack paths.
“Be like water making its way through cracks. Do not be assertive, but adjust to the object, and you shall find a way around or through it.” – Bruce Lee