Red Teaming: A Primer In Conducting An Effective Assessment
Red teaming is easily one of the most exciting topics and engagements anyone working in cyber security will be a part of. It can be eye-opening for companies undertaking a red teaming exercise, especially when it can be demonstrated how easily malicious actors could infiltrate their premises and bypass the security measures they have implemented. Everyone has seen the YouTube videos or read the stories about how specialists have compromised a company by simply walking through the front doors. Quite simply, it can sound like a script out of a Hollywood movie. By industry definition, red teaming is the practice of simulating the actions a malicious adversary would take against an organisation. This tests a very broad attack surface: physical and digital security controls, security policies and processes, and everything in between.
A red team is often a group of security specialists (either internal staff or contractors) who have permission to simulate the actions of an advanced threat actor, such as a corporate spy or nation-state actor. Their primary goal is to breach or compromise a company's digital and physical security by any means necessary within the scope agreed with the client. A blue team is the opposite of a red team: its primary goal is to detect and stop the red team, or a real adversary, from compromising corporate assets.
Red teaming, believe it or not, originated within the military as a way to realistically evaluate the strength and quality of base defences. Since then it has become one of numerous best-practice strategies for putting organisational defences to the test. Red teaming is the modern-day equivalent of role-playing James Bond: red teamers use stealthy strategies and tactics that aim to break down digital, physical and personnel security barriers. Companies generally underestimate the power of social engineering and of exploiting people's kindness and willingness to help strangers. Yes, we know how bad that sounds, but welcome to the cyber security industry, where even the most extroverted, kind-hearted souls can be turned into paranoid introverts.
The strategy behind infiltrating a company will depend on the objectives agreed upon by the client. These objectives can be anything from accessing confidential data from an internal server, gaining access to a high-value target’s mobile device or breaching the physical security of a secure facility.
Generally, red teaming exercises follow this format:
1. Goal Setting
Every red team exercise will be different because not all organisations have the same security requirements. Before you start to indulge in the tactical and deliberate exploitation of the client’s security resources, you will need to engage in dialogue with the client around their current concerns, security goals, potential weaknesses that they have discovered internally, or whether they are just interested in testing their fancy new security system.
While not red team specific, two key questions you should always ask when engaging in security testing work are:
i) What would you consider to be your highest value data or assets, the ones that, if an outsider got hold of them, would leave you seriously worried about the repercussions?
ii) What would happen if serious reputational or revenue damage occurred due to a breach or leak of confidential company and client data?
2. Reconnaissance/Information Gathering
The second phase in formulating your attack strategy will be to collect as much information as possible about the organisation or target. Reconnaissance is one of the most important steps, as information and data will be paramount in determining weak spots. Many public sources are available to begin your research, such as Google, LinkedIn, Twitter, Facebook, Google Earth, Instagram, etc.
Open Source Intelligence (OSINT) tools will also be your best friend during this phase; tools like Sherlock, Shodan, Maltego and Google Dorking will enable you to build a profile on the IT infrastructure, environment, key personnel, physical security controls, foot traffic, terrain, infiltration and exfiltration points. You will be able to use all of these to your advantage. Last but not least, if digital resources fail, you can always hide in the bushes or a cafe across the road with a high-resolution camera (outside of lockdown restrictions, of course).
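One concrete piece of the profile-building described above is turning the names you harvest from LinkedIn into addresses you can phish or spray. The example below is added to this primer and is not code from the original article or from any of the tools it names; it infers the target's e-mail naming convention from a single address found in the open (a leaked document, a mailing-list archive, a press contact) and applies it to the other names. The domain, the names and the known address are constructed sample data.

```python
"""Infer a target organisation's e-mail format from known samples and apply
it to names gathered during reconnaissance.

Added example for this primer (not from the original article). All names,
addresses and the domain below are constructed sample data."""
import re
import unicodedata

# Candidate naming conventions: each maps (first, last) -> local part.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastfirst": lambda f, l: f"{l}{f}",
    "last.first": lambda f, l: f"{l}.{f}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first": lambda f, l: f,
}


def normalise(full_name):
    """Strip accents and punctuation, lower-case, return (first, last).

    Middle names are dropped: the first and last tokens are used."""
    ascii_name = unicodedata.normalize("NFKD", full_name).encode("ascii", "ignore").decode()
    tokens = [re.sub(r"[^a-z]", "", t.lower()) for t in ascii_name.split()]
    tokens = [t for t in tokens if t]
    if len(tokens) < 2:
        raise ValueError(f"need a first and last name: {full_name!r}")
    return tokens[0], tokens[-1]


def infer_format(known_address, full_name):
    """Return every FORMATS key that reproduces known_address for full_name."""
    local = known_address.split("@", 1)[0].lower()
    first, last = normalise(full_name)
    return [name for name, fn in FORMATS.items() if fn(first, last) == local]


def consistent_formats(samples):
    """samples: list of (address, full_name). Keep only formats that fit all of them.

    One sample is often ambiguous (e.g. 'jsmith' fits both 'flast' and, for a
    first name 'J', 'firstlast'); a second sample usually resolves it."""
    common = None
    for address, name in samples:
        matches = set(infer_format(address, name))
        common = matches if common is None else common & matches
    return sorted(common or [])


def generate_addresses(names, domain, fmt):
    """Apply one convention to a list of harvested names."""
    fn = FORMATS[fmt]
    return [f"{fn(*normalise(n))}@{domain}" for n in names]


# Constructed sample data (hypothetical target, not real recon output).
KNOWN_SAMPLES = [("j.smith@example.com", "John Smith"), ("a.lee@example.com", "Ann Lee")]
HARVESTED_NAMES = ["Alice Johnson", "Bob O'Neil", "María García"]


def build_target_list(samples=KNOWN_SAMPLES, names=HARVESTED_NAMES, domain="example.com"):
    """Return candidate addresses, or [] if the samples disagree on a format."""
    formats = consistent_formats(samples)
    if len(formats) != 1:
        return []  # ambiguous or contradictory: collect another known address first
    return generate_addresses(names, domain, formats[0])


if __name__ == "__main__":
    print(consistent_formats(KNOWN_SAMPLES))  # ['f.last']
    for addr in build_target_list():
        print(addr)
```

Treat the output as candidates, not facts: confirm them with a method that does not alert the target (a bounce from a mass mailing is both noisy and a tell), and note that a single sample can match more than one convention, which is why `build_target_list` refuses to guess when the formats disagree.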
3. Initial Assessment and Planning Your Attack
Before you can start the tactical and deliberate exploitation of the client's infrastructure, your main goal is to adopt the mindset and tactics of actual cybercriminals or nation-state actors; thinking like them puts you in a position to identify an organisation's potential entry points and vulnerabilities. Planning your attack involves assessing and analysing the intel gathered during the reconnaissance phase. The planning phase includes creating threat models, initial and alternative plans of attack, planning pretexts, preparing malicious files, trojans, spyware or links, configuring RFID token/card cloners, creating phishing emails and, finally, creating fake (sock-puppet) social media profiles.
Oh, and a very underrated infiltration method for building a believable pretext is to compromise the letterbox of a business. Funnily enough, a scarily large number of letterbox keys for residential and corporate mailboxes can be bought on eBay, alongside key cutting tools. Physical letters, bills and documents from letterboxes (or the dumpster) can additionally provide all sorts of juicy information and attack opportunities, such as understanding vendor, contractor and third-party relationships. Analysing all of the information gathered from reconnaissance is essential to any team crafting believable pretexts and entry and exit strategies because no one wants to fail the mission (or get stuck in an emergency stairwell). Once the weak spots have been identified and how the agreed-upon goals will be achieved, the attack phase of the engagement will begin.
4. Attack
This phase speaks for itself. At this point you should be completely ready to exploit, manipulate and infiltrate the target organisation. If agreed to by the client, launching some cleverly crafted phishing emails at key personnel and performing some social engineering over social media will put you in a good position going forward. Buying some domains similar to the target organisation's beforehand (lookalike or typosquatted domains for phishing and pretext infrastructure) will also be incredibly useful.
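"Similar domains" is usually done by hand a few at a time; the generator below enumerates the common lookalike classes (dropped, repeated and swapped characters, digit and letter-pair homoglyphs, hyphenation, keyword combos and TLD swaps) so the team can pick the most convincing ones for the pretext and the client can pre-register or monitor the rest. It is an added example for this primer, not code from the original article or from any typosquatting tool; `example.com` is a placeholder target and the homoglyph and keyword tables are assumptions you would tune per engagement.

```python
"""Enumerate lookalike (typosquat) domains for a phishing pretext.

Added example for this primer; not from the original article. Assumes a
single-label TLD (example.com, not example.co.uk) and ASCII labels."""

# Visually confusable substitutions (assumed table; extend per engagement).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"], "d": ["cl"],
}
# Keywords users expect to see next to a corporate name (assumed list).
COMBO_WORDS = ["login", "secure", "mail", "portal", "hr"]
ALT_TLDS = ["com", "co", "net", "org", "io"]


def split_domain(domain):
    label, _, tld = domain.lower().rpartition(".")
    if not label or not tld:
        raise ValueError(f"expected label.tld, got {domain!r}")
    return label, tld


def lookalikes(domain):
    """Return {category: sorted list of candidate domains}, target excluded."""
    name, tld = split_domain(domain)
    cats = {k: set() for k in
            ("omission", "repetition", "transposition", "homoglyph", "hyphenation", "combo", "tld")}
    for i, ch in enumerate(name):
        cats["omission"].add(name[:i] + name[i + 1:])
        cats["repetition"].add(name[:i] + ch + name[i:])
        for sub in HOMOGLYPHS.get(ch, []):
            cats["homoglyph"].add(name[:i] + sub + name[i + 1:])
        if 0 < i < len(name):
            cats["hyphenation"].add(name[:i] + "-" + name[i:])
    for i in range(len(name) - 1):
        if name[i] != name[i + 1]:  # swapping identical neighbours is a no-op
            cats["transposition"].add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for word in COMBO_WORDS:
        cats["combo"].update({f"{name}-{word}", f"{word}-{name}", f"{name}{word}"})
    cats["tld"].update(f"{name}.{t}" for t in ALT_TLDS if t != tld)

    out = {}
    for cat, labels in cats.items():
        doms = {lab if cat == "tld" else f"{lab}.{tld}" for lab in labels if lab}
        doms.discard(domain.lower())
        out[cat] = sorted(doms)
    return out


def all_candidates(domain):
    """Flat, de-duplicated list across every category."""
    return sorted({d for doms in lookalikes(domain).values() for d in doms})


if __name__ == "__main__":
    for cat, doms in lookalikes("example.com").items():
        print(f"{cat:14} {len(doms):3}  e.g. {', '.join(doms[:4])}")
    print(len(all_candidates("example.com")), "candidates in total")
```

Availability is not checked here because that needs the network (WHOIS or a DNS lookup per candidate) and, more importantly, a registrar query from the engagement team's infrastructure is itself an artefact the client's monitoring may pick up. The same list has a defensive use: it is exactly what the client should feed into brand-monitoring and certificate-transparency alerts after the engagement.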
Another common attack is vishing. Simply calling the organisation’s service desk and asking to have your password reset is a common pretext. If the service desk follows secure policies, this should not be straightforward, but you will be surprised how often it works.
Penetration testing of external-facing infrastructure is also conducted during this phase; it helps you identify any exploitable vulnerabilities that could be leveraged to pivot into the internal network, particularly where you find webmail or other corporate systems that do not require multi-factor authentication (MFA).
From a physical perspective, it is often more effective to bypass all of the above-mentioned network security measures by gaining access to a physical office location and plugging directly into the network. Using an RFID cloner to duplicate employee swipe cards is very effective, particularly if you fail at simply following somebody into the building and letting them hold the door open for you (tailgating).
Once you are on the internal network, you might want to install a rogue access point or similar drop device that gives you or your remote team backdoor access into the organisation.
Maintaining persistence and avoiding detection by the blue team are important, so take care not to use noisy scanning tools. Bypassing internal client-side security such as antivirus and EDR will require careful planning and the development of custom software implants.
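"Noisy" is worth making concrete. A default fast scan hits every port of every host in order, at full speed, and often follows up with banner grabs; the added example below (written for this primer, not code from the original article or from any scanner) shows the opposite discipline: one TCP connect per port, nothing sent on the socket, randomised order and a jittered pause between probes. To run offline it opens its own loopback listener and a bound-but-not-listening socket as the "closed" port; the delays are shortened for the demo, where a real engagement would use seconds to minutes.

```python
"""Low-and-slow TCP connect probe with randomised order and jitter.

Added example for this primer (not from the original article). Demo targets
are sockets the script opens on 127.0.0.1 itself; delays are shortened."""
import random
import socket
import threading
import time


def probe(host, port, timeout=1.0):
    """One full TCP connect, then close. Sends no data (no banner grab)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def quiet_scan(host, ports, min_delay, max_delay, rng=None):
    """Probe ports in shuffled order with a random pause after each probe.

    Returns the sorted list of ports that accepted a connection."""
    rng = rng or random.Random()
    order = list(ports)
    rng.shuffle(order)  # no ascending sweep for a detection rule to key on
    found = []
    for port in order:
        if probe(host, port):
            found.append(port)
        time.sleep(rng.uniform(min_delay, max_delay))
    return sorted(found)


def _loopback_listener():
    """Throwaway listener so the demo has a known-open port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return  # listener closed

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port; return what was found."""
    srv, open_port = _loopback_listener()
    closed = socket.socket()
    closed.bind(("127.0.0.1", 0))  # bound, never listen()ed: connects are refused
    closed_port = closed.getsockname()[1]
    try:
        found = quiet_scan("127.0.0.1", [open_port, closed_port],
                           min_delay=0.01, max_delay=0.05, rng=random.Random(1))
    finally:
        srv.close()
        closed.close()
    return {"open": found, "expected": [open_port], "closed_port": closed_port}


if __name__ == "__main__":
    print(demo())
```

Slowing down reduces the volume of events, not their existence: every successful probe is still a complete handshake that shows up in NetFlow, host firewall logs and EDR network telemetry. The blue-team counterpart is therefore a rule on the count of distinct destination ports per source over a long window rather than per second, and a mature team will also have that.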
Once infiltration has been established via either method, a red team will then attempt to escalate access privileges and navigate their way to the agreed-upon objective.
5. Analysis and Reporting
The final phase of a red team engagement is compiling and analysing all the information extracted during the mission. Depending on the goals initially agreed upon, the red team correlates its findings and evidence to show the client where security gaps were identified, how those gaps were exploited and, most importantly, what the client needs to do to remediate them so a real attacker cannot do the same thing.
Included in the final report will be all the reconnaissance conducted, itemising the photos, audio clips, videos, outlining the attack plan, methods used to extract sensitive data during the attack phase, technical details of the IT vulnerabilities and physical barriers exploited and recommendations on how to remediate the weaknesses, alongside any other gems found along the way.