Red Teaming @ 10000 Feet

Red Teaming @ 10000 Feet

by David Evenden


There are many articles/books that are pro-Red Teaming, but I haven't seen many that give a very high level on how to organize/run a Red Team. I have some pretty in depth experience on being part of a Red Team, and will share my knowledge here, but let me start by saying that there is really no right answer here. Many teams look different and that's of course OK. There is no real right answer, only functional teams.

Rules of Engagement

Developing a solid ROE for your team is going to be step one. If you are operating on an internal Red Team, you might have two ROEs, one that governs your daily operations by the #infosec staff (let's call that a general ROE), and then an ROE document for each engagement your team performs (let's call that an engagement ROE). You'll want to ensure the ROE signed by your direct management covers all areas of what you're allowed to do internally. This should also be signed by the person giving you authority to operate. This will protect you in the event something goes wrong and things turn into a 'he said/she said' situation where it is being claimed you didn't have authority to perform specific tasks.

The ROE should cover, but is not limited to, the following areas:

Hacker Methodologies

This section is included in case you're just getting started. Without understanding the processes and the methodologies, some of the other sections below might not make sense.

No alt text provided for this image
  • ReconReconnaissance is the act of performing open source research of publicly available intelligence, also know as OSINT, for the purposes of learning more about the target. This can range anywhere from target infrastructure, to personnel information, and email addresses.
  • TargetTargeting can actually take place before, during, or after reconnaissance; it just depends on the function the specific organization.
  • Before Recon: This is often used to develop the "victim" of an operation. In real world hacking scenarios victims are often determined by geopolitical circumstances or critical/proprietary data of high monetary value.
  • During Recon: This is simply narrowing the scope of critical assets that are discovered during the Recon phase.
  • After Recon: This is often mapping critical assets within scope to potential exploitable vulnerabilities.
  • BreachBreach is the act of obtaining initial access. This can be performed via exploiting externally hosted infrastructure, a successful social engineering phishing campaign, or the results of a close access operation where the attacker was able to run commands or code on a victim machine via close proximity to the device.
  • PersistenceOnce initial access is obtained operators will often install a method to regain access to the network so that they won't have to re-exploit the vulnerability to gain access again.
  • Migration: Lateral movement throughout a target network can be performed using various techniques or methodologies. This can be performed via pivoting from department to department to test user access control settings.
No alt text provided for this image
  • Data Exfil: Red Teams often gain access to a target network and forget to test real world scenarios that show impact like data exfiltration and content manipulation.

Creating Functional Teams

One of the first steps to operating successfully is developing solid teams. The average Red Team consists of 8-15 members, but can vary depending on the size of the organization, the scoping limitations, the skillset of the team, and the time restraints on the team.

If you're starting from the ground up you'll want to build your initial team with an idea in mind that some of these team members might be leading tiger teams as your Red Team grows.

Recon

Some Red Teams will have bandwidth to perform open source reconnaissance against their targets, even if those targets are employees of the same company. You'll want to budget for tools and resources that allow you to collectively pull OSINT data from multiple sources.

Targeting

The targeting team has one of the most important jobs of the Red Team, identifying and developing operational and effective scopes leaning on their understanding of corporate culture, departmental silos, and the location of the organization's most critical or confidential data. Targeting teams are sometimes the teams that perform OSINT on accessible or target owned infrastructure.

Interactive Operations

I/A (Initial Access), or I/O (Interactive Operations) teams can sometimes share the workload of identifying target owned infrastructure and vulnerabilities associated with those endpoints. These teams are primarily responsible for gaining initial access and installing persistence in the environment.

Persistence

While the initial access team is often responsible for installing initial access there is regularly a team who's primary area of jurisdiction is ensuring a sustainable foothold is established throughout the target environment. What determines a 'sustainable foothold' is often proportional to the target environment. For some target environments that might be 2-3 callbacks/implants, while much larger environments might require 5-10 embedded agents.

No alt text provided for this image

Close Access

Red Teams often operate with an element of proximity access. This is when operators test their ability to gain close access, or break-in, to a target location. Ensuring you have teams that are equipped with the skills necessary to effectively gain access to target locations will be very helpful during larger scoped operations.

You'll want to ensure you've budgeted for travel expenses associated with on-site assessments.

Reporting

One thing I don't love about performing security assessments is having to write an effective report. Hiring dedicated technical writers can alleviate some of the workload from your team and ensure your other teams can continue operating as expected.

Technical writers often have skillsets similar, but not limit to, the following list:

  • Business analysisComputer scriptingIndexing
  • Information architectureInformation designLocalization/technical translation
  • TrainingE-learningUser interfacesUsability testingProblem solving

Developing an Effective Scope

Most Red Teams take quite a while to get into a smooth groove of target and scope planning. Some of the best ways to develop functional scoping is to identify the most critical assets (data, infrastructure, people, etc) in the entire target network.

Using the same method from above, we can now add critical asset identifiers and move backwards away from the target.

No alt text provided for this image

Once you've identified the critical assets in your environment you can then work backwards to determine the risk associated with the various elements of attack and accessing those critical assets.

Identifying visibility gaps or misconfigurations throughout an environment to increase user and critical data access control protections is a key element to ensuring the organization's most confidential and critical assets are secured from malicious attackers.

For some organizations developing an effective scope might be moving from department to department or from subdomain to subdomain.

FIN for now.


About the author
David Evenden is an experienced offensive security operator/analyst with 10 years of active work experience inside the Intelligence Community (IC). During his time inside the IC, he learned Persian Farsi, worked at NSA Red Team and was a member of an elite international team operating in conjunction with coalition forces to aid in the ongoing efforts in the Middle East.

While he currently works with an ISP and DHS to aid in the efforts to enhance the bidirectional sharing relationship between the US Government and Commercial entities, his passion is educating network administrators and security engineers on best practices when securing your network.

David currently holds Pentest+ and CySA certificates.


The article has been originally published at: https://www.linkedin.com/pulse/red-teaming-10000-feet-david-evenden/?trackingId=


January 7, 2020

Leave a Reply

avatar

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
Notify of

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013

Privacy Preference Center

Necessary

Cookies that are necessary for the site to function properly. This includes, storing the user's cookie consent state for the current domain, managing users carts to using the content network, Cloudflare, to identify trusted web traffic. See full Cookies declaration

gdpr, PYPF, woocommerce_cart_hash, woocommerce_items_in_cart, _wp_wocommerce_session, __cfduid [x2],

Performance

These are used to track user interaction and detect potential problems. These help us improve our services by providing analytical data on how users use this site.

_global_lucky_opt_out, _lo_np_, _lo_cid, _lo_uid, _lo_rid, _lo_v, __lotr
_ga, _gid, _gat, __utma, __utmt, __utmb, __utmc, __utmz
vuid

Advertising


tr, fr
ads/ga-audiences