Red Teaming @ 10000 Feet
by David Evenden
There are many articles and books that are pro-Red Teaming, but I haven't seen many that give a high-level view of how to organize and run a Red Team. I have fairly in-depth experience being part of a Red Team and will share my knowledge here, but let me start by saying that there is really no right answer. Many teams look different, and that's of course OK. There is no single right answer, only functional teams.
Rules of Engagement
Developing a solid ROE for your team is going to be step one. If you are operating on an internal Red Team, you might have two ROEs: one that governs your daily operations by the #infosec staff (let's call that a general ROE), and an ROE document for each engagement your team performs (let's call that an engagement ROE). You'll want to ensure the ROE signed by your direct management covers all areas of what you're allowed to do internally. It should also be signed by the person giving you authority to operate. This will protect you in the event something goes wrong and things turn into a 'he said/she said' situation where it is claimed you didn't have authority to perform specific tasks.
The ROE should cover, but is not limited to, the following areas:
This section is included in case you're just getting started. Without understanding the processes and the methodologies, some of the other sections below might not make sense.
- Recon: Reconnaissance is the act of performing open source research on publicly available information, also known as OSINT, for the purpose of learning more about the target. This can range from target infrastructure to personnel information and email addresses.
- Target: Targeting can actually take place before, during, or after reconnaissance; it just depends on the function of the specific organization.
  - Before Recon: This is often used to develop the "victim" of an operation. In real-world hacking scenarios, victims are often determined by geopolitical circumstances or by critical/proprietary data of high monetary value.
  - During Recon: This is simply narrowing the scope to the critical assets that are discovered during the Recon phase.
  - After Recon: This is often mapping critical assets within scope to potentially exploitable vulnerabilities.
- Breach: Breach is the act of obtaining initial access. This can be performed via exploiting externally hosted infrastructure, a successful social engineering phishing campaign, or the results of a close access operation where the attacker was able to run commands or code on a victim machine via close proximity to the device.
- Persistence: Once initial access is obtained, operators will often install a method to regain access to the network so that they won't have to re-exploit the vulnerability to get in again.
- Migration: Lateral movement throughout a target network can be performed using various techniques or methodologies. This can be performed via pivoting from department to department to test user access control settings.
- Data Exfil: Red Teams often gain access to a target network and forget to test real world scenarios that show impact like data exfiltration and content manipulation.
Creating Functional Teams
One of the first steps to operating successfully is developing solid teams. The average Red Team consists of 8-15 members, but this can vary depending on the size of the organization, the scoping limitations, the skillset of the team, and the time constraints on the team.
If you're starting from the ground up you'll want to build your initial team with an idea in mind that some of these team members might be leading tiger teams as your Red Team grows.
Some Red Teams will have bandwidth to perform open source reconnaissance against their targets, even if those targets are employees of the same company. You'll want to budget for tools and resources that allow you to collectively pull OSINT data from multiple sources.
The targeting team has one of the most important jobs on the Red Team: identifying and developing operational and effective scopes, leaning on their understanding of corporate culture, departmental silos, and the location of the organization's most critical or confidential data. Targeting teams are sometimes also the teams that perform OSINT on accessible or target-owned infrastructure.
I/A (Initial Access) or I/O (Interactive Operations) teams can sometimes share the workload of identifying target-owned infrastructure and the vulnerabilities associated with those endpoints. These teams are primarily responsible for gaining initial access and installing persistence in the environment.
While the initial access team is often responsible for establishing initial access, there is regularly a separate team whose primary area of jurisdiction is ensuring a sustainable foothold is established throughout the target environment. What counts as a 'sustainable foothold' is often proportional to the target environment. For some target environments that might be 2-3 callbacks/implants, while much larger environments might require 5-10 embedded agents.
Red Teams often operate with an element of proximity access. This is when operators test their ability to gain close access to, or break into, a target location. Ensuring you have teams equipped with the skills necessary to effectively gain access to target locations will be very helpful during larger-scoped operations.
You'll want to ensure you've budgeted for travel expenses associated with on-site assessments.
One thing I don't love about performing security assessments is having to write an effective report. Hiring dedicated technical writers can take some of that workload off your team and ensure your other teams can continue operating as expected.
Technical writers often have skillsets similar to, but not limited to, the following list:
- Business analysis, Computer scripting, Indexing
- Information architecture, Information design, Localization/technical translation
- Training, E-learning, User interfaces, Usability testing, Problem solving
Developing an Effective Scope
Most Red Teams take quite a while to get into a smooth groove of target and scope planning. One of the best ways to develop functional scoping is to identify the most critical assets (data, infrastructure, people, etc.) in the entire target network.
Using the same method described above, we can now add critical asset identifiers and work backwards, away from the target.
Once you've identified the critical assets in your environment, you can work backwards to determine the risk associated with the various avenues of attacking and accessing those critical assets.
Identifying visibility gaps or misconfigurations throughout an environment, in order to strengthen user and critical-data access control protections, is a key element of ensuring the organization's most confidential and critical assets are secured from malicious attackers.
For some organizations, developing an effective scope might mean moving from department to department or from subdomain to subdomain.
FIN for now.
While he currently works with an ISP and DHS to aid in the efforts to enhance the bidirectional sharing relationship between the US Government and commercial entities, his passion is educating network administrators and security engineers on best practices for securing their networks.
David currently holds the Pentest+ and CySA certifications.
This article was originally published at: https://www.linkedin.com/pulse/red-teaming-10000-feet-david-evenden/?trackingId=