Red Team Operations

Of all the types of cybersecurity penetration and audit tests, Red Team Operations are the closest you can get to knowing how prepared your organization is to defend against a skilled and persistent group of hackers.

What are Red Team Operations?

As new types of attacks emerge and grow in sophistication, penetration testing alone no longer serves its purpose, and applications and infrastructure need to be tested more comprehensively. Standard testing methods uncover various kinds of vulnerabilities, but they do not test the ability to detect, respond to and recover from a cyber-attack.

The name is derived from the term Red Team, which refers to a team of skilled ethical hackers who execute an attack using the same sophisticated means as real attackers. Thus, Red Teaming faithfully simulates attack threats using the latest technologies and tactics, and also provides information about a company's readiness to detect, eliminate and remediate these attacks.

Benefits

  • We faithfully simulate attacks in the way real attackers carry them out.
  • We uncover attack vectors that were outside the scope of penetration tests and audits.
  • Red Teaming both tests and trains the Blue Team (SOC).
  • We test the resilience of the entire company environment, not just an isolated system.
  • We test the physical, psychological and cyber security aspects.

Solution description

Gaining access to the internal network through social engineering methods:
  • OSINT - We collect information about the company and its employees from public sources, and adjust our next course of action based on what we find.
  • Tailored Malware - Malware delivered as part of the scenarios is tailored according to the information found about the company's specific technologies. Once triggered, the malware allows access to the company's internal network to our operators, who continue with other scenarios.
  • Phishing/Smishing - We deliver an attachment (malware) to employees via a fraudulent email or SMS message.
  • Vishing - We call employees from spoofed numbers belonging to their colleagues, increasing the credibility of the call. In the call, we then convince the employee to download and run the malware.

Gaining access to the internal network through external infrastructure:
  • Breaking the external perimeter - We look for vulnerabilities in the publicly accessible external infrastructure of the company. If found, we exploit the vulnerabilities to access the internal network and follow up with other scenarios.
  • Credential stuffing - Based on databases of leaked passwords, we try to gain access to an employee's account that can be exploited for access to the internal network.

Gaining access to the internal network via (on-site) Wi-Fi networks:
  • Breaking the guest Wi-Fi network - We will attempt to gain access to the internal network through the Wi-Fi network available to guests in the company's branches.
  • Eavesdropping on the employee Wi-Fi network - We will leave a device in the company offices that collects hashes of access passwords. We then try to crack these hashes with a dictionary attack on a specialized password cracking machine.
  • Employee Wi-Fi network spoofing - We leave a device in the company offices that broadcasts a spoofed network with the same name as the employee network. After logging into the network, the employee is directed to a fake captive network login portal that collects employee names and passwords.

Gaining access to the internal network by breaching physical security:
  • Contractor and employee impersonation - We gain physical access to the company's offices based on a fictional scenario, such as an air conditioning repair.
  • Tailgating - We gain access to the offices by, for example, mingling with a group of employees returning from lunch who let us in with their access cards.
  • Access Card Cloning - Through various methods and techniques we attempt to obtain a working fake/cloned access card.
  • LAN Drop Device - After gaining access, we plug a device into an internal network, such as between a printer and a switch, which will allow us remote access.
  • Dumpster diving - We obtain information about the company and its partners from sensitive documents that are left visibly accessible on the company premises.
  • Fake USB Devices - We leave various USB devices around the company premises which, when plugged in, allow remote access to the internal network. These include charging cables, USB Flash Drives, USB network cards, etc.

Abuse of access to the internal network:
  • Command & Control - The delivered malware enables us to remotely perform unauthorized actions on the internal network.
  • Ensuring persistence - After gaining access, we ensure that the malware continues to run even after the infected computer is rebooted.
  • Privilege escalation - On the internal network, we will attempt to escalate privileges to the local/domain administrator level.
  • Lateral Movement - We will attempt to gain access to other segments and machines within the internal network.
  • Data Exfiltration - We will search the internal network and attempt to stealthily exfiltrate (steal) sensitive data, or meet other objectives specified by customer requirements.

Test termination and de-briefing:
  • Report - We write a detailed report of each scenario that includes a timeline of the attack and the actions performed along with their outcome (successful or unsuccessful). For successful scenarios, we also describe the indications of the attacks, which can be used to better detect and stop the attack in the future.
  • Workshop with company employees - In the workshop, the Red Team meets the company's IT security / SOC staff for the first time and compares the actions performed by the Red Team with the detections made by the company's employees. Successful attacks are also discussed to train employees in how to detect them.


Penetration testing                        | Red Teaming
Methodological security assessment         | Flexible security assessment
Fixed scope                                | Free scope
Focus on efficiency                        | Focus on realistic simulation
Usual duration 1 - 3 weeks                 | Usual duration 1 - 6 months
Announced in advance                       | Only the White Team knows about the exercise
Very limited post-exploitation phases      | Post-exploitation is one of the crucial phases
Goal: identify vulnerabilities             | Goal: test the Blue Team, verify resistance to real attacks

A Red Teaming exercise is normally carried out confidentially: only a small part of the company's employees, typically management, is informed of its progress. As a result, the exercise authentically tests the employees' ability to respond to an ongoing attack, without that response being influenced by the knowledge that it is only an exercise.

Methodology - Cyber Kill Chain

Just as there are methodologies for performing penetration tests (OWASP, PTES, OSSTMM, ...), there are frameworks for describing an attack that can be read either from the perspective of the Security Operations Centre, for prevention, or from the perspective of the Red Team, for planning and executing the attack. One such framework is the Cyber Kill Chain (CKC) developed by Lockheed Martin (https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html).

The CKC describes seven successive stages that must all be completed for an attack to succeed. The Blue Team's job is to break this chain at any stage, while the Red Team attempts to carry every stage through to a successful conclusion.

Reconnaissance
The phase in which the Red Team uses freely available and non-public sources to obtain as much information about the target as possible. Open-source intelligence (OSINT) techniques, social network research (LinkedIn, Facebook) and tools such as Maltego, Shodan or ZoomEye are fully utilized. This includes collecting email addresses, employee names, phone numbers and information about the technologies and services used and exposed to the Internet.

Weaponization
The preparation phase, in which the Red Team creates malware tailored to the target based on the findings of the previous phase. Proprietary in-house techniques are used to obfuscate the code and the exploits used, all with the aim of keeping the attack software from being detected by the target network's anti-malware tools.
For social engineering methods, so-called decoys are created: documents (pdf, docx, ...) containing the attack code. Exploits for known and unknown (zero-day) vulnerabilities, document macros or Dynamic Data Exchange (DDE) are also used.

Delivery
The phase in which the actual attacks are launched. Social engineering attacks can include sending emails with infected attachments (phishing), interacting with employees via phone (Vishing), interacting on social media or using offensive USB devices (RubberDucky, Bash Bunny, Raspberry Pi).
At the same time, attacks are launched against external infrastructure and exposed services such as web, mail and DNS servers or VPN endpoints. The phase also includes attacks on employee and visitor Wi-Fi networks.

Exploitation
This phase indicates successful penetration. It may be the exploitation of a technical error in the form of an exploit against external infrastructure or the Wi-Fi network or the exploitation of a human error in the context of social engineering, where an employee of the target company executes the attack code prepared by the Red Team and delivered in the previous phase.

Installation
The Red Team has successfully compromised a server or an endpoint (user workstation, mobile phone or tablet) and secures persistent access. On a compromised web server, for example, persistence can be achieved with a web shell. On an endpoint it is a backdoor that starts automatically when the station boots, achieved by running the backdoor as a system service or by modifying AutoRun keys in the Windows registry. Such malware serves as a beachhead for further attacks within the internal network.
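A defender-side check for the AutoRun persistence described above, added here as an illustration; it is not part of the original text and not ARICOMA's tooling. The script parses the text layout that `reg query` prints for the Run keys (a constructed sample is embedded) and scores each entry with a few heuristics a Blue Team applies when hunting for a backdoor registered to start with the station. The entry names, paths, indicator lists and weights are constructed assumptions.

```python
"""
Added example, not from the original page: triage of Windows AutoRun (Run
key) entries, the persistence location mentioned in the Installation phase.
Parses the text layout printed by `reg query <key>` and scores each entry
with heuristics a Blue Team would apply. Sample data, names and weights are
constructed for this example.
"""
import re

# Constructed sample in the layout `reg query` prints; paths and names are invented.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\alice\AppData\Roaming\svchost.exe
    Helper      REG_SZ    powershell.exe -WindowStyle Hidden -EncodedCommand BASE64_PLACEHOLDER
    Sync        REG_EXPAND_SZ    %TEMP%\sync.vbs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

# Heuristic indicators (assumed weights; tune against your own environment).
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".js", ".ps1", ".bat", ".cmd", ".hta")
HIDDEN_FLAGS = ("-encodedcommand", "-enc ", "-windowstyle hidden", "-w hidden")
USER_WRITABLE = ("\\appdata\\", "%appdata%", "%localappdata%", "\\temp\\", "%temp%",
                 "\\downloads\\", "\\users\\public\\", "\\programdata\\")


def parse_reg_query(text):
    """Return a list of {'key','name','type','data'} dicts from `reg query` output."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # key paths start at column 0
            key = line.strip()
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            name, rtype, data = m.groups()
            entries.append({"key": key, "name": name, "type": rtype, "data": data.strip()})
    return entries


def image_path(command_line):
    """Program path from a command line: the quoted part, or the first token."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    return cl.split()[0] if cl else ""


def score_entry(entry):
    """Return (score, reasons) for one Run entry; higher means more suspicious."""
    data = entry["data"].lower()
    image = image_path(entry["data"]).lower().replace("/", "\\")
    image_name = image.rsplit("\\", 1)[-1]
    score, reasons = 0, []
    if image_name in SYSTEM_BINARY_NAMES and "\\system32\\" not in image and "\\syswow64\\" not in image:
        score += 5
        reasons.append("system binary name outside System32")
    if image_name in SCRIPT_HOSTS:
        score += 2
        reasons.append("script host or LOLBin as autorun target")
        if any(flag in data for flag in HIDDEN_FLAGS):
            score += 3
            reasons.append("hidden or encoded command line")
    if image.endswith(SCRIPT_EXTENSIONS):
        score += 3
        reasons.append("script file as autorun target")
    if any(marker in image for marker in USER_WRITABLE):
        score += 1
        reasons.append("image in a user-writable location")
    return score, reasons


def triage(text, threshold=3):
    """Entries at or above threshold, most suspicious first: [(name, score, reasons)]."""
    findings = []
    for entry in parse_reg_query(text):
        score, reasons = score_entry(entry)
        if score >= threshold:
            findings.append((entry["name"], score, reasons))
    return sorted(findings, key=lambda f: -f[1])


if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_REG_QUERY):
        print(f"{score:2d}  {name:<16} {'; '.join(reasons)}")
```

The legitimate OneDrive entry scores only one point (it lives under AppData, as many genuine per-user programs do), which is why the location heuristic is weighted low and the result is a ranked list for an analyst rather than a verdict; the entries that reach the threshold are the system binary name outside System32, the hidden encoded script host and the script file started from %TEMP%.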

Command and Control
The malware installed in the previous phase establishes communication out to the Internet, to the Red Team's server. This Command and Control (C2) server is used to remotely control the malware on the network, usually over the HTTP or DNS protocols.
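An added example of how a Blue Team can look for the DNS-based command and control described above in its own resolver logs; it is not part of the original text and not the page author's code. It parses constructed DNS query log lines and flags two indicators: many distinct high-entropy subdomains under one registered domain (data carried in query names) and one client querying one domain at near-constant intervals (implant check-ins with little jitter). The log format, thresholds and domains are assumptions made for the example.

```python
"""
Added example, not from the original page: two simple detections for DNS
command and control, run over constructed resolver log lines.
  1. tunnelling - many distinct, high-entropy labels under one registered domain;
  2. beaconing  - one client querying one domain at near-constant intervals.
Log format, thresholds and domains are assumptions made for this example.
"""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log: "<epoch seconds> <client ip> <query name>", one query per line.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com
1700000060 10.0.0.5 a9f3k2q8z1x7c4v6b0n5m2l8.update.example.net
1700000120 10.0.0.5 q7w3e9r1t5y2u8i4o0p6a3s9.update.example.net
1700000180 10.0.0.5 z2x4c6v8b0n1m3k5j7h9g1f3.update.example.net
1700000240 10.0.0.5 l9k7j5h3g1f2d4s6a8p0o2i4.update.example.net
1700000300 10.0.0.5 m3n5b7v9c1x3z5a7s9d1f3g5.update.example.net
1700000360 10.0.0.5 t6y8u0i2o4p6a8s0d2f4g6h8.update.example.net
1700000010 10.0.0.7 mail.example.com
1700000500 10.0.0.7 www.example.com
1700000730 10.0.0.7 www.example.com
1700000900 10.0.0.7 cdn.example.org
1700001100 10.0.0.7 mail.example.com
1700001900 10.0.0.7 www.example.com
"""

# Assumed thresholds; tune against a baseline of your own traffic.
TUNNEL_MIN_LABEL_LEN = 16   # leftmost label length
TUNNEL_MIN_ENTROPY = 3.5    # bits per character
TUNNEL_MIN_UNIQUE = 5       # distinct suspicious labels under one domain
BEACON_MIN_QUERIES = 5
BEACON_MAX_CV = 0.10        # coefficient of variation of inter-query gaps


def shannon_entropy(s):
    """Bits per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels of the name. Real deployments should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Return [(timestamp, client, qname)] from the constructed log format."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname = line.split()
        events.append((int(ts), client, qname.lower().rstrip(".")))
    return events


def detect_tunnelling(events):
    """{registered_domain: count} for domains with many distinct high-entropy leftmost labels."""
    labels_per_domain = defaultdict(set)
    for _, _, qname in events:
        domain = registered_domain(qname)
        prefix = qname[: -len(domain)].rstrip(".")
        if prefix:
            labels_per_domain[domain].add(prefix.split(".")[0])
    hits = {}
    for domain, labels in labels_per_domain.items():
        suspicious = [l for l in labels
                      if len(l) >= TUNNEL_MIN_LABEL_LEN and shannon_entropy(l) >= TUNNEL_MIN_ENTROPY]
        if len(suspicious) >= TUNNEL_MIN_UNIQUE:
            hits[domain] = len(suspicious)
    return hits


def detect_beaconing(events):
    """{(client, registered_domain): mean_gap_seconds} for near-periodic query series."""
    series = defaultdict(list)
    for ts, client, qname in events:
        series[(client, registered_domain(qname))].append(ts)
    hits = {}
    for key, times in series.items():
        if len(times) < BEACON_MIN_QUERIES:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = float(mean(gaps))
        if avg > 0 and pstdev(gaps) / avg <= BEACON_MAX_CV:
            hits[key] = round(avg, 1)
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("tunnelling:", detect_tunnelling(events))
    print("beaconing:", detect_beaconing(events))
```

In the sample, client 10.0.0.7 also queries example.com five times, but at irregular intervals, so it is not reported; only the regular 60-second series from 10.0.0.5 to example.net and the six random-looking labels under that domain are flagged. Both indicators are statistical, so in production they belong on top of a baseline of normal query volume per domain rather than fixed constants.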

Actions on Objectives
As soon as the Red Team gains persistent remote access to the target internal network, it will begin activities to achieve the pre-determined goal of obtaining the Flag. These activities include internal network reconnaissance, lateral movement, collection of user accounts and passwords, privilege escalation, and in the final phase, data exfiltration.
 

Conclusion

As attackers' techniques and penetration methods improve, penetration testing of isolated systems on its own is no longer a sufficient verification of resistance to attack. There is growing demand for a more comprehensive service, and that is what the Red Teaming described here provides.

We conclude our introduction to Red Teaming with a quote from former Cisco CEO John Chambers: "There are two kinds of companies: those that have been hacked and those that don't yet know that they've been hacked."
 