The catering service

Last year, we were hired to do an overall security posture assessment and see if we could get a foot inside the customer's network. The idea was to test their perimeter and the training their employees had in security awareness.
The customer gave us 6 weeks to complete this and give him what we found.

After a couple of weeks and a bunch of failed attempts, we figured their perimeter security was good. We could probe and penetrate it, but we needed a bit more time than what we had. So, we decided to change the approach.

List most big companies, our customer had a cafeteria in the building that would serve breakfast and lunch to the employees. They outsource the food and service to a 3rd party catering service and since the supply chain is usually one of the traditional weak points, we looked there.
The catering service had set an external website for the employees of the customer to place orders for lunch. After scanning, we found their "secure coding" was, well, non existant and we found multiple vulnerabilities that we could exploit, from PHP env. variables that we could arbitrarily set and get upload our code to reverse shell and exploits, to getting full control of their server. Which we did. After changing a some of the application code, we now had a good way to spread a backdoor into our customer network. The next day, when people began placing orders for lunch, we began receiving shells from their workstations. At the end of the morning we had 39 active shells, including an administrator.

A week later we had copies of all their emails.

So... What's the moral of the story? You might be secure, but are your suppliers?

Interview with the Revue Militaire Suisse

I was recently interviewed for the Revue Militaire Suisse. This issue of the Journal features several articles about Red Teaming, including another interview with our friends from the Red Team Journal.

The interview is on page 16, and if you can read French, here's a PDF with it.

Thank you Yves, edit at the Journal for sending the PDF.

/

Always Contextualize Your Red Team Engagements | Red Team Journal

Despite the fact that we’ve now posted 50 red teaming “laws,” we hope that our readers understand that the superior red teamer should contextualize every red team engagement (within the obvious constraints of budget and schedule). Yes, it’s tempting to commoditize your approach and get in and out as efficiently as possible, but by overdoing it you risk delivering a misleading assessment to your client.

This is another great article posted by our friends at the Red Team Journal.

One of the questions that a reader sent us, aligns great with this post.
In that post, back in 2014, we answered:

PHASE 3: RECON

This phase is, in my opinion, one of the most important phases. If you do it right it will most likely end in the success of the project. If done right, a good team can move to Phase 5 directly and finish the project. During this phase the team observes the target and learns about it. Physical surveillance and digital scanning are performed. The target's digital and/or physical footprints are mapped and analysed. At the end of this phase there is a clear view of the possible vectors of attack. These vectors can be exploited on the spot.

The Red Team Mindset Course and Digital Recon at the 2015 ITS Tactical Muster

I'm excited to anounce that this year, the ITS Tactical Muster will have the Red Teeam Mindset course and, together with Matt from SerePick a course on recon.

If you are a member of ITS Tactical, maybe we'll see you there. If not, then you should definately join!

/

Book Review: Team of Teams

When I first thought Team of Teams by General Stanley McChrystal, I thought this was another one of those book where a high ranking officer recounts some of the stuff he did when he was in charge of certain missions in Iraq or Afghanistan. But given that he commanded the Joint Special Operations Command (JSOC), and he is regarded and one of the people that made JSOC one of the most formidable, fluid and adaptable special operation organizations, I figured I'd give it a try.

What a great book.

This book is not about war. This book is about how to apply small team tactics and its mindset to large organizations, with ever changing landscapes and the human factor. This book helps cope with chaos and shows a different approach to adaptability.

Highly recommended.

/