Red Teaming and Energy Grid Security Slides

Some interesting points in this presentation.

The informative and entertaining discussion is presented by a 26 year military and law enforcement veteran and former federal counterterrorism operative (now working as a state law enforcement agent responsible for critical energy infrastructure protection), and details the emergence of Red Cell activities and Red Teaming as a valuable form of alternative assessment for use in securing the American energy grid. A widely accepted and established practice in military and intelligence circles, Red Teaming is slowly moving into law enforcement and the private sector, and is now being utilized as a key vulnerability and threat assessment tool by state law enforcement agencies, Fortune 500 companies, and national laboratories.

/

Point and Pattern Red Teaming | Red Team Journal

I remain convinced that the best red teamers are those who know many different things. Yes, domain knowledge and skills are essential, but the best red teamers I’ve met—almost without exception—are those who actively hunt down concepts from other domains and then apply them to their red teaming activities. I’ve even encountered a couple of organizations that do this well, although I increasingly worry that they are the exception, not the rule.

Another great article at the Red Team Journal

/

Red Teaming Yourself

A reader recently asked me if I can help him Red Team himself, to check his digital footprint and to know whether he was safe out there.

My answer was a list of things that he can check and that if any of these questions raised concerns then we could take it one step further.

Here's the list, I think it will help you threat-assess yourself:

Digital Life

  • Use passphrases instead of passwords
  • Use different passphrases for different accounts
  • Don’t reply to spam emails or click on links/pictures without verifying them, even when they came from friends
  • Don’t respond to emails coming from companies requesting more information about you, call them, and only to the number that you know it’s the real number
  • Don’t open PDF, office documents, GIF or JPEG files directly on the email client or browser.
  • Don’t run Windows. If you do, you at least have it hardened for security
  • for windows, you have at least a good personal firewall (not free) and a good anti-malware (not free) (they don’t really work, but they do catch the script kiddies)
  • Don’t use pirated software, most have backdoors
  • Your mobile devices (phone, tables, etc) are password protected.
  • your mobile devices are not rooted and you download apps from trusted sources
  • Install the latest updates on both the computers and mobile devices
  • Don’t download apps for your computer from “download” sites, but from their author’s site or the app store
  • Don’t use filesharing services (torrent, etc)
  • You clean the browser cache, cookies, history, etc, at least once a day
  • Don’t use Internet Explorer
  • Don’t install Flash, Silverlight or Java
  • Don’t connect to public, unprotected wifi networks. At least, if you do, do not login to any personal site (bank, email, etc)
  • Harden your computer for security
  • Enter your own URL and not just click on the link
  • Lock the computer when you walk away
  • Don’t use public computers
  • Buy online ONLY from trusted sources
  • Do NOT let browsers store passwords for you
  • Read the error messages, don't just click OK

Personal information

  • Don’t reveal SSN or other personal identifying information (address, mother maiden, girlfriend name, identifying marks, tattoos, etc)
  • Don’t share you life on social media, in fact stay away from social media unless it’s needed for work and then only post very little.
  • Keep sensitive information such as bank accounts, ssn, medical, etc off your mobile devices and computer (at least the computer that you travel with)
  • You have training on social engineering and know how to spot someone tying it
  • Stay away from Facebook if possible
  • Shred anything that has your name on it
  • Digitally shred sensitive files
  • Wipe your HD when you want get rid of it
/

Start Here

We've seen a lot of new readers in the past few days and a lot of the questions coming our way are good, but can be easely answered by reading previous posts. I thought that maybe the new readers would benefit and know more about the blog and the Team if we list some of the old posts.
So, here's a list of what I think it's a good way to start understanding the blog and Red Teaming. It's a good thing for new readers and for the the old timers here, well, it's a good refresher to read this again.

And some of the old projects and operations we performed in the past few years.

And some about Gear too

/

The Three C’s of OPSEC

Via Grugq.

I would add:

  • Be paranoid, never trust anyone, always verify
  • Never reveal your plans
  • Never work from your own office/safe place
  • Don't reveal personal or atmospheric details
  • Never leave anything behind that might be traced to you

Fundraising

Last year we lost two of the Red Team members in two separate incidents in Afghanistan. They were there performing an assessment while attached to a military unit.
In one incident they took fire and one of the Team members, jumped out of his cover to assist a wounded soldier. He dragged the soldier to safety but he was shot while doing this. He died on the way to the field hospital.
The other incident was pure bad luck. A mortar round found its way to the position where the unit and the Team member were taking cover when the attack began. They had no chance.

I put some of my watches and other gear for a raffle last year to help raise money for their families. This is year I would like to raise money in a way that everyone that donates gets something and after asking the guys in the Team, they all agree that tshirts are the best way. We all love them and we all need a cool, new tshirt.

So, we have created a new campaign with this tshirt. The design was made for the Team that went to Afghanistan. We figured it would be a good tshirt. I hope you guys like it.

Available in 4 different colors, the target is 100 tshirts. Make it count.

/

Digital Recon

Morning chaos is usually a good time to tailgate someone and sneak into your target. Each company has its own morning chaos time, a little recon can show you when it's the best time to try this.  
The trick is to appear as if you belong. Wear the right clothing, have a fake badge that looks the part (again, recon will help you with this, take pictures of actual badges), be on the phone with a customer and just walk right in.

Once you are inside try to get to the network and begin your digital recon.

JS and I managed to get inside our target a while back. This was one of those projects where everything works and you just have it.  

Read More

Quote of the day

"No purely deceptive plan ever ‘won’ a battle or a war…. You can, perhaps, persuade your opponent that since you are going to hit him in the eye, he should guard that organ, whilst in fact, your intention is to hit him in the stomach. You still have to hit him and, after you have done so, guard yourself against his agonised and furious reaction. The first is for the deceiver, in war; the second is for the commander."

-- From Mure’s classic 1980 volume Master of Deception. (via Red Team Journal)

/

Disguising Exfiltrated Data | Infoworld

The article is an interesting one.

How hackers used Google to steal corporate data.
Attackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers.

A group of innovative hackers used free services from Google and an Internet infrastructure company to disguise data stolen from corporate and government computers...

This is a common technique on high-end and more sophisticated adversaries, some of whome might be working for governments. It is not hard to do, but it takes time, knowledge and proper recon of the target to properly do it.

What was unique about the attackers was how they disguised traffic between the malware and command-and-control servers using Google Developers and the public Domain Name System (DNS) service of Hurricane Electric, based in Fremont, Calif.

In both cases, the services were used as a kind of switching station to redirect traffic that appeared to be headed toward legitimate domains, such as adobe.com, update.adobe.com, and outlook.com.

Yes, it is a good way of hiding your exfil data.

In the case of Google Developers, the attackers used the service to host code that decoded the malware traffic to determine the IP address of the real destination and edirect the traffic to that location.

This part is new and very clever. Leveraging a good 3rd party system to do this for you takes a lot of knowledge. Impressive.

Read the article, it's good.

/

There Is No Spoon | Mark Webb

This post is not about Red Teaming, although you will find the right mindset in it. This post is about enduring. It's about continuing forward.

More than a week ago, a good friend was on an accident. A GORUCK Tough like me and many readers of this blog, his words are an inspiration.

Fear is a wonderful thing, designed to protect us from risky scenarios, from danger. Sometimes we seek fear, with high adrenaline sports, theme park rides or horror movies. Sometimes fear seeks us… that moment we suddenly realize all the traffic on the highway is stopped and we need to suddenly brake, or we forget something important at work and need to rush to a deadline.

Eight days ago from the writing of this post I should have been scared. Somehow I wasn’t. I was decelerating on my motorcycle in readiness for a merge a few hundred yards away when, without warning, a cage (motorcycle term for car) turned left in front of me, blocking my way, with mere feet to play with. Fear sought me.

/