The fun house - Part 1

Once in a while you have a project that you know will be a lot of fun. One of the biggest telecom providers dropped a project exactly like that a couple of years ago.

They wanted a full red team assessment, including external and internal digital assessments as well as a physical one. The scope: the entire company. This included the corporate HQ and its employees, the service stores across different cities, local offices, mall stores and the factory. This was a HUGE project. The time allotted? 6 months. Perfect.


Convincing new customers...

You have two types of prospective customers in the world of red teams: those that believe they need help and are willing to invest in proper security, and those that believe their security is the best but, since it's required by their oversight, will hire a security consultant to *try* to find security vulnerabilities.

The former are easy to convince that they need to perform different tests, including a physical penetration test. The latter... Well, those take some convincing.

I can show them presentations and hard data on why their security is lacking, but they are so confident that their security is good that they won't listen. In these cases I have to show them first hand. I would usually ask for permission to try to penetrate their building/network, but sometimes I do it and then show them.

This last customer I had to convince authorized me to, quote: "try to bypass my security guards, I dare you...". 


Difference between penetration testing and red team exercises

Penetration testing involves mimicking the actions of computer attackers to identify vulnerabilities in a target organization, and exploiting them to determine what kind of access an attacker can gain. Penetration tests typically provide a deeper analysis of security flaws than the vulnerability assessments described in Critical Control 10. Vulnerability assessments focus on identifying potential vulnerabilities, while penetration testing goes deeper with controlled attempts at exploiting vulnerabilities, approaching target systems as an attacker would. The result provides deeper insight into the business risks of various vulnerabilities by showing whether and how an attacker can compromise machines, pivot to other systems inside a target organization, and gain access to sensitive information.

Red team exercises go further than penetration testing. Red team exercises have the goals of improved readiness of the organization, better training for defensive practitioners, and inspection of current performance levels. Independent red teams can provide valuable and objective insights about the existence of vulnerabilities and about the efficacy of defenses and mitigating controls already in place and even those planned for future implementation.

(via SANS: Penetration Tests and Red Team Exercises)

The initial way in

Based on experience, people think adversaries (they call them hackers) always find vulnerabilities (in networks, applications, protocols, etc.) and write or use exploits in order to gain access to their targets.

While to some extent this might be true, a lot of attackers use other techniques to gain that initial way in. Social engineering is a great way to convince someone to download and open a *weaponized* document or binary file and get him or her infected with a piece of malware that gives the attacker remote access to the system.

Social engineering doesn't necessarily mean calling or emailing the target. Sometimes sending a bunch of *product samples* might do the trick. For example, sending cheap USB flash drives or leaving them at the reception of your target can do wonderful things. Have the USB drive point to a malicious binary that is automatically run when inserted into a computer (on systems where AutoRun is still enabled for removable media), or put a seemingly harmless PDF file called something along the lines of "Get more free samples.pdf" on it, outfitted with some malware, and you now have remote access to the system.
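
The "automatically run when inserted" part of the USB drop described above relies on the drive carrying an autorun.inf that names a program to launch. The following is an added example, not code from the original post or its author, that parses such a file and flags the entries a blue team would want to catch on a dropped drive; the two autorun.inf contents, the drive label and the binary name are constructed for the example, and the assumption that the post means Windows AutoRun/AutoPlay is mine.

```python
import re
from typing import Dict, List

# autorun.inf keys that make Windows launch, or offer to launch, a program
# when the drive is inserted (AutoRun) or opened from the AutoPlay dialog.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Text used to make a custom AutoPlay entry look like the built-in Windows
# "open folder" choice, so the victim launches the binary out of habit.
MIMIC_ACTIONS = {
    "open folder to view files",
    "open folder to view files using windows explorer",
}

# Constructed sample: what a "free product samples" drop drive might carry.
SAMPLE_AUTORUN = r"""
; constructed sample, not taken from a real drive
[autorun]
open=samples\Setup.exe
icon=samples\Setup.exe,0
label=Free Samples
action=Open folder to view files
shell\open\command=samples\Setup.exe
"""

# Constructed benign sample: only sets a label and an icon.
BENIGN_AUTORUN = """
[autorun]
label=Holiday Photos
icon=photos.ico
"""


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Parse autorun.inf: INI sections, case-insensitive keys, ';' comments.

    Hand-written instead of configparser so that backslashes in keys
    (shell\\open\\command) and duplicate keys behave predictably: a later
    duplicate simply overwrites an earlier one.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a section, or no key=value pair
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text: str) -> List[str]:
    """Return 'key -> command' for every entry that would run a program."""
    autorun = parse_autorun(text).get("autorun", {})
    return [
        f"{key} -> {value}"
        for key, value in autorun.items()
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key)
    ]


def is_suspicious(text: str) -> bool:
    """True if the file launches a program or disguises the launch entry."""
    autorun = parse_autorun(text).get("autorun", {})
    mimics_explorer = autorun.get("action", "").strip().lower() in MIMIC_ACTIONS
    return bool(launch_targets(text)) or mimics_explorer


if __name__ == "__main__":
    for name, content in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(f"{name}: suspicious={is_suspicious(content)}")
        for target in launch_targets(content):
            print("  ", target)
```

One caveat worth keeping in mind when reading the post today: Windows 7 and a 2011 update for earlier versions stopped honoring autorun.inf on USB mass-storage devices, so the `open=` entry no longer fires by itself on a patched machine. The drop still works through the second path the post mentions, a bait file the victim opens, or through a drive that presents itself as a keyboard rather than as storage.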


Internal assessments

Red team assessments and digital penetration tests do not always involve trying to penetrate an organization's network or premises from the outside; sometimes you are tasked with checking what an insider, or an adversary that physically got in, can see from within your networks.

I've talked about this a bit in "The hole in the wall" and "Chasing the ghost in the machine", but I just want to give you another example.


Before a Red Team assessment...

Before a red team assessment I usually recommend organizations perform at least 2 out of these 5 actions:

  • Identification of the critical information to be protected
  • Threat analysis
  • Vulnerability analysis
  • Risk assessment
  • Application of countermeasures

The ones I recommend are the identification of critical information and threat analysis. Those two will most likely define the rest; however, if you could perform all 5 actions before a red team tries to break in, it would increase the chances of 1) having a tighter security posture and 2) providing proper guidance after the exercise.

Sometimes the developers are the weakest link

Like the title says, sometimes careless developers are the weakest link and the reason an organization's network gets compromised.

In this particular assessment the team spent close to a month trying to find a way in via the organization's main website, email server, database servers, routers and firewalls. We were hitting well-configured and security-hardened systems, and we were getting close to the finish date for our project. I am sure that had we had more time we would have found an exploitable vulnerability.


Getting information, by any means...

During a project where I helped track a high-ranking fraud criminal, we ran into a problem. The criminal had his computer protected with a BIOS password.

Part of the project called for a little deception so I could sneak into the criminal's hotel room (with permission of the law enforcement agency), search his laptop's hard drive, extract any useful information and install a backdoor. However, intel that reached us stated that the criminal's laptop was protected by a BIOS password. I had the tools to bypass the OS password or even some well-known full disk encryption software (there was a workaround back then; it has since been fixed), but didn't anticipate this. My bad.

I researched how to bypass the BIOS password on this specific brand and model of the laptop. There wasn't much to be done except to fry the BIOS. That would alert the criminal that someone tampered with his computer. I mean, at that point why not just take the hard drive out of the computer and be done with it.

But no...
