Offensive Information Warfare, Intelligence Gathering and Direct Action Operations Using Red Teams - Part 1

About a year ago I wrote a paper entitled Offensive Information Warfare, Intelligence Gathering and Direct Action Operations Using Red Teams; I posted the table of contents on the blog a while ago.

That paper hasn't seen the light of day yet. However, many people asked about it, so I decided to write a six-part article that will provide the basic ideas of each part of the paper.


Quick and Useful Tricks for Analyzing Binaries for Pen Testers - Part 2 | SANS Pentesting Blog

Again, basic techniques and knowledge that everyone should have.

This blog post is the second in a series of three blog posts dedicated to quick and useful techniques for analyzing binaries. In my first post, I talked about how penetration testers and other analysts can find and isolate network traffic generated by a binary. This time we'll look at pillaging the various data files that binaries and applications leave lying around. Our focus will again be on the Windows side of things, as that's where we often find the juiciest applications to analyze, including client-side software and internal tools.

Pre- and Post-Event Red Teaming | Red Team Journal

In December 2008, I posted a short article on Red Team Journal discussing a simple hierarchical model of surprise. I divided the elements of surprise into three levels: strategic (who, why); operational (how, what); and tactical (when, where). If you view the model as a pyramid, the strategic level is the base, the operational level is the middle, and the tactical level is the apex. As I observed at the time, "… a red team will probably not anticipate elements of a higher level correctly if it misreads elements of a lower level. Conversely, a red team that correctly identifies elements of a lower level is more likely to anticipate elements of a higher level."

For example, if you understand the who and the why, you are more likely to be able to identify the how and the what. Most red teams will not (and probably should not) address the when and the where; the number of possibilities expands tree-like as you move from the strategic to the operational to the tactical, and the tactical is very difficult to anticipate without specific intelligence.

A Team Effort - Part 3

Overnight the different listeners we had open were reporting data being sent by the crawler. We had mail files, several document and spreadsheet files, configuration files (hosts file, info stored in the registry of several machines, etc.) and a matrix map of how the computers were connected to each other, i.e. the network architecture. It was a crude map, but it was invaluable to us if we decided to start moving inside the attacker's network.

While Y kept an eye on the computers, D and I began checking the files sent. They were in Russian, or at least Cyrillic. That was to be expected given where the team was operating. This also meant we needed someone who could translate this information for us.

The spreadsheets had a lot of IP addresses. When we checked a bunch of them, we realized these were addresses belonging to several banks and financial institutions across the EU.


Resiliency in Response: Reacting to Crises the Red Team Way | Red Team Journal

I'm posting here Mike Denny's fantastic article for the Red Team Journal.

The Boston Marathon bombing, the plant explosion in West, TX, and ongoing events around the world represent the types of unexpected surprises that red teamers are expected to explore through planning, simulation, and modeling. When the unexpected occurs, how can the red team overcome the chaos, help control the situation, and manage the outcomes while less mentally prepared individuals curl up into a ball under their desks? Resiliency in thought, action, and organizations can be instilled through training, planning, and flexibility in decision making processes.

Terrorist attacks and active shooter scenarios present crises on multiple scales. Certainly there is the need to address initial triage and evacuation of wounded, security concerns, and the immediate questions of how and why the event occurred. In situations like the Boston Marathon bombing, there is also the need to maintain composure and move forward with the planning and execution of crisis events in multiple timelines both near- and long-term. A red team is incredibly useful in crisis scenarios because they spend a great deal of time thinking like an adversary and are cognitively comfortable with chaos and unpredictable events.

An organization can build resilience in their staffs by allowing these thinkers to execute rapidly based on imperfect information and supporting actions to get ahead of the adversary’s decision making process. Not only do government and business organizations need to be ready to respond to crises, but NGO and civic organizations help spread the robust response to the community at large. Crisis events require more emotional, physical, and mental energy than the daily grind. This requires some fitness and discipline among operational staffs to maintain a routine, eat right, and exercise to overcome the extreme mental and emotional exertion due to crisis events. Clear rule sets with well-rehearsed situational responses allow for an organization to auto-pilot minor events while preparing the individual mindset for crisis response.

RTJ Red Teaming Law #23 states: "Very little is as it appears to be. Create the hypergame and play it to your advantage." The Boston bombing search was an example of a mixed response to understanding the adversary's mindset and motivations. While social media outreach campaigns by officials in Boston were very effective, shelter-in-place directives risked developing a populace with a fortress mentality. As John Robb, author of A Brave New War, stated in his blog on April 20th, "However, over the long run, I believe this ["shelter in place"] phrase is going to look as silly as 'Duck and Cover' does to today's world. The reason is simple. As the number of disruptions increase, we're going to face a choice. We can either stay under constant lock-down, or we can become resilient." This quote captures the essence of alternative analysis in situations of homeland security crisis: one of the best weapons in a situation like the Boston bombing search is the collective, attentive eyes of a million vigilant residents.

The development of a resilient and vigilant community with the ability to identify potential threats and assist the government in preventing future events can be the goal of an empowered populace. The tools and conduits for a community already exist through civic organizations’ and government agencies’ presence on social media and traditional social networks. Organizations and government agencies have the ability to create the hypergame–in other words, establishing the playing field and forcing the adversary to mold to the rules of the situation. This reduces the power of the adversary, improving the predictability of outcomes and eventually leading to his defeat.

How does a red team assist with this? As RTJ Red Teaming Law #25 notes: "The goal of a red team usually isn't to find a needle in the haystack, it's to help you see the haystack." An organization's planning and operations staff–instead of casting a tri-state or multinational net to catch individual actors in a single event–helps predict the adversarial actions and tighten the response zone to an individual "haystack." This level of detailed analysis allows for reduced resources and improved response time. These actions assist officials in preventing organizational hysteria and paralysis by defining the problem to be solved instead of focusing on the potential "catastrophic outcomes" of an adversary's actions. The fear and paralysis in action during a crisis are potentially as dangerous as the events causing the crisis; they can undermine organizational response and diminish the confidence of citizens or customers in the organization's competence, which can in turn cause long-lasting effects. For instance, FEMA is still trying to shake the negative publicity from the events of Hurricane Katrina nearly 10 years ago. With proper planning and organizational mindset, crises provide a catalyst for organizational growth and change due to an unpredicted surprise. The red team can assist in growing the organization's response plan to ensure that a future crisis does not needlessly waste resources while leaders and decision makers are waiting to respond.

A Team Effort - Part 2

When D and I entered the TOC, Y was already there talking to the two guys on the ground. They had followed the execs that morning and again they stopped at the cafe. This time they were ready with a control inside the execs' computers. A few minutes after one of the principals opened his laptop and connected to the cafe's Wi-Fi network, the attackers were on it like flies. The team members were also running a sniffer. The combination of the sniffer and the monitoring software on the execs' computers provided us real-time info as to what the attackers were trying to do. We saw they ran an exploit and gained access to the computer.

Once their backdoor was installed, they connected back to a listener or C2 computer. A listener is a program that accepts connections from a backdoor. The simple ones are usually a terminal running netcat; the more complex ones allow the bad guys to send commands to the backdoor via different channels and protocols. We were ready for this. As soon as the backdoor made its first connection we were able to detect it. We saw the bad guys immediately begin scanning the computers. We had several Word documents and PDFs weaponized and ready to be picked up by them. They had names and content that would be too juicy not to copy. And they did.


A team effort - Part 1

During one project we had two guys in the field trying to assess the personal security of C-level execs of a large corporation while they were abroad. They were working with limited equipment and relied on the guys back at HQ to help them through the project. These were two of the most capable hackers and security experts I know, yet they were aware that they needed help from the team to successfully complete the op.

These executives stopped at a local cafe to have breakfast, like they did every morning. One of the execs opened his laptop and began checking the news. The guys from the team started scanning, as we usually do on public networks, and immediately noticed someone performing a vulnerability scan on the executive's computer. This is easy to spot if you have a sniffer running on the network. Now, they could have assumed that it was one of those target-of-opportunity scans, but given who these executives were, and based on experience, the guys decided that this was a targeted attack. They called us back at HQ and asked the guys to begin coding a backdoor for the exec's computer. They sent us the results of their own vulnerability scan.


Akamai researchers on BroBot DDoS and adversarial resilience | CSO

"At Akamai the attack surface is huge," Ternus said. "As the bad guys attack our customers, we are constantly being tested to see if our systems are good enough. What's needed then is resilience -- the ability to adapt. Our job is to think and act like the adversary to make Akamai safer."

Testing readiness - red team style

One thing we often perform is readiness exercises. These can mean different things and are planned based on the requirements.

One scenario that presents itself quite often is the one where members of an IT team, contractors and TOC personnel have to work overseas in semi-permissive or non-permissive environments.

These teams need to be ready to deal with not just security issues regarding their networks but also threats that are potentially life-ending.
