Attacking the Plan

We often provide plan analysis. A plan analysis is essentially red teaming a plan: how an adversary would see the plan and attack it. This analysis helps decision makers plan better and create contingencies as well.

Sometimes we get attached to security teams to do this, other times we get attached to specific units and help the commanding officers with their planning. We try to envision what the adversary or enemy is or will be doing based on intelligence collection. Those are the fun projects, the all-nighters.

In one particular case, we were helping a security department of a big corporation when they detected a possible breach on a segment of their network. They have some really paranoid monitoring and something set off an alarm on one of the IDS.
We knew the company well because the previous month we performed a full red team exercise on the company, with several months of recon and planning in advance. We knew where the good stuff was located (which servers). So, we went to their SOC room and started asking what they were seeing. We reviewed logs and checked the IDS for information. After more than an hour of checking, we discovered a connection out masked as a DNS request. The packets had a small payload and, based on experience (we used DNS requests in the past to exfil information out of a target), we thought it was part of a backdoor or attack tool.

Their SOC team is really good and immediately started working on tracing the source of the request down to what process was making it. In the meantime, we grabbed the information security director and the company's QRF (a security team that deals with breaches) and we started reviewing our possibilities. We would act as attackers based on what we learned during our red team assessment and the QRF would plan a possible defense and offense for that. After a couple of hours, we managed to identify the potential targets. The SOC in the meantime found the source of the DNS request. It was an unknown Windows service on a fileserver. Based on the location of the backdoor, we followed one of the plans we prepared during the red team / QRF engagement an hour prior and the QRF went to work.

The next 12 hours were spent tracking different rogue processes on different operating systems across the organization's systems. The QRF was really professional, with hackers working their magic. They would consult with us when something wasn't feeling right and we would try to think like the attacker, trying to predict what the target would be. Of course, predict is not the right word, but it's close.

After about 24 hours of constant work and a lot of system and network cleanups, firewall and other network device reviews and many other tasks, the QRF was very confident that they managed to get rid of whatever was in the network.
Of course, us being us… we started thinking again about the what-ifs.

It was a good project and one that taught us and the QRF a lot about working under pressure, and thinking like an adversary.