Project "Mantis" - Intro

Last September we mentioned a large project that lasted 19 months. The project was informally known as Project Mantis. We call projects by names like that to keep OPSEC, especially around customers.
This is the intro to a series of posts that would recount some of the things we did and the lessons learned.

Meetings

The project started with a series of meetings with the stakeholders: the company's CEO, CIO and VP of Technology. Present there were also their head of IT, VP of Security and the CIRT manager (CIRT: Computer Incident Response Team).
We had 5 meetings until we had a final scope for the operation. Each meeting built on the previous one, with different members of the Team being there to present the case for a specific part of the project. At the end of the last meeting, the CEO and the main company lawyer signed off on the project and provided us with a written record giving us legal cover should we get caught, and agreeing that if any system went down we wouldn't be held liable. We try our utmost to NOT cause any denial of service or crash any systems, but sometimes these things happen (during this project it didn't!).

After the initial meetings, the head of IT, VP of security and manager of the CIRT came to the office to discuss the actual flow of events. We divided the project in two: Mantis Alpha - complete black box, unannounced red teaming of their digital, physical and social security posture; and Mantis Bravo - Red vs Blue random engagements with 2-3 days notice so they could get ready.
The idea on Alpha was to find vulnerabilities and exploit them, exfiltrate data and / or gain control over time of the main corporate assets. We could use any means necessary, short of kidnapping people or the physical destruction of property/servers/others. This phase lasted 14 months due to the size of the company and how spread it was among 10 countries, with even more supporting contractors and suppliers. It was a big recon!
With Bravo we focused on the more technical aspects and try to provide a realistic scenario for their CIRT to test their knowlege, ROE, tools and contingecy plans. We used the knowledge of the network gained in Alpha to write custom persistant malware and attack code that had no known signature for them to catch. The best of the exercises during this period was when we had a man inside with a laptop and we would alternate command and control from an external controller to an internal and back to external. It was fun to see people trying to figure that one. More on that when we get to that part.

Recon Planning

As always, after the initial meetings and project kickoff, we went to the recon phase. We needed to learn about the target: who they were, what they were, their main role players, their technology, their physical footprint, etc, etc, etc.
This was not easy, with 10 countries in the play, a massive network to recon with potentially thousands of internal systems and a large number with direct access to the internet, not to mention the contractors and suppliers supporting the company... It was mind numbing. It took us almost a month to just scope the recon. Divide and conquer. Team work. It was oen of our best team building exercises ever. Lots of stress, lots of friction but we prevailed and we came out of this with a bettet team and, more importantly, with a plan.

End result

At the end of the 19-months-long engagement, both the company and us were drained. We kept them guessing and they kept us busy. The project was successful across all fronts. This means two things: we were successful in penetrating them and achieving the goals and thus providing a realistic image of an adversary for the company, and the company got to test their emergency respond methods, their tools, their policies, their security measures and the most important thing, they got to test their people. It was a good exercise.

Stay tuned for Part 1, where we'll talk about the recon proper and the initial way in.