Some people don’t see the benefits of Red Teaming until you show them. Offensive security is not something organization are often willing to undertake, but sometimes is the only way to really find who is after them.
This was the case for one of our customers. We run a Red Team engagement for 3 months, we showed them what their competition and other adversaries can do to get to their IP (Intellectual Property) and, while doing so, we uncover signs of an ongoing exfil of data.

Once we presented the findings, including the possibility of the bad guys already inside and extracting information, their CTO asked us if we could help their security department find out what/when/how/who. After some discussions with the CTO and the CSO, we mentioned the need for offensive security, or as they put it, to hack back. Well, I hate that term hack back. Offensive security is not that, but good luck trying to explain this to execs that don’t really understand security on the field. We tried to walk them through the many possibilities of offensive security, we tried to explain that there’s nothing wrong with trying to go after the people already inside their network in a more pro-active way. They brought the legal department… Things got more complex..

After about a week of discussions, where all the while, the attackers might have still managed to exfil information, even when we told them what to block (if these were good attackers,they would have contingency routes and access, so I was still convinced they were active), we went nowhere. On the out, their CSO grabbed me and told me that he would arrange for us to come on-site, covertly as he called it, and do our thing from within. The idea was that he would bring us is as a group of contractors working on a network issue, and while we were there we should investigate and attack back (again, his words). We were happy to oblige.

It took 10 days, but we figured out a pattern. The bad guys were good and were covering their tracks (we discovered some IP addresses, but they were just not their real ones), but they were after a specific kind of data. So, we set a trap. We set a bunch of weaponized Office documents, along with some fake developer environment systems that had some extra monitoring in place. These systems also had a particularly vulnerable version of Apache and PHP, making it an attractive target for lateral movement for the attackers.
Meanwhile, in our office, we had a bunch of listeners to see if any of the weaponized documents managed to drop our attack code and get us a way in.
While we discussed the findings with the CSO and his VP of security, we agreed to temporarily pull the real data the adversaries were going after and slowly replace it with fake data and some watermarks. This way we could also track that data if it would appear on some competitor’s site, or news site, etc.

Anyway, 3 days later, we had a ping. One of our listeners emailed us. We had a shell. A day later 2 more. At the end of the week we had all of them pinging home.

Now we needed to move fast. While I did the recon on where we were and possibly who they were, JD try to get some redundancy (extra ways in, just in case) and uploaded some really nasty code to bring the buys down if we needed it. I uploaded our digital drone and set it up to discovery mode. In this mode, the drone only maps the network and reports back any targets of interest, such as DBs, web servers, domain controllers, network devices, email servers, etc. It’s really fast and surprisingly nimble and quiet. Hard to detect unless you know what you look for.
Within the hour we already had an idea that this was a simple setup, it seemed like a bunch of laptops (based on their MAC addresses) connected by a wireless router. We had also a possible real IP and geolocation of the bad guys. Z run a bunch of searches on this IP and locale and we compiled a brief of all we knew for the CSO.
In the meantime, some of the fake information we dispersed began to appear in a forum in Asia and on some download sites. While these are hard to crack to get who the users uploading the info were, it was an indication that these people were after just money, not really the damaging of our customers. So, we added that to the brief.

With all this information, the CSO briefed the legal department and they decided to get the law enforcement involved. However, they asked us to bring this guys down and help reconstruct what happened to help the forensics team sent by the LE.

So, we did.