"Conflict can be seen as time-competitive observation-orientation-decision-action cycles. Each party to a conflict begins by observing. He observes himself, his physical surroundings and his enemy. On the basis of his observation, he orients, that is to say, he makes a mental image or “snapshot” of his situation. On the basis of this orientation, he makes a decision. He puts the decision into effect, i.e., he acts. Then, because he assumes his action has changed the situation, he observes again, and starts the process anew.
― William S Lind, Maneuver Warfare Handbook
Thank you all so much for the support!
We just sent out the access code for the forumn and private area of the blog. Please check your inboxes. The forum will be up and running in a few weeks. So keep an eye on the blog.
In several cases, Paypal didn't attach an email address, so if you haven't received the code, please use the contact form to let us know, and we will send it right out to you.
Again, thank you.
The idea for this assessment came from one of the IT managers at this organization. She wasn't sure people were taking her training seriously, and she wanted to see whether our team could get inside the server room and walk with a drive from one of their servers. Bonus points would be given if we could also take over at least one of the employee's laptops.
After a week of both physical and digital recon, we had solid information that allowed us to create plan. It was going to be a combination of attacks on all fronts: physical, digital and social.
We learned 3 key things on the recon: the back alley on their main building had no camera, the service door there was guarded by a single padlock, and their fire command system (as per the information online), would make the doors "fsil open" when it was being reset.
The following week, in middle of most employees coming in, I walked very casually around the building, on the phone "on an important call that needed a little quiet", and reached the service entrance on the back. There, and without anyone looking, picked the lock on the padlock and went into the building. A few minutes later, another guy from the team came by the door and lock the padlock again. Nothing to see... Move along... Any roaming guard will see all as usual.
Onde inside, I put on my fake badge on my belt, and dressed with a suit and tie began walking. After checking the ground floor and going 2 floors up, I found a room filled with racks of servers, routers, and other network devices. Of course it needed badge access. OK, time for the social attack. I called another guy from the team that was waiting by a cafe a few blocks away.
In the meantime, no one challenged me. I was dressed with a suit and tie, I had laptop with me and a pad of paper where I had made some quick diagrams (that said nothing, but looked very official). A few guys said hello with a smile, and one even helped me get a coffee on the small kitchen on the floor.
When R arrived at the front desk, he was dressed on a very convincing fire department uniform. He talked to the security guard and told him that the fire command box was sending alerts to them every 30 min or so, that clearly all was good at the locaiton, but that he needed to see the fire command system. The guard walked with him to the security office, and opened the fire command box. After a few min, R dialed a number on his cellphone (I answered), he said: I think it's all good, we might need to reset the box. Let me know if you see the reset on your end.
He asked the guard to insert his key on the box, turn it and R hit the reset control. It took a few seconds for the box for go down and reboot. He talked to me on the phone: box was reset, can you see it? At that point, all the doors on the floow popped open. I walked into the servers room and said: I'm inside. Let it boot all the way.
R thanks the guard with a smile and while walking always, he commented on the football game for a few minutes. The guard was wearing a football hat and by doing this, he was making the guard feel at ease. An extra step to make sure he wasn't going to get suspicious.
Now I needed to find a drive to remove, and I needed to find a way to "own" one of the laptops. The disk was easy, some of the racks had hot-swappable drives. I searched for one that was labelled "backup" and took it.
The next thing was to find a way to get a laptop. This was done, again, by exploiting the helpful nature of humans. I walked to one of the desks in front of a closed-door office. These desks are usually occupied by assistants to execs, or directors. I found there a mid 40s lady, very well dressed and with "great hairdo". I commented, just passing by, how beautiful she looked and that it must have taken her a while to get her hair so good. She smile a big smile and told me ALL about it. We were having a good chat here. Just as I was leaving, I asked her: I'm having trouble accessing my powerpoints on my computer. I don't whether it's my computer or the thumdrive. Any chance I can check on yours one second?
She smiled and allowed me to kneel by her side, accessing her laptop. I plugged the USB drive, and opened it on her computer. I saw my powerpoint, opened it, but it was greated by a "corrupted file" error. So, I told her thank you and that I was clear my drive was bad. Meanwhile, behind the scenes I had now a backdoor to her laptop. A simple reverse shell that was trying to connect to a specific IP, disguised as an HTTP request. I walked away, smiling and waving goodbye.
Back in the office, the guys where receiving a shell.
Boom. We got them.
So, this one went smooth. Proper planning prevents piss poor performance. The recon, the fact that the company leaked so much of their digital footprint online (from vendors to what software their were using), and a good solid plan that attacked the 3 fronts at the same time, allowed us to really go in and succeed.
It's not this easy most of the times. You have things not working, you have people getting suspicious, you have security controls, and a million other things. However, sometimes... Well, it just works.
What is the most likely threat to occur? And the worst threat? How likely is the worst case scenario to occur?
Are you prepared for the most likely threat? Do you have a plan? Have you Red Teamed the plan?
Do you have a PACE ready?
Visualize the various parts of the plan, what you need and how you will use what you have. Communicate that plan to all those involved and drill it. Stress test it. Red team it. Give anyone involved in the planning and selection of actions, a chance to poke holes into it.
Sometimes you have time to fully assess the situation. Other times, you assess threats are they are presented and select the best way to act based on the information at hand.
Act, don’t react. Always try to be several steps ahead.
(first appeared here)
Bringing this concept of doctrine back around to SHTF security planning, we have to ask, how well do we understand the threat? How well do we understand the types of activities or the tactics that they might employ?
Everyone: the team is currently deployed on a incident response project. This has delayed the forum coding and sending of codes for the people that donated. The guys writing the code for the forum are currently overseas. This will be over soon and we'll get back to work.
Back in 2014, a question from a reader asked about the different phases of a Red Team assessment / engagement. Then we listed 8 phases.
These phases were, of course, based on our own experience, and a generic list. Each engagement is different, however having a list to begin the process and have a good visual map of what is needed, is a good thing.
During the last couple of years, we narrowed the phases down to 5:
- Target ID
- Live run
Phase 1: OPORD
The Operations Order (OPORD). An OPORD describes the project, the situation the team faces, the target, and what supporting activities the team will have to achieve their objective.
In this phase, the team gets exposed to the upcoming project or operation. The initial information about the target and the scope of the assessment are dumped and the team members begin to prepare the tools and techniques based on the information they have. The team begins to study the target and formulate the initial plan.
Phase 2: Recon
This phase is the most important one. If you do it right it will most likely end in the success of the project. If done right, a good team can ID the targets quickly, modify the plan accordingly, adapt the tools and finish the project.
During this phase the team observes the target and learns about it. Physical and digital surveillance are performed, as well an open source intelligence gathering. The physical, digital and social footprints of the target are mapped and analyzed. At the end of this phase there is a clear view of the possible vectors of attack. Usually, during this phase, all activities are passive, however in some cases - and the target is open to attack - a more active scan/surveillance is performed.
Phase 3: Target ID
During the Recon Phase, the team identified the possibles options for an attack. In this phase each option is further analyized and a plan of attack is crafted. On the digital side, a deeper scan is performed and exploits are identified. On the physical side, more information about security measures and controls are sought out. Social engineering calls are made and phishing mails are sent. Dry runs, if any, are performed during this phase too. In many cases, custom tools are written to exploit a specific vulnerability or to provide support for penetration and data exfiltration. This is a more active phase.
Phase 4: Live Run
Phase 4 is the Go! phase. Armed with all the knowledge and tools, the team executes the assessment for real. Whether a digital intrusion or a physical infil, the team tries to go inside. Once in, the team begins the lateral movement and smaller Phase 2 and 3 happen again. Important targets are indentified within the primary target and these are exploited as well. Backdoors, and further persistance are set and data exfil channels are open.
Once the team in inside, the team tries to exfiltrate data and also exploit targets of oportunity. Once all this is done, the point of contact that set the assessment is notified.
Phase 5: Report
The assessment is over. This phase is used to clean anything left behind and analyze all that was done. Findings are reported to the point of contact, and a debrief meeting is set.
The final report writing begins. This is the sucky part. Report writing happens after the endless cries from the point of contact.
And the winners of the giveaway prizes are:
RESCO Red Teams: Nathan M.
GORUCK GR1: Sylvia W.
Agilite Jacket: Justin P.
Arc'teryx Jacket: Eriko Y.
Red Team Patch: Travis W.
Emails have been sent. For the Jacket winners, please send the size you'd like to get. For the international winners, please be patient with the mail... Our post service is not always that fast.
Thank you everyone that donated! We'll be sending an access code next week for the Guerrilla Red Team close forum. Standby for that.