Key Things to Have in Mind while Red Teaming

Red Teaming is the art of thinking like the adversary, working out what that adversary would do, and doing it before they get the chance. In doing so, red teamers help build resilience and create an overall more secure organization.

There are a few things you should keep in mind when you begin a new project, and again while deep into an assessment. They apply to every domain of Red Teaming, from digital to physical to human.

Intelligence leads to pwn

Gathering intelligence is essential for understanding your target and for guiding your actions and behavior. Learn your target, its industry, its people, and its competitors, and have a means of observing their real-time digital and physical behavior. Then make a plan.

"Developing the situation" is the most important overlooked skill

Most plans and field actions that fail do so because of a lack of visibility into, or understanding of, what is happening in the field. The environment was not fully analyzed, the target's third-party providers were not taken into account, the new leadership's approach was not understood... In short, the information and the potential problems were never analyzed and developed.
During your planning, make sure you don't ignore what the environment is giving you: do your homework, perform a situation analysis, run that extra round of OSINT, and get your facts right.

Data is key, collect it

Without data on your progress, your successes, and your direction, you cannot tell whether you are succeeding or not. Use ACTE:

  • Assess the situation
  • Create a simple plan
  • Take action
  • Evaluate your progress

Each time you loop, address your problems based on the data, re-orient, and execute again.

Detailed planning is a must

Before every project or assessment, or even training, you need to spend hours, if not days, planning and preparing for every scenario that might come up. This is key if you are to be successful. However, as we all know, Mr. Murphy is always present, and things will not go as planned. That's ok: the time spent planning helps you react better and faster when unplanned situations materialize. The more you plan, the more of an SOP (Standard Operating Procedure) you build up, and the more you can fall back on what worked in similar situations in the past. Things repeat themselves.

Have a backup plan

You know plan A will more than likely fail, or the reality in the field will force it to be re-arranged or dropped altogether. Having a plan B should be the default in any red team assessment. Always plan for this: understand the threats and risks, address them, and make a plan B. Better still, always have a PACE plan (Primary, Alternate, Contingency, Emergency), so that when one option is burned the next one is already agreed and rehearsed.

Find the main vulnerability and attack it

Every system can be defeated by understanding its weak point and attacking it with full force. The same applies to people and physical targets. If you think of everything as a system that has vulnerabilities, it will put your mind in the right place. Scan your target as a sniper would: from far to close, then close to far; then left to right, and right to left. Create a grid and walk it, making sure you analyze and collect all the information.
The weakest areas are usually the joints: where two networks connect, where one area of responsibility ends and another begins, where a vendor's remote access meets the customer's internal network, etc. The most vulnerable areas, those most likely to be exploited, are where two things connect. There is no such thing as a seamless connection, because each side assumes the other is doing the checking. Seek out those areas and attack them.

Separate the signal from the noise

Things can get too big to understand. Huge networks, huge numbers of systems, unknown variables, too many people to phish, and unpredictable situations. It's easy to get overwhelmed. You need to be able to separate the signal from the noise: focus on what's relevant and discard the rest. Identify the critical areas of your target and focus on those first. Then work your way down to smaller and smaller pieces until you find the vulnerabilities to exploit.

At the end of the day, it's all about execution

You might have the perfect plan. Your team is ready and you have found the right things to exploit. If you fail at the execution, then it's all worthless. Do a dry run. Run through your plan and your contingencies. See what breaks and what can go wrong. Then get ready to execute to the best of your capabilities.

Quote of the day

“The goal of training for alpine climbing can be summed up in one phrase: to make yourself as indestructible as possible. The harder you are to kill, the longer you will last in the mountains.”

— Mark Twight

Apply this mindset to security. Become resilient! By training to be harder to kill, you are making your organization better prepared and more resilient to real-world attacks.

(via The Angry Red Teamer)

Recon and site casing

Ten meters away from the main entrance there was a big metal box with wires going into it. The door to the container had a simple lock, and we figured, well, that was the way into it.
At this point we had done the daytime and nighttime recon, and we were familiar with the patterns of life and atmospherics of the place. The container, at this time of night, was not monitored, and there were no lights near it. We could remain fairly undetected while we picked the lock.

It took JS about a minute to get the lock open. Once the door began to move, we entered the container with ease. Inside there was an arrangement of control boxes, monitors and computers that reported the status of the main UPS (uninterruptible power supply) units and controlled their operation. We were now inside one of the two big UPSs for this complex, and after doing our recon we had found this to be one of the biggest vulnerable points. We could now work quietly and hidden, and gain access to the customer's network via their remote access to the UPS.

This was possible because of the recon we performed over 10 days. As we've mentioned many times, good recon will likely decide the success of the project. Spend time learning your customer, understanding their environment, their industry, the key players in that industry and how they affect your customer. Understand the technology they use. And most importantly, understand their people: their mindset and motivations.
Comb the internet for information, spend time observing, and collect. Connect the dots.

After a couple of hours inside the UPS container, and given that we knew the software that was running on the servers there, we were able to gain SYSTEM access and prepare a few pieces of malware that would spread throughout the network and allow us to gain further access. We exited, closed the door and slowly walked out to the perimeter fence, passing under a security camera that was pointing in the wrong direction, and out to the parking lot. A fast walk of about 200 meters and we were in the next building, a factory that was pretty empty at this time of night.
We sat in our car and, as the sun was beginning to come up, watched the early risers arriving for work. We had Z and GY in the office waiting for any connection back during the day. So, our work was done. Now, coffee.

The project was successful. The IT people ran their usual test on the UPS, and when they connected to the server inside the container, a little dropper installed a piece of malware on the IT engineer's computer. From that point onward, we managed to secure multiple access points into their network.
As a final note, and after securing the "OK" from the security director at this company, we shut down one of the UPSs and displayed on all server console screens a message saying: The Red Team was here - all your data are belong to us.

So, spend time doing recon. Spend time getting to know the place. In some cases, recon goes hand in hand with site casing: it can help you find observation points (OPs), exit routes, and create two or more escape plans. Here it also revealed the joint worth attacking, a facilities system that IT engineers routinely connected to from the corporate network. Spend time observing. Collect. Learn.

Quote of the day

"Despite the fact that we pride ourselves on thinking laterally and creatively, we red teamers are still human, and as humans, we share a host of “wetware” issues with our non-red teaming colleagues. The difference? We’re aware of the issues (or at least we should be), and we (usually) try to do something about them. Even so, the issues persist."

-- Mark Mateski, Red Teaming: Closing The Gaps

Getting in

So, here's the thing. Sometimes plans are necessary. The complexity of the project can only be tackled by sitting down and creating a good plan. It's the only way to deal with all the moving parts.

Other times... Well, red team it. You go in like you belong. You find the one thing that gives you access. You exploit it and gain the foothold you need.

All you need is the right tools.

Right mindset + right tools + practice = Getting in.