Quote of the day

"It is not good to settle into a set of opinions. It is a mistake to put forth effort and obtain some understanding and then stop at that. At first putting forth great effort to be sure that you have grasped the basics, then practicing so that they may come to fruition is something that will never stop for your whole lifetime. Do not rely on following the degree of understanding that you have discovered, but simply think, “This is not enough.” One should search throughout his whole life how best to follow the Way. And he should study, setting his mind to work without putting things off. Within this is the Way."

— Hagakure

Knowing your weaknesses by actively searching for them

From the Yahoo breach of 3 billion accounts, to the JP Morgan intrusion, to the recent Equifax attack, the frequency and scale of attacks are increasing, and there is no sign of stopping.
As you watch company after company fall victim and prove unable to deal properly with these crises, it becomes evident that current security testing and methodology need to evolve.

Evolve into something that properly mimics the attackers. Evolve into something that properly tests organizations and companies in the same way a real attacker would.
This means attacking the three fronts - digital, physical and social - in a way that truly mimics a real adversary.

This last bit above is what we've been trying to inform the public about. This last bit above is real Red Teaming.

What is Red Teaming?

Red Teaming is the act of portraying an adversary in order to test the security posture of an organization or company. This means all three fronts. Red Teaming is not a penetration test, though penetration testing can be, and often is, a part of Red Teaming.
Red Teaming is executed by a trained, educated, and experienced team and can often provide more than just a view of the state of affairs of security. Red Teaming can be applied to everything, from plan analysis and exploration of alternatives, to testing of capabilities in the context of the operational environment, to the application of the adversarial mindset to policy making.

Why Red Teaming?

In today's world, it is critical to assume that a security incident can and will occur. It's not a matter of if, but a matter of when and how. Period. It is correct to assume that a compromise already happened.

Red Teaming must be a necessary component in any effective security strategy to face today’s realities and the modern adversary. A Red Team is a friendly force that plays the role of an advanced adversary to uncover those weaknesses before a real attacker does. Organizations and companies can better prepare for the impact of current and future threats by simulating real-world attacks and exercising Tactics, Techniques and Procedures (TTPs) that determined and persistent adversaries use during breaches, helping build resilience and test in advance their own TTPs: the information gained from Red Teaming helps to significantly strengthen defenses, improve response strategies, train defenders, and drive greater effectiveness of the entire security program.

Act, don't react

Security prevention strategies and technologies cannot guarantee safety from every attack. Given today’s threat landscape, as mentioned above, it is important to assume that a breach has either already occurred or that it’s only a matter of time until it will.
By planning for the worst-case scenarios, organizations can develop the necessary capabilities to detect penetration attempts and significantly improve responses associated with security breaches.
In other words: when the real attack happens, you will be ready and you will have the necessary muscle memory to confront the breach. Operating with this assumption will reshape detection and response strategies in a way that pushes the limits of any organization’s infrastructure, people, processes, and technologies: resiliency.

Prevention is a chosen action; reaction is a forced one.

One of the biggest benefits of understanding your adversary is that it takes much of the guesswork out of security solutions, controls and plans. As has been demonstrated and explained in previous posts on this blog, once an adversary has been researched and real-life attacks have been performed against the organization, it is much easier to begin understanding all types of attacks and the different adversaries.

Again, understanding, prevention and action bring resiliency.

Do it

Understanding the adversary will help create this resiliency. Real Red Teaming, together with adapting the plan and response measures, will ensure the survival of your business. Start thinking like an adversary, adopt the mindset of an open system that can adapt to the environment, and be ready for the next attack. It will happen.

Bringing in an advanced Red Team will jumpstart the process. Red Teams act like a real attacker, truly identifying where the controls break, providing a realistic view of how resilient an organization is.

Don't neglect to evaluate your controls in a realistic way.

Quote of the day

"Security prevention strategies and technologies cannot guarantee safety from every attack. Given today’s threat landscape, it is vital to acknowledge that a breach has either already occurred or that it’s only a matter of time until it will."

Welcome to the new version of the blog

Welcome everyone to the new version of the blog.

The old blog posts and the gear section have been archived and can be found under the archive menu on the top right.
In the new blog we’ll soon start adding new projects, more how-tos and posts focusing on the adversarial mindset. The idea is to bring this to all industries, not just the technical and physical security industries.

The forum is connected now to the blog, however we are still working on the backend code, so it might be a bit spotty. If you received a password you can go ahead and enter. You have to create an account after doing this.

Have a good one. More updates soon.

UPDATE: there is a bug on the login for the forum. We know about this and we are working to solve it. Stand by, as we are working remotely in between projects. Thanks!

Phases of a red team assessment: OPORD

The 5 phases of a Red Team assessment:
1: OPORD | 2: Recon | 3: Target ID | 4: Live run | 5: Report

Phase 1: OPORD

The Operations Order (OPORD) is a "directive issued by the leader to his subordinate leaders in order to effect the coordinated execution of a specific operation." The military five-paragraph format is used to organize the briefing, to ensure completeness, and to help subordinate leaders understand and follow the order.

In our case, an OPORD describes the project, the situation the team faces, the target, and what supporting objectives the team will have to achieve in order to be successful. It sounds complicated, but it's not. Essentially, it is a set of initial meetings where the team gets exposed to the project and supporting documentation or information is distributed to each member. Each team member begins to prepare the tools and techniques based on the information they have. The team begins to study the target and formulate the initial plan.

The way it works best is to have at least 2 initial meetings:

  • A meeting for the presentation of the project and initial brainstorming
  • A meeting 2 days later, after each team member has had the chance to incubate ideas and has a rough plan.

Depending on the timelines set for the project, those 2 meetings (3 if possible) will bring a lot of good ideas and questions that need answers.
Generally, the format/agenda for each meeting is standard and has shown over time to lead the team and their thinking in the right direction. This, of course, is not set in stone. You have to adapt to each project, but the following format is a good start.

First meeting

Talk about:

  • Situation: what the target is, where it is located, who the key players are, who requested the project and why, and information about their security capabilities.
  • Mission: what the project is, what objective needs to be achieved, who we are trying to mimic, when, where and how.
  • Execution: this is the initial "plan", what is expected by the team leader or the person that requested the engagement. It should include any rules of engagement (ROE).
  • Admin & Logistics: What tools are needed, what we currently have and what needs to be written (software/exploits/scanning) or bought (breaching gear, recon gear, etc).
  • Command and Control: who leads the project, comms, deployment of assets and standard operating procedures for everything.

Second meeting

Talk about:

  • Information already available on the target: perform a surface pass on OSINT just to have some data to begin with.
  • Ask questions that will allow for better planning and move RECON (the next phase) in the right direction. Ask: what is the history of the target, competitors (if relevant), top executives or commanders, main products or capabilities, simple atmospherics, social media and digital overall footprint (from the surface scan), initial apparent or known vulnerabilities.

This second meeting should conclude with a good idea of what needs to be done, the roles of each team member and a good estimate of the timelines. After this meeting, the team plans the recon. A third meeting, a sort of in-between-phases meeting, will be called, where the recon will be planned and set to go.

The OPORD phase should be short and very intense. Things need to be set carefully, but relatively fast. RECON, the following phase, will take a long time, and going into it unprepared will not work. Use Phase 1, OPORD, to set the team's mindset and energy in the right direction. Allow them to ask questions; have the senior guy in the team take over from the leader for a while. Also, if there is a member of the team that has more knowledge about the particular industry, mission, product or procedure, bring him/her up and listen. Leverage the team's strength.

Small teams work best. Practice this during this phase.

In the next post, we will see what's needed to plan RECON, why it is so important, and how to perform it.

Quote of the day

"Conflict can be seen as time-competitive observation-orientation-decision-action cycles. Each party to a conflict begins by observing. He observes himself, his physical surroundings and his enemy. On the basis of his observation, he orients, that is to say, he makes a mental image or “snapshot” of his situation. On the basis of this orientation, he makes a decision. He puts the decision into effect, i.e., he acts. Then, because he assumes his action has changed the situation, he observes again, and starts the process anew."

― William S Lind, Maneuver Warfare Handbook

Action Combo

The idea for this assessment came from one of the IT managers at this organization. She wasn't sure people were taking her training seriously, and she wanted to see whether our team could get inside the server room and walk out with a drive from one of their servers. Bonus points would be given if we could also take over at least one of the employees' laptops.

After a week of both physical and digital recon, we had solid information that allowed us to create a plan. It was going to be a combination of attacks on all fronts: physical, digital and social.
We learned 3 key things during the recon: the back alley of their main building had no camera, the service door there was guarded by a single padlock, and their fire command system (as per the information online) would make the doors "fail open" when it was being reset.

The following week, in the middle of most employees coming in, I walked very casually around the building, on the phone "on an important call that needed a little quiet", and reached the service entrance at the back. There, without anyone looking, I picked the padlock and went into the building. A few minutes later, another guy from the team came by the door and locked the padlock again. Nothing to see... Move along... Any roaming guard would see all as usual.
Once inside, I put my fake badge on my belt and, dressed in a suit and tie, began walking. After checking the ground floor and going 2 floors up, I found a room filled with racks of servers, routers, and other network devices. Of course it needed badge access. OK, time for the social attack. I called another guy from the team who was waiting by a cafe a few blocks away.

In the meantime, no one challenged me. I was dressed in a suit and tie, I had a laptop with me and a pad of paper where I had made some quick diagrams (that said nothing, but looked very official). A few guys said hello with a smile, and one even helped me get a coffee in the small kitchen on the floor.

When R arrived at the front desk, he was dressed in a very convincing fire department uniform. He talked to the security guard and told him that the fire command box was sending alerts to them every 30 min or so, that clearly all was good at the location, but that he needed to see the fire command system. The guard walked with him to the security office and opened the fire command box. After a few minutes, R dialed a number on his cellphone (I answered) and said: I think it's all good, we might need to reset the box. Let me know if you see the reset on your end.
He asked the guard to insert his key in the box and turn it, and R hit the reset control. It took a few seconds for the box to go down and reboot. He talked to me on the phone: box was reset, can you see it? At that point, all the doors on the floor popped open. I walked into the server room and said: I'm inside. Let it boot all the way.
R thanked the guard with a smile and, while walking away, commented on the football game for a few minutes. The guard was wearing a football hat and by doing this, he was making the guard feel at ease. An extra step to make sure he wasn't going to get suspicious.

Now I needed to find a drive to remove, and I needed to find a way to "own" one of the laptops. The disk was easy, some of the racks had hot-swappable drives. I searched for one that was labelled "backup" and took it.

The next thing was to find a way to get a laptop. This was done, again, by exploiting the helpful nature of humans. I walked to one of the desks in front of a closed-door office. These desks are usually occupied by assistants to execs or directors. I found there a mid-40s lady, very well dressed and with a "great hairdo". I commented, just passing by, how beautiful she looked and that it must have taken her a while to get her hair so good. She smiled a big smile and told me ALL about it. We were having a good chat here. Just as I was leaving, I asked her: I'm having trouble accessing my PowerPoints on my computer. I don't know whether it's my computer or the thumb drive. Any chance I can check on yours one second?
She smiled and allowed me to kneel by her side, accessing her laptop. I plugged in the USB drive and opened it on her computer. I saw my PowerPoint, opened it, but it was greeted by a "corrupted file" error. So, I told her thank you and that it was clear my drive was bad. Meanwhile, behind the scenes I now had a backdoor to her laptop. A simple reverse shell that was trying to connect to a specific IP, disguised as an HTTP request. I walked away, smiling and waving goodbye.

Back in the office, the guys were receiving a shell.

Boom. We got them.

So, this one went smoothly. Proper planning prevents piss poor performance. The recon, the fact that the company leaked so much of their digital footprint online (from vendors to what software they were using), and a good solid plan that attacked the 3 fronts at the same time, allowed us to really go in and succeed.
It's not this easy most of the time. You have things not working, you have people getting suspicious, you have security controls, and a million other things. However, sometimes... Well, it just works.
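The backdoor in the story above called out to a fixed IP on a timer, dressed up as ordinary HTTP. From the defender's side, that regularity is the tell: a person browsing produces bursty, irregular requests, while an implant calling home produces near-constant gaps. The following is an added example, not the team's tooling or anything from the original post, showing how a blue team can flag that pattern in proxy logs. The log format and all addresses are constructed for the example; real proxies log more fields, but the (timestamp, client, destination) triple is all the detector needs.

```python
"""Flag periodic outbound HTTP connections (beaconing) in proxy logs.

Added example with a constructed log format: "<ISO timestamp> <client> <destination> <method> <path>".
The detector groups requests by (client, destination), computes the gaps between
consecutive requests, and flags pairs whose gaps are both numerous and regular.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines, not from any real environment. 10.1.4.23 browses a
# news site irregularly but also hits 203.0.113.9 once a minute with tiny jitter.
SAMPLE_LOG = """\
2017-10-05T09:00:00 10.1.4.23 203.0.113.9 GET /update/check
2017-10-05T09:00:02 10.1.4.23 198.51.100.20 GET /news/index.html
2017-10-05T09:00:03 10.1.4.23 198.51.100.20 GET /news/style.css
2017-10-05T09:01:00 10.1.4.23 203.0.113.9 GET /update/check
2017-10-05T09:02:01 10.1.4.23 203.0.113.9 GET /update/check
2017-10-05T09:03:00 10.1.4.23 203.0.113.9 GET /update/check
2017-10-05T09:03:41 10.1.4.23 198.51.100.20 GET /news/article?id=7
2017-10-05T09:04:00 10.1.4.23 203.0.113.9 GET /update/check
2017-10-05T09:05:00 10.1.4.23 203.0.113.9 GET /update/check
2017-10-05T09:12:17 10.1.4.23 198.51.100.20 GET /news/article?id=9
2017-10-05T09:00:30 10.1.4.77 198.51.100.20 GET /news/index.html
2017-10-05T09:07:12 10.1.4.77 198.51.100.20 GET /news/article?id=3
"""


def parse_log(text):
    """Yield (timestamp, client, destination) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _method, _path = line.split(maxsplit=4)
        yield datetime.fromisoformat(ts), client, dest


def find_beacons(text, min_requests=5, max_cv=0.2):
    """Return {(client, dest): (request_count, mean_gap_seconds)} for regular talkers.

    max_cv is the allowed coefficient of variation (stdev / mean) of the gaps.
    0.2 tolerates the small jitter an implant adds to its sleep timer, while
    human browsing typically scores well above 1.0 and is left alone.
    """
    times = defaultdict(list)
    for ts, client, dest in parse_log(text):
        times[(client, dest)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue  # too few samples to call the gaps regular
        stamps.sort()  # logs are not guaranteed to arrive in order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = (len(stamps), avg)
    return beacons


if __name__ == "__main__":
    for (client, dest), (count, gap) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: {count} requests, one every ~{gap:.0f}s")
```

On the constructed sample only the 10.1.4.23 to 203.0.113.9 pair is flagged (6 requests, 60 s apart); the news-site traffic has too few requests and, over a longer window, far too irregular a rhythm. In production, raise `min_requests` to cover at least an hour of the slowest interval you care about and run the check per day, since a low-and-slow implant hides easily in a short window.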

Phases Of A Red Team Assessment - Revisited

Back in 2014, a question from a reader asked about the different phases of a Red Team assessment / engagement. Then we listed 8 phases.
These phases were, of course, based on our own experience, and a generic list. Each engagement is different, however having a list to begin the process and have a good visual map of what is needed, is a good thing.
During the last couple of years, we narrowed the phases down to 5:

Phase 1: OPORD

The Operations Order (OPORD). An OPORD describes the project, the situation the team faces, the target, and what supporting activities the team will have to carry out to achieve its objective.
In this phase, the team gets exposed to the upcoming project or operation. The initial information about the target and the scope of the assessment are dumped and the team members begin to prepare the tools and techniques based on the information they have. The team begins to study the target and formulate the initial plan.

Phase 2: Recon

This phase is the most important one: do it right and the project will most likely succeed. A good team can then ID the targets quickly, modify the plan accordingly, adapt the tools and finish the project.
During this phase the team observes the target and learns about it. Physical and digital surveillance are performed, as well as open source intelligence gathering. The physical, digital and social footprints of the target are mapped and analyzed. At the end of this phase there is a clear view of the possible vectors of attack. Usually, during this phase, all activities are passive; however, in some cases, when the target is open to attack, a more active scan/surveillance is performed.

Phase 3: Target ID

During the Recon Phase, the team identified the possible options for an attack. In this phase each option is further analyzed and a plan of attack is crafted. On the digital side, a deeper scan is performed and exploits are identified. On the physical side, more information about security measures and controls is sought out. Social engineering calls are made and phishing mails are sent. Dry runs, if any, are performed during this phase too. In many cases, custom tools are written to exploit a specific vulnerability or to provide support for penetration and data exfiltration. This is a more active phase.

Phase 4: Live Run

Phase 4 is the Go! phase. Armed with all the knowledge and tools, the team executes the assessment for real. Whether a digital intrusion or a physical infil, the team tries to get inside. Once in, the team begins lateral movement and smaller versions of Phases 2 and 3 happen again. Important targets are identified within the primary target and these are exploited as well. Backdoors and further persistence are set up and data exfil channels are opened.
Once the team is inside, it tries to exfiltrate data and also exploit targets of opportunity. Once all this is done, the point of contact that set up the assessment is notified.

Phase 5: Report

The assessment is over. This phase is used to clean anything left behind and analyze all that was done. Findings are reported to the point of contact, and a debrief meeting is set.
The final report writing begins. This is the sucky part. Report writing happens after the endless cries from the point of contact.

The Red Teamer's Bookshelf 2017 edition

It’s been a couple of months since we first announced that Red Team Journal, redteams.net, and OODA Loop would be compiling the latest “Red Teamer’s Bookshelf” jointly. For those of you who’ve been waiting, the list is finally here. It’s larger than previous years, so we’ve organized the titles by category (and yes, some of these titles would fit in more than one category). The titles address a range of red teaming activities and skills, with a noticeable increase in special operations books this year. Thank you to everyone who submitted titles.

Here's the list.

Focusing on the goal

I've experienced plans going wrong many times during the several years I've been Red Teaming. Sometimes because of poor planning, other times because the real world always has the last word, especially when Mr. Murphy is along for the ride - and he always is.

Over the years both experience and mental resilience have taught me to assess the situation and adapt the original plan, go to a plan B or just work without a plan. While in the field, ideally you’d be looping through 4 steps constantly:

  1. Understand the problem (in this case what caused the plan to not work)
  2. See the solution (how do I solve this in a simple, fast and reliable way)
  3. Communicate the new plan (to your team or to you, mentally saying the plan helps red team the issues)
  4. Execute it

However, while doing this you have to keep in mind the goal of the mission, assessment or engagement. It is very easy to lose focus of the goal. An instructor at one of the schools I attended while in the military always told us to focus on the end goal, no matter how bad it was. Mission came first, and if the mission was to recon a target and gather intel then that should be the focus. All our planning was geared towards achieving that mission. Once we had that, then the rest (kit, transport, alternative exfil points, etc.) would cascade from there. Remember Rule 16: Target dictates the weapon and the weapon dictates the movement. The goal comes first. It is what you are planning for.
It is very easy to lose focus of this when the conditions in the field are chaotic, or not as expected. We tend to focus on the things in front of us, and while these are often pressing and more important (sometimes life or death), once we solve the immediate problem, we need to go back to the original mission.

The best way I found to do this is adding the following to the steps described above: 0. What is the goal.

So, identify the goal, identify the problems preventing you from achieving the mission, find a solution (don’t forget: the solution is in the problem), communicate that solution and execute it. If it didn’t work, or a new problem arises, start again, but always keeping the question what is the goal as the first step. This will keep you focused on your mission.

Offensive security? Yes.

Some people don’t see the benefits of Red Teaming until you show them. Offensive security is not something organizations are often willing to undertake, but sometimes it is the only way to really find out who is after them.
This was the case for one of our customers. We ran a Red Team engagement for 3 months, we showed them what their competition and other adversaries can do to get to their IP (Intellectual Property) and, while doing so, we uncovered signs of an ongoing exfil of data.

Once we presented the findings, including the possibility of the bad guys already being inside and extracting information, their CTO asked us if we could help their security department find out what/when/how/who. After some discussions with the CTO and the CSO, we mentioned the need for offensive security, or as they put it, to hack back. Well, I hate that term, hack back. Offensive security is not that, but good luck trying to explain this to execs that don’t really understand security in the field. We tried to walk them through the many possibilities of offensive security, we tried to explain that there’s nothing wrong with trying to go after the people already inside their network in a more pro-active way. They brought in the legal department… Things got more complex…

After about a week of discussions, during which the attackers might have still managed to exfil information, even after we told them what to block (if these were good attackers, they would have contingency routes and access, so I was still convinced they were active), we went nowhere. On the way out, their CSO grabbed me and told me that he would arrange for us to come on-site, covertly as he called it, and do our thing from within. The idea was that he would bring us in as a group of contractors working on a network issue, and while we were there we would investigate and attack back (again, his words). We were happy to oblige.

It took 10 days, but we figured out a pattern. The bad guys were good and were covering their tracks (we discovered some IP addresses, but they were just not their real ones), but they were after a specific kind of data. So, we set a trap. We set a bunch of weaponized Office documents, along with some fake developer environment systems that had some extra monitoring in place. These systems also had a particularly vulnerable version of Apache and PHP, making it an attractive target for lateral movement for the attackers.
Meanwhile, in our office, we had a bunch of listeners to see if any of the weaponized documents managed to drop our attack code and get us a way in.
While we discussed the findings with the CSO and his VP of security, we agreed to temporarily pull the real data the adversaries were going after and slowly replace it with fake data and some watermarks. This way we could also track that data if it would appear on some competitor’s site, or news site, etc.

Anyway, 3 days later, we had a ping. One of our listeners emailed us. We had a shell. A day later 2 more. At the end of the week we had all of them pinging home.

Now we needed to move fast. While I did the recon on where we were and possibly who they were, JD tried to get some redundancy (extra ways in, just in case) and uploaded some really nasty code to bring the guys down if we needed it. I uploaded our digital drone and set it to discovery mode. In this mode, the drone only maps the network and reports back any targets of interest, such as DBs, web servers, domain controllers, network devices, email servers, etc. It’s really fast and surprisingly nimble and quiet. Hard to detect unless you know what you are looking for.
Within the hour we already had an idea that this was a simple setup; it seemed like a bunch of laptops (based on their MAC addresses) connected by a wireless router. We also had a possible real IP and geolocation of the bad guys. Z ran a bunch of searches on this IP and locale and we compiled a brief of all we knew for the CSO.
In the meantime, some of the fake information we dispersed began to appear on a forum in Asia and on some download sites. While these are hard to crack to get who the users uploading the info were, it was an indication that these people were after just money, not really damaging our customer. So, we added that to the brief.

With all this information, the CSO briefed the legal department and they decided to get law enforcement involved. However, they asked us to bring these guys down and help reconstruct what happened to help the forensics team sent by the LE.

So, we did.
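One detail in the post above is purely defensive and worth spelling out: the real data was swapped for fake data carrying watermarks, so that when copies surfaced on a forum they could be recognized and traced. The following added example, not the team's code or anything from the original post, shows one way to build that. Each decoy placement (the same fake document planted on two different systems counts as two placements) gets a watermark derived from an HMAC over a placement id, so a watermark found in the wild can be checked against the registry and mapped back to exactly where it was planted, and a made-up tag does not resolve to anything. The key handling, the `REF-` reference-line format and the placement ids are assumptions made for the example.

```python
"""Watermark decoy documents so a leaked copy identifies where it was planted.

Added example. A watermark is "REF-" plus the first 16 hex digits of
HMAC-SHA256(key, placement_id). Because it is keyed, an outsider cannot
forge a tag that resolves to a real placement, and because the registry
records every issued tag, a leak scanner can map a sighting back to the
system and dataset it came from.
"""
import hashlib
import hmac
import re
import secrets

# Assumption: in practice the key comes from a secrets store and is backed up;
# it is generated in-process here so the example runs offline. Losing the key
# means previously issued tags can still be looked up, but no new ones match it.
WATERMARK_KEY = secrets.token_bytes(32)

TAG_PATTERN = re.compile(r"REF-[0-9A-F]{16}")


class DecoyRegistry:
    """Issues watermarks for decoy placements and resolves leaked ones."""

    def __init__(self, key):
        self._key = key
        self._placements = {}  # watermark -> human-readable placement description

    def tag_for(self, placement_id):
        """Deterministic keyed tag for a placement id (e.g. 'devbox-03/roadmap.docx')."""
        digest = hmac.new(self._key, placement_id.encode(), hashlib.sha256).hexdigest()
        return "REF-" + digest[:16].upper()

    def plant(self, placement_id, description, body):
        """Record the placement and return the decoy text with the watermark embedded.

        The tag is appended as a plausible-looking document reference line so it
        survives copy-and-paste; a real deployment would also embed it in file
        metadata or in record-level fields of a fake dataset.
        """
        tag = self.tag_for(placement_id)
        self._placements[tag] = description
        return f"{body}\nDocument reference: {tag}\n"

    def resolve(self, leaked_text):
        """Return [(tag, description)] for every genuine watermark in the text.

        Unknown tags are ignored: they are either forged or from another registry.
        """
        hits = []
        for tag in sorted(set(TAG_PATTERN.findall(leaked_text))):
            if tag in self._placements:
                hits.append((tag, self._placements[tag]))
        return hits


if __name__ == "__main__":
    registry = DecoyRegistry(WATERMARK_KEY)
    # Constructed decoy body; the same fake roadmap is planted on two systems so
    # that a leak tells us which one the intruders reached.
    body = "Q1 product roadmap (constructed decoy content)"
    copy_a = registry.plant("devbox-03/roadmap.docx", "fake roadmap on decoy dev box 03", body)
    copy_b = registry.plant("fileshare/eng/roadmap.docx", "fake roadmap on engineering share", body)
    sighting = "found on a paste site:\n" + copy_b
    print(registry.resolve(sighting))
```

Resolving the sighting in the usage block returns only the engineering-share placement, even though both copies contain identical body text, which is the whole point of watermarking per placement rather than per document.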

Mandatory Books

A while back a reader asked me for a list of MUST READ books. While I was compiling a list from our bookshelf, it occurred to me that, a lot of the guys in the Team haven’t read some of these books. So, after talking to them, I decided to make them mandatory reads.

Here’s the list: