"In all affairs it’s a healthy thing now and then to hang a question mark on the things you have long taken for granted. Many people would sooner die than think. In fact, they do."
-- Bertrand Russell
Red Teaming is the art of thinking like the adversary, finding out what that adversary would do, and doing it before they have the chance. In doing so, red teamers help build resiliency and create an overall more secure organization.
There are a few things you should consider when you begin to engage a new project, or while deep into an assessment. These things can be applied to all domains of Red Teaming, from digital to physical to human.
Gathering intelligence is essential for understanding your target and to guiding actions and behaviors. Learn your target, its industry, its people, and its competitors, and have a means to understand their real-time digital/physical behavior. Then make a plan.
Most plans and field actions fail because of a lack of visibility or understanding of what's happening in the field. The environment was not fully analyzed, the target's third-party providers were not taken into account, the new leadership approach was not understood... In short, the information and potential problems were not analyzed and developed.
During your planning, make sure you don't ignore what the environment is giving you: do your homework, perform a situation analysis, run that extra OSINT and get your facts right.
Without data to inform you about your progress, success, and direction, you will not be able to tell whether you are succeeding or not. Use ACTE:
Once you loop, address your problems based on the data, re-orient, and execute.
Before every project or assessment, or even training, you need to spend hours, if not days, planning and preparing for every scenario that might come up. This is key if you are to be successful. However, as we all know, Mr. Murphy is always present, and things will not go as planned. That's ok: the time spent on planning helps you react better and faster when unplanned situations materialize. The more you plan, the more of an SOP (Standard Operating Procedure) you have, and the more you can fall back on what worked in similar situations in the past. Things repeat themselves.
Rule 4. You know plan A will more than likely fail, or the reality in the field will force it to be re-arranged or dropped altogether. Having a plan B is a default in any red team assessment. Always plan for this: understand the threats and risks, address them, and make a plan B. Always have a PACE (Primary, Alternative, Contingency, Emergency).
Every system can be defeated by understanding its weak point and attacking it with full force. The same applies to people and physical targets. If you think of everything as a system that has vulnerabilities, it will get your mind in the right place. Scan your target as if you were a sniper: from far to close, then close to far; then left to right, and right to left. Create a grid and walk it, making sure you analyze and collect all information.
The weakest areas are usually the joints: where two networks connect, where one area of responsibility ends and another begins, and so on. The most vulnerable areas, those most likely to be exploited, are where two things connect. There is no such thing as a seamless connection. Seek those areas and attack them.
Things can get too big to understand. Huge networks, huge numbers of systems, unknown variables, too many people to phish, and unpredictable situations. It's easy to get overwhelmed. You need to be able to separate the signal from the noise, focus on what's relevant and discard the rest. Identify the critical areas of your target and focus on those first. Then work down to smaller and smaller pieces, until you find the vulnerabilities to exploit.
You might have the perfect plan. Your team is ready and you have found the right things to exploit. If you fail on the execution, then it's all worthless. Do a dry run. Run your plan and your contingencies. See what breaks and what can go wrong. Get ready to execute to the best of your capabilities.
Real-world security teams often lack the time to engage in deep red teaming. We get it, so here’s a set of quick, back-of-the-envelope red teaming drills you can run while running from one crisis to the next.
— Mark Twight
Apply this mindset to security. Become resilient! By training to be harder to kill, you are making your organization more prepared and more resilient to real-world attacks.
(via The Angry Red Teamer)
I can't remember who recommended The Ellipsis Manual: Analysis and Engineering of Human Behavior, by Chase Hughes, to me, but this is a book every red teamer should read.
This is a highly detailed book on people. Whether you are trying to social engineer someone, or recruit them as part of your insider threat plans, you need to understand people first.
Make sure you have a pen with you to highlight some of the content; you will find yourself going back to read what you highlighted many times.
Ten meters away from the main entrance, there was a big metal box with wires going into it. The door to the container had a simple lock and we figured, well, that was the way into it.
At this point we had done the day and night time recon, and we were familiar with the patterns of life and atmospherics of the place. The container, at this time of the night, was not monitored, and there were no lights near it. We could remain fairly undetected while we picked the lock.
It took JS about a minute to get the lock open. Once the door began to move, we entered the container with ease. Inside there was an arrangement of control boxes, monitors and computers that provided the status of the main UPS (uninterruptible power supply) units and controlled their operation. We were now inside one of the 2 big UPS's for this complex, and after doing our recon, we had found this to be one of the biggest vulnerable points. We could now work quietly and hidden, and gain access to the customer's network via their remote access to the UPS.
This was possible thanks to the recon we performed over 10 days. As we've mentioned many times, good recon will likely determine the success of the project. Spend time learning your customer, understanding their environment, their industry, the key players in that industry and how they affect your customer. Understand the technology they use. And most importantly, understand their people: their mindset and motivations.
Comb the internet for information, spend time observing and collect. Connect the dots.
After a couple of hours inside the UPS container, and given that we knew the software that was running on the servers there, we were able to gain SYSTEM access, and prepare a few pieces of malware that would be spread throughout the network and allow us to gain further access. We exited, closed the door and slowly walked out to the perimeter fence, passing under a security camera that was pointing in the wrong direction, and out to the parking lot. A fast walk for about 200 meters and we were in the next building. A factory that was pretty empty at this time of the night.
We sat in our car, and as the sun was beginning to come up, we watched the early risers arriving at work. We had Z and GY in the office waiting for any connection back during the day. So, our work was done. Now coffee.
The project was successful. The IT people ran the usual tests on their UPS, and when they connected to the server inside the container, a little dropper installed a piece of malware on the IT engineer's computer. From that point onward, we managed to secure multiple access points to their network.
As a final note, and after securing the "OK" from the security director at this company, we shut down one of the UPS's and displayed on all server console screens a message saying: The Red Team was here - all your data are belong to us.
So, spend time doing recon. Spend time getting to know the place. In some cases, recon goes hand in hand with site casing. It can help you find observation points (OPs) and exit routes, and create 2 or more escape plans. Spend time observing. Collect. Learn.
-- Mark Mateski, Red Teaming: Closing The Gaps
So, here's the thing. Sometimes plans are necessary. The complexity of the project can only be tackled by sitting down and creating a good plan. It's the only way to deal with all the moving parts.
Other times... well, red team it. You go in like you belong. You find the one thing that gives you access. You exploit that and you gain the needed foothold.
All you need is the right tools.
Right mindset + right tools + practice = Getting in.