Filtering by Category: Fieldcraft

Getting in

So, here's the thing. Sometimes plans are necessary. The complexity of the project really can only be tackled by sitting down and creating a good plan. It's the only way to deal with all the moving parts.

Some others... Well, red team it. You go in, like you belong. You find the one thing that gives you access. You exploit that and you gain the needed foothold.

All you need is the right tools.

Right mindset + right tools + practice = Getting in.


Playing the Part

Over the years I've found several techniques that, no matter how well trained the security personnel of a corporation are, tend to work one way or another.
In this case "the angry executive speaking in another language on a cellphone".

I've used this many times and with good results. After researching the target a bit, learning what the baselines are in terms of dress code for the top executives and the diversity of the employees, coupled with the atmospherics of the location and its patterns of life, you can put together a very credible "employee from another office" act.
The idea is to show both that you belong there and that you are coming in specially from another location. It causes whoever happens to be in front of you to be a little more sympathetic.

In one particular case, I was outside, on the street, by the booth guarding the entrance to the underground parking. The guard was looking at me. I was wearing the proper suit and tie, with a fake, though very realistic, badge clipped to my jacket's pocket. On cue, another guy from the team called my cellphone. I answered in English and switched to another language. I became more and more agitated as the minutes passed. The guard kept an eye on me. I made it a point to walk back and forth by the booth and give him consternated looks. He began giving me small smiles... And after about 20 min, he lost interest in me, having seen my badge and sensing that I belonged there.
Once I saw that, and still arguing on the phone, I slowly began walking towards the parking. Going down the ramp step by step, still on the phone, still gesticulating and never looking back at the guard. I belong there, right? I wouldn't worry about the guard.

Boom. I was in. I was freely walking on the underground parking.

Next was to get inside the building. My badge was a good copy, but it wouldn't open the door from the underground parking to the elevators. So I stood there, still angry on the phone, until 5 min later someone came back to his car. As he walked by me, I gave him a smile as I walked in. He never questioned me. So... Now I was really in.

After that it was just stuff, but once you understand the environment and know how to play the part... It's just a matter of time.

Phases of a red team assessment: Recon


Recon, reconnaissance. This phase is the most important phase. If you do it right, it will most likely end in the success of the project. A good team can ID the targets quickly, modify the plan accordingly, adapt the tools and finish the project successfully.


Focusing on the goal

I've experienced plans going wrong many times during the several years I've been Red Teaming. Sometimes because of poor planning, some others because the real world always has the last word, especially when Mr. Murphy is along for the ride - and he always is.

Over the years both experience and mental resilience have taught me to assess the situation and adapt the original plan, go to a plan B or just work without a plan. While in the field, ideally you'd be looping through 4 steps constantly:

  1. Understand the problem (in this case what caused the plan to not work)
  2. See the solution (how do I solve this in a simple, fast and reliable way)
  3. Communicate the new plan (to your team, or to yourself; mentally saying the plan helps red team the issues)
  4. Execute it

However, while doing this you have to keep in mind the goal of the mission, assessment or engagement. It is very easy to lose focus of the goal. An instructor at one of the schools I attended while in the military always told us to focus on the end goal, no matter how bad it was. Mission came first, and if the mission was to recon a target and gather intel then that should be the focus. All our planning was geared towards achieving that mission. Once we had that, then the rest (kit, transport, alternative exfil points, etc.) would cascade from there. Remember Rule 16: Target dictates the weapon and the weapon dictates the movement. The goal comes first. That is what you are planning for.
It is very easy to lose focus of this when the conditions in the field are chaotic, or not as expected. We tend to focus on the things in front of us, and while these are often pressing and more important (sometimes life or death), once we solve the immediate problem, we need to go back to the original mission.

The best way I found to do this is adding the following to the steps described above:

  0. What is the goal?

So, identify the goal, identify the problems preventing you from achieving the mission, find a solution (don't forget: the solution is in the problem), communicate that solution and execute it. If it didn't work, or a new problem arises, start again, but always keeping the question "what is the goal?" as the first step. This will keep you focused on your mission.

Offensive security? Yes.

Some people don't see the benefits of Red Teaming until you show them. Offensive security is not something organizations are often willing to undertake, but sometimes it is the only way to really find out who is after them.
This was the case for one of our customers. We ran a Red Team engagement for 3 months, we showed them what their competition and other adversaries can do to get to their IP (Intellectual Property) and, while doing so, we uncovered signs of an ongoing exfil of data.

Once we presented the findings, including the possibility of the bad guys already being inside and extracting information, their CTO asked us if we could help their security department find out what/when/how/who. After some discussions with the CTO and the CSO, we mentioned the need for offensive security, or as they put it, to hack back. Well, I hate that term, hack back. Offensive security is not that, but good luck trying to explain this to execs that don't really understand security in the field. We tried to walk them through the many possibilities of offensive security, we tried to explain that there's nothing wrong with trying to go after the people already inside their network in a more pro-active way. They brought in the legal department... Things got more complex.

After about a week of discussions, during which, all the while, the attackers might have still managed to exfil information even when we told them what to block (if these were good attackers, they would have contingency routes and access, so I was still convinced they were active), we went nowhere. On the way out, their CSO grabbed me and told me that he would arrange for us to come on-site, covertly as he called it, and do our thing from within. The idea was that he would bring us in as a group of contractors working on a network issue, and while we were there we should investigate and attack back (again, his words). We were happy to oblige.

It took 10 days, but we figured out a pattern. The bad guys were good and were covering their tracks (we discovered some IP addresses, but they were just not their real ones), but they were after a specific kind of data. So, we set a trap. We set up a bunch of weaponized Office documents, along with some fake developer environment systems that had some extra monitoring in place. These systems also had a particularly vulnerable version of Apache and PHP, making them an attractive target for lateral movement for the attackers.
Meanwhile, in our office, we had a bunch of listeners to see if any of the weaponized documents managed to drop our attack code and get us a way in.
While we discussed the findings with the CSO and his VP of security, we agreed to temporarily pull the real data the adversaries were going after and slowly replace it with fake data and some watermarks. This way we could also track that data if it appeared on some competitor's site, or news site, etc.

Anyway, 3 days later, we had a ping. One of our listeners emailed us. We had a shell. A day later 2 more. At the end of the week we had all of them pinging home.

Now we needed to move fast. While I did the recon on where we were and possibly who they were, JD tried to get some redundancy (extra ways in, just in case) and uploaded some really nasty code to bring the guys down if we needed it. I uploaded our digital drone and set it up in discovery mode. In this mode, the drone only maps the network and reports back any targets of interest, such as DBs, web servers, domain controllers, network devices, email servers, etc. It's really fast and surprisingly nimble and quiet. Hard to detect unless you know what you are looking for.
Within the hour we already had an idea that this was a simple setup; it seemed like a bunch of laptops (based on their MAC addresses) connected by a wireless router. We also had a possible real IP and geolocation of the bad guys. Z ran a bunch of searches on this IP and locale and we compiled a brief of all we knew for the CSO.
In the meantime, some of the fake information we dispersed began to appear in a forum in Asia and on some download sites. While these are hard to crack to find out who the users uploading the info were, it was an indication that these people were after just money, not really damaging our customer. So, we added that to the brief.

With all this information, the CSO briefed the legal department and they decided to get law enforcement involved. However, they asked us to bring these guys down and help reconstruct what happened to help the forensics team sent by the LE.

So, we did.


I'm writing this as we finish the after action review (AAR). We began the environmental recon for a new project. Five of us spent the last 7 hours around the customer's area and buildings trying to learn as much as possible. This will be repeated several times in order to learn any patterns. The same was already done during office hours.

Fortunately, we have a visiting friend, a retired recce guy from the UK, and he brought some invaluable analysis of our plans and provided us with some great ideas. This is why it's always good to have an outsider help you red team the plans. Especially someone with experience in the field.
Originally we were going to move from one point to the next and observe; however, our friend suggested that we leave 1 team member in a fixed position, overlooking the entire target, and then split the other 4 into two 2-man teams that can move more fluidly around the area, reporting back to the person overlooking it all. This way, he can paint a good overall picture of the environment. It was a great idea and it worked great.

During the AAR, our friend really made us walk through all the recon, making sure the things we saw that were different were noted for further observation the next time we went out.

So, as always, it is great to learn new things. This was a simple suggestion, but one that made complete sense and made our recon more fluid and better.

Patterns of life

Sometimes the boundaries of an engagement or operation are very vague and your team finds itself having to cover a large "area of operations": too many people to track, too many sites to learn, too many servers to scan and too many different technologies to learn. It can make your team freeze, not knowing where to begin.

One way we found useful is to focus on learning your target by drilling down on what or who is important for the target. This is key to better simulating their adversary. Concentrating first on the people will provide a better view of the organization, even the digital side. More specifically, learning who is important and has the keys to the gates, so to speak, will play a big part in achieving your goal.

This is where patterns of life come into play. Patterns of life is essentially learning how people go about their lives in a certain location, understanding their habits or what's "normal" and what's not. Once you see these patterns you can begin creating a picture of what's important and begin setting priorities. You can quickly shift focus to the people that will give you a better chance of penetrating your target, understanding a plan or the reason behind it.

Focus on the people, their patterns of life, their social landscape, and make a plan.