Filtering by Category: Red Teams

Keeping Engagement Data Secure

One of the things I think is crucial during an engagement is keeping the information about your customer or target, and the information you extract from them, secure. You need to keep both their privacy and their security tight. In the case of a customer, the data you extract belongs to them, and it may contain highly confidential information. It is extremely important to handle this information as securely as possible.

Project Name and Customer Name

One thing I like to do is to give each customer a codename. This allows me to talk about the customer to another member of the team in a semi-open location (an office, or on the phone) without disclosing who the customer is.
This is also useful if you are sitting with another customer and a call comes in. You can talk about certain things while only referring to the customer by its codename. This way you keep each customer's privacy and OPSEC. Unless specifically allowed to use a customer as a reference, you should never mention customer names.

The same can be applied to projects within a certain customer. As you may have yearly projects, or even different projects with the same customer, having codewords for projects will help you keep the data organized. It will also help compartmentalize this data. Often you can get a project within a customer that requires your team members to have a security clearance, for example. Those that have no security clearance, and therefore are not part of this project, shouldn't have access to it. This includes the client name and the project name. So, sometimes within the team you can benefit from having a codeword for projects.

Both customer and project name compartmentalization are part of OPSEC, and you should decide what is applied and how.

Project Data

Project data includes scan results, OSINT dumps, captured email addresses, credentials, and exfiltrated data, among other things. Anything that is collected from and about the customer or target should be considered sensitive data.
Efforts should be put in place to keep that information secure. Personally, I do a combination of things. I use:

  • A per-engagement external USB backup drive
  • A per-engagement USB thumb drive
  • A per-engagement, completely wiped and re-installed laptop

I store all the data about and from the customer or target encrypted on the backup drive. I might dump all the data at the end of the day, or I might copy it as I find it, but all data ultimately goes there.
If I need to use a USB thumb drive, I use only the one assigned to this project (as much as possible; exceptions will occur). Again, data copied to it will be copied to the backup drive at the end of the day.

At the end of the engagement with a customer, and after the report is done and briefed, I usually ask the customer if he wants to keep his data, or whether he would rather I keep it or destroy it. Since it is all stored in one place, it is easy to destroy or to store safely in a secure location. And if the customer chooses to get his data back, as is his right, it is easy to transfer it to him.

In cases where data comes from a target, having it all sorted and encrypted on one drive allows for better storage and easier transfer to law enforcement or other organizations.

End of Engagement

At the end of the engagement, it is important to wipe the laptop clean and re-install a fresh operating system and software. Be ready for the next engagement.

Question from a Reader: Building a Red Team

Question:

How would you build a red team? What positions would you create?

Dan and I talked about this on Episode 3 of the Red Team Podcast, but maybe this question warrants going a little deeper.

The Red Team

Usually a good Red Team, as we think of it, is composed of two very distinct sub-teams: the Operational Team and the Support Team.

The Operational Team is usually forward deployed, whether performing physical reconnaissance or open source intelligence, actively trying to get into things, or on the phone working the social engineering angle. They are the people that learn the target, research the possible adversaries, help identify the vulnerabilities and define the plan of action.
The Support Team, on the other hand, usually stays back, whether at the office listening for shells coming back, monitoring radio, providing access and intelligence to the Operational Team, or coordinating with the customer if needed.

One thing to note is that the Team Leader moves between the two sub-teams; however, most often - in our case at least - he or she is on the Operational Team.

The Operational Team

As we mentioned, the Operational Team is in charge of recon, identifying the weaknesses, and executing the plan. Members of this sub-team take different roles based on their strengths. Though the team composition might vary with each engagement, it is a good idea to cross-train each person with another, thus having redundancy.

Usually the Operational Team members include:

  • Physical security expert
  • Digital security expert
  • Surveillance and recon expert
  • OSINT expert
  • Security generalist (someone that can fit in either position)
  • Team Leader

The Support Team

This sub-team takes care of all the needs of the team while things are happening. They provide an extra set of eyes when needed, they perform the initial recon once a foothold on the network is gained, they execute further exploits and gain persistence on other systems, they identify more targets and, generally speaking, they are in charge of connecting the dots and of the Find, Fix and Analyze parts of F3EAD.

Usually the members are:

  • Digital security expert
  • Exploitation and code writing expert
  • System and networks expert
  • Physical security countermeasure expert
  • Main planner

Again, in both cases individual team members have to cross-train in multiple areas of responsibility, covering for each other, and often rotating between those two sub-teams.

Phases of a red team assessment: Recon

PHASE 2: RECON

Recon, reconnaissance. This is the most important phase. If you do it right, it will most likely end in the success of the project. A good team can ID the targets quickly, modify the plan accordingly, adapt the tools and finish the project successfully.


Phases of a red team assessment: OPORD

The 5 phases of a Red Team assessment:
1: OPORD | 2: Recon | 3: Target ID | 4: Live run | 5: Report

Phase 1: OPORD

The Operations Order (OPORD) is a "directive issued by the leader to his subordinate leaders in order to effect the coordinated execution of a specific operation." The military five-paragraph format is used to organize the briefing, to ensure completeness, and to help subordinate leaders understand and follow the order.

In our case, an OPORD describes the project, the situation the team faces, the target, and what supporting objectives the team will have to achieve in order to be successful. It sounds complicated, but it's not. Essentially, it is a set of initial meetings where the team gets exposed to the project and supporting documentation or information is distributed to each member. Each team member begins to prepare the tools and techniques based on the information they have. The team begins to study the target and formulate the initial plan.

The way it works best is to have at least two initial meetings:

  • A meeting for the presentation of the project and initial brainstorming
  • A meeting two days later, after each team member has had the chance to incubate ideas and has a rough plan.

Depending on the timelines set for the project, those two meetings (three if possible) will bring a lot of good ideas and questions that need answers.
Generally, the format/agenda for each meeting is standard and has shown over time to lead the team and their thinking in the right direction. This, of course, is not set in stone. You have to adapt to each project, but the following format is a good start.

First meeting

Talk about:

  • Situation: what the target is, where it is located, who the key players are, who requested the project and why, and information about their security capabilities.
  • Mission: what the project is, what objective needs to be achieved, who we are trying to mimic, and when, where and how.
  • Execution: this is the initial "plan", what is expected by the team leader or the person that requested the engagement. It should include any rules of engagement (ROE).
  • Admin & Logistics: what tools are needed, what we currently have, and what needs to be written (software/exploits/scanning) or bought (breaching gear, recon gear, etc.).
  • Command and Control: who leads the project, comms, deployment of assets, and standard operating procedures for everything.

Second meeting

Talk about:

  • Information already available on the target: perform a surface pass on OSINT just to have some data to begin with.
  • Questions that will allow for better planning and move RECON (the next phase) in the right direction. Ask: what is the history of the target, its competitors (if relevant), top executives or commanders, main products or capabilities, simple atmospherics, social media and overall digital footprint (from the surface scan), and initial apparent or known vulnerabilities.

This second meeting should conclude with a good idea of what needs to be done, the roles of each team member, and a good estimate of the timelines. After this meeting, the team plans the recon. A third meeting, a sort of in-between-phases meeting, will be called where the recon is planned and set to go.

The OPORD phase should be short and very intense. Things need to be set carefully, but relatively fast. RECON, the following phase, will take a long time, and going into it unprepared will not work. Use Phase 1, OPORD, to set the team's mindset and energy in the right direction. Allow them to ask questions, and have the senior person on the team take over from the leader for a while. Also, if there is a member of the team that has more knowledge about the particular industry, mission, product or procedure, bring him/her up and listen. Leverage the team's strengths.

Small teams work best. Practice this during this phase.

In the next post, we will see what's needed to plan RECON, why it is so important, and how to perform it.

Action Combo

The idea for this assessment came from one of the IT managers at this organization. She wasn't sure people were taking her training seriously, and she wanted to see whether our team could get inside the server room and walk out with a drive from one of their servers. Bonus points would be given if we could also take over at least one of the employees' laptops.

After a week of both physical and digital recon, we had solid information that allowed us to create a plan. It was going to be a combination of attacks on all fronts: physical, digital and social.
We learned three key things during the recon: the back alley of their main building had no camera, the service door there was secured by a single padlock, and their fire command system (as per the information online) would make the doors "fail open" while it was being reset.

The following week, in the middle of most employees coming in, I walked very casually around the building, on the phone "on an important call that needed a little quiet", and reached the service entrance at the back. There, without anyone looking, I picked the padlock and went into the building. A few minutes later, another guy from the team came by the door and locked the padlock again. Nothing to see... Move along... Any roaming guard would see everything as usual.
Once inside, I clipped my fake badge to my belt and, dressed in a suit and tie, began walking. After checking the ground floor and going two floors up, I found a room filled with racks of servers, routers, and other network devices. Of course it needed badge access. OK, time for the social attack. I called another guy from the team who was waiting at a cafe a few blocks away.

In the meantime, no one challenged me. I was dressed in a suit and tie, I had a laptop with me and a pad of paper where I had made some quick diagrams (that said nothing, but looked very official). A few guys said hello with a smile, and one even helped me get a coffee in the small kitchen on the floor.

When R arrived at the front desk, he was dressed in a very convincing fire department uniform. He talked to the security guard and told him that the fire command box was sending alerts to them every 30 minutes or so, that clearly all was good at the location, but that he needed to see the fire command system. The guard walked with him to the security office and opened the fire command box. After a few minutes, R dialed a number on his cellphone (I answered) and said: I think it's all good, we might need to reset the box. Let me know if you see the reset on your end.
He asked the guard to insert his key in the box and turn it, and R hit the reset control. It took a few seconds for the box to go down and reboot. He talked to me on the phone: box was reset, can you see it? At that point, all the doors on the floor popped open. I walked into the server room and said: I'm inside. Let it boot all the way.
R thanked the guard with a smile and, while walking away, commented on the football game for a few minutes. The guard was wearing a football hat, and by doing this R was making the guard feel at ease. An extra step to make sure he wasn't going to get suspicious.

Now I needed to find a drive to remove, and I needed to find a way to "own" one of the laptops. The disk was easy, some of the racks had hot-swappable drives. I searched for one that was labelled "backup" and took it.

The next thing was to find a way to get a laptop. This was done, again, by exploiting the helpful nature of humans. I walked to one of the desks in front of a closed-door office. These desks are usually occupied by assistants to execs or directors. I found there a lady in her mid 40s, very well dressed and with a "great hairdo". I commented, just passing by, how beautiful she looked and that it must have taken her a while to get her hair so good. She smiled a big smile and told me ALL about it. We were having a good chat. Just as I was leaving, I asked her: I'm having trouble accessing my PowerPoints on my computer. I don't know whether it's my computer or the thumb drive. Any chance I can check on yours for one second?
She smiled and allowed me to kneel by her side, accessing her laptop. I plugged in the USB drive and opened it on her computer. I saw my PowerPoint and opened it, but it was greeted by a "corrupted file" error. So, I thanked her and said that it was clear my drive was bad. Meanwhile, behind the scenes, I now had a backdoor to her laptop: a simple reverse shell that was trying to connect to a specific IP, disguised as an HTTP request. I walked away, smiling and waving goodbye.

Back in the office, the guys were receiving a shell.

Boom. We got them.

So, this one went smoothly. Proper planning prevents piss poor performance. The recon, the fact that the company leaked so much of their digital footprint online (from vendors to what software they were using), and a good solid plan that attacked all three fronts at the same time allowed us to really go in and succeed.
It's not this easy most of the time. You have things not working, you have people getting suspicious, you have security controls, and a million other things. However, sometimes... Well, it just works.

Assess the situation

First ask:

What is the most likely threat to occur? And the worst threat? How likely is the worst case scenario to occur?

Then:

Are you prepared for the most likely threat? Do you have a plan? Have you Red Teamed the plan?

Do you have a PACE (primary, alternate, contingency, emergency) plan ready?

Visualize the various parts of the plan, what you need and how you will use what you have. Communicate that plan to all those involved and drill it. Stress test it. Red team it. Give anyone involved in the planning and selection of actions a chance to poke holes in it.

Sometimes you have time to fully assess the situation. Other times, you assess threats as they are presented and select the best way to act based on the information at hand.

Act, don’t react. Always try to be several steps ahead.

(first appeared here)

Phases Of A Red Team Assessment - Revisited

Back in 2014, a question from a reader asked about the different phases of a Red Team assessment / engagement. Then we listed 8 phases.
These phases were, of course, based on our own experience, and a generic list. Each engagement is different; however, having a list to begin the process with, and a good visual map of what is needed, is a good thing.
During the last couple of years, we narrowed the phases down to 5:

Phase 1: OPORD

The Operations Order (OPORD). An OPORD describes the project, the situation the team faces, the target, and what supporting activities the team will have to carry out to achieve its objective.
In this phase, the team gets exposed to the upcoming project or operation. The initial information about the target and the scope of the assessment are dumped, and the team members begin to prepare the tools and techniques based on the information they have. The team begins to study the target and formulate the initial plan.

Phase 2: Recon

This phase is the most important one. If you do it right, it will most likely end in the success of the project: a good team can ID the targets quickly, modify the plan accordingly, adapt the tools and finish the project.
During this phase the team observes the target and learns about it. Physical and digital surveillance are performed, as well as open source intelligence gathering. The physical, digital and social footprints of the target are mapped and analyzed. At the end of this phase there is a clear view of the possible vectors of attack. Usually, during this phase, all activities are passive; however, in some cases, when the target is open to attack, a more active scan/surveillance is performed.

Phase 3: Target ID

During the Recon Phase, the team identified the possible options for an attack. In this phase each option is further analyzed and a plan of attack is crafted. On the digital side, a deeper scan is performed and exploits are identified. On the physical side, more information about security measures and controls is sought out. Social engineering calls are made and phishing mails are sent. Dry runs, if any, are performed during this phase too. In many cases, custom tools are written to exploit a specific vulnerability or to provide support for penetration and data exfiltration. This is a more active phase.

Phase 4: Live Run

Phase 4 is the Go! phase. Armed with all the knowledge and tools, the team executes the assessment for real. Whether a digital intrusion or a physical infil, the team tries to get inside. Once in, the team begins lateral movement, and smaller Phases 2 and 3 happen again. Important targets are identified within the primary target and these are exploited as well. Backdoors and further persistence are set, and data exfil channels are opened.
Once the team is inside, it tries to exfiltrate data and also exploit targets of opportunity. Once all this is done, the point of contact that set up the assessment is notified.

Phase 5: Report

The assessment is over. This phase is used to clean up anything left behind and analyze all that was done. Findings are reported to the point of contact, and a debrief meeting is set.
The final report writing begins. This is the sucky part. Report writing happens after the endless cries from the point of contact.

On Red Teaming

Today's adversaries don't play by any rules. They constantly adapt and learn from failures, and the complexity of their tactics and thinking is ever increasing. Whether nation sponsored, criminal or simply opportunistic, this new breed of attacker isn't bogged down trying to exploit the usual suspects (firewalls, web servers, email servers, etc.). They're not wasting time thinking about your security checklists, policies, and procedures that have been painstakingly developed to thwart them. They're happy to just go around, under, or over them and uncover weak links wherever possible.

One of the most often exploited weak links is the human one. That human risk can come from both outsider and insider threats, including your supply chain. The question then becomes not only whether you know your adversary, but whether your partners, suppliers and vendors know them as well. Do they know theirs? How frequently are they doing security assessments? It's a situation that needs frequent testing.


Hospital Recon and Security Readiness

I was recently in a hospital and the security director and I had a chat about potential threats, active shooter scenarios and how to make the overall perimeter of the hospital harder to penetrate and easier to monitor.

He and I walked everywhere, with me taking notes and pictures of everything. In some cases, I pointed directly to potential routes of entry and problematic spots (see attached pics). I walked the director through how I would penetrate the hospital covertly or overtly, what I would use, and whom I would potentially target for social engineering. We also brainstormed about the different attackers the hospital would see, and how each affected its security.
Finally we focused on the active shooter scenario. They do have trained staff, but as I was describing how I would do it in a mini-tabletop exercise, they realized the holes in their plans and policies and, more importantly, they realized the weakest points in their perimeter.
This simple tabletop, coupled with the walk through the building and specific pinpointing of areas of concern, provided the hospital security staff with a better way to understand the threats, prepare better security countermeasures, and put in place better security controls.

This whole assessment took 4 hours. The staff cooperated completely.

Note: Be aware that the issues found have been closed. The hospital implemented every single suggestion to improve security.