Playing the Part

Over the years I've found several techniques that, no matter how trained the security personnel of a corporation is, tend to work one way or another.
In this case "the angry executive speaking in another language on a cellphone".

I've used this many times and with good results. After researching a bit the target, learning what are the baselines in term of dress code for the top executives and diversity of the employees, coupled with the atmospherics of the location and its patterns of life, you can put together a very credible employee from another office act.
The idea is both show that you belong there, but that you are coming especially coming here from another location. It causes whoever happen to be in front of you to be a little more sympathetic.

In one particular case, I was outside, on the street, but the booth keeping the entrance to the underground parking. The guard was looking at me. I was wearing the proper suit and tie, with a fake, though very realistic badge clipped to my jacket's pocket. On cue, another guy from the team call my cellphone. I answered in English and switched to another language. I increasingly become more and more agitated as minutes passed. The guard kept an eye on me. I made it a point to walk back and forth the booth, and give him consternated looks. He began giving me small smiles... And after about 20 min, he lost interest in me. Having seen my badge and sensing that I belong there.
Once I saw that, and still arguing on the phone, I slowly began walking towards the parking. Going down the ramp step by step, still on the phone still gesticulating and never looking back, at the guard. I belong there, right? I wouldn't worry about the guard.

Boom. I was in. I was freely walking on the underground parking.

Next was to get inside the building. My badge was a good copy, but it wouldn't open the door from the underground parking to the elevators. So I stood there, still angry on the phone, until 5 min later, someone came back to his car. As he walked by me, i gave him a smile as I walked in. He never questioned me. So... Now I was really in.

After that it was just stuff, but, once you understand the environment, and know how to play the part... It's just a matter of time.

Quote of the day

"It is not good to settle into a set of opinions. It is a mistake to put forth effort and obtain some understanding and then stop at that. At first putting forth great effort to be sure that you have grasped the basics, then practicing so that they may come to fruition is something that will never stop for your whole lifetime. Do not rely on following the degree of understanding that you have discovered, but simply think, “This is not enough.” One should search throughout his whole life how best to follow the Way. And he should study, setting his mind to work without putting things off. Within this is the Way."

— Hagakure

Knowing your weaknesses by actively searching for them

From the Yahoo breach of 3 billion accounts, to the JP Morgan intrusion, to the recent Equifax attack, the frequency and scale of attacks is increasing, and there is no sign of stopping.
As you watch company after company essentially fall victims, and unable to deal properly with these crises, it is becoming evident that current security testing and methodology need to evolve.

Evolve into something that properly mimic the attackers. Evolve into something that properly test the organizations and companies in the same way a real attacker would.
This means attacking the three fronts - digital, physical and social - in a way that truly mimic a real adversary.

This last bit above is what we've been trying to inform the public about. This last bit above is real Red Teaming.

What is Red Teaming?

Red Teaming is the act of portraying an adversary in order to test the security posture of an organization or company. This means all three fronts. Red Teaming is not penetration test. Though penetration testing can be and often is a part of Red Teaming.
Red Teaming is executed by a trained, educated, and experienced team and can often provide more that just a view of the state of affairs of security. Red Teaming can be applied to everything, from plan analysis and exploration of alternatives, to testing of capabilities in the context of the operational environment, to the application of the adversarial mindset to policy making.

Why Red Teaming?

In today's world, it is critical to assume that a security incident can and will occur. It's not a matter of if, but a matter of when and how. Period. It is correct to assume that a compromise already happened.

Red Teaming must be a necessary component in any effective security strategy to face today’s realities and the modern adversary. A Red Team is a friendly force that plays the role of an advanced adversary to uncover those weaknesses before a real attacker does. Organizations and companies can better prepare for the impact of current and future threats by simulating real-world attacks and exercising Tactics, Techniques and Procedures (TTPs) that determined and persistent adversaries use during breaches, helping build resilience and test in advance their own TTPs: the information gained from Red Teaming helps to significantly strengthen defenses, improve response strategies, train defenders, and drive greater effectiveness of the entire security program.

Act, don't react

Security prevention strategies and technologies cannot guarantee safety from every attack. Given today’s threat landscape, like mentioned above, it is important to assume that a breach has either already occurred or that it’s only a matter of time until it will.
By planning for the worst-case scenarios, organizations can develop the necessary capabilities to detect penetration attempts and significantly improve responses associated with security breaches.
In other words: when the real attack happen, you will be ready and you will have the necessary muscle memory to confront the breach. Operating with this assumption will reshape detection and response strategies in a way that pushes the limits of any organization’s infrastructure, people, processes, and technologies: Resiliency

Prevention is a chosen action; reaction is a forced one.

One of the biggest benefits of understanding your adversary is that it helps take much of the guesswork out of security solutions, controls and plans. As had been demonstrated and explained in previous posts in this blog, once an adversary has been researched and a real-life attacks performed against the organization, it is much easier to begin understanding all types of attacks and the different adversaries.

Again, understanding, prevention and action brings resiliency.

Do it

Understanding the adversary will help creating this resiliency. Real Red Teaming, and adapting the plan and response measures will ensure the survival of your business. Start thinking like an adversary, adopt the mindset of an open system that can adapt to the environment, and be ready for the next attack. It will happen.

Bringing in an advanced Red Team will jumpstart the process. Red Teams act like a real attacker, truly identifying where the controls break, providing a realistic view of how resilient an organization is.

Don't neglect to evaluate your controls in a realistic way.

Quote of the day

"Security prevention strategies and technologies cannot guarantee safety from every attack. Given today’s threat landscape, it is vital to acknowledge that a breach has either already occurred or that it’s only a matter of time until it will."

Quote of the day

“I really try to put myself in uncomfortable situations. Complacency is my enemy.”

— Trent Reznor

Phases of a red team assessment: Recon

PHASE 2: RECON

Recon, reconnaissance. This phase is the most important phase. If you do it right, it will most likely end in the success of the project. A good team can ID the targets quickly, modify the plan accordingly, adapt the tools and finish the project successfully.

Read More

Phases of a red team assessment: OPORD

The 5 phases of a Red Team assessment:
1: OPORD | 2: Recon | 3: Target ID | 4: Live run | 5: Report

Phase 1: OPORD

The Operations Order (OPORD), a "directive issued by the leader to his subordinate leaders in order to effect the coordinated execution of a specific operation.". The military five-paragraph format is used to organize the briefing, to ensure completeness, and to help subordinate leaders understand and follow the order.

In our case, an OPORD describes the project, the situation the team faces, the target, and what supporting objectives the team will have to achieve in order to be successful. It sounds complicated, but it's not. Essentially is a set of initial meetings where the team gets exposed to the project and supporting documentation or information is distributed around each member. Each team member begins to prepare the tools and techniques based on the information they have. The team begins to study the target and formulate the initial plan.

The way it works best is to have at least 2 initial meetings:

  • A meeting for the presentation of the project and initial brainstorming
  • A meeting 2 days later after each team member had had the chance to incubate ideas and have a rough plan.

Depending on the timelines set for the project, those 2 meetings (3 if possible) will bring a lot of good ideas and questions that need answer.
Generally, the format/agenda for each meeting is standard and has shown over time to lead the team and their thinking in the right direction. This, of course, is not set in stone. You have to adapt to each project, but the following format is a good start

First meeting

Talk about:

  • Situation: what is the target, where is located, who are the key players, who requested the project, why, information about their security capabilities.
  • Mission: what is the project, what is the objective that needs to be achieved, who are we trying to mimic, when, where and how.
  • Execution: This is the initial "plan", what it's to be expected by the team leader or the person that requested the engagement. It should include any rules of engagement (ROE).
  • Admin & Logistics: What tools are needed, what we currently have and what needs to be written (software/exploits/scanning) or bought (breaching gear, recon gear, etc).
  • Command and Control: who leads the project, comms, deployment of assets and standard operating procedures for everything.

Second meeting

Talk about:

  • information already available on the target: perform a surface pass on OSINT just to have some data to begin.
  • Ask questions that will allow for better planning and move RECON (the next phase) in the right direction. Ask: what is the history of the target, competitors (if relevant), top executives or commanders, main products or capabilities, simple atmospherics, social media and digital overall footprint (from the surface scan), initial apparent or known vulnerabilities.

This second meeting should conclude with a good idea for what needs to be done, the roles of each team member and a good estimate of the timelines. After this meeting, the team plans the recon. A third meeting will be called to, a sort of in-between-phases meeting, where the recon will be plan and set to go.

The OPORD phase should be short and very intense. Things need to be set carefully, but relatevely fast. RECON, the following phase, will take long and going into it unprepared will not work. Use Phase 1, OPORD, to set the team's mindset and energy in the right direction. Allow them to ask questions, have the senior guy in the team take over the leader for a while. Also, if there is a member of the team that has more knowlege about the particular industry, or mission, product or procedure, bring him/her up and listen. Leverage the team strengh.

Small teams work best. Practice this during this phase.

In the next post, we will see what's needed to plan RECON, why it is so important, and how to perform it.

Strategic Red Teaming: The Job Description

Our friends at the Red Team Journal posted a notional job descrition for a "Strategic Red Team Director". This provides a good list of what's needed on a Red Team, an what a Red Team should be on an organization. Yes, it's not pentesting.
Go read it.

This is an excellent opportunity for an experienced, forward-looking red teamer to build a world-class red teaming capability at a prominent global organization. The successful Strategic Red Team Director will lead the enterprise’s efforts in adopting and maintaining a system-wide view of threat-driven risks, with the goal of working with senior management to control these risks.