The term Red Team or Red Teaming has become more prevalent in the security industry. Both commercial and government organizations conduct "Red Team Exercises". What does this mean? What is a Red Team engagement? How is it different from other security tests? Isn't current penetration and vulnerability security testing enough?
Red Teaming shares many of the fundamentals of other security testing types, yet focuses on specific scenarios and goals that are used to evaluate and measure an organization's overall security defense posture.
Organizations spend a great deal of time and money on the security of their systems. Red Teams have a unique goal of testing an organization's ability to detect, respond to, and recover from an attack. When properly conducted, Red Team activities can significantly contribute to the improvement of an organization's security controls, help hone defensive capabilities, and measure the effectiveness of security operations.
This presentation introduces the Red Teaming concept of IOC management, how a Red Team operator can use specific IOCs to blend in to a target, and how to design specific scenarios to test a Blue Team's defensive posture.
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
1. Using IOCs to Design and Control Threat
Activities During a Red Team Engagement
(Red Teaming)
(Threat Emulation)
(Adversarial Assessment)
Joe Vest - @joevest
2. Controlling Threat Activities in a Red Team Engagement
Introduction to Red Teaming
Define Red Teaming and Red Teaming concepts
Why Red Team?
Compare and contrast to other security testing types
IOC Role In Red Teaming
Red Team Training
3. Background
Co-founder of MINIS (recently merged with SpecterOps)
17+ years IT
10+ years InfoSec
Red Teamer – Threat Emulator
Author of SANS SEC564 Red Team Operations and Threat Emulation
Some letters behind my name.
OSCP, GMOB, GCFA, GWAPT, GPEN, GCIH, CISSP, CISA, others…
4. Definitions
Blue Team
Security team that defends against threats.
Command and Control / C2
Command and Control (C2) is the influence an attacker has over a compromised computer system they control.
Exfiltration
Exfiltration is the extraction of information from a target. This is typically done through a covert channel.
IOC (Indicator of Compromise)
Indicators of Compromise (IOC) are artifacts that identify or describe threat actions.
OPFOR
Opposing Force or enemy force, typically used by the military in war gaming scenarios. Red Teams are commonly associated with or support OPFOR in war gaming scenarios.
Operational Impact
An operational impact is the effect of a goal-driven action within a target environment.
Red Team
A Red Team is an independent group that challenges an organization to improve its effectiveness.
ROE (Rules of Engagement)
The Rules of Engagement establish the responsibility, relationship, and guidelines between the Red Team, the customer, the system owner, and any stakeholders required for engagement execution.
Threat
A threat is an expression of intention to inflict evil, injury, or damage.
Threat Emulation
Threat Emulation is the process of mimicking the TTPs of a specific threat.
Tradecraft
The techniques and procedures of espionage. Tradecraft is typically associated with the intelligence community. TTPs and Tradecraft are used interchangeably in this course.
TTPs
TTPs are Tactics, Techniques and Procedures (sometimes called tools, techniques, and procedures).
5. Red Teaming Definition
Red Teaming … is the process of using tactics, techniques, and procedures (TTPs) to emulate a real-world threat with the goals of training and measuring the effectiveness of people, processes, and technology used to defend an environment.
Red Team … an independent group that challenges an organization to improve its effectiveness.
6. Why Red Team?
Isn’t identification and mitigation of vulnerabilities enough?
7. Why Red Team?
Red Teaming…
measures the effectiveness of the people, processes, and
technology used to defend a network
trains and/or measures Blue Teams
can test and understand specific threats or threat scenarios
"We don't rise to the level of our expectations, we fall to the level of our training." – Archilochus, Greek poet, around 650 BC
8. Red Teaming VS Other Security Tests
[Figure: Vulnerability Assessment, Penetration Testing and Red Teaming positioned on a Breadth vs. Depth chart]
9. Red Teaming VS Vulnerability Assessment
Think About This: A red team (threat) rarely uses vulnerability scanning tools during an engagement
Vulnerability Assessment:
Goal: Generate a list of prioritized vulnerabilities
Focus: Identification of vulnerabilities
Tools: Typically automated
Risk Identification: Individual systems vs. organizational
Skill: Novice to mid-level
10. Red Teaming VS Penetration Testing
According to the SANS Top 20 Critical Controls a penetration test is defined by the following: Penetration testing involves modeling the techniques used by real-world computer attackers to find vulnerabilities and, under controlled circumstances, to exploit those flaws in a professional, safe manner according to a carefully designed scope and rules of engagement to determine business risk and potential impact, all with the goal of helping the organization improve security practices.
TLDR…
Penetration Testing is an attack against a system designed to identify and measure risks associated with exploitation of a target’s attack surface.
Red Teaming is the process of using TTPs to emulate a threat with the goals of training/measuring security operations (Blue Team).
11. PDRR Observation and Measurement Coverage
[Figure: coverage of the PDRR phases (Protect, Detect, Respond, Restore) by Vulnerability Assessment, Penetration Test and Red Team Engagement]
• Reduce attack surface
• Good security hygiene
• Measure security operations as a whole
• Train and engage Blue Teams
12. Red Teaming Take Away
Vulnerabilities and exploits may be used, but only as a means to an end. Focus on goals.
Organizational and operational impacts can be extremely valuable (examples):
• Measure the ability a threat has to move laterally throughout a network
• Measure the ability a threat has to escalate privileges
• Measure the ability a threat has to exfiltrate sensitive data
• Can a threat degrade, disrupt, deny, or destroy operations?
Training is key. Blue teams must practice before facing a real threat.
14. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™)
Framework, knowledge base, and model for cyber adversary behavior
Focused on threat TTPs and Tradecraft vs exploits and vulnerabilities
https://attack.mitre.org/wiki/Main_Page
Threat Hunter Playbook
https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
https://cyberwardog.blogspot.com/
15. MITRE ATT&CK Examples
[Excerpt of the ATT&CK matrix as shown on the slide: the first seven techniques of each tactic column]
Persistence: .bash_profile and .bashrc; Accessibility Features; AppInit DLLs; Application Shimming; Authentication Package; Bootkit; Change Default File Association
Privilege Escalation: Access Token Manipulation; Accessibility Features; AppInit DLLs; Application Shimming; Bypass User Account Control; DLL Injection; DLL Search Order Hijacking
Defense Evasion: Access Token Manipulation; Binary Padding; Bypass User Account Control; Clear Command History; Code Signing; Component Firmware; Component Object Model Hijacking
Credential Access: Account Manipulation; Bash History; Brute Force; Create Account; Credential Dumping; Credentials in Files; Exploitation of Vulnerability
Discovery: Account Discovery; Application Window Discovery; File and Directory Discovery; Network Service Scanning; Network Share Discovery; Peripheral Device Discovery; Permission Groups Discovery
Lateral Movement: AppleScript; Application Deployment Software; Exploitation of Vulnerability; Logon Scripts; Pass the Hash; Pass the Ticket; Remote Desktop Protocol
Execution: AppleScript; Application Shimming; Command-Line Interface; Execution through API; Execution through Module Load; Graphical User Interface; InstallUtil
Collection: Audio Capture; Automated Collection; Clipboard Data; Data Staged; Data from Local System; Data from Network Shared Drive; Data from Removable Media
Exfiltration: Automated Exfiltration; Data Compressed; Data Encrypted; Data Transfer Size Limits; Exfiltration Over Alternative Protocol; Exfiltration Over Command and Control Channel; Exfiltration Over Other Network Medium
Command and Control: Commonly Used Port; Communication Through Removable Media; Connection Proxy; Custom Command and Control Protocol; Custom Cryptographic Protocol; Data Encoding; Data Obfuscation
16. IOC Usage and Role in a Red Team Engagement
IOCs are a means to describe/control a threat actor
A Threat will …
Get In (exploit) → Stay In (C2, Persistence, Lateral Movement) → Act (operational impact)
Each phase has a variety of opportunities to engage defenders, allowing Blue TTPs to be practiced and tuned.
Today’s Focus
17. Example: Command and Control
[Diagram: C2 Server ↔ Target, with an HTTP/80 agent (standard user) and an SMB agent (system)]
18. Threat Profile
Category / Description
Description: General mid-tiered threat that uses common offensive tools and techniques
Goal and Intent: Exist in the network to enumerate systems and information in order to maintain command and control to support future attacks, and to determine if and when a Blue Team can detect and identify the threat’s IOCs
Key IOCs:
• Cobalt Strike HTTP beacon on TCP 80
• Cobalt Strike SMB beacon on TCP 445
C2 Overview: HTTPS on port 80, Cobalt Strike Beacon with a 1-minute callback time, calling directly to threat-owned domains
TTPs (Enumeration, Delivery, Lateral Movement, Privilege Escalation, etc.): Assumed breach model, no initial delivery via exploitation. Post-exploitation via Cobalt Strike commands. Enumeration and lateral movement via Cobalt Strike and native Windows commands. Privilege escalation limited and determined post-exploitation.
Exploitation: Assumed breach model, no exploitation.
Persistence:
• User-level persistence using explorer.exe DLL hijack (linkinfo.dll)
• WMI event persistence (msupdate.exe)
19. Disk IOC Overview
IOCs (HTTP beacon)
• HTTP traffic over TCP port 80 beacons every 60 seconds with a 20% jitter (drift)
• Payload: linkinfo.dll
• Location: c:\Windows\linkinfo.dll
• Timestamp: 07/13/2009 06:31 PM
• Size: 288,768
• MD5: 4a247a94bd215f081c04ef235d158ce1
• Metadata:
  • Company: Microsoft Corporation
  • Description: Windows Volume Tracking
  • Product: Microsoft® Windows® Operating System
  • Prod version: 6.1.7600.16385
  • File version: 6.1.7600.16385 (win7_rtm.090713-1255)
IOCs (SMB beacon)
• SMB beacon using on-demand access
• Payload: msupdate.exe
• Location: c:\Windows\msupdate.exe
• Timestamp: 07/13/2009 06:31 PM
• Size: 290,816
• MD5: 81401996518d462fba52a345b63ef918
• Metadata:
  • Company: Microsoft Corporation
  • Description: Host Process for Windows Services
  • Product: Microsoft® Windows® Operating System
  • Prod version: 6.1.7600.16385
  • File version: 6.1.7600.16385 (win7_rtm.090713-1255)
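The slide above lists the disk artifacts a Blue Team would hunt for: a file name at a stated location, a size, an MD5 and spoofed version-info strings. The script below is an added example (not from the presentation or its author) of turning such a list into a repeatable host check: it matches files against the slide's name/size/MD5 values and ranks each hit by how conclusive the matched attributes are. Version-info strings need a PE parser and are left out; the DiskIOC type, the helper names, and the throwaway file that demo() writes are constructed for this example.

```python
"""Disk-IOC matcher (added example, not from the presentation or its author).

Checks files against the artifact IOCs given on the "Disk IOC Overview"
slide: file name, size in bytes and MD5. The demo() file contents and the
synthetic IOC it builds are constructed for this example.
"""
import hashlib
import ntpath
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class DiskIOC:
    name: str   # label used in reports
    path: str   # location reported on the slide
    size: int   # size in bytes
    md5: str    # lowercase hex digest


# Values copied from the slide.
SLIDE_IOCS = [
    DiskIOC("linkinfo.dll", r"c:\Windows\linkinfo.dll", 288_768,
            "4a247a94bd215f081c04ef235d158ce1"),
    DiskIOC("msupdate.exe", r"c:\Windows\msupdate.exe", 290_816,
            "81401996518d462fba52a345b63ef918"),
]


def md5_of_file(path, chunk=1 << 16):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_file(path, iocs):
    """Return [(ioc name, [matched attributes])] for one file.

    A hash match is conclusive on its own; name or size alone only says
    the file deserves a closer look, so the caller gets the attribute list
    rather than a bare yes/no. ntpath.basename handles the slide's
    Windows-style IOC paths even when this runs on a non-Windows host.
    """
    base = os.path.basename(path).lower()
    size = os.path.getsize(path)
    digest = md5_of_file(path)
    hits = []
    for ioc in iocs:
        matched = []
        if base == ntpath.basename(ioc.path).lower():
            matched.append("name")
        if size == ioc.size:
            matched.append("size")
        if digest == ioc.md5:
            matched.append("md5")
        if matched:
            hits.append((ioc.name, matched))
    return hits


def confidence(matched):
    """Rank a match: 'high' on hash, 'medium' on name+size, else 'low'."""
    if "md5" in matched:
        return "high"
    if "name" in matched and "size" in matched:
        return "medium"
    return "low"


def scan_tree(root, iocs):
    """Walk a directory and report every file that matches any IOC."""
    report = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            for name, matched in match_file(p, iocs):
                report.append((p, name, matched, confidence(matched)))
    return report


def demo():
    """Constructed run: a throwaway linkinfo.dll with made-up contents."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "linkinfo.dll")
        with open(p, "wb") as f:
            f.write(b"constructed sample bytes, not the real payload\n")
        synthetic = DiskIOC("sample", p, os.path.getsize(p), md5_of_file(p))
        return {
            "synthetic": [(n, m, confidence(m)) for n, m in match_file(p, [synthetic])],
            "slide": [(n, m, confidence(m)) for n, m in match_file(p, SLIDE_IOCS)],
        }


if __name__ == "__main__":
    print(demo())
```

Run scan_tree(r"C:\Windows", SLIDE_IOCS) on a Windows host to sweep the location named on the slide. The ranking matters in practice: a legitimate Windows component can share the file name, so a name-only hit is a pivot point for further review, while an MD5 hit on the slide's values is conclusive.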
20. HTTP Beacon Network IOC Overview
HTTP IOC (GET)
GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=T2Yw28y-t_hTdfBSImdzQw HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: download.windowsupdate.com
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: application/octet-stream
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Connection: close
Content-Length: 64

...3..X...T..f.7............&..DZ.p....`./.CG.@..b..h........C..

HTTP IOC (POST)
POST /v11/2/windowsupdate/selfupdate/WSUS3/NzIxMg HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*
Content-Type: application/x-www-form-url-encoded
Host: download.windowsupdate.com
Content-Length: 29
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

status=iVtM41G4gRnsNKaocUaOTw

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: application/octet-stream
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Connection: close
Content-Length: 0
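The beacon traffic above is built to look like Windows Update, so the Host and URI are weak indicators on their own; the timing signature stated on the disk-IOC slide (every 60 seconds with 20% jitter) and the threat profile's note that the agent calls threat-owned domains directly are what a defender can lean on. The script below is an added example (not from the presentation or its author) that checks web-proxy records for both the URI shape shown in the captured requests and the jittered 60-second cadence. The log format, every log line, and the helper names are constructed for this example; the jitter model (gaps between 48 s and 60 s) is an assumption drawn from the slide's "20% jitter (drift)".

```python
"""Network-IOC check for the HTTP beacon (added example, not from the presentation).

Two signals from the "HTTP Beacon Network IOC" slide are checked over
web-proxy records: the Host/URI pattern of the beacon traffic and its
timing ("every 60 seconds with a 20% jitter"). The log format and all
log lines are constructed for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO time> <client ip> <method> <host> <path>"
SAMPLE_LOG = """\
2017-07-13T18:31:00 10.0.0.5 GET download.windowsupdate.com /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=T2Yw28y-t_hTdfBSImdzQw
2017-07-13T18:31:55 10.0.0.5 GET download.windowsupdate.com /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=c0nstructed1
2017-07-13T18:32:50 10.0.0.5 POST download.windowsupdate.com /v11/2/windowsupdate/selfupdate/WSUS3/NzIxMg
2017-07-13T18:33:38 10.0.0.5 GET download.windowsupdate.com /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=c0nstructed2
2017-07-13T18:34:38 10.0.0.5 GET download.windowsupdate.com /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=c0nstructed3
2017-07-13T18:35:30 10.0.0.5 GET download.windowsupdate.com /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=c0nstructed4
2017-07-13T18:31:03 10.0.0.9 GET www.example.org /index.html
2017-07-13T18:31:09 10.0.0.9 GET www.example.org /news
2017-07-13T18:36:01 10.0.0.9 GET www.example.org /about
2017-07-13T18:36:02 10.0.0.9 GET www.example.org /contact
2017-07-13T18:40:30 10.0.0.9 GET www.example.org /index.html
"""

# URI shape taken from the slide's GET and POST requests.
BEACON_URI = re.compile(r"^/v11/\d/windowsupdate/selfupdate/WSUS3/")
BEACON_HOST = "download.windowsupdate.com"


def parse_log(text):
    """Split each constructed log line into (time, client, method, host, path)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path = line.split(maxsplit=4)
        records.append((datetime.fromisoformat(ts), src, method, host, path))
    return records


def intervals_seconds(times):
    """Gaps between consecutive events, in seconds, after sorting by time."""
    times = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def beacon_like(gaps, base=60.0, jitter=0.20, slack=2.0, min_gaps=4):
    """True when every gap sits in [base*(1-jitter), base] (plus slack).

    Assumption: jitter shortens the sleep by up to jitter%, so a
    60 s / 20 % beacon produces gaps between 48 s and 60 s. Fewer than
    min_gaps observations is treated as "not enough evidence".
    """
    if len(gaps) < min_gaps:
        return False
    low, high = base * (1 - jitter) - slack, base + slack
    return all(low <= g <= high for g in gaps)


def analyze(text, **kw):
    """Per (client, host): event count, median gap, URI hits, beacon verdict."""
    by_pair = defaultdict(list)
    uri_hits = defaultdict(int)
    for ts, src, _method, host, path in parse_log(text):
        by_pair[(src, host)].append(ts)
        if host == BEACON_HOST and BEACON_URI.match(path):
            uri_hits[(src, host)] += 1
    out = {}
    for pair, times in by_pair.items():
        gaps = intervals_seconds(times)
        out[pair] = {
            "events": len(times),
            "median_gap": statistics.median(gaps) if gaps else None,
            "uri_hits": uri_hits[pair],
            "beacon_like": beacon_like(gaps, **kw),
        }
    return out


if __name__ == "__main__":
    for pair, info in analyze(SAMPLE_LOG).items():
        print(pair, info)
```

In the constructed log, the 10.0.0.5 client is flagged on both signals (six beacon-shaped requests, gaps of 48 to 60 seconds) while the browsing client is not. Real Windows Update clients also talk to download.windowsupdate.com, so when adapting this to a production proxy feed, add the destination IP to the record and compare it with where that host name actually resolves; the profile's "calling directly to threat-owned domains" is what separates the beacon from genuine update traffic.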
22. In Summary
Consider what is being done to protect your systems and networks.
Are the resources used to protect the network working?
Are they being used cost-effectively?
Are they able to defend the network?
Are they staffed appropriately?
Consider applying a threat-based approach when testing the security of your organization to better understand the true risks from a threat and not just vulnerabilities.
23. Training
SANS
• SEC 564 Red Team Operations and Threat Emulation
https://sans.org/sec564
SpecterOps
• Adversary Tactics: Red Team Operations
• Adversary Tactics: Active Directory
• Adversary Tactics: Powershell
• Adversary Tactics: Detection
https://specterops.io/resources/upcoming-events