Advanced Threat Simulation: Are You Ready for Red Team Operations?
Posted by Luke McLemore
Determining where your organization is along the corporate security journey is essential to deciding which services you should be seeking, and what considerations to weigh when requesting more advanced tests and operations. Red Team Operations can be enticing, especially if you have read our blog on the differences between red teams and traditional penetration testing, but not every security program is ready to detect and respond to these advanced threats. This blog provides a set of criteria to review before dedicating resources to a Red Team Operation.
This post is part of our security services series, which highlights the corporate security journey and identifies the main areas of focus when considering external security services as you move your organization along it. First we will dive into the specifics of a Red Team assessment, and then provide a guide to position your security team for these advanced attacks.
Red Team Operation Breakdown
As covered in prior blogs, Red Team assessments are the capstone exam of the corporate security journey. A red team exercise is a client’s opportunity to evaluate not only the strength of their networks, but of their entire security organization: incident responders, automated defensive tools, SOC analysts, etc. It is their chance to take all of the knowledge imparted to them from past penetration tests and tabletop exercises and determine whether they can work together in a “real-world” threat simulation. Operators on a red team assessment combine high levels of both technical ability and creativity to present clients with as realistic a threat as possible.
A red team assessment is broken up into (roughly) the following phases:
Recon: This is where a team enumerates as much information as they can about your organization. This usually comes as a combination of OSINT and very limited active testing. Information is gathered not only on the infrastructural footprint of your organization, but on the organizational structure as well. This includes gathering email contacts, phone numbers, job titles, and managerial duties of as many people as possible in the company.
Exploitation: This phase is the most generic: it is where a team obtains code execution inside a target environment. This can occur in several ways: email phishing, social engineering, external compromise, VPN credential theft, etc. Highly customized phishing emails, landing pages, malware delivery options and payloads are all extremely commonplace during the exploitation phase.
Privilege Escalation: Once in a target network, the next step is obtaining the privileges required to complete the objectives specified by your organization (this might not be a clear-cut checklist, but rather an exercise to see what can be exposed). This is also where organizations tend to spend most of their detection and response resources. Red Teams attempt to interact with internal systems in ways that do not trigger internal alerting systems like host-based EDR or network-based IDS/IPS.
Objective Completion: Once access to these assets is achieved, the team may be required to leave proof of compromise (a flag of some kind) or exfiltrate a particular data set. All of this is performed respectfully and with regard to the goal of remaining stealthy in your organization’s network.
Persistence: This is listed last, but it does not need to come last in a red team assessment. A good persistence mechanism is extremely important in every aspect of post-exploitation activity. Whether your organization can maintain detection and response to an attack may make the difference in whether the objective is completed or not.
For information on some of the attacks used in Red Team assessments, download our report: The Top 10 Most Prevalent Internal Attacks and How to Prepare for Them.
These tests are clearly not intended for programs at the beginning of the corporate security journey, and for many mid-sized teams, they may never fit organizational needs. There are many steps and requirements you should consider before launching into full-blown Red Team operations.
Red Team Operation Prerequisites
PCI Penetration Testing
PCI penetration testing follows the industry approach of applying the NIST SP 800-115 standard to ensure compliance. While these tests are not ideal for mature, enterprise-level security programs, they are a great tool for establishing a base for the rest of your security journey. In addition to PCI testing, commoditized penetration testing can be used as a follow-up to cover more gaps in security infrastructure.
Defense Systems and Technologies
There are quite a few programs and models that help organizations prevent breaches before they occur. For example, Google’s BeyondCorp is a “Zero Trust” enterprise security model that shifts access controls from the network perimeter to individual devices and users. Implementing BeyondCorp allows employees to work securely from any location, without the need for a traditional VPN, and also resolves many problems with networking infrastructure.
These solutions are a great basis for a growing organization, and are steps in the right direction towards more complex operations. To achieve the best results, many of these solutions can be put in place through a collaborative Purple Team exercise, where an experienced team both works to exploit your current system and simultaneously works with you to fix what they exploit.
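To make the “perimeter to devices and users” shift concrete, here is an added example (not Google’s code, and not from the original post) of a toy access decision in the BeyondCorp style. The device inventory, the resource tiers, the group rule and the function names are all constructed assumptions; the point is that the request’s source address never enters the decision, while device state and user identity do.

```python
"""Toy zero-trust access decision in the BeyondCorp style.
Constructed example: inventory, tiers and helper names are assumptions."""
from dataclasses import dataclass

# Constructed device inventory: device id -> attributes the policy consults.
DEVICE_INVENTORY = {
    "lap-0421": {"managed": True, "disk_encrypted": True, "os_patch_days": 3},
    "lap-0777": {"managed": True, "disk_encrypted": False, "os_patch_days": 40},
}

# Constructed resource tiers: the minimum device trust tier each resource demands.
RESOURCE_TIER = {"wiki": "low", "source-repo": "medium", "payroll-db": "high"}
TIER_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool
    groups: frozenset
    device_id: str
    resource: str
    source_ip: str  # deliberately never consulted by the zero-trust policy


def device_trust_tier(device_id):
    """Derive a trust tier from inventory attributes.
    Unknown or unmanaged devices get no tier at all."""
    dev = DEVICE_INVENTORY.get(device_id)
    if dev is None or not dev["managed"]:
        return None
    if dev["disk_encrypted"] and dev["os_patch_days"] <= 14:
        return "high"
    if dev["disk_encrypted"]:
        return "medium"
    return "low"


def authorize(req):
    """Zero-trust decision: (allowed, reason). Every request is judged on the
    user, the device and the resource; being on the LAN never helps."""
    required = RESOURCE_TIER.get(req.resource)
    if required is None:
        return False, "unknown resource"
    if not req.mfa_passed:
        return False, "mfa required"
    dev_tier = device_trust_tier(req.device_id)
    if dev_tier is None:
        return False, "device not in inventory or unmanaged"
    if TIER_RANK[dev_tier] < TIER_RANK[required]:
        return False, f"device tier {dev_tier} below required {required}"
    # Constructed entitlement rule: the high tier also needs group membership.
    if required == "high" and "finance" not in req.groups:
        return False, "user not entitled to resource"
    return True, "ok"


def perimeter_authorize(req):
    """The model BeyondCorp replaces: anyone already on the corporate
    network (constructed 10.0.0.0/8 range) is trusted."""
    return req.source_ip.startswith("10.")


if __name__ == "__main__":
    r = Request("alice", True, frozenset({"finance"}), "lap-0777", "payroll-db", "10.0.0.5")
    print("perimeter:", perimeter_authorize(r))
    print("zero-trust:", authorize(r))
```

The same request from an unencrypted, unpatched laptop passes the perimeter check simply because it originates inside the network, but is refused by the zero-trust policy; conversely, a compliant device with a verified user is admitted from any address.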
Purple Team Exercises
Purple Team assessments are a perfect way to prepare your organization for Red Team operations. They improve the efficacy of your incident response and detection capabilities. In these exercises, a team works alongside your security team while simulating malicious behavior, collaboratively evaluating and improving your organization’s situational awareness. The exercises are designed to systematically illuminate blind spots in detective capabilities, and then fix them. Here are two results to expect from a successful Purple Team engagement:
1. A mapped understanding of detection gaps - While it’s infeasible to have automated detection for every TTP in the MITRE ATT&CK framework, you should know where your detection blind spots are. That way, you can implement manual stopgaps or increase your focus on other stages of the cyber kill chain.
2. The ability to correlate data from multiple sources - Seeing a lot of data being pulled from a file server? That could be normal. Seeing multiple sustained connections from the same host to a new site? Strange, but not necessarily malicious. Seeing both at the same time should raise some eyebrows. A strong blue team should be able to quickly correlate multiple TTPs to find malicious activity.
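The second result above, correlation of two individually benign signals, is easier to picture with code. The following is an added example, not from the original post or any vendor: it parses constructed file-server audit lines and constructed proxy lines, notes bulk reads and repeated long-lived connections to destinations not on a known list separately, and only raises an alert for a host that shows both. The log formats, thresholds and the allowlist are assumptions.

```python
"""Correlating bulk file-server reads with sustained connections to an
unfamiliar destination. Constructed logs and thresholds; formats are assumptions."""
import re
from collections import defaultdict

# Constructed file-server audit lines: "<time> <host> read bytes=<n>".
FILESERVER_LOG = """\
09:01:12 ws-114 read bytes=4200000
09:02:40 ws-114 read bytes=3900000
09:03:05 ws-207 read bytes=820000000
09:04:11 ws-207 read bytes=640000000
09:05:30 ws-301 read bytes=700000000
"""

# Constructed proxy lines: "<time> <host> dst=<name> secs=<duration>".
PROXY_LOG = """\
09:02:00 ws-114 dst=updates.example-vendor.test secs=5
09:03:10 ws-207 dst=cdn-sync.unknown-site.test secs=900
09:08:10 ws-207 dst=cdn-sync.unknown-site.test secs=880
09:13:15 ws-207 dst=cdn-sync.unknown-site.test secs=910
09:04:00 ws-301 dst=mail.example-corp.test secs=30
09:10:00 ws-114 dst=cdn-sync.unknown-site.test secs=600
"""

# Constructed allowlist of destinations the organization already knows about.
KNOWN_DESTINATIONS = {"updates.example-vendor.test", "mail.example-corp.test"}

FS_RE = re.compile(r"^(\S+) (\S+) read bytes=(\d+)$")
PX_RE = re.compile(r"^(\S+) (\S+) dst=(\S+) secs=(\d+)$")


def bytes_read_per_host(log):
    """Total bytes read from the file server, keyed by host."""
    totals = defaultdict(int)
    for line in log.splitlines():
        m = FS_RE.match(line)
        if m:
            totals[m.group(2)] += int(m.group(3))
    return dict(totals)


def sustained_new_connections(log, known, min_secs=300, min_count=2):
    """Hosts with at least min_count connections lasting >= min_secs to the
    same destination that is not on the known list. Returns host -> dst."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = PX_RE.match(line)
        if not m:
            continue
        host, dst, secs = m.group(2), m.group(3), int(m.group(4))
        if dst not in known and secs >= min_secs:
            counts[(host, dst)] += 1
    return {host: dst for (host, dst), n in counts.items() if n >= min_count}


def correlate(fs_log, px_log, known, bulk_threshold=500_000_000):
    """Alert only where both signals land on the same host; single signals
    are kept as context so an analyst can still review them."""
    totals = bytes_read_per_host(fs_log)
    bulk = {h for h, b in totals.items() if b >= bulk_threshold}
    beacons = sustained_new_connections(px_log, known)
    both = bulk & beacons.keys()
    return {
        "alerts": [{"host": h, "bytes_read": totals[h], "destination": beacons[h]}
                   for h in sorted(both)],
        "bulk_only": sorted(bulk - beacons.keys()),
        "beacon_only": sorted(beacons.keys() - bulk),
    }


if __name__ == "__main__":
    for k, v in correlate(FILESERVER_LOG, PROXY_LOG, KNOWN_DESTINATIONS).items():
        print(k, v)
```

In the constructed data, ws-301 pulls a lot of data but talks only to known sites, and ws-114 makes one long connection to the unfamiliar host; neither alone becomes an alert. ws-207 does both, and that combination is what the correlation surfaces.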
Creating familiarity with attacks and how to detect and respond to them is the purpose of Purple Teams, and is the best way to tee up the next step: Red Team operations.
Red Team exercises are the ultimate test for mature security programs, but there are many steps that must be taken in advance to prepare your organization for such complex tests. There are many routes to take, and many steps along the corporate security journey, to get you prepared. In our next blog we’ll be diving deeper into the functions of a Purple Team and what to expect from an engagement using the NIST framework.