“ATTACK”: RED TEAM & ADVERSARY SIMULATION

Our “Red Teaming” capabilities are built on significant knowledge, a carefully constructed methodology and considerable experience. For Chaleit, Core Red Teaming is a target-driven assessment with an open scope, unlike a traditional Penetration Test (“Pen Test”) with a defined scope. It also has an element of gamification and realism, and the path to reach the goal is more flexible in approach. In simple terms:

  • Pen Testing – Scope-oriented; full and thorough “audit approach”
  • Red Teaming – Goal-oriented; focussed “objective-led approach”

Our Approach

Chaleit’s approach to 'Attack': Red Teaming & Adversary Simulation is focussed. It is a very creative process that requires a palette of tools, ideas and scenarios (often referred to as “TTPs” – Tactics, Techniques and Procedures).

Methodology, Skills & Unique Approaches

We combine these with our skill and experience to create a service designed to deliver real value to our clients. We also use conceptual frameworks, house-made scripts and checklists internally to guide us through the process. For example, we adopt the MITRE ATT&CK framework as a guide.

During our discussions and most importantly when working together, we will initially set “rules of engagement” which are very important to manage safety and drive a tangible outcome. Given that a Red Team is a simulation, we will not use real malware, physical techniques or other methods or tools that are potentially destructive.

In establishing a goal-oriented approach, we work together to define a series of scenarios that we agree up-front will be executed, and determine what is to be accomplished. Trophies are key: for example, specific files (simulating access to a trade secret), access to IP or critical data stores that are not public, or gaining Domain Admin / Root. We then, in collaboration, need to ask ourselves and establish:

  • Options: What sort of simulations are to be used? (For example – Social Engineering, Phishing, Vishing etc.)
  • Transparency: How much assistance / direction will Chaleit be given?
  • Vectors: By what routes could our client’s perimeter be breached?

In a little more detail, the process evolves into asking:

For this Red Team,

  • Do we know “what we are after” (the end-goal)?
  • Where do we start to pave the path towards achieving the goal?
  • What “ways” can we research, plan and construct to achieve the goal?
  • How do we execute the plan without being detected?
  • What are the desired outcomes – noting the goal is either achieved, partially achieved or not achieved?

Please note that Pen Testing, again, is more like an audit and will look at “how many ways” we may gain access. In a Red Team we are more interested in what we can gain access to in the most direct manner.

Thus, for clarity, we can differentiate the core concepts in more detail and introduce another often misunderstood term:

  • Pen Testing – Is “audit” focussed and creates “noise” to identify all possible security vulnerabilities and misconfigurations.
  • Red Teaming – Is a “goal-oriented approach” and can create great value. More specifically:
    • Can simulate a stealthier attacker
    • Potentially uses a variety of methods and vectors (testing, anything that yields value or a foothold, social engineering, spear phishing) depending on the specific goal
  • Purple Teaming – This is all about assessing response and controls. Questions in this scenario to be asked are:
    • Are we detected?
    • How did we respond?
    • How did you respond?
    • How long did it take?
    • How adequate are your responses and controls: Are we stopped (cannot access the goal)?
    • Are we blocked (we now cannot come back)?
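As an added illustration (not part of the original page or Chaleit's own tooling) of how the Purple Teaming questions above can be answered with data: a Python scorecard that joins a constructed red-team timeline with the blue team's alerts, tags each step with the MITRE ATT&CK tactic it maps to, and reports whether each step was detected, how long that took, and whether it was stopped. All step names, timestamps and the step-to-alert attribution are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Action:             # one red-team step, tagged with the ATT&CK tactic it maps to
    step: str
    tactic: str
    at: datetime

@dataclass
class Alert:              # one blue-team alert, attributed to a red-team step in the debrief
    step: str
    raised: datetime
    contained: Optional[datetime] = None   # when the activity was stopped, if ever

# Constructed sample timeline (illustrative values, not from a real engagement).
ACTIONS = [
    Action("phishing email delivered", "initial-access", datetime(2024, 1, 10, 9, 0)),
    Action("beacon established", "command-and-control", datetime(2024, 1, 10, 9, 20)),
    Action("local admin obtained", "privilege-escalation", datetime(2024, 1, 10, 11, 5)),
    Action("file share enumerated", "discovery", datetime(2024, 1, 10, 13, 0)),
    Action("trophy file copied out", "exfiltration", datetime(2024, 1, 11, 8, 30)),
]
ALERTS = [
    Alert("beacon established", datetime(2024, 1, 10, 9, 50)),
    Alert("trophy file copied out", datetime(2024, 1, 11, 9, 0), datetime(2024, 1, 11, 10, 15)),
]

def scorecard(actions, alerts):
    """Per step: was it detected, how long did that take, and was it stopped?"""
    by_step = {a.step: a for a in alerts}
    rows = []
    for act in actions:
        alert = by_step.get(act.step)
        rows.append({
            "step": act.step, "tactic": act.tactic,
            "detected": alert is not None,
            "time_to_detect": alert.raised - act.at if alert else None,
            "stopped": bool(alert and alert.contained),
        })
    return rows

def summary(rows):
    """Engagement-level answers: detection rate, mean time to detect, coverage gaps."""
    detected = [r for r in rows if r["detected"]]
    mttd = (sum((r["time_to_detect"] for r in detected), timedelta()) / len(detected)
            if detected else None)
    return {"detection_rate": len(detected) / len(rows), "mean_time_to_detect": mttd,
            "steps_stopped": sum(1 for r in rows if r["stopped"]),
            "undetected_tactics": [r["tactic"] for r in rows if not r["detected"]]}
```

The `undetected_tactics` list is the blue team's gap list: each tactic on it is a kill-chain stage that produced no alert and therefore needs new or tuned detections.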

The Cyber Kill Chain

When we explore the actual execution of a Red Team exercise, we typically focus on the External Perimeter, Phishing, Application compromise, Social Engineering etc., and during this process we must establish the value and outcomes through a structured approach.

An example of a very simple chain is as follows:

1. Undertake intelligence gathering (OSINT) & establish the attack surface.

2. Develop our approach using threat models.

3. Research, Identify and use a vector.

4. Deploy the payloads.

5. Gain initial foothold.

6. Establish persistent access (simulating command / control).

7. Escalate privilege(s).

8. Perform internal reconnaissance (discover and map systems, assets etc.).

9. Locate the critical resources.

10. Bypass credentials / compromise systems.

11. Exfiltrate the (goal) data / trophy.

12. Note what else is possible.

A Typical Red-Team Construction

A commercial Red Team exercise is not always a true representation of what would happen in the real world for three simple reasons:

1. Efficiency – As we are working in a consultancy capacity, there is a requirement for interaction.

2. Coverage – We may want to find multiple ways to gain access or achieve goals.

3. Commercial Reality – Our work together does need to be on a budget.

Some points of note:

  • There are efficiencies to be gained: the work can be artificially accelerated, accepting some compromises in our approach when compared, for example, to a real attacker (but still in the same spirit).
  • We may introduce interaction points to gain clarification on various matters (to expedite our work), to exercise caution around sensitive production systems etc.
  • We may accept that it is not a true “Red Team” in nature, in that more than a few key people will be aware of it.
  • We could potentially be detected! If this is the case we can still work on other approaches and methods, and still see if the goal can be achieved in any event.

The Real World

Naturally, all Red Teaming of this nature is carried out under commercial contracts, which limit the amount of time available to be spent on goal attainment. There are, however, some practical ways in which we can achieve a balance together: creating a real-world simulation while still meeting the requirements of the three construction points above.

1. We can create a campaign-based approach: undertaking the exercise over a longer period of time and being asynchronous in nature.

2. There will be lots of enumeration work to create a threat model and map the attack surface.

3. We can potentially avoid security mechanisms detecting us (IDS/FW/EDR etc.) by researching how to bypass your detection mechanisms once we have mapped them.

To Conclude

Red Teaming is a highly creative, interesting and as-real-world-as-possible approach to simulating the various attacks you may be subjected to, and an opportunity to test your defences. It also presents further value and opportunity to establish the effectiveness of controls (detect, assess, contain, respond etc.), at which point it becomes a Purple Team. Red Teaming is very much a two-way process and is used as a separate set of tools in addition to your traditional Penetration Testing program.