RED TEAMING – CAN YOU WITHSTAND A PROFESSIONALLY LED ATTACK?
1 WHAT IS RED TEAMING?
In the following article, we will explain exactly what “Red Teaming” means, how it differs from traditional penetration tests, how the “Red Teaming” approach is unique, and why it best simulates a real coordinated attack.
At Nethemba, we performed “Red Teaming” for many years before the term was publicly adopted – it is a combination of information gathering (OSINT), blackbox penetration tests, social engineering in the form of sophisticated spear phishing, and physical infiltration.
The Red Team is a professional team of hackers, social engineers and intelligence experts who can obtain, analyze and then use a lot of important information needed for the infiltration itself.
The Blue Team is a professional team of defenders – usually the customer’s system administrators – whose goal is to detect the Red Team’s attacks and stop them as far as possible.
The White Team is a small group of coordinators on the client’s side who oversee the individual teams; they are the only people informed about the Red Team attack.
Red Teaming is a sophisticated, coordinated attack that simulates a real hacker attack and tries to avoid detection by the so-called “Blue Team”. Under normal circumstances, the customer’s IT department (apart from the White Team coordinators) is therefore not informed of the attack. The Red Team itself usually has no information about the target infrastructure, systems or employees of the organization either; from this point of view it is a so-called “Blackbox test”. The only information the customer approves is a list of identified potential targets that the Red Team may attack (otherwise the attack could illegally hit infrastructure that the customer does not own) and a list of prohibited methods or practices that the Red Team must not use (e.g. DoS attacks, extortion or threats during social engineering, etc.).
Although the goal of the Red Team is not to identify all possible vulnerabilities, it uses more attack vectors than a conventional penetration test (such as social engineering).
Its goal is to capture a “flag”, such as obtaining domain administrator privileges or compromising a border router. This can be achieved in any way – from technical penetration of the systems themselves to psychological manipulation of the company’s main administrator.
The goal of Red Teaming is to test the company – to see how it responds to a complex hybrid attack that uses every available means to reach that goal.
The relationship between the Red Team and the Blue Team is asymmetric on two levels. The Red Team only needs to find one vulnerability to move forward in its attack, whereas the Blue Team must have every exploitable vulnerability fixed (and keep it fixed). At the same time, the Red Team only needs to make one mistake for the Blue Team to detect it (and, for example, block it completely), after which the Red Team must start again.
2 THE COURSE OF RED TEAMING
2.1 INFORMATION GATHERING
This is a passive, introductory phase of Red Teaming. The aim of this phase is to obtain as much information as possible from publicly available sources (databases, registers, search engines, social networks) that can be used for further penetration. These are mainly:
- IP address ranges and IP addresses that will later be subject to active testing (the list must be explicitly approved by the customer)
- A list of employees and their personal information (email addresses, phone numbers, personal preferences, the technologies they use, their locations, and the people they trust and communicate with). This information is then used in the targeted social engineering and enumeration phases
- Identification of customer partners (for possible impersonation in the social engineering phase)
- Identification of physical buildings, office spaces, description of their security (in case of physical infiltration)
2.2 TARGETED ATTACK ON THE INFRASTRUCTURE AND EMPLOYEES OF THE ORGANIZATION
A targeted attack on the infrastructure and employees of the organization can take place in parallel. Red Team members are in constant contact, sharing information with each other and using it during the attack itself.
2.2.1 BLACKBOX PENETRATION TEST OF THE EXTERNAL INFRASTRUCTURE
The blackbox penetration test of the external infrastructure can be performed as soon as the customer (White Team) approves the list of identified attack targets (in order to prevent attacks on unauthorized address ranges).
Unlike a usual blackbox penetration test, this one takes place in maximum secrecy (so-called “stealth mode”), from dedicated VPN or Tor nodes that are changed as needed. The standard goal is to gain access to the internal network (obtaining VPN access, compromising servers in the DMZ, or targeted attacks on clients – see “Social engineering” below).
2.2.2 SOCIAL ENGINEERING
Social engineering (in the form of spear phishing or physical infiltration), like the penetration test, has a specific goal (“flag”) and uses every method not explicitly prohibited by the customer to achieve it. This includes targeted phishing (spear phishing), often with specially crafted malware designed to compromise the end user’s mail client or browser and gain access to the internal network. Trustworthy-looking spoofed Internet domains, fake certificates, etc. are often used for this.
2.3 PRIVILEGE ESCALATION AND FURTHER INFILTRATION
If the attack on the infrastructure or employees of the organization succeeds and the Red Team obtains credentials for internal systems or manages to physically get into the building, it continues with privilege escalation and further infiltration.
2.3.1 INTERNAL NETWORK ATTACK
Gaining VPN user credentials or any other internal access (from the external penetration test or from social engineering) means that the Red Team continues to attack the internal network. These can be L2 / L3 attacks (for example, ARP poisoning) aimed at gaining control over the communication of internal workstations or servers (the techniques used are similar to those of an internal penetration test).
Unless the target flag is defined otherwise, the goal is to escalate privileges to domain administrator / root on key servers, or to gain full control over the main gateway.
An attack on the internal network can also include deploying backdoors so that the Red Team keeps its access in case the Blue Team fixes the exploited vulnerabilities.
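From the Blue Team’s side, the L2 attacks mentioned above (ARP poisoning) leave a characteristic footprint: IP-to-MAC bindings that contradict trusted static entries or flip over time, one MAC answering for several addresses, and bursts of gratuitous ARP. The following detector is an added example, not Nethemba’s code or tooling; the `ArpReply` records, the addresses and the thresholds are constructed for illustration, and a real deployment would feed it from a packet capture or from switch ARP tables instead.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply (or gratuitous ARP announcement)."""
    ts: float          # capture time in seconds
    sender_ip: str     # IP address the sender claims to own
    sender_mac: str    # hardware address attached to that claim
    gratuitous: bool = False


class ArpMonitor:
    """Blue-Team side detector for IP-to-MAC binding anomalies."""

    def __init__(self, static_bindings=None, burst_threshold=5, burst_window=10.0):
        # Trusted bindings the defender configures by hand (gateway, DNS, DC).
        self.static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.learned = {}                       # ip -> last MAC seen on the wire
        self.ips_by_mac = defaultdict(set)      # mac -> IPs it has claimed
        self.gratuitous_ts = defaultdict(list)  # mac -> recent gratuitous timestamps
        self.burst_threshold = burst_threshold
        self.burst_window = burst_window
        self.alerts = []

    def observe(self, reply):
        """Process one reply and return the alerts it triggered."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        triggered = []

        # 1. Claim contradicts a trusted static binding (gateway impersonation).
        trusted = self.static.get(ip)
        if trusted is not None and trusted != mac:
            triggered.append(("static_mismatch", ip, trusted, mac))

        # 2. Binding flipped compared to what was learned earlier.
        previous = self.learned.get(ip)
        if previous is not None and previous != mac:
            triggered.append(("mac_changed", ip, previous, mac))
        self.learned[ip] = mac

        # 3. One MAC newly answering for a second IP: typical of a man-in-the-middle
        #    relaying both the gateway's and the victim's addresses. Legitimate
        #    causes exist (VRRP/HA VIPs, hypervisors), so treat it as a lead.
        claimed = self.ips_by_mac[mac]
        before = len(claimed)
        claimed.add(ip)
        if len(claimed) > 1 and len(claimed) > before:
            triggered.append(("multi_ip_mac", mac, tuple(sorted(claimed))))

        # 4. Burst of gratuitous ARP from one MAC inside the sliding window:
        #    poisoning keeps re-announcing to keep victims' caches overwritten.
        if reply.gratuitous:
            window = self.gratuitous_ts[mac]
            window.append(reply.ts)
            while window and reply.ts - window[0] > self.burst_window:
                window.pop(0)
            if len(window) >= self.burst_threshold:
                triggered.append(("gratuitous_burst", mac, len(window)))

        self.alerts.extend(triggered)
        return triggered

    def alert_kinds(self):
        """Distinct alert types raised so far, in first-seen order."""
        kinds = []
        for alert in self.alerts:
            if alert[0] not in kinds:
                kinds.append(alert[0])
        return kinds


# Constructed sample traffic (not a real capture): a gateway at 10.0.0.1,
# a workstation at 10.0.0.50, and a rogue MAC that starts claiming both.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "AA:AA:AA:AA:AA:01"),
    ArpReply(0.5, "10.0.0.50", "bb:bb:bb:bb:bb:50"),
    ArpReply(1.0, "10.0.0.1", "cc:cc:cc:cc:cc:99", gratuitous=True),   # rogue claims gateway
    ArpReply(1.2, "10.0.0.50", "cc:cc:cc:cc:cc:99", gratuitous=True),  # rogue claims workstation
    ArpReply(2.0, "10.0.0.1", "cc:cc:cc:cc:cc:99", gratuitous=True),
    ArpReply(3.0, "10.0.0.1", "cc:cc:cc:cc:cc:99", gratuitous=True),
    ArpReply(4.0, "10.0.0.1", "cc:cc:cc:cc:cc:99", gratuitous=True),
]


def run_sample(replies=SAMPLE_REPLIES):
    """Feed the sample through a monitor that trusts the real gateway MAC."""
    monitor = ArpMonitor(static_bindings={"10.0.0.1": "aa:aa:aa:aa:aa:01"})
    for reply in replies:
        monitor.observe(reply)
    return monitor


if __name__ == "__main__":
    for alert in run_sample().alerts:
        print(alert)
```

On the constructed sample the monitor raises all four alert types in the order static_mismatch, mac_changed, multi_ip_mac and finally gratuitous_burst once five announcements from the rogue MAC fall inside the ten-second window. Static bindings for the gateway and domain controllers are the highest-value signal here; the learned-binding and multi-IP checks need tuning against DHCP churn and HA setups before they are worth paging on.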
2.3.2 CONTINUATION OF PHYSICAL INFILTRATION
If the Red Team physically enters the organization’s building, it continues the infiltration. Unless the target flag is defined otherwise, the usual aim is physical access to the server room or to the physical archive of sensitive documents (e.g. the CEO’s office). For this purpose, Red Team members use specialized hardware (mini cameras, portable Wi-Fi hotspots, smart-card cloning devices, etc.). They also carry a so-called “Get out of jail letter”, i.e. an official document that proves their intentions and the engagement if they are caught, so as to prevent possible violence.
3 FINAL REPORT
The resulting report, in addition to the management summary, contains a list of all the approaches the Red Team tried (most of which are dead ends). It documents exactly how the Red Team reached the goal and what obstacles it had to overcome along the way. It includes a list of exploited vulnerabilities together with how to fully, or at least partially, remediate each of them.
CAN YOU RESIST A PROFESSIONALLY LED ATTACK?
With our Red Teaming service you can find out in a few weeks. Try it and be surprised.
At Nethemba, we have 14 years of experience with all phases of Red Teaming, and we have carried them out countless times in complex, coordinated attacks. At the same time, we have a lot of experience in training system administrators (Blue Team) and application developers (Red Team).