Train as you Fight:

Are you ready for the Red Team?

An inside look at Red Teaming

Yves Morvan

Twitter: @morvan_yves

Email: [email protected]



Agenda

• Introduction

• What is Red Teaming?

– VAs vs. Penetration Test vs. Red Teaming

• Who Needs Red Team Exercises?

• CDX – Cyber Defense Exercise – How does the Red Team fit in?

• The Red Team

– The People, the Infrastructure, The Tools

– Methodology

• Coordinating it all

• Fun and profit!

• Questions


Introduction

Yves Morvan

• IT Security Professional, 14+ year public servant, husband and father of 2 boys.

• Part-time chef, musician

• Pen Tester with Secure North IT

• Senior Penetration Tester / Security Researcher at DND’s Information Management Engineering & Integration Unit (DIMEI)

• Red Team Leader at Canadian Forces Network Operations Centre 2007-2016.


What is Red Teaming?
Vulnerability Assessment vs Penetration Test

• What is Red Teaming?

– VAs vs. Penetration Test vs. Red Teaming

• Most organizations understand VAs & Pen Tests

– Should already employ a VA / Pen Test strategy

• Vulnerability Assessments

– Utilize automated tools to identify known vulnerabilities, misconfigurations, processes, etc.

• Penetration Tests

– VA included

– Exploit vulnerabilities discovered during the VA


What is Red Teaming?
Red Team Exercise vs Penetration Test

• Simulating a threat actor vs. exploiting each vulnerability

• Time allocated to a Red Team is much greater than for a Pen Test

• Scope for Red Team exercises is typically much greater than for a Pen Test

• Objectives vary

– The Red Team is attempting to accomplish a goal / objective.

– A Red Team EX provides a snapshot of the overall security posture of the organization.

– A Pen Test confirms the level of risk a vulnerability exposes a system / network / organization to.


Who Needs Red Teaming?

• Obviously! EVERYBODY!

– Improve Security Posture

• Organizations with a mature penetration testing strategy will benefit most.

• Assists organizations in prioritizing which elements of the enterprise receive pen tests, and in tracking progress.

• Findings will provide the organization with its overall security posture against a determined adversary with specific goals in mind.

• This does not mean VAs and pen tests are no longer required, quite the opposite.


Who Commissions Red Team Exercises?

• CEO / CIO / CSO

– High level executives will request the exercise

– Full access to the Red Team as trusted agents.

• Unbeknownst to the Incident Handlers, surveillance analysts and blue team operators.

• Have the power to stop the Red Team at any point

– Actual cyber attack is occurring

– Red Team can assist in the hunt


How does the methodology differ?

• Emulating real world threat actors

– Much stealthier than a Pen Test

– No ‘noisy’ vulnerability assessment tools. A low and slow approach is often utilized to prevent / lower the risk of detection

• Tools / capabilities limited only by Red Team capabilities

– Home brew custom tools.

– Non-commercial tools for Command & Control (C2)

– Must study real world actors based on numerous indicators and evolve accordingly

– Exploits must be properly reviewed / vetted to ensure success and not affect client systems in a negative fashion.

• Time – Less required to get immediate results – Low and slow


Red Team Assessment Phases

• Cyber Kill Chain Model:

– Recon

– Weaponize

– Delivery

– Exploitation

– Installation / Foothold

– Command & Control

– Act on objectives


Red Cell Exercise Background:

What is CDX?

CDX is a 72 hour computer security competition between US and Canadian military post graduate schools designed to foster education and awareness among our future military leaders about the role of Information Assurance (IA) in protecting the nation’s critical information systems.


Red Cell Exercise Background:
What is CDX?

The goal of the annual Cyber Defense Exercise (CDX) is to provide a simulated real-world educational exercise that will challenge the students to build secure networks and defend those networks against adversarial attacks.


Red Cell Exercise Background:
What is CDX?

• I am using CDX primarily as the backdrop to this presentation in order to provide insight into military style cyber exercises.

• I cannot discuss real world Red Team engagements

• The idea is to enforce the notion of “train as you fight”


What is CDX?

The Players

• White Cell

– Trusted Agents / Referees

• Gray Cell

– Simulated or human generated traffic / actions

• Blue Cell

– Defenders / Incident Handlers

• Red Cell

– OPFor / Threat actors


Cyber Defense Operations are an ongoing battle that requires significant investments in resources and infrastructure.

Exercising your capabilities is key in identifying flaws or weaknesses that can be bypassed or leveraged by the Attacker.

Be it CDX or real world


The Red Cell

The People


The Red Cell
The People

Coordinating a large team of attackers is not as simple as one would imagine; some people are:

– Used to working alone or in small groups

– Multi-talented individuals

– Experts in certain fields

We need to be a coordinated set of capabilities to bring the pain and achieve our collective goals and objectives.



The Red Cell
The People

• Teams are created based on various roles and capabilities.

• People are assigned to one or more teams.

• Team Leads work with their chain of command to keep everyone informed.


The Red Cell

The Teams

• Access

– Initial foot in the door and Reconnaissance

• Persistence

– Install foothold. We’re here to stay

• Post Exploitation (Windows / *NIX)

– Lateral movement, dump/steal creds, pivoting, cause general havoc!

• Web

– We have lots of fun here!


The Red Cell
Infrastructure

With numerous Red Cell teams and operators on keyboard at any given time you need . . .

INFRASTRUCTURE!!!


The Red Cell
Infrastructure

• Command and Control (C2) servers

– Team Servers

• Staging Servers

• Post Exploitation Servers

• Long Haul Servers

– Implants with multi protocol/agent support

And finally ..

• Redirectors!!!


The Red Cell

Infrastructure - Redirectors


The Red Cell

Initial Access example



The Red Cell
Tools

• Implants/Backdoors/shells/tools

– Cobalt Strike, MSF, Canvas, custom etc…

– WebShells, *NIX backdoors/implants

– Regular ole SysAdmin tools too!

• Wiki

– Knowledgebase of all things haxxor at your fingertips

• Test infrastructure

– You thought we didn’t test first?


The Red Cell

Tools

And of course, the people using the tools!


Coordinating it all

• What is everyone doing?

• What objectives are affected?

• What’s next?

• Next attack? Which team? What’s the plan?

• Who needs help? Who needs more time?

• Is everything documented?

• Did you sleep yet?


Coordinating it all
Chain of Command

Real World Red Team Scenario:

• High Level Executive

• Trusted Agent / Client

• Red Team Leader

• Day / Night Shift Leads

– Team Leads

• Task Leads

– Operators


Coordinating it all
Chain of Command

Exercise Red Team Scenario:

• Exercise Director

• OPFor / Red Cell Director

• Day / Night Red Cell Shift Leads

– Team Leads

• Task Leads

– Operators


Fun and Profit

• Major breaches

• Social Engineering

– Don’t use your admin account to view a web defacement; it’s probably malicious

• Web Defacements

• Taunts / Jokes

• Evil things! Even we had to debate them for hours!

* Remember – These stories are from an exercise!


Taunt your opponent??


Do you want to join our team?


Questions?

OK

Beer?