The third phase of a red team assessment is target identification. In this phase, the red team moves from general information collected about the target to detailed information and potential plans for gaining access to the target environment and preparing to achieve operational objectives.
Scoping the Phase
In the reconnaissance phase of the assessment, the red team collects “big picture” information about the target. This involves getting a picture of the organization’s operations and defenses and identifying potential paths to achieving the goals of the operation. These operations are mostly “passive” in nature, not interacting with the target’s systems or doing anything with a high probability of detection.
As part of target identification, the red team takes a deeper, more active look at certain systems on the target network. Based on the information collected as part of reconnaissance, the team can target their data collection efforts toward targets which may provide access to the target network and use techniques less likely to be detected by the target. The goal of the phase is to collect the information necessary to generate a plan of attack for gaining access to the network.
Achieving Phase Goals
The end goal of the target identification phase is finding one or more ways in which the red team can gain access to the target system and achieve their objectives. The previous phases of planning and reconnaissance are designed to provide a rough plan and high-level data, and, in this phase, the red team works to fill in the holes. The main goals of this phase are collecting detailed data on potential targets and analyzing it to develop potential plans of attack.
In the target identification phase, the red team starts actively performing data collection on the target network. This primarily consists of network scanning, and one of the main concerns is performing these scans without compromising the secrecy of the red team assessment.
Network scanning is one of the primary ways to collect information about a network. However, the term covers a lot of different things. As part of target identification, the red team’s network scans may include port scans, service enumeration and banner grabbing, operating system detection and vulnerability scanning.
Port scanning is the most basic type of network scanning. When performing a port scan against one or more machines, the red team tries to connect to ports on the machine in order to identify open ports listening for connections. The goal of this is simply to identify what services may be running on the machine.
The next step up in terms of information gathered is service enumeration. Many programs, when connected to, send a banner message providing some basic details about the services provided. By connecting to these ports with a protocol like Telnet, the red team can collect valuable information about the specific service running on a port, which is useful information when trying to identify exploitable vulnerabilities.
Operating system (OS) detection collects information about the OS running on a given machine based upon how it responds to certain requests. Different OS vendors implement the network stack differently and may provide different responses under certain circumstances. While performing OS detection, the red team tests these corner cases in hopes of identifying the specific operating system in use.
For these three types of scanning, Nmap is a great tool. It’s available for free as both a command-line tool and as a GUI-based tool called Zenmap on Windows.
Vulnerability scanning is the most useful and detectable type of network scanning. By collecting information about the services running on the machine (banner grabbing) and their responses to certain types of requests, vulnerability scanners can determine whether or not a computer is vulnerable to certain attacks. Nessus is a common (but pricey) tool for this. Another great option is the community version of the OpenVAS Vulnerability Scanner (see here for information on setup and use).
An important thing to keep in mind while doing in-depth data collection for target identification is the need to maintain anonymity. If the red team is detected during the scanning phase of the operations, the network defenders will be put on guard and gaining and maintaining access to the target network will become much more difficult.
Red teams need to balance their need for secrecy with the need for detailed information. This means that some of the scan types discussed previously (especially vulnerability scanning) are unlikely to occur in a real assessment since they are too easy to detect. Other scans can be modified to make them less detectable (e.g., using “stealth” scans like NULL, FIN and XMAS).
The use of proxies and IP spoofing are other options for concealing the identity if not the existence of the scanners. It’s important to remember, though, that using a spoofed IP without the owner’s consent may be illegal if you are performing illegal actions while masquerading as someone else.
The goal of the reconnaissance and the first half of the target identification phase is data collection. By learning as much as possible about the target network, a red team maximizes the probability that it can find an exploitable vulnerability in the target’s defenses. To do so, it’s necessary to process all of the raw data collected and use it to build a workable plan.
The first few phases of the operation (planning, reconnaissance and target identification) are often performed multiple times. While analyzing the collected data and developing a plan of attack, the red team may discover that they are lacking some crucial piece of information and need to return to reconnaissance or network scanning to find it. The team may determine that their initial plans for gaining access are unworkable and need to return to the planning stage to work out an alternative. This is why the data analysis phase is crucial in an assessment: It’s much better to find out a flaw in the plan now than try to improvise in front of an unamused security guard.
Setting the Stage
The end goal of the target identification phase is setting the stage of the initial phases of the actual attack on the target network. This phase is the culmination of the first three stages, moving from defining the goals of the assessment through data collection to developing workable plans for gaining access to the target and achieving these goals.
The end result of a successful target identification phase is a collection of flexible but well-researched and thoroughly vetted plans of attack. These plans should be supported with the necessary information to support improvisation when something goes wrong and should be designed to minimize the probability of the red team being detected in the process of achieving their objectives.