Red Team Assessment Phases: Completing Objectives
The purpose of this phase of the assessment is fairly self-explanatory. In previous phases, the red team performed the operations necessary to set themselves up for success in achieving the goals of the assessment. This phase is focused on achieving those goals and often happens somewhat in parallel with the previous phase (e.g., it would be ridiculous not to grab a “flag” on a compromised machine because the red team wasn’t prepared to grab all of them). In the end, completing this phase and all previous ones should result in achieving all operational objectives or the ability to describe in detail why one or more were impossible to complete (i.e., because the client was doing a good job).
Scoping the Phase
The scope of this phase is defined by the goals of the assessment as defined during the planning session and included in the red team assessment agreement. These goals may range from collecting a certain set of defined “flags” (like sensitive data that should be protected for regulatory compliance) to a more “freeform” exercise in which the red team is instructed to exploit the client’s organization as fully as possible. Depending on the goals of the assessment, the red team may engage in a variety of activities on the target network in order to successfully complete the assessment.
Achieving Phase Goals
The goal of this phase is fairly straightforward yet also depends on the specifics of a certain assessment. As part of the planning and negotiation phase of the assessment, the red team will determine and agree on the goals and rules of engagement of the exercise with the client. In this phase, the red team will explore and exploit targets, exfiltrate collected data and perform cleanup activities in order to achieve the agreed-upon operational objectives.
Most organizations have perimeter-focused cyber-defenses. The logic is that if they keep the “bad guys” out of the network, then it doesn’t really matter what’s happening inside of the network since all actions are taken by employees who (presumably) have no reason to try to harm the organization. However, once the red team has breached the organization’s defenses and established a foothold, this approach toward cybersecurity means that the red team has increased flexibility in what they can do.
Once inside the target network or on an exploited computer, exploration is key to a successful assessment. One of the responsibilities of the red team is to inform their clients about oversights in their cybersecurity. If a flag (like sensitive data) is known to be on a hardened machine, then trying to crack that machine is a must for the assessment. However, finding an unauthorized copy in a less-defended location is as if not more valuable to the client. By exploring each location that they’ve compromised, the red team brings a fresh set of eyes to the organization’s security and may find nuggets formerly overlooked as “impossible.”
Exploiting Targets of Opportunity
Depending on the terms of the red team assessment agreement, the goals of the exercise may not be clearly defined. In some assessments, the red team is provided with a set of “flags” to achieve (certain levels of access, credentials, data exfiltration and so on) and only finding these flags is necessary for a successful exercise. In other situations, the red team may be instructed to do anything that they can to exploit the network, with a full report of identified vulnerabilities to be reported at the end of the exercise.
In a more freeform exercise, exploitation of targets of opportunity is an essential part of the assessment. If, during target exploration, the red team identifies a way to gain access to a machine within the internal network, they should do so if it will not compromise the goals of the exercise (e.g., get them detected by the network defenders). Examples of targets of opportunity include unpatched services or operating systems, access to password hashes on a computer or domain controller and unattended documents or removable media discovered during a physical assessment. Since the red team testers are the “good guys,” it’s important to take care not to cause any unnecessary damage to the network or other operations.
In many red team assessment, data exfiltration is a crucial component of achieving the assessment objectives. In many cases, organizations want the red team to demonstrate the fact that data can actually be exfiltrated from the organizational network (since it’s difficult to breach data if you can’t get it off of the organization’s network).
In the previous phase, setting up covert communications channels was one of the goals of the phase. These methods may include using a certain port for something other than its intended purpose in order to take advantage of the fact that firewalls commonly leave certain ports open (80 for HTTP, 443 for HTTPS and so on).
Ncat (developed by the same group that makes the nmap network scanning tool) is a great tool for use in data exfiltration and command and control. By setting up a listener on an external computer and connecting to the listener on another, the red team can bypass firewall rules by creating an outbound connection (not commonly blocked) to a computer belonging to the red team. This connection can be used to control the remote computer (via shell access) and to exfiltrate data (including using TLS encryption).
An important final stage in this stage of a red team assessment is cleaning up the effects of the red team on the target environment. A folder full of hacking tools on exploited machines and log files showing access attempts to different computers make it obvious to a network defender that something is going on. For the assessment to be realistic, red teams need to cover their tracks so as to not make things too easy for the network defenders.
One of the most common techniques for cleanup is the destruction of log files (used in 75% of real attacks, according to some reports). While red teams need to remain secret in order to carry out a realistic and useful assessment for the client, care should be taken in the cleanup stage of the operation. For example, hackers may corrupt or delete log files to hide their attacks, but this is probably not a viable option for a red team since it may hurt the organization and hide a real attack that happens to be occurring at the same time as the assessment.
An alternative to full log destruction is selective deletion of compromising records on the log. By removing only the log entries that show their presence on the system, the red team can conceal their operations without hurting the security of the target organization against real attacks. Recording the original version of the log file (before deletions is also a good idea). However, the subject of cleanup should be discussed and included in the red team assessment agreement to ensure that the customer is comfortable with the red team modifying security logs on their environment.
Setting the Stage
The next and final phase of a red team assessment is reporting. In the end, the reason that the client is paying for the assessment in order to learn what they need to fix to secure their network.
In order to be successful in the reporting phase, the red team needs to take careful notes throughout the course of all of the preceding phases of the assessment. This allows them to provide comprehensive detail of their operations (which can be extremely important if something goes wrong) and detailed instructions for replicating exploits that can be used by the client to verify findings and test potential mitigations.