Red Team Assessment Phases: Establishing Foothold and Maintaining Presence
In the previous phase, the goal was to gain initial access to the target network. The focus of this phase is to expand this access to the level necessary for achieving the objectives of the assessment. Common goals of this phase include ensuring access to the target network, establishing covert communications channels and expanding and deepening the red team’s foothold on the network.
Scoping the Phase
The goal of this phase is to move from initial compromise of a network to a position where it is possible to achieve operational objectives. At this point, careful data gathering and analysis should be performed to determine what types and levels of access are necessary for the success of the assessment. If, for example, domain administrator access to the network is not necessary for the assessment, pursuing it is a waste of time for the red team and may increase their probability of detection. The red team should carefully consider each goal of this phase and determine whether or not they are necessary before attempting them during an assessment.
Achieving Phase Goals
The goal of this phase is to move from initial access to a network (with potentially limited privileges and scope) to the level of access and control necessary to achieve the objectives of the assessment. Steps in doing so include ensuring continued access to the target network, establishing communication channels and establishing a beachhead on the network.
The first goal for this phase is ensuring that the red team’s access to the target network will be assured throughout the engagement. If the red team loses access at some point in the assessment, they’ll have to start over with gaining access to the network, which may be more complicated if the security team is aware of the attack.
The main concern in this step is ensuring that the red team isn’t detected during the attack. A FireEye report found that on average, hackers remain undetected on a network for 101 days after compromise, so the bar doesn’t seem that high. However, red teams need to be careful in their choice of tools and techniques to ensure that they remain undetected and that the assessment is successful.
A variety of different types of software have been developed for benign purposes and repurposed for malicious ones. Remote Access Toolkits (RATs) are one of the best examples of this. Developed to allow system administrators to easily handle administrative tasks on remote computers, they have been co-opted (and new ones have been developed) by hackers to control compromised machines since they provide a wide variety of functionality to a remote user.
RATs and other malware can be extremely useful to a red team attempting to maintain access to a compromised system. However, care has to be taken in the choice of malware used. A red team member needs to understand the capabilities and functionalities of the tools used to ensure that they will not cause damage to the target system. While unintentional damage may (and should) be covered by the red team assessment agreement, it doesn’t encourage repeat customers.
Collecting users’ credentials is a great way to ensure, expand and deepen the red team’s level of access and control on the target network. Forcing an organization-wide password change can be difficult for a security team and is unlikely to make a major difference if some users choose related, weak password as their updates (incrementing a number, changing one letter and so on). In general, password changes are only forced if there is suspicion of compromise, so gathering as many as possible improves the red team’s chances of one or more remaining usable even if they are detected and a password change is forced.
Methods for stealing passwords were discussed during the Gaining Access phase but trying to collect additional ones after compromising an account is even easier. With a user’s password, phishing emails can be sent from their account, increasing the probability of a click.
Administrator access to a computer can give a red team access to all of the password hashes stored on the computer (for offline cracking with John the Ripper or similar tools) via credential stealing malware. Access to the organization’s network allows sniffing of traffic and collection of embedded password hashes or passwords. Collecting passwords can be a crucial step in maintaining access, establishing a foothold and possibly achieving assessment objectives.
Establishing Communication Channels
Depending on the goals of the assessment, the ability to send messages to and from the target network may be essential for the success of the assessment. For example, some of the “flags” in the assessment may be documents or data that the red team needs to exfiltrate from the network in order to prove that security is lacking. Depending on the configuration of the network’s defenses, it may be impossible to do so without being detected or blocked by the security software.
During this phase of the assessment, the red team may need to set up covert communication channels to control compromised machines and/or exfiltrate data from them. There are a variety of options for this, depending on the configuration of the target network. Some options include tunneling over HTTP(S), using Internet Relay Chat (IRC) and data exfiltration via DNS. The specific choice made by a red team will depend on the target network and the needs of the team (e.g., bandwidth and speed requirements).
Building a Beachhead
In most cases, the level of access achieved during the gaining access phase will not be sufficient for completing the objectives of the assessment. The red team will need access to different machines on the network and may need elevated credentials on one or more machines. In this stage of the assessment, the red team identifies and gains the levels of access necessary for the assessment.
Depending on the techniques used to gain access to the target network in the previous phase, deepening the level of access may or may not be necessary. If it is possible to achieve the operational objectives of the assessment with the original level of access, there is no need to spend time and possibly be detected trying to achieve elevated privileges. However, many red team operations do require elevated privileges on the target network and this phase is when they should be sought.
Elevated privileges can be achieved in a variety of ways. If the hash of an administrator-level password on a crucial computer or a domain administrator’s password hash is accessible to the red team, then offline password cracking may be the way to go. Depending on how well the computers and other network devices are maintained and patched, vulnerabilities may exist than can be exploited for privilege escalation. With internal credentials on the network, a red team may be able to launch more plausible and sophisticated social engineering attacks that could snare elevated privileges. Whatever the means used, the red team shouldn’t risk detection by trying to collect elevated privileges or credentials unless they are essential to achieving one or more of the operational objectives.
Internal Reconnaissance and Pivoting
Most organization’s cybersecurity defenses are perimeter-focused. The complexity of hardening and monitoring every machine and communication channel within an organization’s network means that most security devices are deployed to separate the “trusted” network from the “untrusted” Internet.
This provides opportunities to a red team that has gained a foothold on a machine internal to the protected network. Some scanning techniques may be easily detected or foiled if performed by an external computer buy could fly under the radar if performed from an internal machine. Network information can also be collected passively by examining access logs and ARP caches to determine IP addresses and potentially purposes of different machines within the network.
Once inside a network, it is also easier to infiltrate other machines within the network. User credentials may be shared across multiple computers, allowing cracked passwords collected from one machine to be used to breach another. Vulnerable services may only be accessible internally, allowing a red team to pivot from one machine to another. By subtly compromising other machines, the red team expands their foothold on the network and improves their probability of retaining access and being able to achieve the goals of the assessment.
Setting the Stage
The goal of this phase of the assessment is to set up the red team for success in achieving the objectives of the assessment. A successful phase includes achieving all of the types and levels of access that are anticipated to be necessary for achieving the objectives without being detected by the target’s security team. If the red team is confident of success in achieving their goals, then they are ready to move on to the next phase of the assessment.