3 Principles of Red Teaming

I wanted to take a minute to write about some critical red team theory. Hopefully you can think back to these ideas if you get stuck in a difficult engagement. In this post I'm going to cover the principle of economy, the principle of access, and the principle of humanity. These are concepts I often cover with new red teamers, so I wanted to blog these principles to get more community feedback and to record the advice. I'm also a big believer in learning theory to help guide one's practice. These offensive principles should help you plan your attack in many situations, with a few caveats I will add, and they can generally be applied to most scenarios where you need to gain access to a target's network or data. I think there are many principles to red teaming (drop your favorites in the comments), but these are three that have always served me well.

Principle of Economy
As we've talked about on this blog before, security operations are a cost center. That means you shouldn't be paying more for security than the thing you are trying to protect is worth. From a red team perspective, this means the target has a limited budget, or a limited amount of resources, that they are willing to devote to protecting the asset. Further, they normally have to keep business operations running during an incident, since that is what the organization exists to do. This can help you gauge what their response to an incident may be, when it will become an intolerable issue for them, and how much money they may allocate to solve it. While it's easier now to bootstrap a CNA (computer network attack) program using open source tools, it's also much easier to get caught by modern intrusion detection solutions. This means the red team should invest in their CNA program comparably to what the defense has invested in their CND (computer network defense) program, otherwise the red team's tools will be detected and countered with little effort. Organizations that make little to no effort on either the offensive or defensive side are in a default vulnerable state and can easily be taken advantage of by organizations that make the minimum investment to protect their assets. An organization with no security program can be compromised with the bare minimum investment in open source tooling, whereas an organization that has made some investment in CND could counter that same CNA program using the bare minimum of tools. The hidden constraint in these budgets is actually operator skill, and this has a massive impact on the outcome of an operation. Talent can stretch a budget incredibly far, or waste it on the wrong investments, depending on the operators' expertise and ability to innovate. The principle of economy is an important one because it helps dictate what resources an organization has to play with, which in turn tells you the investment it may take to breach the target organization.

Principle of Access
There is always a system with legitimate access to the target, and a means to use it, so long as the data is valuable to the organization. If the data is being used, there is a legitimate path to it, and an attacker can find and abuse that path. One should assume access to the data exists in some form whenever the data is in use. This is why it's so important to understand network admin hunting techniques, such as using tools like PowerView or BloodHound. Red teams often go for domain admin or administrator accounts on the IT network; however, this is a means to an end and not their true objective. By first obtaining that level of access they can easily reach whatever resource they are truly targeting. Gaining access can be broad, as in hunting domain admins, or it can be targeted, but understanding how to access your resource is a critical red team skill. There is room to get creative with your access: for example, you can leverage credential reuse and move laterally, or you could wait for your target to authenticate to a bastion and then steal their access token. Blue teams can apply many restrictive tricks here, such as inbound and outbound access controls, to limit how people interact with data. Egress access controls, for example, can greatly hamper a red team from establishing command and control channels, aka an alternate access channel or a backdoor. Setting up bastion hosts is a good idea for gating access to more secure environments, i.e. forcing identity checks or re-authentication at multiple points. Similarly, airgapped systems can force attackers to move from purely network based access to other means. Thinking about how you will access the target and exfiltrate the data is critical in red team planning.
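To make the admin hunting idea concrete, here is an added example (written for this post, not code from the original and not BloodHound's own implementation) that does in miniature what BloodHound's path queries do: it builds a small directory graph from constructed MemberOf, AdminTo and HasSession edges with invented names, searches for the shortest chain of legitimate relationships from a compromised user to a target, lists which users have any route to an asset, and, for the blue team side of the same principle, reports the single relationships whose removal severs that route.

```python
from collections import deque

# Constructed toy directory graph, loosely modelled on the edge types BloodHound
# collects (MemberOf, AdminTo, HasSession). All names are invented for this example.
EDGES = [
    ("user:alice",          "MemberOf",   "group:helpdesk"),
    ("group:helpdesk",      "AdminTo",    "host:ws01"),
    ("group:helpdesk",      "AdminTo",    "host:ws02"),
    ("host:ws01",           "HasSession", "user:bob"),
    ("host:ws02",           "HasSession", "user:bob"),
    ("user:bob",            "MemberOf",   "group:server admins"),
    ("group:server admins", "AdminTo",    "host:fileserver01"),
    ("host:fileserver01",   "HasSession", "user:carol"),
    ("user:carol",          "MemberOf",   "group:domain admins"),
    ("group:domain admins", "AdminTo",    "host:dc01"),
    ("group:domain admins", "AdminTo",    "host:fileserver01"),
    ("user:dave",           "MemberOf",   "group:finance"),
    ("group:finance",       "AdminTo",    "host:finance-db"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search from a compromised principal to a target node.

    Returns the hops as a list of (node, relationship, node) tuples, an empty
    list if start == target, or None when no path exists. The visited map
    also keeps cycles (e.g. a DA group that is admin on a host that holds a
    DA session) from looping forever.
    """
    if start == target:
        return []
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parents:
                continue
            parents[nxt] = (node, rel)
            if nxt == target:
                hops = []
                cur = nxt
                while parents[cur] is not None:
                    prev, r = parents[cur]
                    hops.append((prev, r, cur))
                    cur = prev
                hops.reverse()
                return hops
            queue.append(nxt)
    return None


def who_can_reach(graph, target):
    """Every user with some path to target: the 'who actually has access' view."""
    return sorted(
        n for n in graph
        if n.startswith("user:") and shortest_path(graph, n, target) is not None
    )


def cut_edges(edges, start, target):
    """Edges whose removal, on their own, severs every path from start to target.

    For the blue team these are the choke points: breaking any one of them
    (clearing a session, trimming a group, revoking local admin) closes the route.
    """
    cuts = []
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        if shortest_path(build_graph(remaining), start, target) is None:
            cuts.append(edge)
    return cuts


if __name__ == "__main__":
    g = build_graph(EDGES)
    for hop in shortest_path(g, "user:alice", "group:domain admins"):
        print("%-22s -[%s]-> %s" % hop)
    print("can reach dc01:", who_can_reach(g, "host:dc01"))
    for edge in cut_edges(EDGES, "user:alice", "group:domain admins"):
        print("choke point:", edge)
```

Run as a script it prints the seven-hop chain from the helpdesk user to Domain Admins (a group membership, local admin on a workstation, a session belonging to a server admin, and so on up to a DA session left on the file server), the three users who can ultimately reach the domain controller, and the five relationships the defenders could break to close that particular route; the two workstation edges are not choke points because either workstation yields the same session.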

Principle of Humanity
This is one of the most abusable principles in red teaming. Computer systems are made for human use, and humans make mistakes. The majority of computer systems are designed for humans to use in multipurpose ways, and these versatile user systems are often the best place for an attacker to target. Find the people you know have the access, exploit the human element of their interactions with the systems (passwords, tools, applications, chat, network comms), and pivot through their access. Attackers have known this for a long time and have targeted the users or employees of an organization when they want access to corporate networks or corporate data; this is why spear phishing is such a popular technique for breaching corporations, and why so many APT groups rely on phishing: computers are multipurpose, and users need to communicate as well as accomplish business functions. It's the path of least resistance when it's easier to trick a human than to exploit a computer service for access to a system. It's also harder to detect when humans have been tricked than when computers have been exploited. It has long been said that users are the weak point in any security design, and when red teaming I find abusing legitimate users the best way to access target systems. Many large security conscious organizations, such as Google and Apple, are beginning to separate their people from direct customer data access. Other places have implemented "break glass" solutions, such that an alarm is triggered when any human user escalates to these levels of access or permissions. There can be exceptions to these principles too: for example, trying to exploit security conscious individuals may have the exact opposite of the desired effect, and the target may sound alarms if they suspect a person of doing something nefarious. Targeting, or choosing your mark, is a big aspect of the principle of humanity. Targeting is a heavily studied topic in both social engineering and marketing, and could be several blog posts on its own.

I find these principles can help you gauge an organization and determine the best course for intrusion. It breaks down to: how does an organization protect its target assets, how does the organization use its assets, and what are the human elements or exploitable points in that chain? Sometimes organizations have seemingly unlimited resources, often when the asset they are protecting is human life or defense related. Try to remember these lessons if you're in a pinch; they may help you innovate your way into a high security environment. If you want to read more red team theory I highly suggest the book "Network Attacks and Exploitation" by Matthew Monte. I hope these principles help you in your red teaming, as I've found them to be ubiquitously applicable, but let me know your thoughts and feedback in the comments section! The following is a much more in-depth presentation on red team tradecraft and methodology by Jason Lang, but you may recognize the same principles above highlighted throughout his talk and his methodology.