Fundamental concepts
TryHackMe Red Team Learning Path (updated 2022)
Differences between vulnerability assessment, penetration testing and red teaming.
Vulnerability Assessment
Usually performed using automated tools.
Focused on identifying as many vulnerabilities as possible.
Does not intend to exploit the vulnerabilities identified.
vs.
Penetration Testing
Identifies vulnerabilities, but also exploits them.
Demonstrates to the client how the vulnerabilities can pose a threat to the network.
Loud. We do not care about making noise.
Security controls (e.g. whitelisting) may have been removed or diminished during the testing for time considerations.
Rarely includes social engineering attacks.
vs.
Red Teaming
Most realistic test.
Focused on detection of and response to realistic threats (e.g. an APT).
Tests the defense mechanisms of an organization against real-world Tactics, Techniques and Procedures (TTPs).
Includes social engineering attacks.
Planning the mandate and the objectives is an important part of Red Teaming.
Is based on a specific scenario.
Focused on stealth and evasion.
DO NOT focus on identifying as many vulnerabilities as possible.
A Red Team engagement should not be viewed as a "Blue" against "Red" exercise. We are on the same team. Our goal is to improve the detection and response capabilities of the organization.
A cyber kill chain is a kind of template that traces the steps of a red team engagement.
Red Teaming Cell
The team is usually composed of a Red Team Lead (planning and management), Red Team Assistants (assisting the lead) and Red Team Operators (operational level).
Objective, Scope and Rules of Engagement
The objectives need to be identified with the client.
The client has complete control over the scope.
The scope explicitly indicates what is permitted and what is prohibited.
The Rules of Engagement (RoE) are a legal contract between the two parties. The redteam.guide site describes, and gives an example of, the main sections that need to be included in a RoE document.
Campaign planning
Different types of plans aim to better organize the actions that will be performed by the Red Team at each step of the engagement. The plans can include the timeline, the resources, the commands to run, the attack strategies, technical knowledge and requirements, the responsibilities of each operator and any operations to perform following the compromise of the target network (remediation plan, reporting rules, etc.).
A Red Team engagement is characterized by a lot of preparation and organization. Proper documentation is imperative. Since no official standard exists for campaign planning and documentation, each Red Team Cell may have its own recipe.
Concept of Operation
High level overview of the campaign.
Should be comprehensible for an individual with a low to middle level of technical knowledge.
Can be compared to a penetration testing executive summary.
The Team Engagement room by TryHackMe lists some elements that should be included in any operation plan:
Client Name
Service Provider
Timeframe
General Objectives/Phases
Other Training Objectives (Exfiltration)
High-Level Tools/Techniques planned to be used
Threat group to emulate (if any)
Resources plan
To be written in bullet-point format.
Lists which resources (human, technology, materials, monetary) are needed to perform the engagement and at which point in time.
Operation plan
Bullet-point and subsection format.
Flexible
Identify the objectives of the Red Team.
Identify the main TTPs and attacks to be performed (very high level)
Identify the communication method preferred by each Cell.
Can specify under which conditions the Red Team operations are to be stopped.
May contain the Rules of Engagement document.
Mission plan
Details of the specific operations to be performed by the operators (tells the operators what to do, when to do it and what to expect).
Cyber Threat Intelligence
A Red Team Cell can make use of Threat Intelligence research to gather information about the tools and behaviors of the APT groups it wants to mimic. A Red Team Cell would want to answer some of these questions:
What are the Tactics, Techniques and Procedures used by the APT group?
Who, or what kind of organization, is the APT group targeting?
What are the motives of the APT group?
Where is the APT group from?
What tools are used by the attackers?
What does C2 traffic from the APT group look like?
Some frameworks are used to map the TTPs used by attacker groups onto the cyber kill chain. For example, the MITRE ATT&CK framework maps the main TTPs used by attacker groups to each node of the kill chain.
(Figure: ATT&CK matrix with the TTPs used by the Carbanak group highlighted in blue.)
Another popular cyber kill chain framework is the Lockheed Martin Cyber Kill Chain.
OPSEC
OPSEC is an acronym from the U.S. military standing for Operations Security. This model highlights some considerations that a red teamer needs to think about in preparation for a Red Team engagement. In brief, the objective is to anticipate as many factors as possible that could prevent the Red Team from achieving its "mission" against the Blue Team.
The OPSEC model can be split into five steps.
Identify critical information
What information, if leaked, could threaten the success of the campaign? What information do I really want to protect from the Blue Team?
Ex: IP addresses, Red Team Cell members' names, public IP addresses, etc.
Threats
Can be summed up as "know your enemy". Who are the Blue Teamers? What are their capabilities? What information do they have? What defense mechanisms are implemented?
Vulnerabilities
The Red Team campaign can be negatively impacted by a combination of vulnerabilities within its own infrastructure, bad design and implementation mistakes that could pose a risk to the success of the campaign if known by the opponent.
Ex: using a vulnerable SQL server to gather phishing credentials.
Risks
Risk assessment is about assessing the risk that vulnerabilities pose to the success of the mission, in combination with the likelihood of the adversary being aware of the vulnerable systems and having the capabilities to use them against the Red Team.
Countermeasures
Any measures that are taken to remediate the vulnerabilities.