Step 1: Planning and Preparation
Managing the process starts with planning and careful preparation. A dedicated project manager works together with the Red Team lead and the White Team to create a schedule and a dedicated set of rules of engagement. Throughout the engagement, this schedule is followed and adjusted where necessary, and risks and scenarios are assessed on an ongoing basis.
Step 2: Reconnaissance
An important objective is to emulate realistic scenarios, using techniques and methods precisely like those used by real attackers. This is where the ‘Threat Intel’ comes into play.
If an attacker were to see your organization as a target and wanted to learn as much as possible about your internal processes, infrastructure, and data, what could they find out? Any Red Teaming strategy starts with an information position, and the better the position, the better the strategy. A lot can be found out about a company and its employees by using Open Source Intelligence (OSINT): social media, websites, and technical forums. At a later stage, physical access, social engineering, and phishing can be used. Combined, this wealth of information can aid an attacker (and the red team) in their attacks.
Step 3: Exploitation
Delivering a malicious payload into the target network can take many forms, but currently the easiest and most efficient is, again, (spear)phishing. It can be used to harvest credentials for core applications and to deliver malware directly. However, delivery of a payload can also be done through a physical USB device, a rogue network device, or a compromised laptop. In all cases, the delivery leads to the following step: exploiting a vulnerability to gain a foothold.
Step 4: Post-exploitation
Gaining a foothold is achieved by successfully delivering an exploit, executing it, and not being detected. This usually leads to a compromised system in the network of the target. The compromise itself can take the form of installing our piece of custom ‘controlled malware’. We then pivot through the network, moving closer and closer to the crown jewels by jumping from one server with specific access rights to another with more privileges. Gaining domain administrator rights in a Windows network is usually the last step before access to the crown jewels can be achieved.
Step 5: Exfiltration
Once the crown jewels (or anything else of interest, such as captured network traffic, the database of domain password hashes, or the Exchange email server database) have been reached, it is time to exfiltrate this data. This tests detection capabilities on outbound traffic and detection of transfer of funds (as well as the capability to respond to these actions). When this has been achieved, the attack chain has been fulfilled.
Step 6: Clean Closure
Clean closure does not only mean managing the leftover digital remnants of the executed attacks. It also means providing the blue team with one or more evaluation sessions in which the full timeline is replayed in a workshop, maximizing learning and awareness. The clean closure and evaluation also include a detailed report and our perspective on your overall security maturity within your threat landscape.