Red Team Attack Simulation

Attack Simulations: Evaluating Defences with a Red Team Makes You More Secure

Red Team Attack Simulations offer an organisation a realistic evaluation of its ability to handle a live cyber incident, putting systems and defence teams through their paces. The Red Team begins by planning the attack simulation well ahead of the event, while the defenders are kept largely blind to the nature and timing of what is coming.

The offensive security strategy then tests and challenges each of the organisation’s defences (people, processes and systems) to see how they react under stress conditions. Attack simulations provide a greater understanding of the organisation’s cyber preparedness and provide valuable insights to managers and incident responders to help improve their response process.

Let’s take a look at how Red Team Attack Simulations work and help you decide whether this kind of engagement is right for you.

Step 1: Confirm Testing Objectives

Red Team Attack Simulations are broad in scope but focus on specific, targeted objectives based on the real and most likely threats to the organisation. These objectives drive the Red Team Attack Simulation and are tied to critical business functionality or assets (i.e., the ‘crown jewels’).

For example, a financial services institution’s primary security concerns could include the ability for an adversary to perform an unauthorised monetary transaction or to encrypt core business systems as part of a ransomware style attack.

Step 2: Identify Threat Actors

Sekuro makes use of Threat Intelligence to identify realistic, real-world threat actors and to understand and emulate their known methods of attack, thereby creating and executing a realistic simulation.

In our example, ransomware groups are currently known threat actors targeting financial services institutions.

Step 3: Confirm Attack Approach

Once defined and understood, these testing objectives and threat actors enable us to identify high-level attack scenarios and approaches.

Following our example scenario:

  • To simulate a ransomware-style attack, Sekuro would attempt to create ‘dummy’ files, then exfiltrate and encrypt those files on a number of selected critical hosts. These actions simulate the operational approach of a ransomware attack without overwriting sensitive files.
  • To simulate an unauthorised transaction, we would attempt to gain access to financial systems. Access would be demonstrated by submitting a ‘test’ transaction record with specific debug string values that would purposefully not be processed by the automated system.

Once the scenarios and realistic attack approach components are agreed upon, Sekuro performs the controlled attack execution.

An attack simulation flow for our example could include the following steps:

1. Reconnaissance

The process commences with reconnaissance and identifies a recruitment web application containing employee names and emails. The employee details are added to a compiled list of accounts that are gathered from other resources such as LinkedIn and breached database websites.

2. Initial Access

Next, we perform a password spraying attack against Office 365. This attack reveals a number of valid accounts with weak passwords. However, all of these accounts require multi-factor authentication (MFA). Of these accounts, those using the MFA mechanism ‘Push Notification Authentication Approval’ are noted and set aside.

3. Access Verification

For the next few days, during the morning and post-lunch periods, Sekuro authenticates to Office 365 with these specific accounts, waiting for unsuspecting users to approve the push notifications on their phones. Using this method, we are able to authenticate as several different users.
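As an added, defender-side example that is not part of Sekuro's post: a small Python check over constructed, simplified sign-in records that flags the two patterns in steps 2 and 3 above, a single source touching many accounts with few failures each, and an account that receives repeated MFA push prompts from one source before a success from that same source. The record layout, field values and thresholds are assumptions for illustration, not the Office 365 sign-in log schema.

```python
from collections import defaultdict
from datetime import datetime

# Added example; constructed records with assumed field names (not a real O365 schema).
# Each record: (timestamp, user, source_ip, result), result in
# {"success", "bad_password", "mfa_pending", "mfa_denied"}.
SIGNINS = [
    ("2024-03-04T09:01:00", "alice@corp.example", "203.0.113.7", "bad_password"),
    ("2024-03-04T09:01:05", "bob@corp.example",   "203.0.113.7", "bad_password"),
    ("2024-03-04T09:01:10", "carol@corp.example", "203.0.113.7", "mfa_pending"),
    ("2024-03-04T09:01:15", "dave@corp.example",  "203.0.113.7", "bad_password"),
    ("2024-03-04T09:01:20", "erin@corp.example",  "203.0.113.7", "bad_password"),
    ("2024-03-04T09:01:25", "frank@corp.example", "203.0.113.7", "mfa_pending"),
    ("2024-03-05T08:55:00", "carol@corp.example", "203.0.113.7", "mfa_denied"),
    ("2024-03-05T13:10:00", "carol@corp.example", "203.0.113.7", "mfa_pending"),
    ("2024-03-06T08:58:00", "carol@corp.example", "203.0.113.7", "success"),
    ("2024-03-04T09:30:00", "alice@corp.example", "198.51.100.9", "success"),
]

SPRAY_MIN_ACCOUNTS = 5   # one source touching this many distinct accounts ...
SPRAY_WINDOW_SEC = 300   # ... within this window looks like a spray (assumed thresholds)
PUSH_MIN_PROMPTS = 3     # repeated MFA prompts the user did not initiate

def detect_password_spray(records):
    """Sources hitting >= SPRAY_MIN_ACCOUNTS distinct accounts within the window.
    A spray keeps per-account failures low, so lockout-based alerts never fire."""
    by_source = defaultdict(list)
    for ts, user, ip, result in records:
        if result != "success":
            by_source[ip].append((datetime.fromisoformat(ts), user))
    flagged = set()
    for ip, events in by_source.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if (t - t0).total_seconds() <= SPRAY_WINDOW_SEC}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                flagged.add(ip)
                break
    return flagged

def detect_push_fatigue(records):
    """Accounts with >= PUSH_MIN_PROMPTS pending/denied pushes from one source,
    followed by a success from that same source (the step 3 pattern)."""
    prompts = defaultdict(int)
    for _, user, ip, result in records:
        if result in ("mfa_pending", "mfa_denied"):
            prompts[(user, ip)] += 1
    return {user for _, user, ip, result in records
            if result == "success" and prompts[(user, ip)] >= PUSH_MIN_PROMPTS}
```

Both checks key on the source rather than the account, which is what a lockout policy misses; in a real deployment the thresholds would be tuned against the tenant's baseline sign-in volume.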

4. Lateral Movement

Once authenticated, Sekuro obtains remote access to Outlook, SharePoint and OneDrive via the Office 365 portal in the context of the compromised user accounts.

5. Deploy Assets

Via this access, Sekuro identifies popular working files, some of which use macros. We create backups and then proceed to backdoor the original files by embedding malicious macros in the documents. When executed, the macros download and run a payload that connects back to the Red Team.

6. Remote Access Confirmed

As a result of these ‘watering hole’ attacks, we obtain interactive remote access to user workstations. Sekuro leverages scheduled tasks to maintain persistent access, as per the approach recommended by Threat Intelligence.

7. Internal Enumeration

With a foothold in the corporate network, we proceed with internal network reconnaissance, performing scanning to obtain information about the Windows Domain.

8. Outdated Software

During enumeration, Sekuro detects an outdated VMware vCenter server that is vulnerable to a remote code execution flaw, which is exploited to gain SYSTEM-level privileges on the affected host.

9. Privilege Escalation

By dumping LSASS memory and cracking password hashes, we identify credentials for an existing user account with direct access to vCenter.

10. Gather Credentials

Using these compromised credentials, Sekuro further dumps the memory of the LSASS process from virtual machines, including Domain Controllers. These memory dumps are then exfiltrated, and credentials are extracted offline using Mimikatz.

11. Domain Administrative Access

With these credentials and leveraging the key material extracted from the Domain Controller, Sekuro establishes Domain Administrative access and persistence.

12. Demonstrate Impact

From this point, Sekuro uses valid credential material to perform Over-Pass-the-Hash attacks to assume the identity of domain accounts and access the list of high-value target systems.

On these target systems, the team performs the simulated ransomware operations to create, exfiltrate and encrypt ‘dummy’ data files, thereby demonstrating the ability of an attacker to carry out a ransomware attack against the network.

13. Understand Processes

Sekuro also identifies a Content Management System (CMS) that can be accessed with previously compromised credentials and that contains detailed documentation for all critical IT business infrastructure, including the mainframe.

14. Monitor User Sessions

Next, we target users within the mainframe accounts group. By discovering which workstations have regular active sessions and deploying keyloggers to monitor these systems and users, Sekuro learns how users access and interact with the mainframe.

15. Objective Achieved

Leveraging the information identified via the CMS and observed mainframe user activity, Sekuro demonstrates its access by performing an unauthorised transaction via the mainframe: emulating real user activities and processes and submitting a ‘dummy’ test transaction record, thereby demonstrating the ability of an attacker to perform an unauthorised transaction.

Step 5: Attack Reporting

Sekuro’s reporting process focuses on the paths and steps taken to reach the core objectives (i.e., what we did to get there, how sophisticated our attack was and how feasible it is for a real-world threat actor to execute). To enable wider, non-technical understanding of the root cause, process and impacts, we create attack flow timeline diagrams.

In our example, the attack execution described above can be visually represented in the attack flow diagram below:

[Figure: Sekuro | Attack Simulation Reporting (attack flow diagram)]

As business security is also in our DNA, we know that results from a Red Team must be understood at a business level, and our executive summary is crafted with that audience in mind. Sekuro identifies the technical impact and translates it into the resulting business risk.

For more information on Red Team Attack Simulations, contact Sekuro today to talk to an expert.

Riley Kidd

Principal Consultant, Sekuro

Riley is a technical security consultant with experience leading and building security teams to deliver technical projects and outcomes. He is currently a Principal Consultant at Sekuro and enjoys learning and teaching all things security.
