After collecting extensive information about the target, it is time to use it for planning and executing the infiltration stage. This stage is meant to give initial (in most cases very limited) access to the target’s infrastructure, from where additional attacks can be performed in pursuit of the Red Teaming goals. Let’s see how such initial compromises usually happen.
Compromising the target’s network starts with taking over one (or more) systems or deploying a rogue device on the target’s network. To achieve this, a Red Team can take two routes: externally compromise a remote system, or infiltrate the target’s buildings and deploy a malicious device (and maybe infect some device on the way out). In this section we take a look at some of the most common techniques used to achieve initial compromise.
++ External Compromise
Performing attacks externally allows a Red Team to use a wider set of techniques and makes it easier for the team to conceal their identities. While the following list is not exhaustive, it includes the most common tactics used by Red Teamers while attempting to get into the target’s network.
- Spear phishing. One of the most common tactics used by APTs and thus by Red Teamers. Spear phishing is itself a variation of phishing and has a few derivatives of its own: Spear Phishing Link/Attachment/Service. This tactic focuses on approaching a target employee (or a few of them) through email, social networking sites or phone and trying to lure the victim into clicking a link, opening a malicious document or running a program. If performed successfully, the victim’s system is infected and/or their login credentials are stolen. From there a Red Teamer can continue with the next steps.
- External infrastructure exploitation. This tactic targets externally facing services which might be vulnerable. Such services include websites, SSH/RDP/VPN login interfaces, custom network services, etc. By leveraging the reconnaissance data gathered earlier, the Red Team decides which systems are likely to be vulnerable. Depending on the target’s infrastructure and the level of success, access to a portion of sensitive data and/or infrastructure can be gained after a successful compromise.
- Wi-Fi attacks. While sitting somewhere between an external and an internal attack, this tactic does not require physical contact with the target. Depending on the infrastructure and the surroundings, the target’s Wi-Fi networks can be breached from within the building (some shared space, like a reception area, restaurant, etc.) or from outside by using special equipment which increases signal strength and reception sensitivity (basically, a sophisticated antenna like those on Amazon UK or Amazon DE). Wi-Fi attacks can also be used by “invading” a target employee’s Wi-Fi space in the hope that his/her device will connect to a public (or trusted) Wi-Fi spot which is actively spoofed by a Red Teamer. Once the target’s device is lured into the Red Teamer’s network, it can be attacked with various techniques in order to infect the device or to extract sensitive details from the network traffic.
- Other. Some other tactics that might be used depend on the actual circumstances. For example, in case the target organization has a long history, Red Teamers might look up previous (direct or indirect) data breaches which were made public or sold on underground markets. Looking through previous data breaches, Red Teamers try to cross-reference potential employees and their compromised credentials to gain access to their corporate accounts. In some cases employees use their corporate email addresses to register on third-party websites, which might give a hint on how they structure their passwords. Additionally, sending custom “gifts” in the form of a USB stick/toy with pre-loaded malware can be used to lure victims into executing a malicious payload. Finally, the actual tactic depends on circumstances, but a bit of creativity combined with a twist of social engineering usually yields great results.
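Seen from the defender’s side, a spear phishing message such as the one described above usually carries a few tell-tale inconsistencies: a display name that claims to be the company while the real sender domain is not, a Reply-To pointing somewhere else, link text that shows one domain while the href points to another, and attachments that execute code. The following triage script is an added example (not part of the original post) that pulls those indicators out of a reported e-mail using only the Python standard library. The company domain, the risky-extension list and the sample message are all constructed for the example.

```python
"""Triage checks for a user-reported e-mail (defender-side, added example).

Parses an RFC 5322 message with the standard library and reports indicators
typical of spear phishing: a sender impersonating the company domain, a
Reply-To pointing elsewhere, links whose visible text disagrees with their
real destination, and attachment types that execute code when opened.
"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Domains the organisation actually owns (constructed for this example).
COMPANY_DOMAINS = {"example-corp.com"}
# Attachment extensions that run code when opened (illustrative, not exhaustive).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".lnk"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)


def addr_domain(header_value):
    """Return the domain of the first address in a From/Reply-To header."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else None


def link_mismatches(html):
    """Yield (visible_domain, real_host) pairs where the anchor text names a
    domain that is not the host the href actually points to."""
    for href, text in ANCHOR_RE.findall(html):
        real_host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and shown.group(0).lower() != real_host:
            yield shown.group(0), real_host


def triage(raw_bytes):
    """Return a list of indicator strings for one reported message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg["Reply-To"])
    display = (msg["From"] or "").split("<")[0].strip().strip('"').lower()
    # Display name drops the company name but the mail comes from outside it.
    if from_dom not in COMPANY_DOMAINS and any(d.split(".")[0] in display for d in COMPANY_DOMAINS):
        findings.append(f"display name impersonates company, real sender domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and any(fname.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"executable attachment {fname}")
        elif part.get_content_type() == "text/html":
            for shown, real in link_mismatches(part.get_content()):
                findings.append(f"link text {shown} leads to {real}")
    return findings


# Constructed sample of a reported message (not a real e-mail; domains are fake).
SAMPLE = b"""From: "Example-Corp IT Helpdesk" <helpdesk@examp1e-corp-support.net>
Reply-To: ops@mail-collector.invalid
To: alice@example-corp.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please re-validate your account at
<a href="http://login.mail-collector.invalid/x">https://sso.example-corp.com</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notice.docm"

AAAA
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

Running the script on the constructed sample lists four indicators. In practice the findings from every reported message would be fed into the ticketing system, so that several employees reporting mails with the same link host or attachment name show up as one campaign rather than isolated incidents.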
++ Internal Compromise
In order to use an internal compromise tactic, Red Teamers need to infiltrate the target’s buildings (or at least the surroundings) and look for ways to interact with the equipment or network. So first let’s see how a Red Teamer can get inside in the first place.
- Pretexting. This tactic relies on building a false sense of trust with the victim. One example is a Red Teamer dressed up as a technician, with the logo of the actual servicing company (internet service provider or logistics company) on his chest, approaching the receptionist with the explanation that he/she “was tasked to fix some issue”. A pizza guy carrying a few boxes of ACTUAL pizzas spreading the warm smell of bacon and chili peppers can’t be a thief, right? What about a cleaning lady arriving at the end of business hours to “clean the dirt”? If a Red Teamer is able to build solid trust, he/she will be able to get significant access to the target’s building(s).
- Tailgating. Another way to get in is simply by following a legitimate person entering the building. To increase the chances of success, additional social engineering tricks can be used. For example, if there is an obvious place where people gather for a smoke break, why not hang around that place, engage in some random conversation and then walk back to “your” office together with your “colleagues”? Another common example is to approach the entrance door with hands full of “heavy” boxes. If you try to get in together with some of the company’s employees, chances are high that someone will open the doors for you. Finally, trying to tailgate at a specific time, like in the morning (at the beginning of the business day) or just after the lunch break, raises fewer alarms, since it’s easier for a wolf to blend in when there is a ton of sheep, especially when the wolf has a visually similar-looking badge around his neck.
- Job interview. While being somewhere for the sake of a job interview can be a pretext for a pretexting tactic on its own, being there for an ACTUAL job interview is a completely different story. A Red Teamer can arrange a job interview and thus get inside with a trust relationship already established. On the way to the meeting room a Red Teamer can wander around the building, and if asked about the purpose of his/her presence in the building he/she can simply tell the real reason. Similarly, any “please wait, I will be there soon” moment can be exploited for reconnaissance or an actual compromise.
- Other. There are definitely other ways to get in, for example by picking a lock and breaking in after office hours. Going as far as applying for and accepting an internship is also a possibility, but everything boils down to a risk assessment of being caught. Thus, while there are endless creative ways to get in, one should not forget the boundaries of the law and the rules of engagement, and should take care of the client’s equipment and staff.
OK, so once a Red Teamer is in, what’s next? Well, the main goal is to infect some systems or to deploy a hidden device which acts as “an agent”. Let’s explore some of the techniques for compromising an internal system or attaching to an internal network.
- Planting malware. To infect an internal system a Red Teamer will first have a set of malware prepared for each type of operating system (Windows, Linux, Mac OS). This malware might be hosted on a remote server or carried on a USB stick, phone, etc. Next, an unattended and unlocked device needs to be found. Once a Red Teamer gains physical access, the malware can be deployed very quickly, either by copying and executing a file or by running some commands in a terminal. To speed up the process an attacker can use gadgets like Rubber Ducky (one can be bought on Amazon UK, Amazon DE, or elsewhere) or Bash Bunny (Amazon UK, Amazon DE), which make the task effortless.
- Planting a rogue device. In cases where no employee device is left unattended and unlocked, but a potentially unsecured network port is found, the route of planting a custom device (usually a Raspberry Pi with a custom Linux OS – Amazon UK, Amazon DE) which serves as “an insider” is usually chosen. Once on the network, such a device calls back home and awaits instructions, or simply opens up a backdoor communication channel (usually via an SSH connection).
- Hardware keystroke logger. To collect keystrokes in a stealthy way a Red Teamer can deploy a hardware keystroke logger (examples on Amazon UK, Amazon DE). Such a keystroke logger is virtually undetectable by software, since it works in a transparent mode and does not show up as a device. However, its deployment is tricky, since a Red Teamer needs to physically access the target’s computer. Nevertheless, versions with Wi-Fi support make it easy to collect the intercepted keystrokes without ever coming back to the “crime scene”.
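A planted device like the Raspberry Pi described above has to ask the network for an address before it can call home, so the DHCP server is one of the cheapest places to notice it. The script below is an added example (not part of the original post, and not any product’s code) that compares a dnsmasq-style lease file against an asset inventory and flags every MAC address that is not on the inventory, ranking first those whose OUI is registered to the Raspberry Pi Foundation / Raspberry Pi Trading in the public IEEE registry. The lease lines and the inventory are constructed; the OUI list is an assumption that should be checked against the current registry before use.

```python
"""Spot unknown devices on the LAN from DHCP lease records (added example).

Compares the MAC addresses seen by the DHCP server with an asset inventory and
returns everything that is not on it. Unknown devices whose OUI belongs to a
single-board-computer vendor are listed first, since a planted Raspberry Pi is
the classic "insider" device.
"""
from datetime import datetime, timezone

# Assumed input: a dnsmasq-style lease file, one lease per line:
# <expiry epoch> <mac> <ip> <hostname> <client-id>   (constructed sample)
LEASES = """\
1700000000 3c:52:82:11:22:33 10.10.4.21 ALICE-LAPTOP 01:3c:52:82:11:22:33
1700000000 b8:27:eb:aa:bb:cc 10.10.4.77 raspberrypi 01:b8:27:eb:aa:bb:cc
1700000000 00:1a:2b:3c:4d:5e 10.10.4.30 PRINTER-3F *
1700000000 f4:39:09:de:ad:be 10.10.4.91 * *
this line is malformed
"""

# Assumed asset inventory: MAC -> description (constructed sample).
INVENTORY = {
    "3c:52:82:11:22:33": "Alice's corporate laptop",
    "00:1a:2b:3c:4d:5e": "3rd floor printer",
}

# OUI prefixes registered to the Raspberry Pi Foundation / Raspberry Pi Trading
# in the public IEEE registry (assumption: verify against the current registry).
SBC_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01", "28:cd:c1"}


def parse_leases(text):
    """Parse lease lines into dicts; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        leases.append({
            "expires": datetime.fromtimestamp(int(fields[0]), tz=timezone.utc),
            "mac": fields[1].lower(),
            "ip": fields[2],
            "hostname": fields[3],
        })
    return leases


def classify(lease, inventory=INVENTORY):
    """Return 'known', 'unknown-sbc' or 'unknown' for one lease."""
    mac = lease["mac"]
    if mac in inventory:
        return "known"
    if mac[:8] in SBC_OUIS:
        return "unknown-sbc"
    return "unknown"


def find_rogues(text, inventory=INVENTORY):
    """Return the leases not on the inventory, most suspicious first."""
    rogues = [l for l in parse_leases(text) if classify(l, inventory) != "known"]
    # False sorts before True, so the SBC-vendor devices come out on top.
    rogues.sort(key=lambda l: classify(l, inventory) != "unknown-sbc")
    return rogues


if __name__ == "__main__":
    for lease in find_rogues(LEASES):
        print(f"{classify(lease):12} {lease['mac']} {lease['ip']:14} {lease['hostname']}")
```

On the constructed input this reports the Raspberry Pi lease first and the nameless f4:39:09 device second, while the laptop and the printer are silent because they are on the inventory. The check only sees devices that use DHCP; a device with a static address needs the same comparison run over the switches’ MAC tables or ARP data, and the real fix for the “unsecured network port” the text mentions is 802.1X or at least port security on the access switches.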
So we have outlined a few common attacks that can be used during the initial compromise phase, but how can an organization defend itself against such intrusions?
- Employees must not open any (e)mails from untrusted sources. In case of any suspicion, such (e)mails should be reported to the responsible staff within the company. It might be that multiple employees received similar (phishing e)mails, which could alert IT security staff much earlier, resulting in a rapid response to a potential intrusion.
- Use of second-factor authentication. To enhance the security of user accounts and reduce the potential impact of a phishing attack, it is recommended to deploy a strong two-factor mechanism across the company. In most cases, an attacker who has hijacked user credentials will be unable to reuse them for malicious purposes if the attacker cannot bypass the second factor.
- Maintenance of IT systems. IT staff should continuously monitor their external and internal infrastructure. All new IT products should be tested in terms of IT security before rolling them out for production use (especially when the product will be exposed to the internet). After release, the products used in the IT infrastructure should be constantly updated so that known security issues are patched in a timely manner, reducing the time window of a potential compromise.
- Be vigilant about strangers within the company’s buildings. Any suspicious person should be asked for credentials in areas where only authorized personnel are expected. Asking for a badge and/or contacting the person the stranger “is about to meet” should be done to validate that they are permitted to be there.
- Lock your laptop whenever you are away from your workstation. Making it automatic after 5 minutes of inactivity is even better. This can be implemented fairly easily on all modern operating systems. Preventing opportunistic access to employees’ unattended computers minimizes the likelihood of infection by a third party (including disgruntled colleagues!).
- Use conventional security software and mechanisms. While not a silver bullet, the use of properly configured Anti-Virus software and firewalls (both on end-user PCs and on the network) can have a significant impact on defending against cyber attacks.
- Prepare and enforce an IT security policy. No one likes bureaucracy, but a well-written and enforced policy aids in educating the staff and also helps to cope with a crisis if one arises in the future. The IT security policy should define the most important assets of the company, how they are managed and protected, how staff are educated about IT security, and what the response protocol is in case of a data breach.
- Test, Test, Test. Having measures in place does not necessarily mean everything is fine. Periodically testing technological measures, staff and organizational policies is important to be sure everything works as it should.
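To make the second-factor point above concrete: the reason a phished password is not enough is that the server additionally demands a code derived from a per-user secret and the current time, and it refuses to accept the same code twice. The following is an added example (not part of the original post) of a standard TOTP verifier (RFC 6238 on top of RFC 4226 HOTP, HMAC-SHA1, 30-second steps, 6 digits) with a small drift window and replay protection, wired behind a salted password check. The user record, password and the 20-byte secret from the RFC test vectors are all constructed for the example.

```python
"""Second factor check with TOTP (RFC 6238), added example.

The server verifies a time-based one-time code derived from a per-user secret
and remembers the last accepted time step, so a code captured by a phishing
page cannot be replayed after the victim (or the attacker) has used it once.
"""
import hashlib
import hmac
import os
import struct
import time

STEP = 30      # seconds per code
DIGITS = 6
WINDOW = 1     # also accept the previous and the next step (clock drift)
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, at // step)


class SecondFactor:
    """Per-user TOTP verifier that remembers the highest step already used."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1

    def verify(self, code: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        step = now // STEP
        for candidate in range(step - WINDOW, step + WINDOW + 1):
            if candidate <= self.last_step:
                continue  # that step (or an older one) was already consumed: replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


def make_user(password: str, otp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus a TOTP verifier."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": digest, "otp": SecondFactor(otp_secret)}


def login(users: dict, username: str, password: str, code: str, now: int = None) -> bool:
    """Password first, then the second factor; both must pass."""
    user = users.get(username)
    if user is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(digest, user["pw_hash"]):
        return False
    return user["otp"].verify(code, now)


if __name__ == "__main__":
    # The 20-byte secret is the RFC 6238 test-vector seed, constructed for the demo.
    secret = b"12345678901234567890"
    users = {"alice": make_user("correct horse battery staple", secret)}
    code = totp(secret, int(time.time()))
    print("first login with fresh code:", login(users, "alice", "correct horse battery staple", code))
    print("replay of the same code:    ", login(users, "alice", "correct horse battery staple", code))
```

Two design points matter here. The replay check is what turns a captured code into a one-shot token: a phishing page that relays the code to the real service immediately can still win that single session, which is why the text calls two-factor a reduction of impact rather than a cure, and why phishing-resistant factors (FIDO2/WebAuthn keys) are preferred where available. The other point is that the secret is compared only through `hmac.compare_digest`, and the password never stored in the clear.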