Red Teaming Exercises

External Threat Vector – Cyber Attacker

A threat actor performing application and network based penetration testing to obtain unauthorized access to your organizations online published applications or obtain remote code execution or remote access;

• Online Internet Applications
• Mobile Application Penetration Testing
• ERP / SCM / CRM / Careers Website Application
• Remote Access (SSL VPN)
• Cloud Based Services
• External VoIP (SIP Trunks)
• Web Site Security – OWASP Top 10 for all published web applications

By performing application-based penetration testing you will benefit from understanding our current security state and posture related to application security, security SDLC and Source Code Review processes whilst ensuring Application Security remains an important priority for business continuity. Application Security is usually the area with little attention due to time to market constraints on custom and purpose-built applications.

A threat actor attempting to penetrate the corporate infrastructure through network penetration and social engineering techniques through physical means:

• Physical Network Access Intrusion through Social Engineering
• Bypassing Network Access Control – VoIP / Printers / Endpoints
• Bypassing Physical Security (HQ, Main Office, Branches, Data Centers)
• Bypassing Help Desk Control – Remote Access User
• Installation of Trojan Horse / Backdoor / KVM / 3G Modem
• Wireless Network Access Intrusion through Social Engineering
• Evil Twin – Rogue Access Point and Credentials Harvesting
• Brute Force Wireless Security Password Cracking
• Guest Network pivoting to Corporate Network

All types of social engineer techniques related to network access intrusion will be performed to validate the resiliency of processes amongst the different team (service desk, branch location and physical security guards, office cleaners etc.).

The activity will be performed like a malicious threat actor with intent of gaining unauthorized internal corporate network access.

A threat actor performing a Distributed Denial of Service (DDoS) attack regarding external IP addresses owned by the organization.

• Perform a DoS – Volumetric and Application DoS
  • Internet Pipe Flooding – Noise
    1. HTTP / HTTPS
       • DNS
       • SMTP

• Perform a DDoS – Volumetric and Application DDoS
  • Internet Pipe Flooding – Noise
    1. HTTP / HTTPS
       • DNS
       • SMTP

DDoS attack should be simulated based on pre-approved internal memo without notification to monitoring NOC and SOC team. The simulation can also happen during off-peak traffic flow and minimal user transactions.

Malicious outsider creating a zero-day malware to circumvent perimeter email security controls to infiltrate corporate endpoints

A threat actor developing a zero-day malware exploit with the objective to circumvent advanced perimeter security controls (advanced malware for web and email) to take RCE (remote code execution) of endpoints to infiltrate data;

• Create an evasive malware – Malicious .PDF, .XLS, .DOC, XLSX, DOCX files and email them to email recipients with @xyz.com email alias found on the Internet
• The objective of the malware is to take remote control of the endpoint
• Advanced spear phishing email attack will be conducted

The purpose of this test is to validate the security configuration and resiliency of advanced evasive malware detection tools deployed within your organization.

The exercise will help in understanding the preparedness level against targeted evasive malware attacks directed towards your environment.

The exercise will also test the processes of malware infection and remediation on endpoints.

Internal Threat Vector – Employee / Trusted

An insider threat actor trying to exploit weak system, network and application configuration regarding business applications or sensitive data repositories / data bases.

• Perform a comprehensive Vulnerability Assessment and Penetration Test against all business and mission critical business applications
• Internal ERP – HR Application (Payroll)
• Internal Financial Application (Supplier)
• Internal Transactional Servers
• Active Directory and Exchange Servers
• Internal Intranet Web Portal
• Service Desk and Ticketing Portal

The above list is not complete and should be based on the Business Service Catalog.

This activity will provide a complete security posture view of critical business applications from an insider threat perspective.

A simulated penetration test with valid normal user account will be used to see what elevated privileges access can be achieved and if confidential data can be retrieved.

An insider threat actor performing Electronic Data Theft;

• Circumventing USB and Media Control by copying confidential and sensitive data from file servers.
• Using Proxy / Anonymizer / VPN services internally to email confidential documents using public cloud email services
• Using backdoor connections (personal hotspot, rogue access point) to infiltrate data
• Circumventing Data Leakage Protection Solution

A simulated attack will be performed where we will obtain a desktop / laptop with limited privileges with all the expected security controls in place. Malicious insider will aim to circumvent corporate controls to perform data theft – however any attempt performed by the red team should be identified and monitored by the security operations center.

By performing this exercise, you will know the overall resiliency and ability to catch data exfiltration and theft attempts.

The exercise will also test security operations center capabilities in detecting such exfiltration attempts with subsequent actions that should be performed.

An insider threat actor performing Physical Data Theft;

• Dumpster Diving (Unshredded documents)
•   Unauthorized removal of HDD of Smart Printers
• Unauthorized removal of Electronic Equipment at Branch / Remote Locations
• Simulated physical theft of a Mobile Device (Laptop / Smartphone)
• Simulated physical theft of a Two Factor Authentication / Token
• Simulation of Spoofing Physical Access Card
• Validate Security Controls
  •   Hard Disk Encryption
  • Remote Wipe Functionality

This exercise will validate the resiliency against physical data theft whilst ensuring that processes related to physical theft are known and executed in a timely manner.

Privilege Abuse: A user performs an action that they should not have, according to organizational policy or regulations.

Privileged Account and User Monitoring (PAUM) is a very important exercise to perform. A set of simulated scenarios will be performed but not limited to the below;

• Active Directory Domain Administrator
  • Creating Privileged Security PowerShell User
  • Creating and Deleting Privileged User Accounts
  • Modification of Machine and User Group Policy Objects (GPOs)
• Microsoft Exchange Administrator
  • Delegating Access to CXO Mailbox
  • Copying and Moving CXO Mailbox
  • Performing Search functionality on CXO Mailbox
•   Creating Admin Accounts on Critical Business Applications
• Performing unauthorized Database Queries related to confidential data

The above is just a few examples – a complete set of testing scenarios for PAUM will be developed to validate again.

This exercise will validate the effectiveness against security operations and monitoring controls against PAUM internal threat actors.

90% of cyber threats materializing are due to successful exploitation of abuse of privileged accounts.

External Threat Vector – Customer / Supplier

An external threat actor who is an authorized customer or supplier exploiting vulnerabilities within your online applications for fraudulent objectives;

• Authenticated Vulnerability Assessment and Penetration Testing – as a valid customer or supplier
• Privilege Escalation
    

External Threat Vector – Semi-Trusted 3^rd Party

Exploitation of a compromised Third Party who has Network Access to your systems / applications by performing a Vulnerability Assessment and Penetration Test across the different transport medium;

• SSL VPN Remote Access for System Support by 3^rd Party
• IPSEC VPN Remote Access for System Support by 3^rd Party
• MPLS VPN Connectivity
• 3^rd Party Interconnect Services
  • Government Entity / Cloud
  • Cloud Services Provider
  • Managed Service Provider
  • 3^rd Party Connections
  • DR as a Service

This exercise will mimic a malicious or compromised semi-trusted third party connecting to your environment. This exercise will validate the security process of third party interconnection and how open or stringent the security controls are in place for 3^rd party interconnectivity.

Social Engineering

External threat actor performing all types of social engineering techniques;

• Voice Phishing: which is making phone calls and posing as someone in authority while targeting human behavior (need, helpful, fear) to leak sensitive information.
• Spear Phishing: which is mass-emailing targets with a message that looks genuine while it contains a hidden malicious HTTP link or an attachment (PDF, DOC, EXCEL…etc).
• Tailgating: which is also known as piggybacking and it happens when someone who lacks the proper authentication following an employee into a restricted area.
• Social Networks Attacks: which is compromising employees through social networks by abusing human behavior (need, helpful) to leverage sensitive corporate information.
•   Reverse Social Engineering: which is an attack where a social engineering consultant makes himself a point of help or poses a higher position to force employees to leak info.
• Physical Breaches: which is an attack where a social engineering consultant physically breaks into an organization abusing their weak physical security controls.
• Social Engineering: which is a psychology of abusing basic human behaviors (need, helpful, fear) to leak sensitive corporate information to conduct further sophisticated attacks.
• Shoulder Surfing: which refers to using direct observation techniques such as looking over someone’s shoulder to get information like passwords, PINs, security codes…etc.
• Critical Desks: which refers to collecting sensitive information from sticky notes, trash cans and sensitive documents from employee’s desks after achieving physical breach.
• Wireless Cracking: which refers to cracking corporate wireless network while trying to gain unauthorized access to the internal network after achieving physical breach.