RED TEAMING EXERCISES

Advanced cyber-attackers and cyber criminals infiltrate and devastate enterprise networks, either remaining invisible or acting as mules that exfiltrate vast amounts of information. Whichever industry you operate in, you are at risk of a breach. The average dwell time in 2017 and 2018 was around 229 days: that is how long an attacker may reside in your internal network before being discovered. These numbers are staggering, but they are the reality of modern-day cyber threats.

Red Team exercises conducted by DTS are a specific set of scenarios identified during the project scoping phase. The primary objective of these exercises is to shorten the dwell time of cyber-attacks by running the simulations on a frequent basis and improving cyber resilience capabilities, whilst ensuring that detection, prevention, monitoring and response capabilities are up to industry standards and can meet the demands of business requirements.

Our red team escalates the nature of each attack to test the detection and response capabilities of your blue team (security monitoring and incident response) to answer these questions:

  • Were you able to detect the attack?
  • How long did it take to detect it?
  • How long did it take to respond to the attack?
  • Was the response the correct one?

This exercise enables us to provide a realistic analysis of how breaches occur, while providing valuable insight into the business and mission impact of network intrusions. Our red team testing attempts to compromise your environment through any method possible, including the scenarios listed below:


 

Each scenario is listed with its reference number (Ref), the scenario, a description of the testing scenario, and its objectives.

External Threat Vector – Cyber Attacker

Ref 1
Scenario: Malicious outsider attacking the external facing applications and infrastructure of the organization
Description of Testing Scenario: A threat actor performing application and network based penetration testing to obtain unauthorized access to your organization's online published applications, or to obtain remote code execution or remote access:
  • Online Internet Applications
  • Mobile Application Penetration Testing
  • ERP / SCM / CRM / Careers Website Application
  • Remote Access (SSL VPN)
  • Cloud Based Services
  • External VoIP (SIP Trunks)
  • Web Site Security – OWASP Top 10 for all published web applications
All published online applications on the Internet should be subject to application penetration testing across primary and secondary data centers.
Objectives: By performing application-based penetration testing you will benefit from understanding your current security state and posture related to application security, the security SDLC and source code review processes, whilst ensuring that application security remains an important priority for business continuity. Application security is usually the area that receives the least attention, due to time-to-market constraints on custom and purpose-built applications.

Ref 2
Scenario: Malicious outsider attacking the external boundaries of the organization's logical and physical perimeter
Description of Testing Scenario: A threat actor attempting to penetrate the corporate infrastructure through network penetration and social engineering techniques, by physical means:
  • Physical Network Access Intrusion through Social Engineering
    o Bypassing Network Access Control – VoIP / Printers / Endpoints
    o Bypassing Physical Security (HQ, Main Office, Branches, Data Centers)
    o Bypassing Help Desk Control – Remote Access User
    o Installation of Trojan Horse / Backdoor / KVM / 3G Modem
  • Wireless Network Access Intrusion through Social Engineering
    o Evil Twin – Rogue Access Point and Credentials Harvesting
    o Brute Force Wireless Security Password Cracking
    o Guest Network pivoting to Corporate Network
All types of social engineering techniques related to network access intrusion will be performed to validate the resiliency of processes across the different teams (service desk, branch location and physical security guards, office cleaners, etc.).
Objectives: The activity will be performed like a malicious threat actor with the intent of gaining unauthorized internal corporate network access.

 

Ref 3
Scenario: Malicious outsider attacking the external facing applications and infrastructure of the organization
Description of Testing Scenario: A threat actor performing a Distributed Denial of Service (DDoS) attack against external IP addresses owned by the organization.
  • Perform a DoS – Volumetric and Application DoS
    o Internet Pipe Flooding – Noise
    o HTTP / HTTPS
    o DNS
    o SMTP
  • Perform a DDoS – Volumetric and Application DDoS
    o Internet Pipe Flooding – Noise
    o HTTP / HTTPS
    o DNS
    o SMTP
The DDoS attack should be simulated on the basis of a pre-approved internal memo, without notifying the NOC and SOC monitoring teams. The simulation can also take place during off-peak traffic flow with minimal user transactions.
Objectives: A simulated DDoS drill will ensure that the processes and procedures for a DDoS incident are followed: roles and responsibilities are defined, along with the mitigation and countermeasure techniques agreed between the service owners and the DDoS mitigation provider. The Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) should be evaluated and benchmarked against the known KPIs and SLAs for the DDoS attack vector.

Ref 4
Scenario: Malicious outsider creating zero-day malware to circumvent perimeter email security controls and infiltrate corporate endpoints
Description of Testing Scenario: A threat actor developing a zero-day malware exploit with the objective of circumventing advanced perimeter security controls (advanced malware protection for web and email), obtaining remote code execution (RCE) on endpoints and exfiltrating data:
  • Create evasive malware – malicious .PDF, .XLS, .DOC, .XLSX and .DOCX files – and email it to recipients with an @xyz.com email alias found on the Internet
  • The objective of the malware is to take remote control of the endpoint
  • An advanced spear phishing email attack will be conducted
Objectives: The purpose of this test is to validate the security configuration and resiliency of the advanced evasive malware detection tools deployed within your organization. The exercise will help in understanding the preparedness level against targeted evasive malware attacks directed at your environment. The exercise will also test the processes for malware infection and remediation on endpoints.

Internal Threat Vector – Employee / Trusted

Ref 5
Scenario: Malicious insider exploiting weaknesses to gain elevated privileged access and obtain confidential information
Description of Testing Scenario: An insider threat actor trying to exploit weak system, network and application configuration in business applications or sensitive data repositories / databases.
  • Perform a comprehensive Vulnerability Assessment and Penetration Test against all business and mission critical business applications
  • Internal ERP – HR Application (Payroll)
  • Internal Financial Application (Supplier)
  • Internal Transactional Servers
  • Active Directory and Exchange Servers
  • Internal Intranet Web Portal
  • Service Desk and Ticketing Portal
The above list is not complete and should be based on the Business Service Catalog.
Objectives: This activity will provide a complete security posture view of critical business applications from an insider threat perspective. A simulated penetration test with a valid normal user account will be used to see what elevated privileged access can be achieved and whether confidential data can be retrieved.

 

 

Ref 6
Scenario: Malicious Insider performing Electronic Data Theft
Description of Testing Scenario: An insider threat actor performing electronic data theft:
  • Circumventing USB and media control by copying confidential and sensitive data from file servers
  • Using proxy / anonymizer / VPN services internally to email confidential documents via public cloud email services
  • Using backdoor connections (personal hotspot, rogue access point) to exfiltrate data
  • Circumventing the Data Leakage Protection solution
A simulated attack will be performed in which we obtain a desktop / laptop with limited privileges and all the expected security controls in place. The malicious insider will aim to circumvent corporate controls to perform data theft; any attempt performed by the red team should be identified and monitored by the security operations center.
Objectives: By performing this exercise, you will know your overall resiliency and ability to catch data exfiltration and theft attempts. The exercise will also test the security operations center's capabilities in detecting such exfiltration attempts, together with the subsequent actions that should be performed.

 

Ref 7
Scenario: Malicious Insider performing Physical Data Theft
Description of Testing Scenario: An insider threat actor performing physical data theft:
  • Dumpster Diving (unshredded documents)
  • Unauthorized removal of HDDs from smart printers
  • Unauthorized removal of electronic equipment at branch / remote locations
  • Simulated physical theft of a mobile device (laptop / smartphone)
  • Simulated physical theft of a two-factor authentication device / token
  • Simulation of spoofing a physical access card
  • Validate security controls
    o Hard disk encryption
    o Remote wipe functionality
Objectives: This exercise will validate the resiliency against physical data theft whilst ensuring that the processes related to physical theft are known and executed in a timely manner.

Ref 8
Scenario: Malicious Insider abusing user access privileges
Description of Testing Scenario: Privilege abuse: a user performs an action that they should not, according to organizational policy or regulations. Privileged Account and User Monitoring (PAUM) is a very important exercise to perform. A set of simulated scenarios will be performed, including but not limited to the below:
  • Active Directory Domain Administrator
    o Creating a privileged security PowerShell user
    o Creating and deleting privileged user accounts
    o Modification of machine and user Group Policy Objects (GPOs)
  • Microsoft Exchange Administrator
    o Delegating access to a CXO mailbox
    o Copying and moving a CXO mailbox
    o Performing search functionality on a CXO mailbox
  • Creating admin accounts on critical business applications
  • Performing unauthorized database queries related to confidential data
The above are just a few examples; a complete set of testing scenarios for PAUM will be developed and validated.
Objectives: This exercise will validate the effectiveness of security operations and monitoring controls against PAUM internal threat actors. 90% of cyber threats that materialize do so through the successful abuse of privileged accounts.
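The PAUM scenario above is only useful if the blue team actually alerts on each simulated action. The following is an added example (not DTS's own code or tooling) of the detection logic a security operations team would run against its logs for exactly those four scenarios: privileged account creation/deletion and privileged group changes (Windows Security event IDs 4720, 4726, 4728/4732/4756), GPO modification (event ID 5136 on a groupPolicyContainer object), CXO mailbox delegation, export and search (Exchange admin audit log cmdlets), and queries against confidential tables (a database audit log). The event records, group names, mailbox aliases, table names and service account names are all constructed for illustration; real collectors emit these fields under different names, so the field mapping is an assumption.

```python
"""PAUM detection checks over constructed Windows, Exchange and database audit events.

Added example, not the page's or DTS's code. Every record below is constructed;
field names follow the Windows Security log, the Exchange admin audit log and a
generic database audit log loosely, and would need mapping to a real collector.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Groups whose membership changes are always reviewed (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Exchange cmdlets matching delegation, copy/move and search of a mailbox.
SENSITIVE_EXCHANGE_CMDLETS = {"Add-MailboxPermission", "New-MailboxExportRequest",
                              "New-MailboxSearch", "Search-Mailbox"}
# Mailboxes under heightened monitoring (assumed aliases for the "CXO" mailboxes).
CXO_MAILBOXES = {"ceo", "cfo", "cio"}
# Tables holding confidential data and the application accounts allowed to read them (assumed).
SENSITIVE_TABLES = {"hr.payroll", "finance.supplier_bank_accounts"}
DB_SERVICE_ACCOUNTS = {"svc_payroll_app", "svc_erp"}


@dataclass
class Finding:
    rule: str
    actor: str
    detail: str


def check_windows_event(ev: dict) -> Optional[Finding]:
    """Account creation/deletion, privileged group membership and GPO changes."""
    eid = ev.get("EventID")
    actor = ev.get("SubjectUserName", "?")
    if eid == 4720:
        return Finding("account_created", actor, f"created {ev.get('TargetUserName')}")
    if eid == 4726:
        return Finding("account_deleted", actor, f"deleted {ev.get('TargetUserName')}")
    # 4728/4732/4756: member added to a security-enabled global/local/universal group.
    if eid in (4728, 4732, 4756) and ev.get("TargetUserName") in PRIVILEGED_GROUPS:
        return Finding("privileged_group_member_added", actor,
                       f"added {ev.get('MemberName')} to {ev.get('TargetUserName')}")
    # 5136: directory object modified; GPOs are groupPolicyContainer objects.
    if eid == 5136 and ev.get("ObjectClass") == "groupPolicyContainer":
        return Finding("gpo_modified", actor,
                       f"{ev.get('ObjectDN')} attribute {ev.get('AttributeLDAPDisplayName')}")
    return None


def check_exchange_event(ev: dict) -> Optional[Finding]:
    """Sensitive cmdlets run against a monitored (CXO) mailbox."""
    cmdlet = ev.get("CmdletName")
    if cmdlet not in SENSITIVE_EXCHANGE_CMDLETS:
        return None
    params = ev.get("CmdletParameters", {})
    target = str(params.get("Identity") or params.get("Mailbox") or "").lower()
    if target not in CXO_MAILBOXES:
        return None
    return Finding("cxo_mailbox_access", ev.get("Caller", "?"), f"{cmdlet} {params}")


_TABLE_RE = re.compile(r"\b(?:from|join)\s+([\w.]+)", re.IGNORECASE)


def check_db_query(ev: dict) -> Optional[Finding]:
    """Reads of confidential tables by anything other than the owning application account."""
    user = ev.get("DbUser", "?")
    if user in DB_SERVICE_ACCOUNTS:
        return None
    touched = {t.lower() for t in _TABLE_RE.findall(ev.get("Statement", ""))}
    hits = touched & SENSITIVE_TABLES
    if not hits:
        return None
    return Finding("sensitive_table_query", user, f"{sorted(hits)} via {ev.get('ClientHost')}")


CHECKS = {"windows": check_windows_event, "exchange": check_exchange_event, "db": check_db_query}


def run(events: list) -> list:
    """Apply the check matching each event's source and collect the findings in order."""
    findings = []
    for ev in events:
        f = CHECKS[ev["source"]](ev)
        if f:
            findings.append(f)
    return findings


# Constructed sample events: five should alert, three are benign noise.
SAMPLE_EVENTS = [
    {"source": "windows", "EventID": 4720, "SubjectUserName": "jdoe-adm", "TargetUserName": "svc-backup2"},
    {"source": "windows", "EventID": 4728, "SubjectUserName": "jdoe-adm", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup2,OU=Service,DC=xyz,DC=com"},
    {"source": "windows", "EventID": 4728, "SubjectUserName": "helpdesk1", "TargetUserName": "Sales Staff",
     "MemberName": "CN=asmith,OU=Users,DC=xyz,DC=com"},
    {"source": "windows", "EventID": 5136, "SubjectUserName": "jdoe-adm", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=xyz,DC=com",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"source": "exchange", "CmdletName": "Add-MailboxPermission", "Caller": "exadmin",
     "CmdletParameters": {"Identity": "CFO", "User": "jdoe", "AccessRights": "FullAccess"}},
    {"source": "exchange", "CmdletName": "Get-Mailbox", "Caller": "exadmin", "CmdletParameters": {"Identity": "CFO"}},
    {"source": "db", "DbUser": "svc_payroll_app", "ClientHost": "payroll-app01",
     "Statement": "SELECT salary FROM hr.payroll WHERE emp_id = 42"},
    {"source": "db", "DbUser": "dba_jdoe", "ClientHost": "wks-1234",
     "Statement": "SELECT * FROM hr.payroll p JOIN hr.employees e ON p.emp_id = e.id"},
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(f"[{finding.rule}] actor={finding.actor}: {finding.detail}")
```

Each rule corresponds to one bullet of the PAUM scenario, so a red team run of the scenario can be scored by checking which findings the SOC raised and how long after the event they raised them. The checks deliberately key on the audit record the action leaves behind rather than on the tool used to perform it, so a PowerShell-created account and a GUI-created account are caught by the same 4720 rule.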

External Threat Vector – Customer / Supplier

Ref 9
Scenario: Malicious Customer / Supplier Exploiting Vulnerabilities against Online Applications
Description of Testing Scenario: An external threat actor who is an authorized customer or supplier, exploiting vulnerabilities within your online applications for fraudulent objectives:
  • Authenticated Vulnerability Assessment and Penetration Testing – as a valid customer or supplier
  • Privilege Escalation
Objectives: This exercise will allow you to understand whether a malicious authorized customer or supplier can obtain elevated privileged access to online applications due to business logic flaws or security loopholes.

 

External Threat Vector – Semi-Trusted 3rd Party

Ref 10
Scenario: Compromised or malicious third party (semi-trusted) entity connecting into your organization
Description of Testing Scenario: Exploitation of a compromised third party who has network access to your systems / applications, by performing a Vulnerability Assessment and Penetration Test across the different transport media:
  • SSL VPN Remote Access for System Support by 3rd Party
  • IPSEC VPN Remote Access for System Support by 3rd Party
  • MPLS VPN Connectivity
  • 3rd Party Interconnect Services
    o Government Entity / Cloud
    o Cloud Services Provider
    o Managed Service Provider
    o 3rd Party Connections
    o DR as a Service
Objectives: This exercise will mimic a malicious or compromised semi-trusted third party connecting to your environment. It will validate the security process for third party interconnection and how open or stringent the security controls in place for 3rd party interconnectivity are.

Ref 11
Scenario: Malicious third party (semi-trusted) user connecting into your network infrastructure
Description of Testing Scenario: Malicious insider third-party staff who have network access to your environment; see the scenarios above, which cover these test criteria.
Objectives: This scenario tests your organization's ability to identify unknown and non-corporate devices on the network once connected, how well the NAC security policies are applied, and how network segmentation is applied to 3rd party endpoints connecting into your corporate network.

Social Engineering

Ref 14
Scenario: Hacker gaining access to internal confidential information through Social Engineering techniques
Description of Testing Scenario: An external threat actor performing all types of social engineering techniques:
  • Voice Phishing: making phone calls and posing as someone in authority while targeting human behavior (need, helpfulness, fear) to leak sensitive information.
  • Spear Phishing: mass-emailing targets with a message that looks genuine but contains a hidden malicious HTTP link or an attachment (PDF, DOC, Excel, etc.).
  • Tailgating: also known as piggybacking; someone who lacks the proper authentication follows an employee into a restricted area.
  • Social Networks Attacks: compromising employees through social networks by abusing human behavior (need, helpfulness) to obtain sensitive corporate information.
  • Reverse Social Engineering: an attack where a social engineering consultant makes himself a point of help, or poses as a higher position, to induce employees to leak information.
  • Physical Breaches: an attack where a social engineering consultant physically breaks into an organization by abusing its weak physical security controls.
  • Social Engineering: the psychology of abusing basic human behaviors (need, helpfulness, fear) to leak sensitive corporate information and conduct further sophisticated attacks.
  • Shoulder Surfing: using direct observation techniques, such as looking over someone's shoulder, to obtain information like passwords, PINs, security codes, etc.
  • Critical Desks: collecting sensitive information from sticky notes, trash cans and sensitive documents on employees' desks after achieving a physical breach.
  • Wireless Cracking: cracking the corporate wireless network to gain unauthorized access to the internal network after achieving a physical breach.
Objectives: This process will validate how effective and efficient your internal infrastructure (people, process and technology) is when it comes to social engineering attacks, and the level of cyber security awareness across your employees.

Contact us to learn more about Red Teaming Exercises
