
What happens during a Red Team Attack Simulation?

By Privasec RED Team

A Red Team Attack Simulation mimics an adversary attacking your organisation. It lets you measure, and then improve, your ability to identify and respond to an adversary trying to access your systems or information.

But what actually happens during a Red Team, and how does an Attack Simulation work in practice?

Let’s take a look at the 5 steps involved in a successful red team.

Step 1: Confirm Testing Objectives

Red Team Attack Simulations are broad in scope but focus on specific, targeted objectives based on the threats most likely to affect you. These objectives drive the Attack Simulation and are tied to critical business functionality or assets (the 'crown jewels').

For example, a financial services institution’s primary security concerns could include the ability for an adversary to perform an unauthorised monetary transaction or to encrypt core business systems as part of a ransomware style attack.

Step 2: Identify Threat Actors

Privasec uses Threat Intelligence to identify realistic, real-world threat actors and to understand and emulate their known methods of attack, so that the simulation reflects how those actors actually operate.

In our example, Ransomware groups are currently known threat actors targeting financial services institutions.

Step 3: Confirm Attack Approach

Once defined and understood, these testing objectives and threat actors enable Privasec to identify high-level attack scenarios and approaches.

Following our example scenario:

  • To simulate a Ransomware style attack, Privasec would attempt to create 'dummy' files, then exfiltrate and encrypt those files on a number of selected critical hosts. These actions simulate the operational approach of a ransomware-style attack without overwriting sensitive files.
  • To simulate an unauthorised transaction, Privasec would attempt to gain access to financial systems. Access would be demonstrated by submitting a 'test' transaction record containing specific debug string values that the automated system would deliberately not process.
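The first bullet is the part of a simulation that most needs guardrails: the operator must be able to prove afterwards that only planted files were ever touched. The following is an added example of such a controlled ransomware-style run, written for this page and not Privasec's own tooling. It plants marked dummy files, "exfiltrates" them by copying to a staging directory with a SHA-256 manifest, encrypts only files that carry the marker, and can restore them. The marker string, the staging layout and the HMAC-SHA256 counter-mode keystream (used so the example needs no third-party cipher library; it is not a substitute for AES-GCM) are all assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path

# Assumed marker: every file the simulation plants starts with it, and the
# encryption routine refuses to touch anything that does not.
MARKER = b"REDTEAM-SIMULATION-DUMMY-FILE:"
ENC_HEADER = b"REDTEAM-SIM-ENCRYPTED:"


def create_dummy_files(target_dir: Path, count: int = 3) -> list[Path]:
    """Plant clearly labelled dummy files; no existing file is created over or modified."""
    target_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i in range(count):
        p = target_dir / f"sim_dummy_{i}.txt"
        p.write_bytes(MARKER + f" file {i} ".encode() + os.urandom(64).hex().encode())
        paths.append(p)
    return paths


def is_dummy(path: Path) -> bool:
    with path.open("rb") as f:
        return f.read(len(MARKER)) == MARKER


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for a real cipher so the example
    # runs with the standard library only.  Adequate for a simulation, nothing more.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def simulate_ransomware(target_dir: Path, staging_dir: Path, key: bytes) -> dict:
    """Exfiltrate (copy to staging) then encrypt in place, dummy files only."""
    staging_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(target_dir.iterdir()):
        if not path.is_file() or not is_dummy(path):
            continue  # guardrail: never touch a file the simulation did not plant
        data = path.read_bytes()
        manifest[path.name] = hashlib.sha256(data).hexdigest()
        shutil.copy2(path, staging_dir / path.name)  # simulated exfiltration
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
        path.write_bytes(ENC_HEADER + nonce + ct)
    (staging_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(target_dir: Path, key: bytes) -> int:
    """Decrypt every file carrying ENC_HEADER; returns how many were restored."""
    restored = 0
    for path in sorted(target_dir.iterdir()):
        if not path.is_file():
            continue
        blob = path.read_bytes()
        if not blob.startswith(ENC_HEADER):
            continue
        body = blob[len(ENC_HEADER):]
        nonce, ct = body[:16], body[16:]
        path.write_bytes(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))
        restored += 1
    return restored


def run_demo() -> dict:
    """End-to-end run in a temp directory beside a 'real' file that must survive untouched."""
    root = Path(tempfile.mkdtemp(prefix="ransim_"))
    target, staging = root / "finance_share", root / "staging"
    target.mkdir()
    real = target / "quarterly_report.xlsx"  # constructed stand-in for a sensitive file
    real.write_bytes(b"REAL BUSINESS DATA - must never be modified")
    before = hashlib.sha256(real.read_bytes()).hexdigest()
    key = os.urandom(32)
    create_dummy_files(target)
    manifest = simulate_ransomware(target, staging, key)
    encrypted = all((target / n).read_bytes().startswith(ENC_HEADER) for n in manifest)
    restored = restore(target, key)
    intact = all(
        hashlib.sha256((target / n).read_bytes()).hexdigest() == h for n, h in manifest.items()
    )
    real_untouched = hashlib.sha256(real.read_bytes()).hexdigest() == before
    shutil.rmtree(root)
    return {
        "dummy_files": len(manifest),
        "encrypted": encrypted,
        "restored": restored,
        "restored_intact": intact,
        "real_file_untouched": real_untouched,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest in the staging directory is what the blue team gets after the exercise: it lists exactly which files were exfiltrated and encrypted, with hashes, so they can verify that nothing outside the agreed scope was affected and that every dummy file was restored byte for byte.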

Step 4: Attack Execution

Once the scenarios and the attack approach are agreed upon, Privasec performs the controlled attack execution.

An attack simulation flow for our example could include the following steps:

1. Reconnaissance
Privasec commences with reconnaissance and identifies a recruitment web application containing employee names and email addresses. These details are added to a list of accounts compiled from other sources such as LinkedIn and breached-database websites.

2. Initial Access
Next, Privasec performs a password spraying attack against Office 365 (a few common passwords tried across the whole account list, rather than many passwords against one account). The spray reveals a number of valid accounts with weak passwords; however, all of them require multi-factor authentication (MFA). The accounts whose MFA method is a push-notification approval are noted and set aside.

3. Access Verification
For the next few days, during the morning and post-lunch periods, Privasec repeatedly authenticates to Office 365 with these accounts and waits for unsuspecting users to approve the push notifications on their phones (an MFA fatigue, or 'push bombing', attack). Using this method, Privasec is able to authenticate as several different users.

4. Lateral Movement
Once authenticated, Privasec obtains remote access to Outlook, SharePoint and OneDrive via the Office 365 portal, in the context of the compromised user accounts.

5. Deploy Assets
Through this access, Privasec identifies popular working files, some of which use macros. Privasec backs up the originals and then backdoors them by embedding malicious macros in the documents. When executed, the macros download and run a connect-back (reverse shell) payload.

6. Remote Access Confirmed
As staff open these backdoored documents ('watering hole' attacks), Privasec obtains interactive remote access to user workstations. Privasec uses scheduled tasks to maintain persistent access, the technique the Threat Intelligence identified for the emulated actor.

7. Internal Enumeration
With a foothold in the corporate network, Privasec performs internal network reconnaissance, scanning to obtain information about the Windows domain.

8. Outdated Software
During enumeration, Privasec detects an outdated VMware vCenter server that is vulnerable to a remote code execution vulnerability, which is exploited to gain SYSTEM-level privileges on the affected host.

9. Privilege Escalation
By dumping LSASS memory on that host and cracking the recovered password hashes, Privasec identifies credentials for an existing user account with direct access to vCenter.

10. Gather Credentials
Using these credentials, Privasec dumps the memory of the LSASS process from virtual machines managed by vCenter, including Domain Controllers. The memory dumps are exfiltrated and credentials are extracted offline using Mimikatz.

11. Domain Administrative Access
With these credentials, and the key material extracted from the Domain Controller, Privasec establishes Domain Administrative access and persistence.

12. Demonstrate Impact
From this point, Privasec uses the valid credential material to perform Over-Pass-the-Hash attacks, assuming the identity of domain accounts to access the list of high-value target systems. On these systems Privasec performs the simulated ransomware operations: creating, exfiltrating and encrypting 'dummy' data files. This demonstrates an attacker's ability to perform a ransomware attack against the network.

13. Understand Processes
Privasec also identifies a Content Management System (CMS) that is accessible with previously compromised credentials and which contains detailed documentation for all critical IT business infrastructure, including the mainframe.

14. Monitor User Sessions
Next, Privasec targets users in the mainframe accounts group. By discovering which workstations have regular active sessions, Privasec deploys keyloggers on those systems and learns how the users access and interact with the mainframe.

15. Objective Achieved
Using the information from the CMS and the observed mainframe user activity, Privasec emulates real user processes and submits a 'dummy' test transaction record via the mainframe. This demonstrates an attacker's ability to perform an unauthorised transaction.
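Steps 2 and 3 of the flow above are the point where a defender has the best chance of stopping the whole chain, because both leave a distinctive trace in identity-provider sign-in logs: one source trying a password across many accounts, then one account receiving push prompt after push prompt that nobody approves, until someone does. The following is an added example of that detection logic, written for this page and not Privasec's tooling. The sign-in events are constructed, the field names are assumptions loosely modelled on Azure AD sign-in logs, and the thresholds and windows are starting points rather than tuned values.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def _ev(ts, user, ip, password_ok, mfa=None):
    # mfa: None (no prompt, password failed), "approved", "denied" or "timeout"
    return {"ts": _ts(ts), "user": user, "ip": ip, "password_ok": password_ok, "mfa": mfa}


SPRAY_IP = "203.0.113.7"  # constructed attacker source (RFC 5737 documentation range)

# Constructed sample events: one password sprayed across eight accounts in a few
# minutes, then repeated push prompts to the two accounts that accepted it.
SAMPLE_EVENTS = [
    _ev("2023-05-01 07:58", "alice", SPRAY_IP, False),
    _ev("2023-05-01 07:59", "bob", SPRAY_IP, True, "denied"),
    _ev("2023-05-01 08:00", "carol", SPRAY_IP, False),
    _ev("2023-05-01 08:01", "dave", SPRAY_IP, False),
    _ev("2023-05-01 08:02", "erin", SPRAY_IP, True, "denied"),
    _ev("2023-05-01 08:03", "frank", SPRAY_IP, False),
    _ev("2023-05-01 08:04", "heidi", SPRAY_IP, False),
    _ev("2023-05-01 08:05", "ivan", SPRAY_IP, False),
    _ev("2023-05-01 13:10", "bob", SPRAY_IP, True, "timeout"),
    _ev("2023-05-01 13:11", "erin", SPRAY_IP, True, "denied"),
    _ev("2023-05-02 08:07", "bob", SPRAY_IP, True, "denied"),
    _ev("2023-05-02 08:09", "erin", SPRAY_IP, True, "timeout"),
    _ev("2023-05-02 13:12", "bob", SPRAY_IP, True, "approved"),  # bob gives in
    # Benign activity that must not be flagged
    _ev("2023-05-01 09:00", "alice", "198.51.100.20", True, "approved"),
    _ev("2023-05-01 09:10", "grace", "198.51.100.21", False),  # a typo
    _ev("2023-05-01 09:11", "grace", "198.51.100.21", True, "approved"),
]


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Flag source IPs that fail the password step for >= min_users distinct
    accounts inside a sliding window; also report which accounts accepted the
    sprayed password, since those are the ones that need an immediate reset."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs = sorted(evs, key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            failed = {e["user"] for e in evs[start:end + 1] if not e["password_ok"]}
            best = max(best, len(failed))
        if best >= min_users:
            accepted = sorted({e["user"] for e in evs if e["password_ok"]})
            findings[ip] = {"failed_users": best, "accepted": accepted}
    return findings


def detect_mfa_fatigue(events, window=timedelta(days=3), min_prompts=3):
    """Flag users with >= min_prompts push prompts that were denied or timed out
    inside a sliding window, and say whether a later approval followed (in which
    case the account should be treated as compromised, not merely targeted)."""
    by_user = defaultdict(list)
    for e in events:
        if e["password_ok"] and e["mfa"] is not None:
            by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        unanswered = [e for e in evs if e["mfa"] in ("denied", "timeout")]
        start, run_end = 0, None
        for end in range(len(unanswered)):
            while unanswered[end]["ts"] - unanswered[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_prompts:
                run_end = unanswered[end]["ts"]
        if run_end is None:
            continue
        approved_after = any(e["mfa"] == "approved" and e["ts"] > run_end for e in evs)
        findings[user] = {
            "unanswered_prompts": len(unanswered),
            "status": "approved_after_fatigue" if approved_after else "fatigue_in_progress",
        }
    return findings


if __name__ == "__main__":
    print("spray:", detect_password_spray(SAMPLE_EVENTS))
    print("fatigue:", detect_mfa_fatigue(SAMPLE_EVENTS))
```

The two detections are deliberately separate: a spray finding should trigger a credential reset for the accepted accounts before any push prompt is answered, while a fatigue finding with status approved_after_fatigue means the session that followed the approval needs to be revoked and the workstation activity from step 4 onwards reviewed. Number-matching or a non-push MFA method removes the fatigue path entirely.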

Step 5: Attack Reporting

Privasec’s reporting process focuses on the paths and steps taken to reach core objectives (i.e., what we did to get there, how sophisticated our attack was and how accessible it is for a real world threat actor to execute). To enable wider and non-technical understanding and digestion of the root cause, process, and impacts, Privasec creates attack flow timeline diagrams.

In our example, the attack execution described above would be represented visually as an attack flow diagram, one step per box in the order listed.

As business security is also in our DNA, we know that results from a Red Team must be understood at a business level and our executive summary is also crafted with that audience in mind. Privasec identifies and translates the technical impact, to the resulting business risk.