How Red Team Exercises Increase Your Cyber Health

Last year, we shared information on the differences between types of red team exercises and how organizations can benefit from each one. External red teaming, assumed breach, and purple teaming each have distinct characteristics that determine which exercise best fits an organization’s requirements. Regular execution is essential to validate and improve the security framework, including people, procedures, and technologies.

According to The SANS Institute, “ransomware attacks continue to pose a growing danger to all companies, with both existing and new criminal groups on the rise.”

Since 2021, Trend Micro has published a series of spotlights offering threat information on the most infamous ransomware families used in threat actor activities. Ransomware gangs have collaborated and evolved, using ransomware as a service (RaaS) and double extortion tactics to exacerbate the harm done to businesses.

We will examine common tactics, techniques, and procedures (TTPs) in more depth by analyzing an external red teaming exercise as a case study.

An external red team exercise typically follows the Cyber Kill Chain framework developed by Lockheed Martin:

  • Reconnaissance. Collecting data about the target and choosing the tactics for the attack
  • Weaponization. Developing malware by leveraging security vulnerabilities
  • Delivery. Delivering the weaponized malware via a phishing email or another medium
  • Exploitation. Executing the malicious code within the organization’s systems
  • Installation. Installing a backdoor or remote access Trojan that gives the intruder persistent access
  • Command and control (C&C). Gaining control over the organization’s systems and network
  • Actions on objectives. Gathering, encrypting, and exfiltrating confidential information from the organization’s environment

The following are fundamental steps that may be performed according to the Cyber Kill Chain. These steps may vary depending on the organization’s needs and requirements:

  • Collecting email addresses from sources such as the corporate homepage, social networks like LinkedIn, Hunter.io, or other services
    • For external phishing, once we have information on the target, we register a domain that fits the narrative of the phishing email, which often includes a link to a page that harvests login credentials
    • If phishing is not permitted by corporate policy, the external exercise focuses instead on reconnaissance of exposed services, including cloud providers, without harvesting emails
    • We explore weaponization by concentrating on remote code execution (RCE) vulnerabilities that yield a shell or similar access, mostly to demonstrate potential ways the customer’s network could be compromised
  • Using a delivery service to deliver the payload of the C&C application
    • We use the same technologies that attackers commonly employ for C&C
    • After the initial access phase, we move on to actions on objectives that are generally the same as those of ransomware operators or most advanced persistent threats (APTs)

This stage is not set in stone: once the initial objectives are fulfilled and there is still time in the simulation, the client may ask the team to pursue other goals, such as the backup network, Citrix, VMware vCenter servers, or a Microsoft Azure or Amazon Web Services (AWS) environment.

Understanding phishing tactics

Phishing may take several forms. These include a link to download and execute a payload (to obtain credentials or access), delivering the payload directly as an attachment (which is more likely to be detected, depending on the payload), and, most recently, embedding a QR code that lets the payload be downloaded while circumventing email security controls.
