Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing, or pentesting, is the simulation of a cyberattack to assess a network’s security to find weaknesses that can then be fixed before threat actors exploit them. Pentesting is done externally, unlike many approaches to security, such as vulnerability scanning, which uses technology tools from within the network to seek out potential problems. Ethical hackers attack the network to see where they can gain entry and what they can exploit in terms of vulnerabilities, misconfigurations and back-doors that weren't closed after contractors were given temporary access.
FREE role-guided training plans
Red team members, compared to penetration testers, make full use of a plethora of pentesting techniques and more. They incorporate attempts, within a predefined set of parameters agreed on by the client, to physically enter the building, such as finding unlocked windows, outside doors that don't close all the way, or even breaking in and checking to make sure the key code for the alarm isn't something like 1-2-3-4. They also harness social engineering tricks like dropping malicious thumb drives in the parking lot to see if employees pick them up and plug them into their computers to see who they belong to. Another ploy is walking in the front door in a UPS costume with a package and asking someone with keycard access to hold the door to a restricted area.
Matt Lorentzen, principal consultant at Cyberis, has spent much of his career in the pentesting world.
Most recently, he has involved himself in what is known as intelligence-led penetration testing, which is a form of red teaming. It is guided by real-world threat intelligence about the attacks against various organizational sectors. The purpose of red teaming is to determine where the threshold of detection is. i.e., how far the pentester can reach within the network before being detected.
Some clients want to see whether you can get into their systems and what files and databases you can get into. Other people tell you the exact things they are concerned about, such as sensitive files or network infrastructure areas covered by compliance mandates. And in other cases, people want the pentester to emulate the types of attacks they are seeing to determine how easy it might be for attackers to find a route into the enterprise.
Purple teaming
Red teams are those pretending to be hackers, and blue teams are those defending the organization. Lorentzen likes this approach but admits that this approach sometimes has limitations as it assumes all attacks are externally based. In reality, the number of attacks arising from the actions of disgruntled or compromised employees or contractors is rising. Thus, purple teaming is becoming more common, where the red team and blue team members work in tandem and collaborate in real-time to find and exploit weaknesses.
“There are numerous routes that somebody can use to become embedded in an organization, including getting a job as a means of infiltrating IT,” said Lorentzen.
But insider threats are one of many options. Another purple team exercise might involve the red team finding a vulnerability accessible by a high-placed insider and passing that data onto the blue team. They, in turn, terminate network access privileges or use that vulnerability to get up to other mischief.
Banks, for example, are interested in attack paths attackers can use to reach their Swift infrastructure and extract funds. But other industries have different needs. It is all about what they most want to protect.
What should you learn next?
Cloud attacks mean a broader attack surface
The cloud has brought a great many benefits to IT. From a cybersecurity perspective, though, it introduced greater complexity, broadened attack surfaces, and significantly increased the number of potential points of entry.
“The perimeter that we spent a lot of time building has now largely disappeared in order to facilitate agility and freedom of movement,” said Lorentzen.
That has resulted in environments where people often don’t know exactly where all their data and systems reside. Data pockets and silos may be in hidden spots that people are unaware of. Hackers can exploit these areas as they are typically poorly protected, may be misconfigured, and are likely to be unpatched.
Similarly, cloud or mobile settings can render some security technologies unfeasible in certain settings. Take the case of multi-factor authentication (MFA) and a strong password policy. Both are difficult or impossible to implement across an entire student population, for example, or in government systems that face outward to the citizenry. There are just too many people and too many non-tech savvy individuals that you have to expect weak credentials, repeated passwords, post-it note passwords on PCs, heavy pushback on MFA, or complete unwillingness to take any security precautions.
“For schools specifically, you have to accept the fact that children are going to choose weaker credentials for a number of reasons,” said Lorentzen. “But you can compensate in other ways, such as by policing the types of permissions people have and who has administrative access. That’s a good way to slow attackers down even if they manage to phish a user credential.”
Another safeguard in school environments is geo-location. There is no reason, for example, why an American student should be logging in from another country. There may be ways for hackers to get around such safeguards. Nevertheless, it is another layer an attacker needs to go through.
Listen to Matt Lorentzen's insights on red team evolution on Infosec's Cyber Work Podcast.
FREE role-guided training plans
Pentesting and red teaming continue to evolve
Recent refinements such as intelligence-driven red team pentesting and purple team collaboration tactics have helped organizations face the many challenges posed by today’s broadening attack surfaces. But threat actors continue to develop new techniques to penetrate enterprise defenses. Therefore, pentesting and the testing of security readiness must continue to evolve to address changing threat vectors.