SlideShare una empresa de Scribd logo

Lessons from a Red Team Exercise

Descargar como PPTX, PDF
Peter Wood
Peter Wood

Lessons from a Red Team Exercise - A Simulated Criminal Attack

Internet
1 de 22
Peter Wood Chief Executive Officer First Base Technologies LLP A Simulated Criminal Attack Lessons from a Red Team Exercise
Slide 2 © First Base Technologies 2015 Founder and CEO - First Base Technologies LLP • Engineer, IT and information security professional since 1969 • Fellow of the BCS, the Chartered Institute for IT • Chartered IT Professional • CISSP • Senior Member of the Information Systems Security Association (ISSA) • 15 Year+ Member of ISACA, Member of the ISACA Security Advisory Group • Member of the Institute of Information Security Professionals • Member of the BCS Information Risk Management and Assurance Group • Chair of white-hats.co.uk • UK Programme Chair for the Corporate Executive Programme • Member of ACM, IEEE, First Forensic Forum (F3), Institute of Directors • Member of Mensa Peter Wood
Slide 3 © First Base Technologies 2015
Slide 4 © First Base Technologies 2015 How an Advanced Attack Works
Slide 5 © First Base Technologies 2015 Threat analysis for testing http://csrc.nist.gov/cyberframework/rfi_comments/040813_cba_part2.pdf
Slide 6 © First Base Technologies 2015 Lessons from a red team exercise “The story you are about to hear is true; only the names have been changed to protect the innocent vulnerable.”
Slide 7 © First Base Technologies 2015 Our attack timeline
Slide 8 © First Base Technologies 2015 Remote information gathering • 15 premises in UK, reviewed on Google maps and street view • 4 registered domains • 5 IP address ranges • 72 Internet-facing hosts • Metadata retrieved for Adobe, Office and QuarkExpress • Scan revealed OWA in use • Internet search for relevant email addresses • LinkedIn searches to construct email addresses for employees • 400 email addresses identified • ‘Interesting’ staff names and job titles from LinkedIn • Emails sent to obtain responding email style and layout
Slide 9 © First Base Technologies 2015 On-site reconnaissance • Head office: - Perimeter guards and external CCTV - Main reception manned and controlled - Goods entrance well controlled - No other access - Staff ID card design noted - Results used to plan on-site attack 2 • Branch office: - High street premises, no guarding - Small reception, one receptionist - Door intercom - Multi-tenanted building - Results used to plan on-site attack 1
Slide 10 © First Base Technologies 2015 Results of info gathering 1. Spear phishing is viable and can be used for theft of credentials 2. Head office will require legitimate appointment to gain physical access 3. Branch office may be vulnerable to ad hoc visitor with remote backup 4. Significant number of other premises available as fallback 5. Windows and Office in use, so typical network vulnerabilities will apply
Slide 11 © First Base Technologies 2015 Spear phishing plan 1. Convincing fake domain name available and purchased 2. OWA site cloned onto fake domain for credential theft 3. Large number of email addresses harvested as targets 4. Design of real emails copied to facilitate spear phishing 5. Names and job titles gathered as fake senders 6. Genuine OWA will be used to test stolen credentials (and gather further info) 7. Credentials will be deployed in first on-site attack
Slide 12 © First Base Technologies 2015 Spear phishing exercise 1. Email sent from IT manager, using fake domain address 2. OWA cloned on to tester’s laptop, DNS set accordingly 3. Email sent to three groups of 100 recipients 4. Within a few minutes, 41 recipients entered credentials 5. Credentials tested on legitimate OWA site 6. Significant information gathered from each account 7. Further emails can now be sent from legitimate addresses
Slide 13 © First Base Technologies 2015 Branch office attack plan 1. Team member “Harry” to pose as a contractor working for a telecomms firm 2. Clothing and ID badge prepared 3. Works order fabricated 4. Engineering toolkit prepared, including laptop 5. Credentials obtained from spear phishing stored on laptop 6. Other team members on landline phones for remote verification
Slide 14 © First Base Technologies 2015 Branch office attack exercise (1) 1. Harry arrives and tells receptionist he needs to fix a network fault 2. Receptionist asks for a contact name for verification 3. Harry claims not to know and gives receptionist his works order number and a phone number to get details 4. Receptionist calls and speaks to George who gives the name of an IT employee (who we know is ‘out of office’) 5. Receptionist cannot make contact with absent IT employee, so tells Harry to call their IT Manager to resolve the problem 6. Harry calls Charlie and asks him to impersonate the IT Manager 7. Charlie (impersonating the IT Manager) calls receptionist and tells them to give Harry access
Slide 15 © First Base Technologies 2015 Branch office attack exercise (2) 9. Harry is escorted into the office and given a desk and a network point 10.He is left unsupervised and plugs his laptop in to the network 11.He explores the network and identifies several Windows servers 12.He authenticates to a domain controller using credentials obtained during the phishing exercise 13.He explores various servers and identifies many interesting files 14.He plants several files to demonstrate full read-write access 15.He explains that he has run diagnostics and that the network connection seems ok. He is escorted to reception and signs out
Slide 16 © First Base Technologies 2015 Head office attack plan (1) A number of scenarios were considered: • Apply for a job vacancy with a suitable fake CV • Courier delivery of a parcel • Research and interview for newspaper or publication • Discussion about a school tour of premises • Tour of premises as a prospective customer Two alternatives were selected and developed: • Tour of premises as a prospective customer for a specific product • Interview for a charity magazine about corporate fund raising
Slide 17 © First Base Technologies 2015 Head office attack plan (2) Relevant domain names were obtained, email addresses and web pages created for both fake organisations. 1. Tour of premises as a prospective customer for a specific product: - “Anne” sent an email via the company’s online form - An exchange of emails occurred over the next few days and she obtained permission, as a new customer, to book a tour of the premises 2. Interview for a charity magazine about corporate fund raising: - “Anne” called the company and spoke to head of fund raising team - Press office called Anne and asked for more details - Background research proved convincing and pretext was accepted - Interview booked at head office Option 2 entailed less risk of exposure, so was attempted first.
Slide 18 © First Base Technologies 2015 Head office attack exercise 1. Anne and George arrive for the press interview, are given visitor passes and escorted to a meeting room 2. George asks to use the bathroom and is given directions 3. A senior employee joins the meeting and asks further questions to validate their story, which are answered satisfactorily 4. George returns from the bathroom, but quickly exits the meeting again leaving a pack of diarrhoea medicine on the table 5. During his ‘bathroom visit’ George is able to access unattended lab computers, simulate installing keyloggers and remote control software and copying files on to a USB drive 6. When the interview concludes, Anne and George are escorted from the building
Slide 19 © First Base Technologies 2015
Slide 20 © First Base Technologies 2015 Lessons 1. No checks on social networking using work email addresses 2. No sanitisation of metadata in published documents 3. Insufficient staff training on spear phishing 4. Inadequate visitor validation at branch office 5. Unsupervised visitor at branch office 6. Unsupervised visitor at head office (bathroom break) 7. Unlocked, unattended laboratories and unlocked computers 8. No challenging of unescorted visitors 9. Sensitive information protected only by Windows credentials
Slide 21 © First Base Technologies 2015 Red Team Testing • Use your threat analysis to pick a realistic attack scenario • Use your asset register to identify realistic targets • Engage a red team exercise to simulate a real attack • Check your preventative and detective controls! • Learn, improve, repeat!
Slide 22 © First Base Technologies 2015 Peter Wood Chief Executive Officer First Base Technologies LLP peter@firstbase.co.uk http://firstbase.co.uk twitter: @peterwoodx Need more information?

Recomendados

MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
Bhushan Gurav
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
NTT Innovation Institute Inc.
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat Intelligence
Deepak Kumar (D3)
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
👀 Joe Gray
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
Rashad Aliyev
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Amine SAIGHI
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
David Sweigert
 

Recomendados

MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
Bhushan Gurav
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
NTT Innovation Institute Inc.
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat Intelligence
Deepak Kumar (D3)
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
👀 Joe Gray
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
Rashad Aliyev
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Amine SAIGHI
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
David Sweigert
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Chris Gates
 
Red team Engagement
Red team EngagementRed team Engagement
Red team Engagement
Indranil Banerjee
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanning
amiable_indian
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
Bangladesh Network Operators Group
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
slametarrokhim1
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
Yvonne Marambanyika
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
Akash Sarode
 
System hacking
System hackingSystem hacking
System hacking
CAS
 
Phishing and prevention
Phishing and preventionPhishing and prevention
Phishing and prevention
Stephen Hasford
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
Digit Oktavianto
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
Morane Decriem
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
Anurag Srivastava
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
Krutarth Vasavada
 
Blue Team
Blue TeamBlue Team
Blue Team
Null Bhubaneswar
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
Raghav Bisht
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
Final Report Presentation Team Red O
Final Report Presentation Team Red OFinal Report Presentation Team Red O
Final Report Presentation Team Red O
Xu Bim
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
Amr Ali
 

Más contenido relacionado

La actualidad más candente

Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
Yvonne Marambanyika
 

La actualidad más candente (20)

Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
 
Red team Engagement
Red team EngagementRed team Engagement
Red team Engagement
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanning
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 
System hacking
System hackingSystem hacking
System hacking
 
Phishing and prevention
Phishing and preventionPhishing and prevention
Phishing and prevention
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
Blue Team
Blue TeamBlue Team
Blue Team
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 

Destacado

Final Report Presentation Team Red O
Final Report Presentation Team Red OFinal Report Presentation Team Red O
Final Report Presentation Team Red O
Xu Bim
 
Welcome to Strategic Red Team Consulting
Welcome to Strategic Red Team ConsultingWelcome to Strategic Red Team Consulting
Welcome to Strategic Red Team Consulting
Fred Aubin, CD MCGI
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015
Hykeos
 

Destacado (19)

Final Report Presentation Team Red O
Final Report Presentation Team Red OFinal Report Presentation Team Red O
Final Report Presentation Team Red O
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
 
DKapellmann_Security Compliance Models
DKapellmann_Security Compliance ModelsDKapellmann_Security Compliance Models
DKapellmann_Security Compliance Models
 
Risk Management Frameworks
Risk Management FrameworksRisk Management Frameworks
Risk Management Frameworks
 
Red teaming in the cloud
Red teaming in the cloudRed teaming in the cloud
Red teaming in the cloud
 
All your files now belong to us
All your files now belong to usAll your files now belong to us
All your files now belong to us
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
 
Fixing the broken Red Team
Fixing the broken Red TeamFixing the broken Red Team
Fixing the broken Red Team
 
Welcome to Strategic Red Team Consulting
Welcome to Strategic Red Team ConsultingWelcome to Strategic Red Team Consulting
Welcome to Strategic Red Team Consulting
 
Advanced Threat Protection: Lessons from a Red Team Exercise
Advanced Threat Protection: Lessons from a Red Team ExerciseAdvanced Threat Protection: Lessons from a Red Team Exercise
Advanced Threat Protection: Lessons from a Red Team Exercise
 
Strategic Red Team Consulting - Company Intro - Jan 2014
Strategic Red Team Consulting - Company Intro - Jan 2014Strategic Red Team Consulting - Company Intro - Jan 2014
Strategic Red Team Consulting - Company Intro - Jan 2014
 
ISACA UW Handbook 2016
ISACA UW Handbook 2016ISACA UW Handbook 2016
ISACA UW Handbook 2016
 
Pentesting
PentestingPentesting
Pentesting
 
mimikatz @ asfws
mimikatz @ asfwsmimikatz @ asfws
mimikatz @ asfws
 
Pentesting with Metasploit
Pentesting with MetasploitPentesting with Metasploit
Pentesting with Metasploit
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015
 
Strategic Red Team Consulting - Introduction to Business Wargaming
Strategic Red Team Consulting - Introduction to Business WargamingStrategic Red Team Consulting - Introduction to Business Wargaming
Strategic Red Team Consulting - Introduction to Business Wargaming
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
 

Similar a Lessons from a Red Team Exercise

Information Security and Corporate Risk
Information Security and Corporate RiskInformation Security and Corporate Risk
Information Security and Corporate Risk
AgilOne
 
Sheet1WeaknessViolates a policy or procedureThreatWhat is th.docx
Sheet1WeaknessViolates a policy or procedureThreatWhat is th.docxSheet1WeaknessViolates a policy or procedureThreatWhat is th.docx
Sheet1WeaknessViolates a policy or procedureThreatWhat is th.docx
bjohn46
 
Mpho Allen Maluleke
Mpho Allen MalulekeMpho Allen Maluleke
Mpho Allen Maluleke
mpho allen
 
Danger! Danger! Your Mobile Applications Are Not Secure
Danger! Danger! Your Mobile Applications Are Not SecureDanger! Danger! Your Mobile Applications Are Not Secure
Danger! Danger! Your Mobile Applications Are Not Secure
TechWell
 
Case Study 1 Questions1.     What is the allocated budget .docx
Case Study 1 Questions1.     What is the allocated budget .docxCase Study 1 Questions1.     What is the allocated budget .docx
Case Study 1 Questions1.     What is the allocated budget .docx
TatianaMajor22
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
Meg Weber
 

Similar a Lessons from a Red Team Exercise (20)

Pragmatic Network Security - Avoiding Real-World Vulnerabilities
Pragmatic Network Security - Avoiding Real-World VulnerabilitiesPragmatic Network Security - Avoiding Real-World Vulnerabilities
Pragmatic Network Security - Avoiding Real-World Vulnerabilities
 
Information Security and Corporate Risk
Information Security and Corporate RiskInformation Security and Corporate Risk
Information Security and Corporate Risk
 
Teaching Your Staff About Phishing
Teaching Your Staff About PhishingTeaching Your Staff About Phishing
Teaching Your Staff About Phishing
 
Sheet1WeaknessViolates a policy or procedureThreatWhat is th.docx
Sheet1WeaknessViolates a policy or procedureThreatWhat is th.docxSheet1WeaknessViolates a policy or procedureThreatWhat is th.docx
Sheet1WeaknessViolates a policy or procedureThreatWhat is th.docx
 
Cyber Security Seminar
Cyber Security SeminarCyber Security Seminar
Cyber Security Seminar
 
Securing Your Intellectual Property: Preventing Business IP Leaks
Securing Your Intellectual Property: Preventing Business IP LeaksSecuring Your Intellectual Property: Preventing Business IP Leaks
Securing Your Intellectual Property: Preventing Business IP Leaks
 
Mpho Allen Maluleke
Mpho Allen MalulekeMpho Allen Maluleke
Mpho Allen Maluleke
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber security
 
FreeSBC - Getting Started
FreeSBC - Getting StartedFreeSBC - Getting Started
FreeSBC - Getting Started
 
Danger! Danger! Your Mobile Applications Are Not Secure
Danger! Danger! Your Mobile Applications Are Not SecureDanger! Danger! Your Mobile Applications Are Not Secure
Danger! Danger! Your Mobile Applications Are Not Secure
 
The Bug Sweepers TSCM Guide
The Bug Sweepers TSCM GuideThe Bug Sweepers TSCM Guide
The Bug Sweepers TSCM Guide
 
FreeSBC - Getting Started
FreeSBC - Getting StartedFreeSBC - Getting Started
FreeSBC - Getting Started
 
Case Study 1 Questions1.     What is the allocated budget .docx
Case Study 1 Questions1.     What is the allocated budget .docxCase Study 1 Questions1.     What is the allocated budget .docx
Case Study 1 Questions1.     What is the allocated budget .docx
 
Meeting the Cybersecurity Challenge
Meeting the Cybersecurity ChallengeMeeting the Cybersecurity Challenge
Meeting the Cybersecurity Challenge
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
 
How to assess your it needs and implement technology at your nonprofit
How to assess your it needs and implement technology at your nonprofitHow to assess your it needs and implement technology at your nonprofit
How to assess your it needs and implement technology at your nonprofit
 
Jeff bianco
Jeff bianco Jeff bianco
Jeff bianco
 
ITE v5.0 - Chapter 11
ITE v5.0 - Chapter 11ITE v5.0 - Chapter 11
ITE v5.0 - Chapter 11
 
Attacking the cloud with social engineering
Attacking the cloud with social engineeringAttacking the cloud with social engineering
Attacking the cloud with social engineering
 
Why should you do a pentest?
Why should you do a pentest?Why should you do a pentest?
Why should you do a pentest?
 

Más de Peter Wood

The Ultimate Defence - Think Like a Hacker
The Ultimate Defence - Think Like a HackerThe Ultimate Defence - Think Like a Hacker
The Ultimate Defence - Think Like a Hacker
Peter Wood
 

Más de Peter Wood (20)

Hacking is easy: understanding your vulnerabilities
Hacking is easy: understanding your vulnerabilitiesHacking is easy: understanding your vulnerabilities
Hacking is easy: understanding your vulnerabilities
 
The future of cloud security
The future of cloud securityThe future of cloud security
The future of cloud security
 
The 2018 Threatscape
The 2018 ThreatscapeThe 2018 Threatscape
The 2018 Threatscape
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber Resilience
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)
 
Advanced threat protection and big data
Advanced threat protection and big dataAdvanced threat protection and big data
Advanced threat protection and big data
 
Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!
 
Unpatched Systems: An Ethical Hacker's View
Unpatched Systems: An Ethical Hacker's ViewUnpatched Systems: An Ethical Hacker's View
Unpatched Systems: An Ethical Hacker's View
 
Prime Targets in Network Infrastructure
Prime Targets in Network InfrastructurePrime Targets in Network Infrastructure
Prime Targets in Network Infrastructure
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent Threats
 
Emerging Threats and Attack Surfaces
Emerging Threats and Attack SurfacesEmerging Threats and Attack Surfaces
Emerging Threats and Attack Surfaces
 
Out of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsOut of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day Threats
 
Social Networking - An Ethical Hacker's View
Social Networking - An Ethical Hacker's ViewSocial Networking - An Ethical Hacker's View
Social Networking - An Ethical Hacker's View
 
Top Five Internal Security Vulnerabilities
Top Five Internal Security VulnerabilitiesTop Five Internal Security Vulnerabilities
Top Five Internal Security Vulnerabilities
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate IT
 
Security in a Virtualised Environment
Security in a Virtualised EnvironmentSecurity in a Virtualised Environment
Security in a Virtualised Environment
 
The Corporate Web Security Landscape
The Corporate Web Security LandscapeThe Corporate Web Security Landscape
The Corporate Web Security Landscape
 
The Ultimate Defence - Think Like a Hacker
The Ultimate Defence - Think Like a HackerThe Ultimate Defence - Think Like a Hacker
The Ultimate Defence - Think Like a Hacker
 
Security Testing in an Age of Austerity
Security Testing in an Age of AusteritySecurity Testing in an Age of Austerity
Security Testing in an Age of Austerity
 

Último

Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Priya Reddy
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
F
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
ydyuyu
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Monica Sydney
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 

Último (20)

Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 

Lessons from a Red Team Exercise

  • 1. Peter Wood Chief Executive Officer First Base Technologies LLP A Simulated Criminal Attack Lessons from a Red Team Exercise
  • 2. Slide 2 © First Base Technologies 2015 Founder and CEO - First Base Technologies LLP • Engineer, IT and information security professional since 1969 • Fellow of the BCS, the Chartered Institute for IT • Chartered IT Professional • CISSP • Senior Member of the Information Systems Security Association (ISSA) • 15 Year+ Member of ISACA, Member of the ISACA Security Advisory Group • Member of the Institute of Information Security Professionals • Member of the BCS Information Risk Management and Assurance Group • Chair of white-hats.co.uk • UK Programme Chair for the Corporate Executive Programme • Member of ACM, IEEE, First Forensic Forum (F3), Institute of Directors • Member of Mensa Peter Wood
  • 3. Slide 3 © First Base Technologies 2015
  • 4. Slide 4 © First Base Technologies 2015 How an Advanced Attack Works
  • 5. Slide 5 © First Base Technologies 2015 Threat analysis for testing http://csrc.nist.gov/cyberframework/rfi_comments/040813_cba_part2.pdf
  • 6. Slide 6 © First Base Technologies 2015 Lessons from a red team exercise “The story you are about to hear is true; only the names have been changed to protect the innocent vulnerable.”
  • 7. Slide 7 © First Base Technologies 2015 Our attack timeline
  • 8. Slide 8 © First Base Technologies 2015 Remote information gathering • 15 premises in UK, reviewed on Google maps and street view • 4 registered domains • 5 IP address ranges • 72 Internet-facing hosts • Metadata retrieved for Adobe, Office and QuarkExpress • Scan revealed OWA in use • Internet search for relevant email addresses • LinkedIn searches to construct email addresses for employees • 400 email addresses identified • ‘Interesting’ staff names and job titles from LinkedIn • Emails sent to obtain responding email style and layout
  • 9. Slide 9 © First Base Technologies 2015 On-site reconnaissance • Head office: - Perimeter guards and external CCTV - Main reception manned and controlled - Goods entrance well controlled - No other access - Staff ID card design noted - Results used to plan on-site attack 2 • Branch office: - High street premises, no guarding - Small reception, one receptionist - Door intercom - Multi-tenanted building - Results used to plan on-site attack 1
  • 10. Slide 10 © First Base Technologies 2015 Results of info gathering 1. Spear phishing is viable and can be used for theft of credentials 2. Head office will require legitimate appointment to gain physical access 3. Branch office may be vulnerable to ad hoc visitor with remote backup 4. Significant number of other premises available as fallback 5. Windows and Office in use, so typical network vulnerabilities will apply
  • 11. Slide 11 © First Base Technologies 2015 Spear phishing plan 1. Convincing fake domain name available and purchased 2. OWA site cloned onto fake domain for credential theft 3. Large number of email addresses harvested as targets 4. Design of real emails copied to facilitate spear phishing 5. Names and job titles gathered as fake senders 6. Genuine OWA will be used to test stolen credentials (and gather further info) 7. Credentials will be deployed in first on-site attack
  • 12. Slide 12 © First Base Technologies 2015 Spear phishing exercise 1. Email sent from IT manager, using fake domain address 2. OWA cloned on to tester’s laptop, DNS set accordingly 3. Email sent to three groups of 100 recipients 4. Within a few minutes, 41 recipients entered credentials 5. Credentials tested on legitimate OWA site 6. Significant information gathered from each account 7. Further emails can now be sent from legitimate addresses
  • 13. Slide 13 © First Base Technologies 2015 Branch office attack plan 1. Team member “Harry” to pose as a contractor working for a telecomms firm 2. Clothing and ID badge prepared 3. Works order fabricated 4. Engineering toolkit prepared, including laptop 5. Credentials obtained from spear phishing stored on laptop 6. Other team members on landline phones for remote verification
  • 14. Slide 14 © First Base Technologies 2015 Branch office attack exercise (1) 1. Harry arrives and tells receptionist he needs to fix a network fault 2. Receptionist asks for a contact name for verification 3. Harry claims not to know and gives receptionist his works order number and a phone number to get details 4. Receptionist calls and speaks to George who gives the name of an IT employee (who we know is ‘out of office’) 5. Receptionist cannot make contact with absent IT employee, so tells Harry to call their IT Manager to resolve the problem 6. Harry calls Charlie and asks him to impersonate the IT Manager 7. Charlie (impersonating the IT Manager) calls receptionist and tells them to give Harry access
  • 15. Slide 15 © First Base Technologies 2015 Branch office attack exercise (2) 9. Harry is escorted into the office and given a desk and a network point 10.He is left unsupervised and plugs his laptop in to the network 11.He explores the network and identifies several Windows servers 12.He authenticates to a domain controller using credentials obtained during the phishing exercise 13.He explores various servers and identifies many interesting files 14.He plants several files to demonstrate full read-write access 15.He explains that he has run diagnostics and that the network connection seems ok. He is escorted to reception and signs out
  • 16. Slide 16 © First Base Technologies 2015 Head office attack plan (1) A number of scenarios were considered: • Apply for a job vacancy with a suitable fake CV • Courier delivery of a parcel • Research and interview for newspaper or publication • Discussion about a school tour of premises • Tour of premises as a prospective customer Two alternatives were selected and developed: • Tour of premises as a prospective customer for a specific product • Interview for a charity magazine about corporate fund raising
  • 17. Slide 17 © First Base Technologies 2015 Head office attack plan (2) Relevant domain names were obtained, email addresses and web pages created for both fake organisations. 1. Tour of premises as a prospective customer for a specific product: - “Anne” sent an email via the company’s online form - An exchange of emails occurred over the next few days and she obtained permission, as a new customer, to book a tour of the premises 2. Interview for a charity magazine about corporate fund raising: - “Anne” called the company and spoke to head of fund raising team - Press office called Anne and asked for more details - Background research proved convincing and pretext was accepted - Interview booked at head office Option 2 entailed less risk of exposure, so was attempted first.
  • 18. Slide 18 © First Base Technologies 2015 Head office attack exercise 1. Anne and George arrive for the press interview, are given visitor passes and escorted to a meeting room 2. George asks to use the bathroom and is given directions 3. A senior employee joins the meeting and asks further questions to validate their story, which are answered satisfactorily 4. George returns from the bathroom, but quickly exits the meeting again leaving a pack of diarrhoea medicine on the table 5. During his ‘bathroom visit’ George is able to access unattended lab computers, simulate installing keyloggers and remote control software and copying files on to a USB drive 6. When the interview concludes, Anne and George are escorted from the building
  • 19. Slide 19 © First Base Technologies 2015
  • 20. Slide 20 © First Base Technologies 2015 Lessons 1. No checks on social networking using work email addresses 2. No sanitisation of metadata in published documents 3. Insufficient staff training on spear phishing 4. Inadequate visitor validation at branch office 5. Unsupervised visitor at branch office 6. Unsupervised visitor at head office (bathroom break) 7. Unlocked, unattended laboratories and unlocked computers 8. No challenging of unescorted visitors 9. Sensitive information protected only by Windows credentials
  • 21. Slide 21 © First Base Technologies 2015 Red Team Testing • Use your threat analysis to pick a realistic attack scenario • Use your asset register to identify realistic targets • Engage a red team exercise to simulate a real attack • Check your preventative and detective controls! • Learn, improve, repeat!
  • 22. Slide 22 © First Base Technologies 2015 Peter Wood Chief Executive Officer First Base Technologies LLP peter@firstbase.co.uk http://firstbase.co.uk twitter: @peterwoodx Need more information?