Red Team Operations: Attack and Think Like a Criminal

Captions
Camille: Hello everybody, thank you for joining us on today's webinar. My name is Camille Duke and I will be moderating the webinar. The topic today is "Red Team Operations: Attack and Think Like a Criminal", so we're about to have a really interesting session here today. We've got our guest speaker Jeremy Martin; we'll meet him in just a minute, but first I'd like to go over just a couple of things. As attendees you are in listen-only mode; however, we invite you to please ask us questions at any time. We're going to save a few moments at the end, and perhaps pepper those questions in throughout the presentation for Jeremy as well, but we'll save some time to have our expert go through those burning questions you're thinking about when talking about red team operations.

Next I just want to briefly touch on CPEs. InfoSec Institute webinars are a great way to earn CPEs, and you may qualify by filling out a certificate of completion after the webinar is over. You'll see the link there on your screen, but you'll also receive that in the follow-up email, and you'll also receive the recording of today's presentation in the email. We also have a link there for some CPE eligibility requirements; those do vary by certifying body, as each certifying body is a little bit different about what they accept for a CPE, so go ahead and check out that link or check with your certifying body to see if you are eligible.

Next we'll go ahead and meet our speaker. Before I turn it over to Jeremy I just wanted to share a little bit about him. Jeremy is a senior security researcher and he is an instructor for us here at InfoSec Institute. As a senior security researcher he has focused his profession around red team penetration testing, computer forensics, open source intelligence and cyber warfare. Starting his career in 1995, Mr. Martin has worked with Fortune 200 companies and federal government agencies and has received a number of awards for his service. Jeremy currently provides training and helps manage the computer forensics lab for the Abu Dhabi Judicial Department in the United Arab Emirates. In outside consulting he is an instructor, security researcher, published author, and speaks at security conferences around the world. Jeremy's current research projects include vulnerability analysis, threat profiling, exploitation automation, anti-forensics, open source intelligence gathering and reverse engineering malware, so definitely an incredible person to have with us, someone with a lot of knowledge in the space. Jeremy also volunteers for local ISSA and FBI chapters, has held positions for the Open Information Systems Security Group, and sits on the board of directors for Denver's InfraGard chapter. So again, just an amazing person to have with us, and on top of that he also holds over 30 professional certifications. With that we'll turn it over to Jeremy. Thanks for being available to join us and take some time out of your busy schedule; we'll let you go ahead and take it over and tell us a little bit about what we're chatting about today.

Jeremy: Good morning, this is Jeremy. Basically, today we're going to cover what it is to be a red team. If you haven't had the opportunity to do any sort of vulnerability assessments or pentesting, red team basically just takes it to a little bit more of an extreme. Personally, I think it is probably one of the more fun situations in security, because people pay you to pretend to be the bad guy, so you're just doing it legally. Realistically, a red team traditionally can be a group of subject matter experts, just like on the screen, but you are not just one subject matter expert; hopefully it's a team of different skill sets. So you might have somebody with, say, a physical security background; it could be programming, it could be
of course network, server, comms, wireless, and then they work together to achieve the goal of breaking in. Now, with things like social engineering, that definitely does take quite a bit of skill set; everybody should have a little bit of knowledge and background in it, but there are some people that are just amazing con people. For example, one of the most iconic individuals out there that focused on social engineering specifically was Kevin Mitnick. So each person that has a unique skill set on the team is definitely a good asset, but the biggest thing comes down to trying to pretend to be an adversary. Think of it in this way: sometimes, if you're doing any security assessment, it might be "just break in any way you can"; otherwise they might say "we have this specific competitor that has been attacking us and we want you to mimic their attacks." Some tools will even automate the process and do things such as mimicking an APT. There's a decent commercial tool out there; it started off from Metasploit, then there was an interface to that called Armitage, and then good old Cobalt Strike. So that automates the process of mimicking, but when it comes down to it, the biggest thing is we're trying to basically break in.

With that said, you need to see vulnerabilities like the bad guys do. Unfortunately a lot of people only see how things are built, how they've been architected: it was built for a very specific reason, that's all it's supposed to do. But unfortunately a lot of things work differently from the way they were designed. For example, last year there was an issue where some security researchers found out there was a vulnerability in a DNA sequencer, and so what they ended up doing is they wrote malware for the sequencer and then encoded it in DNA, and the sequencer read it, and that in effect backdoored that system, which then called home. So you're trying to think about not just how some of the common bad guys would do it, but how anybody could potentially bypass something as it was written, and basically also testing the defenses. In that scenario that I just mentioned, there's very limited reason why certain types of environments may need to get access to the Internet; for example, the DNA sequencer probably didn't need internet access, but it ran exploit code and called home, so it had internet access. That itself is also something to test. Same thing with ICS and SCADA systems. Not sure if any of you have seen a place like Shodan before, but when it comes down to it, there are a lot of potential systems out there that definitely should not be picked on.

So places like Shodan you can use for information gathering. Some people will call this open source intelligence gathering, OSINT, or recon, but basically what you're trying to do is find out what's public, and you're not even testing the target, not touching them at all. At this point you're trying to get all the information related to events, employees they have, even the technology. Going again to some of the sites like Shodan, there are all kinds of good information-gathering tools out there to help automate the process, but you're just trying to find out what they're using, and how that could potentially be reached even if things may not be internet accessible. Job posting boards: I know a lot of HR departments have gone through and pushed even further to where they will ask for a very specific skill set. It could be, let's say, SELinux; at that point you know that they're using Linux boxes and they also have Security-Enhanced Linux, so there's a good possibility that some of the systems may not be configured right. So absolutely there's a lot of recon or OSINT that can do most of your job for you, especially things like social networking sites. So many people have a social network profile; most of us do, some of us have more than one, especially if you're on the security side, where that's not necessarily uncommon. Facebook, however, is kind of cracking down, but it's still the common trope: people disgruntled talking about their work, or they're proud of their work and they're talking about it, and you can get a side conversation going with them, and sometimes they do leak out a little bit they shouldn't.

With that said, now that you have some base information, you can start poking around. That means potentially doing things like port scanning. I know we were talking about Shodan before, but what's interesting about that whole scenario is that they're based off of Nmap scans anyway; they just go a few steps further, so if you haven't been there it's definitely a good resource. So we said looking for things beyond normal cyber weaknesses like open ports; I know we kind of mentioned disgruntled employees, but it's things that you're looking for that are not necessarily obvious. I've had some scenarios where I'd do stuff like contacting some of the sales staff, seeing if they're selling specific content, or pretending to be the target and then contacting the vendor and saying "I want more seat licenses for this specific product," and the salesperson might say "yeah, it's going to be this amount, you already have this amount of licenses." At that point you now know what the technology is. If they come back and say "hey, we don't see that you have this technology," that also tells you something: that they probably don't, or if they do, it's not part of their main organization. So things like that, or if you can even get on-site. I had a colleague that's a little bit more eager than I am and more active when it comes to physical assessments. What he'll do is a recon and try to find out when they have new hire orientation. Once he finds that (a lot of times that might be Fridays, it could be Wednesdays, whenever), he'll then research who the hiring managers are, what groups are hiring, and he usually tries to go for an IT position, system admin, not necessarily high-level security but somebody low in the ranks that would still have good access, and
he'll try to get inside. Knowing that he doesn't have any authority there, he'll go to the security desk: "I'm here for new hire orientation, I was told to be here." The security officer or guard usually calls up HR or walks him to the area. Once HR gets involved, of course he's not on the list, but he's convincing and he has a fake offer letter, and he usually gets put in training, and at the end of the week comes out with credentials. At that point you're looking at the guards themselves: they just let him through; HR just let him through; he's able to just walk in. Especially when you're talking about "open doors," a lot of organizations, or most people in general, are non-confrontational, which is good to an extent; it's human nature. But some of the potential challenges you're going to come up with are "see something, say something": if somebody is in an area that they shouldn't be, either contact security or the people in that area, but they usually don't. So you want to look for what would be actual open doors, or see if anybody will open them for you. I have a very good percentage: I'm carrying something, or somebody goes to open the door, I hold it open, but instead of going in I let a few people in and then follow them, and they usually don't ask. So definitely look not just for the cyber side but anything related to schedules; again, it's usually the human factor that is the weakness, and then of course the physical.

Camille: Thank you, Jeremy. Just bringing up the point you just talked about, researching when they have orientation and so on, I suppose it's pretty easy to find that information, maybe on LinkedIn; someone posted "oh hey, I've got a new position, I'm so excited to start working with this company, and my orientation is Tuesday, can't wait to start." So I think people need to be aware that even on professional sharing sites you can really get a lot of information about someone.

Jeremy: Oh, absolutely, and that's where it comes down to trying to identify those sources. LinkedIn is a good one, Monster, people that have jobs there. I've even been in a group where we had fake job interviews for a fake competing organization or startup, and then started asking questions like that of the people we'd take out to dinner. So yeah, absolutely, sometimes it's a little bit more hands-on, but usually it's just right there.

Camille: Yeah, that's very interesting stuff, and a lot of people for sure think that it's a harmless post or an excitement type thing; we all want to build our brand and build awareness of ourselves on LinkedIn and look at those professional opportunities, but it's interesting to think of how it can really be a security concern.

Jeremy: Oh, absolutely, and trying to be from the good standpoint, that's usually not going to happen to most people, but absolutely industrial espionage is huge; it has been for thousands of years and it's going to be for a long time. So with that said, once you've identified potential weaknesses, there's a bunch of things; I know here we have a list. You can send exploits to the server, so on the cyber side, in that instance you're hoping that there's a port open with some vulnerable software, and then take it over. Spear phishing: I know a new term that they've been starting to push over the last few years, kind of a Moby Dick reference, is good old whaling, so instead of going for the average fish, the average item, you're going for the big guys, the Moby Dick of the organization, the CEO, CFO. What's interesting about that is, unfortunately, it's kind of a catch-22: people that have authorization in the business, those that sign the paychecks, are usually the ones that sometimes are the biggest risks. They're the biggest targets, but a lot of times they have more rights than they need. I've known CFOs that have had domain admin across the domain, and there's no real reason a CFO that deals with finances needs domain access or domain admin access on the rest of the system, but yeah, absolutely. I know here: weak services. Weak services could be usernames and passwords, and you'd be looking for those, and then, going back to the whole thing about being an actual bad guy, you can then pretend to be either IT or service staff, and at that point you have physical access. Once you have physical access, the joke is the game's over; the only thing that really stops that would be full disk encryption, but when the computer turns on that's out the window too. So basically when you do find a vulnerability, you just try to find some way of exploiting it, and if you can't find anything, the proverbial joke is that red teaming is a "try harder" profession, so just try until you break in.

With that said, there are a lot of APTs out there, advanced persistent threats, and sometimes that's what you're trying to mimic, or you just try to break in any way you can, but a lot of these things are calling back home, and it's amazing over the years how many services have popped up that allow people to call back home. For example, I know here we're talking about ngrok and Serveo. ngrok is a site basically developed for developers so they can set up an application on their own home PC behind a firewall, behind all the protections, contact outbound to their server, and then be able to share it with the rest of the world. Same thing with Serveo, but Serveo is just doing SSH reverse tunneling, and you can set up your own: spin up an AWS server; there are all kinds of things. At that point, especially with stuff like this, you don't necessarily have to worry about firewalls and NATs on your side, because for years and years I've been doing pentesting, and a lot of times I'd be in a hotel, because I do the on-site and then I'd be back at the hotel running things, and I would definitely not have a static IP address, or if I do it's usually a cloud service, because I don't want my personal static IPs (I have a couple) being tied to the potential attack and
blacklisted. So yeah, definitely, third-party services are all over, and a lot of people have been using Tor over the years; it's definitely been around, and that is harder to call back home on, but it does add a little bit of a layer of anonymity. But outside of that, once the connection has been made, another running joke is "gather first, analyze later," which basically means grab as much stuff as you can; don't necessarily look at the content that you're getting, and don't be very specific unless you have all kinds of time. The bad guys do. For example, I was brought into an incident response case where a money exchange organization came to us trying to figure out how they got hit, so we got pulled into a risk assessment basically after we did the investigation. It was one of those interesting scenarios where the bad guys, we found out during the investigation, were in there for over a year and a half, so they weren't in a hurry to pull anything. For a red team you might have a week or two, maybe more if you're lucky, and you need to basically pull as much as you possibly can so you can start analyzing, but that's later.

With that said, when you do find things, you always kind of want to look for what I like to call the pain point of your customer. As for a pain point, an assessment that I was brought in on: an airport brought us in, there was a team of two of us, a very small team, and they were very cocky. The specific site had about 900 computers, and out of those they had about 80 servers, and within the first day we were able to get the servers. All of them were basically the same image of Windows 2008 and they had the same password; their golden image had the same username and password (maybe they've changed things afterwards). So the only thing we weren't able to break with the time that we had was the Active Directory, but we had the vast majority of the file servers, so we started copying all of their IP data, we copied all the financial data. Given the presentation, what was interesting about it was the CFO: when we called it in there, he had prompted the assessment, but he didn't care. The cool part, though, and this is kind of an interesting part: I was able to find an image of his laptop that IT did about a week before we were brought in. I stumbled across it; I found this after, again, pulling all kinds of data over, and I mounted it in some forensics software and basically found some stuff related to him. Even though in our report we were showing that we had pictures of everybody else's passports, we had everything related to their IT, their HR, their finances, he didn't care until at the very end of the presentation we brought up a picture of his wife and his family. At that point it hit him: "oh, this affects me personally, this is an issue." So if you're ever able to point out a pain point to the customer, it does give a little bit more; not only is it flashy and good for a show, but it definitely gets a little bit more emotion out of the customer, the client.

With that said, I know here there are always two sides to every story in that area. Once you're in a system, it's always a good idea not to just stay on that one system. We're talking about a little pivoting; there's another term called island hopping, a military term, which is basically where "red team" comes from anyway. But once you hit a system, there are probably all kinds of issues within the network. That's where a lot of problems happen: you're not necessarily able to compromise the server from the outside due to the firewall rules, they have a low footprint or overhead or whatever, but once you get in, then spread to other systems, and once you do, try to blend in with the rest of the traffic. So if you're creating users, I do two things: I create users that look like other users, and then I also create users that are obvious, but I usually do that towards the end. The reason I do both is, again, testing security and also proving a point, that we were not only able to get in but they should have seen it. But yeah, as far as whenever you're inside, look like normal traffic. You're trying to pretend to be a bad guy, so they're probably not going to catch you if you're able to get in to begin with. If they do, that's great; that's a huge good finding for the client: they were looking, they saw it, and you can go on from there. But if they don't see it, then again that's kind of a negative finding if they have a CERT team which is supposed to be looking. If you're slow-going and blending in, there's a good probability they're not going to catch it, especially if you know the baselines of the technology that they're using, and that's how bad guys get away with things for so long. So absolutely, blend in, go deeper, blend in more, and then it's not a bad idea to have some fun too; you're hired in there to test their security, so once you go in, not only test it but make it to where it's useful.

Camille: Now Jeremy, I have a question, or a little bit of a thought here. Just out of curiosity, what is the longest that you've ever heard of someone being undetected in a system or in a network?

Jeremy: Probably 10 years, at Nortel.

Camille: Wow.

Jeremy: When they went out of business.

Camille: Wow.

Jeremy: So basically they never found it. It was a third party that was going through their assets that found that they were making some call-homes to Beijing, and then of course they asked the question, "why is Nortel calling Beijing so often?" and then they found it.

Camille: That's incredible, 10 years. Wow.

Jeremy: With full admin rights, so they had all their trade secrets. Okay, so now, being the bad guy, as you're hired in to test their security, I hate to say it but documentation is the key. You need to document everything for a few reasons. You're trying to help the customer; you're trying to identify weaknesses, and then when you identify them, help them fix them. You're not going to be able to identify everything, but here's the other problem: if you don't document, and something else goes wrong, or for whatever reason the client is upset because a server went down in a different country on a subnet you didn't even touch, you're going to be responsible
for it; they're going to blame you, and you need to be able to prove or disprove that you could or could not have caused the problems, and if you did, justify why, especially if those systems are outside of scope. So you need to keep count of pretty much everything that you found, every place that you went, everything you touched. If, for example, you're on one network scanning it and a system on an entirely different network, even in a different country, goes down, it's associated with that company; if you did do it but you didn't touch their IP address or their system, that is in itself another vulnerability, and that's something that the client needs to take care of. So absolutely, documentation is huge, because that basically minimizes liability and increases value.

A couple of other things I did want to mention: scope. Always stay within scope. Going back to the documentation, that helps you prove your statements. If you go outside and beyond the scope, that does bring you some legal liabilities, so again, if you do take down a server and you attack something that was not within the contract, that is a potential loss on your part. There's one trick that I've actually learned. I don't know if anybody has seen these videos before; there are a couple on YouTube called Tiger Team, and that's basically a red team/pentest group that has been around for a while, and they actually got a TV show for two episodes. But they highlighted something that was very useful and everybody should be doing: they found vulnerabilities, they found their ways in on both those episodes, and at the very end they were actually saying "you had great security, but this is how we can help your security." For everyone else, that may backfire; I have had scenarios where we found all kinds of issues and upper-level management was basically just checkbox clients: "we got the assessment done, we're moving on, we're not fixing anything." Sometimes, if you say everything that you did was not a waste, but for a few more resources you can make things better, that definitely makes them a little bit happier, especially, like I mentioned before, the CERT team: they may have found you, and absolutely, that's a great thing. So they may have blocked your IP address. For example, when I do an assessment, I never do it from the IP address that I'm currently on; I always go through a VPN or some other proxies. The main reason is I want to see how long it's going to take for my IP address to get blocked and my stuff to stop working. If it never gets blocked or stopped, that's great for me but it's bad for them. If it does get stopped, then absolutely that's something to document: they were great, they identified me within five minutes, they blocked me, I switched IP addresses, the same thing happened. But again, when you do find things that are bad, it could be a simple fix, it could be a misconfiguration problem, or it could be an inherent issue in the technology they have. For example, I did an assessment on a large organization down south, and they actually had some pretty good security. One of the weaknesses we found was that if somebody was going to HR, the security guards would just let them right up; everybody else had to be escorted and badged. So you basically said "we have an appointment with HR," you walk right in, and we start talking to them; we go to the IT staff, "we're supposed to meet them," and of course they were surprised we got in. Then they changed their mind, because we were supposed to have some credentials and start a basic risk assessment, and they said "okay, we just want to see it: here's a phone line" (they had a voice over IP system), "here's a network cable to the phone, get into our network now." So we're talking, and my colleague was taking up most of the time, so basically at that point I was able to get my system up. I ran a couple of tools, one called netdiscover, to find out what IP ranges and addresses were in the area; I found a printer, spoofed its MAC address, and that was able to get me on their network, and that took maybe about two and a half minutes. What I found out later on is that they had a NAC system, a network access control system, but it wasn't fully functional, because they had a lot of systems like printers, or old printers, that didn't match the system, that they had to whitelist. So all the bad guy would have to do is identify one of those, and I got lucky: on the first try I got one that was being whitelisted, and that got right past them. So again, I highlighted the good and then pointed out one of the weaknesses in their technology, and they were able to make their area a little bit more secure.

Camille: Well Jeremy, thanks so much for that; that's some interesting stuff for people looking to get into this red team side of things. We have a new offering that I wanted to talk about real quick before we get to the Q&A section, so please continue to ask questions. We've gotten a few through the Q&A and a few through chat as well, but we're saving a couple of minutes here, so while we let some more questions stream in and while we look through those, I just wanted to give you a little overview of our new Red Team Operations course. InfoSec Institute recently released two new courses around offensive and defensive security job roles. The first is Red Team Operations, which Jeremy just shared a lot of interesting information about with us, and Cyber Threat Hunting, which we will cover in next week's webinar, a follow-up to this one, again with Jeremy, our expert on the red and blue team courses. In the course you'll learn how to perform a comprehensive red team operations pentest, of course what Jeremy covered today, all of the things that you need to do to test a network and think like the bad guy and be that bad guy, but the course will also prepare you to pass the Certified Red Team Operations Professional exam, so that you can prove your red team knowledge to your employer or job recruiters and advance your career in that
sense. We also have a really cool promotion going on through the end of the year here. I know Jeremy, you have a few of these hacking toys, don't you?

Jeremy: Yeah, I actually have been using the Rubber Ducky, which is those little thumb drives at the bottom, since 2012, and Wi-Fi Pineapples. You can do a lot of this stuff yourself, but it takes a lot of time and effort, so this automates a lot of the attacks. So yeah, absolutely.

Camille: Sure, very cool. Well, with the promotion you can get up to five hundred dollars of ethical hacking toys. Some of the ones you see there are the Hak5 Elite Field Kit, the Physical Engagement Bundle, and the Wi-Fi Pineapple, which Jeremy just mentioned he used; some interesting tools to monkey around with and get that hands-on experience as well. So wrapping up here, we've got a few minutes to ask Jeremy some questions. I think one of the first ones we'll go with is: what are the most common vulnerabilities that you find in midsize or small companies, small businesses, versus the larger corporations?

Jeremy: To be quite honest, the majority of the vulnerabilities I do find are usually misconfigurations, bad passwords or unpatched systems. Outside of that, if you can't find any of those, then the next best bet is social engineering and trust.

Camille: Sure. And do you see more issues with, I know sometimes in larger companies it's easier with the social engineering because everyone doesn't know each other in some of those big companies; is that a point that you see often?

Jeremy: Yes, and the smaller the company, the harder it is to social engineer. I did have an issue where I was trying to run a calling campaign and I picked the wrong person: I picked the person that the CIO was actually dating. When they did that, I was not well.

Camille: Well, that's an interesting way to figure it out; that's kind of funny. Another question here from Colin: have you started working alongside blue teams after a successful red team engagement?

Jeremy: Yes, sometimes it's before and after. I know when I get called in, sometimes it's right after an incident, so I have to do incident response, and then I work with them to try to do the investigation, then plug up some items, and then I will do testing and then go back to them and see if it could be fixed. So absolutely.

Camille: So both sides of that spectrum, the bad guy and the good guy, to fit our analogy here.

Jeremy: Yep.

Camille: Very cool. So let's see, another question: what is a good company utilizing a VPN connection or Tor, if programs phone home and give your position away?

Jeremy: Sorry, could you repeat that please?

Camille: Sure, so let's see, maybe let me reword it a little bit here: what is a good company that utilizes a VPN, or how can a company do that if the phone-home gives your position away? I believe that's what the question is kind of asking.

Jeremy: Okay, so I've worked with a lot of law enforcement organizations over here, helping them set up investigation systems, like open source intelligence gathering, things in that area. What we usually do is set up a router that has a VPN service. With a lot of VPN services, some of them don't log, some of them do, but especially depending on what country they're based out of; I know in the US there are certain things, so if you're not breaking the law it shouldn't be an issue. Any one of the big ones usually works. I know I use VyprVPN, and they just stopped logging due to GDPR, because there's a liability there. There's another organization I do use, TorGuard, and they focus primarily on people with BitTorrent traffic, so they don't log much of anything, but they also don't minimize the traffic that you're going through. If you do that with a router, you can also set up a virtual machine, or a couple of VMs, on the inside, and then basically have it to where one VM passes through another as a gateway, so even if your system does get compromised and it calls back to a bad guy, it's not getting the right IP address; it's getting some other random internal address, or if they do get the external, it's going to be going through at least a VPN service.

Camille: Sure. Jeremy, another question that came through on the chat here: this person would like to know the best way to get a red team job. Do they need to learn pentesting, do they need to learn social engineering, or can you just kind of specialize right away into that red team space?

Jeremy: That is a very good question. You need to find an organization that has a red team, and then, to be quite honest, use them as your first target: try to identify the weaknesses that they're trying to overcome and then focus on those. I do know pentesting is a huge start for it; social engineering is a huge start for it. So it depends on what their needs are, and absolutely focus on learning what their needs are. With that said, it is a good idea to know a little bit more than just one specialization, but yeah, find out what their weaknesses are and try to exploit them.

Camille: Sure. Looks like we've got time for just one or two more questions here. Another question is: many users feel that IT security is a nuisance; how do you deal with that mindset? That's a question that we deal with a lot here at InfoSec Institute, helping people care about IT and security, but Jeremy, do you have any tips on that?

Jeremy: So that's where, if you find a pain point, which could be management, sometimes that's a top-down approach. If you can get management to care about it, because it became personal to them or focused on something that was interesting to them, then they're more likely to support it, and then that basically trickles down in a lot of scenarios. But sometimes it does come to where you have to find personal information based off the users. I know a lot of companies may not care as much about their employee data as their customer data, because customer data is consumed more than employee data, and there they'd lose their job. But yeah, if you make it personal, then it usually has a little bit bigger of an emotional connection.

Camille: Sure, well thank you Jeremy so much. It looks like we are about to run out of time here, so the last question that we'll go for came through on the chat, and it says: "I have an IT career, but I don't have offensive experience; how do I transition?"

Jeremy: Well, there are a couple of ways. You can find a security team that does risk assessments, and then you can go that route. Another route would be, to be quite honest, build your own lab. You can build your own lab with virtualization software, for example VMware, VirtualBox, KVM or libvirt on Linux, and then just start attacking those systems, try to get consistent, and that's from the cyber side at least. Read as much as you can, study up, and then basically try to build the value for the organization. I know some people are able to talk their management into building certain capabilities within an organization, but if you're trying to get in with another organization, absolutely, IT definitely helps, but trying to get some of the other knowledge is invaluable, and labs are great.

Camille: Well, thanks again for joining us today, Jeremy; just a lot of great information, and it can really help those people that are interested in the red team side of things begin to get involved in this. Thank you to the audience for joining us today and asking some really interesting questions. I apologize that we didn't get to all of those, but the ones we didn't get to, we'll have someone follow up with you. You can watch for the recording of this presentation later in your email, and we'd also invite you to join us again next week, same time, for "Cyber Threat Hunting: Identify and Hunt Down Intruders." In that presentation Jeremy will go to the other side of the spectrum with us and go more of that blue team route. Again, you can watch for the recording later, but if you'd like more information right away, go ahead and head to the link here to learn about our red team course, or go ahead and give us a call and speak with a rep about the course and the current promotion with those hacking toys going on. If you have any further questions, please direct them to info@infosecinstitute.com and we'll be sure to get back to you. Have a great rest of your day, and thanks again Jeremy for the great presentation today.

Jeremy: Absolutely, thanks. Have a good evening.

Camille: You too.
Info
Channel: Infosec
Views: 7,212
Rating: 4.9285712 out of 5
Keywords: security awareness, training, red team operations, risk assessment, pentesting, hacking, ethical hacking, certified red team operations professional, crtop, certification, red team, blue team
Id: 8a-sBM34BU4
Length: 44min 46sec (2686 seconds)
Published: Mon Dec 10 2018