Understanding Mitre Attack to Perform Dirty Red Team Tricks
Let’s clear up what Red Teaming is. The textbook line goes: “A red team is a group that helps organizations to improve themselves”, blah blah blah.
That kind of definition can be found on Wikipedia or elsewhere on the internet. Red Teaming according to me: it is an activity performed to achieve a goal, and the techniques used to achieve that goal can be any techniques we can use during our engagement. There is no prohibition, limitation or restriction on how you achieve your goal. Yes, you got it right: you have to think like an actual attacker and act like one.
Definition for gamers: beating the target so hard, again, again and again, until it vomits red blood.
Let’s jump to our main topic now: starting Red Teaming by understanding a methodology or framework that we can use in our engagements. Are you ready for an awesome experience? I believe that understanding tools and vulnerabilities is not enough; that is becoming old fashioned, it is what we have been doing for ages. Okay, we know patch management is important, but what if we could understand how a hacker was thinking during the phases of his attack? What if we could understand the tradecraft of an actual hacker, aka the secret formula?

Disclaimer: “For the most part we will try to understand how an organization behaves when it comes to cybersecurity these days and how we can fix this. I will try not to use too much technical nonsense and try to make it easy to understand. This blog might get long, so I request you to grab a coffee and enjoy it.”

When it comes to cybersecurity, most organizations think of it as a product: they believe that if they run some vulnerability tools across the organization they are safe from future threats. In my belief, cybersecurity is a practice and a consistent healthy habit that a company should follow. It is like brushing your teeth daily: skipping one day will not affect you, but brushing consistently is a good practice for your long-term oral health.

There is a term called the Cyber Kill Chain. It is nothing but the steps a hacker would take to perform his malicious activity (learn more about malware here). The Mitre ATT&CK Framework documents these multiple attack phases, which we will try to understand. They start with Initial Access, go through Persistence, and end with Impact, which can be described as the ultimate goal of a hacker.
Now, Mitre ATT&CK, where ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a knowledge base of hacker behaviour, fully based on how a real-world hacker behaves while hacking a company. It is free and community-driven. But why are we looking at this? Why can’t we just learn some tools and try to secure our organization? See, learning tools is great, but it has its limitations. There are plenty of tools available for defending your organization and you can’t learn and apply all of them; for example, if we try to block PowerShell Empire, hackers can simply write their own tools. These kinds of limitations are real and annoying for the organization. That is why organizations nowadays try to defend against the hacker’s behaviour. What is that, you may ask? Let’s try to understand it with the help of the Pyramid of Pain, shall we?
David Bianco’s Pyramid of Pain
Let’s suppose an organization tries to block the hash value of a malicious executable. Changing that hash is a trivial task for a hacker: he can add some comments inside his code and the hash value of the executable changes. What about IP addresses? What if an organization detects some malicious IP addresses and blocks them on the firewall? Changing an IP address is also an easy task for a hacker. That is what this pyramid wants to tell you: the higher you go, the harder it gets to execute a hack. At the top of the pyramid is the term TTP, which stands for Tactics, Techniques, and Procedures. Tactics are the hacker’s goals, Techniques are how those goals have been or will be achieved, and Procedures describe how an attacker will implement the technique while performing the whole attack. If the organization’s Blue Team can identify these TTPs, it becomes much harder for a hacker to achieve his goals; basically, we are now targeting the hacker’s behaviour to defend our organization, and Mitre provides us this tool to help track that behaviour. We will not try to learn the tool itself, but I want you to get familiar with it and understand the concepts. In our previous blog we analysed a piece of malware, found out how the malware author wrote his code to achieve his goals, and walked through the WannaCry Ransomware. I would recommend reading it, so you can relate the whole thing better.
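To make the pyramid concrete, here is a small added example (my own code, not from the post or from MITRE): a SHA-256 blocklist that misses a rebuilt binary as soon as a comment is added, next to a behaviour rule that still fires because the rebuilt tool has to perform the same action. The builds, binary names and host events are constructed; T1490 and T1489 are real ATT&CK technique IDs, but the regex rules themselves are my assumption.

```python
import hashlib
import re

# Two constructed builds of the same tool. Build two only adds a source
# comment, yet that is enough to change its hash (bottom of the pyramid).
BUILD_V1 = b"int main(void) { drop_payload(); return 0; }\n"
BUILD_V2 = b"/* rebuilt */\nint main(void) { drop_payload(); return 0; }\n"

# Indicator-level control: a SHA-256 blocklist seeded with build one only.
HASH_BLOCKLIST = {hashlib.sha256(BUILD_V1).hexdigest()}


def blocked_by_hash(sample: bytes) -> bool:
    """True only if this exact byte sequence is on the blocklist."""
    return hashlib.sha256(sample).hexdigest() in HASH_BLOCKLIST


# Behaviour-level control: rules on what a process does, keyed by the ATT&CK
# technique they cover (T1490 Inhibit System Recovery, T1489 Service Stop).
# The regexes are our own assumption, not MITRE's.
BEHAVIOUR_RULES = {
    "T1490": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "T1489": re.compile(r"\bnet(\.exe)?\s+stop\b", re.I),
}


def match_behaviour(events):
    """events: iterable of (host, image, command_line) tuples, e.g. from EDR
    process-creation telemetry. Returns (host, technique_id, image) hits."""
    hits = []
    for host, image, cmdline in events:
        for technique_id, pattern in BEHAVIOUR_RULES.items():
            if pattern.search(cmdline):
                hits.append((host, technique_id, image))
    return hits


# Constructed telemetry: the rebuilt and renamed binary still has to delete
# shadow copies and stop services, so the behaviour rules catch it anyway.
SAMPLE_EVENTS = [
    ("ws01", "build_v1.exe", "vssadmin delete shadows /all /quiet"),
    ("ws01", "notepad.exe", "notepad.exe C:\\Users\\a\\notes.txt"),
    ("ws02", "build_v2.exe", "Vssadmin.exe Delete Shadows /All /Quiet"),
    ("ws02", "build_v2.exe", "net stop MSSQLSERVER"),
]

if __name__ == "__main__":
    print("v1 hash-blocked:", blocked_by_hash(BUILD_V1))  # True
    print("v2 hash-blocked:", blocked_by_hash(BUILD_V2))  # False
    for hit in match_behaviour(SAMPLE_EVENTS):
        print("behaviour hit:", hit)
```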
WannaCry Ransomware Behaviour
This is how a hacker will mostly behave while trying to execute a WannaCry Ransomware attack. Initial Access is not highlighted because, at the time WannaCry was spreading, the initial infection was likely through an exposed vulnerable SMB port, aka EternalBlue, which is a remote code execution attack. There are 11 tactics, which I have highlighted in yellow, followed by techniques, which are highlighted in red. If you look very closely at every column, there are multiple ways a hacker can achieve his goals; for example, if we look at the Initial Access column, there are 11 ways a hacker can get Initial Access, and so on. “PS: it is a cropped screenshot.” Now, what are the ways we can use this matrix? I am sure you have a good understanding of the ATT&CK Matrix now. Although this blog is mostly focused on Red Teaming, this matrix can help your organization with other things as well.
In just one blog it is impossible to discuss the technical part of red teaming, but I have a surprise for you at the end. For now we will try to learn the core concepts which will help you during your Red Team Engagement. I believe your cyber IQ and mindset are more important than learning some new tools. In a typical Vulnerability Assessment and Penetration Testing (VAPT) it’s all about the vulnerabilities, right? I am not saying it is not useful; it has its own advantages. If you are a startup with a limited budget you should probably choose VAPT over a Red Team Engagement. A VAPT takes up to 2 to 3 weeks, while a Red Team Engagement can take 1 to 6 months or even longer. I know you might be curious when to choose a Red Team Engagement, so let’s look at the differences. A typical VAPT may be focused on only one task, for example one web app or an internal network like Active Directory. That style of engagement is not about how a real hacker would attack the organization; VAPT teams determine the organization’s risk from the number of vulnerabilities they find. When it comes to Red Teaming, it is about the whole organization, about the whole process the organization has been running for years. Let’s try to understand this with an example. Suppose you are a bank. The basic process of a bank is to collect money from you and secure it from the bad guys; that is how a bank functions at its most basic. Now, you as a Red Teamer: how can you defeat that bank’s process so that the bank can function no more?
What is the maximum impact you can create for that bank from a security perspective, by which they could lose their process? There are no rules: you can physically break into that bank during your engagement, you can use social engineering, you can take advantage of an internet-facing web application, or many more. See, here you have to understand that as a Red Teamer your ultimate goal is to impact the process, not to test the bank’s web application or portal; you are only using the bank’s website to break into their internal network, but your ultimate goal should be the maximum security impact you can create during your engagement. It could include testing all the employees of the organization: every employee, the directors, that new intern who just joined the department, and the CEO as well. Now, what about the tradecraft? How can we create that hacker mindset and get started in Red Teaming? For that I am giving you this secret method, and here it is... I am just kidding, there is no secret or mystical formula. But yes, the basics remain the same. I suggest you do not learn new tradecraft while doing your engagement if you have just started; instead, learn from previous attacks and the tradecraft previously used against your sector. Suppose you are from the banking sector and trying to defend banks: the simple and easier way is to go to the official MITRE ATT&CK website and search for banks. MITRE will show you the multiple hacker groups who have tried to hack into the banking sector. Learn from their tradecraft and try to map it with your team.
Mitre will show you multiple hacker groups who have tried to hack into the banking sector; for example, here the APT38 group targeted multiple banking organizations. Go to the tool I have provided above, study the TTPs of APT38, discuss them with your CISO, map them onto your organization, emulate the same threat vectors APT38 has been using to hack banks, and test your organization’s process from a security perspective. Phew, we learned a lot today, but, but, but: you are a professional now, and after a successful Red Team Engagement the real duty starts.
I hope that you learned something new today. Coming next will be an article on Stuxnet, or Olympic Games, which was witnessed back in 2010 and changed cyberwarfare around the world, followed by incidents such as Shamoon in 2012, Iran targeting Western airports in 2014, the Industroyer Ukraine blackout in 2016, EternalBlue in 2017, BadRabbit Ransomware in 2017, the Triton Triconex SIS malfunction in 2018, and LockerGoga Ransomware in 2019. I am also planning to post a blog on one of the recent engagements in which my team was able to take over an entire organization, but prior approval will be needed to post, so I am waiting for the approvals.
Cheers. Until then, have fun, as always.
https://twitter.com/dhaneshdodia49
https://www.linkedin.com/in/dhanesh-dodia-2a873a11b/ https://www.hackthebox.eu/home/users/profile/69398
Dhanesh Dodia