Our client engagement started with a threat and risk analysis, personalised to the business, to identify real-world attackers, their motivation, their skills and likely avenues of attack. Once the most likely and damaging threats had been identified, scenarios were created that the staff of the organisation would recognise as real and pertinent to their company.
Each scenario began with an information gathering and reconnaissance phase to identify potential weaknesses in physical premises, staff members and Internet-facing technology. Premises were located and reviewed online to produce a short-list for further examination in person. On-site reconnaissance of selected buildings was used to plan a more detailed, multi-staged operation.
The organisation’s registered domains, address ranges and Internet hosts were examined, exposing the software in use, and finding public-facing systems such as Outlook Web Access. Internet searches harvested email addresses and associated employee information from sites such as LinkedIn. Emails were sent to elicit responses containing the company’s official style and layout.
A spear phishing campaign was mounted, using email addresses discovered in the information gathering phase, with fake domain names and cloned sites facilitating password theft.
The stolen credentials were then deployed in an on-premises attack against a branch office. Physical access to premises was facilitated through a combination of impersonation and telephone pretexting. Subsequent network access using the phished passwords permitted theft of information from a variety of servers and also demonstrated persistent remote access through technical exploits.
More sophisticated on-premises attacks were then designed to test visitor controls and desktop security at head office. Scenarios were developed with team members having fully-developed ‘legends’ (back stories) for each engagement. The stories selected entailed one team member impersonating a potential customer requiring a tour of a facility, and another masquerading as a member of the press researching the charitable activities of the business. Carefully planned emails and phone calls resulted in a legitimate appointment at head office. Once on site, one team member kept staff occupied in a business meeting while another excused themselves for a ‘comfort break’ and took the opportunity to look for unprotected computers and to plant a remote control device on the network. That team member was never challenged during their excursion and found unlocked offices containing unattended, logged-on computers.
This threat-based approach highlighted vulnerabilities that otherwise would have been missed or perhaps not even considered during a typical ‘due diligence’ exercise. It delivered critical results for a modest outlay in time and expenditure. Red teaming is not an alternative to traditional testing, but it is a very valuable additional activity.
There was also the opportunity to use the results of the red team exercise as the basis for world-wide security awareness training. Presentations based on these simulated criminal attacks engaged people in a fashion completely unlike traditional training. Because the audience was following a story, and because that story was genuinely relevant to their organisation, it was possible to raise the bar on that most difficult of security controls - the human firewall. Security awareness at all levels was increased significantly and staff members became security evangelists in their own right.
Further red team exercises will build on this exciting precedent and provide more engaging stories to continue the education of everyone in the organisation.