Cybersecurity Attacks – Red Team Strategies

Cybersecurity Attacks – Red Team Strategies

by Johann Rehberger
Released March 2020
Publisher(s): Packt Publishing
ISBN: 9781838828868

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Develop your red team skills by learning essential foundational tactics, techniques, and procedures, and boost the overall security posture of your organization by leveraging the homefield advantage

Key Features

  • Build, manage, and measure an offensive red team program
  • Leverage the homefield advantage to stay ahead of your adversaries
  • Understand core adversarial tactics and techniques, and protect pentesters and pentesting assets

Book Description

It's now more important than ever for organizations to be ready to detect and respond to security events and breaches. Preventive measures alone are not enough for dealing with adversaries. A well-rounded prevention, detection, and response program is required. This book will guide you through the stages of building a red team program, including strategies and homefield advantage opportunities to boost security.

The book starts by guiding you through establishing, managing, and measuring a red team program, including effective ways for sharing results and findings to raise awareness. Gradually, you'll learn about progressive operations such as cryptocurrency mining, focused privacy testing, targeting telemetry, and even blue team tooling. Later, you'll discover knowledge graphs and how to build them, then become well-versed with basic to advanced techniques related to hunting for credentials, and learn to automate Microsoft Office and browsers to your advantage. Finally, you'll get to grips with protecting assets using decoys, auditing, and alerting with examples for major operating systems.

By the end of this book, you'll have learned how to build, manage, and measure a red team program effectively and be well-versed with the fundamental operational techniques required to enhance your existing skills.

What you will learn

  • Understand the risks associated with security breaches
  • Implement strategies for building an effective penetration testing team
  • Map out the homefield using knowledge graphs
  • Hunt credentials using indexing and other practical techniques
  • Gain blue team tooling insights to enhance your red team skills
  • Communicate results and influence decision makers with appropriate data

Who this book is for

This is one of the few detailed cybersecurity books for penetration testers, cybersecurity analysts, security leaders and strategists, as well as red team members and chief information security officers (CISOs) looking to secure their organizations from adversaries. The program management part of this book will also be useful for beginners in the cybersecurity domain. To get the most out of this book, some penetration testing experience, and software engineering and debugging skills are necessary.

Table of contents

  1. Cybersecurity Attacks – Red Team Strategies
  2. Why subscribe?
  3. Contributors
  4. About the author
  5. About the reviewers
  6. Packt is searching for authors like you
  7. Preface
    1. A note about terminology
    2. Who this book is for
    3. What this book covers?
    4. To get the most out of this book 
    5. Download the example code files
    6. Download the color images
    7. Conventions used
    8. Get in touch
    9. Reviews
    10. Disclaimer
  8. Section 1: Embracing the Red
  9. Chapter 1: Establishing an Offensive Security Program
    1. Defining the mission – the devil's advocate
    2. Getting leadership support
      1. Convincing leadership with data
      2. Convincing leadership with actions and results
    3. Locating a red team in the organization chart
    4. The road ahead for offensive security
      1. Building a new program from scratch
      2. Inheriting an existing program
      3. People – meeting the red team crew
      4. Penetration testers and why they are so awesome!
      5. Offensive security engineering as a professional discipline
      6. Strategic red teamers
      7. Program management
      8. Attracting and retaining talent
      9. Diversity and inclusion
      10. Morale and team identity
      11. The reputation of the team
    5. Providing different services to the organization
      1. Security reviews and threat modeling support
      2. Security assessments
      3. Red team operations
      4. Purple team operations
      5. Tabletop exercises
      6. Research and development
      7. Predictive attack analysis and incident response support
    6. Additional responsibilities of the offensive program
      1. Security education and training
      2. Increasing the security IQ of the organization
      3. Gathering threat intelligence
      4. Informing risk management groups and leadership
      5. Integrating with engineering processes
      6. I feel like I really know you – understanding the ethical aspects of red teaming
    7. Training and education of the offensive security team
    8. Policies – principles, rules, and standards
      1. Principles to guide and rules to follow
      2. Acting with purpose and being humble
      3. Penetration testing is representative and not comprehensive
      4. Pentesting is not a substitute for functional security testing
      5. Letting pen testers explore
      6. Informing risk management
    9. Rules of engagement
      1. Adjusting rules of engagement for operations
      2. Geographical and jurisdictional areas of operation
      3. Distribution of handout cards
      4. Real versus simulated versus emulated adversaries
      5. Production versus non-production systems
      6. Avoiding becoming a pawn in political games
    10. Standard operating procedure
      1. Leveraging attack plans to track an operation
      2. Mission objective – what are we setting out to achieve or demonstrate?
      3. Stakeholders and their responsibilities
      4. Codenames
      5. Timelines and duration
      6. Understanding the risks of penetration testing and authorization
      7. Kick-off meeting
      8. Deliverables
      9. Notifying stakeholders
      10. Attack plan during execution – tracking progress during an operation
      11. Documenting activities
      12. Wrapping up an operation
      13. Overarching information sharing via dashboards
      14. Contacting the pen test team and requesting services
    11. Modeling the adversary
      1. Understanding external adversaries
      2. Considering insider threats
      3. Motivating factors
    12. Anatomy of a breach
      1. Establishing a beachhead
      2. Achieving the mission objective
      3. Breaching web applications
      4. Weak credentials
      5. Lack of integrity and confidentiality
      6. Cyber Kill Chain® by Lockheed Martin
      7. Anatomy of a cloud service disaster
    13. Modes of execution – surgical or carpet bombing
      1. Surgical
      2. Carpet bombing
    14. Environment and office space
      1. Open office versus closed office space
      2. Securing the physical environment
      3. Assemble the best teams as needed
      4. Focusing on the task at hand
    15. Summary
    16. Questions
  10. Chapter 2: Managing an Offensive Security Team
    1. Understanding the rhythm of the business and planning Red Team operations
      1. Planning cycles
      2. Offsites
      3. Encouraging diverse ideas and avoiding groupthink
      4. Planning operations – focus on objectives
      5. Planning operations - focus on assets
      6. Planning operations - focus on vulnerabilities
      7. Planning operations – focus on attack tactics, techniques, and procedures
      8. Planning operations – focus on STRIDE
    2. Managing and assessing the team
      1. Regular 1:1s
      2. Conveying bad news
      3. Celebrating success and having fun
    3. Management by walking around
    4. Managing your leadership team
    5. Managing yourself
    6. Handling logistics, meetings, and staying on track
      1. Team meetings
      2. Working remotely
      3. Continuous penetration testing
      4. Continuous resource adjustment
      5. Choosing your battles wisely
      6. Getting support from external vendor companies
    7. Growing as a team
      1. Enabling new hires quickly
      2. Excellence in everything
      3. Offensive security test readiness
      4. Building an attack lab
    8. Leading and inspiring the team
    9. For the best results – let them loose!
    10. Leveraging homefield advantage
      1. Finding a common goal between red, blue, and engineering teams
      2. Getting caught! How to build a bridge
      3. Learning from each other to improve
      4. Threat hunting
      5. Growing the purple team so that it's more effective
      6. Offensive techniques and defensive countermeasures
      7. Surrendering those attack machines!
      8. Active defense, honeypots, and decoys
      9. Protecting the pen tester
      10. Performing continuous end-to-end test validation of the incident response pipeline
      11. Combatting the normalization of deviance
      12. Retaining a healthy adversarial view between red and blue teams
    11. Disrupting the purple team
    12. Summary
    13. Questions
  11. Chapter 3: Measuring an Offensive Security Program
    1. Understanding the illusion of control
    2. The road to maturity
      1. Strategic red teaming across organizations
      2. The risks of operating in cloak-and-dagger mode
      3. Tracking findings and incidents
      4. Repeatability
      5. Automating red teaming activities to help defenders
      6. Protecting information – securing red team findings
      7. Measuring red team persistence over time
      8. Tackling the fog of war
    3. Threats – trees and graphs
      1. Building conceptual graphs manually
      2. Automating discovery and enabling exploration
    4. Defining metrics and KPIs
      1. Tracking the basic internal team commitments
      2. Attack insight dashboards – exploring adversarial metrics
      3. Red team scores
      4. Tracking the severity of findings and measuring risks
      5. Moving beyond ordinal scores
      6. Using mean-time metrics
      7. Experimenting with Monte Carlo simulations
      8. Threat response matrix
    5. Test Maturity Model integration (TMMi ®)and red teaming
      1. Level 2: Managed
      2. Level 3: Defined
      3. Level 4: Measured
      4. Level 5: Optimized
      5. Level 6: Illusion of control – the red team strikes back
    6. MITRE ATT&CK™ Matrix
      1. MITRE ATT&CK Navigator
    7. Remembering what red teaming is about
    8. Summary
    9. Questions
  12. Chapter 4: Progressive Red Teaming Operations
    1. Exploring varieties of cyber operational engagements
    2. Cryptocurrency mining
      1. Mining crytocurrency to demonstrate the financial impact – or when moon?
    3. Red teaming for privacy
      1. Getting started with privacy focused testing
      2. Sending a virtual bill to internal teams
    4. Red teaming the red team
    5. Targeting the blue team
    6. Leveraging the blue team's endpoint protection as C2
    7. Social media and targeted advertising
    8. Targeting telemetry collection to manipulate feature development
    9. Attacking artificial intelligence and machine learning
    10. Operation Vigilante – using the red team to fix things
    11. Emulating real-world advanced persistent threats (APTs)
    12. Performing tabletop exercises
      1. Involving the leadership team in exercises
    13. Summary
    14. Questions
  13. Section 2: Tactics and Techniques
  14. Chapter 5: Situational Awareness – Mapping Out the Homefield Using Graph Databases
    1. Understanding attack and knowledge graphs
    2. Graph database basics
      1. Nodes or vertices
      2. Relationships or edges
      3. Properties or values
      4. Labels
    3. Building the homefield graph using Neo4j
    4. Exploring the Neo4j browser
    5. Creating and querying information
      1. Creating a node
      2. Retrieving a node
      3. Creating relationships between nodes
      4. Indexing to improve performance
      5. Deleting an object
      6. Alternative ways to query graph databases
    6. Summary
    7. Questions
  15. Chapter 6: Building a Comprehensive Knowledge Graph
    1. Technical requirements
    2. Case study – the fictional Shadow Bunny corporation
      1. Employees and assets
      2. Building out the graph
      3. Creation of computer nodes
      4. Adding relationships to reflect the administrators of machines
      5. Configuring the query editor to allow multi-statement queries
      6. Who uses which computer?
    3. Mapping out the cloud!
    4. Importing cloud assets
      1. Creating an AWS IAM user
      2. Leveraging AWS client tools to export data
    5. Loading CSV data into the graph database
      1. Loading CSV data and creating nodes and relationships
      2. Grouping data
    6. Adding more data to the knowledge graph
      1. Active Directory
      2. Blue team and IT data sources
      3. Cloud assets
      4. OSINT, threat intel, and vulnerability information
      5. Address books and internal directory systems
      6. Discovering the unknown and port scanning
    7. Augmenting an existing graph or building one from scratch?
    8. Summary
    9. Questions
  16. Chapter 7: Hunting for Credentials
    1. Technical requirements
    2. Clear text credentials and how to find them
      1. Looking for common patterns to identify credentials
      2. Retrieving stored Wi-Fi passwords on Windows
      3. Tooling for automated credential discovery
    3. Leveraging indexing techniques to find credentials
      1. Using Sourcegraph to find secrets more efficiently
      2. Searching for credentials using built-in OS file indexing
      3. Indexing code and documents using Apache Lucene and Scour
    4. Hunting for ciphertext and hashes
      1. Hunting for ciphertext
      2. Hunting for hashes
    5. Summary
    6. Questions
  17. Chapter 8: Advanced Credential Hunting
    1. Technical requirements
    2. Understanding the Pass the Cookie technique
    3. Credentials in process memory
      1. Walkthrough of using ProcDump for Windows
      2. Understanding Mimikittenz
      3. Dumping process memory on Linux
      4. Debugging processes and pivoting on macOS using LLDB
      5. Using Mimikatz offline
    4. Abusing logging and tracing to steal credentials and access tokens
      1. Tracing the WinINet provider
      2. Decrypting TLS traffic using TLS key logging
      3. Searching log files for credentials and access tokens
      4. Looking for sensitive information in command-line arguments
      5. Using Task Manager and WMI on Windows to look at command-line arguments
    5. Windows Credential Manager and macOS Keychain
      1. Understanding and using Windows Credential Manager
      2. Looking at the macOS Keychain
    6. Using optical character recognition to find sensitive information in images
    7. Exploiting the default credentials of local admin accounts
    8. Phishing attacks and credential dialog spoofing
      1. Spoofing a credential prompt using osascript on macOS
      2. Spoofing a credential prompt via zenity on Linux
      3. Spoofing a credential prompt with PowerShell on Windows
      4. Credential dialog spoofing with JavaScript and HTML on the web
      5. Using transparent relay proxies for phishing
    9. Performing password spray attacks
      1. Leveraging PowerShell to perform password spraying
      2. Performing password spraying from macOS or Linux (bash implementation)
    10. Summary
    11. Questions
  18. Chapter 9: Powerful Automation
    1. Technical requirements
    2. Understanding COM automation on Windows
      1. Using COM automation for red teaming purposes
    3. Achieving objectives by automating Microsoft Office
      1. Automating sending emails via Outlook
      2. Automating Microsoft Excel using COM
      3. Searching through Office documents using COM automation
      4. Windows PowerShell scripts for searching Office documents
    4. Automating and remote controlling web browsers as an adversarial technique
      1. Leveraging Internet Explorer during post-exploitation
      2. Automating and remote controlling Google Chrome
      3. Using Chrome remote debugging to spy on users!
      4. Exploring Selenium for browser automation
      5. Exfiltrating information via the browser
    5. Summary
    6. Questions
  19. Chapter 10: Protecting the Pen Tester
    1. Technical requirements
    2. Locking down your machines (shields up)
      1. Limiting the attack surface on Windows
      2. Becoming stealthy on macOS and limiting the attack surface
      3. Configuring the Uncomplicated Firewall on Ubuntu
      4. Locking down SSH access
      5. Considering Bluetooth threats
      6. Keeping an eye on the administrators of your machines
      7. Using a custom hosts file to send unwanted traffic into a sinkhole
      8. Keeping a low profile on Office Delve, GSuites, and Facebook for Work
      9. Securely deleting files and encrypting hard drives
    3. Improving documentation with custom Hacker Shell prompts
      1. Customizing Bash shell prompts
      2. Customizing PowerShell prompts
      3. Improving cmd.exe prompts
      4. Automatically logging commands
      5. Using Terminal multiplexers and exploring shell alternatives
    4. Monitoring and alerting for logins and login attempts
      1. Receiving notifications for logins on Linux by leveraging PAM
      2. Notification alerts for logins on macOS
      3. Alerting for logins on Windows
    5. Summary
    6. Questions
  20. Chapter 11: Traps, Deceptions, and Honeypots
    1. Technical requirements
    2. Actively defending pen testing assets
    3. Understanding and using Windows Audit ACLs
      1. Configuring a file to be audited by Windows using SACLs
      2. Triggering an audit event and changing the Windows Audit Policy
    4. Notifications for file audit events on Windows
      1. Sending notifications via email on Windows
      2. Creating a Scheduled Task to launch the Sentinel monitor
    5. Building a Homefield Sentinel – a basic Windows Service for defending hosts
      1. Installing Visual Studio Community Edition and scaffolding a Windows Service
      2. Adding basic functionality to the scaffold
      3. Adding logging functionality to the service
      4. Leveraging a configuration file to adjust settings
      5. Adding an installer to the service
      6. Uninstalling the Homefield Sentinel service
    6. Monitoring access to honeypot files on Linux
      1. Creating a honeypot RSA key file
      2. Using inotifywait to gain basic information about access to a file
      3. Leveraging auditd to help protect pen test machines
      4. Notifications using event dispatching and custom audisp plugins
    7. Alerting for suspicious file access on macOS
      1. Leveraging fs_usage for quick and simple file access monitoring
      2. Creating a LaunchDaemon to monitor access to decoy files
      3. Observing the audit event stream of OpenBSM
      4. Configuring OpenBSM for auditing read access to decoy files
    8. Summary
    9. Questions
  21. Chapter 12: Blue Team Tactics for the Red Team
    1. Understanding centralized monitoring solutions that blue teams leverage
    2. Using osquery to gain insights and protect pen testing assets
      1. Installing osquery on Ubuntu
      2. Understanding the basics of osquery
      3. Using osquery to monitor access to decoy files
    3. Leveraging Filebeat, Elasticsearch, and Kibana
      1. Running Elasticsearch using Docker
      2. Installing Kibana to analyze log files
      3. Configuring Filebeat to send logs to Elasticsearch
      4. Alerting using Watcher
    4. Summary
    5. Questions
  22. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
  23. Another Book You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Cybersecurity Attacks – Red Team Strategies
  • Author(s): Johann Rehberger
  • Release date: March 2020
  • Publisher(s): Packt Publishing
  • ISBN: 9781838828868