Today’s highly motivated cyber attackers continually hone their skills. After all, their job is to know your network better than you do, exploiting even the smallest vulnerability to carry out a mission. In order to stay a step ahead of advanced maneuvers, it’s critical to adopt an attacker’s mindset. For many organizations, a Red Team plays an integral role in continuously improving security practices.
CyberArk Red Team services provide a safe way for security operations teams to test their ability to effectively defend against cyber attacks. The CyberArk Red Team uses a variety of tactics, techniques and procedures (TTPs) that are used in real world attacks to help clients uncover vulnerabilities, test security procedures and identify areas of improvement.
We recently spoke with Shay Nahari, our Head of Red Team Services, to learn more about the process and goals of simulated attacks. Here are some highlights from our discussion. Additional information about the Red Team is available here.
Q: Why do organizations request adversary simulation?
A: Organizations hire us to test their teams’ ability to detect and respond to targeted attacks against their infrastructure. By thinking and acting like real attackers, we give our customers a way to face a real attack and learn from it.
Q: How do you prepare for a simulation?
A: Before any simulation, we focus on reconnaissance, trying to learn as much as we can about the target organization, its employees and the security measures in place. To do so, we employ a number of methods, such as collecting information from public sources like LinkedIn, Shodan and other lesser-known sources. Armed with this information, we typically utilize custom malware to evade their security measures, then either exploit a vulnerability, an external server or use social engineering to gain an initial foothold in the network.
Q: How easy is it to breach a typical network? And what do you do once you get inside?
First, there are always ways to get inside a network. That’s why it’s important for organizations to change their mindsets around cyber attacks. It’s not a matter of “if” but a matter of “when.” Organizations have to adopt an “assumed breach” mindset – assume that one (or more) of their resources is already compromised.
Once we’re inside, we always try to exploit built-in trust as a first step. Trust usually translates to some type of credential – passwords, hashes, SSH keys, tickets. We can abuse this trust to impersonate real users and typical user behavior, which makes it very hard for the defenders to detect the intrusion.
Q: What happens after you breach a network?
A: Once we have a foothold in the network, we take time to familiarize ourselves with our surroundings. At this point, most of the information we need can be gathered by abusing inherent trusts in the target environment, without necessarily requiring admin rights. For example, with standard user privileges, we can query the Active Directory and learn the network topology, map out users and group membership, and also see what privileges users have within the network. We can see their last login time, where they logged in to, and with what privileges.
At this point, we can build a map of the network and create an attack path. During these simulations, we ideally only target internal resources that can either help us escalate privileges or that have the access to the “crown jewel” we’re after – whether it’s financial, intellectual property or something else.
In Windows environments, AD contains a lot of useful information. Even if my “crown jewels” aren’t in the Windows environment, user group and system information can be extremely helpful in mapping out the most direct attack path.
Q: What happens after you establish an attack path?
A: Once we have an attack path, we need to start pivoting in the network. Before we can do this, we need to escalate privileges or abuse some sort of inherit trust on the local target. Once we do that, we can start looking for passwords, hashes, SSH keys, tokens, Kerberos tickets, or anything else that we can leverage for pivoting. Credentials are everywhere. Unless you maintain very strict operational security, one remote login can allow me to take over your entire AD forest.
Next, we try to “live off the land” – which means we try to abuse native tools in order to reuse the credentials we’ve found. With every new system we compromise, we repeat the process, which in turn, allows us to gain access to another set of machines, until we’re able to gain domain admin. Once we achieve domain admin, the main goal is to persist and stay hidden in the network until we can reach the “crown jewels.”
Q: How do you stay hidden?
We try to make sure our actions generate the fewest and smallest footprints possible. For example, WMI or PowerShell remoting are much better options during lateral movement because they leave much less forensic evidence than, let’s say, PSexec.
We leverage native tools to avoid defensive tactics. For example, PowerShell gives you access to the entire .NET language, and other built in tools allow you to compile code natively on Windows without introducing external binaries on the system. By avoiding touching disk and injecting into memory, you can make hunting and IR much harder for the defender.
Q: So how can organizations stop this?
A: It’s important for organizations is to have an “assume breach” mindset regarding their security posture. Assume your internal network is as hostile as your external network. One major way organizations can reduce risk is by limiting internal users’ abilities to gather information from AD. In most cases, you can limit what types of information regular users are able to gather. If you can limit what attackers can learn, it’s much harder for them (and us!) to build an attack path.
Additionally, use two-factor authentication everywhere you can. Rotate and randomize passwords on a regular basis to make cracking them time-consuming for the attacker.
Avoid giving standard users local admin rights, make local admin accounts unique, and keep privileged accounts to a bare minimum. By doing that, you’re significantly raising the bar and making lateral movement much harder for the attacker.
It’s also important to understand what is normally running on your network – and create baseline of internal traffic. Without a baseline, you don’t know if what you are seeing is suspicious or not. Lastly block machine-to machine-communication, to the greatest extent possible.
Note: For additional Red Team insights, read CyberArk’s Threat Research blog.