This is a forum dedicated to the Mexican Armed Forces as well as the various police forces and other bodies devoted to Mexico's internal security.


Cyber Warfare: The “Team” in Red Team

Hitman
US Army Major

Posts: 3244
Male
Age: 107
Location: Between Helheim and Muspelheim

Cyber Warfare: The “Team” in Red Team

Post by Hitman on 21/5/2013, 1:48 pm

As the name implies, a Red Team is a team. In the world I live in – information and physical security – it is made up of a variety of experts in different areas. Each member can perform the others' duties, but each one has a specialty and he or she is responsible for it.

I can’t disclose the current team structure, but one team I was part of early on a few years ago was composed of six members: four members doing the actual work (we called them Alphas), one managing (called Six) and the overall commander (called Six Actual). We rotated through the management of the team so each of us would work as an Alpha on some projects or as a Six on others. This way we all learned to manage the team. Six usually would set the initial plan (recon, digital or physical pentests, schedules, etc) but the whole team would have the ultimate word about the plan once more information was gathered.

Our team had people who were experts in: exploit or tool coding, networking, crypto, social engineering and perimeter security. Again, we could all do everything, but some of the Alphas were really good at a specific activity. For example, I am a very good programmer and have experience coding low-level system code and exploits; however, I'm not very good with Python, Ruby or other fast and light languages and scripts. These are needed during an operation to write attack tools, scan tools, exploits, etc. on the run.
We had this guy, whom I'll call Z, who was an expert in this. Whenever we needed a tool that had to scan a webserver or find an FTP server we could use to exfil files while in the field, he would grab his laptop and have the script ready in a matter of minutes. Z was really good at this. Then we had another guy, called Y, who could pick a lock in under 5 seconds or bypass alarm systems with pliers and a voltage sensor; he could map the blind spots of security cameras and provide the best movement plan. We also had X, a gorgeous female hacker who loved to bruteforce passwords and crack codes and protocols. She would usually be our go-to girl for figuring out ways to bypass login screens and prompts, or for analyzing the stuff flowing back and forth on a port belonging to a service we didn't know. Finally we had W, who was a network wiz. He could figure out the way a network was mapped and how the routers, firewalls and other network appliances were set up and configured.
My specialty was social engineering, and finding and coding ways to extract the information once we were in, be it in the form of hidden channels in TCP packets or DNS requests, or by implementing backdoors or trojans that reported back to a server somewhere in the world. I was also in charge of the ever-important C2 part of the backdoors, a piece of software that would allow us to control the penetrated systems remotely from a TOC. Since social engineering was my task and I have a background as a sniper, I would usually be in charge of setting up the infils for our team and having all the contingency plans for the exfil as well; I would spend countless hours in the field sneaking in through different holes.
It was a good team. We worked well together and we had fun doing it.


by Uri
Former recon and sniper turned red team and disruptive digital warfare expert.


Read more: http://sofrep.com/7978/cyber-warfare-the-team-in-red-team/#ixzz2TxEu2JHC


___________________________________
"In my dreams I hear again the crash of guns, the rattle of musketry, the strange, mournful mutter of the battlefield"
Douglas MacArthur

Re: Cyber Warfare: The “Team” in Red Team

Post by Hitman on 21/5/2013, 1:51 pm

Offensive Information Warfare and Red Teams

It's 0100. The moon sits high in the sky over the target's facility. Four men dressed in BDUs and gear are sneaking in along the tree line, about 50 meters outside the building's outer perimeter fence, pausing occasionally to peer through night vision monoculars and scan the perimeter. They make it to the final penetration position.

One of the men keys a mike and relays their position to the TOC (Tactical Operations Center) where another team is ready for the next phase of the operation. This team is comprised of highly skilled digital operators with backgrounds in computer hacking, intelligence, electronics and networking.
They’ve already spent the better part of 2 months preparing the mission’s digital package: digital intelligence gathered via OSINT and direct digital actions (DDA) – in other words, through good, solid network and computer hacking.
They’ve also performed an onsite analysis: they used laptops and highly sensitive antennas to scan for radio frequencies emanating from the target and a good solid recon by observing guard patrol schedules and looking for holes in the perimeter for possible breach points.
They are now ready to execute the next DDA in support of the team on the ground. This digital op will enable the team to bypass the fence’s security and remain undetected.
Suddenly, a patrol vehicle appears near the corner of the building, its headlights coming in directly to the men. The operators freeze. Not a single movement. The vehicle passes, and the men remain undetected.
Minutes later, the men reach the fence’s back gate. They wait. The team at the TOC is busy with their computers. They have full access to the command and control (C2) computers deep inside the bowels of the target. The backdoor they installed not long ago provides a full range of options.
One of the digital soldiers sends a pre-recorded command, and the C2 computer disables the camera and disengages the lock on the fence’s back door. The ground team moves in quietly. The gate is closed and the security features are enabled again.
At around 0200, the operators enter the target’s office, where he – a well known terrorist – plans the next attacks on the free world. Not this time, the operators think. They place the specially crafted explosive device under the chair and leave, undetected.


The story above might seem out of a Hollywood movie, however, it is as close to a real operation as I am allowed to write. The digital operators are part of a special breed of people working for a very skilled red team.
What are Red Teams? They’re the special operation forces of the security industry. They are composed of highly skilled individuals hired by clients (government and private) to break into their own networks and physical security. These guys find the security flaws so they can be patched before someone with malicious plans can sneak in.
The DoD defines them as an organizational element comprised of trained and educated members that provide an independent capability to fully explore alternatives in plans and operations in the context of the operational environment, and from the perspective of adversaries and others.
You can read more about Red Teams in:
Inside NSA Red Team Secret Ops With Government’s Top Hackers
Anatomy of a Red Team Attack
Red Teams can be used to support SOF units as intelligence gathering elements. They can also be used to augment those units by providing digital and comm support and running digital operations (DO) to make the operators on the ground more efficient.
In past operations where my team was involved, we supported those units in two different phases.
We provided the initial digital recon of the target, including inside information about sentry schedules, the different access routes (those that were locked during the night hours and those that were open but monitored), the number of personnel inside the facility at different times of the day, hardware and software information, a complete site casing including detailed sketches based on the design blueprints extracted from a computer, and a week's worth of daily activity logs, hour by hour.
We also acted as a direct action support team, providing real time information about what the target was doing inside the premises, location of sensitive computers, disabling alarms and other security features in real time, etc.
All that information was carefully analyzed and compared with the intel gathered by the unit’s own intel guys and was found either at the same level or, in most cases, more accurate.
The guys on the ground went in having a clear image of what to expect on the site and what to look for once they were inside the building.
Another type of operation the Red Teams can run is the DDA. Direct digital action ops are what people today refer to as "cyber-battles." The digital operators study the targets, prepare their weapons (a weaponized PDF, a website containing malicious code, a backdoor ready to be dropped into the target's system by hiding it inside another program, etc.) and perform the attack. Attacks can disrupt the ability of the target to reach the Internet or communicate with their people; they can destroy their backends and frontends (software); they can spread false information and generate chaos, and they can bring the whole enemy operation to a halt.
Digital warfare, also known as cyber warfare (although I don't like to use that term), is increasing in tempo. Governments are realizing that future battles are going to be fought in both the real and the virtual worlds.
Red teams can help, if only by pointing out the weak spots in our own defenses.


Read more: http://sofrep.com/7642/information-warfare-red-teams/#ixzz2TxFl8bzU



Re: Cyber Warfare: The “Team” in Red Team

Post by Hitman on 21/5/2013, 1:59 pm

A Team Effort

A red team is, like its name states, a team. This is a great thing since each member brings his or her own experiences into the mix. Each member of the team has a specific area that he or she is responsible for. These are usually based on the knowledge of that particular person and on his/her personality.

Yes, personality plays a huge role here. For example, not everyone is comfortable with physical security breaches, social engineering or writing attack codes on the fly. If a team member is not an expert in coding the initial exploit, they will usually be the one calling the target and causing her to run the exploit. Although we are masters of our specific sectors, we can do work in other areas as well. We all know how to code and also understand the basics of digital and physical security. However, some of us are experts in these areas and we often take the lead when a related operation comes along.

Still, the success of a project or operation is a team effort, always. Their combined knowledge and ridiculous thinking are key.
During one project, we had two guys in the field trying to assess the personal security of a large corporation’s C-level executives while they were abroad. They were working with limited equipment and relied on us, the guys back at HQ, to help them through the project. These were two of the most capable hackers and security experts I know. Although both had years of experience (one of them being a former SOF operator), they knew that they would need help from the team to successfully complete the op.
The executives stopped at a local cafe to have breakfast like they did every morning. One of the execs opened his laptop and began checking the news. When the guys from the team started scanning, as we usually do on public networks, they immediately noticed someone performing a vulnerability scan on the executive’s computer. This is easy to spot if you have a sniffer running on the network. Now, they could have assumed it was one of those ‘target of opportunity scans.’ Given who these executives were, the country they were in and based on past experience, the guys decided that this was likely a targeted attack. They called us back at HQ and requested that we begin coding a backdoor for the exec’s computer. They also sent us the results of their own vulnerability scan.
The project went from being an assessment about the personal security of the execs, to a digital VIP protection operation.
The idea was to breach the VIP’s computers ourselves. We would then install a backdoor and monitoring program before the attackers had a chance to infiltrate the system. This would allow us to detect the attacker’s identity. Hard to do, but sometimes it works.
Given that we didn’t want to alert our customer yet, “Y”, the master exploit coder, immediately started reviewing the scan. Meanwhile, I began to configure a computer so that it would have the same specs of the executive’s: same OS, same apps, etc. Once this was done, I wrote a program that would eventually be installed on the attacker’s computer if we could send them the code.
The program was complex. It was one that needed to crawl an unknown network, save the attacker’s data (such as IP, domain info, OS, etc.) and find a way out while extracting the data in a way that would not alert the attackers. Right… Hey, that’s what we do. We had about 7 hours to do this, taking into account the time difference between the exec’s location and HQ.
With "Y"'s code and mine tested in less than 6 hours, we sent the package to the guys deployed: an attack code that would exploit a vulnerability in the OS and install a backdoor. The backdoor would then download the counter-surveillance code from the execs' computer. I wrote it with the hope that if the attackers managed to breach the computer, we could then piggy-back onto the connection, leading us to the bad guys' computers.
In the meantime, we called our client’s security department and updated them on the development. We wanted to make sure the execs didn’t have any sensitive data on their laptops. They corroborated that the two executives did not have any proprietary information (as per our advice to people traveling to this part of the world). They also gave us permission to install the backdoor on the execs’ computers. It was easier this way. We then forwarded this information to the guys on the ground.
The rest of us went to sleep while “D” stayed at HQ to monitor the situation.
70 minutes later, “D” came to wake me up – I was napping in a sleeping bag in my office. He said: “We have movement.”
It was on.

When “D” and I entered the TOC, “Y” was already there talking with the two guys on the ground. They followed the execs that morning and again they stopped at the cafe. This time they were ready with a control inside the execs’ computers. A few minutes later, one of the principals opened his laptop and connected to the cafe’s WIFI network, and the attackers were on it like flies. The team members were also running a sniffer. The combination of the sniffer and the monitoring software provided us with real-time info on what the attackers were trying to do. We saw that they had run an exploit and gained access to the computer.


Once their backdoor was installed, they connected back to a listener, or C2, computer. A listener is a program that accepts connections from a backdoor. The simple ones are usually a terminal running Netcat, while the more complex ones allow the bad guys to send commands to the backdoor via different channels and protocols. We were ready for this. As soon as the backdoor made its first connection we were able to detect it. We saw that the bad guys immediately began scanning the computers. We had several Word documents and PDFs weaponized and ready to be picked up by them. They had names and content that would be too juicy to not copy them. And they did.
Their backdoor used plain, cleartext HTTP requests to exfil the data. I can only assume they did this because it was the initial breach on a public network, and that they would eventually switch to a stealthier piece of attack code. It worked out well because our sniffer was able to record this and they copied our files. We also sent our own HTML request containing a download link to the attack code we had prepared for them. We saw it getting picked up by the bad guys.
At the TOC, “D”, “Y” and I were ready with the listeners in case our backdoor began transmitting. I called the security officer at our client’s offices and gave him a SITREP – one of many to follow.
The execs finished their coffee and continued on their way to the local office. The security people from our customer called them a few minutes later explaining what happened and that they should not connect those laptops to the corporate network.
Meanwhile, we saw no activity on the listeners we had at the TOC. For the next 2 hours we had nothing. But then a shell opened on one of the listeners. Great!
Now the project had gone from a security assessment, to a digital VIP protection, to a full on offensive digital intelligence gathering. We were asked by our customer to see who these people were and to extract as much intel as we could.
Now we were having fun!
We each took turns with the listener’s shell. The first thing we did was install another backdoor that was different from the first. This was done for redundancy: if the first one gets compromised and blocked, we would still have a way in. If these guys were good, they would eventually notice the first backdoor. It was using UDP and DNS requests to send the data back to us. Although it was slow, it still was fast enough for us to have almost real-time access to the computer. The second backdoor was more complex and provided actual real-time access. It had several levels of crypto and the capability to perform complex automated searches for files, network nodes, etc.
“D” focused on getting as much information as he could about the nature of the group: IP addresses, routing tables, system domains, computer names, etc. Since this information can be obtained by using simple OS commands, it was the first thing we did. Afterwards, “Y” configured the new backdoor to hide our presence a bit more. Then it was my turn. Based on the previously collected data, I was in charge of finding the best way to perform the network recon.
After another SITREP to the customer and a quick conference call with the guys on the ground, we decided to leave everyone in place and continue following the execs – who were now aware that they were being followed. They kept their cool and played along in order to not tip off the attackers.
We set the recon and let the backdoor loose. The crawler module would try to find the requested information and send it back to us.
In the meantime, our first backdoor was killed. I don’t know whether this was because the attackers had found it or because they were blocking UDP. It didn’t matter, we still had a second one that would be very difficult to find and block – well, unless you disconnect the computer from the network. This one had several ways to send the information; using different protocols or by injecting itself into other applications already connected to the internet.
With that set up, we went to work on the data that was initially collected. Meanwhile, the guys on the ground were getting ready for a full on SDR to see if they could detect the attackers following the principals.


Read more: http://sofrep.com


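Two things in the third post are worth seeing in code: the "vulnerability scan on the executive's computer" that the team's sniffer spotted on the cafe network, and the first backdoor that shipped data out "using UDP and DNS requests" (the same "hidden channels in ... DNS requests" the first post mentions). The block below is an added example, not code from Uri, SOFREP or this forum. It builds a small DNS-query exfil channel (base32 chunks as subdomain labels) so there is realistic traffic to look at, then runs two sniffer-side detections over constructed packet records: one flags a source touching many distinct ports on a host in a short window, the other flags a client sending long, high-entropy labels under one zone. The hosts, the zone `cdn-metrics.example`, the secret text and every threshold are constructed for the example.

```python
import base64
import math
from collections import defaultdict

# Constructed hosts and data; nothing here comes from a real operation.
VICTIM = "10.0.0.23"                    # the executive's laptop
SCANNER = "10.0.0.77"                   # another client on the cafe WiFi
RESOLVER = "10.0.0.1"                   # the cafe's DNS resolver
TUNNEL_DOMAIN = "cdn-metrics.example"   # attacker-controlled zone
SECRET = (b"Q3 board minutes: acquisition target is Northwind Ltd, offer $412M, "
          b"announcement 14 Nov. Legal counsel: Kramer & Wolfe. Keep it off "
          b"corporate mail until signed. Contact jsmith, ext 4471. Escrow at "
          b"First Meridian; wire routing confirmed via treasury. Do not forward.")


def dns_tunnel_queries(data, domain, label_len=50):
    """Client side of a simple DNS exfil channel: base32 (hostname-legal
    characters only), cut into labels under 63 chars, each query prefixed
    with a sequence number so the server can reassemble out-of-order queries."""
    enc = base64.b32encode(data).decode().rstrip("=").lower()
    chunks = [enc[i:i + label_len] for i in range(0, len(enc), label_len)]
    return ["%d.%s.%s" % (i, chunk, domain) for i, chunk in enumerate(chunks)]


def dns_tunnel_decode(queries, domain):
    """Server side: order the chunks, restore base32 padding, decode."""
    parts = {}
    for q in queries:
        seq, chunk, rest = q.split(".", 2)
        if rest == domain:
            parts[int(seq)] = chunk
    enc = "".join(parts[i] for i in sorted(parts)).upper()
    return base64.b32decode(enc + "=" * (-len(enc) % 8))


def detect_scans(packets, window=10.0, min_ports=20):
    """Flag a source that touches many distinct ports on one host inside a
    short window: what a port/vulnerability scan looks like on the wire."""
    seen = defaultdict(list)              # (src, dst) -> [(ts, dport)]
    for ts, src, dst, proto, dport, _name in packets:
        if proto in ("tcp", "udp"):
            seen[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), hits in seen.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append((src, dst, len(ports)))
                break
    return alerts


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def detect_dns_tunnel(packets, min_queries=6, min_label_len=30, min_entropy=3.0):
    """Flag (client, zone) pairs whose queries carry long, high-entropy labels.
    Encoded data looks nothing like the short host names of ordinary lookups.
    The thresholds are assumptions chosen for this example, not tuned values."""
    per_zone = defaultdict(list)          # (src, zone) -> [longest label]
    for _ts, src, _dst, proto, _dport, name in packets:
        if proto != "dns":
            continue
        labels = name.split(".")
        if len(labels) < 3:
            continue                      # bare "host.tld" carries nothing
        zone = ".".join(labels[-2:])
        per_zone[(src, zone)].append(max(labels[:-2], key=len))
    alerts = []
    for (src, zone), longest in per_zone.items():
        hits = [lab for lab in longest
                if len(lab) >= min_label_len and shannon_entropy(lab) >= min_entropy]
        if len(hits) >= min_queries:
            alerts.append((src, zone, len(hits)))
    return alerts


def sample_packets():
    """Constructed sniffer output: (ts, src, dst, proto, dport, dns_name)."""
    pkts = []
    for i, name in enumerate(["www.example.com", "news.example.net",
                              "cdn.assets.example.com"]):   # ordinary browsing
        pkts.append((100.0 + i, VICTIM, RESOLVER, "dns", 53, name))
        pkts.append((100.5 + i, VICTIM, "93.184.216.34", "tcp", 443, ""))
    for i, port in enumerate(range(20, 50)):                 # 30 ports in 3 s
        pkts.append((110.0 + i * 0.1, SCANNER, VICTIM, "tcp", port, ""))
    for i, q in enumerate(dns_tunnel_queries(SECRET, TUNNEL_DOMAIN)):
        pkts.append((120.0 + i, VICTIM, RESOLVER, "dns", 53, q))
    return pkts
```

`detect_scans(sample_packets())` reports the scanner hitting 30 ports on the laptop, and `detect_dns_tunnel(sample_packets())` reports only the laptop's queries under `cdn-metrics.example`; the browsing lookups stay quiet because their leftmost labels are short. The post's remark that the DNS backdoor was "slow" follows from the encoding: roughly 50 base32 characters, about 31 bytes of payload, per query. Its later death "because they were blocking UDP" is the other weak spot of this channel, which is why the second backdoor described in the post carried several protocols.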