Red Teaming in the real world
Red teaming is a relatively new type of extended pen testing used to raise the security and governance bar in major corporates, most notably financial service organisations such as banks.
The vast majority of financial services organisations do not reveal the results of their red team exercises, due to the political sensitivity that is involved so SCMagazineUK.com was keen to hear what Dan Solomon, head of cyber risk and security services with Optimal Risk Management had to say about a red team exercise he and his staff recently carried out against a major New York bank.
In a presentation at Counter Terror Expo this week Solomon explained that the main objective of a red team exercise is to stage a series of controlled attacks against the organisation concerned, to demonstrate the failures in all aspects of physical and electronic security, and prepare the business for real world cyber attack scenarios.
"In the New York bank exercise, we looked at all areas, including how APTs work in the real world, the physical security issues and, of course, technical aspects. We attacked all of the banks web, client and mobile applications, as well as infrastructure,” he said.
Through physical infiltration of one building his team planted other USB drives in the banks comms room, and the team gained successful access to the businesses' WiFi antenna - a step that could be `game over' for many organisations, especially since the team also successfully cloned the bank's WiFi, getting staff to log into the rogue access point.
Solomon also made the interesting claim that his team were able to crack the bank's WiFi- encrypted to WPA-2 standards - in about four-and-a-half hours, a process that they repeated at second bank site, so proving the methodology.
In a second building they enticed a guard away from his security post to access the building.
"The bank had a silent alarm, which was ineffective, as our red team was in - and out - in under five minutes," he said, adding that this was not before they were able to infiltrate the network switchboard, and install ‘bugs'.
On the human attack front Solomon and his team engaged in extensive intelligence gathering including on specific individuals, before staging spear phishing attacks.
"This is also allowed us to carry out a waterhole attack using a fake web page," he said, adding that the attack had numerous high-value ‘victims' including some IT staff.
Another avenue of successfully staging phishing attacks against staff was the generation of ‘internal' emails offering them a reward in return for training and recruitment referrals to colleagues. To demonstrate the dangers of social media, a leading SM application was used to ‘connect' with senior executives having spoofed an invitation.
By systematically escalating privileges after their malware had been downloaded, Solomon adds that this team was able to expose admin pages and shell commands, to access and takeover many of the banks more critical and sensitive systems which included asset services, international online services, online account opening, and online banking.
"Then, of course, it was time for some good old-fashioned external network pen-testing to be carried which exposed unencrypted FTP and SIP services" he said.
"By the end of the red team phase, we found that we had amassed around 160,000 vulnerability issues affecting the bank," he added, noting that 370 of these issues were ‘accessible' vulnerabilities and seven were classed as a severe vulnerability, meaning that the vulnerabilities were potentially catastrophic for the bank.
According to Solomon, Optimal Risk's red team exercise against the bank was designed to simulate a real-world test of the company's security, without allowing the staff to be aware their security defences were being probed.
By contrast, in the second phase, the war game was an overt attack designed to exploit the vulnerabilities that the red team had identified, to create a crisis, and assess how the bank dealt with it.
War games, he told his audience, is all about interpreting information, turning it into actionable intelligence, and managing the right response process.
"Once they began to grasp what was happening, we hit them with a new type of attack to force a new situational assessment, and escalate things from a security incident to a full-blown crisis… when their responses start to fail,” he explained.
The key takeout from the war game, says Optimal's head of cyber risk and security, was that it proved the bank's IT team are slow to detect and identify issues, and bring in the right specialist teams, largely owing to issues such as complacency.
“This proved to them that, whilst they were prepared for an attack, they were only prepared for a high probability scenario, and not all possible threats were assessed at the planning stages," he said.
What characterised the early errors was the difference between the way the security team reacted to fundamental surprise and situational surprise situations.
The difference between these two types of surprises, he said, is the example of a man arriving home to find his wife in bed with another guy.
To the husband, he joked, this is a fundamental surprise, whilst to the wife, it was a situational surprise, as she should always be aware of the risk of the husband finding them together.
More seriously, he went on to say, the war game helped the bank's management understand the nature of their situational awareness, and decision-making during an attack, as well as assisting them in developing a blueprint for a complete approach to security.
Once the security plans were developed in response to the red team's recommendations, Solomon says that this then allowed the bank to refine its strategy and create remediation solutions to divert an attack.
"Recognising the causes of failure, the bank worked with us to develop a non-static approach to information security and effective defence," he said, adding that this led to further war games to test their actual responses using new methods.
These remediations included the creation of decoy IT resources, as well as staged content as part of a pro-active defence strategy.
Soloman explained that the bank introduced ‘snares, traps, and hidden code' to expose and deceive the attackers, as well as lead them in the wrong direction, even allowing primary hackers to be fed false data.
The deterrent factor should not be underestimated, he explained, if the attacker attempted to sell the data to a third party, and it proved to be false, the attacker's reputation in the cyber-criminal industry would take a tumble.
"Attackers have egos as well. If their reputation is threatened, or if you make the target to appear difficult to attack, then they will find softer targets," he concluded.