APT Red Teams – Part 1
January 8, 2014 10 Comments
APT Red Teams – Part 1
APT Red Teams – Part 2
APT Red Teams – Part 3
How do you prevent an APT? The APT Red Teams blog defines core components used by successful red teams and proposes an approach for categorizing and implementing red teams to enable continuous improvement and optimization from counter-intuitive sources and help mitigate advanced threats.
Advanced Persistent Threats (APTs) initiated by an ever growing population of highly capable cyber criminals who are focused, determined and, stealthy are an ever increasing risk. While many organizations have the basic tenets of security in place and regularly test their industry standard best-practice procedures, they are caught off guard by exposed vulnerabilities, risks and threats not previously identified and formally escalated to resolution.
A Red Team approach provides a proven method of risk analysis which uncovers risks and quickly adapts to real world approaches taken by adversaries.
There are many parallels between APT and Red Teams. APT advances on a continuous area of attack because technology is ubiquitous, constantly being implemented and refreshed, and often contains new un-realized flaws as soon as it is implemented. Information security must find a way to leverage the similarity of Red Team services and APT to protect against this new threat much like DevOps and fast-track developer sprint cycles.
What is a Red Team?
A Red Team is typically an independent internal or 3rd party group that challenges an organization to validate and improve its effectiveness. The testers assess organization security, often unbeknownst to IT security staff. This type of Red Team provides a more realistic picture of the security readiness than exercises, role playing or announced assessments. The Red Team may trigger active controls and countermeasures within a given operational environment and both validate security defenses as well as the ability to detect and respond by Security Operations resources (either in-house, co-sourced or 3rd party managed).
Red Team Scope
In order to succeed the Red Team needs to be an “authorized, adversary-based assessment for defensive purposes.”
- Authorized –
- A Representative with legal control of the facility, system, or entity to be red teamed has agreed to the process
- Adversary-based –
- Activity is centered around what would one or more adversaries do if they were attacking the target
- Take into account the adversaries’ knowledge, skills, commitment, resources, and culture = finite
- Assessment –
- Comparison of the capability maturity and state of the target with respect to actions by the adversary and the ability to detect, contain, respond
Ideally Red Team assessments should be performed throughout the infrastructure and system lifecycle but especially in the design and development phase where cooperative Red Team assessments cost less, and critical vulnerabilities can be uncovered and mitigated more easily. Many organizations use Red Teams to validate a new service or production platform pre-deployment.
Red Team assessments are a flexible tool that program managers and sponsors use to identify critical vulnerabilities, understand threats, deliver effective and secure components, systems, and plans … and consider alternative strategies and courses of action.
Red Team Value Proposition
Red teamers are different from regular security personnel. They take a fresh approach to provide creative, and/or apply concepts in new ways to determine what information is valuable.
The general objective for a successful Red Team is to present a safe, but real world example of infiltration and data breaches, and identify what information is vulnerable based on threat scenarios. They will then evaluate the usefulness of the information to an adversary. Some typical strengths of successful Red Teams, but not other security professionals, are:
- Uncover low hanging fruit missed by regular or current procedures
- Uncover temporal risks
- Inform the Defense and/or Response Teams
- Redefine how to discover adversaries or indicators of compromise
- Review high impact targets for potential concerns or threats
- Provide an un-biased opinion (which may conflict with management or audit viewpoints)
- Provide feedback, lessons learned and methods to mitigate risk or improve and fine tune process/procedures
Red Team analysis can also be described as an alternative approach to conventional security reviews. It re-thinks threat analysis by using alternative approaches:
- Creative –
- Think like your enemy, not simply resort to previous audit reports and threat matrices results in new approaches to detection, response, or remediation
- Continual –
- Brings a new mindset and ongoing analysis identifies new risks as well as re-evaluates the evolving threat
- Collaborative –
- Multiple people working on the same problem are able to bring different viewpoints and offer diversity to the team
- Counter-intuitive –
- Red Teams and personnel bring value by finding threats before others know they exist
- Assets previously identified as low risk can be re-assessed by a Red Team
How do you prevent APT?
Most groups suggest a similar approach to Red Team exercises. By using a Red Team it is possible to predict APT threats by analyzing predictive threat intelligence and developing threat scenarios based on the core target infrastructure and critical data and assets. From the threat scenarios canned infections and exploits can be developed and tested to determine and validate if they are blocked, detected, or contained. By gaining an understanding of the enemy it is possible to prevent, detect, isolate or remove them.
Often, exploits used to execute an APT are not particularly advanced or complex. Instead, the APT attacker researches the target and chooses exploits appropriately. As suggested by multiple sources, APT executes similar to Red Teams in that they use the following phases:
- Planning and information gathering,
- Attack and compromise,
- Establish command and control,
- Authorization and credential theft,
- Manual exploitation and information gathering,
- Data exfiltration,
- Maintain presence.
Each phase of an APT attack offers the Red Team a set of test scenarios and a chance for the defense to catch or remove the threat, to evolve the detection and response capabilities and its maturity. While not exhaustive or indicative of a complete security program, consider the following prevention and detection capabilities as basic examples to be used at each phase to prevent, identify, or remove access:
1. Planning and Information Gathering
While no one method can prevent this activity, solid security basics in terms of data classification policy, training, and security awareness may be able to assist organizations and their employees on what information should not be released. This is true especially if the training focuses on real world attacks with a Red Team approach.
Information about internal vulnerabilities is extremely useful knowledge for adversaries and is often disclosed publicly in social media. A company sending out a press release that they just signed a contract with ABC company to provide security is a huge advantage to an attacker.
The APT/Red Team focus on research is on ABC products now. Even if a vulnerability does not exist, it could in the future and information like this should be known by personnel and appropriately safeguarded when possible.
2. Attack and Compromise
Traditional defense mechanisms may help prevent a successful attack. Testing responsiveness to attacks performed by a Red Team which appear as an adversary is an important element of detection and response. Since no patch system can prevent the unknown (or zero day), detection as soon as possible can provide clues into what allowed the access and how it can be removed and prevented in the
A strong security architecture foundation helps a lot, with a Defensible Security Posture together with segmentation using the Adaptive Zone Defense strategy to support rapid Detection, Containment, Response, Investigation, Eradication, Recovery.
3. Establish Command and Control
A typical defense in depth strategy can detect anomalous data points. Also, while an intrusion detection system might be able to spot the traffic, Red Teams can assist in testing and increasing detection capacities, such as outbound traffic analysis or Indicators of Compromise. For more information see the APT Detection Indicators blog.
4. Authorization and Credential Theft
Organizations can prepare against this attack by restricting the opportunities for privilege escalation, reducing account access and regularly changing credentials, leveraging privilege management, role-based access, identity management, multi-factor authentication, and so on. ISO 27001/2 can help a lot as an internationally recognized security best-practice standard (see: ISO 27002 Security Benchmark).
Red Teams test the assumption that unneeded accounts are removed by leveraging unchecked service accounts or privileged accounts given to staff. If access is logged and monitored appropriately, it may be possible to spot anomalous activity. If the defense team did not notice the credential use it may necessary to apply additional information security controls to provide visibility.
5. Manual Exploitation and Information Gathering
Additional information about an attack can be disclosed through logs or other monitoring techniques in line with defense in depth. Red Teams can help create realistic expectations and real world experience of the footprint left in this stage.
Logs indicating successful access are difficult to review appropriately and highlight the importance of identifying an issue before this phase of attack. It is all about developing threat scenarios and sequences of indicators or compromise that can be correlated to detect suspicious or anomalous activity.
6. Data Exfiltration
Performing monitoring of data access could help prevent excessive information harvesting. Red Teams test this stage of protection by executing data exfiltration techniques used by real world hackers. Successful Red Team exfiltration can show information copied to network shares.
Without previously completing a data discovery project, it can be difficult to know exactly where sensitive information exists. Red Teams help show how the information can be gathered and exploited. This can help drive projects which more granularly restrict access and remove unneeded information that has propagated onto open file shares or within the Intranet that is less protected.
7. Maintain Presence
At this point, only advanced methods can detect the intruder unless another indicator becomes more visible, perhaps through another component of defense in depth. Red Teams can often maintain presence for a long period of time without being spotted. However, with training and realistic expectations of how a Red Team could be stopped it is possible to increase the chance of detection and removal of
a persistence presence, see the APT Detection Framework and APT Detection Indicators blogs. There will also be a future blog on Outbound Traffic Analysis to Discover APTs.
In APT Red Teams – Part 1 we have provided an introduction to the concept as well as discussed the scope and how Red Teams can assist in the continuous improvement and optimization from counter-intuitive sources, together with validation of APT defenses by testing the organizations ability to Detect, Contain, Respond, Investigate, Eradicate and Recover.
In APT Red Team – Part 2 we will explore this topic further by discussing how to create Red Teams, roles and responsibilities, risk assessment and, tools and techniques to calibrate and validate detection and response in a continuous improvement cycle.
Thanks for your interest!
Nige the Security Guy.