How a Red Team Attacks a Target

– Yeah, so engagements
that we have always done, as I said, you know, were very long, so think six month plus. It would be typical for
us to spend the first 14 to 30 days or so just doing
reconnaissance and surveillance, so getting an idea of
what is the life cycle, what does the pattern of life look like for the organization that
we’re working against. So things like discovery of
all the assets, first stage, reconnaissance, discovery
of all the people, and then observation of are
there things coming up and down. What’s the rate of change? Can I measure things like
how long is a patch cycle? So if Patch Tuesday would
come along or something and you can observe a
change to a perimeter system like an IS server or something, you could try to measure those things. So early stage, we start
very, very hands off. And then once we start doing that, we basically stack rank all
of the assets that we can find on a client’s perimeter, and that would be both technical
infrastructure and people. You say, well what is
an attack that I think in this organization is
likely to be successful? What do I wanna go after first? Where do I start doing research or what do I start poking at? Obviously if I already have
exploit for vulnerability that’s on the perimeter,
then I can just go after that and I might just try it, see what works. And a lot of times, on the Red Team side, we look at individual
vulnerabilities or weaknesses as a nugget that might
provide us useful information. So we might do a spear phishing campaign very early in an engagement
solely for the purpose of collecting information
about the target, but without any real
malicious payloads involved. Right, so just get whatever
information we can get. And then we kinda go low and slow, right, just take our time until we
see something that looks good. But as soon as we get any sort of foothold inside the organization,
the whole pace shifts and we go from low and slow
to move as quick as we can to get our job done.

Leave a Reply

Your email address will not be published. Required fields are marked *