short intro

What should be the objectives of such a modern internal security assessment in regards to nowadys threats? It surely is not to showcase one’s hacking skills, but to educate the company on how attackers operate, plan, and execute their attacks. The final outcome of the assessment should result in significant learning opportunities for the IT security team, which they can implement immediately after the assessment ends. Depending on the organization’s maturity, they will know how to continue to implement, improve or fine-tune their security processes and defenses. This reaches from eliminating years-long dormant miconfigurations, drastically reducing the attack surface, protecting sensitive assets, and finally improving early detection rates.

pentest

Contrairy to some of my peers in the security community I’m still a fan of the traditional pentest with some modern flavor added. It is astonishing how many clients, despite having multiple security products with all the latest features, were shocked to discover how easily it was to escalate privileges without the use of complex malware, sophistcated tools or command and control frameworks. Given enough time in a network with bad security very trivial attacks can lead to complete take-over of the domain. Security detections have many blind spots and once administrator access is compromised, it is oftentimes already too late to react and the damage is done.

Conducting this newly-flavored pentest to demonstrate that sometimes even a non-technical person can carry out these types of attacks, may already be an eye-opening experience and massive learning for the company. Moving through the network with a low-privilege user, with a malicious goal in mind, even within the limitations set by administrators, is highly effective. However, using readily available exploits or implants in nowadys intranets like we did in the early days of internal security assessments is unlikely to succeed and will be blocked by most antivirus or endpoint detection and response systems.

I still see some benefits, once the domain has been taken over silently, to slowly ramp up the testing noise, to get a feeling on how the organization reacts to alerts, if they can make contextual sense out of them and if those alarms actually arrive in time, and not hours later, as seen many times in multiple engagements.

So needless to say in those types of penetration tests, it is advisable for the company to keep all their security products and logging active, allowing the pentester to see how they respond and addtional give some learning and analysis material for the time after the test.

more modern - purple teams

A purple team engagement is a type of internal assessment that combines the skills and techniques of both red and blue teams to improve an organization’s overall security posture. A red team is typically responsible for simulating real-world attacks and testing an organization’s security measures, while a blue team is responsible for defending against those attacks and maintaining the security of the organization.

In a purple team engagement, the red and blue teams work together to identify and address any vulnerabilities or weaknesses in the organization’s security systems. The red team will attempt to penetrate the organization’s defenses, and the blue team will respond and attempt to mitigate any successful attacks. Throughout the engagement, the teams will communicate and collaborate to identify areas for improvement and develop actionable plans for enhancing the organization’s security. The goal of a purple team engagement is to provide a comprehensive and realistic evaluation of an organization’s security posture and to develop a roadmap for continuous improvement.

Such an engagement can offer additional benefits to organizations that have a stronger foundational security. However, to make the most of this type of assessment, it’s important for the organization to have a dedicated security team, or blue team, in place. Without knowledgeable techy security personell there is a risk of overwhelming clients with security issues and remediation measures that they may not be familiar with, which can ultimately harm the relationship. Unfortunately, in my experience, it is still quite uncommon for companies to have a dedicated threat hunter, let alone an entire security department. It’s essential to keep this in mind when considering a purple team internal assessment.

One of the key goals of purple teaming is to improve detection capabilities. This is achieved by merging the perspectives and expertise of both the offensive and defensive sides of security. Historically, purple teaming was typically conducted after a thorough red teaming engagement, but in recent times, there has been a shift in this approach. Nowadays, it’s becoming more common to perform a purple teaming engagement even without prior red teaming. This shift in approach highlights the importance of combining the strengths of both red and blue teams to provide a comprehensive and holistic assessment of an organization’s security defenses. This also allows for the execution of implants and tactics that simulate real-world attacks, testing both the detection capabilities and the response of the blue team. The primary goal of these engagements is to simulate a realistic intrusion scenario and evaluate the organization’s defenses against potential adversaries.

While evaluating a vendor’s anti-intrusion solutions is not the primary focus of a purple team engagement, those defenses should remain active throughout the engagement. To save time and cost the solutions can be set to alert-only for example. I mention the alert-only mode as it is important to state the obvious that most security solutions, including Anti-Virus (AV) and EDRs, can be bypassed by attackers. Therefore, the general question arises as to whether the client should invest the time and resources to evade their security products or focus on how an attacker might proceed in the event that the solution has already been bypassed, which is also known as assumed breach.

This approach should definately operate under the premise that a successful attack on the organization’s systems has already occurred and the attacker has bypassed its defenses. The purpose of this variant is to simulate a post-breach scenario and evaluate the organization’s ability to detect, respond to, and mitigate the consequences of a real attack.

In an assumed breach scenario, the blue team acts as if an attacker has already gained access to the systems and is attempting to move laterally and exfiltrate sensitive data. The goal is to evaluate the organization’s incident response and incident management processes, as well as its ability to detect movements, interrupt access and contain the breach. The focus is more on evaluating the organization’s ability to respond to and mitigate the impact of a real attack, rather than on testing the efficacy of its security solutions.

red teaming

Mostly if you ask yourself as a company if you need a red team assessment the answer is usually no, unless your infrastructure is exceptionally secure by design and the security team consistently employs proactive threat hunting, and you are constantly evaluating and reinforcing the organizational security processes.

But I want a red team to test our security solutions

Save your money, unless you are willing to spend big bucks and you have the personell to deal with an active intrusion. In a lower budget red-team like assessment a consulting firm will not divert a lot of personell to actively bypass all the protections in place. Such techniques require a lot of time-intensive preparations. Additionally if the price isn’t right no one will spend their precious EDR bypass research on such an assessment, as the risk of having their techniques and implants analysed and signatured is just too high. As a result you will end up (happily) with a lot of detections and might think you are safe, when in reality real-life adversary play in a different league all together. For a couple of millions of ransomware money everyone will risk a burned malware or implant.

A red team engagement, which simulates real-world attacks on an organization’s infrastructure, typically involves a multi-week or multi-month effort, requiring a well-coordinated team with specialized skills. Usually at least 4 different roles are assigned, depending on the scope of the assessment this can be 1 or more persons per role:

  • a team lead or project manager
  • a person responsible for initial access and maintaining this access
  • a person to programmatically bypass security defenses, i.e. a coder
  • a highly skilled operator who compromises systems, moves laterally, executes the mission

The factor of time is also crucial in red team operations. Consider a basic scan for open SMB network shares within an organization’s intranet. Most robust security systems, such as an EDR or IPS, will flag this type of activity as highly suspicious. However, if the same scan is spread out over several days or weeks and blended in with normal daily user network traffic, it becomes much more difficult to detect. Although the end result is the same, it just took the red team operators a couple of weeks to enumerate the internal attack surface.

A dedicated blue team, responsible for defending against these simulated attacks, must be able to effectively respond and counteract the red team’s actions, which can divert important resources and manpower away from their daily tasks. This adds to the overall costs for the client and should be taken into account as well.

Given the complexity and cost of red team engagements, it’s evident that for many organizations, such engagements may not be the best solution for their needs. This is especially true for organizations that lack a dedicated budget and a blue team capable of effectively defending against simulated attacks. As a result, it may be more appropriate for these organizations to consider alternative forms of security assessments, such as a modern pentest or a purple team engagement, until they have met the necessary preconditions to undertake a red team engagement.

that’s it for now, some final words: security is hard, getting owned and cleaning up the mess is harder. Security products are incredible powerful in the hand of skilled people but you should’nt rely on them when you have general bad security. Invest in active dedicated defenders (humans). With every security product you buy, hire a threat-hunter and make the most out of it.

Get in contact if you agree or more importantly if not, I want to hear why. Thanks for reading and see you in the next one.