The white and red teams define goals that align with the business's risk scenarios.
The blue team is usually not informed about the exercise at this stage, since the point is to observe its natural response to what looks like a real attacker.
The red team gathers as much information as they can about the bank, including:
- Technologies in use
- List of employees
- Information on social media
- Photos
- Any other usable information...
Threat intelligence sources are also used to check for APTs targeting similar companies, to get a better grasp of the TTPs and tools they use. As an example of a group known for targeting banks, check the public reporting on Carbanak.
With all the information at hand, the red team will create a plan that includes several TTPs that fit the target and get it approved by the white team.
The red team starts the engagement by emulating a phishing campaign against a list of emails they made, based on employees' names found on LinkedIn and a detected pattern in their email addresses.
The phishing campaign was detected, and the blue team emailed all employees to warn them of the ongoing threat. This still allowed the attack to carry on: there was no process in place to check for possibly infected PCs, or to purge copies of the malicious email from users' inboxes.
The blue team's warning:

Subject: Phishing alert!
From: Blue Team <[email protected]>

To all employees,
please avoid opening any email with subject "Account Suspended!!!", as it is part of an ongoing phishing scam.
Remember that we won't ever ask you for your credentials via email.

An unrelated email sitting in the same inbox:

Subject: Cyber Security Training

Hello all,
Remember to attend the cyber security training on Monday at 10h00. See you there!
Ben

The red team's phishing email (typos as sent):

Subject: Account Suspended!!!

you're account is being suspended due to compromised password... TO avoid suspension please login to the following link ASAP:
http://hr.bankk.example.com
HR Dept.
The red team found missing Windows patches on BOB-PC; one of them allowed PrintNightmare exploitation.
The available public exploit was detected by many AV solutions, but AV evasion techniques were successfully applied to avoid triggering any alarms, and SYSTEM privileges were obtained.
The red team was then able to upload and run a modified mimikatz to extract local password hashes, including the hash of a local administrator account named "Backups".
The red team used a Pass-the-Hash attack against all hosts on the network to check whether the "Backups" user could log in elsewhere. No direct connection could be made to the DB server, as firewall policies were in place to prevent it.
After some additional recon, a workstation called DBA-PC was identified. Using Pass-the-Hash, DBA-PC was compromised and used as a pivot to connect to the DB server.
The Pass-the-Hash attempts triggered many alerts on login attempts by the user "Backups", but the blue team dismissed them, mistaking them for a batch backup process that runs monthly.
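The alerts the blue team dismissed are exactly the kind that a small correlation rule can separate from a scheduled job: a backup account logs on from one known server to a couple of hosts once a month, whereas a Pass-the-Hash sweep logs the same account on from a workstation to many hosts within minutes, with a mix of successes and failures. The following Python is an added example, not part of the original exercise material. The event IDs (4624 successful logon, 4625 failed logon) and logon type 3 (network logon, what an SMB-based Pass-the-Hash attempt produces on the target) are real Windows Security log values; the hostnames, addresses, timestamps and the "expected source" allowlist are constructed assumptions for the scenario.

```python
"""Flag a Pass-the-Hash sweep in Windows logon events while leaving a
scheduled backup job alone. Added example; sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log events, reduced to the fields the rule
# needs. id 4624 = successful logon, 4625 = failed logon; logon_type 3 =
# network logon. Hostnames and addresses are assumptions for the scenario.
SAMPLE_EVENTS = [
    # The legitimate monthly backup job: one source, two targets, 02:00 on the 1st.
    {"time": "2023-06-01T02:00:03", "id": 4624, "account": "Backups",
     "target_host": "FILE-SRV", "logon_type": 3, "auth": "NTLM", "source_ip": "10.0.0.5"},
    {"time": "2023-06-01T02:00:04", "id": 4624, "account": "Backups",
     "target_host": "FILE-SRV2", "logon_type": 3, "auth": "NTLM", "source_ip": "10.0.0.5"},
]
# The red team's sweep from BOB-PC (10.0.5.23): same account, unexpected
# source, six targets inside one minute, most of them failing.
SAMPLE_EVENTS += [
    {"time": f"2023-06-14T10:31:{i * 10:02d}",
     "id": 4624 if host in ("DBA-PC", "HR-PC") else 4625,
     "account": "Backups", "target_host": host, "logon_type": 3,
     "auth": "NTLM", "source_ip": "10.0.5.23"}
    for i, host in enumerate(["ALICE-PC", "HR-PC", "DBA-PC", "FIN-PC", "WEB-SRV", "PRINT-SRV"])
]

# Assumption: the backup server is the only host that should ever use "Backups".
EXPECTED_SOURCES = {"Backups": {"10.0.0.5"}}


def find_lateral_movement(events, window=timedelta(minutes=5), fanout=5,
                          expected_sources=EXPECTED_SOURCES):
    """Return one alert per (account, source_ip) that either logs on from a
    source not on the allowlist for that account, or reaches at least `fanout`
    distinct target hosts within any `window`-long period."""
    by_origin = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != 3 or ev["id"] not in (4624, 4625):
            continue
        by_origin[(ev["account"], ev["source_ip"])].append(ev)

    alerts = []
    for (account, source_ip), evs in by_origin.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
        reasons = []
        if source_ip not in expected_sources.get(account, set()):
            reasons.append("logon from a source not expected for this account")

        # Sliding window over the sorted events: largest set of distinct
        # target hosts seen within `window`.
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        start, max_hosts = 0, set()
        for end in range(len(evs)):
            while times[end] - times[start] > window:
                start += 1
            hosts = {e["target_host"] for e in evs[start:end + 1]}
            if len(hosts) > len(max_hosts):
                max_hosts = hosts
        if len(max_hosts) >= fanout:
            reasons.append(f"{len(max_hosts)} distinct hosts within {window}")

        if reasons:
            alerts.append({
                "account": account,
                "source_ip": source_ip,
                "hosts": sorted(max_hosts),
                "failed": sum(e["id"] == 4625 for e in evs),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_lateral_movement(SAMPLE_EVENTS):
        print(f'{alert["account"]} from {alert["source_ip"]}: '
              f'{len(alert["hosts"])} hosts, {alert["failed"]} failures')
        for reason in alert["reasons"]:
            print("  -", reason)
```

Two independent signals are combined on purpose. The allowlist catches the single logon that a quiet attacker would make from one unexpected host, and the fan-out threshold catches a sweep even for accounts nobody thought to put on the allowlist. The backup job in the sample produces no alert at all, which is the point: tuning the threshold and the allowlist against the real monthly job is what would have let the blue team distinguish the sweep from it instead of dismissing both.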
Once the exercise is finished, the red, white and blue teams meet to discuss how to improve the bank's security.
Although we are focusing on the specific TTPs that allowed the red team to reach its objective, a real-life engagement will usually include failed attempts as well. Those "failed" attempts can still provide useful information for the exercise. Suppose, for example, that you ran brute-force attacks against the DB server and never obtained valid credentials. It is still worth checking at the end of the engagement whether the blue team detected the attack.
Also, remember that many things may take unexpected turns during the engagement. Clear communication between the red and white teams is vital for making the decisions that keep the exercise on course and avoid conflicts at the end of the road.