THM | Red Team Fundamentals
Red Teaming | Red Team Fundamentals | Summary:
The aim of this room is to provide an introduction to the basics of red team engagements, their components, and the stakeholders involved.
It also explains the main distinctions between red teaming, vulnerability assessments, and penetration testing.
Disclaimer: Please note that this write-up is NOT intended to replace the original room or its content, but rather to serve as supplementary material for those who are stuck and need additional guidance. This walkthrough provides one of many possible solutions to the challenges, without revealing any flags or passwords directly.
Learning Objectives
- Learn about the basics of red team engagements
- Identify the main components and stakeholders involved in a red team engagement
- Understand the main differences between red teaming and other types of cybersecurity engagements
Task | 1 | Introduction
In the ever-evolving landscape of cybersecurity, conventional methods like vulnerability assessments and penetration tests are essential but may fall short in preparing for real-world cyberattacks. This room highlights the need for more specialized approaches, such as red team engagements, which simulate attacks to help organizations enhance their response strategies.
Red teaming involves creating a controlled environment where a simulated attack is conducted to test an organization's resilience and readiness. This process helps identify gaps in defense mechanisms and improves the ability to respond to actual cyber threats.
Question 1: Click to continue to the next task
No answer needed
Task | 2 | Vulnerability Assessment and Penetration Tests Limitations
The evolution of cybersecurity assessments includes three primary methods:
- Vulnerability Assessments | These are the most basic form of security assessment, focusing on identifying vulnerabilities in individual systems across a network. Automated tools and less technical expertise are often used to maximize efficiency.
- Penetration Tests | Building on vulnerability assessments, penetration tests expand by exploiting identified vulnerabilities and assessing potential impacts on the network as a whole. This process allows for understanding how an attacker might move within the system and pivot between hosts, enhancing insights into potential security weaknesses.
- Red Team Engagements | Addressing limitations in conventional methods, red team engagements simulate advanced persistent threats (APTs) to assess organizational preparedness against real-world attacks. These simulations are often more realistic than penetration tests, as they focus on undetected access and prolonged persistence, mimicking the actions of sophisticated attackers.
These assessments collectively aim to enhance network security by identifying vulnerabilities, understanding potential exploit impacts, and preparing for more advanced threat scenarios.
Question 1: Would vulnerability assessments prepare us to detect a real attacker on our networks? (Yay/Nay)
Nay
Question 2: During a penetration test, are you concerned about being detected by the client? (Yay/Nay)
Nay
Question 3: Highly organised groups of skilled attackers are nowadays referred to as ...
Advanced Persistent Threats
Task | 3 | Red Team Engagements
Red Team Engagements are a specialized cybersecurity exercise designed to enhance an organization's ability to detect and respond to real-world cyber threats. These engagements complement traditional penetration tests by focusing not only on preventing attacks but also on improving detection and response capabilities.
- Purpose of Red Teams | Simulate the behavior of sophisticated threat actors to test how effectively an organization can identify and counter these threats. This mirrors military exercises where a red team assesses the reaction capabilities of a blue team, aiding in the improvement of security controls.
- Goals | Clearly defined objectives, often referred to as "crown jewels" or flags, such as compromising specific systems or stealing sensitive information. The blue team is unaware of these goals during the exercise to avoid analysis biases.
- Stealth and Evasion | Red Teams operate undetected, evading security mechanisms like firewalls and antivirus software, focusing on minimal interaction with network hosts to avoid detection.
- Multiple Attack Surfaces | Extend beyond traditional penetration tests by exploring:
- Technical Infrastructure | Discovering vulnerabilities while emphasizing stealth.
- Social Engineering | Manipulating individuals through deception.
- Physical Intrusion | Exploiting weaknesses in physical security measures.
- Conducting Exercises | Engagements can be conducted in various ways, such as Full Engagement (simulating a complete attack workflow), Assumed Breach (starting from an existing compromise), or Table-top Exercises (theoretical scenario evaluations).
- Objective | The primary goal is to enhance the organization's readiness by providing insights into improving detection and response strategies, rather than defeating the blue team.
In essence, Red Team Engagements provide a realistic training environment for defenders, enabling them to better prepare against real-world cyber threats.
Question 1: The goals of a red team engagement will often be referred to as flags or...
crown jewels
Question 2: During a red team engagement, common methods used by attackers are emulated against the target. Such methods are usually called TTPs. What does TTP stand for?
Tactics, techniques and procedures
Question 3: The main objective of a red team engagement is to detect as many vulnerabilities in as many hosts as possible (Yay/Nay)
Nay
Task | 4 | Teams and Functions of an Engagement
Note: Make sure to check out the Red Team Guide website, it's a fantastic resource.
A red team engagement is organized into three main cells, each with distinct roles contributing to the success of the exercise:
- Red Cell | The offensive component simulates attacks to challenge and test the defensive capabilities of the Blue Cell.
- Blue Cell | Consists of the defenders, internal staff, and management who protect the network against the Red Cell's attempts.
- White Cell | Acts as the referee: it controls the engagement environment, enforces the rules of engagement (ROE), coordinates activities between the Red and Blue Cells, and watches for bias or unfair practices. Trusted agents (client staff who know the engagement is taking place) are considered part of the White Cell.
Hierarchy Within the Red Team:
- Red Team Lead | Oversees the entire engagement, delegating tasks to the Assistant Lead and operators. They plan and organize the operations, ensuring alignment with strategic goals.
- Red Team Assistant Lead | Assists the Lead by overseeing operations and can contribute to writing engagement plans and documentation. They support in managing team members' assignments.
- Red Team Operator | Executes specific tasks assigned by the Lead and Assistant Lead, interpreting and analyzing engagement plans as needed.
Each organization may structure their red team according to specific needs, adapting roles and responsibilities to suit their objectives and organizational structure.
Question 1: What cell is responsible for the offensive operations of an engagement?
Red Cell
Question 2: What cell is the trusted agent considered part of?
White Cell
Task | 5 | Engagement Structure
Quote: "Below is a small list of standard cyber kill chains."
The Lockheed Martin Cyber Kill Chain is a widely used framework for structuring and understanding cyberattacks. Red teams use it as a standardized model for adversary emulation, structuring an engagement around the stages a real adversary would go through.
Components of the Cyber Kill Chain
- Reconnaissance | Gathering information about the target, such as through emails or open-source intelligence (OSINT).
- Weaponization | Combining the objective with an exploit to create a deliverable payload, like a malicious backdoor or office document.
- Delivery | The method used to distribute the payload, such as via email, web, or USB.
- Exploitation | Exploiting vulnerabilities in the target’s system, using techniques like EternalBlue or Zero-Logon.
- Installation | Installing malware or tools on the compromised system, utilizing software like Mimikatz or Rubeus.
- Command & Control | Establishing communication with compromised assets from a remote central controller, often through tools like Empire or Cobalt Strike.
- Actions on Objectives | Achieving the specific objective of the attack, such as ransomware deployment (e.g., Conti, LockBit 2.0).
This framework provides a structured approach for both red and blue teams to analyze and mitigate cyberattacks, offering clarity and organization in understanding the progression of an attack.
Question 1: If an adversary deployed Mimikatz on a target machine, where would they be placed in the Lockheed Martin cyber kill chain?
Installation
Question 2: What technique's purpose is to exploit the target's system to execute code?
Exploitation
Task | 6 | Overview of a Red Team Engagement
Question 1: Click the "View Site" button and follow the example engagement to get the flag
<flag>
The Cyber Kill Chain maps cleanly onto the example engagement, but the exercise adds a step before it: Planning the Engagement.
The kill chain phases then follow in order.
Step-1 | Reconnaissance (recon) | Gathering intelligence on the target, which sets the foundation for every later action.
Steps 2 and 3 | Weaponization and Delivery | Combining the objective with an exploit, here a malicious attachment, and sending it to the target user in a phishing email so that the payload is received.
Steps 4 and 5 | Exploitation and Installation | Using local exploits on BOB-PC (Bob's computer) to elevate privileges and reach restricted areas, then installing tools on the compromised host and dumping password hashes.
Steps 6 and 7 | Command & Control and Actions on Objectives | Using the dumped credentials to move laterally and establish a connection to the target, which in this example is the final objective: communication with and control over the target.
Lastly, we finish with the Reporting and Analysis phase of the exercise and grab the provided FLAG.
Task | 7 | Conclusion
Question 1: Read the above and continue learning!
No answer needed