Blog: Red Teaming

Red Team war stories

Ben Ruffell 02 Sep 2019

One

Pen Test Partners Red Team were busy compromising a market data organisation. The value of a Red Team is obviously in the implementations made after the engagement to improve, primarily, the detect control layer of the organisation. So on our daily call with the white team, they asked us to use some more noisey technieques to see if these could be picked up. And, as anticipated, they did pick it up. Or at least, their EDR did.

The problem was the response latency – the process. The technology was doing it’s part, but once the EDR flagged an alert, it took the orgniasation 2 days to triage and escalate. This is where the value of the engagement was delivered.

If the leaked Conti Ransomware Manual has taught us anything, it is that ransomware gangs and their affilates endorse noisy technieques that enable them to achieve their goal, even if they know that they know are going to be picked up by an EDR.

Which says to me that they have had success dong it in the past, most likely because of the problem we discovered – that alerts simply do not get acted on in a timely enough fashion.

That’s why Red Team engagements can deliver value to an organisation – you can improve processes so that people, process, tech are all aligned to maximise resilience to attacks from capable attackers.

Two

As ever, password security is an ongoing challenge for organisations and often a source of compromise during our red team exercises. One of the common issues is a static password created for a new starter, or during a password reset in the event of a forgotten password.

If no enforced change is required by the user after first use of that new password, it’s very common for it to be left. I was blown away to hear from one of our red team operators that a password of ‘Winter2020’ had been guessed on a public OWA instance. The user had started a few months prior and not changed their password, as they hadn’t been forced to. That password had been used for all new starters in the 3 month winter period. That OWA account compromise was the start of a complete ‘breach’ of the organisation.

During another red team exercise, a CISOs domain password was cracked. It simply wasn’t long or complex enough, despite complying with the relatively strong complexity requirements set on the domain.

Make a red teamers life harder by:

  • Enforcing password changes for new starters and after resets
  • Not setting static passwords for new starters, ‘Welcome1’ or similar being very common. Set a unique password
  • Using MFA to help mitigate against weak passwords, but do beware of social engineering for those token values
  • Biometric authentication has potential for domain authentication, though watch out for weak backup PINs and the requirement for a TPM