Givan Kolster
Red teaming exercises are an excellent means to identify gaps in security controls and to test the detection and response capabilities of an organization. Being able to simulate an advanced attacker, breach an organization and compromise live, production systems gives me a thrill every time and provides great learning opportunities for our clients. Performing such exercises comes with risks, and therefore, as described in my previous blog that I wrote together with Ivo Noppen, risk management is crucial to successfully performing red teaming exercises.
In this new blog, I want to focus on another element of red teaming that is often misunderstood. Even though these exercises are scenario-based, and have objectives for the red team to try to achieve, the focus should always be on learning: learning how to improve the organization’s ability to prevent, detect and respond to real threats.
Some regulatory-driven exercises, such as TIBER, CBEST and CORIE, are bound to a certain time frame. So, as a service provider, keeping a red teaming exercise within planning and budget is important.
But during a red teaming exercise, not everything always goes according to plan. Sometimes you need to put in extra effort to get to the next step, or you are not able to get a foothold at all, for example when none of the targets open the phishing payload.
But how can we perform effective red teaming exercises every time if we only have a fixed amount of time to perform the exercise? That is where the use of so-called ‘leg ups’ comes in. Leg ups are often misunderstood and perceived as a failure of the red team or as giving away the ‘keys to the kingdom’. So, let’s dive a bit deeper into the concept of leg ups.
What is a leg up?
I would describe a leg up as an agreed, predefined ‘shortcut’ which can be invoked when certain circumstances occur.
Let’s pretend you are a young kid who wants to climb over the fence to get to the ripe grapes of your neighbor. You have thought of different options for overcoming the fence and figured you need something to get you over it: a ladder maybe, or you could smash your way through. Both would be effective, but one will take you a while (getting a ladder) and the other is a one-way ticket to getting caught (smashing the fence). A quick fix would be to get help from a friend who lifts you up so you can climb over the fence. A literal “leg up”.
Helping hand?
Security professionals who perform adversarial simulations or red teaming exercises sometimes have a similar need. To overcome a certain blockade or time-consuming task, a leg up can be invoked. A blockade could be that no target successfully installed the phishing payload, or that going through thousands of SharePoint pages or network file shares would take days or weeks to find the right information.
A leg up can be anything that helps the red team overcome the hurdle, keeps the exercise within its time constraints and maximizes the lessons learnt for the organization. Leg ups can consist of many things, such as:
- Documentation, like IT architecture drawings.
- Insider knowledge on procedures or processes.
- Supervision of a subject matter expert.
- Access to (parts) of the network.
- Access to accounts with certain privileges.
Failure?
With the pressure of an exercise and the determination most offensive professionals have, the need to invoke a leg up is sometimes perceived as a failure: they were not able to do it themselves.
From the client’s perspective, a leg up is sometimes perceived as giving away the keys to the kingdom. A CISO might say that the exercise won’t have much impact on the board if the red team got help getting in, or received guidance from an SME about the crown jewel system that got compromised, and with that dismiss the lessons learnt that came out of the exercise. And yes, a narrative has more flair if the red team can showcase a full outside-in scenario without leg ups. But we need to keep in mind that our clients want a red teaming exercise to provide as many lessons learnt as possible in a cost-effective way (the same goes for internal red teams). Leg ups can provide the necessary means to deliver that. And knowing that something was not possible within the set time constraints can also be a valuable lesson learnt.
Leg ups should not be taken lightly and should remain within the narrative of the scenario. So, let’s have a look at what a good leg up looks like.
What makes a good leg up?
A good leg up is defined up front, preferably during the scenario creation phase (scoping) of the red teaming exercise. In this phase, the red team maps out the scenario in high-level steps and defines when a leg up needs to be considered. It is important to create an overview of when, why, and what kind of leg ups need to be considered.
An explanation to the white team (steering committee of the red teaming exercise) of what they need to arrange for each leg up is important, as some leg ups will have certain lead times or require a cover story to get arranged, without disclosing the red teaming exercise.
It is crucial that leg ups do not damage the attack scenario that is being simulated. Giving the red team a bit of help is good; giving them too much access right away reduces the learning possibilities for the organization.
In most cases, a leg up is useful at a phase transition of the attack (i.e. recon, in, through, and out), or when the attack enters a critical path, such as performing risky actions on crown jewel systems.
Defining leg ups is also a mandatory step in most frameworks and is documented in the ‘attack plan’ or ‘test plan’. This plan has additional benefits, as it also helps you explain to a customer what you are going to do. Moreover, it forces the red team to think about what might hinder a successful flow of the attack.
Real-life example
Let me give you an example. In every exercise, the red team will need to have a foothold within the organization. After all, we are simulating an actual breach.
However, the phishing attacks have not been successful, and the implant has not proven to be persistent, putting the red team back to square one several times now. Hopefully this is due to our client’s security awareness and threat response. But the red team has been on this for two weeks, and the full engagement is scheduled to run for another 4 weeks.
As described in the test plan, after two weeks of no persistent foothold, the white team could provide a leg up to grant the red team a company laptop with a valid user account that they can infect, as if the phishing attack was successful. And because this was agreed and defined up front, the white team had requested the laptop a few weeks earlier and the relevant account credentials are available. Everything is now in place to invoke the leg up without wasting time.
Even though it is a valuable lesson for the organization to learn that they are resilient against the phishing attack, the point here is that the organization can also learn many valuable lessons after that point. Because what if an attack slips past the security controls and entices another user to execute the phishing payload?
We work under the assumption that an attacker, given enough time and resources, will be able to breach the organization at some point. The leg up provides the opportunity to continue learning even after one part of the attack has been successfully stopped.
Conclusion
Leg ups are a powerful instrument that the white team can use to get the most lessons learnt out of the red teaming exercise. They can be invoked to use the available time effectively (when the red team is stuck too long in a part of the attack scenario), or to mitigate risks (when the red team comes close to the objectives). Invoking a leg up often means something positive for our clients: their security controls work or their personnel are security aware.
It is important to define and prepare the leg ups up front. Then, when the time comes to invoke a leg up, it is clear to everyone why it is necessary, what is required, and that it can be invoked without lead time.