Gemma Moore 4 February, 2022

Using Red Teaming to upskill detection and response teams

When we talk about red teaming, it's quite easy for people to understand the benefits of using realistic techniques in our approach to exploring a particular attack pathway and for people to see the benefits of identifying the chains of vulnerabilities that allow a compromise to happen.  Quite frequently, though, people underestimate how effective red teaming can be when it comes to upskilling detection and response teams.  I'd like to give an example of how - run well - red teaming can be used to improve detection and response outcomes.  This is, of course, an anecdote, but it certainly gives an idea of how performance changes when teams are challenged in the right way.

Our customer, a firm within the financial services sector, wished to conduct a STAR simulated attack which assessed four main objectives within their internal network:

  • The efficacy of technical countermeasures which have been deployed
  • The behaviour and response of users who have been targeted by a social engineering email
  • The efficacy of internal detective controls following a compromise
  • The response of other internal personnel once an incident has been detected and reported

Using evolving techniques, this simulated attack is one which we have repeated for our customer three times over four years.  This customer did not commission a specialist threat intelligence provider for the purposes of this attack, but anecdotally, they were aware of groups targeting a diverse range of employees through phishing attacks and were keen to understand how exposed to this threat they were.  They also wished to upskill their initially inexperienced internal response team, and improve employee awareness across the board.

To meet the customer’s requirements, we constructed a number of scenarios, including the compromise of the large Client Services department, which had a public-facing Internet presence; targeting of personal data managed by the Human Resources department; and targeting of the Business Operations team, which had operational control of internal systems and therefore elevated privileges.  In each case, crafted phishing emails were created and deployed, which delivered customised malware to the internal workstations.  We assessed a variety of mechanisms including links to websites hosting malicious content, malicious attachments containing executables, malicious document attacks and spear phishing directed against specific individuals.

Our customer had a relatively mature set of technical controls on the perimeter, and as a result we needed to bypass:

  • External web security controls including the blocking of dangerous file types and reputational filtering
  • Email protection controls including reputational scoring, blocking of dangerous attachment types, and inspection of web links
  • Endpoint protection controls including HIPS and EDR solutions
  • Network egress filtering controls blocking outbound communications

Specific targets for access were agreed, including sensitive data files and sensitive email repositories.

As the internal response team was relatively inexperienced, during the first year in which the simulated attack was conducted, we worked closely with our customer’s internal response team throughout the exercise – letting them know what we were doing and when, so that they could track the indicators of compromise we produced through their detective controls and identify where the gaps in their internal visibility lay.  This engagement with the internal responders also provided them with a productive understanding of the general attacker mindset, and the ways in which adversaries will attempt to move through a network once a foothold has been gained.  We were able to highlight for the customer weaknesses in the response processes, and areas where containment was incomplete as a result.  We also made recommendations for improvements to technical controls both on the perimeter and on endpoint devices and recommended additional training for user awareness and for internal responders.

During the second execution of a similar attack for the customer, the internal incident response team was made aware that an attack was on-going, but no information was provided to them during the execution phase.  It was clear to our customer and to their internal teams that lessons learned during the first simulated attack were put into play when responding to the second simulated attack.  The internal response teams were faster at identifying a compromise in progress, and more effective at containing on-going activity.  Some areas of weakness remained, however, largely in the areas of user reporting of problems.  To assist with this, we conducted a special user awareness debrief session with our customer’s staff, whereby we spoke about the types of techniques we had used to gain their confidence and encourage them to open documents and click on malicious links; this training was well-received by all.  Detailed debriefs with the internal response team following the assessment allowed us to demonstrate areas where their response was still lacking in completeness, and to discuss other ways in which the attack-in-progress could have been contained.

During the third execution of a similar attack, the internal response team was not made aware that a simulated attack was on-going.  This third assessment revealed a substantial increase in the reporting of attempted attacks by users, and a speedier and more effective response by the internal response teams.

There were some great outcomes.  In terms of the value to the customer, our customised approach to delivery of the simulated attack resulted in the upskilling of their internal response team, who are now much better equipped to respond to a real-world incident.  The customer also gained assurance that their technical control set was well positioned in both a preventative and a detective capacity.  User awareness internally increased year-on-year, and in a world where user reporting is the most common method of a breach being detected, this means that our customer is now well-placed to identify and respond to incoming attacks.
