A real Red Team Exercise, how to get in?
In this article, we'll talk about a red teaming assessment of a FinTech company, what it taught us, and what we actually learned from it.
Today organizations know they will be breached; it's only a matter of time. More companies accept that a sustainable business has to be a secure one as well. This is especially true for financial and banking institutions, where money, PII, and security and compliance standards are all involved.
Red teaming is a security exercise in which the client faces a simulated "real threat actor". It is usually done once a company is mature enough that the goal is to find the very specific, niche misconfigurations, vulnerabilities or process gaps that, if exploited by a malicious actor, would do real damage.
Ideally, a time-boxed red teaming exercise should surface any low-hanging fruit, starting with phishing attacks and continuing with an external and a physical assessment. The engineers involved usually have different specialties, and each brings their own strong points (WiFi, social engineering, RFID cloning, NAC bypasses).
We'll take each type of assessment and describe the DOs, DON'Ts, and what we've learned so far:
– Phishing – Most attacks nowadays start, one way or another, with a phishing email opened by a member of the company's staff.
Unfortunately, the story usually ends with ransomware. This is one of the reasons we like helping companies secure their people too, with non-boring (interactive) security training built around real-case scenarios that are funny (at least for us). That said, most financial institutions nowadays run internal security training periodically, and we're glad to see when those dedicated hours were not in vain.
– External – Many companies expose sensitive services and servers.
Developers can be a bit careless and leave things exposed. Enumeration is always the key. To map a company's external presence, there is a myriad of tools for enumerating subdomains, among them omnisint (https://omnisint.io/), RiskIQ for certificate data, Shodan domain queries, and many others. Brute-forcing subdomains will turn up more. Still, the information from certificates, Shodan and some Google dorking is usually enough for a solid starting point. Once the scope is solid, go through all the services and test each and every one. Communication with the client is key here too: confirm the scope before you touch anything. Old, stale services are often the way in; from there, pivot.
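The enumeration routine above (certificate data, Shodan, dorking, brute force, then looking for old, stale services) is easy to describe and tedious to do by hand. The script below is an added example and not the post's own tooling: it merges hostnames from several sources, normalizes them, keeps only names under the in-scope root domains (which also throws out lookalike domains such as `example-fintech.com.attacker.tld`), and flags hosts whose only certificates have already expired as "stale" candidates to check first. All input data is constructed; the record shape (`name_value`, `not_after`) is only loosely modelled on certificate transparency exports, the domain names are placeholders, and DNS resolution is stubbed with a lookup table so it runs offline.

```python
"""Consolidate external-surface hostnames from several OSINT sources and flag stale ones.

Added example, not the post's own tooling. The input records are constructed here and
only loosely modelled on certificate-transparency exports (name_value / not_after fields),
Shodan-style hostname results and search-engine hits. Domain names are placeholders.
"""
import re
from datetime import date

ROOTS = ["example-fintech.com"]  # assumed in-scope root domains (placeholder)

# Constructed sample data standing in for what CT search, Shodan and dorking return.
CT_RECORDS = [
    {"name_value": "*.example-fintech.com\napi.example-fintech.com", "not_after": "2025-12-31"},
    {"name_value": "old-vpn.example-fintech.com", "not_after": "2019-03-01"},
    {"name_value": "Mail.Example-Fintech.com.", "not_after": "2026-01-15"},
    {"name_value": "staging.example-fintech.com", "not_after": "2020-06-30"},
    {"name_value": "example-fintech.com.attacker.tld", "not_after": "2030-01-01"},  # lookalike, out of scope
]
SHODAN_HOSTNAMES = ["api.example-fintech.com", "jenkins.example-fintech.com"]
DORK_HITS = ["https://staging.example-fintech.com/login", "http://docs.example-fintech.com/"]
WORDLIST = ["www", "dev", "vpn", "git", "jenkins"]
# Stand-in resolver so the brute-force step runs offline; swap in real DNS lookups on an engagement.
FAKE_DNS = {"www.example-fintech.com", "dev.example-fintech.com", "jenkins.example-fintech.com"}


def normalize(name: str) -> str:
    """Lower-case a hostname/URL, drop scheme, path, port, trailing dot and a leading wildcard."""
    name = re.sub(r"^[a-z]+://", "", name.strip().lower())
    name = name.split("/")[0].split(":")[0].rstrip(".")
    return name[2:] if name.startswith("*.") else name


def in_scope(name: str, roots=ROOTS) -> bool:
    """True only for the root itself or a real subdomain of it (defeats lookalike suffixes)."""
    return any(name == r or name.endswith("." + r) for r in roots)


def ct_names(records, today: date) -> dict:
    """Map each in-scope CT name to True if every certificate seen for it has expired."""
    latest = {}
    for rec in records:
        expiry = date.fromisoformat(rec["not_after"])
        for raw in rec["name_value"].split("\n"):
            n = normalize(raw)
            if in_scope(n):
                latest[n] = max(latest.get(n, date.min), expiry)
    return {n: expiry < today for n, expiry in latest.items()}


def bruteforce(roots, wordlist, resolves) -> set:
    """Return word.root candidates that the resolver says exist."""
    return {f"{w}.{r}" for r in roots for w in wordlist if resolves(f"{w}.{r}")}


def enumerate_surface(today_iso: str, ct_records=CT_RECORDS, shodan=SHODAN_HOSTNAMES,
                      dorks=DORK_HITS, wordlist=WORDLIST, resolves=lambda n: n in FAKE_DNS) -> dict:
    """Merge all sources into {hostname: {"sources": set, "stale_cert": bool}}."""
    today = date.fromisoformat(today_iso)
    surface = {}

    def add(name, source):
        n = normalize(name)
        if in_scope(n):
            surface.setdefault(n, {"sources": set(), "stale_cert": False})["sources"].add(source)

    for n, stale in ct_names(ct_records, today).items():
        add(n, "ct")
        surface[n]["stale_cert"] = stale
    for n in shodan:
        add(n, "shodan")
    for n in dorks:
        add(n, "dork")
    for n in bruteforce(ROOTS, wordlist, resolves):
        add(n, "brute")
    return surface


def stale_candidates(surface: dict) -> list:
    """Hosts whose only certificates have expired: prime 'old, forgotten service' targets."""
    return sorted(n for n, info in surface.items() if info["stale_cert"])


if __name__ == "__main__":
    found = enumerate_surface("2021-10-01")
    for host in sorted(found):
        flag = "  <-- stale cert, check first" if found[host]["stale_cert"] else ""
        print(f"{host:35} {','.join(sorted(found[host]['sources'])):20}{flag}")
```

On a real engagement, replace `FAKE_DNS` with a resolver that wraps `socket.gethostbyname` in a try/except, and feed `CT_RECORDS` from whichever certificate source you use. An expired certificate does not prove a host is abandoned, but a name that only ever appeared on a certificate that lapsed years ago, and that nobody else still references, is exactly the "old, stale service" worth testing first.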
– Physical – social engineering, NAC, RFID cloning, WiFi pentest, rubber duckies
During a physical assessment, every social skill helps. Blending in with a crowd, being sociable (not a skill cyber security guys/gals are known for) and appearing as security-unaware as possible works best when interacting with people. In the morning or right after lunch, people tend to be friendlier and more willing to help, whether with access or with sensitive details. When the occasion arises, strike, and behave as if you belong there.
If it works, you'll be as happy with your mission as we are in this photo:
What we’ve learned:
1. Social engineering is still one of the ways into a company
- People want to be helpful, either out of self-interest (closing a business deal) or because they are swamped with issues in their own lives, so staying on high alert for a phishing attempt or refusing a stranger sensitive information is simply not a high priority.
- People are still afraid, or too comfortable, to ask a stranger uncomfortable questions. If you see a new coworker at the desk beside you, at least introduce yourself and make sure the person is actually authorized to be there.
- Non-technical people are not really aware of the threat a cable hanging loose in a conference room poses.
- Don't point fingers. Improving security posture is a goal we are all trying to achieve. Congratulate and shake hands with (or maybe fist bump) the personnel who actually paid attention in those security awareness hours.
- The stories of employees using weak passwords like **Fall2021** or **October2021** are unfortunately still true.
2. Attackers will use the easy way in.
If social engineering, offline (on site) or online (LinkedIn, mail, forums), is more efficient than cloning an RFID card by getting awkwardly close to an employee while she/he smokes or talks on the phone, an attacker will always choose the more comfortable and cheaper way in.
Where were we wrong? Some advice:
- Companies should implement and thoroughly test their NAC deployment, and test all their other controls as well. Misconfigurations happen and it's nobody's fault, but it is far better to find them now, during a security assessment, than to let a threat actor find them instead.
- Knowing the local languages goes a long way in physical and social engineering assessments.
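The seasonal and monthly passwords mentioned above (Fall2021, October2021) are weak for a concrete reason: they are exactly the list a red team sprays against an OWA, VPN or SSO portal once it has a list of usernames. The block below is an added example, not from the post, and shows both sides: it generates the spray list an attacker would build for a given month, and it detects the pattern in a password so the same logic can sit in a password filter or be run over cracked hashes after an assessment. Only Fall2021 and October2021 come from the text; the suffix list, the leet substitutions and the sample passwords are constructed assumptions.

```python
"""Detect and generate the Season+Year / Month+Year passwords that password spraying relies on.

Added example, not from the post. Only Fall2021 and October2021 come from the text; the
suffix list, leet substitutions and sample passwords are constructed assumptions.
"""
import re

SEASON_OF_MONTH = {12: "Winter", 1: "Winter", 2: "Winter", 3: "Spring", 4: "Spring", 5: "Spring",
                   6: "Summer", 7: "Summer", 8: "Summer", 9: "Fall", 10: "Fall", 11: "Fall"}
SYNONYMS = {"Fall": ["Autumn"]}
MONTHS = ["January", "February", "March", "April", "May", "June",
          "July", "August", "September", "October", "November", "December"]
SUFFIXES = ["", "!", "!!", "#", "@", "$", "123", "."]        # assumed popular tails
LEET = str.maketrans({"@": "a", "$": "s"})                    # F@ll -> fall, $ummer -> summer
VOCAB = {w.lower() for w in MONTHS} | {w.lower() for w in SEASON_OF_MONTH.values()} | {"autumn"}

# word, optional separator, 4- or 2-digit year, up to four trailing non-letters
PATTERN = re.compile(r"^(?P<word>[A-Za-z@$]{3,})[-_.]?(?P<year>20\d{2}|\d{2})(?P<tail>[^A-Za-z]{0,4})$")


def date_word_password(pw: str):
    """Return (word, year) if pw is a season/month name followed by a year, else None."""
    m = PATTERN.match(pw)
    if not m:
        return None
    word = m.group("word").lower().translate(LEET)
    return (word, m.group("year")) if word in VOCAB else None


def spray_candidates(year: int, month: int) -> list:
    """The list an attacker sprays for a given month: season(s) and month name x year forms x suffixes."""
    season = SEASON_OF_MONTH[month]
    words = [season] + SYNONYMS.get(season, []) + [MONTHS[month - 1]]
    years = [year - 1, year] if month in (1, 2) else [year]   # "Winter2021" lingers into January
    year_forms = [f for y in years for f in (str(y), str(y)[2:])]
    return [f"{w}{y}{s}" for w in words for y in year_forms for s in SUFFIXES]


def audit(passwords) -> list:
    """Run over a constructed list of cracked passwords; return the ones that follow the pattern."""
    return [pw for pw in passwords if date_word_password(pw)]


# Constructed sample: the two from the text plus variants and some that must not be flagged.
SAMPLE_PASSWORDS = ["Fall2021", "October2021", "F@ll2021!", "Winter21", "Fallout2021",
                    "Tr0ub4dor&3", "Summer", "correct horse battery staple"]

if __name__ == "__main__":
    print("flagged:", audit(SAMPLE_PASSWORDS))
    october = spray_candidates(2021, 10)
    print("spray list for Oct 2021 has", len(october), "entries, e.g.", october[:3])
```

Two practical notes: a real spray is throttled to one or two attempts per account per lockout window, so the ordering of this list matters more than its length; and on the defensive side, `date_word_password` is the kind of check worth adding to a password filter, since complexity rules are satisfied by every entry in `spray_candidates` and yet none of them survives a first spray.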
If you need more information on the matter, don’t hesitate to contact us here.
Cybersecurity Engineer @ Cyber Threat Defense