Get hacked by a pro: Use red teams to expose security shortcomings

You’re an executive and you’ve just received a dreaded call: Your company has been the victim of a cyberattack, and some of your most sensitive data has been stolen.

Fast forward past the initial investigation, when your security leaders and incident responders take you through the steps of the attack and how you even got here. Every time they highlight a gap or weakness that was exploited, you keep thinking the same thing: How come we weren’t prepared for that?

We invested in all the recommended security tools, we have had everything certified, we even did a penetration test last year. So the big question is: How do we ensure we are prepared should it happen again?

One of the most effective ways that organizations can prepare for cyberattacks is to be attacked — by a friend. Working with a red team, as these professional, ethical hacking groups are known, can quickly and reliably highlight what an organization is doing well — and what they need to work on. 

Like sparring practice at a karate dojo, red teams are trained cybersecurity professionals who simulate an attack against your organization. They emulate the goals and behaviors of real threat actors. Their attacks probe an organization’s technology and personnel for gaps and holes that can be exploited to gain access. From there, they can be in a position to take over the entire company or steal its most prized assets just as a malicious actor would.

Red team engagements driven by threat intelligence can test how an organization’s employees respond to real-world threats that matter most to the organization, exploring the company network and cloud for vulnerabilities, misconfigurations, and other blindspots. Red teams are one of the most effective ways to practice fighting off a real cyberattack.

The entire red team experience covers a lot of ground, so here’s a look inside what an actual red team engagement looks like, and what business leaders can learn from a red team engagement.

Case study: How a nation-state can attack a CEO

A Mandiant client was concerned about news reports of attackers specifically targeting CEOs that coincided with an uptick in the use of zero-day threats, which exploit previously-unknown and unpatched vulnerabilities to attack a target. The company had in the past invested heavily in phishing training and endpoint protection for the computers, phones, tablets, and other devices that connect to the network, but did not feel they were ready for zero-day attacks. Our red team was contacted for an exercise that focused solely on access to the CEO email and applied only to the primary organization, not any of its subsidiaries.

Following a review of this initial brief, our experts highlighted limitations in the original scope and suggested a more realistic threat scenario based on the likely actions of the adversary:

While it’s understandable that an organization would be worried about attackers using zero days to directly access their CEO’s devices and accounts, an initial review showed that another entry point (such as the corporate Microsoft Exchange server or VPN) would be a more likely starting point for access.

The CEO’s email, while always an interesting target, was not the primary goal of the likeliest adversaries for this organization. Mandiant determined a more realistic high-end scenario, given the client's industry and geographic location, would be an attack by a nation-state actor such as APT29, a Russian hacking group that seeks access to sensitive information and government connections.

A supply chain attack targeting a third-party vendor or subsidiary breach would be a more likely way in for an attacker. Since a bilateral trust setup existed between the core organization and its other holdings, a compromise of any subsidiary would permit an attacker to move easily to any organization in their network.

The exercise also focused on assessing whether defenders could spot actions taken by attackers after the initial breach had occurred. It is a commonly accepted truth in cybersecurity that, if given enough time, it’s nearly impossible to stop a determined attacker from gaining an initial foothold. Phishing emails, for example, eventually get past email defenses; whether through luck, misconfiguration, use of exploits, or a combination of all three. Given this, what would the attacker be able to do once they had this foothold, and could the organization stop and stop them before further damage occurred?

To enhance this exercise, the red team used Mandiant Threat Intelligence resources to research and deploy realistic phishing elements and attack tools used in previous APT29 campaigns, as well as techniques that the threat group might use to remain undetected while inside the organization.

Executing the red team attack

The organization’s phishing controls and phishing prevention training performed well. In the first few weeks, the client’s personnel thwarted all efforts to get an initial foothold onto the system. However, by subtly altering the content of the phishing message and switching from targeting all the employees at the company to focusing on specific employees, the red team was eventually able to gain access to one user’s system using a custom attack.

From this initial foothold, the red team then bypassed security measures, including endpoint detection and response, and used stolen credentials to obtain administrative rights on several database servers. Administrative rights grant broad powers, and can enable an attacker to make widespread changes to a system, such as installing ransomware. Since one of the servers was not protected by security solutions, it was able to be used as an undetectable staging ground for further attacks. 

In parallel, the red team also obtained administrator privileges on a different system, which allowed them to get into the organization's primary domain. From here, the attack paths converged again, and the red team was able to exploit weaknesses in core configurations. Ultimately, the red team was able to obtain administrator rights to almost the entire network.

Wizard Mode: unlocked. 

From the initial compromise, it took the red team less than two days to gain full control over the client’s internal domain.

Had this been a ransomware attack, it would now have been possible for a threat actor to deploy the encryption malware across more than 90% of the client’s systems, including their backup servers. However, since the red team was emulating an espionage threat actor, the overall objective was to gain “access to critical IP,” something the client had wisely protected with an additional level of security controls and multi-factor authentication (MFA).

To circumvent this, the red team created a custom code to trigger a fake authentication prompt that matched the look and feel of the real authentication prompt on the victim’s machine. As most employees are accustomed to automatically filling in prompts when they pop up, the fake prompt was immediately populated. That allowed the red team to steal the temporary credential, which they used to log into the vault that contained the IP. 

Mission complete.

What the client learned

One of the most important lessons the client learned from this red team engagement was that news reports about specific security threats do not necessarily reflect the actual threat against many or even most organizations. Curated threat intelligence coupled with adversarial emulation is a much more effective tool to understand what threats an organization might be facing and in what shape or form they will conduct their attacks. 

Once the organization has trusted, curated threat intelligence, they should use this to quickly move on from their prior threat models and adapt security efforts to their new reality. Finding a way to validate that their strategy and controls could actually stop a cyberattack is key. Red teaming that uses this threat intelligence as a base is one effective way of doing this.

In the client situation we’ve described, the client’s maturity as an organization puts them in a better position to respond appropriately to the new threat intelligence. They were already in a good position in regards to defensive security controls and training, and had the resources to work with us to get the right engagement planned. However, because they had prior experiences with red teams, they were harder to convince that a more complex engagement would take longer and take a wider scope than they originally wanted.

Another important lesson is that it’s impossible to defend against initial access via zero-day attacks because of their very nature as a vulnerability the defender doesn’t know about. Testing against them wouldn’t be an effective use of resources. 

What could be effective would be to start an emulated cyberattack from whatever device or system that an attacker could compromise with the zero day. That strategy also shows the importance that the primary security focus should be on the inside, creating layers of detection and response capabilities in-depth. It also supports the approach that that security must start from the inside. The outside is a hard shell that can always be cracked.

The red team benefit

While the idea of conducting real-world attacks against your organization may feel intimidating, safely doing so with a red team can be the most effective way to identify vulnerabilities and misconfigurations in network architecture, gaps in security controls and deficiencies within security operations. 

To be sure, broad-based penetration testing can be useful, but deeper mission-based exercises guided by threat intelligence are more effective. They can reveal the most relevant actions needed to protect an organization’s critical assets, improve technical controls, and create resilience through operational enhancements and overhauls.