Book Image

Cybersecurity Attacks – Red Team Strategies

By : Johann Rehberger
Book Image

Cybersecurity Attacks – Red Team Strategies

By: Johann Rehberger

Overview of this book

It's now more important than ever for organizations to be ready to detect and respond to security events and breaches. Preventive measures alone are not enough for dealing with adversaries. A well-rounded prevention, detection, and response program is required. This book will guide you through the stages of building a red team program, including strategies and homefield advantage opportunities to boost security. The book starts by guiding you through establishing, managing, and measuring a red team program, including effective ways for sharing results and findings to raise awareness. Gradually, you'll learn about progressive operations such as cryptocurrency mining, focused privacy testing, targeting telemetry, and even blue team tooling. Later, you'll discover knowledge graphs and how to build them, then become well-versed with basic to advanced techniques related to hunting for credentials, and learn to automate Microsoft Office and browsers to your advantage. Finally, you'll get to grips with protecting assets using decoys, auditing, and alerting with examples for major operating systems. By the end of this book, you'll have learned how to build, manage, and measure a red team program effectively and be well-versed with the fundamental operational techniques required to enhance your existing skills.

Related Content you might be interested in

Current Title:

Small book image
Cybersecurity Attacks – Red Team Strategies
Johann Rehberger
Mar, 2020 | 524 pages
Small book image
Adversarial Tradecraft in Cybersecurity
Dan Borges
Jun, 2021 | 246 pages
Small book image
Purple Team Strategies
Simon Thoores | David Routin | Samuel Rossier
Jun, 2022 | 450 pages
Small book image
Cybersecurity Blue Team Strategies
Nikolaos Thymianis | Kunal Sehgal
Feb, 2023 | 208 pages
Table of Contents (17 chapters)
Preface
Preface
A note about terminology
Who this book is for
What this book covers?
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Disclaimer
1
Section 1: Embracing the Red
Section 1: Embracing the Red
Free Chapter
2
Chapter 1: Establishing an Offensive Security Program
Chapter 1: Establishing an Offensive Security Program
Defining the mission – the devil's advocate
Getting leadership support
Locating a red team in the organization chart
The road ahead for offensive security
Providing different services to the organization
Additional responsibilities of the offensive program
Training and education of the offensive security team
Policies – principles, rules, and standards
Rules of engagement
Standard operating procedure
Modeling the adversary
Anatomy of a breach
Modes of execution – surgical or carpet bombing
Environment and office space
Summary
Questions
3
Chapter 2: Managing an Offensive Security Team
Chapter 2: Managing an Offensive Security Team
Understanding the rhythm of the business and planning Red Team operations
Managing and assessing the team
Management by walking around
Managing your leadership team
Managing yourself
Handling logistics, meetings, and staying on track
Growing as a team
Leading and inspiring the team
For the best results – let them loose!
Leveraging homefield advantage
Disrupting the purple team
Summary
Questions
4
Chapter 3: Measuring an Offensive Security Program
Chapter 3: Measuring an Offensive Security Program
Understanding the illusion of control
The road to maturity
Threats – trees and graphs
Defining metrics and KPIs
Test Maturity Model integration (TMMi ®)and red teaming
MITRE ATT&CK™ Matrix
Remembering what red teaming is about
Summary
Questions
5
Chapter 4: Progressive Red Teaming Operations
Chapter 4: Progressive Red Teaming Operations
Exploring varieties of cyber operational engagements
Cryptocurrency mining
Red teaming for privacy
Red teaming the red team
Targeting the blue team
Leveraging the blue team's endpoint protection as C2
Social media and targeted advertising
Targeting telemetry collection to manipulate feature development
Attacking artificial intelligence and machine learning
Operation Vigilante – using the red team to fix things
Emulating real-world advanced persistent threats (APTs)
Performing tabletop exercises
Summary
Questions
6
Section 2: Tactics and Techniques
Section 2: Tactics and Techniques
7
Chapter 5: Situational Awareness – Mapping Out the Homefield Using Graph Databases
Chapter 5: Situational Awareness – Mapping Out the Homefield Using Graph Databases
Understanding attack and knowledge graphs
Graph database basics
Building the homefield graph using Neo4j
Exploring the Neo4j browser
Creating and querying information
Summary
Questions
8
Chapter 6: Building a Comprehensive Knowledge Graph
Chapter 6: Building a Comprehensive Knowledge Graph
Technical requirements
Case study – the fictional Shadow Bunny corporation
Mapping out the cloud!
Importing cloud assets
Loading CSV data into the graph database
Adding more data to the knowledge graph
Augmenting an existing graph or building one from scratch?
Summary
Questions
9
Chapter 7: Hunting for Credentials
Chapter 7: Hunting for Credentials
Technical requirements
Clear text credentials and how to find them
Leveraging indexing techniques to find credentials
Hunting for ciphertext and hashes
Summary
Questions
10
Chapter 8: Advanced Credential Hunting
Chapter 8: Advanced Credential Hunting
Technical requirements
Understanding the Pass the Cookie technique
Credentials in process memory
Abusing logging and tracing to steal credentials and access tokens
Windows Credential Manager and macOS Keychain
Using optical character recognition to find sensitive information in images
Exploiting the default credentials of local admin accounts
Phishing attacks and credential dialog spoofing
Performing password spray attacks
Summary
Questions
11
Chapter 9: Powerful Automation
Chapter 9: Powerful Automation
Technical requirements
Understanding COM automation on Windows
Achieving objectives by automating Microsoft Office
Automating and remote controlling web browsers as an adversarial technique
Summary
Questions
12
Chapter 10: Protecting the Pen Tester
Chapter 10: Protecting the Pen Tester
Technical requirements
Locking down your machines (shields up)
Improving documentation with custom Hacker Shell prompts
Monitoring and alerting for logins and login attempts
Summary
Questions
13
Chapter 11: Traps, Deceptions, and Honeypots
Chapter 11: Traps, Deceptions, and Honeypots
Technical requirements
Actively defending pen testing assets
Understanding and using Windows Audit ACLs
Notifications for file audit events on Windows
Building a Homefield Sentinel – a basic Windows Service for defending hosts
Monitoring access to honeypot files on Linux
Alerting for suspicious file access on macOS
Summary
Questions
14
Chapter 12: Blue Team Tactics for the Red Team
Chapter 12: Blue Team Tactics for the Red Team
Understanding centralized monitoring solutions that blue teams leverage
Using osquery to gain insights and protect pen testing assets
Leveraging Filebeat, Elasticsearch, and Kibana
Summary
Questions
15
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
16
Another Book You May Enjoy
Another Book You May Enjoy
Leave a review - let other readers know what you think

A note about terminology

This book uses common terms, such as alternative analysis, offensive security, red teaming, penetration testing, purple teaming, adversary emulation, and similar ones throughout. It is understood that opinions on what some of these terms mean differ between nations, sectors, organizations, and individuals.

I was introduced to the term of alternative analysis by attending the red team training session Becoming Odysseus, by Dr. Mark Mateski. Mark has been a thought leader in the red-teaming community for over two decades. The training provided great insights and introduced me to the broader definition of red teaming that exists outside the tech industry. In the broader setting, red teaming is meant to highlight any form of alternative analysis and enable people to see something from an adversary or competitor's perspective.

The Center of Advanced Red Teaming at the University at Albany (https://www.albany.edu/sites/default/files/2019-11/CART%20Definition.pdf) proposes the following definition for red teaming: Any activities involving the simulation of adversary decisions or behaviors, where outputs are measured and utilized for the purpose of informing or improving defensive capabilities.

In the tech and cybersecurity industry, it is common to use red teaming to refer to breach operations to measure and improve the incident response process.

When pen testing at a small company, red teaming and even tasks such as threat modeling might be done by the same team, and some activities are outsourced. By contrast, a large organization might have multiple pen test teams focused on different objectives and tasks such as application security assessments, penetration testing, red teaming, and adversary emulation, and so each might be done by differently specialized groups of individuals.

A large red team might further split up responsibilities within the team, such as having dedicated tool development engineers, program managers, operators, or a breach team (Team A) versus an objective team (Team B), and so forth.

This book will use terms such as pen tester and red teamer at times interchangeably depending on the context of the discussion and topic, and hopefully, this will not lead to confusion on the part of the reader. I realized it's impractical to attempt to define a strict ruleset on what some of the terms mean generically, given the variation of opinion throughout the field.

Previous Section
Next Section