Red Team Frameworks & Methodologies
Key Takeaways
The video introduces industry-standard frameworks and methodologies used by Red Teamers, such as MITRE ATT&CK and NIST Cybersecurity Framework, to plan and orchestrate successful Red Team operations.
Full Transcript
Hey guys, HackerSploit here, back again with another video, and welcome back to the Red Team series. In this video we're going to be continuing from where we left off in the previous video. I do apologize for the delay in uploads, but this video, as well as the rest of the videos following this one, will be uploaded on the regular schedule.

With that being said, what are we taking a look at in this video? We're going to be exploring the various Red Team frameworks or methodologies that are used as a guideline or baseline when performing Red Team operations. Again, this is not exclusive to penetration testing, but you get the idea. We're going to be exploring the frameworks and methodologies that are typically followed in terms of the process or life cycle. If you think of penetration testing, you have things like the Penetration Testing Execution Standard, or PTES, which again can work in relation to Red Teams, but we're going to be exploring it a little bit more. The objective here is to further differentiate and distinguish a pentest from a Red Team operation, and the methodologies will lend to that explanation.

Before we get started, we need to understand Red Team engagements in terms of what we're doing, what the goals and objectives are, and how we go from a defined set of objectives with the Rules of Engagement to actually implementing that. A successful Red Team engagement begins with clearly defining the goals or objectives of the engagement with a client, very similar to a pentest. Once the objectives are agreed upon, the Red Team is then tasked with planning and orchestrating the engagement or operation based on the predefined goals or objectives.

It's important to note that a Red Team engagement does not focus on the search for vulnerabilities. That may seem a little bit confusing, but if you look at it holistically, whenever you're performing a Red Team operation your primary goal is not to find vulnerabilities and then exploit them. You're targeting the organization as a whole, in terms of the way it operates as well as the detection and defense capabilities of the organization, so you're taking a much more holistic approach. What that also means, if I use an example, is that instead of focusing solely on systems (computers or servers, let's say), you also start incorporating employees. Going beyond the basic example of a phishing attack, you're trying to assess whether they are actually adhering to some predefined standards or security policies around email security or downloading attachments, if there is a security policy defined. You're also trying to assess the response time, or the incident response process, or at least the efficacy of that process. What that means is, if the organization you're performing the Red Team for has a Blue Team in place or a SOC (Security Operations Center), you're trying to see, firstly, whether the SOC can detect an attack in time, and secondly, whether their response is proportionate and whether they are able to defend against the attack.

The bottom line is that the results of the Red Team engagement or operation should highlight the Blue Team's ability to detect and defend against attacks and, more importantly, where improvements can be made. This is why Red Team operations are typically performed every quarter or twice a year: not only to assess the organization's ability to detect and defend against attacks, but more so whether the Blue Team is actually improving, or has improved, from the previous operation with regard to the mistakes you identified or the areas you were able to clearly see the Blue Team needs to improve on.

In addition to that, as I explained in the previous video, Red Team engagements or operations should also simulate or emulate new TTPs. TTPs is an abbreviation for Tactics, Techniques and Procedures, a set of terms derived from the MITRE ATT&CK framework. So Red Team operations should also simulate or emulate new TTPs for the Blue Team to learn how to detect and defend against. What this means is that the threat landscape is constantly evolving. Regardless of whether you're a medium-sized organization or a large organization, new APT groups or new threat actors are constantly using new TTPs, or you may see some advancements or augmentations to their tradecraft, and you need to keep the Blue Team on their toes, up to date and aware of these new TTPs. Again, that lends to the whole cyclic process of improving their detection and defensive capabilities.

Based on what I've just said and the objectives laid out and agreed on, any successful Red Team engagement or operation will obviously require a structured, methodological approach, especially when you talk about adversary emulation or simulation, which we'll actually be getting into. I know I'm going on a tangent here, but if you remember what I covered in the previous video, one of the misconceptions is that Red Team engagements or operations are very ad hoc, meaning there's no structure or methodology behind them. That couldn't be further from the truth. What usually leads people into thinking it's quite random, ad hoc and chaotic is the very wide scope that Red Team operations typically have. What I'm trying to say here is that every Red Team operation requires an appropriate framework or methodology that you follow, in terms of the methodological approach, but also to ensure that you are staying within the bounds, not just of the rules defined in the Rules of Engagement, but by using something that has worked previously, so that there's a sense of accountability. This is very useful not just during the execution phase of the Red Team operational campaign but also in structuring it beforehand.

Some frequently utilized Red Team frameworks or methodologies include the Cyber Kill Chain by Lockheed Martin and of course the MITRE ATT&CK framework. Now, the MITRE ATT&CK framework, I know, is not really a methodology that you can follow; it's really a framework, which we'll actually be getting into in a separate video, but it's a framework that's been adopted by both the offensive side and the defensive side in cybersecurity. At the most basic level it offers a common language between these two groups of cybersecurity professionals and allows them to communicate things like specific vulnerabilities or specific procedures. If you're a little bit confused, don't worry, it'll make sense. So we have the Cyber Kill Chain by Lockheed Martin, we have the MITRE ATT&CK framework, which is a framework, and then we have the Unified Cyber Kill Chain, which is more like a methodology or a process.

You can see that the Cyber Kill Chain here breaks down a Red Team operation (again, this can work for pentesting) into various stages. Stage one is all to do with reconnaissance; some examples here are harvesting email addresses and conference information, just very basic examples. Then you have stage two, weaponization, where you're coupling exploits with backdoors into a deliverable payload. A better example is developing your malicious Word documents that you'll use for initial access, or any payloads or code that you're going to be using for initial access or even later, during post-exploitation. Then you have stage three, delivery. This is where you deliver the weaponized bundle or payload to the victim via email, web or USB. If you're performing phishing or you're using a spear phishing attachment, this stage is all to do with setting up your phishing framework or phishing infrastructure in terms of domains, emails and the phishing framework that you'll be using, something like GoPhish, and that encapsulates the whole process of sending an email to your target. Then of course you have exploitation, which can involve the successful execution of your payload or weaponized bundle by the target on a target system. Exploitation infers gaining access to a system by means of either exploiting an employee, a human being, through social engineering, or by exploiting a vulnerability in a particular target system.

You typically see this with APT groups: the malicious document or file that someone in the target organization downloads and opens or executes on their system usually doesn't have anything malicious in it, if you were to look at it objectively. What that document does, if I use the example of a malicious document, is act as a dropper. It calls back to a command and control server and then essentially downloads the stage. If you think of it from your traditional Metasploit framework payload perspective, the document acts as a stager and then downloads the stage, and only after the stage has been executed does the rest happen. So once the document is opened it calls back and downloads the stage, which then, I wouldn't say gives the Red Team operator a reverse shell, but more commonly calls back to a command and control server, and then further actions are taken. This is where you see the command and control channel being established. I've sort of skipped over installation of malware, but that's where you have stuff like rootkits, etc. Then you have your actions on objectives. This is where the attacker, and again I'm looking at this from an adversarial perspective, either performs additional reconnaissance and all the standard post-exploitation activities, and then action on objectives essentially infers the attackers performing actions that are in line with their original objectives. What was the objective of the threat group or APT group, or why did they want to gain access to this organization? Some examples of actions on objectives are deploying ransomware, deleting data, exfiltrating data, and so on and so forth. But as a Red Teamer you're not really going to be doing any of that; that's typically where you stop or draw the line, so you don't want to delete anything within an organization's digital infrastructure.

You then have the MITRE ATT&CK framework. I've just clipped a screenshot from the ATT&CK framework website, and don't worry, I'll be explaining this in the next video, where we'll actually be going through it in quite a bit of detail. The ATT&CK framework essentially breaks down each phase of an adversary's life cycle, or the adversary's kill chain, into tactics, and each tactic contains techniques. You can see that at the top here these are all your tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, and so on and so forth, all the way to Impact. Impact is the equivalent of Actions on Objectives in the Lockheed Martin Cyber Kill Chain, just so that we're on the same page. Then you can see, under Initial Access, it references the various techniques that are typically used by adversaries to gain initial access. I've clipped off the pre-engagement phase here, but that'll actually make sense in the next video. You can see the various ways that attackers typically gain initial access onto a system: Spearphishing Attachment, Exploit Public-Facing Application, External Remote Services, Spearphishing Link, Spearphishing via Service, Trusted Relationship, Valid Accounts, and so on and so forth.

Now, if you compare the two (and again, I know that the MITRE ATT&CK framework is a framework, as the name suggests, and the Cyber Kill Chain is exactly that, a kill chain), you can see that the MITRE ATT&CK framework is quite popular as the most widely adopted framework by not just Red Teamers but pentesters and also the Blue Team. Again, this will make sense as we progress. The reason the MITRE ATT&CK framework is much better is that it's much more comprehensive, being more detailed and capturing a lot of the phases that, for example, the Cyber Kill Chain doesn't cover: stuff like Resource Development, Execution, Privilege Escalation. One of the differences is that the ATT&CK framework actually outlines a lot of the post-exploitation activity, which is quite important. If you analyze the tradecraft or the attack kill chain of an APT group, you'll typically see that a lot of the key activity is post-exploitation, or what you typically consider as activities performed after initial access: Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, then Exfiltration and then Impact. Hopefully that makes sense.

Now that we've gotten the introduction into the various Red Team frameworks and methodologies at a high level, in the next set of videos we're going to be taking a deep dive into the MITRE ATT&CK framework, or at least getting a practical understanding of, or some practical experience with, the framework. We'll also be exploring the MITRE ATT&CK Navigator as a tool for planning Red Team operations, but I'll also show you how it can be used for reporting, as a way to communicate the results of a Red Team operation to the Blue Team so that they can actually start making the improvements.

With that being said, thank you very much for watching the video. If you enjoyed it, please leave a like down below. If you have any feedback or questions, please leave them in the comment section down below. Furthermore, if you check the description section and the pinned comment under this video, you'll see a link to a page on the HackerSploit Forum where whatever's been contained within the slides has been added in the form of a forum post, and I've also provided you with access to the slides in PDF format on the forum. So just check the description section of this video and other videos within this series, or the first comment that's pinned to this video, and you should see a link to that post. The forum is accessible on forum.hackersploit.org if you want to visit it, and I'll be using the forum as a means of engaging with you guys. So if you have any suggestions, video suggestions, any questions, the forum is a great place to give some additional credence to your questions; the comments can be a bit difficult to keep track of. But anyway, with that being said, that's going to be it for this video, and I'll be seeing you in the next video.
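The transcript closes by pointing at the MITRE ATT&CK Navigator as a way to report Red Team results to the Blue Team, and earlier argues that operations are repeated quarterly so the Blue Team's improvement can be measured. The following is an added example, not code from the video or from HackerSploit: it takes constructed results from two operations of the same client, summarises which tactics the SOC detected and how fast, builds a Navigator layer colouring detected versus missed techniques, and diffs the two operations technique by technique. The technique IDs are real ATT&CK identifiers; the Navigator layer field names and version strings are assumed from the Navigator's published layer format; all engagement results are constructed.

```python
"""Detection-coverage report and ATT&CK Navigator layer from Red Team results.

Added example (not from the video). Assumptions: the Navigator layer JSON
shape (versions/domain/techniques/score/color/comment) follows the format
published with the MITRE ATT&CK Navigator; all engagement data is constructed.
"""
import json
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Procedure:
    technique_id: str            # ATT&CK technique ID, e.g. T1566.001
    tactic: str                  # Navigator tactic slug, e.g. initial-access
    description: str             # what the Red Team did (constructed text)
    detected: bool               # did the SOC raise an alert for this step?
    minutes_to_detect: Optional[int]  # None when the step went undetected


# Constructed results: the same client, Q1 and Q2 operations.
Q1_RESULTS: List[Procedure] = [
    Procedure("T1566.001", "initial-access", "Spearphishing attachment sent to staff", True, 240),
    Procedure("T1204.002", "execution", "Staff member opened the malicious document", False, None),
    Procedure("T1071.001", "command-and-control", "Dropper called back to C2 over HTTPS", False, None),
    Procedure("T1087.001", "discovery", "Post-exploitation local account discovery", False, None),
    Procedure("T1041", "exfiltration", "Test file exfiltrated over the C2 channel", True, 90),
]
Q2_RESULTS: List[Procedure] = [
    Procedure("T1566.001", "initial-access", "Spearphishing attachment sent to staff", True, 30),
    Procedure("T1204.002", "execution", "Staff member opened the malicious document", True, 45),
    Procedure("T1071.001", "command-and-control", "Dropper called back to C2 over HTTPS", True, 60),
    Procedure("T1087.001", "discovery", "Post-exploitation local account discovery", False, None),
    Procedure("T1041", "exfiltration", "Test file exfiltrated over the C2 channel", True, 20),
    Procedure("T1190", "initial-access", "Exploit public-facing application (new TTP this quarter)", False, None),
]

DETECTED_COLOR = "#8ec843"   # green: the Blue Team saw it
MISSED_COLOR = "#ff6666"     # red: no alert, improvement needed


def coverage_by_tactic(results: List[Procedure]) -> Dict[str, dict]:
    """Per tactic: detected count, total count and median minutes-to-detect (None if nothing was detected)."""
    grouped: Dict[str, List[Procedure]] = {}
    for p in results:
        grouped.setdefault(p.tactic, []).append(p)
    summary = {}
    for tactic, procs in grouped.items():
        times = [p.minutes_to_detect for p in procs if p.detected and p.minutes_to_detect is not None]
        summary[tactic] = {
            "detected": sum(1 for p in procs if p.detected),
            "total": len(procs),
            "median_minutes_to_detect": statistics.median(times) if times else None,
        }
    return summary


def overall_detection_rate(results: List[Procedure]) -> float:
    """Fraction of executed procedures that produced a SOC alert."""
    return sum(1 for p in results if p.detected) / len(results)


def compare_operations(previous: List[Procedure], current: List[Procedure]) -> Dict[str, str]:
    """Technique-level delta between two operations: improved, regressed, unchanged, or new this time."""
    prev = {p.technique_id: p.detected for p in previous}
    delta = {}
    for p in current:
        if p.technique_id not in prev:
            delta[p.technique_id] = "new"
        elif p.detected and not prev[p.technique_id]:
            delta[p.technique_id] = "improved"
        elif not p.detected and prev[p.technique_id]:
            delta[p.technique_id] = "regressed"
        else:
            delta[p.technique_id] = "unchanged"
    return delta


def build_layer(name: str, results: List[Procedure], attack_version: str = "14") -> dict:
    """Assemble a Navigator layer dict (assumed format), one entry per technique, coloured by detection outcome."""
    techniques = []
    for p in results:
        outcome = (f"detected after {p.minutes_to_detect} min" if p.detected else "NOT detected")
        techniques.append({
            "techniqueID": p.technique_id,
            "tactic": p.tactic,
            "score": 100 if p.detected else 0,
            "color": DETECTED_COLOR if p.detected else MISSED_COLOR,
            "comment": f"{p.description}; {outcome}",
            "enabled": True,
        })
    return {
        "name": name,
        # Version strings are assumptions about the Navigator release being targeted.
        "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Red Team results: green = detected by the SOC, red = missed",
        "techniques": techniques,
        "legendItems": [{"label": "Detected", "color": DETECTED_COLOR},
                        {"label": "Not detected", "color": MISSED_COLOR}],
    }


if __name__ == "__main__":
    print(json.dumps(coverage_by_tactic(Q2_RESULTS), indent=2))
    print(compare_operations(Q1_RESULTS, Q2_RESULTS))
    print(json.dumps(build_layer("Q2 Red Team results", Q2_RESULTS), indent=2))
```

Loading the emitted JSON into the Navigator gives the Blue Team a heat map of what they missed; the per-tactic summary and the quarter-over-quarter diff are the numbers the transcript says the engagement should produce: not a vulnerability list, but where detection and response still need work and whether they improved since the last operation.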
Original Description
Hey guys, HackerSploit here back again with another video. This video will introduce you to the various industry-standard frameworks and methodologies used by Red Teamers to plan and orchestrate successful Red Team operations.
The slides and written version of this video can be accessed on the HackerSploit Forum: https://forum.hackersploit.org/t/red-team-frameworks-methodologies/9126
//PLATFORMS
BLOG ►► https://bit.ly/3qjvSjK
FORUM ►► https://bit.ly/39r2kcY
ACADEMY ►► https://bit.ly/39CuORr
//SOCIAL NETWORKS
TWITTER ►► https://bit.ly/3sNKXfq
DISCORD ►► https://bit.ly/3hkIDsK
INSTAGRAM ►► https://bit.ly/3sP1Syh
LINKEDIN ►► https://bit.ly/360qwlN
PATREON ►► https://bit.ly/365iDLK
MERCHANDISE ►► https://bit.ly/3c2jDEn
//BOOKS
Privilege Escalation Techniques ►► https://amzn.to/3ylCl33
Docker Security Essentials (FREE) ►► https://bit.ly/3pDcFuA
//SUPPORT THE CHANNEL
NordVPN Affiliate Link (73% Off) ►► https://bit.ly/3DEPbu5
Get $100 In Free Linode Credit ►► https://bit.ly/39mrvRM
Get started with Intigriti: https://go.intigriti.com/hackersploit
//CYBERTALK PODCAST
Spotify ►► https://spoti.fi/3lP65jv
Apple Podcasts ►► https://apple.co/3GsIPQo
//WE VALUE YOUR FEEDBACK
We hope you enjoyed the video and found value in the content. We value your feedback. If you have any questions or suggestions, feel free to post them in the comments section or contact us directly via our social platforms.
//THANK YOU!
Thanks for watching!
Благодарю за просмотр!
Kiitos katsomisesta
Danke fürs Zuschauen!
感谢您观看
Merci d'avoir regardé
Obrigado por assistir
دیکھنے کے لیے شکریہ
देखने के लिए धन्यवाद
Grazie per la visione
Gracias por ver
شكرا للمشاهدة
-----------------------------------------------------------------------------------
#HackerSploit #cybersecurity