Untitled

a guest
Dec 10th, 2019
Red Teaming in Real Life
The presentation took place at IESN in Namur on the 3rd of December.
Two members of the EY security and red teaming group came to talk about what they do on a daily basis and presented some data and analysis from the real world.
The two EY employees were Lorenzo Bernardi, a senior manager in cybersecurity, and Karel Sels, a senior cybersecurity consultant. Both have worked on cybersecurity for many banking and trading companies.
The presentation began with some figures about trends in cybersecurity.
These are mostly centred on phishing, mobile, cloud, privacy and automation.
Phishing tries to obtain all sorts of credentials and security information, banking information, and details that might seem random to most people but could be used to answer the backup security questions of an online account.
Every bit of information is worth taking, for example which web browser the target uses.
Phishing is typically an entry point for a later attack, which could happen months later.
Mobile was the next focus. EY tests many mobile applications. Everyone has some sort of mobile phone with a lot of personal information on it. These devices are often unhardened and contain insecure apps, and they also blend private and work use.
EY uses the cloud to host its testing infrastructure. The cloud is also used more and more by companies that move more of their internal infrastructure to cloud-based servers. It has the benefit of being accessible from anywhere in the world, but at the cost of being much more exposed. As the cloud is a more recent technology, people are not very knowledgeable about it, and it is a good point of entry for an attacker.
Concern about user privacy is growing. Some people at EY focus on it and on the GDPR. A company must know how to protect the data it collects; the consumer usually trusts the company with their data.
The part on automation was shorter. It was said that many automation tools, pipelines and containers could be compromised without a legitimate user being aware of it. The presenters said that by 2025, 99% of compromised integration systems will be the client's fault.
A question was asked next: why these trends?
The answer was quite simple. It is because of the newer generation and the changing way of life with Internet of Things (IoT) devices: everything creates more data and needs to be accessible anytime, anywhere. Most applications and deployments are not built security first. These trends are changing, but the problems will likely remain.
Next the EY employees talked about attacking and pentesting and what it is all about.
Pentesting is testing a specific system. You test an application as an attacker would and try to exploit vulnerabilities, and you test the network for open ports and outdated software.
It is always done within a custom, specific scope, such as one server or one database.
Companies use pentesting to test their products.
Red teaming is testing the full stack to see what an attacker would do and what their motives would be. The core idea is to emulate an attacker from start to finish.
There are different kinds of teams.
The red team is the attacking team, playing in the attacker's shoes.
The blue team is the defending team: the company's security team, which is not aware of the attack.
The white team are the scenario organisers. They control the attacks and oversee what is being done to the company.
The purple team is optional: it is the red and blue teams combined, to make things go faster by working side by side.
Usually a red team is contracted by a company to test its defences. It is asking someone to attack you on purpose so that you know your vulnerabilities and where to add protection.
EY does threat intel following the "cyber kill chain", which consists of the following:
- Recon
- Weaponisation
- Delivery
- Exploitation
- Installation
- C&C (Command and control)
Recon can be part of threat intelligence, which is passive intel gathering on the target.
Weaponisation is about creating phishing attacks, fake websites, emails or infrastructure.
Delivery is actually carrying out what was prepared during weaponisation.
Exploitation happens when someone triggers the delivery (for example by clicking on a fake link) and is followed by installation.
At EY they use flags to set objectives, such as "obtain persistent control over a target server located in the datacenter" or "elevate access rights".
The presenters came back to the recon part to quickly point out that the recon phase can be tricky, as active recon could trigger defences on the blue team side, indicating that a threat is present.
They said that the important thing in red teaming is to think like a hacker.
Physical payload delivery can be done in a red teaming test, but you have to be careful and prepared to call the person in charge in case you are caught. The key to physical intrusion is confidence and blending in.
Once inside the system you have to have objectives and a way out for the data you seek. It might not be as easy as it sounds, but some less thought-about protocols can help with that. DNS is often used to extract data.
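The DNS extraction mentioned above is something a blue team can look for in resolver logs rather than waiting for the tool to be identified. The following is an added example, not code from the talk or from EY: it scores constructed resolver log lines by label length and character entropy and reports domains that receive several data-carrying queries. The log format, the thresholds and the "last two labels" domain approximation are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log ("<timestamp> <client> <query name>"); the hex-looking
# labels under exfil-demo.test are made up to mimic data chunks carried in query names.
SAMPLE_LOG = """\
2019-12-03T10:00:01 10.0.0.5 www.example.com
2019-12-03T10:00:02 10.0.0.5 mail.example.com
2019-12-03T10:00:03 10.0.0.7 3f9a1c7e5b2d8046e9a7c13b5d8f0e2a4c6b7d91.exfil-demo.test
2019-12-03T10:00:03 10.0.0.7 a7e2c4d9b1f8036e5a2c7d4b9e1f3085c6d2a4e7.exfil-demo.test
2019-12-03T10:00:04 10.0.0.5 cdn.example.com
2019-12-03T10:00:04 10.0.0.7 91c3e7a5d2f4b8063a9e5c1d7f2b4e8a0c6d3f15.exfil-demo.test
2019-12-03T10:00:05 10.0.0.7 status.exfil-demo.test
"""

MAX_LABEL_LEN = 30       # hostname labels longer than this are unusual (assumed threshold)
ENTROPY_THRESHOLD = 3.0  # bits/char: encoded data scores high, real words score low
MIN_SUSPICIOUS = 2       # flag a domain once this many suspicious queries are seen

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(name):
    """Crude 'last two labels' approximation of the registrable domain (assumption)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def is_suspicious_label(label):
    """Long and high-entropy together: a coarse signature of data hidden in a label."""
    return len(label) > MAX_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD

def analyze_dns_log(log_text):
    """Per domain: total queries, suspicious queries and the set of querying clients."""
    stats = defaultdict(lambda: {"queries": 0, "suspicious": 0, "clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = parts
        entry = stats[registered_domain(qname)]
        entry["queries"] += 1
        entry["clients"].add(client)
        if is_suspicious_label(qname.split(".")[0]):  # leftmost label carries the chunk
            entry["suspicious"] += 1
    return dict(stats)

def flagged_domains(log_text):
    """Domains that received at least MIN_SUSPICIOUS suspicious-looking queries."""
    return sorted(d for d, s in analyze_dns_log(log_text).items() if s["suspicious"] >= MIN_SUSPICIOUS)
```

On the sample log this flags only exfil-demo.test; long but readable hostnames can still score high on entropy, so in practice this heuristic is combined with query volume and a whitelist of known domains.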
At the end of the talk the two presenters did a short demonstration using a tool named "Cobalt Strike" and some virtual machines. They deployed a payload on one machine and monitored it with the Cobalt Strike tool.