Development and operations a practical guide
Joe Vest, James Tubberville, Red Team Development and Operations
Controlling Tools
In order to control IOCs, a robust set of TTPs must exist. Part of these TTPs are the tools that support a Red Team's capability. The tools must not only provide capability but also be understood, which comes from using and modifying them. Tool usage and modification should be built into a standard attack platform; if the platform is managed and maintained, a common baseline is always ready for use. As a general rule, a Red Team should:
Know the tools used, how they operate, and what actions are conducted
Recompile tools (rename functions; remove help, comments, and unused code/strings; etc.)
Control User-Agents
Understand which IOCs are generated by an action
Blend in until timing is appropriate

The following are common indicators, and only a small sample, to help think about the indicators that must be controlled.
User Agents – User-Agent strings can be a dead giveaway for tools

For example, the SQL injection tool SQLMAP has a default User-Agent string that includes the word sqlmap: "sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)". This is very common.
Binaries may have signatures that can be detected

Modification and recompiling may be necessary to change the signature.

The likelihood of antivirus detection may be decreased by removing comments and other user output before compiling.
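The two indicators above are exactly what a defender looks for, so it helps to see the detection side of them. The following script is an added example and is not code from the book or its authors: it scans constructed web-server access log lines for default tool User-Agent strings (the sqlmap default from the text, plus a python-requests default that is an assumption for illustration), and it pulls printable strings out of a constructed stand-in for a compiled binary and flags the ones that give a tool away (tool name, leftover help text). The give-away keyword list and the log format are assumptions, not from the page.

```python
"""Scan for two of the tool indicators described above: a default tool
User-Agent string in a web access log, and give-away strings left in a
compiled binary. All sample data below is constructed for illustration."""
import re

# Tool User-Agent signatures. The sqlmap default comes from the text; the
# python-requests default is an assumption added for illustration.
TOOL_USER_AGENT_PATTERNS = [
    ("sqlmap", re.compile(r"\bsqlmap/\S+", re.IGNORECASE)),
    ("python-requests", re.compile(r"^python-requests/", re.IGNORECASE)),
]

# Combined log format (assumed): the User-Agent is the last quoted field.
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic). The second line carries
# the default sqlmap User-Agent quoted in the text.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Feb/2023:10:15:01 +0000] "GET /login.php?id=1 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '203.0.113.9 - - [11/Feb/2023:10:15:03 +0000] "GET /login.php?id=1%27 HTTP/1.1" '
    '500 231 "-" "sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)"',
    '198.51.100.4 - - [11/Feb/2023:10:15:05 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "python-requests/2.28.1"',
]


def find_tool_user_agents(lines):
    """Return one dict per request whose User-Agent matches a tool signature."""
    hits = []
    for line in lines:
        match = ACCESS_LOG_RE.match(line)
        if not match:
            continue  # not in the expected log format; skip the line
        ua = match.group("ua")
        for tool, pattern in TOOL_USER_AGENT_PATTERNS:
            if pattern.search(ua):
                hits.append({"ip": match.group("ip"), "tool": tool, "ua": ua})
                break
    return hits


# Printable ASCII runs of at least 4 bytes, like the `strings` utility.
PRINTABLE_RUN_RE = re.compile(rb"[\x20-\x7e]{4,}")

# Strings that give a tool away: its name and leftover help text. This list
# is an assumption for illustration; a real one is tuned per environment.
GIVEAWAY_STRING_RE = re.compile(r"sqlmap|usage:|--help", re.IGNORECASE)

# Constructed stand-in for a compiled binary: an ELF-like header, help text,
# a harmless library name, the tool's name, and a string too short to count.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Usage: tool [options]\x00\x01\x02"
    + b"libc.so.6\x00"
    + b"sqlmap\x00\xff\xfe"
    + b"ab\x00"
)


def extract_strings(blob):
    """Return every printable string of 4+ characters found in the blob."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN_RE.finditer(blob)]


def find_tool_strings(blob):
    """Return only the extracted strings that match a give-away pattern."""
    return [s for s in extract_strings(blob) if GIVEAWAY_STRING_RE.search(s)]


if __name__ == "__main__":
    for hit in find_tool_user_agents(SAMPLE_LOG):
        print(f"{hit['ip']} used {hit['tool']}: {hit['ua']}")
    print("give-away strings:", find_tool_strings(SAMPLE_BINARY))
```

Run as-is, the log scan reports the sqlmap and python-requests requests and ignores the browser-like one, and the string scan keeps "Usage: tool [options]" and "sqlmap" while dropping the library name. The second half is the reason the text tells a Red Team to strip help text and unused strings before recompiling: those strings are what the cheapest static checks key on.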
Focus Point
The end state of threat planning is the ability to portray the threat as closely as possible, so that the Red Team can advise the target of the implications to its environment.


Engagement Concepts
Red Team engagements can move through several complex and detailed steps during execution, but using three simple phases helps keep the focus on goals. Although Red Teaming is offensively focused, it is ultimately used as a tool to improve security. Red Teaming is executed in three phases directly related to areas of defense that can be tested and measured against a threat. It is common for security operations to focus a tremendous amount of time and energy on preventive controls to "keep the threat out." Prevention is important; however, 100% prevention is not feasible. An organization should understand the potential impacts if a threat is successful.
