Act - Finally, a Red Team performs operational impacts against the target
What impacts can a threat perform based on the capabilities it gained during Get In and Stay In?

Phase Mapping
Most penetration testing frameworks are broken down into individual phases that focus on vulnerability identification and exploitation. The Red Team methodology categorizes many of the same actions into only three distinct phases with a focus on the impacts caused to the target environment. Several examples of this categorization are provided below.

GET IN
Reconnaissance
● Perform Open Source Intelligence (OSINT) against the target.
● Search using open, unauthenticated sources:
  ○ Target websites
  ○ Social media
  ○ Search engines
  ○ Public code repositories
  ○ Alternate target sites
External enumeration
● Identify external assets:
  ○ Perform a reverse DNS scan to identify registered hosts
  ○ Identify URLs and other external touch points from the scan and OSINT
● Evaluate the web presence:
  ○ Browse as a normal user through a web proxy to capture intelligence and understanding
  ○ Identify known vulnerabilities and vulnerable conditions
  ○ Do not send attack code at this time
● Execution and exploitation
  ○ Attempt to exploit targets based on current knowledge
  ○ Perform situational awareness on the target
  ○ Attempt local privilege elevation
  ○ Attempt domain or other system-level privilege elevation

STAY IN
Post-exploitation
● Continue internal and domain enumeration
● Identify domain users/groups/memberships
● Identify the IP space
● Identify file shares
● Establish persistence
● Use the persistence plan to place agents on target systems
● Move laterally

ACT
Operational Impacts
● Perform a realistic simulation against target systems
● Does not need to be highly complex
● Does not need to leverage known or traditional vulnerabilities
● Does not always require administrative (local/domain) privileges
● Does require an actual impact to the target environment
● Does require input from the ECG and TA
● Does require notification to the ECG and TA when the operational impact is executed
  ○ Avoids unwanted (and possibly catastrophic) defensive actions
● Does need to exercise at least one of the target’s detection, incident response, continuity, and recovery plans and procedures

Operational impacts are a key distinguisher for Red Teaming engagements vs. other types of tests