30. 12. 2024 Beatrice Dall'Omo Blue Team, Red Team, SEC4U

Red and Blue Team Cooperation: Attack to Improve

Attacks evolve over time, and threat actors follow different paths to reach the same objectives. This is a problem on the defensive side: how can you always be up to date and ready to detect, and then, once a vulnerability is exploited, respond in the right way depending on the threat actor?

At Würth Phoenix our red team plans activities for SOC customers with the aim of carrying out realistic attacks against the monitored perimeter, in order to verify the detection capacity and coverage provided by our SOC.

The Activity in Pills

The activity can vary depending on the infrastructure the customer provides and on the evidence found along the way. However, the common high-level thread is the following.

After agreeing on the timing with the customer's contact people, we need remote access to an Internet-connected machine that can reach the monitored perimeter and is itself monitored, and possibly also a valid domain-joined user account.

These are the basic requirements that must be satisfied in order to proceed with the activity, which therefore starts from an Assume Breach situation in which systems and networks have already been compromised by the attacker.

At a high level, the activities performed cover discovery, execution, privilege escalation attempts, defense evasion, credential dumping, encryption, and/or exfiltration attempts, simulating the scenario of a compromised company machine.

  • DISCOVERY (TA0007): port scanning and account discovery, for example enumerating Domain Administrators or Kerberoastable users, if any
  • EXECUTION (TA0002): installation of third-party software used to carry out the attack activities (e.g., Atomic Red Team, mimikatz, …)
  • PRIVILEGE ESCALATION (TA0004): adding a user to sensitive groups such as “Administrators” or “Remote Desktop Users”, exploiting misconfigurations or vulnerabilities in order to gain higher local or domain privileges
  • DEFENSE EVASION (TA0005): disabling defensive mechanisms or stopping processes
  • CREDENTIAL ACCESS (TA0006): dump attempts using mimikatz, or dumping the lsass process from Task Manager
  • IMPACT (TA0040): simulation of a ransomware attack, normally using a version of the well-known ransomware simulator modified to our needs
  • DATA EXFILTRATION (TA0010): connecting to a host and exfiltrating or sending data to it

At the end of the activity a report is generated and delivered to the customer, covering every activity performed along with its description, the proof of concept, the results obtained, whether detection occurred, the specific TTP (Tactics, Techniques, Procedures) as defined in the MITRE ATT&CK® Framework, any artifacts produced, and other general considerations.

Key Takeaways

Continuous cooperation between Red and Blue teams is valuable, allowing us to combine the simulation of attacks (Red Team) with the defense (Blue Team), creating an environment in which both teams continuously learn from each other and refine their skills. 

The Blue side improves detection rules by examining the logs produced to detect and cover more of these malicious actions. The Red side improves in finding ways to perform the same malicious actions while trying not to be detected.
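The tactic list above and the Blue Team's log-driven rule refinement can be illustrated with a small detection pass. The following is an added example, not code from the original post or from Würth Phoenix: it runs a few well-known Windows Security and Sysmon signals (member added to a sensitive group, a non-allowlisted process opening LSASS, the audit log being cleared, a burst of RC4 service-ticket requests) over constructed sample events and then reports which of the exercised ATT&CK tactics produced a detection, in the spirit of the "whether detection occurred" column of the report. The event records, host and user names, the LSASS allowlist and the RC4 threshold are all assumptions to be tuned per environment.

```python
"""Toy detection pass over constructed Windows Security / Sysmon events.

Added example (not the post's or Würth Phoenix's code). Event IDs follow the
standard schemas: 4728/4732 = member added to a global/local security group,
Sysmon 10 = ProcessAccess, 1102 = audit log cleared, 4769 = Kerberos service
ticket requested (enc_type 0x17 = RC4-HMAC). All records below are constructed.
"""
from collections import defaultdict

# Constructed sample events: benign noise mixed with actions the red team
# activity exercises. Field names mirror the usual log fields but are simplified.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "WS01", "user": "j.doe"},  # interactive logon, benign
    {"id": 4732, "host": "WS01", "user": "j.doe",
     "group": "Administrators", "member": "j.doe"},
    {"id": 4728, "host": "DC01", "user": "svc_backup",
     "group": "Domain Users", "member": "a.new"},  # routine onboarding
    {"id": 10, "host": "WS01", "user": "j.doe",
     "source_image": r"C:\Tools\mm.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"id": 10, "host": "WS01", "user": "SYSTEM",
     "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1000"},
    {"id": 1102, "host": "WS01", "user": "j.doe"},
    {"id": 4769, "host": "DC01", "user": "j.doe", "service": "MSSQLSvc/db01", "enc_type": "0x17"},
    {"id": 4769, "host": "DC01", "user": "j.doe", "service": "HTTP/intranet", "enc_type": "0x17"},
    {"id": 4769, "host": "DC01", "user": "j.doe", "service": "CIFS/files01", "enc_type": "0x17"},
    {"id": 4769, "host": "DC01", "user": "m.rossi", "service": "CIFS/files01", "enc_type": "0x12"},  # AES
]

# Groups whose membership changes the Blue Team wants to see immediately (assumption).
SENSITIVE_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}
# Processes allowed to open LSASS; tune per environment (assumption, kept deliberately short).
LSASS_ALLOWLIST = {r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\wininit.exe"}
# Distinct services per user requested with RC4 tickets before we flag it (assumption).
RC4_TICKET_THRESHOLD = 3

# Tactics the exercise described in the post covers.
EXERCISED_TACTICS = ["TA0007", "TA0002", "TA0004", "TA0005", "TA0006", "TA0040", "TA0010"]


def detect(events):
    """Return a list of (tactic_id, technique, description, host, user) findings."""
    findings = []
    rc4_services = defaultdict(set)  # (host, user) -> services requested with RC4
    for e in events:
        eid = e["id"]
        if eid in (4728, 4732) and e["group"] in SENSITIVE_GROUPS:
            findings.append(("TA0004", "T1098 Account Manipulation",
                             f"{e['member']} added to {e['group']}", e["host"], e["user"]))
        elif (eid == 10 and e["target_image"].lower().endswith("\\lsass.exe")
              and e["source_image"] not in LSASS_ALLOWLIST):
            findings.append(("TA0006", "T1003.001 LSASS Memory",
                             f"{e['source_image']} opened LSASS with {e['granted_access']}",
                             e["host"], e["user"]))
        elif eid == 1102:
            findings.append(("TA0005", "T1070.001 Clear Windows Event Logs",
                             "Security audit log cleared", e["host"], e["user"]))
        elif eid == 4769 and e["enc_type"] == "0x17":
            rc4_services[(e["host"], e["user"])].add(e["service"])
    # Kerberoasting shows up as many RC4 tickets for distinct SPNs from one account.
    for (host, user), services in rc4_services.items():
        if len(services) >= RC4_TICKET_THRESHOLD:
            findings.append(("TA0006", "T1558.003 Kerberoasting",
                             f"{len(services)} RC4 service tickets for distinct SPNs",
                             host, user))
    return findings


def coverage(findings, exercised=EXERCISED_TACTICS):
    """Map each exercised tactic to whether at least one finding detected it."""
    detected = {f[0] for f in findings}
    return {tactic: tactic in detected for tactic in exercised}


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for tactic, technique, desc, host, user in results:
        print(f"[{tactic}] {technique}: {desc} (host={host}, user={user})")
    for tactic, hit in coverage(results).items():
        print(f"{tactic}: {'detected' if hit else 'NOT detected'}")
```

On the constructed input the pass raises four findings and reports TA0004, TA0005 and TA0006 as covered while TA0002, TA0007, TA0010 and TA0040 are not, which is exactly the kind of gap list that sends the Blue Team back to the logs for the next rule and the Red Team back to find a quieter way to perform the same action.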

These Solutions are Engineered by Humans

Did you learn from this article? Perhaps you’re already familiar with some of the techniques above? If you find cybersecurity issues interesting, maybe you could start in a cybersecurity or similar position here at Würth Phoenix.

Beatrice Dall'Omo

Red Team & Offensive Security Specialist | Cybersecurity Team | Würth Phoenix
