30. 12. 2024 Beatrice Dall'Omo Blue Team, Red Team, SEC4U

Red and Blue teams cooperation: attack to improve

Attacks evolve over time, and threat actors follow different paths to reach the same objectives. This is a problem on the defensive side: how can you always be up to date, ready to detect, and then able to act when a vulnerability is exploited in several different ways depending on the threat actor?

At Würth Phoenix, a red team activity is planned for SOC customers with the aim of carrying out realistic attacks against the monitored perimeter, in order to verify the detection capacity and coverage provided by our SOC.

The activity in pills

The activity can vary depending on the infrastructure the customer provides and on the evidence found along the way. However, the common high-level thread is the following.

Once the timing has been agreed with the customer's contact people, we need remote access to a machine that is connected to the Internet, that can reach the monitored perimeter, and that is itself monitored. Ideally we are also given a valid user account joined to the domain.

These are the basic requirements that must be satisfied before the activity can proceed. The activity therefore starts from an Assume Breach scenario, in which systems and networks have already been compromised by the attacker.

At a high level, the activities performed cover discovery, execution, privilege escalation attempts, defense evasion, credential dumping, and encryption and/or exfiltration attempts, simulating the scenario of a compromised company machine.

  • DISCOVERY (TA0007) includes port scanning and account discovery, for example enumerating Domain Administrators or Kerberoastable users, if any;
  • EXECUTION (TA0002) includes installing third-party software used to perform the attack activities (e.g., Atomic Red Team, mimikatz …);
  • PRIVILEGE ESCALATION (TA0004), such as adding a user to sensitive groups like “Administrators” or “Remote Desktop Users” by exploiting misconfigurations or vulnerabilities in order to gain higher local or domain privileges;
  • DEFENSE EVASION (TA0005), such as disabling defensive mechanisms or stopping processes;
  • CREDENTIAL ACCESS (TA0006), by attempting credential dumps with mimikatz or by dumping the lsass process from the Task Manager;
  • IMPACT (TA0040), simulating a ransomware attack, normally using the known ransomware-simulator modified according to our needs;
  • DATA EXFILTRATION (TA0010), by connecting to a host and exfiltrating or sending data to it.

At the end of the activity, a report is generated and delivered to the customer, covering all the activities performed along with their description, the proof of concept, the results obtained, whether detection occurred, the specific TTPs (Tactics, Techniques, Procedures) as defined in the MITRE ATT&CK® Framework, any artifacts produced, and other general considerations.
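To illustrate the Blue-side view of the activity list above and the "whether detection occurred" part of the report, here is a small Python script written for this page (example code, not Würth Phoenix or SOC tooling). It runs a few detection rules over constructed Windows Security event records and reports, for each tactic the exercise plans to simulate, whether any rule fired. The event IDs (4769, 4732, 4688, 4624) and the RC4 ticket encryption type 0x17 are real Windows values; the event contents, user and service names, and the rule logic are assumptions made for the example.

```python
"""Toy detection-coverage check for an assume-breach exercise.

Example code written for this page (not Würth Phoenix or SOC tooling).
It runs a handful of detection rules over constructed Windows Security
event records and reports, per planned ATT&CK tactic, whether the
simulated action was detected.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample events, loosely modelled on Windows Security log
# fields (EventID plus a few EventData values). These are not real logs.
SAMPLE_EVENTS: List[dict] = [
    # 4769: Kerberos service ticket requested with RC4 (0x17) for a
    # non-machine service account, a common Kerberoasting indicator
    {"EventID": 4769, "TargetUserName": "svc_sql", "ServiceName": "MSSQLSvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    # 4732: member added to a security-enabled local group
    {"EventID": 4732, "MemberName": "CORP\\jdoe",
     "TargetUserName": "Administrators", "SubjectUserName": "jdoe"},
    # 4688: process creation, known credential dumping tool
    {"EventID": 4688, "NewProcessName": "C:\\Temp\\mimikatz.exe",
     "SubjectUserName": "jdoe"},
    # 4688: process creation, a protective service being stopped
    # (service name is a constructed placeholder)
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": "sc stop ExampleEDRService", "SubjectUserName": "jdoe"},
    # 4624: benign interactive logon noise
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": "2"},
]

# Tactic IDs the exercise plan simulates, as listed in the article
PLANNED_TACTICS = ["TA0007", "TA0002", "TA0004", "TA0005", "TA0006",
                   "TA0040", "TA0010"]

# Assumed names of services whose stop should be treated as defense evasion
PROTECTED_SERVICES = {"exampleedrservice"}


@dataclass(frozen=True)
class Rule:
    name: str
    tactic: str                        # ATT&CK tactic ID the rule covers
    match: Callable[[dict], bool]      # predicate over one event record


def _is_kerberoast_request(e: dict) -> bool:
    # RC4 TGS request for an account that is not a machine account ($)
    return (e.get("EventID") == 4769
            and e.get("TicketEncryptionType") == "0x17"
            and not e.get("TargetUserName", "").endswith("$"))


def _is_protected_service_stop(e: dict) -> bool:
    cmd = e.get("CommandLine", "").lower().split()
    # matches "sc stop <service>" where <service> is on the protected list
    return (e.get("EventID") == 4688 and len(cmd) >= 3
            and cmd[0] == "sc" and cmd[1] == "stop"
            and cmd[2] in PROTECTED_SERVICES)


RULES: List[Rule] = [
    Rule("Kerberoastable TGS request (RC4)", "TA0007", _is_kerberoast_request),
    Rule("Member added to privileged local group", "TA0004",
         lambda e: e.get("EventID") == 4732
         and e.get("TargetUserName") in {"Administrators", "Remote Desktop Users"}),
    Rule("Known credential dumping tool executed", "TA0006",
         lambda e: e.get("EventID") == 4688
         and e.get("NewProcessName", "").lower().endswith("mimikatz.exe")),
    Rule("Protective service stopped", "TA0005", _is_protected_service_stop),
]


def run_rules(events: List[dict], rules: List[Rule] = RULES) -> List[Tuple[str, str, dict]]:
    """Return every (rule name, tactic ID, event) triple where a rule matched."""
    return [(r.name, r.tactic, e) for e in events for r in rules if r.match(e)]


def coverage(events: List[dict], rules: List[Rule] = RULES,
             planned: List[str] = PLANNED_TACTICS) -> Dict[str, bool]:
    """Map each planned tactic to True if at least one rule fired for it."""
    fired = {tactic for _, tactic, _ in run_rules(events, rules)}
    return {t: t in fired for t in planned}


def coverage_report(events: List[dict]) -> str:
    """Plain-text summary in the style of a report's detection column."""
    return "\n".join(f"{t}: {'DETECTED' if ok else 'NOT DETECTED'}"
                     for t, ok in coverage(events).items())


if __name__ == "__main__":
    for name, tactic, event in run_rules(SAMPLE_EVENTS):
        print(f"[{tactic}] {name}: EventID {event['EventID']}")
    print(coverage_report(SAMPLE_EVENTS))
```

Running it shows four hits and a report in which TA0007, TA0004, TA0005 and TA0006 are detected while TA0002, TA0040 and TA0010 are not, which is exactly the kind of gap list that drives the next round of rule tuning on the Blue side.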

Key Takeaways

Continuous cooperation between Red and Blue teams is valuable: it allows us to combine the simulation of attacks (Red Team) with defense (Blue Team), creating an environment in which both teams continuously learn from each other and refine their skills.

The Blue side improves detection rules by examining the logs produced to detect and cover more of these malicious actions. The Red side improves in finding ways to perform the same malicious actions while trying not to be detected.

Beatrice Dall'Omo

Red Team & Offensive Security Specialist | Cybersecurity Team | Würth Phoenix
