The following story is your opportunity to pretend you’re going up against a world-class security program’s defenses. You get to decide how you would act at each important step, but you have to live with the result! (Or you can cheat, come back to this page, and choose a different path over and over again, so you can learn more — this is encouraged!)
There will be professional red teamers who are frustrated by this storyline, claiming that this is unrealistic or that there are no security programs with defensive postures this good. Nothing could be farther from the truth.These example story lines are based on real intrusion attempts by professional red teams as well as criminal and nation state groups against many different security programs at unnamed organizations with excellent detection and response capabilities.
It is possible that you could make some of these choices in an enterprise environment and avoid detection because the security program doesn’t have the maturity demonstrated in each particular example. However, I once heard of a SWAT instructor who was fond of telling his students:
“Do not let fortuitous outcomes reinforce bad tactics”
For those us who have much less to lose in our day jobs than a SWAT team: just because you reached your objectives, that doesn’t mean your choices will always work. In some cases, there is no clear answer; there’s always a trade-off. In this story, you’ll have to roll the dice and find out.
This story line aims to do a few things:
- Challenge defenders to bring world class defense to their organizations (this is always why we red team)
- Challenge red teamers to really think long and deep about the way the operate
- Educate anyone interested in red teaming about the finer details of the craft: the planning and complex thinking
Let’s get started…
You’re a red team operator, working for Red Teams R Us, hired by Spacely’s Sprockets to simulate an organized criminal group trying to breach their accounting department to steal funds through their accounts payable systems. In this case, Spacely’s Sprockets has supplied rules of engagement that limit you to only remote means of intrusion; physical access is off the table.
So your team lead decides you must use spearphishing with an attachment (T1193). You have a master social engineer on the team who has crafted the lure for the phish, and another “capabilities developer” who has crafted the initial execution method in the attached payload. Your job is to handle the operation after initial access is acquired.
Your phish payload lands on a host, executes, and calls back to your command and control server. What is the first thing you do?