Understanding Mitre Attack to Perform Dirty Red Team Tricks

Sonu Mandal
8 min read · Apr 30, 2020


Are you ready for an awesome experience? I believe that understanding tools and vulnerabilities alone is not enough; that approach is becoming old fashioned, and it is what we have been doing for ages. Okay, we know patch management is important, but what if we could understand how a hacker was thinking during each phase of his attack? What if we could understand the tradecraft of an actual hacker, aka the secret formula?

Disclaimer: “For the most part we will try to understand how organizations behave when it comes to cybersecurity these days, and how we can fix this hypothesis. I will try not to use too much technical jargon and to explain it in an easy way. This blog might get long, so I request you to grab a coffee and enjoy it.”

When it comes to cybersecurity, most organizations think of it as a product: they believe that if they run some vulnerability tools they are safe from future threats. In my view cybersecurity is a practice, a consistent healthy habit that a company should follow. It is like brushing your teeth daily: skipping one day will not hurt you, but keeping it up is the good practice that protects your long-term oral health.

There is a term called the Cyber Kill Chain. It is nothing but the steps a hacker takes to carry out his malicious activity (learn more about malware here). The Mitre ATT&CK Framework documents these multiple attack phases, which we will try to understand. They start with Initial Access, continue through Persistence and end with Impact, which can be described as the ultimate goal of a hacker.

This illustration idea is inspired by attack.mitre.org

Now, Mitre ATT&CK, where ATT&CK stands for Adversarial Tactics and Common Knowledge. It is basically a knowledge base of hacker behaviour, built entirely on how real-world hackers behave while hacking a company. It is free and community driven. But why are we looking at this? Why can't we just learn some tools and secure our organization? Learning tools is great, but it has its limitations: there are plenty of tools available for defending your organization, and you can't learn and apply all of them. For example, if we block PowerShell Empire, hackers can simply write their own tools. These limitations are real and annoying for organizations, which is why organizations are now trying to defend against the hacker's behaviour. What does that mean, you may ask? Let's try to understand it with the help of the Pyramid of Pain, shall we?

David Bianco’s Pyramid of Pain

Suppose an organization tries to block the hash value of a malicious executable. Changing that hash is a trivial task for a hacker: he can add a comment inside his code and the hash of the exe changes. What about IP addresses? If an organization detects some malicious IP addresses and blocks them on the firewall, changing an IP address is also an easy task for a hacker. That is what this pyramid wants to tell you: the higher you go, the harder it gets to execute a hack. At the top of the pyramid is the term TTPs, which stands for Tactics, Techniques and Procedures. Tactics are the hacker's goals, Techniques are how those goals have been (or are to be) achieved, and Procedures describe how an attacker implements a technique while performing the whole attack. If the organization's Blue Team can identify these TTPs, it becomes much harder for a hacker to achieve his goals; basically we are now targeting the hacker's behaviour to defend our organization.
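To make the pyramid concrete, here is an added example (my own code, not from the original post or from Mitre) that puts a hash-level indicator next to a behaviour-level rule. The "malicious executable" is a constructed byte string, the process-creation events are constructed in the shape an EDR or Sysmon log would give you, and the Office-spawns-shell rule is one illustrative technique-level detection; none of these are captures from a real incident.

```python
import hashlib

# Constructed stand-in for a malicious executable (a tiny script body).
ORIGINAL_SAMPLE = b"print('stage two')\n"
# The same sample after the author adds one harmless comment line.
MODIFIED_SAMPLE = ORIGINAL_SAMPLE + b"# build 2\n"

# Bottom of the pyramid: block by hash value.
HASH_BLOCKLIST = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}


def hash_indicator_matches(sample: bytes) -> bool:
    """Hash-level indicator: exact match on the SHA-256 of the file."""
    return hashlib.sha256(sample).hexdigest() in HASH_BLOCKLIST


# Top of the pyramid: a behavioural (technique-level) rule over process-creation
# telemetry. These events are constructed for the example, not real captures.
PROCESS_EVENTS = [
    {"id": 1, "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <constructed-base64>"},
    {"id": 2, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
    {"id": 3, "parent": "EXCEL.EXE", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"id": 4, "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"powershell.exe", "cmd.exe"}


def behaviour_rule_matches(event: dict) -> bool:
    """Technique-level rule: an Office application spawning a shell.

    The rule looks at what the attacker does (the parent/child relationship),
    so it keeps firing no matter how the payload's hash, name or IP changes.
    """
    return (event["parent"].upper() in OFFICE_APPS
            and event["image"].lower() in SHELLS)


def compare_indicator_levels() -> dict:
    """Evaluate both levels of the pyramid and report what each one catches."""
    return {
        "hash_catches_original": hash_indicator_matches(ORIGINAL_SAMPLE),
        "hash_catches_modified": hash_indicator_matches(MODIFIED_SAMPLE),
        "behaviour_alerts": [e["id"] for e in PROCESS_EVENTS
                             if behaviour_rule_matches(e)],
    }


if __name__ == "__main__":
    print(compare_indicator_levels())
```

The hash blocklist catches the original sample and misses the one-line variant, while the behaviour rule flags events 1 and 3 and ignores the benign PowerShell and svchost launches, regardless of what binary was dropped. That is the whole argument of the pyramid in one run: the indicator the attacker can change for free is the one that stops working first.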

Mitre provides this tool to help track that behaviour. We will not try to learn the tool itself, but I want you to get familiar with it and understand the concepts. In our previous blog we analyzed a malware sample to find out how a malware author writes his code to achieve his goals, and we analyzed the WannaCry ransomware; I recommend reading it here so you can relate the whole thing better.

WannaCry Ransomware Behavior

This is how a hacker would mostly behave while executing a WannaCry ransomware attack. Initial Access is not highlighted because, at the time WannaCry was spreading, the initial infection was likely through an exposed vulnerable SMB port, aka EternalBlue (here), which is a remote code execution attack. There are 11 tactics, which I have highlighted in yellow, followed by techniques, which are highlighted in red. If you look closely at each column there are multiple ways a hacker can achieve his goal; for example, the Initial Access column lists 11 ways a hacker can gain initial access, and so on. “PS: it is a cropped screenshot.”

Now, in what ways can we use this matrix? I am sure you have a good understanding of the ATT&CK Matrix by now. Although this blog is mostly focused on Red Teaming, the matrix can help your organization with other things as well.

It is impossible to cover the technical side of red teaming in a single blog, but I have a surprise for you at the end. For now we will learn the core concepts that will help you during a Red Team Engagement. I believe your cyber IQ and mindset matter more than learning some new tools. A typical Vulnerability Assessment and Penetration Testing (VAPT) is all about the vulnerabilities, right? I am not saying it is not useful; it has its own advantages. If you are a startup with a limited budget, you should probably choose VAPT over a Red Team Engagement. A VAPT takes up to 2 to 3 weeks, while a Red Team Engagement can take 1 to 6 months or even longer. I know you might be curious about when to choose a Red Team Engagement, so let's look at the differences.

A typical VAPT may focus on only one target, for example a single web app or an internal network such as Active Directory. That style of engagement is not about how a real hacker would attack the organization; VAPT teams determine the organization's risk from the number of vulnerabilities they find. Red Teaming, on the other hand, is about the whole organization, about the whole process it has been running for years. Let's understand this with an example. Suppose you are a bank. The basic process of a bank is to collect money from you and secure it from the bad guys; that is how a bank functions at its most basic. Now, as a Red Teamer, how can you defeat that process so the bank can function no more? What is the maximum impact you can create for that bank, from a security perspective, so that it loses its process? There are no rules: during your engagement you can physically break into the bank, use social engineering, take advantage of an internet-facing web application, and much more. You have to understand that as a Red Teamer your ultimate goal is to impact the process, not to test the bank's web application or portal; you are only using the bank's website to break into its internal network. Your ultimate goal is to create the maximum security impact during your engagement, and that could include testing all the bank's staff: the C-levels, the managers, or that new intern who just joined the department.

Now, what about the tradecraft? How can we build that hacker mindset and get started in Red Teaming? For that I am giving you this secret formula, and here it is... Nah, I am just kidding, there is no secret formula. But yes, the basics remain the same. If you are just starting, I suggest you do not learn new tradecraft during your engagement; instead, learn from previous attacks and the tradecraft that was used against your sector. Suppose you are from the banking sector and trying to defend banks. The simple and easy way is to go to the official Mitre ATT&CK website and search for banks; Mitre will show you the multiple hacker groups who have tried to hack into the banking sector. Learn from their tradecraft and map it to your team.

Screenshot from attack.mitre.org

Mitre lists multiple hacker groups who have tried to hack into the banking sector; for example, the APT38 group has targeted multiple banks. Go to the tool I mentioned above, study the TTPs of APT38, discuss them with your CISO, map them to your organization, emulate the same threat vectors APT38 has been using to hack banks, and test your organization's process from a security perspective.
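The "study the group's TTPs and map them to your organization" step can be scripted against the ATT&CK data itself. Mitre publishes the whole knowledge base as a STIX 2.0 JSON bundle (the mitre/cti repository on GitHub), in which a group is an `intrusion-set`, a technique is an `attack-pattern`, and a `relationship` of type `uses` links the two. The example below is added here and is my own code, not the page's or Mitre's: it parses a constructed mini bundle in that shape, pulls out every technique a named group uses, orders them along the matrix from Initial Access to Impact, and splits them into techniques your detections already cover versus gaps to emulate first. The group `PLACEHOLDER-GROUP`, its technique list and the `CURRENT_COVERAGE` inventory are all invented for the example and say nothing about APT38 or any real group.

```python
import json

# Enterprise tactics in matrix order, spelled as the ATT&CK STIX phase_name values.
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]


def technique(stix_id, attack_id, name, tactic):
    """Build a constructed attack-pattern object in the ATT&CK STIX shape."""
    return {
        "type": "attack-pattern", "id": stix_id, "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": attack_id}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": tactic}],
    }


# Constructed mini bundle. The group and its technique list are placeholders.
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle", "id": "bundle--constructed-example",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--g0", "name": "PLACEHOLDER-GROUP",
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0000"}]},
        technique("attack-pattern--t1", "T1566", "Phishing", "initial-access"),
        technique("attack-pattern--t2", "T1059", "Command and Scripting Interpreter", "execution"),
        technique("attack-pattern--t3", "T1021", "Remote Services", "lateral-movement"),
        technique("attack-pattern--t4", "T1486", "Data Encrypted for Impact", "impact"),
        # Unrelated technique that the group does not use; must be ignored.
        technique("attack-pattern--t5", "T1078", "Valid Accounts", "persistence"),
    ] + [
        {"type": "relationship", "id": f"relationship--r{i}", "relationship_type": "uses",
         "source_ref": "intrusion-set--g0", "target_ref": f"attack-pattern--t{i}"}
        for i in (1, 2, 3, 4)
    ],
})

# Constructed inventory of what the organisation can detect today (assumption).
CURRENT_COVERAGE = {
    "T1566": "mail gateway attachment sandbox",
    "T1059": "EDR script-block logging alert",
}


def attack_id(obj):
    """Return the Txxxx/Gxxxx identifier from an object's mitre-attack reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def techniques_used_by(bundle: dict, group_name: str) -> dict:
    """Map technique id -> {"name", "tactic"} for every technique the group uses."""
    objects = bundle["objects"]
    by_stix_id = {o["id"]: o for o in objects}
    groups = [o for o in objects if o["type"] == "intrusion-set" and o["name"] == group_name]
    if not groups:
        raise KeyError(f"no intrusion-set named {group_name!r} in bundle")
    group_stix_id = groups[0]["id"]
    used = {}
    for rel in objects:
        if (rel["type"] == "relationship" and rel.get("relationship_type") == "uses"
                and rel["source_ref"] == group_stix_id):
            target = by_stix_id.get(rel["target_ref"])
            if target is None or target["type"] != "attack-pattern":
                continue
            phases = [p["phase_name"] for p in target.get("kill_chain_phases", [])
                      if p.get("kill_chain_name") == "mitre-attack"]
            used[attack_id(target)] = {"name": target["name"],
                                       "tactic": phases[0] if phases else None}
    return used


def tactic_rank(tactic):
    """Position of a tactic in the matrix; unknown tactics sort last."""
    return TACTIC_ORDER.index(tactic) if tactic in TACTIC_ORDER else len(TACTIC_ORDER)


def emulation_plan(bundle_json: str, group_name: str, coverage: dict) -> dict:
    """Split the group's techniques into covered vs gaps, in kill-chain order."""
    used = techniques_used_by(json.loads(bundle_json), group_name)
    ordered = sorted(used, key=lambda tid: (tactic_rank(used[tid]["tactic"]), tid))
    return {
        "ordered_techniques": ordered,
        "covered": [t for t in ordered if t in coverage],
        "gaps": [t for t in ordered if t not in coverage],
    }


if __name__ == "__main__":
    print(json.dumps(emulation_plan(SAMPLE_BUNDLE_JSON, "PLACEHOLDER-GROUP", CURRENT_COVERAGE), indent=2))
```

Pointing `techniques_used_by` at the real enterprise bundle and a real group name gives you the list to take into the CISO discussion; the `gaps` list is the part of the emulation where you would expect to walk in undetected, so it is where both the purple-team exercise and the detection backlog should start.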

Phew, we learnt a lot today. But, but, but: you are a professional now, and after a successful Red Team Engagement the real duty starts. Here are some takeaways for after you have successfully completed your engagement.

I could have covered some technical parts of Red Teaming in this blog, but I believe that in the end the concepts remain the same while the tools and tradecraft change. For those who were looking for training, I am leaving you with this training course, which is absolutely free (here) and covers the whole Red Teaming tradecraft from a very technical perspective; I recommend learning it day by day. Finally, enjoy your Red Teaming journey. I hope you enjoyed this blog; do your best, and if you want to give me feedback, here is my Twitter handle. It will matter a lot to me.

By the way, if you learned something new today, consider sharing it. As Rumi said, “A candle loses none of its light by lighting another.”


Hi 🙂 I write articles about Information Security, where I want you to believe that security is easy AF.