
1 Red Team Assessment – Concept & Purpose

PwC 1
What is Red Team?
• Red Team Assessment is an amalgamated and comprehensive attack assessment which covers various threat vectors related to physical security, social engineering, application penetration testing and both internal and external network penetration testing.

• Unlike penetration testing, the aim is not just to find the number of vulnerabilities open in the organization but to identify the organization’s detection and response capabilities and to test end-users’ ability to detect fraudulent phishing emails or social engineering attempts.

• The purpose behind a full-fledged red team assessment is to reveal the possible opportunities for malicious hackers, disgruntled employees and bad actors in compromising an organization.

• These assessments also provide a realistic view and understanding of the security posture of an organization by testing an organization’s people, technology and process.

• Red Team assessment is fully an attack-driven approach using various Tactics, Techniques and Procedures (TTPs) where every aspect of People, Process and Technology is technically assessed to gather a comprehensive insight into the current security posture of an organization.

Red Team Assessment – areas covered:
• Awareness – assessing people awareness by conducting attack-oriented social engineering activity.
• Assessment – assessing the security posture of an organization by exploiting the flaws in various security controls.
• Management – assessing the security implementation process, such as patch management and the vulnerability management process.

Who are the threat actors?
• Script Kiddies – these are not actual hackers but perform malicious activities for fun without understanding the consequences.
• Third Party vendors/Guests – driven by a malicious intention of deteriorating the company, or by financial gains.
• State Sponsored hackers – these are well funded and government backed threat actors who perform malicious activities for the sponsoring governments/individuals.
• Hackers/Hacktivists – attackers with malicious/genuine intentions of compromising the organization.
• Disgruntled Employees – motivated by dissatisfaction, frustration, financial gain etc.

What are the various threat vectors?

External Applications
Threat vectors:
• OWASP top 10 attacks
• Network intrusion by compromising external IPs
• External Denial of Service attacks
Activities:
• Identify whether the Internet-facing applications are vulnerable to OWASP top 10 vulnerabilities.
• Perform penetration testing and gain access into vulnerable systems, and move laterally into the banking network.
• Perform an external DDoS attack on selected applications, studying the response mechanism.

Internal
Threat vectors:
• Network intrusion attempts
• Compromising hosts & stealing sensitive information
• Internal DoS attacks
• Bypassing workstation security – AV & HIDS
Activities:
• Intrude and attack the internal network from chosen locations.
• Bypass the existing Antivirus & Host Intrusion Detection System (HIDS) and gain access to computer systems to obtain sensitive information.
• Perform an internal DoS attack from compromised internal systems.
• Exploit the vulnerable systems, move laterally and gain enterprise admin account credentials.

Malware & Wireless attacks
Threat vectors:
• Malicious USB drop
• Macro & malware via e-mail
• Rogue Access Point
• Wireless network intrusion attempt
Activities:
• Gaining access to the systems by inserting pen drives containing malware.
• Sending phishing emails with malicious attachments.
• Creating a rogue access point and gaining passwords.
• Bypassing the wireless security controls and gaining access to the organization’s network.

Social Engineering
Threat vectors:
• Phishing
• Vishing
• Pretexting
• Dumpster Diving
Activities:
• Sending phishing emails to selected key personnel/mass employees and identifying the users who are vulnerable to phishing emails.
• Making vishing calls to selected users and gathering sensitive information from them.
• Making pretexting calls to teams and gathering sensitive information such as passwords.
• Performing dumpster diving and gathering sensitive information.

What are the various threat vectors? (continued)

Physical Security
Threat vectors:
• Physical security breach
• Tailgating
• War driving, war chalking
• Impersonating an employee
Activities:
• Threat actor gains unauthorized physical entry inside the company premises by bypassing the existing security controls.
• Gains unauthorized entry inside critical departments such as data centres, the Research & Development unit, critical laboratories etc. to obtain sensitive data.
• Threat actor searches for an available/displayed Wi-Fi connection and performs malicious activities.

Common Threat Vector Activities
• Wireless Network Intrusion
• USB Drop
• Custom Malware
• Web Application Compromise
• Phishing
• Physical Intrusion
• Social Engineering
• DoS/DDoS
• Vishing
• Insider Threat attack

How attackers gain access to our system?
Below is an illustration of a high level attack kill chain where a potential threat actor gains access to the system by skilfully compromising the systems without our knowledge.

Kill chain stages: External Recon → Compromised System → Internal Recon → Local Privilege Escalation → Domain Dominance (Domain Admin Creds) → Asset Access → Exfiltration

Reconnaissance – Threat actor performs an initial intelligence gathering using various TTPs to gather information related to applications, mail addresses, server configurations etc.

Exploitation – Threat actor compromises the identified vulnerable system by exploiting the hosted services / sending out malicious emails etc.

Internal Recon and Privilege Escalation – Threat actor performs an internal recon by mapping the internal domain and elevates the current privilege.

Lateral movement cycle (low privileges):
• Compromise Credentials – Threat actor, post local privilege escalation, gathers the cached credentials from system memory.
• Remote code execution – Threat actor performs remote code execution on servers/systems which can be accessed through the compromised credential.
• Admin Recon – Utilising the compromised credential, the threat actor hunts for high privileged credentials.

Lateral movement cycle (high privileges):
• Compromise Credentials – Threat actor, post local privilege escalation, gathers the cached credentials from system memory.
• Remote code execution – Threat actor utilizes the gathered credentials to perform reconnaissance of critical assets.
• Priv. Esc – Access the assets by high privileged accounts.

Compromise Domain – Threat actor gathers Domain Administrator credentials and gains full privileged access to the internal domain etc.

Access to crown jewels and exfiltration – Threat actor gains access to critical assets such as domain controllers, exchange servers, file servers, critical infrastructure etc. and successfully exfiltrates sensitive data.

Global Cyber Attacks

October 2019
Why Red Team Assessment?
Red team assessment gives a realistic view of the organization’s technology-based defense strength against real-world attacks.

• Assess the ability of an organization in terms of detecting, responding to and preventing complex and targeted attacks.

• Defend the organization’s people, process and technology by proactively addressing the weaknesses in security.

• Gain a comprehensive insight into existing weaknesses and breach impact, and proactively defend the organization against existing and unidentified threats.

• Gain confidence by addressing known vulnerabilities and security flaws and achieving proactive defence.

Capability Advantages
• Capability – assess the ability to detect, respond to and prevent attacks.
• Insight – gain insight regarding the existing weaknesses in people, process and technology.
• Confidence – gain confidence by addressing the existing vulnerabilities and proactive defence.
• Defend – defend proactively by addressing the existing security flaws.

How Red teaming can help?
Pillars driving a meaningful assessment for an organization

1 Offensive Security Mind-set
In the modern cyber threat landscape, malicious attackers are constantly trying to get into your systems. Thus, it is important to understand how cyber attackers work in order to effectively defend against them.
At PwC, we invest time and effort to understand and emulate how real attackers work. Our ethical hackers are very passionate about offensive hacking methodologies that simulate what real attackers use.

2 Deep understanding of security in various industries
Your advisor will provide you with greater value if they understand your business and industry environment, culture, and operations.
• We know various industry operations, systems, and leading practices, and have extensive experience and expertise in red team and penetration testing services, privacy and security, breach notification, and incident response planning.
• We have developed proprietary assessment tools, templates, and project documents that will accelerate progress in many of the areas in scope and reduce effort and fees.

3 Cyber Attack simulation
PwC has a comprehensive, tailored and well refined approach to conducting cyber attack simulations:
● Perform testing in a stealthy fashion that mimics real threat actors. We can adjust our testing to meet your needs and test the effectiveness of your team’s incident response capabilities.
● Intelligent hacks that leverage configuration errors and exploit business logic flaws, rather than one-click “zero-day” exploits. Automated tools and exploits will never identify business logic flaws in applications that may result in exposure of sensitive data in your organization.
● We understand the “big picture” (root causes) and convey this in our work. Technical changes to remediate security findings are only a small piece of the overall puzzle. We identify the root cause of each finding, typically associated with people, processes, or technology, to help enable the prevention of similar findings in the future.

Scenarios

Social Engineering activities
Our team will mimic real world threat actors to perform various social engineering assessments such as phishing, spear phishing, vishing, employee impersonation etc. to assess people awareness of security aspects.

Intelligence Gathering
Our team will utilize various OSINT tools to perform real world intelligence gathering for identifying sensitive data such as email addresses, web server technology, company domain and sub-domains etc.

Internal Infrastructure Assessment
Our team will assess the internal IT infrastructure using various TTPs to compromise the internal IT domain to gain access to crown jewels such as exchange servers, internal applications, domain controllers etc.

External Assessment
Perform testing on externally facing systems identified during the planning phase. Identified vulnerabilities will be exploited in order to gain access to sensitive data and the internal network.

Rogue Device Deployment
PwC team will attempt to physically breach an organization's security controls and deploy a custom device to gain access to the internal IT network and access the device from the internet.

Phishing / Spear Phishing attacks
Using data gathered from reconnaissance, multiple employees/key personnel would be targeted using a tailored email designed to lure them into disclosing credentials or executing a malicious file to gain an initial foothold or sensitive information.

USB Baiting
Malicious USB drives will be left among the employees’ workspace as bait, to be connected to domain systems to execute malicious code/gain access to the systems.

Physical Security Breach Assessment
Attempt to bypass physical security controls by tailgating, RFID cloning etc. within premises like data centers and offices, posing as different threat actors in order to implant devices on the network and gain access to systems.

Diagram labels around the central “Red Team” node: Social Engineering, Intelligence Gathering, External Assessment, Phishing/Spear Phishing, Physical Security, USB Baiting, Rogue Device Deployment, Malware/Backdoor.

Our Approach

1. Planning & Scoping
• Perform footprinting of the company’s external network presence to gain an understanding of externally facing websites and resources from which intelligence can be gathered.

2. Threat Vector Analysis
• Gather information from Open Source Intelligence (OSINT) tools.
• With these details, we determine viable attacks that real threat actors would use to breach the company.

3. Threat Actor Approach
• Posing as various threat actors, multiple techniques and procedure based testing would be performed.
• With this approach, real threat actors’ attempts to breach a company would be assessed.

4. Testing Setup
• A range of techniques will be used to craft a customized attack scenario in line with MoE requirements.
• The techniques designed are used to replicate the modus operandi of real-world attackers.

5. Intrusion & Exfiltration
• Survey testing to identify target systems and weaknesses.
• Establish foothold by compromising systems and move laterally.
• Escalate privileges and gain access to sensitive data / systems.

6. Exposure Analysis
• Gather evidence for the information identified and access gained.
• Determine root cause and business impact if the breaches are achieved in a similar manner.

7. Observation & Reporting
• Create a draft report with detailed observations, recommendations, and risks.
• Finalize the report and support in internal communication.

High Level attack scenarios

Web Application Compromise – Adversary performs intrusive malicious scans on the hosted application to exploit and gain access to the internal network, targeting the crown jewels.

Physical Security Breaches – Adversary bypasses the physical security controls and performs malicious activities such as USB drop, rogue device deployment, shoulder surfing.

Phishing – Adversary sends a customized email with malicious attachments or links to lure the end user and gains sensitive information, access to the systems etc.

Malware infections – Drops a malware responsible for infecting the internal systems, gathers sensitive data and exfiltrates the same to a hosted C&C server or encrypts the data.

Insider Threat

Diagram labels: attack paths lead from the Attacker through the WWW/Internet, Web Applications and External Services, or through the Physical Building, into Servers and Workstations (Lateral Movement; compromised endpoints and user credentials), and on to the Crown Jewels: Confidential Data, Data Centre, Critical Infrastructure and the Organization Infrastructure.

Key Use Case: Physical Security Breach
• Posing as an external consultant, the team will clone the company employees’ identity card to bypass the RFID based authentication and gain access to critical and restricted areas.

• Posing as a legitimate employee, the team will interact and socialize with the company’s employees to obtain sensitive data by shoulder surfing, pretexting etc. to analyze the security awareness of the employees.

• The team will physically breach into one of the locations and plug their rogue device into open LAN ports and access the same via the internet, thus exposing the entire network of the company and making it accessible via the internet.

• The team, posing as an internal employee, will physically breach the security controls and drop malicious USB devices loaded with customized malware to lure the victims to connect them to their systems and perform data exfiltration.

Diagram labels: Physical Intrusion; Dumpster Diving (confidential documents); Tailgating; Breach into critical areas for confidential information; War chalking, war walking, evil twin Wi-Fi to harvest credentials; Social Engineering (password harvesting); Rogue device deployment to publicly expose the internal network; USB drop to breach systems / malware drop; Desktop & shoulder surfing for data; ID cloning.

Key Use Case: Phishing
1. An attacker gathers publicly exposed employees’ email addresses using various OSINT (Open Source INTelligence) tools.
2. Crafts a customized email attached with malicious links/payload and lures the victim.
3. Victims, without verifying the legitimacy of the received links/domain, click on the malicious link and provide sensitive information such as passwords, PII data etc.
4. An attacker then utilizes the gathered credentials to access the targeted systems and installs a malicious Trojan file which gathers the sensitive data.
5. The gathered data is then uploaded to an externally hosted C&C server.
6. An adversary can perform a phishing attack from the internal domain as well.
7. In this case an attacker can host an internal server and send malicious emails to the employees and trick them into providing their Domain credentials.
8. Using the gathered data an attacker attempts lateral movement and compromises the internal domain.

Diagram labels: the attacker crafts a malicious mail → sends it to targets → recipients click → enter credentials on a legitimate looking website → attacker gathers credentials → uses credentials to access → installs Trojan file → gathers sensitive data → exfiltration to the C&C server.
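Step 3 of the phishing use case turns on the recipient (or a mail filter) not checking whether a link really points at the organization’s own domain. As an added example, not taken from the deck and not PwC’s tooling, the following Python triages the links in an email body the way an awareness team or SOC analyst would: it extracts the URLs, treats the organization’s domain as trusted, and flags lookalike domains (the organization’s name embedded in a foreign domain, a punycode label that can hide a homoglyph, or a near-typo such as a swapped TLD). The organization domain examplecorp.com, the email text and the punycode-style label in it are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed organization domain (constructed for this example).
ORG_DOMAIN = "examplecorp.com"

# Constructed sample lure: one genuine link and three lookalikes.
SAMPLE_EMAIL = """\
Dear employee,
Your mailbox is over quota. Sign in at https://mail.examplecorp.com/quota
to keep access, or use the backup portal https://examplecorp-com.login-secure.net/
Need help? https://xn--exampecorp-dgb.com/help (or http://examplecorp.co)
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def extract_links(text):
    """Return every http(s) URL found in the text, in order of appearance."""
    return URL_RE.findall(text)


def registrable_domain(host):
    """Naive registrable domain: the last two labels (enough for .com/.net style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats and swapped TLDs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, org_domain=ORG_DOMAIN):
    """Classify a URL as 'trusted', 'lookalike' or 'external' relative to org_domain."""
    host = (urlparse(url).hostname or "").lower()
    if host == org_domain or host.endswith("." + org_domain):
        return "trusted"
    reg = registrable_domain(host)
    org_name = org_domain.split(".")[0]
    # Any IDNA/punycode label may hide a homoglyph of the real name.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    # The organization's name embedded in a foreign registrable domain.
    if org_name in host and reg != org_domain:
        return "lookalike"
    # Near-typo of the real domain, e.g. a different TLD.
    if edit_distance(reg, org_domain) <= 2:
        return "lookalike"
    return "external"


def triage_email(text, org_domain=ORG_DOMAIN):
    """Map each link in the email body to its classification."""
    return {url: classify_link(url, org_domain) for url in extract_links(text)}


if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE_EMAIL).items():
        print(f"{verdict:9s} {url}")
```

Run as-is it reports the first link as trusted and the other three as lookalikes. In a real deployment the "lookalike" rule would be paired with an allowlist of known third-party services that legitimately carry the organization’s name, and the naive two-label registrable_domain would be replaced by a public-suffix lookup so that names under co.uk-style suffixes are handled correctly.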
Key Use Case: External Compromise of Applications

An adversary gathers the publicly exposed web applications and attempts to compromise them by exploiting weaknesses in coding, unpatched systems etc.
During our assessment the key activities in each stage are listed below. The following key areas are targeted to compromise an application:

Unauthenticated Testing

1. Conduct security testing of the web applications from the vantage point of an unauthenticated user (anonymous web user).
2. Conduct an automated scan in the following steps:
➢ Update application security testing tools with the latest files and attack database.
➢ Configure and customize the tools to include all the threat models.
➢ Collect logs and evidence.
3. Manual testing will be performed to identify security exposures and exploit findings discovered from automated vulnerability scanning.

Authenticated Testing

1. Conduct security testing of the web applications from the vantage point of an authenticated user (user with valid credentials).
2. Conduct an automated scan using varied security tools.
3. Manual testing will be performed in the following steps:
➢ Collect application logs and threat models from the previous steps.
➢ Understand the business logic and application architecture.
➢ Combine multiple vulnerabilities to compromise the application.
