PwC 1
What is Red Team ?

• Red Team Assessment is an amalgamated and comprehensive attack assessment which covers various threat vectors related to physical security, social engineering, application penetration testing and both internal and external network penetration testing.
• Unlike penetration testing, the aim is not just to find the number of vulnerabilities open in the organization but to identify the organization's detection and response capabilities and to test end-users' ability to detect fraudulent phishing emails or social engineering attempts.
• The purpose behind a full-fledged red team assessment is to reveal the possible opportunities for malicious hackers, disgruntled employees and bad actors in compromising an organization.
• These assessments also provide a realistic view and understanding of an organization's people, technology and process through testing.

The three pillars of a Red Team Assessment:
• Awareness: Assessing people awareness by conducting attack-oriented social engineering activity.
• Assessment: Assessing the security posture of an organization by exploiting the flaws in its various security controls.
• Management: Assessing the security implementation process, such as patch management and the vulnerability management process.
Who are the threat actors ?

• Script Kiddies: These are not actual hackers but perform malicious activities for fun without understanding the consequences.
• Third Party vendors/ Guests: Driven by the malicious intention of deteriorating the company, or by financial gains.
• State Sponsored hackers: These are well funded and government backed threat actors who perform malicious activities for the sponsoring governments/ individuals.
• Hackers/ Hacktivists: Attackers with malicious/ genuine intentions of compromising the organization.
• Disgruntled Employees: Motivated by dissatisfaction, frustration, financial gain etc.
What are the various threat vectors ?

External applications
• OWASP top 10 attacks: Identify whether the Internet facing applications are vulnerable to the OWASP top 10 vulnerabilities.
• Network Intrusion by Compromising external IP's: Perform penetration testing and gain access into vulnerable systems; and move laterally into the banking network.
• External Denial of Service attacks: Perform external DDoS attacks on selected applications, studying the response mechanism.

Internal
• Network Intrusion Attempts: Intrude and attack the internal network from chosen locations.
• Compromising hosts & stealing sensitive Information: Bypassing the existing Antivirus & Host intrusion detection system (HIDS) and gaining access to computer systems to obtain sensitive information.
• Internal DoS attacks: Perform an internal DoS attack from compromised internal systems.
• Bypassing work station Security (AV & HIDS): Exploit the vulnerable systems, move laterally and gain enterprise admin account credentials.

Malware & Wireless attacks
• Malicious USB drop: Gaining access to the systems by inserting pen drives containing malware.
• Macro & Malware via e-mail: Sending phishing emails with malicious attachments.
• Rogue Access Point: Creating a rogue access point and gaining passwords.
• Wireless Network Intrusion Attempt: Bypassing the wireless security controls and gaining access to the organization's network.
What are the various threat vectors ?

Physical Security
• Physical security breach
• Tailgating
• War Driving, War Chalking
• Impersonating as employee

Activities under this vector:
• Threat actor gains unauthorized physical entry inside the company premises by bypassing the existing security controls.
• Gains unauthorized entry inside critical departments such as Data Centres, Research & Development unit, critical laboratory etc. to obtain sensitive data.
• Threat actor searches for an available/ displayed Wi-Fi connection and performs malicious activities.
How attackers gain access to our system?

Below is an illustration of a high level attack kill chain where a potential threat actor gains access to the system by skilfully compromising the systems without our knowledge.

1. Reconnaissance: Threat actor performs an initial intelligence gathering using various TTPs to gather information related to applications, mail addresses, server configurations etc.
2. Exploitation: Threat actor compromises the identified vulnerable system by exploiting the hosted services / sending out malicious emails etc.
3. Internal Recon and Privilege Escalation: Threat actor performs an internal recon by mapping the internal domain and elevates the current privilege.
4. Lateral Movement cycle (Low Privileges):
➢ Compromise Credentials: Threat actor, post local privilege escalation, gathers the cached credentials from system memory.
➢ Remote code execution: Threat actor performs a remote code execution on servers/ systems which can be accessed through the compromised credential.
➢ Admin Recon: Utilising the compromised credential, a Threat Actor hunts for high privileged credentials.
5. Compromise Domain: Threat actor gathers Domain Administrator credentials and gains full privileged access to the internal domain.
6. Lateral Movement cycle (High Privileges):
➢ Compromise Credentials: Threat actor, post local privilege escalation, gathers the cached credentials from system memory.
➢ Remote code execution: Threat actor utilizes the gathered credentials to perform reconnaissance of critical assets.
➢ Privilege Escalation: Access the assets by high privileged accounts.
7. Access to crown jewels and exfiltration: Threat actor gains access to critical assets such as Domain controllers, exchange servers, file servers, critical infrastructure etc. and successfully exfiltrates sensitive data.
Global Cyber Attacks
October 2019
Why Red Team Assessment ?

Red team assessment gives a realistic view of the organization's technology based defense strength against real-world attacks.
How Red teaming can help ?

Pillars driving a meaningful assessment for an organization

1. Offensive Security Mind-set
In the modern cyber threat landscape, malicious attackers are constantly trying to get into your systems. Thus, it is important to understand how cyber attackers work in order to effectively defend against them.
At PwC, we invest time and effort to understand and emulate how real attackers work. Our ethical hackers are very passionate about offensive hacking methodologies that simulate what real attackers use.

2. Deep understanding of security in various industries
Your advisor will provide you with greater value if they understand your business and industry environment, culture, and operations.
• We know various industry operations, systems, and leading practices, and have extensive experience and expertise in red team and penetration testing services, privacy and security, breach notification, and incident response planning.
• We have developed proprietary assessment tools, templates, and project documents that will accelerate progress in many of the areas in scope and reduce effort and fees.

3. Cyber Attack simulation
PwC has a comprehensive, tailored and well refined approach to conducting cyber attack simulations:
● Perform testing in a stealthy fashion that mimics real threat actors. We can adjust our testing to meet your needs and test the effectiveness of your team's incident response capabilities.
● Intelligent hacks that leverage configuration errors and exploit business logic flaws, rather than one-click "zero-day" exploits. Automated tools and exploits will never identify business logic flaws in applications that may result in exposure of sensitive data in your organization.
● We understand the "big picture" (root causes) and convey this in our work. Technical changes to remediate security findings are only a small piece of the overall puzzle. We identify the root cause of each finding, typically associated with people, processes, or technology, to help enable the prevention of similar findings in the future.
Scenarios

• Social Engineering activities: Our team will mimic real world threat actors to perform various social engineering assessments such as Phishing, spear phishing, vishing, Employee impersonation etc. to assess people awareness of security aspects.
• Intelligence Gathering: Our team will utilize various OSINT tools to perform real world intelligence gathering for identifying sensitive data such as email addresses, web server technology, company domain and sub domains etc.
• External Assessment: Perform testing on externally facing systems identified during the planning phase. Identified vulnerabilities will be exploited in order to gain access to sensitive data and the internal network.
• Internal Infrastructure Assessment: Our team will assess the internal IT infrastructure using various TTPs to compromise the internal IT domain and gain access to crown jewels such as exchange servers, Internal Applications, Domain controllers etc.
• Malware/ Backdoor
• Rogue Device Deployment: PwC team will attempt to physically breach an organization's security controls and deploy a custom device to gain access to the internal IT network and access the device from the internet.
• Phishing / Spear Phishing attacks: Using data gathered from reconnaissance, multiple employees/ key personnel would be targeted using a tailored email designed to lure them into disclosing credentials or executing a malicious file to gain an initial foothold or sensitive information.
Our Approach
High Level attack scenarios

• Phishing: Adversary sends a customized email with malicious attachments or links to lure the end user and gains sensitive information, access to the systems etc.
• Physical Security Breaches: Building, Data Centre.
• Both paths lead to Access to Servers and Workstations, then Lateral Movement across the Organization Infrastructure, and finally Access to Crown Jewels.
Key use Case: physical Security Breach

• Posing as an external consultant, the team will clone the company employees' identity card to bypass the RFID based authentication and gain access to critical and restricted areas.

Illustrated techniques: Physical Intrusion, Confidential Documents, Dumpster Diving.
Key use Case: phishing

1. An attacker gathers publicly exposed employee email addresses using various OSINT (Open Source INTelligence) tools.
2. Crafts a customized email attached with malicious links/ payload and lures the victim.
3. Victims, without verifying the legitimacy of the received links/ domain, click on the malicious link and provide sensitive information such as passwords, PII data etc.
4. An attacker then utilizes the gathered credentials to access the targeted systems and installs a malicious Trojan file which gathers the sensitive data.
5. The gathered data is then uploaded to an externally hosted C&C server.
6. An adversary can perform a phishing attack from the internal domain as well.
7. In this case an attacker can host an internal server, send malicious emails to the employees and trick them into providing their Domain credentials.
8. Using the gathered data an attacker attempts lateral movement and compromises the internal domain.

Flow in the diagram: the attacker crafts a malicious mail and sends it to the targets; recipients click and enter credentials on a legitimate looking website; the attacker gathers the credentials, uses them to access systems, installs a Trojan file, gathers sensitive data and exfiltrates it to the C&C server.
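The phishing flow above succeeds when a look-alike sender, a deceptive link or a macro document reaches the end user unchallenged. As an added example (not part of the PwC deck), the Python below applies the defender-side checks a mail gateway or SOC analyst would run on such a message: From domain versus Return-Path, look-alike detection against the organisation's own domains, SPF/DKIM results for mail claiming to be internal, anchor text that names one host while linking to another, and macro-enabled attachments. The internal domain example.com, the look-alike examp1e.com, the confusable-character map, the header values and both sample messages are constructed assumptions for the demonstration.

```python
"""Inbound e-mail triage checks for the phishing use case described above.

Added example (not PwC material). The internal domain example.com, the
look-alike domain examp1e.com, the confusable-character map and both sample
messages are constructed for this demonstration.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example.com"}             # constructed: the organisation's own domains
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm")  # Office formats that can carry macros
# digit-for-letter swaps commonly used to build look-alike domains (constructed subset)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def sender_domain(header_value) -> str:
    """Lower-cased domain of an address header such as From or Return-Path."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like_internal(domain: str) -> bool:
    """True when an external domain imitates an internal one, either through
    confusable characters or by using the internal name as a leading label."""
    if not domain or domain in INTERNAL_DOMAINS:
        return False
    folded = domain.translate(CONFUSABLES)
    return any(folded == d or domain.startswith(d + ".") or domain.startswith(d + "-")
               for d in INTERNAL_DOMAINS)


def link_mismatches(html: str) -> list:
    """(shown host, real host) pairs where anchor text looks like a URL but the href differs."""
    out = []
    for href, text in LINK_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if "." not in shown or " " in shown:
            continue  # anchor text is a phrase such as "click here", not a URL
        shown_host = (urlparse(shown if "://" in shown else "http://" + shown).hostname or "").lower()
        href_host = (urlparse(href).hostname or "").lower()
        if shown_host != href_host:
            out.append((shown_host, href_host))
    return out


def triage(raw_message: str) -> list:
    """Run the checks over one RFC 5322 message and return human-readable findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    frm, ret = sender_domain(msg["From"]), sender_domain(msg["Return-Path"])
    if frm and ret and frm != ret:
        findings.append(f"header mismatch: From {frm} but Return-Path {ret}")
    if looks_like_internal(frm):
        findings.append(f"look-alike sender domain: {frm}")
    auth = str(msg.get("Authentication-Results") or "").lower()  # stamped by the receiving MX
    if frm in INTERNAL_DOMAINS and not ("spf=pass" in auth and "dkim=pass" in auth):
        findings.append("claims internal sender but SPF/DKIM did not pass")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for shown, real in link_mismatches(body.get_content()):
            findings.append(f"link text {shown} points to {real}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-enabled attachment: {name}")
    return findings


def build_sample(sender, return_path, auth_results, html, attachment=None) -> str:
    """Assemble a constructed test message in the form it would arrive from the MX."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "staff@example.com", "Password expiry notice"
    m["Return-Path"], m["Authentication-Results"] = return_path, auth_results
    m.set_content("Plain-text alternative.")
    m.add_alternative(html, subtype="html")
    if attachment:
        m.add_attachment(b"\x00" * 16, maintype="application", subtype="octet-stream", filename=attachment)
    return m.as_string()


# Constructed phishing sample: look-alike sender, mismatched bounce address, deceptive link, macro document.
PHISHING_SAMPLE = build_sample(
    '"IT Helpdesk" <helpdesk@examp1e.com>', "<bounce@mailer-cheap.test>",
    "mx.example.com; spf=pass smtp.mailfrom=mailer-cheap.test; dkim=none",
    '<p>Your password expires today: <a href="http://login.examp1e.com/reset">'
    'https://sso.example.com/reset</a></p>', attachment="policy_update.docm")

# Constructed legitimate sample from the real helpdesk, authenticated by SPF and DKIM.
LEGIT_SAMPLE = build_sample(
    '"IT Helpdesk" <helpdesk@example.com>', "<helpdesk@example.com>",
    "mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com",
    '<p>Reminder: reset at <a href="https://sso.example.com/reset">https://sso.example.com/reset</a></p>')

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, triage(sample) or ["no findings"])
```

Each check is independent, so the legitimate sample returns an empty list while the phishing sample trips four of them; the internal-domain step (6 and 7 in the list above) is why the SPF/DKIM check only trusts an Authentication-Results header stamped by your own MX rather than one carried in from the sender.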
Key Use Case: External Compromise of applications

An adversary gathers the publicly exposed web applications and attempts to compromise them by exploiting weaknesses in coding, unpatched systems etc.

During our assessment, the following key activities are performed in each stage. The following key areas are targeted to compromise an application:

Unauthenticated Testing
1. Conduct security testing of the web applications from the vantage point of an unauthenticated user (anonymous web user).
2. Conduct automated scans in the following steps:
➢ Update application security testing tools with the latest files and attack database.
➢ Configuration of tools and customization to include all the threat models.
➢ Collection of logs and evidence.
3. Manual testing will be performed to identify security exposures and exploit findings discovered from automated vulnerability scanning.

Authenticated Testing
1. Conduct security testing of the web applications from the vantage point of an authenticated user (user with valid credentials).
2. Conduct automated scans using varied security tools.
3. Manual testing will be performed in the following steps:
➢ Collection of application logs and threat models from previous steps.
➢ Understanding business logic and application architecture.
➢ Combining multiple vulnerabilities to compromise the application.