On the Thursday of hack.lu I attended a workshop on Red Team Testing. The term comes from military jargon and means trying to break into a facility, not only electronically or over the network but, if needed, physically. At the very beginning a video was shown from a TV show called Tiger Team, in which the team broke into a jewelry store; this was done on behalf of the owner. If you would like to get an impression of such things, take a look at trutv.com, which produced a show where the team broke into a car dealership.

Talking about red team testing, the testing team always needs the permission of the owner or their representatives. Without this written permission all actions are illegal and must not be carried out. Once the permission is in place, the next step is to gather information on the target. This step will most likely take about 60% of the overall time of the test.

The target

Together with the customer, the business is first evaluated with respect to the three aspects of security: confidentiality, integrity and availability. For this, a list of all parts of the business is created. In the case of a hospital, an example could be:

  • billing,
  • health care,
  • credit card handling,
  • client data
  • etc.

The next step is to rate the criticality of each of the three aspects for each part of the business, which yields a matrix.

Looking at a hospital, it is important that patient data is kept confidential, that its integrity is preserved and that it is always available, simply because people can die if it is not. Dying patients will destroy the business of a hospital, especially if the hospital is responsible. Looking at credit card data, on the other hand, confidentiality has to be high, but if the credit card information is unavailable for an hour it is not critical for the business: the money can be taken from the account later. Once the matrix is finished, the targets of the attack are the highest-rated parts of the business.
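As an added worked example (not from the workshop, but written here to illustrate it), this is how the criticality matrix described above can be written down and ranked. The hospital ratings, the 1-to-5 scale, and the rule that the worst single aspect decides with the sum of all three as a tie-breaker are my assumptions:

```python
"""Added example: rating business functions on the CIA triad and ranking
red-team targets from the resulting matrix.

The ratings below are constructed for the hospital case discussed in the
text; the 1-5 scale and the ranking rule are assumptions, not workshop material."""

ASPECTS = ("confidentiality", "integrity", "availability")

# Constructed sample matrix: business part -> criticality per aspect (1 = low, 5 = critical).
HOSPITAL = {
    "patient data":         {"confidentiality": 5, "integrity": 5, "availability": 5},
    "credit card handling": {"confidentiality": 5, "integrity": 4, "availability": 2},
    "billing":              {"confidentiality": 3, "integrity": 4, "availability": 2},
    "health care":          {"confidentiality": 4, "integrity": 5, "availability": 5},
}


def validate(matrix):
    """Every part must rate all three aspects with an integer in 1..5.
    An incomplete matrix silently skews the ranking, so reject it loudly."""
    for part, ratings in matrix.items():
        missing = [a for a in ASPECTS if a not in ratings]
        if missing:
            raise ValueError(f"{part!r} is missing ratings for {missing}")
        for aspect in ASPECTS:
            value = ratings[aspect]
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{part!r}.{aspect} = {value!r} is not an integer in 1..5")


def score(ratings):
    """Criticality of one part: the worst single aspect decides, the sum of
    all three breaks ties (so 5/5/5 outranks 5/4/2, which outranks 3/4/2)."""
    return (max(ratings[a] for a in ASPECTS), sum(ratings[a] for a in ASPECTS))


def rank_targets(matrix):
    """Business parts ordered from most to least critical; the head of the
    list is where the red team aims first."""
    validate(matrix)
    return sorted(matrix, key=lambda part: score(matrix[part]), reverse=True)


def weakest_aspect(ratings):
    """The aspect the business tolerates losing most easily, e.g. availability
    of card handling: an hour of downtime is acceptable per the text."""
    return min(ASPECTS, key=lambda a: ratings[a])


if __name__ == "__main__":
    for part in rank_targets(HOSPITAL):
        r = HOSPITAL[part]
        print(f"{part:22s} C={r['confidentiality']} I={r['integrity']} "
              f"A={r['availability']} score={score(r)} weakest={weakest_aspect(r)}")
```

Running it lists patient data first and billing last; the weakest-aspect column is useful when agreeing the scope, because it shows which aspects the test may put at risk without hurting the business.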

Scope

After defining the target, the scope has to be clarified. Scope means what is allowed and what is forbidden. If the goal is to break into a facility, it has to be clarified whether brute force is allowed, like driving a truck through the front door, or whether softer approaches have to be chosen. In general a good team should always be able to work without damaging the systems by force. If during the test the team encounters opportunities which are beyond the scope or had not been discussed, a call to the customer can clarify whether the scope can or should be changed.

Information gathering

As mentioned in the beginning, 60% of the time is spent on information gathering. During information gathering it is important to stay below the radar of the customer's security team. Therefore you cannot use port scanners or similar active tools, since the customer's security team would go on red alert and raise the alert level of the target. Your victim would immediately know that it is being attacked and take countermeasures. A better way is to use Google or other public sources to get information about your victim. Their website is also a good source: looking at the job offers, you can learn which kind of software they use just from the required skill set. For information gathering, have a look at

Maltego or FOCA

FOCA lets you search for files published by the victim and extract the metadata from them, such as author names and the software versions that produced them. Maltego gathers information from various sources and puts everything together. Mind-mapping tools also help to organize the collected data.
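To make the metadata point concrete, here is an added example (my own code, not FOCA's and not from the workshop) that extracts the core and application properties from an Office Open XML document, the kind of .docx a target publishes on its website, and merges the results from several documents into a list of usernames and software versions. The sample document is built in memory, so nothing is fetched from anyone; the field names and the sample author values are constructed for the demo:

```python
"""Added example: passive reconnaissance from document metadata.

A .docx is a zip archive; docProps/core.xml carries the author and last
editor, docProps/app.xml the application name and version. The sample file
below is constructed here for the demo, as are the user and company names."""

import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by OOXML metadata parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed sample metadata parts (note the leaked Windows domain in lastModifiedBy).
CORE_XML = """<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/">
  <dc:creator>j.doe</dc:creator>
  <cp:lastModifiedBy>CORP\\a.smith</cp:lastModifiedBy>
</cp:coreProperties>"""

APP_XML = """<Properties
  xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
  <Application>Microsoft Office Word</Application>
  <AppVersion>14.0000</AppVersion>
  <Company>Example Hospital</Company>
</Properties>"""


def build_sample_docx() -> bytes:
    """Minimal zip with the two metadata parts; stands in for a downloaded file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not a valid part
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# (tag, output field) pairs per metadata part.
CORE_FIELDS = (("dc:creator", "creator"), ("cp:lastModifiedBy", "last_modified_by"))
APP_FIELDS = (("ep:Application", "application"), ("ep:AppVersion", "app_version"),
              ("ep:Company", "company"))


def extract_docx_metadata(data: bytes) -> dict:
    """Return {field: value} found in the document's metadata parts.
    Missing parts are tolerated (many generators omit app.xml). Non-zip input
    raises zipfile.BadZipFile. Files collected from a target are untrusted input:
    ElementTree does not fetch external entities, but for bulk collection
    defusedxml is the safer parser against entity-expansion tricks."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS),
                             ("docProps/app.xml", APP_FIELDS)):
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for tag, field in fields:
                el = root.find(tag, NS)
                if el is not None and el.text and el.text.strip():
                    found[field] = el.text.strip()
    return found


def aggregate(docs) -> dict:
    """Merge metadata from many documents into the picture an attacker wants:
    account names (naming convention, domain) and software in use.
    Non-OOXML files (PDFs, corrupt downloads) are counted and skipped."""
    users, software, skipped = set(), set(), 0
    for data in docs:
        try:
            md = extract_docx_metadata(data)
        except zipfile.BadZipFile:
            skipped += 1
            continue
        users.update(md[k] for k in ("creator", "last_modified_by") if k in md)
        if "application" in md:
            software.add(f"{md['application']} {md.get('app_version', '')}".strip())
    return {"users": users, "software": software, "skipped": skipped}


if __name__ == "__main__":
    print(aggregate([build_sample_docx(), b"%PDF-1.4 not an OOXML file"]))
```

From a handful of public documents this yields the account naming scheme, a Windows domain name and the Office version in use, without a single packet reaching the target's own systems beyond an ordinary web download.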

The plan

Having gathered all the information, it is time to make a plan. In the planning phase the team should not concentrate on one plan only, but also think about a plan B, C, D and so on. It is always good to have many options in reserve in case something unexpected happens, from security guards catching the team to a lock the team cannot open.

The second to last step is the attack itself. This step relies heavily on experience. During the attack the team should document each target that is successfully taken, for example with a picture of the team holding some documents. Whichever documentation is chosen, the customer should be convinced at the end that the goal was reached.

Debriefing

After the attack it is time to debrief the customer. The customer should get a full report covering the parts of the business and the security aspects that have been broken. Every step performed during the attack needs to be written up, together with the weaknesses found and suggestions on how to improve overall security. At this point the customer can be reminded that security is not only about performing tests but is a process, a process to which the customer needs to commit. It is then up to the client to make the needed changes to their habits, their facility and their processes to improve security.

In this article I could only cover a very small part of the content of the workshop. I would like to thank Chris Nickerson and Ryan Jones for holding this workshop.