
This article discusses team collaboration, tools and methodologies for conducting Red Team operations. A Red Team operation imitates an attack by a group of professional outsiders and so reveals infrastructure vulnerabilities in the most realistic way.
Red Team vs Blue Team
The term Red Team came from a military environment and defines a “friendly” attacking team. In contrast, there is a team of defenders - Blue Team.
Red Team operations differ from a classic pentest primarily in how actions are regulated and in what the protected side expects. A "classic" pentest often uses "white lists", a time limit for the work, and a fixed level of interaction with the systems. During Red Team operations there are practically no such restrictions: a real attack on the infrastructure is carried out, from attacks on the external perimeter to physical access attempts and "hard" social engineering techniques (not merely recording that a link was clicked, but, for example, obtaining a full reverse shell).
The task of the Blue Team is to protect the infrastructure blindly: the defenders are not warned about the attack or told how it differs from a real intrusion. This is one of the best ways to check both the defensive systems and the ability of the experts to detect and block attacks and subsequently investigate incidents. After the operation is completed, the attack vectors that were used must be compared with the incidents the defenders recorded in order to improve the infrastructure protection system.
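One way to do that comparison, as an added example that is not part of the original article: the Red Team's own action log is paired with the Blue Team's incident records by target and time window, so that every attack step without a matching incident surfaces as a detection gap. Both data sets, the host names and the eight-hour window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not from the article): the Red Team's action log
# and the incidents the Blue Team raised during the same operation.
@dataclass(frozen=True)
class RedAction:
    when: datetime
    technique: str
    target: str

@dataclass(frozen=True)
class BlueIncident:
    when: datetime
    host: str
    summary: str

RED_LOG = [
    RedAction(datetime(2024, 3, 4, 9, 15), "phishing with reverse shell", "ws-acct-07"),
    RedAction(datetime(2024, 3, 4, 13, 40), "credential dumping", "ws-acct-07"),
    RedAction(datetime(2024, 3, 5, 2, 10), "lateral movement over SMB", "fs-01"),
    RedAction(datetime(2024, 3, 6, 11, 0), "physical access: badge tailgating", "hq-floor-3"),
]

BLUE_INCIDENTS = [
    BlueIncident(datetime(2024, 3, 4, 9, 52), "ws-acct-07",
                 "EDR: suspicious outbound connection from Office macro"),
    BlueIncident(datetime(2024, 3, 5, 8, 30), "fs-01",
                 "SIEM: unusual admin share access at night"),
]

def reconcile(red_log, incidents, window=timedelta(hours=8)):
    """Pair every Red Team action with the first Blue Team incident on the same
    target raised inside `window` after the action; unpaired actions are gaps."""
    report = {"detected": [], "missed": []}
    for action in red_log:
        hit = next((i for i in incidents
                    if i.host == action.target
                    and action.when <= i.when <= action.when + window), None)
        entry = (action.technique, action.target, hit.summary if hit else None)
        report["detected" if hit else "missed"].append(entry)
    report["coverage"] = round(len(report["detected"]) / len(red_log), 2)
    return report

if __name__ == "__main__":
    result = reconcile(RED_LOG, BLUE_INCIDENTS)
    print("detection coverage:", result["coverage"])
    for technique, target, _ in result["missed"]:
        print("no incident recorded for:", technique, "on", target)
```

The gaps it lists (here the credential dumping, which happened hours after the only incident on that host, and the physical intrusion) are the items the protection system needs to address first.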
The Red Team approach is the closest to an Advanced Persistent Threat (APT) targeted attack. The Red Team should consist of experienced professionals with extensive experience in building IT / information security infrastructure and in compromising systems.
What distinguishes the Red Team operations:
- Duration: attacks can be carried out for several months.
- Hardcore: attackers can affect the infrastructure harshly, which can lead to the failure of some infrastructure components.
- Lack of the familiar penetration testing patterns. (A case from practice: while bypassing the access control system at one of the audit sites, the team removed office equipment containing critical data from the company premises - naturally, as agreed with the work manager.)
A Red Team operation is an attempt to gain access to the system by any means, including penetration testing; physical access; testing of communication lines, wireless and radio frequency systems; and testing employees through social engineering scenarios.
The concept of Red Team operations allows for penetration testing to be as realistic as possible.
Team approach
A Red Team operation is similar to a military operation: it identifies the targets or objects of attack, the areas of responsibility and the roles of team members. Often the Red Team includes an insider who passes data from inside the company or performs auxiliary functions.
A clear distribution of roles, together with systems for operational interaction and data analysis, defines several roles, by analogy with a military unit (sniper, medic):
- team leader - leadership;
- operatives - the active phase of the attack;
- insiders - this role may be absent;
- analysts - analysis and normalization of the data.
Tools
The choice of tools in a particular case may be dictated by the specifics of an application or service and differs slightly from usual penetration testing. When conducting Red Team operations, the questions of team interaction and systematization of the results arise: the output of various analysis tools and the vulnerabilities found in manual mode add up to a huge amount of information in which, without proper order and a systematic approach, you can miss something important or "rake" possible duplicates. There is therefore a need to consolidate the reports, normalize them and bring them to a single form.
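An added example (not from the article or from any of the tools named below) of what that normalization looks like in practice: scanner CSV output and operatives' manual notes are brought to one record shape, duplicates are merged by host, port and a whitespace- and case-insensitive title, and every source that reported a finding is retained so nothing is silently dropped. The CSV, the notes and the severity scale are constructed for the example.

```python
import csv
import io
import re

# Constructed sample inputs (not from the article): a scanner export and
# manual findings, in two different shapes, for the same engagement.
SCANNER_CSV = """Host,Port,Name,Risk
10.0.0.5,443,SSL Certificate Expired,Medium
10.0.0.5,443,SSL Certificate Expired,Medium
10.0.0.7,22,SSH Weak Algorithms Supported,Low
"""

MANUAL_NOTES = [
    {"target": "10.0.0.5:443", "title": "  ssl certificate expired ",
     "severity": "medium", "author": "operative-2"},
    {"target": "10.0.0.9:8080", "title": "Default credentials on admin console",
     "severity": "HIGH", "author": "operative-1"},
]

# Assumed severity scale used to rank merged findings
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def _key(host, port, title):
    """Identity of a finding: same host, port and title modulo case/whitespace."""
    return (host, int(port), re.sub(r"\s+", " ", title).strip().lower())

def normalize(scanner_csv, manual_notes):
    """Bring both sources to one record shape, merge duplicates, keep the
    highest reported severity and remember every source that saw the finding."""
    merged = {}

    def add(host, port, title, severity, source):
        k = _key(host, port, title)
        rec = merged.setdefault(k, {"host": host, "port": k[1], "title": k[2],
                                    "severity": 0, "sources": []})
        rec["severity"] = max(rec["severity"], SEVERITY[severity.lower()])
        if source not in rec["sources"]:
            rec["sources"].append(source)

    for row in csv.DictReader(io.StringIO(scanner_csv)):
        add(row["Host"], row["Port"], row["Name"], row["Risk"], "scanner")
    for note in manual_notes:
        host, port = note["target"].rsplit(":", 1)
        add(host, port, note["title"], note["severity"], note["author"])
    # Highest severity first, then by host and port for a stable report order
    return sorted(merged.values(), key=lambda r: (-r["severity"], r["host"], r["port"]))

if __name__ == "__main__":
    for rec in normalize(SCANNER_CSV, MANUAL_NOTES):
        print(rec)
```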
Usually, Red Team operations cover quite voluminous infrastructures that require the use of specialized tools:
- Scanners and utilities for the perimeter inventory, with the possibility of separating work areas and sharing the results.
- Data processing systems during penetration testing.
- Using tools to analyze and manage vulnerabilities.
- Systems of sociotechnical campaigns.
Specialized software:
Attention: some of these products are shareware or have free versions. Some distributions may not be available in a particular region due to export policy restrictions.
- Cobalt Strike: a penetration testing framework. It is an advanced analogue of Armitage, which in turn is a GUI add-on over the Metasploit Framework. An advanced built-in scripting language makes the attacks as effective as possible.
- Dradis: Dradis Framework is an open source platform that simplifies collaboration and reporting in the field of information security. Dradis is a standalone web application that provides centralized storage of information. There are two versions: Community Edition (free) and Professional Edition (from $59). The pro version has more functionality, including integration capabilities, a reporting system, support (including priority support), available methodologies, etc. The functionality can be extended with plug-ins / add-ons.
- Faraday IDE: Faraday is the most powerful collaboration environment, true multiplayer penetration testing. It supports ArchAssault, Archlinux, Debian, Kali and OSX. It works in real time, instantly processing the results sent by one or another pentester. The framework is built around the concept of gamification: specialists are given the opportunity to compete on the number and quality of the vulnerabilities recorded.
- Nessus: one of the most popular vulnerability scanners, developed by Tenable Network Security. Until 2005 it was free open source software, and in 2008 a paid version of the product was released.
- OpenVAS: OpenVAS (Open Vulnerability Assessment System; the original name was GNessUs) is a framework consisting of several services and utilities that allows scanning network nodes for vulnerabilities and managing the vulnerabilities found.
- SE Toolkit: Social Engineering Toolkit, a classic multi-tool for conducting social engineering attacks.
- Gophish: an open source phishing framework that allows conducting mass phishing campaigns.
- Logstash / Elasticsearch / Kibana: solutions for a wide range of data collection, analysis and storage tasks.
In the comments, I am ready to answer your questions, both on the submitted software and on the Red Team operations.