Understanding common terms of the Red Team, these terms can help us better understand Red Team attacks.
Based on: RedTeam Development and Operations
Allow-List#
Allow list can also be called a whitelist, and the content in the whitelist is trusted. Whitelists are usually used to grant access to specific resources. By specifying rules in the whitelist, multiple rules can be specified, such as users, IPs, file extensions, domain names, etc. Only those that match the whitelist rules can access the resources. Compared to blacklists, creating a good rule list is generally considered a better practice, and whitelists enhance security by default denial rules.
ASSUMED BREACH#
The "assumed breach" model assumes that a certain level of access has been obtained before the red-blue attack and defense. Each organization has a different understanding of this exercise model. Immature organizations often argue that "assuming someone can invade a network is unusual," and those who ask "prove it" usually do not appreciate this attack and defense scenario. However, this assumption is very important when measuring whether a threat "can enter." If it is not a key target, using the "assumed breach" model will save time and money, and the red team can explore more targets. More mature organizations value this model more because it uncovers more threat scenarios from more complex attack threats.
BLUE CELL#
Also known as the blue team, the opposite team of the red team, mainly responsible for defensive work. The blue team is usually composed of blue team members, organizational management personnel, and internal technical personnel. They detect traffic from the red team through perception devices in the internal network.
BLUE TEAM#
The team responsible for defending against threat intrusion, the defensive side.
COMMAND AND CONTROL (C2)#
C2 refers to the attacker's remote control system (such as Cobalt Strike). C2 has a main server and a client. The client connects to the main server to generate payloads, uploads the payloads to the target server, and after the target server runs, bounces back the shell, and then controls the target server to execute any command.
C2 levels are usually divided into three categories: Interactive, Short Haul, and Long Haul. Sometimes they are labeled as levels 1, 2, or 3. Each level does not have any unique characteristics except for their different usage.
-
Interactive Level: Used for general commands, enumeration, scanning, data leakage, etc. This level has the most interaction and faces the greatest exposure risk. Plan to lose access in case of communication failure, proxy failure, or blue team action. Run enough interactive sessions to maintain access. Although it is interactive, it does not mean sending a large number of packets to the client. Use good judgment to minimize interaction to the extent necessary to perform operations.
-
Short Haul Level: Used as a backup plan to recover interactive sessions. Use covert communication integrated with the target. Slow callback time. Callback times of 1-24 hours are common.
-
Long Haul Level: Same as short haul, but lower and slower. Slow callback time. Callback times of more than 24 hours are common.
Different C2 categories are designed to prevent exposure and should not be mixed.
CONTROL CELL#
The role of the control cell is to act as a referee during the attack and defense exercise, coordinate the blue team and the red team, coordinate the progress of the game, control the participating environment and network, establish exercise rules, and supervise the execution of the ROE rules.
DENY-LIST#
A blacklist that denies access to specific resources. It is usually used to filter out harmful content.
ENGAGEMENT/EXERCISE CONTROL GROUP (ECG)#
The ECG is responsible for all activities during the exercise. The ECG consists of one or two senior management personnel (such as the CIO or COO), a member of the IT department, a liaison officer for the purple team and the red team. Additional personnel can be added as needed. Everyone is considered Trusted Agents.
EXFILTRATION#
The process of extracting sensitive information from a target through covert tunnels.
GET IN, STAY IN, ACT#
The three steps of a red team attack.
GET IN#
Obtain access to the target's internal network. The red team needs to obtain access to the target's network to enter the target's internal network environment and proceed with STAY IN and ACT. Access to the internal network can be obtained through legitimate intrusion or assuming that the internal network has been invaded.
STAY IN#
Establish a persistent connection in the internal network. The red team usually maintains permissions in the internal network to prevent detection by the blue team and disconnection of the connection.
ACT#
The stage of conducting internal network penetration, obtaining more targets, sensitive data, and achieving exercise goals.
IOC (INDICATOR OF COMPROMISE)#
An Indicator of Compromise (IOC) is a specific clue or indicator used in computer network security to identify and detect malicious activities. These clues or indicators can include characteristics of malware, abnormal behavior of systems and applications, modifications to system files, abnormal behavior of network traffic, abnormal activities of user accounts, etc.
IOCs can be used to detect and locate security vulnerabilities or attack behaviors in computer and network systems, as well as to prevent future security threats. When a system or application is attacked or infected by malware, IOCs can help security experts quickly identify, locate, and eliminate security threats. In addition, IOCs can be integrated with other security systems, such as intrusion detection systems, security information and event management systems, etc., to enhance the overall security performance of the system.
Some common IOCs include:
-
Hash values: Unique hash values of malware can be compared to identify and analyze them.
-
IP addresses and domain names: Identify network addresses of infected computers and communication servers to determine the source of the attack and command and control (C2) servers.
-
Abnormal behavior: Monitor activities in the system by comparing normal and abnormal behaviors, such as file changes, processes, and scheduled tasks.
-
Threat intelligence: Use publicly available information about malicious activities, such as hacker forums, vulnerability advisories, etc., to understand possible attackers, attack methods, and targets.
OPFOR#
Opposing forces.
OPLOG (OPERATOR LOG)#
Attack logs generated by red team operators during the exercise.
OPERATIONAL IMPACT#
The goals and effects achieved by the red team during the exercise, including the strategic, tactical, and operational impact on the target environment, as well as the assessment of the success of the mission.
Operational impact may vary in different attack and defense tasks and depends on the specific circumstances. For example, in a network penetration test, operational impact may include obtaining sensitive information, exploiting vulnerabilities to invade systems, setting up backdoors for persistence, etc. In a red team exercise, operational impact may include disrupting business processes, damaging critical equipment, stealing sensitive data, etc.
OPSEC#
Operational Security (OPSEC) is the attacker's security awareness of treating the defender as an enemy, focusing on key information that the enemy intelligence may observe, and whether it will lead to the enemy's utilization of this key information for tracing back. Specific measures are taken to eliminate or reduce the opponent's utilization of key information. In red team testing, OPSEC is used to understand the actions that the blue team may notice in order to minimize exposure.
Reference: 浅谈 OPSEC 和 C2
OUT BRIEF, EXECUTIVE#
The first meeting after the exercise, when the red team attack summary report is not yet available. The meeting is aimed at the management level and should include key personnel from the target organization. The results of the red team test may affect the future operation of the organization and require funding for vulnerability remediation or personnel changes. Management awareness and buy-in are crucial for using the results of the red team test to improve the organization's security posture in response to threats.
OUT BRIEF, TECHNICAL#
A technical meeting for two-way technical information exchange between the red team, blue team, and the organization. In this exchange, both the red team and the blue team provide highly detailed technical reviews of the execution process and results, including all relevant details. This is a combination of training and education and one of the most valuable opportunities for learning in all aspects.
PENETRATION TESTING#
The systematic examination of a target system within a defined time frame to discover vulnerabilities. In terms of business risk, penetration testing reduces the attack surface because fixing discovered vulnerabilities will reduce the attack surface. Penetration testing usually does not focus on how the entire organization responds to threats.
PERSISTENCE#
The process of maintaining network access in the target environment, using various techniques to maintain network connections.
Red Cell#
The red cell refers to the components that make up the attacking part of the red team, simulating strategic and tactical reactions to a designated target. The red cell is usually composed of red team leaders and operators and is often referred to as the "red team" rather than the "red cell."
Red Team#
The attacking team that simulates attacks from the perspective of threats or opponents.
RED TEAMING#
Red teaming is the process of simulating real-world threats using tactics, techniques, and procedures (TTPs) to train and assess the effectiveness of personnel, processes, and technologies used to protect the environment.
In terms of business risk, red teaming focuses on understanding the ability of security operations to handle threats through training or measurement. Technical findings are often revealed during the exercise, but they are not the focus. The goal of red teaming is to challenge the defensive strategies and assumptions of security operations to identify vulnerabilities or flaws in defense strategies. The goal of red teaming is to improve security operations through training or measurement.
RED TEAM LEAD#
The operational and administrative leader of the red team. Responsible for the participation, budget, and resource management of the red team, and provides supervision and guidance for participation, capabilities, and technologies. Ensure compliance with all laws, regulations, policies, and rules of engagement.
RED TEAM OPERATOR#
The red team attacker responsible for carrying out the attacks during the exercise.
As an attacker in the exercise, comply with all requirements of the red team lead, participate in tasks using the tactics, techniques, and procedures (TTPs) of the red team, and provide technical research and capability support to the red team. Record detailed logs at each stage of the mission and provide log and information support for the production of the final report.
RULES OF ENGAGEMENT (ROE)#
The rules of engagement (ROE) are intended to establish the responsibilities, relationships, and guidelines between the red team, the client, the system owners, and the executing participants to ensure the effective execution of the mission.
THREAT#
A potential cause that may lead to an incident, causing harm to systems and organizations. Threats in information security include any situation or event that may result in unauthorized access, destruction, disclosure, modification of information, or interruption of services, causing adverse effects on the organization's operations (including tasks, responsibilities, image, reputation), resources, individuals, other organizations, or countries.
THREAT MODE#
Threat modeling is a process that identifies potential threats or lack of appropriate security measures, lists them, and prioritizes measures to mitigate these threats.
THREAT EMULATION#
The process of simulating scenarios of threats invading an organization, simulating the effects of real invasions.
Threat emulation is the process of simulating the tactics, techniques, and procedures of a specific threat.
THREAT SCENARIO#
Scenarios focus on how defense solutions are executed and comply with the processes, procedures, policies, activities, personnel, organizations, environments, threats, restrictions, assumptions, and support involved in security tasks. Scenarios typically describe how threat roles interact with systems and networks in the target environment and simulate the effects of real invasions. In short, it answers the question of how the defense side dynamically executes operations to provide results, outputs, or evidence of defensive capabilities.
TTPs#
Tactics, techniques, and procedures.
VULNERABILITY ASSESSMENT#
A systematic examination of information systems to determine if organizational security measures are sufficient, identify security flaws, provide data to support the effectiveness of security measures, and confirm the adequacy of measures after implementation. In terms of business risk, vulnerability assessments aim to minimize the attack surface by reducing the attack surface through vulnerability remediation.
webshell#
A webshell is a command-line interface executed on a web server that allows attackers to interact with the server through a web application and execute system commands. Attackers can use webshells to gain sensitive information from the server, modify files, upload malicious code, etc.