Red Team Assessment

Editorial Type: Case Study Date: 2019-03-01 Views: 805 Tags: Security, Bridewell Consulting
Bridewell Consulting were engaged by a financial services organization were looking to undertake a real-world test of their security controls

A large financial organisation engaged Bridewell Consulting to discuss providing a testing scenario that could simulate real world attack scenario. This organisation placed a large focus and pride on the security of their network perimeter, providing a significant amount of confidence to their board that they would be protected from any form of external cyber attack. Bridewell’s account manager and security consultants held several meetings to fully understand the client’s requirements, agree timescales and identify the core scope and objectives of the assessment, which were identified as;

• A real-world approach would be taken, simulating attacks from all possible vectors and without scope limitations with the exception of denial of service attacks.

• Attack vectors could include social engineering, physical access attempts, active reconnaissance and full suite of technical penetration testing techniques such as infrastructure, web applications, mobile applications and controlled forms of malware deployment.

Bridewell agreed that the engagement would be undertaken over the period of 3 months and from the point of contract signature and go-live, there would be no further contact between the parties (with the exception of any validation of testing vs real-life attacks taking place).

ENGAGEMENT MILESTONES
In addition to the detailed scoping requirements, Bridewell agreed an overview of the key milestones with the client, so that the Executive Board could be available for presentation of the assessment findings following completion. Key milestones of the assessment were;

• Identify scope, objectives of the assessment and the client and safeguards.
• Agree start and end dates.
• Conduct multi-faceted testing techniques.
• Conclude testing.
• Presentation to Executive Board.

GETTING TO WORK
Following agreement with the client Bridewell assembled their internal team. This consisted of various employees across the company, each with various skill sets that range across technical skills, physical entre and social engineering. It is key that multiple attack vectors are effective and for that we needed various skills and people.

RECONNAISSANCE IS KEY
Bridewell’s team of consultants devised a detailed plan and storylines for the assessment, which commenced with a reconnaissance phase to build a more detailed picture of the client, understand any weaknesses and to ensure that any attacks were credible. This consisted of:

Physical – Bridewell Consultants performed reconnaissance on several client sites across the country, which consisted of assessing the physical security controls, dress code such as lanyards, company culture in terms of behaviours like tailgating and finally whether any wireless signals were broadcasting from nearside building locations.

Online - Bridewell carried out reviews of the client’s website, job descriptions, social media and Open Source Intelligence (OSINT).

Technical vulnerabilities – Bridewell also performed checks against the client’s external infrastructure to ascertain any entry points or open ports that can be utilised against the client.

Relationship building – Several LinkedIn profiles were created and Bridewell started building relationships with the employees of the client, enquiring about roles within the company over telephone and email. ATTACK PATHS TO SUCCESS
Following the reconnaissance phase Bridewell utilised several attack methods to obtain a foothold, which were focused around physical access to enable remote access into the network and social engineering to deliver malware payloads.

GAINING PHYSICAL AND REMOTE ACCESS
Bridewell developed a remote access device using a Raspberry Pi. We were able to ascertain that there was a seven second delay between an access card being swiped and we cloned the client’s badge to obtain physical access. Following successful attempt into the building, Bridewell plugged in a remote access device and were able to successfully connect into the client network. Bridewell consultants commenced assessing the internal infrastructure where they were able to exploit a known vulnerability, which provide local access to a server and associated credentials from within the server’s memory. Following account compromise Bridewell accessed other services until eventually gaining Domain Administrator privileges. Bridewell pivoted further into various network segments and managed to gain access to the client’s main customer database, which consisted of an approximate 5 million customer records.

SOCIAL ENGINEERING AND MALWARE DEPLOYMENT
Bridewell had built several relationships with individuals across the client’s various departments but decided to focus around the Human Resources (HR) area, applying for a role within their IT teams. This was done by creating fake LinkedIn profiles, CV’s and contacting the department via telephone to discuss the various roles. Bridewell had also developed their own malware, which if successfully executed would provide our consultants with remote access onto the infected user device. The malware was tested in a mock environment to maximise the chances of successfully bypassing the client’s mail filters. Following further assessment of the client’s external infrastructure and liaising with the HR Department Bridewell also discovered that the client was using a well known email filtering product. However, on further analysis Bridewell discovered a configuration within the implementation of the product that was available for Bridewell to exploit in order to bypass the mail filtering completely.

Bridewell were able to send email attachments to the client and successfully deploy the malware onto the client’s laptops, which provided Bridewell Consultants remote access to a large set of personal data files, which were screen shot for evidence gathering.

PRESENTING THE KEY OUTCOMES AND FINDINGS
Following the assessment period Bridewell met with the Executive Board to present the full details of the assessment approach, whether they were successful in their attempts and the findings. The assessment began with Bridewell Consultants having no knowledge or access of the client’s systems or premises and concluded with Bridewell having the highest levels of access to the client’s network and the highest levels of access to their key customer database, which contained approximately five million records.

Bridewell walked the board members through each phase of the engagement, explaining some of the complex aspects of the test in a way that could be understood by some of the non-technical audience. The client thanked Bridewell for the assessment but also the professional, proportionate approach in presenting the findings to the board. Following the assessment Bridewell were also requested to continue to work with the client and help them improve their internal security architecture, so identify and prevent similar attack scenarios and a layered approach to security.