For some people Red Teaming seems to be something like the holy grail, and many people want to do it. In my opinion a Red Teamer should have experience in Penetration Testing before starting. Some experience in DFIR might also be useful, or at least you should have some understanding of this topic.
For me (I have been planning and leading internal Red Team engagements for about two years now), Red Teaming is very different from pentesting, although pentesting experience is important.
“Penetration testers have this problem where they frequently can’t see past the end of their Kali USB. They establish the false equivalence of: “China hacked $X; I can hack $X; therefore, I am an APT and an APT is like me.” An APT is literally the instantiation of a nation state’s will. It is not a toolchain.”
This sums up my experience. Some pentesters think: OK, let's just use BloodHound, Mimikatz and Empire and start firing; once I am domain admin, it is red teaming. Well, maybe kind of.
But do real attackers think that way? Think more about WHY a malicious actor is trying to hack you, and then how. What are attackers looking for? That might define the scope of your engagement. You should read threat intel and incident reports to stay up to date regarding TTPs and scope. When doing Red Teaming you should start thinking more in this direction.
I also tend to go through single scenarios, and not only full blown attack simulations, like:
• Account compromise
• Exfiltration if possible
• APT traffic simulation for testing and enhancing capabilities of the blue team
• Water Holing
• Malware Simulation
This is also a good starting point for advancing a penetration tester's career, since usually you are not able to start with full blown Red Team engagements.
I can recommend "The Hacker Playbook" series; my review of the third issue is here. Further, the book "Advanced Penetration Testing" is a good read.
The Hacker Playbook 3
Author: Peter Kim
Content: Main focus is on Red Teaming
Career: Penetration Tester
Level: Intermediate, Expert
This week I read the great book The Hacker Playbook 3 by Peter Kim. The focus of the book lies on Red Teaming; it makes sense to also read the first two books if you do not have prior knowledge of penetration testing.
- Difference between pentesting and red teaming
- MITRE ATT&CK framework
- Tools setup
- Reconnaissance phase
- optional lab setup & exercises
- about web attacks like node.js, NoSQL injections, deserialization attacks and more
- hacking the (windows) network for example with responder, password spraying
- privilege escalation with misconfigured services, exploit suggester and more
- mimikatz magic of course
- attacks on macs with empire
- bloodhound and sharphound
- lateral movement using different techniques
- social engineering campaigns & physical attacks
- recompile meterpreter dlls for avoiding detection
- password cracking
- write your own droppers
I highly recommend this book; especially if you are into Red Teaming it is a good resource. Maybe a report about owning the Cyber Space Kittens lab would have been nice, since reporting in Red Teaming is a non-trivial task.
x33fcon is a nice & small conference in Gdynia, Poland, near Gdansk.
“Welcome to x33fcon, a new gathering for IT security professionals and enthusiasts. It’s a new event where blue and red teams meet to exchange views and ideas, share experiences, and discuss the latest security challenges in the industry.”
The ticket price is low (also if you plan to travel there privately), the content was really professional and interesting, a bit more than someone might expect when you see the size of the con. Kudos to the organizers for getting so many interesting speakers and talks. Besides the talks there is also a CTF and workshops, and after the conference trainings take place. There is also some great food for lunch, and in the breaks there is coffee and small snacks. The breaks are long, so you have some time to talk with speakers and other folks around. It seems that ATT&CK is the hot topic currently; at x33fcon alone they had three talks about it.
From my point of view as a Red Teamer, some more talks about breaking stuff on the exploitation level would have been great. x33fcon is a great conference; the only criticism from my side is that the attendees are being filmed in every talk from any perspective possible. At other conferences they ask before taking photos or filming; maybe that might be an idea instead of filming the whole audience.
Besides the conference Gdynia, Gdansk and the beaches around are really nice:
Conclusion: Highly recommended.