This is how company employees usually “sting” in Red Team exercises
In Red Team exercises, it is necessary to deceive company employees to achieve the objectives set. Bad cybersecurity practices, carelessness, lack of knowledge, low awareness of the dangers of cyberattacks…
Employees are often the weakest link in a company’s defensive strategy. This is why malicious actors seek to deceive company employees to gain a vector of entry into their technological infrastructure.
Considering that Red Team exercises are simulations of cyberattacks in which cybersecurity professionals use cybercriminals’ techniques, tactics and procedures, it should come as no surprise that one of their tasks is to trick company employees into falling for their trickery.
1. Tricking company employees in Red Team exercises to break into companies is only the first step
Just like cybercriminals do, Red Team practitioners use social engineering techniques to trick the employees of the companies in which they conduct their exercises. It is, therefore, critical that professionals are susceptible to being duped.
Phishing, spear phishing, smishing, vishing… Social engineering allows Red Team teams to get company employees to perform an action that allows them to access corporate networks.
Once inside a company’s network, the Red Team can continue to advance in the Cyber Kill Chain until the objectives established when designing the exercise are met.
2. Objective of the Red Team: To test the entire organization.
In this sense, we must remember that a Red Team campaign needs to have a broad scope, contemplating multiple situations associated with possible real engagement scenarios to provide coverage as close to reality as possible that brings added value to the client.
Throughout this time, Red Team professionals evaluate what actions they can carry out and develop various techniques, tactics and procedures. The work is as comprehensive as possible and representative of a real engagement so that all the problems and weaknesses the company has in terms of cybersecurity can be analyzed and detected.
To do this, the Red Team needs to test the organization’s defensive capabilities in a comprehensive manner. This involves assessing:
- Technology.
- Processes.
- The behavior of the people who are part of the company.
3. Credential theft techniques
With regard to the techniques used by Red Team professionals to deceive company employees, we can highlight two main types that revolve around spear phishing campaigns against specific targets within organizations.
The first of these is the techniques used to steal credentials. Specific users are enticed to access a legitimate-looking web environment, such as a fake login portal, through email or other means, such as SMS or phone calls. For example, a company professional may be asked to sign a certain document. To do so, he or she must authenticate on the company’s portal by entering his or her credentials.
An essential factor in the success of these techniques for tricking company employees in Red Team exercises is the credibility of the context given to the professionals. If the email and request match the company’s daily operations, it is unlikely to arouse suspicion. Even more so when the fake website is aesthetically consistent with the page that is being impersonated.
Employing credential theft techniques, you can get a user’s username and password and force a real authentication, to stand in the middle and get a session token when login and password have been validated.
Why is the session so important? Thanks to it, the Red Team can access corporate resources, even if the login procedure requires a two-factor authentication. In addition, the session can be valid for days, so it is unnecessary to use login and password again to log in.
4. Infection-oriented techniques
The other major group of techniques commonly used by cybersecurity professionals to trick company employees in Red Team exercises are techniques used to infect corporate computers.
In this case, the aim is to get workers to download and install malware. If we return to the example above, a professional can be convinced that to sign the document, he or she must download and execute the file.
Once the malware is installed on a computer, it is already compromised. In addition, Red Team’s teams pre-test the software they use to ensure that it is not detectable by defensive mechanisms and no alerts are generated.
As mentioned above, once Red Team professionals have already compromised a machine or have access credentials, they are already inside the corporate network and can move up the Cyber Kill Chain as cybercriminals would do.
5. Non-phishing techniques to deceive company employees in Red Team exercises
In addition to the techniques we have just explained, in which phishing plays a predominant role and is the most commonly used, Red Team teams can also resort to other methods in which both deception and employee carelessness come into play.
A. Creating fake access points
Illegitimate access points (APs) can be created with the same name as real APs to trick users into trying to log in, present them with a corporate-looking dashboard, and get them to enter their credentials.
B. Collecting credentials through improper configuration on personal mobiles
In many companies, there is a Bring Your Own Device policy; hence, corporate devices and personal devices such as cell phones are used. In case corporate network access profiles have been set up without defining all appropriate security measures, it is possible for an attacker to collect authentication flows that can be cracked to eventually retrieve the credentials in clear text. In this way, a way into the company could be gained via the WiFi network.
C. Exposure of corporate credentials on external platforms
This technique is often used as a complement to others and consists of using:
- Personal credentials of company professionals that they reuse in the corporate environment.
- Users and passwords obtained in previous attacks can be found on platforms and are still valid.
- Exploiting secrets that are unintentionally published in public code repositories. For example, think of an API key that allows access to an application.
D. Watering Hole
On a day-to-day basis, a company’s professionals may routinely access platforms that are not part of the company’s internal network. As a result, employees have full confidence in these external providers and are less cautious about accessing them.
This technique seeks to compromise an external platform the organization uses and exploits to gain access to the company, either, for example, by obtaining a user’s credentials or by forcing the installation of some apparently legitimate software.
This technique is not so commonly used in the course of a Red Team because it involves attacking platforms outside the company where the exercise is being carried out, but it is a very dangerous malicious technique because it is difficult to detect.
E. USB Dropping
This is a social engineering technique that involves leaving a device with malicious software in the vicinity of a company. Some worker picks it up and plugs it into his computer out of mere curiosity. In this way, the device is infected.
F. Deployment of fraudulent devices in the company
In line with the previous technique, it is also possible for Red Team professionals to take advantage of the inattention of company employees and connect malicious devices to corporate computers without any staff member noticing.
Conclusions: Test your company with a Red Team exercise
In short, Red Team teams have extensive knowledge and experience to deceive corporate workers in Red Team exercises successfully. This is because:
- They have a wealth of information on the techniques, tactics and procedures malicious actors use to attack companies.
- They can conduct representative simulations of real cyber-attacks.
- They test organizations as a whole and gain a broad overview of weaknesses that malicious actors could successfully exploit.
- They propose recommendations to remedy problems and strengthen the cybersecurity level of companies.
If you want to prevent your company’s employees from “taking the bait”, contact our team to set up a Red Team exercise.