Cybersecurity Attacks: Red Team Strategies
Johann Rehberger. Updated: 2021-06-30 15:01:39
Latest chapter: Leave a review - let other readers know what you think
Cover
Cybersecurity Attacks – Red Team Strategies
Why subscribe?
Contributors
About the author
About the reviewers
Packt is searching for authors like you
Preface
A note about terminology
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Disclaimer
Section 1: Embracing the Red
Chapter 1: Establishing an Offensive Security Program
Defining the mission – the devil's advocate
Getting leadership support
Convincing leadership with data
Convincing leadership with actions and results
Locating a red team in the organization chart
The road ahead for offensive security
Building a new program from scratch
Inheriting an existing program
People – meeting the red team crew
Penetration testers and why they are so awesome!
Offensive security engineering as a professional discipline
Strategic red teamers
Program management
Attracting and retaining talent
Diversity and inclusion
Morale and team identity
The reputation of the team
Providing different services to the organization
Security reviews and threat modeling support
Security assessments
Red team operations
Purple team operations
Tabletop exercises
Research and development
Predictive attack analysis and incident response support
Additional responsibilities of the offensive program
Security education and training
Increasing the security IQ of the organization
Gathering threat intelligence
Informing risk management groups and leadership
Integrating with engineering processes
I feel like I really know you – understanding the ethical aspects of red teaming
Training and education of the offensive security team
Policies – principles, rules, and standards
Principles to guide and rules to follow
Acting with purpose and being humble
Penetration testing is representative and not comprehensive
Pentesting is not a substitute for functional security testing
Letting pen testers explore
Informing risk management
Rules of engagement
Adjusting rules of engagement for operations
Geographical and jurisdictional areas of operation
Distribution of handout cards
Real versus simulated versus emulated adversaries
Production versus non-production systems
Avoiding becoming a pawn in political games
Standard operating procedure
Leveraging attack plans to track an operation
Mission objective – what are we setting out to achieve or demonstrate?
Stakeholders and their responsibilities
Codenames
Timelines and duration
Understanding the risks of penetration testing and authorization
Kick-off meeting
Deliverables
Notifying stakeholders
Attack plan during execution – tracking progress during an operation
Reconnaissance tasks and results
Attack scenarios
Covering vulnerability classes
Managing defects and incidents
Purple team sync and triage meetings
Documenting activities
Screenshots and logs
Screen recordings
Peer testing
Wrapping up an operation
Cleaning up and archiving
Eviction and remediation support
Report and summaries
Debrief
Reflecting
Overarching information sharing via dashboards
Contacting the pen test team and requesting services
Modeling the adversary
Understanding external adversaries
Considering insider threats
Motivating factors
Anatomy of a breach
Establishing a beachhead
Achieving the mission objective
Breaching web applications
Weak credentials
Lack of integrity and confidentiality
Cyber Kill Chain by Lockheed Martin
Anatomy of a cloud service disaster
Modes of execution – surgical or carpet bombing
Surgical
Carpet bombing
Environment and office space
Open office versus closed office space
Securing the physical environment
Assemble the best teams as needed
Focusing on the task at hand
Summary
Questions
Chapter 2: Managing an Offensive Security Team
Understanding the rhythm of the business and planning Red Team operations
Planning cycles
Offsites
Improving team coherence and identity
Sharing information
Brainstorming ideas for the future
Wrapping up offsite sessions early!
Encouraging diverse ideas and avoiding groupthink
Planning operations – focus on objectives
Impacting system availability
Simulating data/system deletion
Data exfiltration
Ransomware
Cryptocurrency mining
Testing for account takeovers and other client-side attacks
Planning operations – focus on assets
Planning operations – focus on vulnerabilities
Planning operations – focus on attack tactics, techniques, and procedures
Planning operations – focus on STRIDE
Spoofing
Tampering
Repudiation
Information disclosure
DoS
Elevation of privilege
Managing and assessing the team
Regular 1:1s
Conveying bad news
Celebrating success and having fun
Management by walking around
Managing your leadership team
Managing yourself
Handling logistics, meetings, and staying on track
Team meetings
Working remotely
Continuous penetration testing
Continuous resource adjustment
Choosing your battles wisely
Getting support from external vendor companies
Growing as a team
Enabling new hires quickly
Excellence in everything
Offensive security test readiness
Building an attack lab
Leading and inspiring the team
For the best results – let them loose!
Leveraging homefield advantage
Finding a common goal between red, blue, and engineering teams
Getting caught! How to build a bridge
Learning from each other to improve
Threat hunting
Growing the purple team so that it's more effective
Offensive techniques and defensive countermeasures
Surrendering those attack machines!
Offensive security operations and tooling improvements
Providing the blue team with hands-on forensics investigation opportunities
Active defense, honeypots, and decoys
Protecting the pen tester
Performing continuous end-to-end test validation of the incident response pipeline
Combatting the normalization of deviance
Retaining a healthy adversarial view between red and blue teams
Disrupting the purple team
Summary
Questions
Chapter 3: Measuring an Offensive Security Program
Understanding the illusion of control
The road to maturity
Strategic red teaming across organizations
The risks of operating in cloak-and-dagger mode
Tracking findings and incidents
Providing necessary metadata
Integrating with the risk management process
Establishing timelines for triage and fixes
Exceptions! Accepting risks to the business
Repeatability
Automating red teaming activities to help defenders
Protecting information – securing red team findings
Measuring red team persistence over time
Tackling the fog of war
Threats – trees and graphs
Building conceptual graphs manually
Automating discovery and enabling exploration
Defining metrics and KPIs
Tracking the basic internal team commitments
Attack insight dashboards – exploring adversarial metrics
Red team scores
Gamifying security
Reporting on findings
Blast radius visualization
Reporting on compromised accounts
Tracking the severity of findings and measuring risks
Moving beyond ordinal scores
Using mean-time metrics
Experimenting with Monte Carlo simulations
Threat response matrix
Test Maturity Model integration (TMMi) and red teaming
Level 2: Managed
Level 3: Defined
Level 4: Measured
Level 5: Optimized
Level 6: Illusion of control – the red team strikes back
MITRE ATT&CK Matrix
MITRE ATT&CK Navigator
Visualizing the red and blue team views
Visualizing the combined purple team view
Remembering what red teaming is about
Summary
Questions
Chapter 4: Progressive Red Teaming Operations
Exploring varieties of cyber operational engagements
Cryptocurrency mining
Mining cryptocurrency to demonstrate the financial impact – or when moon?
Red teaming for privacy
Getting started with privacy focused testing
Customer data in widely accessible locations
Malicious insider and privacy implications
Exploiting system vulnerabilities or weaknesses
Performing de-anonymization attacks
Sending a virtual bill to internal teams
Red teaming the red team
Targeting the blue team
Leveraging the blue team's endpoint protection as C2
Social media and targeted advertising
Targeting telemetry collection to manipulate feature development
Attacking artificial intelligence and machine learning
Operation Vigilante – using the red team to fix things
Emulating real-world advanced persistent threats (APTs)
Performing tabletop exercises
Involving the leadership team in exercises
Summary
Questions
Section 2: Tactics and Techniques
Chapter 5: Situational Awareness – Mapping Out the Homefield Using Graph Databases
Understanding attack and knowledge graphs
Graph database basics
Nodes or vertices
Relationships or edges
Properties or values
Labels
Building the homefield graph using Neo4j
Exploring the Neo4j browser
Creating and querying information
Creating a node
Retrieving a node
Creating relationships between nodes
Indexing to improve performance
Deleting an object
Deleting all objects from the database
Alternative ways to query graph databases
Summary
Questions
Chapter 6: Building a Comprehensive Knowledge Graph
Technical requirements
Case study – the fictional Shadow Bunny corporation
Employees and assets
Employees and group memberships
Assets
Building out the graph
Creating accounts, groups, and group memberships
Creation of computer nodes
Adding relationships to reflect the administrators of machines
Configuring the query editor to allow multi-statement queries
Who uses which computer?
Mapping out the cloud!
Importing cloud assets
Creating an AWS IAM user
Leveraging AWS client tools to export data
Installing the APOC plugin
Using APOC to import JSON data into Neo4j
Loading CSV data into the graph database
Loading CSV data and creating nodes and relationships
Grouping data
Adding more data to the knowledge graph
Active Directory
Blue team and IT data sources
Asset management systems
Non-collaborative blue team?
Cloud assets
OSINT, threat intel, and vulnerability information
Address books and internal directory systems
Discovering the unknown and port scanning
Augmenting an existing graph or building one from scratch?
Summary
Questions
Chapter 7: Hunting for Credentials
Technical requirements
Clear text credentials and how to find them
Looking for common patterns to identify credentials
Hunting for interesting patterns and strings
Using old-school findstr on Windows
Retrieving stored Wi-Fi passwords on Windows
Tooling for automated credential discovery
Leveraging indexing techniques to find credentials
Using Sourcegraph to find secrets more efficiently
Searching for credentials using built-in OS file indexing
Using Windows Search and directly querying the system index database
Options for using Windows Search
Exploring more advanced full-text search features
Searching remote machines
Using mdfind and Spotlight on macOS
Indexing code and documents using Apache Lucene and Scour
Hunting for ciphertext and hashes
Hunting for ciphertext
Hunting for hashes
Windows – LM, (Net-)NTLM, and NT Hash
Looking at shadow files on Linux
Accessing hashes in the directory service on macOS
Bash Bunny – stealing password hashes from locked workstations
Summary
Questions
Chapter 8: Advanced Credential Hunting
Technical requirements
Understanding the Pass the Cookie technique
Credentials in process memory
Walkthrough of using ProcDump for Windows
Understanding Mimikittenz
Dumping process memory on Linux
Debugging processes and pivoting on macOS using LLDB
Using Mimikatz offline
Abusing logging and tracing to steal credentials and access tokens
Tracing the WinINet provider
Exploring the EVT file
Decrypting TLS traffic using TLS key logging
Searching log files for credentials and access tokens
Peeking at shell command-line history files
Searching Windows Event Log for process creation events
Looking for sensitive information in command-line arguments
Using ps to explore command-line arguments
Using Task Manager and WMI on Windows to look at command-line arguments
Windows Credential Manager and macOS Keychain
Understanding and using Windows Credential Manager
Enumerating secrets using cmdkey.exe
Reading secrets from Credential Manager using CredMan.ps1
Looking at the macOS Keychain
Using optical character recognition to find sensitive information in images
Exploiting the default credentials of local admin accounts
Phishing attacks and credential dialog spoofing
Spoofing a credential prompt using osascript on macOS
Spoofing a credential prompt via zenity on Linux
Spoofing a credential prompt with PowerShell on Windows
Credential dialog spoofing with JavaScript and HTML on the web
Using transparent relay proxies for phishing
Performing password spray attacks
Leveraging PowerShell to perform password spraying
Reviewing password policy settings
Performing password spraying from macOS or Linux (bash implementation)
Summary
Questions
Chapter 9: Powerful Automation
Technical requirements
Understanding COM automation on Windows
Using COM automation for red teaming purposes
Using PowerShell to invoke COM objects
Using VBScript to create COM objects
Achieving objectives by automating Microsoft Office
Automating sending emails via Outlook
Using COM automation for effective phishing attacks
Searching inboxes for passwords and secrets
Automating Microsoft Excel using COM
Searching through Office documents using COM automation
Windows PowerShell scripts for searching Office documents
Automating and remote controlling web browsers as an adversarial technique
Leveraging Internet Explorer during post-exploitation
Automating and remote controlling Google Chrome
Using Chrome remote debugging to spy on users!
Cleaning up and reverting changes
Exploring Selenium for browser automation
Understanding the prerequisites to leverage automation
Using ChromeDriver via PowerShell scripting
Using Firefox and Edge with Selenium
Capturing screenshots
Exfiltrating information via the browser
Summary
Questions
Chapter 10: Protecting the Pen Tester
Technical requirements
Locking down your machines (shields up)
Limiting the attack surface on Windows
Becoming stealthy on macOS and limiting the attack surface
Exploring the application firewall
Diving into packet filtering using pfctl
Enabling packet filtering upon reboots
Configuring the Uncomplicated Firewall on Ubuntu
Locking down SSH access
Considering Bluetooth threats
Keeping an eye on the administrators of your machines
Enumerating administrators on Windows
Enumerating administrators and superusers on macOS and Linux
Using a custom hosts file to send unwanted traffic into a sinkhole
Keeping a low profile on Office Delve, GSuites, and Facebook for Work
Securely deleting files and encrypting hard drives
Improving documentation with custom Hacker Shell prompts
Customizing Bash shell prompts
Customizing PowerShell prompts
Improving cmd.exe prompts
Automatically logging commands
Using Terminal multiplexers and exploring shell alternatives
Multiplexing the Terminal experience
Exploring alternative shell environments
Monitoring and alerting for logins and login attempts
Receiving notifications for logins on Linux by leveraging PAM
Setting up mail notifications for logins on Linux
Testing the configuration for sending emails
Adding pop-up notifications to the desktop experience
Notification alerts for logins on macOS
Alerting for logins on Windows
Using EventLogWatcher to bootstrap notifications
Leveraging scheduled tasks and custom event filters for notifications
Summary
Questions
Chapter 11: Traps, Deceptions, and Honeypots
Technical requirements
Actively defending pen testing assets
Understanding and using Windows Audit ACLs
Configuring a file to be audited by Windows using SACLs
Triggering an audit event and changing the Windows Audit Policy
Notifications for file audit events on Windows
Sending notifications via email on Windows
Creating a Scheduled Task to launch the Sentinel monitor
Building a Homefield Sentinel – a basic Windows Service for defending hosts
Installing Visual Studio Community Edition and scaffolding a Windows Service
Adding basic functionality to the scaffold
Adding logging functionality to the service
Leveraging a configuration file to adjust settings
Adding an installer to the service
Uninstalling the Homefield Sentinel service
Monitoring access to honeypot files on Linux
Creating a honeypot RSA key file
Using inotifywait to gain basic information about access to a file
Leveraging auditd to help protect pen test machines
Modifying the auditd configuration
Notifications using event dispatching and custom audisp plugins
Alerting for suspicious file access on macOS
Leveraging fs_usage for quick and simple file access monitoring
Creating a LaunchDaemon to monitor access to decoy files
Observing the audit event stream of OpenBSM
Configuring OpenBSM for auditing read access to decoy files
Summary
Questions
Chapter 12: Blue Team Tactics for the Red Team
Understanding centralized monitoring solutions that blue teams leverage
Using osquery to gain insights and protect pen testing assets
Installing osquery on Ubuntu
Understanding the basics of osquery
Using osquery interactively
Understanding and leveraging the osquery daemon
Using osquery to monitor access to decoy files
Leveraging Filebeat, Elasticsearch, and Kibana
Running Elasticsearch using Docker
Installing Kibana to analyze log files
Configuring Filebeat to send logs to Elasticsearch
Alerting using Watcher
Summary
Questions
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Another Book You May Enjoy
Leave a review - let other readers know what you think