For the majority of people in the information security world, the act of offensive hacking is something they are tasked with protecting against but have little ability to do themselves. That is like asking a professional boxer to enter the ring without knowing how to throw a punch. Sure, you may be able to get in and last a few rounds, but eventually, a formidable opponent will wear you down and knock you out.
In the information security world, the individuals who perform offensive hacking against your own organizational assets are known as the red team. On the flip side, those defending against attacks are known as the blue team. Each team has its own unique set of skills. In an ideal world, both teams work together and learn from each other, which is aptly called a purple team.
However, many organizations do not have the budget in the security team to operate a red team. The focus is heavily on protecting what is in house, and the resources to do that are often stretched thin. If your staff is already understaffed and overworked, there are not many options for introducing red teaming into your organization. If you are able to, though, there are ways to gain the benefits of red teaming without the operational overhead of running a full red team program.
Two of the better free tools I use when performing security assessments are Atomic Red Team and Caldera. Atomic Red Team is from Red Canary and has a repository of hundreds of atomics, individual tests mapped directly to MITRE ATT&CK techniques. The beauty of these atomics is that they provide simple commands you can run directly on assets to test the security of the endpoint. For example, copy a command into a PowerShell prompt to attempt the ATT&CK technique Bypass User Account Control. Caldera is also mapped to the MITRE ATT&CK framework, as it is made by the fine people at MITRE. Caldera is based on an agent that is deployed to your endpoints. The agent can then chain multiple techniques together to determine whether they are able to run successfully. This lets you automate much of what is in Atomic Red Team without even launching a command prompt.
Testing your organization to see if something is able to run is only half the battle. There are also the blue team operations, which are equally, if not more, important. Each organization will have its own security tools that collect log data from endpoints. On Windows-based machines, I like to use Sysmon, a free Sysinternals tool that collects process-level data and writes it to the Windows Event Log. Likewise, each organization should be sending its logs to a centralized log management solution, such as Tripwire Log Center. In keeping with the free tools, I like to use the Elastic Stack to collect, normalize, store, and search through logs. Winlogbeat collects the Sysmon logs from the event log and sends them to Elasticsearch, and Kibana is then used to search and visualize the data in Elasticsearch.
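To tie the two halves together, here is an added example that is not code from the original post, Red Canary, MITRE, or Elastic. It models the trace a fodhelper-style UAC bypass leaves in Sysmon (a registry write to HKCU\Software\Classes\ms-settings\shell\open\command, logged by Sysmon as an Event ID 13 SetValue under HKU\<SID>\..., followed by the auto-elevating fodhelper.exe appearing as an Event ID 1 process create at High integrity with a child of its own) and hunts for that chain the way you would over data Winlogbeat has shipped into Elasticsearch. The events are constructed by hand with placeholder ProcessGuids ({g0} to {g4}); the field names are Sysmon's own, which assumes you have flattened the event data to those keys; and the hijack key path, the list of auto-elevating binaries, and the 60-second correlation window are hunting assumptions of mine rather than anything the post specifies.

```python
# Added example (not from the original post). Hunts Sysmon data for a
# fodhelper-style UAC bypass: a registry hijack of
# HKCU\Software\Classes\ms-settings\shell\open\command followed by the
# auto-elevating fodhelper.exe spawning a High-integrity child.
# Assumption: Winlogbeat event data has been flattened to Sysmon's own
# field names (EventID, Image, ParentImage, TargetObject, ...).
import ntpath
from datetime import datetime

# Key consulted by fodhelper.exe; Sysmon logs HKCU as HKU\<SID>\...
HIJACK_KEY = r"\software\classes\ms-settings\shell\open\command"
# Auto-elevating binaries worth watching (assumption: a hunter-maintained list).
AUTO_ELEVATE = {"fodhelper.exe"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
FODHELPER = r"C:\Windows\System32\fodhelper.exe"
CMD = r"C:\Windows\System32\cmd.exe"
KEY = r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\shell\open\command"

# Constructed sample events (not real captures); {g0..g4} stand in for GUIDs.
EVENTS = [
    {"EventID": 1, "UtcTime": "2020-02-10 14:00:00.100", "ProcessGuid": "{g1}",
     "ParentProcessGuid": "{g0}", "Image": PS, "ParentImage": EXPLORER,
     "IntegrityLevel": "Medium", "User": r"LAB\alice"},
    {"EventID": 13, "UtcTime": "2020-02-10 14:00:05.200", "EventType": "SetValue",
     "ProcessGuid": "{g1}", "Image": PS, "TargetObject": KEY + r"\(Default)",
     "Details": CMD + " /c whoami /groups"},
    {"EventID": 13, "UtcTime": "2020-02-10 14:00:05.300", "EventType": "SetValue",
     "ProcessGuid": "{g1}", "Image": PS, "TargetObject": KEY + r"\DelegateExecute",
     "Details": ""},
    {"EventID": 1, "UtcTime": "2020-02-10 14:00:06.000", "ProcessGuid": "{g2}",
     "ParentProcessGuid": "{g1}", "Image": FODHELPER, "ParentImage": PS,
     "IntegrityLevel": "High", "User": r"LAB\alice"},
    {"EventID": 1, "UtcTime": "2020-02-10 14:00:06.400", "ProcessGuid": "{g3}",
     "ParentProcessGuid": "{g2}", "Image": CMD, "ParentImage": FODHELPER,
     "IntegrityLevel": "High", "User": r"LAB\alice"},
    # Benign noise: the same user opening Notepad from the desktop.
    {"EventID": 1, "UtcTime": "2020-02-10 14:01:00.000", "ProcessGuid": "{g4}",
     "ParentProcessGuid": "{g0}", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": EXPLORER, "IntegrityLevel": "Medium", "User": r"LAB\alice"},
]


def _basename(path):
    return ntpath.basename(path).lower()


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def process_chain(guid, procs):
    """Walk ParentProcessGuid links upward; return image basenames root->leaf.
    The topmost parent usually predates Sysmon and has no Event ID 1 of its
    own, but its name is still recoverable from the child's ParentImage."""
    chain, seen = [], set()
    while guid in procs and guid not in seen:
        seen.add(guid)
        ev = procs[guid]
        chain.append(_basename(ev["Image"]))
        parent = ev.get("ParentProcessGuid")
        if parent not in procs:
            chain.append(_basename(ev["ParentImage"]))
        guid = parent
    chain.reverse()
    return chain


def hunt_uac_bypass(events, window_seconds=60):
    """One finding per High-integrity child of an auto-elevating binary whose
    lineage wrote the hijack key within window_seconds before the launch."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    hijacks = [e for e in events
               if e["EventID"] == 13 and e.get("EventType") == "SetValue"
               and HIJACK_KEY in e["TargetObject"].lower()]
    findings = []
    for launch in procs.values():
        if _basename(launch["Image"]) not in AUTO_ELEVATE:
            continue
        if launch.get("IntegrityLevel") != "High":
            continue  # launched, but UAC did not actually elevate it
        # Any process in the launch's lineage could have staged the hijack.
        lineage, g = set(), launch["ProcessGuid"]
        while g in procs and g not in lineage:
            lineage.add(g)
            g = procs[g].get("ParentProcessGuid")
        staged = [h for h in hijacks if h["ProcessGuid"] in lineage
                  and 0 <= (_ts(launch) - _ts(h)).total_seconds() <= window_seconds]
        if not staged:
            continue
        payload = next((h for h in staged if h["TargetObject"].endswith("(Default)")),
                       staged[0])
        children = [p for p in procs.values()
                    if p.get("ParentProcessGuid") == launch["ProcessGuid"]]
        for child in children or [launch]:
            findings.append({
                "technique": "T1548.002",  # ATT&CK: Bypass User Account Control
                "user": launch["User"],
                "chain": process_chain(child["ProcessGuid"], procs),
                "hijack_key": payload["TargetObject"],
                "payload": payload["Details"],
            })
    return findings


if __name__ == "__main__":
    for f in hunt_uac_bypass(EVENTS):
        print(f["technique"], f["user"], " -> ".join(f["chain"]), "|", f["payload"])
```

The important design choice is that neither event is an alert on its own: the registry write alone is how an atomic stages the test, and fodhelper.exe alone runs legitimately from Settings. It is the correlation (a High-integrity auto-elevating binary whose lineage wrote the key moments earlier, plus the child it spawns) that turns two ordinary-looking records into the full chain, which is exactly the pivot you would make in Kibana by filtering on the ms-settings key write and then jumping to the process-create records that share its ProcessGuid and ParentProcessGuid.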
If you run through Atomic Red Team or Caldera, you will know what the chain of events looks like, which makes it easy to start training teams on how to hunt for incidents. This introduction to threat hunting is a great way to increase the maturity of your security organization without having to spend a ton of money on training or tooling. I will be teaching a Learning Lab class at this year's RSA Security Conference on Wednesday, February 26th. This lab will cover both Atomic Red Team and Caldera to get students used to some of the simple acts of red teaming. The second half of the class will train their threat hunting skills, not only to find evidence of the attacks but also to chain the findings together to determine the full scope of the attack.