[Dailydave] reach for the sky vs stay airborne

Terry Bradley terry.bradley at gmail.com
Wed Oct 28 19:22:31 EDT 2015


I am imagining a world where a Red Team had a single red indicator
lightbulb in its organization’s Security Ops Center. As long as the Red Team
maintained persistence somewhere on the network, that light would stay on.
When a visitor came to tour the 21st-century (cyber) SOC he might ask what
the big red lightbulb meant. The network defender giving the tour could
tell the visitor, “That means we’re ‘owned’ right now.”

If the Red Team was worth two cents, that light would pretty much always
stay lit (each time the network defenders found and removed a backdoor or
an implant, they could call the Red Team and ask if that was the only
access they had…). Of course, this would lead to the unpleasant realization
that the network, its applications, and its staff were not very “secure.”

Which leads to the other big “aha” moment. If the Red Team can get in and
stay in, the real bad guys probably can, too.

Reality is so disappointing.

tb

On Tue, Oct 27, 2015 at 6:41 PM Konrads Smelkovs <konrads.smelkovs at gmail.com>
wrote:

> In my view, security improvements in organisations are driven by breaches
> and red team exercises/pentests. While breaches give hard lessons learned,
> red teams often don't and that's because we reward red teamers for a
> "domain admin" rather than longer term persistent access.
>
> This is what I call reach for the sky/rocket launch: you get domain admin,
> get a screenshot of CEO's e-mail and declare job done. In reality, a good
> simulation would be to "stay airborne" - take a screenshot of CEO's
> e-mail/exfil PST every week.
>
> That's not to say that there isn't a scenario where destruction of assets
> is the end-goal of an attacker, but even then, I would argue that red
> teamers ought to put an .exe in autoruns for every PC they wish to have
> done a simulated wipe.
>
>
>
> --
> Konrads Smelkovs
> Applied IT sorcery.
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>