<div dir="ltr"><div>I am imagining a world where a Red Team had a single red indicator lightbulb in its organization’s Security Ops Center. As long the Red Team maintained persistence somewhere on the network, that light would stay on. When a visitor came to tour the 21st-century (cyber) SOC he might ask what the big red lightbulb meant. The network defender giving the tour could tell the visitor, “That means we’re ‘owned’ right now.” </div><div><br></div><div>If the Red Team was worth two cents, that light would pretty much always stay lit (each time the network defenders found and removed a backdoor or an implant, they could call the Red Team and ask if that was the only access they had…). Of course, this would lead to the unpleasant realization that the network, its applications, and its staff were not very “secure.”</div><div><br></div><div>Which leads to the other big “aha” moment. If the Red Team can get in and stay in, the real bad guys probably can, too.</div><div><br></div><div>Reality is so disappointing.</div><div dir="ltr"><div><br></div><div>tb</div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Oct 27, 2015 at 6:41 PM Konrads Smelkovs <<a href="mailto:konrads.smelkovs@gmail.com" target="_blank">konrads.smelkovs@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>In my view, security improvements in organisations are driven by breaches and red team exercises/pentests. While breaches give hard lessons learned, red teams often don't and that's because we reward red teamers for a "domain admin" rather than longer term persistent access. </div><div><br></div><div>This is what I call reach for the sky/rocket launch: you get domain admin, get a screenshot of CEO's e-mail and declare job done. In reality, a good simulation would be to "stay airborne" - take a screenshot of CEO's e-mail/exfil PST every week.</div><div><br></div><div>That's not to say that there isn't a scenario where desctruction of assets is the end-goal of an attacker, but even then, I would argue that red teamers ought to put an .exe in autoruns for every PC they wish to have done a simulated wipe.</div><div><br></div><br clear="all"><div><br clear="all"><div><div>--<br>Konrads Smelkovs<br>Applied IT sorcery.</div></div>
</div>
</div>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</blockquote></div></div>