RUAG Breach – A lesson in cyber espionage tradecraft tools & techniques

Following a successful data breach of Swiss defense contractor RUAG – specialising in aerospace technology – the Swiss Governmental Computer Emergency Response Team (GovCERT) took the unusual step of publishing a comprehensive data breach report. The reasons given for publishing the report: …to give organizations the chance to check their networks for similar infections, and to show the modus operandi of the attacker group. You can download the summary technical report here (PDF) – 2 pages And the full espionage report here (PDF) – 34 Pages If the full report is a little TL;DR for your time or taste – or even Read More

Raphael Mudge’s Advanced Threat Tactics Course

Going through Raphael Mudge’s Advanced Threat Tactics Course videos and blog post is akin to rummaging through treasure. Although this is a showcase for Cobalt Strike which is a *must have* tool for IT security Red Team operations and Adversary Simulation, it is so much more. For me, this course catapulted and solidified my thinking and is the pre-eminent single source of information for not only the tools of advanced threat simulation, but the underlying methodology and tradecraft. I’ll make no bones about it, I consider Cobalt Strike a masterpiece put together by a craftsman, and In case you think I’m going overboard, harmj0y described Read More

The Pentest is dead, long live the Pentest!

A great lament for the death of conventional Penetration Testing went up to the cyber heavens yesterday: Penetration testing is to all intents and purposes, dead. It has been killed by an industry driven by profit, and end customers not driven by quality but by cost. The demands for metrics, for compliance, for the quantification and qualification of risk, have not only sounded its death knoll but abused its corpse. Like a pack of jackals providers suck the last of the marrow before they are inevitably replaced by an automated set of tools placed into the hands of functional testers. Read More

Tool agnostic fundamentals for Red Team operations

It was so tempting to call this post “Moving beyond Metrepeter” as the below video entitled Flying a Cylon Raider features Raphael Mudge talking about taking our knowledge of Meterpreter and mapping this to new tools. Quite coincidently – and before this talk was published – I asked Raphael the following: @armitagehacker I've been going thru comparing Tradecraft 2013 to 2015. With all the new Powershell developments do we need Metasploit? — Stuart Winter-Tear (@StegoPax) November 13, 2015 Raphael responded today with these salient Tweets: @StegoPax my $.02: red team ops/adv. sims are not pen testing. These activities really require focused toolsets. Those Read More

Criminals increasingly using social media as command-and-control (C2)

A paper entitled: C&C-AS-A-SERVICE: ABUSING THIRD-PARTY WEB SERVICES AS C&C CHANNELS caught my attention yesterday which looks at the growth in criminals leveraging popular web services for Command & Control (C2). The web services cited are: Google Docs, Twitter, Facebook, Microsoft Technet, YouTube, VKontakte, Jaiku, Tumblr, Google+, Yahoo Mail, Gmail, Google Talk, MSN Messenger, Skype, Google Calender So, quite a few options for the criminal as you can see. Why do criminals use Third-party web services for C2? One benefit for the criminal in utilising this strategy is that traffic to these websites looks legitimate, is often encrypted (HTTPS) and will blend in with legitimate use Read More

IT Security Red Team Post Exploitation Methodology

I want to share a talk given by @davidpmcguire and @harmj0y entitled: Passing the Torch Old School Red Teaming New School Tactics. The premise of the talk is to explain their take on Red Team operations and methodology. An important feature of this is the notion of emulation of threat techniques independent of the toolkit. In other words, the ability to use multiple tools, to perform the same function. The important point being that Red Teams do not need to use the exact tools of adversary’s, but can use any means to accomplish the job, as long as the techniques are mirrored. In terms Read More

IT Security Red Team Operations: The Raison d’être

Basically I’m hijacking and plundering a superb talk given by J Wolfgang Goerlich at GrrCON 2014 to lay out the heartbeat of this blog, which can be summed up as the raison d’être for IT security Red Team operations. The following two stand-out quotes lifted from the talk should be shouted from the rooftops: “Without studying offence we can’t plan for good defence” and “Without exercising the defence, we have no assurance that it works.” Simple truths, not emphasised enough in infosec in my opinion. IT Red Team security operations are a natural response to the above quotes. What are IT Red Team Operations? Read More