Thomas

The author works at and owns Mint Security, a mean and lean security company founded in 2015. No fuzz (literally - we do not fuzz, there are companies better equipped to do that).

What is this?

Recon and red teaming can be done separately, but they also work hand in hand. It is a good idea for a company to do a thorough recon to understand the adversary's view of the organization, and not only in the technical sense. The results provide good input for updating the risk register and help prepare for an in-depth threat modelling session.

While the recon phase may seem a bit theoretical (and rightly so), the red teaming exercise is where the recon results and the red team's skillset are put to the test. This is where the enterprise's defenses are torn down. Apart from specific business or technical limitations set by the customer on what the red team may do, there are essentially no limitations.

Tell me more about recon

Recon (or cyber reconnaissance) is what we do when we need to find out as much as possible about the enemy; this is, after all, a military term. The enemy, or in this case the target, is our customer. All of our recon work is both ethical and legal: we do not use any techniques that put you or us in a legal conundrum. During the recon we build a picture of your cyber landscape, a view of how you are perceived by your enemies. A recon exercise also gives insight into how susceptible you may be to opportunistic spray-and-pray attacks as well as "shit happens" scenarios.
The main reason for doing a recon is simply to level the playing field. The opposition knows your weaknesses, so you should too. A recon exercise uses a wide range of techniques to assess threats and risks. Some are very standard; some may be business or domain specific.
A continuous recon provides constantly up-to-date information on what is going on. This is especially beneficial for organizations with complex structures, many assets, and many stakeholders.

Recon - tools of the trade

The following are examples of what a recon mission may include:

  • Examining a company website for organizational information and personnel
  • Using a search engine to further refine the understanding of the organization and its assets, including assets that were never meant to be public
  • Reviewing job postings for information on technologies and infrastructure
  • Searching for leaked employee credentials
  • Looking into the past for things that organizations want to forget: the Wayback Machine
  • Consulting Shodan for low-hanging fruit on existing assets
  • Examining whois data
  • Delving into certificate transparency logs
  • Scavenging publicly exposed storage services
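
Two of the items above, certificate transparency logs and "things organizations want to forget", combine well in practice: every publicly trusted certificate ever issued for a domain is logged, so CT data lists hostnames the organization may no longer remember, and the expiry dates show which of them nobody has renewed a certificate for in years. The following is an added example of that technique in Python; it is not Mint Security's tooling or code from this page. It assumes the JSON shape returned by crt.sh (a list of records with a newline-separated `name_value` field and ISO `not_before`/`not_after` timestamps; in a live run you would fetch it from a URL such as https://crt.sh/?q=%25.example.com&output=json). The sample records below are constructed for the example and describe no real infrastructure.

```python
"""Hostname enumeration from certificate transparency data (added example).

Parses crt.sh-style JSON, normalises the subject names, keeps only names under
the apex domain being investigated, and flags hostnames whose newest certificate
expired long ago (candidates for forgotten but possibly still-resolving assets).
"""
import json
import re
from typing import Dict, List, Set

# Constructed sample in the shape crt.sh returns. All names and dates are invented.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.example.com",
     "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-30T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "staging-vpn.example.com\nJIRA.example.com",
     "not_before": "2022-02-01T00:00:00", "not_after": "2022-05-01T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "old-sso.example.com.",
     "not_before": "2019-09-01T00:00:00", "not_after": "2019-11-30T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com",  # same name logged again (precert + cert)
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
])

# Accept only syntactically valid DNS hostnames (labels of letters, digits, hyphens).
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def _names(entry: dict) -> List[str]:
    """Split one CT record's name_value into normalised hostnames."""
    names = []
    for raw in entry.get("name_value", "").split("\n"):
        name = raw.strip().lower().rstrip(".")   # case-fold, drop trailing dot
        if name.startswith("*."):
            name = name[2:]                       # wildcard: keep the zone it covers
        if HOSTNAME_RE.match(name):
            names.append(name)
    return names


def _under_apex(name: str, apex: str) -> bool:
    """True for the apex itself or any subdomain of it (not 'notexample.com')."""
    return name == apex or name.endswith("." + apex)


def hostnames_from_ct(ct_json: str, apex: str) -> Set[str]:
    """Unique hostnames under `apex` that appear in the CT data."""
    apex = apex.lower()
    return {n for e in json.loads(ct_json) for n in _names(e) if _under_apex(n, apex)}


def last_expiry(ct_json: str, apex: str) -> Dict[str, str]:
    """Newest not_after timestamp seen per hostname (ISO strings sort lexically)."""
    apex = apex.lower()
    latest: Dict[str, str] = {}
    for entry in json.loads(ct_json):
        expiry = entry.get("not_after", "")
        for name in _names(entry):
            if _under_apex(name, apex) and expiry > latest.get(name, ""):
                latest[name] = expiry
    return latest


def stale_hosts(ct_json: str, apex: str, today: str) -> List[str]:
    """Hostnames whose newest certificate expired before `today` (YYYY-MM-DD).

    These are the 'forgotten' candidates: nobody renewed a cert, but the DNS
    record and the host behind it may still exist."""
    return sorted(h for h, exp in last_expiry(ct_json, apex).items() if exp < today)


if __name__ == "__main__":
    print("hosts:", sorted(hostnames_from_ct(SAMPLE_CT_JSON, "example.com")))
    print("stale:", stale_hosts(SAMPLE_CT_JSON, "example.com", "2024-03-01"))
```

The stale list is only a lead, not a finding: a host that dropped its public certificate may have moved behind a private CA or been decommissioned properly. The next recon step is to resolve each name and, where it resolves, check what answers on it, for instance with the Shodan lookup mentioned above.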

Tell me more about red teaming

A penetration test (or pentest) is limited by both (calendar) time and scope. This is good for finding the weaknesses of something very specific: a web application, a server, or a cloud service. Red teaming, however, focuses on the bigger picture. A red team does not care which application, which service, which configuration, or which door has a vulnerability. Once a vulnerability is found, the scope is narrowed down to exploiting it. This means that a red teaming exercise gives real-world results on how adversaries would think and act. Of course, all the vulnerabilities found in previous pentests have already been fixed. Naturally. A red team makes heavy use of recon findings, the weaknesses that have been found in one way or another.
The resources needed for red teaming are very different from those needed for pentesting. Red teaming, even in purely digital form (excluding physical entry), may need a long time to be successful. It may also require time to just be quiet and stay dormant.

Red teaming - tools of the trade

Red teaming tactics and tools include:

  • Phishing
  • Social engineering
  • USB-sticking (planting prepared USB sticks)
  • Hacking
  • Scanning
  • Opening (and closing) doors
  • Waiting – repeating – and waiting some more

Where, how and when do we start?

We are here to help. We do one-off recons as well as continuous recons providing constantly up-to-date information on your organization. We can do one-off red teaming exercises or set up a yearly contract where we surprise you a few times during the year.

Let’s get the party started – yesterday. You have already been bleeding information for a long time. Your information is already out there for others to find. Start now, prepare to defend, and then fight back. Fighting back is when the blue team kicks in – but that is a completely different story.

