Two Sides of the Same Coin: A Glimpse into Red Teaming and Security Analytics

by James Stanger | May 23, 2019

I’m often asked to present examples of how a pen tester applies steps of what cybersecurity professionals often call the hacker lifecycle. I’m also often asked what these steps look like from not only the red team and/or pen tester’s perspective, but also from that of the security analyst. The analyst is the person who sifts through network traffic and visuals to find evidence of the compromises that a pen tester generates.

Lately, I’m very interested in how the most mature organizations combine these two teams to provide more visibility and context. In fact, I like to refer to the red and blue teams as cybersecurity context engines. This is because they help organizations understand exactly how to provide a strong, accurate narrative concerning threats and vulnerabilities.

By the way, there’s a difference between a pen tester and a red teamer:

  • A pen tester is a cybersecurity professional who, with explicit permission, identifies a specific weakness (e.g., a vulnerability in Apache Server) and then attempts to exploit that specific vulnerability.
  • A red teamer is part of a group that, with explicit permission, works to exploit various vulnerabilities across various resources. These resources can be people, IoT devices, mobile phones, notebook computers, routers, servers, or any other type of system. The red team then applies the entire hacker lifecycle during a series of activities. From now on, I’ll use the term pen tester.
Here’s a quick overview of some of the tools that both pen testers and security analysts use.

Pen Tester

Security Analyst

Discovery tools (e.g., OSINT tools, Nmap, Maltego) Packet capture tools (e.g., Wireshark, tcpdump –here's a handy tcpdump cheat sheet)
Exploit tools (e.g., Metasploit and BeEF) Security information and event management (SIEM) and intrusion detection (e.g., AlienVault, Splunk, Bro, Snort, OpenWIPS-ng, Process Explorer)
Crackers (John the Ripper, THC Hydra) Logs, and log analysis tools (WinMerg, lnav, lynis, DiffNow, CyberChef, ManageEngine)
Dedicated operation systems (e.g., Kali Linux or Parrot,which are Debian Linux and include hundreds of tools) Security Onion (Debian Linux – includes many tools)

 

This quick and dirty table is nowhere near perfect or thorough; but, it’s sometimes useful to think about the same activity – hacking – from two different perspectives, or buckets. I say this model isn’t perfect, because after all, a pen tester can use Wireshark just as effectively as a security analyst. The red teamer/pen tester, though, simply would use it in a different way. Security analysts use these tools to visualize what the red teamer/pen tester/attacker does.

Hacker Lifecycles

First, there is no single, perfect hacker lifecycle. I’ve found that there are quite a few useful pen testing/hacker lifecycle models.

Here are two of the more popular models:

  • The Lockheed Martin Cyber Kill Chain: This is one of the first peer-reviewed, accepted models of what I call the hacker lifecycle.
  • The Mitre ATT&CK Model: Useful for not only establishing steps of the hacker lifecycle, but also for mapping specific hacker activities to each step. Mitre makes it possible to identify specific traces, or signatures, of a hacker group to determine if the attacks you are seeing have similarities to known hacker groups, such as FIN 6 or FIN 7. 

In my experience, pen testers and security analysts customize the lifecycle based on the systems and organizations they are working with. You modify your model and paradigm based on the current conditions, kind of like how a good hiker uses different clothing and equipment based on the conditions of the mountain being climbed. 

Same Activity, Two Perspectives

Based on the models given above, the table below gives a quick overview of the steps a pen tester takes, and also, what the security analyst uses to discover what the pen tester – or hacker – is doing.

Activity

Description

Pen Testing Tool

Security Analyst Tool

Discovery/Reconnaissance Use active and passive scanning techniques to identify vulnerable people, processes, and systems Whois, Shodan, Nmap, Metagoofil Phone call logs, end point log files (e.g., Windows/mobile phone logs)
Penetration Use social engineering to deliver attack vector End user/Metasploit, shell commands Antivirus, centralized logging tools for end point and firewall
Pen/Escalation/Lateral Movement Transfer the Windows security account manager (SAM), or the Linux/etc/shadow file Metasploit (includes Meterpreter), BeEF

Active Directory/Keberos/LDAP logs, SGUIL

Pen/Persistence

Decrypt the accounts database file/info

John the Ripper/Online resources Tripwire, Splunk
Persistence Insert a specific registry key to open a port or activate a service such as the Remote Desktop Protocol (RDP) Meterpreter/BeEF, scripts Regshot, WinMerge, RegistryChangesView
Action on Objectives/Data Egress Obtain or change sensitive information Native tools on victim system Process Explorer, Snort, Sagan, Bro, any SIEM tool

Lateral Movement

Identify pre-existing shares and stored credentials Native tools/Meterpreter AlienVault, Suricata

 

Action on Objectives

Using a tool such as Metasploit, a pen tester can attack a system. In Figure 1, below, a pen tester has used Meterpreter, which is a specific application found within Metasploit. Using Meterpreter, I have navigated to the /windows/smb/ms17_010_psexec/ directory. This directory contains specific exploits I can then deliver via social engineering to a victim.

To create the exploit code, I set the local and remote IP addresses and ports and then compile the code. By using the run command, I then connect to the victim system. In this case, the victim system is an older Windows 7 system that is being used to control a supervisory control and data acquisition (SCADA) system.

Using Meterpreter to identify exploit codes

Figure 1: Using Meterpreter to identify exploit codes.

Notice the last message in this image: It means that I’ve been able to compromise the system. 

Now, I can engage in some credential harvesting. Or, I can establish persistence. Or, I can move laterally to other systems.

Figure 2 shows I have uploaded the Windows Credentials Editor (WCE) from the /usr/share/wce/ directory. This file allows me to easily obtain user credentials from a Windows SAM. Notice that I’m doing this from within the already-established reverse shell that I created earlier. Once I upload the wce64.exe file, I can then execute it; it will discover any particular user credentials on the victim system. Notice the portion of the readout outlined in white in the image below.

Using the wce64.exe to obtain a user's credentials

Figure 2: Using the wce64.exe to obtain a user’s credentials.

In this case, I was able to grab the credentials for a default account that has been activated. This is the most important element, because it is the Windows SAM hash for a particular user. Now that I have obtained this hash, I can decrypt it using various tools. For example, I could use John the Ripper. In my case, I’ve decided to use an online password cracking tool, as shown in Figure 3.

Decrypting user credentials using an online cracking tool

Figure 3: Decrypting user credentials using an online cracking tool.

The result is that I have now been able to crack at least one user account. I can now go in any number of directions. To avoid creating further indicators of compromise, I could simply close down my connection and then simply walk up to the the victim system and log in interactively. 

From the security analyst’s perspective, I have various tools that will help me discover the above activities. Figure 4 shows a copy of Security Onion running SGUIL, which has logged how new groups and users have been created in the Windows system.

Running SGUIL with Security Onion

Figure 4: Running SGUIL with Security Onion.

The security analyst can also use Wireshark (Figure 5) and Process Explorer (Figure 6) to further trace attacks. Many other tools are available, including forensics tools such as Encase. But I thought it'd be good to stick to the free/open-source tools I've seen cybersecurity analysts use in the field. 

Wireshark viewing packets from the attack

Figure 5: Wireshark viewing packets from the attack.

 

Viewing an attack in progress using Process Explorer

Figure 6: Viewing an attack in progress using Process Explorer.

The above applications make it possible to view exactly what the pen tester – or hacker – is doing. 

Next month, I'll be discussing the importance of the red team and blue team while I'm at InfoSecurity Europe. If you're going to be in London on June 4, please join me and my co-presenter Gary Fildes for the presentation. Gary is an experienced security analyst and works for the Office for Nuclear Regulation (ONR) in the United Kingdom. I'm excited to be presenting with Gary and look forward to seeing you there!

4 Comments

  • Marc Harter

    Thursday, December 20, 2018

    Wow this is really good information. Thank you!

  • James Stanger

    Monday, January 14, 2019

    Any time, Marc. If you're interested, we're continuing our investigation of security and deep network analysis. For example, tomorrow (January 14th, 2019), I'll be doing an overview of Wireshark: https://certification.comptia.org/it-career-news/post/view/2019/01/03/webinar-using-wireshark See you then! James

  • Fern Bowers

    Friday, May 24, 2019

    This is POWERFULL STUFF!!!!! Wow!

  • Mozze Kimathi

    Friday, June 7, 2019

    Very helpful and appreciated.

Leave a Comment

Boost your Career with a Certification

Find out more about our Certifications

How to get Certified

4 Steps to Certification

Already certified? Let us and others know!

Share Your Story