Red Team Assessment Methodology

Step 1 – Identification

The aim here is to pinpoint and evaluate potential targets, both human and technical, that could be vulnerable to attacks from outside sources.

• LMNTRIX utilizes a combination of open-source intelligence (OSINT) collection methods and active scanning tools to locate systems and applications that can be accessed through the Internet. In the evaluation process for potential targets for further testing, a myriad of factors come into play. These include exposed ports and services, the technical architecture, the target’s functionality, potential vulnerabilities, ease of exploitation, and the value it holds for an attacker.

• LMNTRIX might use OSINT to pinpoint potential employees of the customer for targeting through social engineering methods. This involves gathering and analyzing data from publicly available sources like search engines, social media platforms, the customer’s websites, and other online channels. This information is crucial for crafting and executing tailored social engineering attacks aimed at specific individuals.

A master list of the potential targets will be the outcome of the Identification phase. These are the targets that will be evaluated and prioritized for exploitation.

Step 2 – Exploitation 

In the Exploitation phase, LMNTRIX will use the insights gathered in the Identification phase to pinpoint promising targets. They’ll then tailor technical and social engineering attacks to these targets and carry them out to infiltrate the customer’s internal networks. This phase might involve various tactics, including:

• Technical Exploitation – Once LMNTRIX identifies vulnerabilities in Internet-facing systems and applications, they may try to exploit these weaknesses to compromise sensitive data or to gain unauthorized access within a network perimeter. Furthermore, they may execute attacks to gather more information about the environment, including discovering additional targets or gathering more information about existing targets. Common attack methods employed during this phase include SQL Injection, uploading and executing web shells, and brute force attacks on login interfaces.
• Social Engineering – LMNTRIX may use phone and email-based techniques to target Customer employees. LMNTRIX selects individuals from the target list based on their job roles, assumed access to critical internal systems, and perceived vulnerability. Then, customized phone and email attacks are crafted for each user, aiming to carry out actions like obtaining login credentials, visiting suspicious websites, or installing malware on the target’s corporate IT device.

The Exploitation phase aims at breaching the perimeter and accessing the internal system. Technical exploitation involves compromising Internet-facing systems and then using that access to target neighboring systems within the environment. On the other hand, social engineering exploitation involves acquiring valid credentials to access the environment remotely, such as through VPNs or executing malware on the user’s device, allowing LMNTRIX to operate within the internal environment with the user’s permissions.

Step 3 –  Post-Exploitation 

After successfully infiltrating the internal environment, LMNTRIX will try to move laterally across the intranet to achieve the predetermined objectives. In the Post-Exploitation phase, they may engage in the following activities:

• Privileged Escalation – Immediately after LMNTRIX gains access to a system, they may use different methods to increase the privileges of the current user to the highest levels. These privileges will enable LMNTRIX to carry out various harmful activities. This includes establishing persistence, adding more malware like key loggers, and capturing credentials.

• Internal Exploitation – To identify high-value targets within the intranet, LMNTRIX utilizes the same techniques employed during the Identification phase. This involves searching internal data repositories, portals, collaboration forums, and other internal sources that provide access to sensitive data. By leveraging these techniques, LMNTRIX can effectively locate and prioritize valuable targets within the organization’s internal network. Furthermore, LMNTRIX may pinpoint internal systems vulnerable to technical exploits, which can gain deeper access to the environment or acquire additional credentials.

• Credential Harvesting – After gaining entry to internal systems, LMNTRIX might start gathering account credentials for authorized internal users. They’ll particularly concentrate on acquiring privileged domain credentials, as these offer broad access within the environment. Common credential harvesting attacks involve extracting information such as hashes, Kerberos tickets, and clear text credentials from local system memory or accessible virtual machine files. Additionally, attackers may identify scripts and configuration files containing hard-coded credentials for unauthorized access.

In many cyber attacks, the post-exploitation phase is a repetitive process. It includes identifying internal targets, compromising them, and extracting more information and credentials to move laterally within the intranet. As mentioned earlier, the main aim of this phase is to achieve the predetermined attack goals. To meet their goals, LMNTRIX often secures complete administrative access to vital systems like financial application servers, key databases, executive email, and file shares. They may also target internal authentication and authorization systems such as Active Directory, LDAP, and two-factor authentication, as well as the core network infrastructure like RADIUS and TACACS.

Another aim of this assessment is to gauge the information security team’s capability to detect and address threats. To do so, LMNTRIX will utilize testing approaches and attack tactics tailored to circumvent or evade current security protocols. This includes deploying custom malware that might slip past commercial anti-virus software and refraining from using scanning or exploitation methods that could raise suspicion among system users or trigger alarms on network sensors and endpoint controls. If the Customer information security team discovers the ongoing test, LMNTRIX and Customer project managers will collaborate to determine the most suitable approach for continuing the testing process.

At the project kickoff meeting, Red Team activities will be thoroughly discussed and mutually agreed upon by both LMNTRIX and the Customer. This may include the scope of the engagement, such as whitelisted and blacklisted targets. Moreover, the approval and coordination procedures required prior to exploiting targets, schedules and timeframes, data handling and communications, and the escalation policy will also be established.