Red team assessment
Case study
Many of our clients only perform the minimum security assessments required by industry regulations. While these assessments provide useful information on the weaknesses of an organization’s security posture, they don’t always provide an accurate picture of how a real-world attack might affect the company. During real incidents, attackers are not limited by time or scope, and can often work to gain access using many different approaches all at once for months on end. With unlimited time and resources, attackers can often find strange and unique ways to gain access that are not part of traditional attack and penetration testing. With this in mind, one of our clients reached out to us to test how vulnerable they would be to realistic threats.
RSM’s red team assessment simulates how a real-world attack could affect a company, allowing our clients to gain a full understanding of the many ways they could be vulnerable to attackers.
RSM began this assessment by working with the client to develop a list of specific targets for our ethical hackers to attempt to access. While not all clients will identify a specific set of targets, it can often be useful for addressing any concerns an organization has about specific security issues. For this particular engagement, the client wanted to know if RSM could gain access to information on mergers and acquisitions, pre-patent intellectual property and any employee personally identifiable information.
Multiple attack vectors
With the targets identified and a three-week time frame agreed, RSM used a variety of techniques to attempt to gain access to this information. Normally, a red team assessment would include attempts to physically penetrate the client’s locations, but for this assessment the client specifically requested that we avoid physical penetration. Our methods therefore included:
- Social engineering: Most social engineering centers on either phishing attempts via email or direct interaction with employees of a target organization. While RSM did attempt a phishing attack on the target, RSM’s most successful social engineering in this engagement used custom-manufactured USB devices to gain access to the target company’s systems. For $200, RSM created 25 USB drives with the company’s logo printed on them. We loaded the drives with software that granted access to a user’s computer as soon as the drive was plugged in. Instead of delivering the software by email, we mailed the USB devices in envelopes to employees across the country, using the company’s main office location as the return address. After waiting patiently for several days, we had gained access to several systems within the company, relying on the human element to let us inside the network.
- Email server access: Using an intranet web portal that accepted a single login for multiple services, RSM was able to gain access to many different web applications used by the client. RSM eventually accessed the company’s email server by taking advantage of weak passwords and a lack of two-factor authentication. While this gave us access to several of the targets identified by the client, it also allowed us to monitor the company’s internal communications about the attack itself, giving us ample opportunity to evade any countermeasures put in place by the company’s incident response (IR) team.
Aside from specific tactical adjustments to their intranet portal (including increasing password strength and requiring two-factor authentication), the client learned some major long-term lessons about how to handle an attack. While the organization already had a mature IR program in place, the members of that team were using email to communicate with each other about the suspected incident. By assuming the email servers were still secure, the IR team was unknowingly providing the attackers with valuable intelligence. A major lesson from this is to assume that any degree of breach is a full breach and to treat any electronic communication as potentially compromised. In a real-world incident, attackers often take the time to passively monitor actions taken at a target company, using this type of intelligence to determine the best method for attack.
While many companies focus on implementing large-scale security solutions, much of RSM’s access in this assessment resulted from the accumulation of smaller problems. Taken individually, these would have been relatively minor issues, but combined in a full attack they allowed access to sensitive information. For example, the access gained from the USB drives would have been bad on its own, but its effect was compounded by a largely flat, unsegmented network, which allowed RSM to reach almost any other computer on the client’s network.
While many of the companies we work with are frightened of such a wide-open assessment, this particular client viewed it as a learning opportunity. Knowing that their large size also makes them a large target, they wanted to see what could really happen in an attack and how well they would deal with it. They realized that any negative feedback they might receive about weaknesses identified by this assessment would be far outweighed by the damage of a real-world attack. By working with RSM to conduct a full-scale red team assessment, our client learned how devastating these attacks can be, with the assurance that we would address problems while respecting and protecting their privacy concerns.