True unfreedom is building a cage inside your own heart.

Red Team Scenario Terminology

Understanding common terms used in red teaming can help us better understand red team attacks.

Based on: RedTeam Development and Operations

Allow-List

An allow list, also known as a whitelist, contains trusted content. It is typically used to grant access to specific resources and can be made up of multiple rules, such as users, IP addresses, file extensions, domains, and so on. Only requests that match an allow-list rule are granted access. Maintaining a good set of allow-list rules is generally considered better practice than using a blacklist, because an allow list improves security by denying access by default.

ASSUMED BREACH

The "assumed breach" model assumes that some level of access has already been obtained before the red team and blue team begin the exercise. Each organization understands this model differently. Immature organizations often argue that "assuming someone can break into the network is unusual," and those who ask for proof of entry usually do not appreciate this scenario. However, this assumption is crucial when assessing whether a threat can gain entry. If entry itself is not a critical target, using the "assumed breach" model saves time and money and lets the red team explore more of the environment. More mature organizations value this model more because it surfaces more threat scenarios from more sophisticated threats.

BLUE CELL

The blue cell is the team opposing the red team and is responsible for defense. It usually consists of blue team members, organizational management, and internal technical staff. They detect red team traffic inside the internal network using sensors.

BLUE TEAM

The blue team is the defensive team against threat intrusion.

COMMAND AND CONTROL (C2)

Command and Control (C2) refers to the attacker's remote control infrastructure (for example Cobalt Strike). A C2 framework consists of a main server and a client. The operator connects the client to the server to generate payloads; a payload is uploaded to and run on the target, which calls back with a reverse shell, after which the operator can execute any command on the target.

C2 is usually divided into three tiers: Interactive, Short Haul, and Long Haul. Sometimes they are labeled Level 1, 2, and 3. The tiers have no unique technical characteristics; they differ only in how they are used.

  • Interactive Tier: Used for general commands, enumeration, scanning, data exfiltration, and similar work. This tier involves the most interaction and carries the greatest risk of exposure. Expect to lose this access during communication failures, proxy failures, or blue team actions, so run enough interactive sessions to maintain access. "Interactive" does not mean sending a large volume of traffic to the target; use judgment and keep interaction to the minimum needed to perform the operation.

  • Short Haul Tier: Used as a backup for recovering interactive sessions. Uses covert communication that blends in with the target's normal traffic and calls back more slowly; callback times of 1-24 hours are common.

  • Long Haul Tier: Similar to short haul but slower and lower in profile; callback times of more than 24 hours are common.

The C2 tiers exist to limit exposure and should not be mixed: infrastructure used for one tier should not be reused for another.
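From the defender's side, the tier thresholds above can be turned into a simple beaconing check. The following is an added example (not code from the original post or from any C2 framework): it groups repeated outbound callbacks per source host and destination from constructed proxy log lines, takes the median interval, and assigns it to the post's tiers (short haul 1-24 hours, long haul over 24 hours, anything faster treated as interactive).

```python
# Added example, not from the original post: sort repeated callbacks into the
# C2 tiers described above. Thresholds follow the post (short haul 1-24 h,
# long haul > 24 h); anything more frequent counts as interactive.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log lines: "<ISO timestamp> <source host> <destination>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-17 cdn-assets.example.net
2024-03-01T09:00:05 ws-17 cdn-assets.example.net
2024-03-01T09:00:11 ws-17 cdn-assets.example.net
2024-03-01T10:00:00 ws-22 updates.example.org
2024-03-01T16:00:00 ws-22 updates.example.org
2024-03-01T22:00:00 ws-22 updates.example.org
2024-03-01T03:00:00 srv-db sync.example.com
2024-03-03T03:00:00 srv-db sync.example.com
2024-03-05T03:00:00 srv-db sync.example.com
"""

def parse_log(text):
    """Group callback timestamps by (source host, destination)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            seen[(src, dst)].append(datetime.fromisoformat(ts))
    return seen

def tier_for_interval(seconds):
    """Map a typical callback interval to the post's C2 tiers."""
    hours = seconds / 3600
    if hours > 24:
        return "long haul"
    if hours >= 1:
        return "short haul"
    return "interactive"

def classify_callbacks(text, min_callbacks=3):
    """Return {(src, dst): (tier, median gap in seconds)} for every pair
    with enough repeated callbacks to estimate a cadence."""
    result = {}
    for key, times in parse_log(text).items():
        times.sort()
        if len(times) < min_callbacks:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        result[key] = (tier_for_interval(med), med)
    return result
```

A regular cadence is only a hint; legitimate update checks also beacon on a schedule, so the result is a triage list, not a verdict.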

CONTROL CELL

The control cell, also known as the white cell or purple team, acts as a referee during the attack-defense exercise. It coordinates the blue team and red team, controls the environment and network, sets exercise rules, and supervises the execution of rules of engagement (ROE).

DENY-LIST

A deny list, also known as a blacklist, blocks access for anything it lists. It is usually used to filter out known harmful content.

ENGAGEMENT/EXERCISE CONTROL GROUP (ECG)

The ECG is responsible for all activities during the exercise. It consists of one or two senior executives (such as the Chief Information Officer or Chief Operating Officer), a member of the IT department, a liaison from the purple team, and a liaison from the red team. Additional personnel can be added as needed. All members are considered trusted agents.

EXFILTRATION

The process of extracting sensitive information from a target through covert channels.

GET IN, STAY IN, ACT

The three steps of a red team attack.

GET IN

Obtain access to the target's internal network. The red team needs a foothold in the target's network before it can proceed with STAY IN and ACT. This can be achieved through an actual intrusion or through an assumed breach of the internal network.

STAY IN

Establish persistent access inside the internal network. The red team usually maintains its access in ways that avoid detection by the blue team, since detection can cost it the connection.

ACT

The phase of conducting internal network penetration, obtaining more targets, sensitive data, and achieving exercise goals.

IOC (INDICATOR OF COMPROMISE)

An Indicator of Compromise (IOC) is a specific clue or indicator used in computer network security to identify and detect malicious activities. These clues or indicators can include characteristics of malware, abnormal behavior of systems and applications, modifications to system files, abnormal network traffic, abnormal user account activities, etc.

IOCs can be used to detect and locate security vulnerabilities or attack behaviors in computer and network systems and prevent future security threats. When a system or application is attacked or infected with malware, IOCs can help security experts quickly identify, locate, and eliminate security threats. In addition, IOCs can be integrated with other security systems, such as intrusion detection systems, security information and event management systems, to enhance the overall security performance of the system.

Some common IOCs include:

  1. Hash values: Unique hash values of malware can be compared to identify and analyze them.

  2. IP addresses and domain names: Identifying network addresses of infected computers and communication servers to determine attack sources and command and control (C2) servers.

  3. Abnormal behavior: Monitoring activities in the system by comparing normal and abnormal behaviors, such as file changes, processes, and scheduled tasks.

  4. Threat intelligence: Using publicly available information about malicious activities, such as hacker forums and vulnerability advisories, to understand potential attackers, attack methods, and targets.
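As an added example (not part of the original post), here is a small matcher for the first two IOC types listed above: file hashes, IP addresses and domain names checked against event records. The indicator values, the event records and the `match_event`/`scan` helpers are all constructed for illustration; the hash is the SHA-256 of the string "test", the domain uses the reserved .test TLD and the addresses come from documentation ranges.

```python
# Added example, not from the original post: match the IOC types listed above
# (hashes, IP addresses, domain names) against event records. The indicator
# values and events are constructed for illustration, not real IOCs.
import ipaddress

# Constructed indicators keyed by type. Hashes compare case-insensitively,
# domains match themselves and any subdomain, IPs may be given as CIDR ranges.
IOCS = {
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    "domain": {"bad-example.test"},
    "ip": {"203.0.113.0/24", "198.51.100.7"},
}

def _domain_matches(host, bad):
    host = host.lower().rstrip(".")   # normalise case and trailing dot
    return host == bad or host.endswith("." + bad)

def _ip_matches(addr, bad):
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(bad, strict=False)
    except ValueError:
        return False   # not a valid address: cannot be an IP hit

def match_event(event, iocs=IOCS):
    """Return sorted (ioc_type, indicator) hits for one event dict.
    Keys consulted: "sha256", "dest_host", "dest_ip"."""
    hits = set()
    h = event.get("sha256", "").lower()
    if h in iocs["sha256"]:
        hits.add(("sha256", h))
    for bad in iocs["domain"]:
        if _domain_matches(event.get("dest_host", ""), bad):
            hits.add(("domain", bad))
    for bad in iocs["ip"]:
        if _ip_matches(event.get("dest_ip", ""), bad):
            hits.add(("ip", bad))
    return sorted(hits)

# Constructed events: a process start and two outbound connections.
SAMPLE_EVENTS = [
    {"host": "ws-17", "sha256": "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08"},
    {"host": "ws-17", "dest_host": "cdn.bad-example.test.", "dest_ip": "203.0.113.45"},
    {"host": "ws-22", "dest_host": "updates.example.org", "dest_ip": "192.0.2.10"},
]

def scan(events, iocs=IOCS):
    """Return {index: hits} for every event that matched at least one IOC."""
    return {i: m for i, e in enumerate(events) if (m := match_event(e, iocs))}
```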

OPFOR

The opposing force in an exercise or simulation.

OPLOG (OPERATOR LOG)

The attack logs generated by the red team operators during the exercise.

OPERATIONAL IMPACT

The goals and effects achieved by the red team during the exercise, including strategic, tactical, and operational impacts on the target environment, as well as an assessment of the success of the mission.

Operational impact may vary in different attack-defense tasks and depends on the specific circumstances. For example, in a network penetration test, operational impact may include obtaining sensitive information, exploiting vulnerabilities to infiltrate systems, and establishing backdoors for persistence. In a red team exercise, operational impact may include disrupting business processes, damaging critical equipment, and stealing sensitive data.

OPSEC

Operational Security (OPSEC) is the attacker's discipline of treating the defender as an adversary. It focuses on identifying critical information that the adversary could observe through intelligence gathering, judging whether that information could be used to trace the operation back, and taking specific measures to eliminate or reduce the adversary's ability to exploit it. In red teaming, OPSEC means understanding which actions the blue team may notice and minimizing exposure.

Reference: 浅谈 OPSEC 和 C2 (A brief discussion of OPSEC and C2)

OUT BRIEF, EXECUTIVE

The first meeting held after the exercise, before the red team attack summary report is available. The meeting is aimed at the management level and should include key personnel from the target organization. The results of the red team test may impact the future operations of the organization, requiring funding for vulnerability remediation or personnel changes. Management awareness and buy-in are crucial for using the results of the red team test to improve the organization's security posture against threats.

OUT BRIEF, TECHNICAL

A technical meeting for two-way technical information exchange between the red team, blue team, and the organization. In this exchange, both the red team and the blue team provide highly detailed technical reviews of the execution process and results (including all relevant details). It combines training and education and is one of the most valuable opportunities for learning in all aspects.

PENETRATION TESTING

The systematic examination of a target system within a defined time frame to discover vulnerabilities. In terms of business risk, penetration testing aims to reduce the attack surface by identifying and fixing vulnerabilities. It typically does not examine how the organization as a whole responds to a threat.

PERSISTENCE

The process of maintaining access to the target environment, using various techniques to keep the connection alive.

Red Cell

The red cell refers to the components that make up the attacking part of the red team, simulating strategic and tactical responses to a designated target. The red cell usually consists of red team leaders and operators, often referred to as the "red team" rather than the "red cell."

Red Team

The attacking team that simulates attacks from the perspective of threats or adversaries.

RED TEAMING

Red teaming is the process of simulating real-world threats using tactics, techniques, and procedures (TTPs) to train and assess the effectiveness of personnel, processes, and technologies used to protect an environment.

In terms of business risk, red teaming focuses on understanding the ability of security operations to handle threats through training or measurement. Technical findings are often revealed during the exercise, but they are not the main focus. The goal of red teaming is to challenge the defense strategies and assumptions of security operations to identify vulnerabilities or flaws in defense strategies. The improvement of security operations through training or measurement is the objective of red teaming.

RED TEAM LEAD

The operational and administrative lead of the red team. Responsible for the participation, budget, and resource management of the red team, as well as supervising and guiding the participation, capabilities, and technical research of the team. Ensures compliance with all laws, regulations, policies, and rules of engagement.

RED TEAM OPERATOR

The red team attacker responsible for carrying out the attacks during the exercise.

As the attacker in the exercise, the operator complies with all requirements set by the red team lead, takes part in missions using red team tactics, techniques, and procedures (TTPs), and provides technical research and capability support to the red team. The operator keeps detailed logs at each stage of the mission and supplies the logs and information that support the final report.

RULES OF ENGAGEMENT (ROE)

The rules that establish the responsibilities, relationships, and guidelines between the red team, the client, system owners, and executing participants to ensure the effective execution of the mission.

THREAT

A potential cause that could lead to an incident, causing harm to systems and organizations. Threats in information security include any situation or event that may result in unauthorized access, destruction, disclosure, modification of information, or interruption of services, causing adverse effects on an organization's operations (including tasks, responsibilities, image, reputation), resources, individuals, other organizations, or countries.

THREAT MODELING

Threat modeling is a process that identifies potential threats or lack of appropriate security measures, lists them, and prioritizes measures to mitigate these threats.

THREAT EMULATION

The process of simulating scenarios in which threats invade an organization, emulating the effects of real invasions.

Threat emulation is the process of emulating the tactics, techniques, and procedures of a specific threat.

THREAT SCENARIO

A scenario focuses on how defense solutions are executed and aligns with the processes, procedures, policies, activities, personnel, organizations, environments, threats, constraints, assumptions, and support involved in security tasks. Scenarios typically describe how threat roles interact with systems and networks in the target environment and simulate the effects of real invasions. In short, it answers the question of how the defense side dynamically executes operations to provide results, outputs, or evidence of defensive capabilities.

TTPs

Tactics, techniques, and procedures.

VULNERABILITY ASSESSMENT

A systematic examination of information systems to determine whether security measures are sufficient, identify security flaws, provide data to support the effectiveness of security measures, and confirm the adequacy of measures after implementation. In terms of business risk, a vulnerability assessment aims to reduce the attack surface by minimizing the number of vulnerabilities found.

Webshell

A webshell is a script placed on a web server that gives an attacker a command interface through the web application, allowing system commands to be executed on the server. Attackers can use a webshell to read sensitive information on the server, modify files, upload malicious code, and so on.
