A Command and Control Approach to Red Teaming

Haynes, Kaitlin Britt

13 December 2014

As the military has to react and respond to cyber attacks, they also are having to develop a way to apply cyber operations to the command and control hierarchy already in use. This thesis studies the requirements for a cyber command and control (C3) and conducts an experiment to test whether a C3 approach to red teaming helps users find more vulnerabilities. Since red teaming is similar in setting to the cyber operations setting, if the team finds that a C3 helps team members find more vulnerabilities, then a C3 environment can help the military better respond to cyber attacks. As a result of the experiment, the control team and the team using the C3 tied. However, participants surveyed indicated that using a C3 environment was more helpful than not using the C3 environment.

cyber command and control

red team

command and control

Metodologisk jämförelse av automatiserade och manuella penetrationstestning : En studie på bristen av manuella penetrationstestare / Methodological comparison of automatic and manual penetrationtesting

Palmgren, Kristoffer, Nordstrand, Simon

January 2022

Idag utvecklas IT branschen otroligt snabbt. Det framkallar även utvecklingen av internetbrott. Ransomware täcker den största delen av internetbrott. Högsta offentliggjorda summan mot ett svenskt företag var 290 miljoner SEK. Enligt statistik saknas det personal inom cybersäkerhet. Just nu arbetar färre personer med cybersäkerhet än antal jobbmöjligheter som ligger öppna. Atea vill ta reda på om Pentera, ett automatiserat penetration-testnings system kan fylla kompetensbristen inom arbetsmarknaden eftersom ett penetrationstest är både resurs- och tidskrävande att utföra. I den här studien utförs ett experiment där det manuella penetrationstestet jämförs mot det automatiserade. I resultaten visade det sig att det automatiserade programmet lyckades ta fram mer resultat än det manuella testet på kortare tid. Den tog även fram fler sårbarheter och utförde fler exploits än det manuella testet. Det manuella testet utfördes under längre tid än det automatiserade. På grund av detta framkom information som det automatiserade programmet ej hittade. Det är möjligt att det automatiserade programmet hade lyckats ta fram dessa delar om den fick arbeta längre. I resultatjämförelsen mellan dessa tester kan en markant skillnad i fördel för det automatiska testet synas. / Today the IT industry is developing rapidly. This also induces the development of internet crimes. Ransomware covers most cybercrimes. The highest announced amount against a Swedish company was 290 million SEK. According to statistics, there is a lack of cybersecurity staff. Right now, fewer people work with cybersecurity than the number of work opportunities that are open. Atea wants to find out if Pentera, an automated penetration testing system, can fill the lack of competence within the labor market as performing a penetration test is both resource and time consuming. In this study an experiment is performed where the manual penetration test is compared to the automated one. In the results it turned out that the automated program managed to bring forth more results than the manual test in a shorter time. It also brought forward more vulnerabilities and performed more exploits than the manual test. The manual test was performed for a longer time than the automated one. Due to this information emerged that the automated program could not find. It is possible that the automated program would have succeeded in producing these parts if it had been allowed to work longer. In the comparison between these tests there is a clear difference in advantage for the automatic test that can be seen.

Penetrationtest

cybersecurity

pentest

Pentera

red team

recon

Penetrationstest

cybersäkerhet

pentest

Pentera

red team

recon

Computer and Information Sciences

Data- och informationsvetenskap

C&C architecture : Automation of the deployment of a sophisticated infrastructure, for new malicious uses, harder to detect

Glasser, Timon

January 2021

Today cybersecurity is becoming a major concern for all of society. Companies can lose billions of dollars because of cyberattacks. States need to keep the vital infrastructure of the country running and must prepare for cyberwar against cyberterrorism and other states. And finally, everyone can also suffer a cyberattack, like credit card stealing, ransomware asking for money, etc. In this tensed context, botnets and Remote Access Trojan are emerging as one of the major threats against cybersecurity.  In this master thesis we will focus on Command & Control (C&C) architectures, which can be used as a first step on a network, to compromise it entirely afterwards. To do so, the malware used to put in place the C&C architecture must first bypass all antivirus protections, and then establish a connection with a C&C server. This master thesis will be about the automation of the deployment of such architecture, which should be stealth enough to bypass the common protections.  This master thesis took part at Wavestone company, which performs cybersecurity audits. After a brief presentation of Wavestone, we will first explain why a C&C architecture is very useful for auditors (and consequently for cybercriminals as well), and what steps will be taken to achieve this project. Then, we will focus on the history and the functioning of botnets: botnets are indeed the most common use of C&C architecture. Afterwards, we will focus on the detection of a C&C architecture, to understand what challenges the implementation will have to meet. Finally, we will present an implementation that was made during the thesis of an end-to-end C&C scenario, based on an open software called SilentTrinity, and corresponding to the needs of the auditors. / I dag är cybersäkerhet en viktig fråga för hela samhället. Företag kan förlora miljarder dollar på grund av cyberattacker. Stater måste hålla landets vitala infrastruktur igång och måste förbereda sig för cyberkrig mot cyberterrorism och andra stater. Och slutligen kan alla också drabbas av en cyberattack, som t.ex. kreditkortsstöld, utpressningstrojaner som ber om pengar osv. I detta spända sammanhang framstår botnät och Remote Access Trojan som ett av de största hoten mot cybersäkerheten.  I denna masteruppsats kommer vi att fokusera på Command & Control-arkitekturer, som kan användas som ett första steg i ett nätverk för att sedan kompromettera det helt och hållet. För att göra detta måste den skadliga kod som används för att sätta C&C-arkitekturen på plats först kringgå alla antivirusskydd och sedan upprätta en anslutning till en C&C-server. Denna masteruppsats kommer att handla om automatiseringen av införandet av en sådan arkitektur, som ska vara tillräckligt smygande för att kringgå de vanligaste skydden.  Denna masteruppsats deltog vid företaget Wavestone, som utför cybersäkerhetsrevisioner. Efter en kort presentation av Wavestone kommer vi först att förklara varför en C&C-arkitektur är mycket användbar för revisorer (och följaktligen även för cyberkriminella), och vilka steg som kommer att tas för att genomföra detta projekt. Därefter kommer vi att fokusera på botnets historia och funktion: botnets är faktiskt den vanligaste användningen av C&C-arkitektur. Därefter kommer vi att fokusera på upptäckten av en C&C-arkitektur för att förstå vilka utmaningar som genomförandet måste möta. Slutligen kommer vi att presentera ett genomförande som gjordes under avhandlingen av ett C&C-scenario från början till slut, baserat på en öppen programvara som heter SilentTrinity, och som motsvarar revisorernas behov.

Command & Control

botnets

RAT

detection

implementation

Red Team

Command & Control

botnät

RAT

upptäckt

genomförande

Red Team

Elektroteknik och elektronik

PERCEPTIONS OF PURPLE TEAMS AMONG CYBERSECURITY PROFESSIONALS

Siddharth Chowdhury (6613439)

15 May 2019

With constant technological advancements, the attacks against existing infrastructure is constantly increasing and causing more damage. The current Red and Blue team approach to cybersecurity assessments is used to test the effectiveness of security defenses and in identifying vulnerabilities before they are exploited. Due to a lack of collaboration and inherently contradicting natures of these teams, the credibility of audits is impacted. While this has led to the synergistic and collaborative Purple team, it is important to understand how cybersecurity professionals perceive this new concept and its function. Analyzing perceptions of self-reported cybersecurity professionals via an online survey showed most believed Purple teams were beneficial and should be created from and collaborate with Red and Blue teams. However, past Red team experience was negatively linked to perceived benefit. Those who had more years of experience or had been on Red teams were more likely to believe Purple teams may have ownership or learning issues. Furthermore, professionals identified active managerial involvement and project clarity as critical success factors for Purple teams. Alongside these, management could help find the right skillset, provide resources, and offer active direction in order to avoid issues and maximize outcomes. Based on assessment relevance, a collaborative agreed-upon methodology for Red, Blue, and Purple teams was provided.

Computer System Security

Innovation and Technology Management

purple team

cybersecurity

red team

blue team

perception

methodology

assessment

Training Security Professionals in Social Engineering with OSINT and Sieve

Meyers, Jared James

01 June 2018

This research attempts to create a novel process, Social Engineering Vulnerability Evaluation, SiEVE, to use open source data and open source intelligence (OSINT) to perform efficient and effectiveness spear phishing attacks. It is designed for use by "œred teams" and students learning to conduct a penetration test of an organization, using the vector of their workforce. The SiEVE process includes the stages of identifying targets, profiling the targets, and creating spear phishing attacks for the targets. The contributions of this research include the following: (1) The SiEVE process itself was developed using an iterative process to identify and fix initial shortcomings; (2) Each stage of the final version of the SiEVE process was evaluated in an experiment that compared performance of students using SiEVE against performance of those not using SiEVE in order to test effectiveness of the SiEVE process in a learning environment; Specifically, the study showed that those using the SiEVE process (a) did not identify more targets, (b) did identify more information about targets, and (c) did lead to more effective spear phishing attacks. The findings, limitations, and future work are discussed in order to provide next steps in developing formalized processes for red teams and students learning penetration testing.

social engineering

open source intelligence

ethics

IEEE

ACM

red team

cyber kill chain

cyber security

Science and Technology Studies