So long and thanks for all the phish: Red teams need to be smarter now
Pen-testers face new challenges as defences evolve
BSides The opening talk at BSides Manchester on Thursday examined how red team tactics are evolving beyond phishing to include a wider variety of methods.
For example, internet-facing ADFS (Active Directory Federation Services) endpoints can be abused to gain entry to corporate environments without needing to trick staff into opening booby-trapped emails. Alternatively, pushing fake Skype updates through recently expired Microsoft domains offers another attack technique, according to security researchers Dominic Chell and Vincent Yiu. The pair showed how a tool called LinkedInt could be used to scrape the professionals' social network LinkedIn during reconnaissance.
Red team penetration testing emulates a real-world attack against a company to evaluate the effectiveness of its security defences. It's wider in scope than regular pen-testing exercises, which normally focus solely on specific corporate resources such as a range of IP addresses.
As defensive technologies and detection capabilities improve, red team aggressors must evolve, adapting their tactics to avoid the spotlight shone by the blue (defence) team.
Chell and Yiu examined the most significant advances in red team tactics over the past 12 months. In addition to public research, the duo detailed some of the research performed by MDSec's ActiveBreach team. Specifically, the research included domain fronting, using high-reputation domains to evade controls such as proxy categorisation in the course of exfiltrating data. The presentation also covered how popular (and expensive) malware protection sandboxes can be bypassed.
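Domain fronting, as described above, works because the TLS Server Name Indication (SNI) names a high-reputation host while the HTTP Host header inside the encrypted session names a different, lower-reputation one. The usual defensive check is therefore to compare the two at a TLS-intercepting proxy. The following is an added example written for this article, not code from the talk, MDSec or ActiveBreach; it assumes a hypothetical proxy log format (timestamp, client, SNI, Host header, path, one request per line) and runs over constructed sample lines.

```python
"""Flag TLS SNI / HTTP Host header mismatches in intercepting-proxy logs.

Added example, not from the BSides talk or MDSec. Assumes a hypothetical
proxy that logs the SNI from the ClientHello and the Host header of the
decrypted request in the whitespace-separated format used by SAMPLE_LOG.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (assumed format): ts src sni host path
SAMPLE_LOG = """\
2017-08-17T10:01:02Z 10.0.0.5 cdn.example-cloud.test cdn.example-cloud.test /assets/app.js
2017-08-17T10:01:03Z 10.0.0.5 cdn.example-cloud.test attacker-c2.example.test /beacon
2017-08-17T10:01:04Z 10.0.0.7 www.example.test www.example.test /
2017-08-17T10:01:05Z 10.0.0.7 www.example.test api.example.test /v1/status
2017-08-17T10:01:06Z 10.0.0.9 static.example-cloud.test static.example-cloud.test /img/logo.png
2017-08-17T10:01:07Z 10.0.0.9 static.example-cloud.test other-tenant.example.test /upload
"""


@dataclass(frozen=True)
class ProxyRecord:
    ts: str
    src: str
    sni: str
    host: str
    path: str


def parse_line(line: str) -> Optional[ProxyRecord]:
    """Parse one log line; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return ProxyRecord(*parts)


def normalise(name: str) -> str:
    """Drop any :port suffix and trailing dot, compare case-insensitively."""
    name = name.split(":")[0]
    return name.rstrip(".").lower()


def registrable_domain(name: str) -> str:
    """Crude last-two-label approximation; production code should use the
    public suffix list so that e.g. co.uk is handled correctly."""
    labels = normalise(name).split(".")
    return ".".join(labels[-2:])


def find_fronting(log_text: str, same_org_ok: bool = True) -> List[ProxyRecord]:
    """Return records whose Host header disagrees with the presented SNI.

    With same_org_ok=True, mismatches inside one registrable domain
    (www.corp.test vs api.corp.test) are treated as benign and skipped,
    which cuts noise from CDNs and multi-host web apps.
    """
    hits: List[ProxyRecord] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if normalise(rec.sni) == normalise(rec.host):
            continue
        if same_org_ok and registrable_domain(rec.sni) == registrable_domain(rec.host):
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_fronting(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} SNI={hit.sni} Host={hit.host} {hit.path}")
```

Run on the sample above, the two cross-organisation mismatches (Host headers of `attacker-c2.example.test` and `other-tenant.example.test`) are reported while the intra-organisation `www`/`api` pair is suppressed; setting `same_org_ok=False` surfaces that pair too. The check only works where the proxy actually terminates TLS; without interception the Host header is not visible and the SNI alone is exactly what the technique is designed to make look innocuous.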
Chell predicted that over the next year red teaming will focus more on evading defensive technology, such as approaches to defeating Windows 10's Device Guard and Credential Guard, as those technologies become widely deployed.
Chell and Yiu's talk opened the one-day security conference, attended by around 500 pen-testers, app developers and other infosec pros. The conference closed with a plea that white-hat hackers need to go beyond being engineers to become teachers, diplomats and negotiators as computer security issues and concerns become more mainstream. The plea was delivered by Charl van der Walt in a talk entitled Return of the Jedi – Considering the role of the Security Professional in Extraordinary Times. ®