Threat-Led Penetration Testing (TLPT) Red Team Operations Methodology
Release: Version 1.0
Document
| Field | Description |
|---|---|
| Name | TLPT Red Team Operations Methodology |
| Creators | Hacken OU |
| Subject | Red Team; Security Testing; Cyber Attack Simulation; Ethical Hacking |
| Description | The methodology outlined in this document offers specific guidance on how to plan and execute a TLPT engagement through Red Team operations. It provides detailed steps for simulating advanced persistent threats, testing operational resilience, and evaluating the effectiveness of security controls against real-world attack vectors. This document is intended for use by security engineers, client stakeholders, and regulators to ensure the integrity and success of the TLPT engagement. |
| Contributor | Luciano Ciattaglia | VP of Services at Hacken OU |
| Contributor | Stephen Ajayi | Red Team Lead |
| Date | October 1st, 2024 |
| Rights | Hacken OU |
Background and Overviewā
Overviewā
The Threat-Led Penetration Testing (TLPT) Red Team Operations Methodology is a comprehensive framework designed to simulate sophisticated cyberattacks against an organization's critical infrastructure and processes. The purpose of TLPT is to validate the effectiveness of security controls, identify vulnerabilities, and assess the organization's ability to detect, respond, and recover from complex cyber threats. By leveraging this methodology, Red Teams can systematically assess an organization's defenses while adhering to industry and regulatory requirements such as DORA (Digital Operational Resilience Act) and the TIBER-EU framework.
Executive Summaryā
This methodology is created to guide security engineers and clients through the TLPT process. It is designed to mirror real-world threats while ensuring that all activities remain controlled and ethical. The methodology focuses on testing the security, availability, and integrity of critical systems, while providing actionable insights and recommendations to improve overall cybersecurity posture.
Glossaryā
| Term | Definition |
|---|---|
| Red Team Auditor | A group of security professionals who simulate the behavior of real-world threat actors to evaluate the security posture of an organization. |
| Control Team | A small, trusted group within the client organization responsible for overseeing the TLPT engagement and ensuring that security and operational integrity are maintained throughout the testing process. |
| Blue Team | The organization's internal or contracted defensive team responsible for detecting and responding to incidents. In a TLPT, the Blue Team is often unaware of the Red Team activities to simulate realistic conditions. |
| Rules of Engagement (RoE) | A set of guidelines that define the scope, limitations, and acceptable activities for the Red Team during the engagement. |
| Kill Chain | A model that describes the stages of a cyberattack, including reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. |
| Adversary Simulation | A method of simulating the tactics, techniques, and procedures (TTPs) of known threat actors to test the effectiveness of security controls. |
Importance of TLPT in Operational Resilienceā
As organizations face increasingly sophisticated cyber threats, Threat-Led Penetration Testing (TLPT) plays a crucial role in validating their preparedness. TLPT focuses on evaluating the organization's critical systems and processes, ensuring they can withstand and recover from cyberattacks. By simulating real-world threats, TLPT provides invaluable insights into an organization's resilience against Advanced Persistent Threats (APTs), cybercriminal groups, and nation-state actors.
TLPT is particularly important for organizations within regulated sectors, such as financial services, that are required to comply with DORA, the TIBER-EU framework, and similar regulatory standards. Regular TLPT engagements ensure that the organization's operational resilience remains robust and aligned with evolving cyber threats.
TLPT Red Team Operations Processā
The TLPT Red Team operations are broken down into three main phases: Planning and Pre-Engagement, Execution of Red Team Operations, and Post-Engagement Reporting and Follow-up.
4.1 Planning and Pre-Engagementā
The pre-engagement phase involves preparation and coordination between the Red Team, the client's Control Team, and any necessary regulatory authorities. This phase ensures that both parties understand the scope, objectives, and limitations of the engagement.
Key Steps:
-
Scope Definition: Identify critical systems, networks, applications, and physical locations within the engagement's scope.
-
Threat Intelligence Gathering: Use threat intelligence to create a threat profile based on the organization's industry, attack surface, and historical attacks.
-
Rules of Engagement (RoE): Develop the RoE that outlines what activities are authorized, prohibited, and the criteria for escalation during the testing.
-
Kill Chain Development: Create a tailored kill chain model that reflects the stages of the attack to be simulated during the engagement.
-
Legal and Compliance Review: Ensure all activities comply with applicable laws, regulations, and contractual obligations.
-
Control Team Preparation: Ensure the Control Team is briefed on their responsibilities during the engagement, including communication and escalation protocols.
4.2 Execution of Red Team Operationsā
During the execution phase, the Red Team conducts simulations of real-world cyberattacks against the scoped environment, mimicking adversarial behaviors.
Key Steps:
-
Reconnaissance:
- External Reconnaissance: Gather information about the organization's external-facing assets, such as domain names, IP addresses, and publicly accessible services.
- Internal Reconnaissance: If initial access is obtained, gather information about internal network topology, user accounts, and infrastructure.
-
Weaponization:
- Payload Creation: Develop custom payloads that can be used to exploit vulnerabilities within the scoped systems.
- Phishing and Social Engineering: Craft and execute phishing campaigns aimed at gaining initial access or sensitive information.
-
Exploitation:
- Privilege Escalation: Attempt to elevate privileges within the compromised systems to gain administrative or root-level access.
- Lateral Movement: Move through the network using compromised credentials or vulnerabilities to reach critical systems.
-
Persistence:
- Backdoor Installation: Install backdoors or persistence mechanisms to maintain access to the environment after the initial compromise.
-
Command and Control (C2):
- C2 Infrastructure: Set up secure communication channels to allow the Red Team to remotely control compromised systems without being detected.
-
Actions on Objectives:
- Data Exfiltration: Attempt to access and exfiltrate sensitive data from within the environment.
- Impact Simulation: Test the organization's ability to respond to actions that could impact operations, such as ransomware attacks, data deletion, or critical system shutdown.
4.3 Post-Engagement Reporting and Follow-upā
Once the Red Team operations are complete, the post-engagement phase involves documenting findings, conducting debriefs, and working with the client to implement remediations.
Key Steps:
-
Reporting: Produce a detailed report of all vulnerabilities discovered, successful exploits, and the attack paths used. Include recommendations for remediation.
-
Executive Debrief: Present high-level findings and strategic recommendations to senior management.
-
Technical Debrief: Conduct a detailed debrief with the Blue Team and technical stakeholders to discuss vulnerabilities, attack paths, and recommended remediation actions.
-
Remediation Support: Provide ongoing support to assist the client in mitigating identified risks, including validating fixes and helping with follow-up tests.
-
Regulatory Reporting: Submit any required documentation or attestations to regulatory authorities to demonstrate compliance with relevant frameworks (e.g., DORA, TIBER-EU).
Red Team Tools and Techniquesā
Red Teams use a combination of proprietary and public tools to conduct TLPT engagements. These tools enable them to replicate advanced adversarial behaviors and assess security controls effectively.
Key Tools:
-
Reconnaissance Tools: OSINT frameworks, such as Shodan, Maltego, and Recon-ng.
-
Exploitation Tools: Metasploit, Cobalt Strike, custom scripts, and zero-day exploitation frameworks.
-
Social Engineering Tools: Phishing kits, spear-phishing frameworks, and tools to automate social engineering attacks.
-
Post-Exploitation Tools: PowerShell Empire, BloodHound, and Mimikatz for privilege escalation and lateral movement.
-
C2 Frameworks: Cobalt Strike, Mythic, and Covenant for remote command and control.
Attack Vectors and Scenariosā
Digital Attack Vectors:
- Network attacks (e.g., exploitation of misconfigurations, lateral movement, privilege escalation)
- Application layer attacks (e.g., SQL injection, command injection, API exploitation)
Human Attack Vectors:
- Social engineering (e.g., phishing, vishing, smishing, impersonation)
- Insider threat simulations (e.g., abuse of access privileges)
Physical Attack Vectors:
- Physical penetration testing (e.g., bypassing access controls, implanting rogue devices)
Issue Severity and Risk Definitionā
| Severity | Description |
|---|---|
| Critical | Vulnerabilities that allow complete system compromise or immediate data breach. Requires urgent remediation. |
| High | Vulnerabilities that pose a significant risk but may require multiple chains. Should be addressed promptly. |
| Medium | Moderate risk vulnerabilities that could lead to exploitation if combined with other issues. Addressed in a reasonable time frame. |
| Low | Minor issues or recommendations that do not pose an immediate risk but could be used to improve security posture. |
| New | The issue was recently identified as a concern by the auditing team, impacting the overall security score of the report. |
| Reported | These reported issues remain unresolved despite remediation efforts. The customer has been notified of the associated risks. |
| Fixed | These issues were successfully resolved based on auditor recommendations, no longer affecting the security score. |
| Acknowledged | Assigned to an issue recognized by the client but intentionally not addressed, either as an intentional feature or a consciously ignored concern. While unaddressed, it has been formally acknowledged. |
| Mitigated | Changes that partially address an issue or introduce safeguards to reduce risk without completely eliminating the vulnerability. |
Findings and Documentationā
Red Team findings will be meticulously documented, including:
- Issue Title and Description: A clear summary of the vulnerability and how it was exploited.
- Severity Level: The assigned severity of the vulnerability.
- Proof of Concept: Evidence supporting the finding, including screenshots, logs, and data exfiltrated during the attack.
- Recommendations: Detailed steps on how to remediate the vulnerability.
- Common Weakness Enumeration (CWE): Reference to the CWE associated with the vulnerability for further context.
Limitationsā
While this methodology provides a comprehensive approach to assessing the security posture of an organization, it does not guarantee that all vulnerabilities will be identified. The scope, time constraints, and engagement boundaries limit the findings to what is tested during the TLPT.
Appendixā
A. List of Tools for Red Team Operationsā
The following is a list of open-source and widely-used tools in recent Red Team operations. These tools are divided into categories based on the phase of the attack kill chain they support.
1. Reconnaissance and Information Gathering:
- Shodan: A search engine for Internet-connected devices, useful for identifying open ports and services.
- Maltego: A graphical link analysis tool that helps in gathering and connecting public data.
- Recon-ng: A reconnaissance framework with modules for gathering open-source intelligence (OSINT).
- SpiderFoot: An open-source intelligence automation tool for gathering information on domains, IP addresses, emails, etc.
- TheHarvester: A tool for gathering email addresses, subdomains, IPs, and URLs from various public sources.
2. Vulnerability Scanning and Exploitation:
- Metasploit Framework: An open-source penetration testing framework used for developing and executing exploit code against a target machine.
- Cobalt Strike: A commercial threat emulation software, though it can be paired with open-source alternatives like Armitage.
- Nmap: A network scanning tool for discovering hosts and services on a computer network.
- CrackMapExec: A Swiss Army knife for pentesting networks, particularly useful for post-exploitation activities like lateral movement.
- Impacket: A collection of Python classes for working with network protocols and performing attacks like SMB relay.
3. Privilege Escalation:
- Mimikatz: A tool to extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory in Windows.
- WinPEAS: A privilege escalation script for Windows that searches for misconfigurations or vulnerabilities that could be exploited for privilege escalation.
- LinPEAS: A similar tool to WinPEAS but designed for Linux environments.
4. Post-Exploitation and Lateral Movement:
- BloodHound: A tool for analyzing Active Directory (AD) and visualizing attack paths within a network.
- Empire (PowerShell Empire): A post-exploitation framework that uses PowerShell agents to provide flexible, modular command and control.
- SharpHound: The data collector for BloodHound, written in C#.
- Responder: An LLMNR, NBT-NS, and MDNS poisoner useful for network-based credential harvesting.
5. Command and Control (C2):
- Covenant: A .NET-based command and control framework with modular implants and encrypted communications.
- Mythic: An open-source C2 platform designed for Red Teams, offering support for various languages and payloads.
- Sliver: An open-source adversary emulation framework designed to aid in Red Team engagements.
6. Social Engineering and Phishing:
- GoPhish: An open-source phishing framework designed to test an organization's security awareness by simulating phishing attacks.
- Social Engineer Toolkit (SET): A framework for automating social engineering attacks like phishing, credential harvesting, and email spoofing.
7. Physical Security and Device Attacks:
- RFIDler: An open-source RFID emulator for testing access control systems.
- Proxmark3: A versatile tool for reading, writing, and emulating RFID and NFC tags, often used in physical security tests.
- USB Rubber Ducky: A keystroke injection tool used for exploiting USB access points.
B. The Kill Chain Processā
The Cyber Kill Chain is a model used to describe the stages of a cyberattack, from initial reconnaissance to the final objective. Red Team operations often follow this process to simulate advanced adversarial behavior.
-
Reconnaissance:
- Gathering information on the target to identify potential attack vectors (e.g., domain names, IP addresses, email addresses, and publicly exposed systems).
-
Weaponization:
- Creating payloads, such as malware or exploits, that are capable of taking advantage of vulnerabilities identified during reconnaissance.
-
Delivery:
- Transmitting the weaponized payload to the target (e.g., via phishing emails, drive-by downloads, or physical media).
-
Exploitation:
- Exploiting the vulnerability on the target system to gain an initial foothold (e.g., exploiting a buffer overflow vulnerability or using stolen credentials).
-
Installation:
- Installing malware or backdoors on the target system to maintain access over an extended period (e.g., installing a remote access trojan or persistence mechanisms).
-
Command and Control (C2):
- Establishing a communication channel between the compromised system and the attacker's infrastructure to issue commands and retrieve data.
-
Actions on Objectives:
- Executing the final objectives of the attack, which could include data exfiltration, lateral movement, privilege escalation, or disrupting operations (e.g., deploying ransomware, stealing sensitive data, or corrupting databases).