I didn’t get as much time as I needed, so here is the briefing with a few additional slides added.
It was interesting to see several other briefings that were about the same exact underlying point, but coming up with different creative solutions.
1. Real world attackers have more resources than Red Teams
3. Detecting a Red Team may give a client the wrong impression that they are resilient to targeting by an APT
Both of their talks addressed this fact by releasing new and novel tools: in this case an endpoint agent (Gryffindor) and a C2 framework (FoxTrot C2). My idea was just to skip the details of endpoint compromise and phishing, whitelist the payload, and by doing so bring yourself into parity with an APT. You are inside the network, you have persistence, let the real test begin. So I guess you could say my idea was born out of pragmatism and the notion that although staying even with APTs may be possible for periods at a time, it is not sustainable for the red teaming community over the long haul.
This is just a call to use stealthy Internal Penetration Testing where the SOC is what is being tested. This is not a new idea, or something I made up. It is simply a new way to frame and think about an already existing style of engagement. If we agree with the "Assume Breach" mentality, we should consider a stealthy internal test the closest thing to real world threat emulation. Unless you are a red team with a golden ticket to break the law. If that's the case, let me know if you are hiring. Let me know what your thoughts are.
Sam (keyzer a.T. protonmail.ch).