Written by
Christoffer Frödin
Published on
June 19, 2023
Company Profile: A financial institution that continually pushes the boundaries of innovation within its sector.
Executive Summary: We ran a two-week Red Team drill to test and strengthen the client's cloud security posture and, in particular, the ability of its Security Operations Center (SOC) to detect and respond to an adversary already inside the environment.
Context: A two-week Red Team drill in which we played the adversary.
Impact: The client came away with a stronger security posture and a concrete understanding of the weaknesses in its cloud environment and of the tactics an attacker would use to exploit them.
Goal: The primary objective was to find out what an adversary could realistically do once inside the cloud infrastructure. The second objective was to test, and then refine, the detection and response capabilities of the institution's Security Operations Center (SOC) against that activity.
Partnership: We planned the exercise timeline together with the institution's IT Security team and the SOC manager.
Technical Approach: We ran a new attack scenario on each day of the drill. Every scenario started from an 'Assumed Breach' position, that is, an attacker who already holds a foothold (here a compromised server), and followed real-world tradecraft. Each scenario was designed to generate telemetry that should trigger alerts and a response from the SOC, so that the detection and response chain could be observed end to end.
Tools & Resources: We adapted our tooling to each scenario's operating system and network layout and deliberately spanned the spectrum from low-signal to high-signal activity: quiet manual checks for privilege escalation at one end, noisy automated scripts at the other. We also performed network discovery from the compromised server into its surrounding network using nmap. The loudest scenario executed mimikatz on a host together with a simulated C2 beacon, the kind of activity a SOC should detect and contain quickly.
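As an added example of what the SOC side of these scenarios looks like (this is illustrative code written for this page, not the client's telemetry, tooling or detection rules, and not part of the original case study), the script below runs two simple detections over constructed sample logs: one for the nmap-style network discovery from the compromised server, and one for mimikatz and LSASS-dump command lines. The log formats, IP addresses, hostnames, user names, timestamps, thresholds and indicator strings are all assumptions made for the example.

```python
"""Added example, not code from the original case study or the client.
Two detections a SOC could run over the telemetry such a drill generates:
an nmap-style scan from the compromised server, and credential dumping with
mimikatz or an LSASS memory dump. Every log line, host, user, address and
threshold below is constructed for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: timestamp,src_ip,dst_ip,dst_port,proto.
# 10.0.1.5 plays the compromised server sweeping its own subnet with nmap.
FLOW_LOGS = """
2023-06-12T09:00:01,10.0.1.5,10.0.1.20,22,tcp
2023-06-12T09:00:01,10.0.1.5,10.0.1.20,80,tcp
2023-06-12T09:00:02,10.0.1.5,10.0.1.20,443,tcp
2023-06-12T09:00:02,10.0.1.5,10.0.1.20,445,tcp
2023-06-12T09:00:02,10.0.1.5,10.0.1.20,3389,tcp
2023-06-12T09:00:03,10.0.1.5,10.0.1.21,445,tcp
2023-06-12T09:00:03,10.0.1.5,10.0.1.22,445,tcp
2023-06-12T09:00:04,10.0.1.5,10.0.1.23,445,tcp
2023-06-12T09:00:04,10.0.1.5,10.0.1.24,445,tcp
2023-06-12T09:05:00,10.0.1.9,10.0.1.20,443,tcp
"""

# Constructed process-creation events: timestamp|host|user|image|command line
# (pipe-separated because command lines contain commas and quotes).
PROCESS_EVENTS = r"""
2023-06-12T10:15:00|srv-app-01|CORP\svc_app|C:\Windows\System32\cmd.exe|cmd.exe /c whoami /priv
2023-06-12T10:16:10|srv-app-01|CORP\svc_app|C:\Temp\m.exe|m.exe "privilege::debug" "sekurlsa::logonpasswords" exit
2023-06-12T10:17:00|srv-app-01|CORP\svc_app|C:\Tools\procdump64.exe|procdump64.exe -accepteula -ma lsass.exe C:\Temp\l.dmp
2023-06-12T10:18:00|srv-app-02|CORP\jdoe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
"""

EPOCH = datetime(1970, 1, 1)  # naive epoch so bucketing needs no timezone handling


def parse_flows(text):
    """Parse the constructed CSV flow lines into (datetime, src, dst, port, proto)."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, proto = line.split(",")
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), proto))
    return rows


def detect_scans(flows, window_s=60, port_threshold=5, host_threshold=5):
    """Flag a source that, within one time window, touches many ports on one
    host (vertical scan) or one port on many hosts (horizontal sweep).
    Thresholds are illustrative; tune them against your own traffic baseline."""
    ports_per_target = defaultdict(set)  # (src, bucket, dst)  -> {ports}
    hosts_per_port = defaultdict(set)    # (src, bucket, port) -> {dsts}
    for ts, src, dst, port, _proto in flows:
        bucket = int((ts - EPOCH).total_seconds()) // window_s
        ports_per_target[(src, bucket, dst)].add(port)
        hosts_per_port[(src, bucket, port)].add(dst)
    alerts = []
    for (src, _b, dst), ports in ports_per_target.items():
        if len(ports) >= port_threshold:
            alerts.append({"kind": "vertical_scan", "src": src,
                           "target": dst, "count": len(ports)})
    for (src, _b, port), dsts in hosts_per_port.items():
        if len(dsts) >= host_threshold:
            alerts.append({"kind": "horizontal_sweep", "src": src,
                           "target": str(port), "count": len(dsts)})
    return sorted(alerts, key=lambda a: (a["kind"], a["src"], a["target"]))


# Command-line fragments that betray credential dumping even when the binary
# has been renamed (mimikatz as m.exe above) and so evades image-name matching.
CRED_DUMP_INDICATORS = (
    "privilege::debug",  # mimikatz: acquire SeDebugPrivilege before touching LSASS
    "sekurlsa::",        # mimikatz: read credentials from LSASS memory
    "lsadump::",         # mimikatz: SAM / NTDS / DCSync family
    "lsass",             # procdump / comsvcs-style dump of the LSASS process
)


def parse_process_events(text):
    """Parse the constructed pipe-separated process-creation lines into dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, host, user, image, cmd = line.split("|", 4)
        rows.append({"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd})
    return rows


def detect_credential_dumping(events):
    """Return events whose command line contains a credential-dumping indicator.
    The quiet 'whoami /priv' check is deliberately not matched: it is exactly the
    low-signal activity that a rule like this one will never catch."""
    hits = []
    for e in events:
        cmd = e["cmd"].lower()
        matched = [ind for ind in CRED_DUMP_INDICATORS if ind in cmd]
        if matched:
            hits.append({**e, "indicators": matched})
    return hits


def run_detections():
    """Run both detections over the constructed samples."""
    return {
        "scan_alerts": detect_scans(parse_flows(FLOW_LOGS)),
        "cred_dump_hits": detect_credential_dumping(parse_process_events(PROCESS_EVENTS)),
    }


if __name__ == "__main__":
    for name, items in run_detections().items():
        print(f"== {name}: {len(items)} ==")
        for item in items:
            print(item)
```

Run stand-alone, the script reports one horizontal sweep on port 445 and one vertical scan against 10.0.1.20, both from 10.0.1.5, plus two credential-dumping hits on srv-app-01; the benign 10.0.1.9 traffic and the quiet `whoami /priv` check produce nothing. That silence is the design point for a SOC-focused drill: the noisy scenarios confirm that alerting works, while the quiet ones show where detection depends on something other than command-line or flow signatures.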
Quantitative Outcomes: The exercise revealed several gaps in the current response plan and process, and pinpointed cloud configurations that were missing security-relevant settings. Together these gave the institution a concrete view of the weaknesses in its security posture and in its readiness to respond.
Qualitative Outcomes: The exercise underscored that securing the cloud posture proactively, before an incident, is what keeps a breach from turning into a ransomware-scale disruption.
Client's Takeaway: The financial institution was pleased with the outcomes of the exercise.
Our Learnings: This was our first engagement as the Red Team in an exercise whose purpose was to test a Security Operations Center's response. The experience was invaluable and gave us rich insights with which to further fine-tune our cloud security expertise.