book

Cybersecurity Attacks- Red Team Strategies

Name: Cybersecurity Attacks- Red Team Strategies
Author: Johann Rehberger
ISBN: 9781838828868

by Johann Rehberger

March 2020

Intermediate to advanced

524 pages

11h 23m

English

Packt Publishing

Read now

Unlock full access

Cybersecurity Attacks – Red Team Strategies
Why subscribe?ContributorsAbout the authorAbout the reviewersPackt is searching for authors like you
Preface
A note about terminologyWho this book is for What this book covers?To get the most out of this book Download the example code files Download the color imagesConventions usedGet in touchReviewsDisclaimer
Section 1: Embracing the Red
Chapter 1: Establishing an Offensive Security Program
Defining the mission – the devil's advocateGetting leadership supportConvincing leadership with dataConvincing leadership with actions and resultsLocating a red team in the organization chartThe road ahead for offensive security Building a new program from scratchInheriting an existing programPeople – meeting the red team crew Penetration testers and why they are so awesome!Offensive security engineering as a professional disciplineStrategic red teamersProgram managementAttracting and retaining talentDiversity and inclusionMorale and team identityThe reputation of the teamProviding different services to the organizationSecurity reviews and threat modeling supportSecurity assessmentsRed team operationsPurple team operationsTabletop exercisesResearch and developmentPredictive attack analysis and incident response supportAdditional responsibilities of the offensive programSecurity education and trainingIncreasing the security IQ of the organizationGathering threat intelligence Informing risk management groups and leadershipIntegrating with engineering processesI feel like I really know you – understanding the ethical aspects of red teamingTraining and education of the offensive security teamPolicies – principles, rules, and standardsPrinciples to guide and rules to followActing with purpose and being humblePenetration testing is representative and not comprehensivePentesting is not a substitute for functional security testingLetting pen testers exploreInforming risk managementRules of engagementAdjusting rules of engagement for operationsGeographical and jurisdictional areas of operationDistribution of handout cardsReal versus simulated versus emulated adversaries Production versus non-production systemsAvoiding becoming a pawn in political gamesStandard operating procedureLeveraging attack plans to track an operationMission objective – what are we setting out to achieve or demonstrate?Stakeholders and their responsibilitiesCodenamesTimelines and durationUnderstanding the risks of penetration testing and authorizationKick-off meetingDeliverablesNotifying stakeholdersAttack plan during execution – tracking progress during an operationDocumenting activitiesWrapping up an operationOverarching information sharing via dashboardsContacting the pen test team and requesting services Modeling the adversary Understanding external adversariesConsidering insider threatsMotivating factorsAnatomy of a breach Establishing a beachheadAchieving the mission objectiveBreaching web applications Weak credentialsLack of integrity and confidentialityCyber Kill Chain® by Lockheed MartinAnatomy of a cloud service disasterModes of execution – surgical or carpet bombingSurgicalCarpet bombingEnvironment and office spaceOpen office versus closed office spaceSecuring the physical environment Assemble the best teams as neededFocusing on the task at handSummaryQuestions
Chapter 2: Managing an Offensive Security Team
Understanding the rhythm of the business and planning Red Team operationsPlanning cycles OffsitesEncouraging diverse ideas and avoiding groupthinkPlanning operations – focus on objectivesPlanning operations - focus on assetsPlanning operations - focus on vulnerabilitiesPlanning operations – focus on attack tactics, techniques, and proceduresPlanning operations – focus on STRIDEManaging and assessing the teamRegular 1:1s Conveying bad newsCelebrating success and having funManagement by walking around Managing your leadership teamManaging yourselfHandling logistics, meetings, and staying on trackTeam meetingsWorking remotelyContinuous penetration testingContinuous resource adjustment Choosing your battles wiselyGetting support from external vendor companiesGrowing as a teamEnabling new hires quicklyExcellence in everythingOffensive security test readinessBuilding an attack labLeading and inspiring the team For the best results – let them loose!Leveraging homefield advantageFinding a common goal between red, blue, and engineering teamsGetting caught! How to build a bridgeLearning from each other to improveThreat huntingGrowing the purple team so that it's more effectiveOffensive techniques and defensive countermeasuresSurrendering those attack machines!Active defense, honeypots, and decoysProtecting the pen testerPerforming continuous end-to-end test validation of the incident response pipelineCombatting the normalization of devianceRetaining a healthy adversarial view between red and blue teamsDisrupting the purple teamSummaryQuestions
Chapter 3: Measuring an Offensive Security Program
Understanding the illusion of controlThe road to maturityStrategic red teaming across organizations The risks of operating in cloak-and-dagger modeTracking findings and incidentsRepeatabilityAutomating red teaming activities to help defendersProtecting information – securing red team findingsMeasuring red team persistence over timeTackling the fog of war Threats – trees and graphsBuilding conceptual graphs manuallyAutomating discovery and enabling explorationDefining metrics and KPIs Tracking the basic internal team commitmentsAttack insight dashboards – exploring adversarial metricsRed team scores Tracking the severity of findings and measuring risks Moving beyond ordinal scoresUsing mean-time metricsExperimenting with Monte Carlo simulationsThreat response matrix Test Maturity Model integration (TMMi ®)and red teamingLevel 2: ManagedLevel 3: DefinedLevel 4: MeasuredLevel 5: OptimizedLevel 6: Illusion of control – the red team strikes backMITRE ATT&CK™ MatrixMITRE ATT&CK Navigator Remembering what red teaming is aboutSummaryQuestions
Chapter 4: Progressive Red Teaming Operations
Exploring varieties of cyber operational engagementsCryptocurrency miningMining crytocurrency to demonstrate the financial impact – or when moon?Red teaming for privacyGetting started with privacy focused testingSending a virtual bill to internal teams Red teaming the red teamTargeting the blue team Leveraging the blue team's endpoint protection as C2Social media and targeted advertisingTargeting telemetry collection to manipulate feature developmentAttacking artificial intelligence and machine learningOperation Vigilante – using the red team to fix thingsEmulating real-world advanced persistent threats (APTs)Performing tabletop exercises Involving the leadership team in exercisesSummaryQuestions
Section 2: Tactics and Techniques
Chapter 5: Situational Awareness – Mapping Out the Homefield Using Graph Databases
Understanding attack and knowledge graphsGraph database basicsNodes or verticesRelationships or edgesProperties or valuesLabelsBuilding the homefield graph using Neo4jExploring the Neo4j browserCreating and querying informationCreating a nodeRetrieving a nodeCreating relationships between nodesIndexing to improve performanceDeleting an objectAlternative ways to query graph databases SummaryQuestions
Chapter 6: Building a Comprehensive Knowledge Graph
Technical requirementsCase study – the fictional Shadow Bunny corporationEmployees and assetsBuilding out the graphCreation of computer nodesAdding relationships to reflect the administrators of machinesConfiguring the query editor to allow multi-statement queriesWho uses which computer?Mapping out the cloud! Importing cloud assets Creating an AWS IAM userLeveraging AWS client tools to export dataLoading CSV data into the graph databaseLoading CSV data and creating nodes and relationshipsGrouping dataAdding more data to the knowledge graphActive DirectoryBlue team and IT data sourcesCloud assetsOSINT, threat intel, and vulnerability informationAddress books and internal directory systemsDiscovering the unknown and port scanningAugmenting an existing graph or building one from scratch?SummaryQuestions

Chapter 7: Hunting for Credentials
Technical requirementsClear text credentials and how to find themLooking for common patterns to identify credentialsRetrieving stored Wi-Fi passwords on WindowsTooling for automated credential discoveryLeveraging indexing techniques to find credentialsUsing Sourcegraph to find secrets more efficiently Searching for credentials using built-in OS file indexingIndexing code and documents using Apache Lucene and ScourHunting for ciphertext and hashesHunting for ciphertextHunting for hashesSummaryQuestions
Chapter 8: Advanced Credential Hunting
Technical requirementsUnderstanding the Pass the Cookie techniqueCredentials in process memoryWalkthrough of using ProcDump for WindowsUnderstanding MimikittenzDumping process memory on LinuxDebugging processes and pivoting on macOS using LLDBUsing Mimikatz offlineAbusing logging and tracing to steal credentials and access tokensTracing the WinINet providerDecrypting TLS traffic using TLS key loggingSearching log files for credentials and access tokensLooking for sensitive information in command-line arguments Using Task Manager and WMI on Windows to look at command-line argumentsWindows Credential Manager and macOS Keychain Understanding and using Windows Credential ManagerLooking at the macOS KeychainUsing optical character recognition to find sensitive information in imagesExploiting the default credentials of local admin accounts Phishing attacks and credential dialog spoofing Spoofing a credential prompt using osascript on macOSSpoofing a credential prompt via zenity on LinuxSpoofing a credential prompt with PowerShell on WindowsCredential dialog spoofing with JavaScript and HTML on the webUsing transparent relay proxies for phishingPerforming password spray attacksLeveraging PowerShell to perform password sprayingPerforming password spraying from macOS or Linux (bash implementation)SummaryQuestions
Chapter 9: Powerful Automation
Technical requirementsUnderstanding COM automation on WindowsUsing COM automation for red teaming purposesAchieving objectives by automating Microsoft Office Automating sending emails via OutlookAutomating Microsoft Excel using COMSearching through Office documents using COM automationWindows PowerShell scripts for searching Office documentsAutomating and remote controlling web browsers as an adversarial techniqueLeveraging Internet Explorer during post-exploitationAutomating and remote controlling Google ChromeUsing Chrome remote debugging to spy on users!Exploring Selenium for browser automation Exfiltrating information via the browserSummaryQuestions
Chapter 10: Protecting the Pen Tester
Technical requirementsLocking down your machines (shields up)Limiting the attack surface on WindowsBecoming stealthy on macOS and limiting the attack surfaceConfiguring the Uncomplicated Firewall on Ubuntu Locking down SSH accessConsidering Bluetooth threatsKeeping an eye on the administrators of your machinesUsing a custom hosts file to send unwanted traffic into a sinkholeKeeping a low profile on Office Delve, GSuites, and Facebook for WorkSecurely deleting files and encrypting hard drivesImproving documentation with custom Hacker Shell promptsCustomizing Bash shell promptsCustomizing PowerShell promptsImproving cmd.exe promptsAutomatically logging commands Using Terminal multiplexers and exploring shell alternativesMonitoring and alerting for logins and login attemptsReceiving notifications for logins on Linux by leveraging PAMNotification alerts for logins on macOSAlerting for logins on WindowsSummaryQuestions
Chapter 11: Traps, Deceptions, and Honeypots
Technical requirementsActively defending pen testing assets Understanding and using Windows Audit ACLsConfiguring a file to be audited by Windows using SACLsTriggering an audit event and changing the Windows Audit PolicyNotifications for file audit events on WindowsSending notifications via email on WindowsCreating a Scheduled Task to launch the Sentinel monitorBuilding a Homefield Sentinel – a basic Windows Service for defending hostsInstalling Visual Studio Community Edition and scaffolding a Windows ServiceAdding basic functionality to the scaffoldAdding logging functionality to the serviceLeveraging a configuration file to adjust settings Adding an installer to the serviceUninstalling the Homefield Sentinel service Monitoring access to honeypot files on LinuxCreating a honeypot RSA key fileUsing inotifywait to gain basic information about access to a fileLeveraging auditd to help protect pen test machinesNotifications using event dispatching and custom audisp pluginsAlerting for suspicious file access on macOS Leveraging fs_usage for quick and simple file access monitoringCreating a LaunchDaemon to monitor access to decoy filesObserving the audit event stream of OpenBSMConfiguring OpenBSM for auditing read access to decoy filesSummaryQuestions
Chapter 12: Blue Team Tactics for the Red Team
Understanding centralized monitoring solutions that blue teams leverageUsing osquery to gain insights and protect pen testing assetsInstalling osquery on UbuntuUnderstanding the basics of osqueryUsing osquery to monitor access to decoy filesLeveraging Filebeat, Elasticsearch, and Kibana Running Elasticsearch using DockerInstalling Kibana to analyze log filesConfiguring Filebeat to send logs to ElasticsearchAlerting using WatcherSummaryQuestions
Assessments
Chapter 1Chapter 2Chapter 3Chapter 4Chapter 5Chapter 6Chapter 7Chapter 8Chapter 9Chapter 10Chapter 11Chapter 12
Another Book You May Enjoy
Leave a review - let other readers know what you think

Overview

Cybersecurity Attacks: Red Team Strategies provides a comprehensive guide to building and enhancing an internal penetration testing program with an emphasis on applying real-world offensive techniques. The content is designed to help readers adopt the red team mindset and strategies, improving security response and organizational defense.

What this Book will help me do

Understand how to set up and manage a penetration testing program effectively.
Learn techniques for hunting and tracking credentials with practical tools.
Master the use of knowledge graphs for mapping an organization's security landscape.
Gain insights into automation techniques for enhancing red team operations.
Discover methods for employing traps and decoys to strengthen security measures.

Author(s)

None Rehberger is an experienced cybersecurity professional specializing in penetration testing and red teaming. With a career dedicated to developing secure systems and training security teams, they bring hands-on expertise and a practical approach. Rehberger's writing reflects a commitment to sharing actionable strategies and instilling best practices in future cybersecurity practitioners.

Who is it for?

This book is tailored for penetration testers, cybersecurity analysts, and red team professionals eager to enhance their skills. It appeals to security managers and CISOs who aim to improve their organization's defense by leveraging red teaming techniques. Beginners with a foundational understanding of penetration testing will find it a practical learning resource, while experienced practitioners will expand their toolkit with advanced methods.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Cybersecurity Attacks (Red Team Activity)

Publisher Resources

ISBN: 9781838828868

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills