Red Team in mysterious waters

Posted date 16/02/2023

Day after day, news of cybersecurity incidents keeps coming. The industrial world is no exception and, as a result, some sectors are exploring new proactive ways of analyzing their infrastructures.

For this reason, the cybersecurity departments responsible for defending against attacks have taken on greater importance within companies. One of their most important tasks is the correct development and execution of a security incident response plan: although companies deploy various security devices that help prevent and defend against attacks, none of them guarantees that the company will never be affected by a security incident.

This is where Red Team exercises come in: an authorized team of attackers (the Red Team) attempts a real intrusion into the company. In this way, both the security devices and the execution of the incident response plan are put to the test, since the team in charge of the defense does not know that the attack is a controlled one.

Red Team in industrial environments

Industrial environments are considered sensitive and highly critical infrastructures, since a small uncontrolled modification at any point could have catastrophic consequences, such as heavy financial losses for the company or industrial incidents with human victims. These environments are therefore a frequent target for attackers, whether the aim is to damage industrial equipment, company production or the surrounding natural environment, to carry out industrial espionage, and so on.

Red Team exercises are therefore important in any company or environment where an attacker could compromise data across a broad spectrum of sensitivity, and they are no less important in an industrial environment. There is one difference, however: tests executed within an industrial environment have to follow a specific framework, since the impact of the tests is greater than in other environments.

Given this need for a common framework for conducting this type of exercise in industrial environments, the Threat Intelligence-based Ethical Red Teaming (TIBER-EU) framework, originally created for financial environments, has been adapted.

TIBER-EU framework implementation process

When implementing the ‘TIBER-EU’ framework, the following established process is followed:

  • Starting with the generic threat assessment of the sector to which the company applying the ‘TIBER-EU’ framework belongs.
  • Next, the preparation phase is entered, where both the scope and the members of the different security teams involved are defined, in addition to establishing the objectives to be achieved by the attacking team or Red Team.
  • After the preparation phase comes the testing phase, where the cyber intelligence team provides a TTI (Targeted Threat Intelligence) report on the basis of which the Red Team develops its attack scenarios.
  • Finally, there is a closing phase, where the team produces a report collecting all the information obtained during the execution of the scenarios developed and executed in the previous phases, together with the corresponding corrective plan.

- Phases for the ‘TIBER-EU’ -

Tactics and techniques for Red Team in industrial environments

Although Red Team exercises follow a series of tactics and techniques defined in matrices that serve as a knowledge base, at the industrial level it is also important to keep other factors in mind, such as:

  • Executing attacks under certain conditions of the industrial environment.
  • Potential impacts of the executed attacks.
  • Attempting to run the tests in a prepared laboratory environment before running them in production.

If the MITRE ATT&CK matrix for ICS is consulted, with a view to emulating criminals who have attacked industrial environments, two tactics stand out: those that enable the initial reconnaissance of the organization, and those that enable initial access to the victim companies' networks.

These tactics are: 

  • Reconnaissance: tactic used for information gathering. In an industrial environment, knowledge of the architecture (the structure of both the IT network and the OT network) is a very valuable asset for the attacker. The Red Team has to test this tactic in order to build a baseline knowledge of the whole plant that can serve as a starting point for further attacks. The most commonly used techniques within this tactic, which have zero impact on production if executed correctly, include:
    • [T0842] Network Sniffing: there are currently different tools for capturing traffic, both native to the operating system and external to it. With these captures, attackers are able to analyze industrial protocols whose specification is public, as well as proprietary protocols. An example of this pre-analysis was seen in the TRITON attack.

To prevent this technique, different defensive methods can be used, such as:

  • Correct configuration of the industrial networks.
  • Encryption of communications.
  • Restricted access to certain network segments.
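As an added illustration (not part of the original post) of why a public, plaintext industrial protocol makes passive sniffing so informative, and of how the "restricted access to network segments" measure can be verified on captured traffic, the following Python decodes constructed Modbus/TCP frames and flags flows that break a hypothetical conduit allow-list. Modbus/TCP, the IP addresses, the policy and the sample frames are all assumptions; the post names no specific protocol.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus/TCP stands in for "an industrial protocol whose specification is public" (assumption).
FUNCTION_NAMES = {3: "Read Holding Registers", 6: "Write Single Register", 16: "Write Multiple Registers"}

@dataclass
class ModbusFrame:
    src: str
    dst: str
    unit_id: int
    function: int
    address: int

def parse_frame(src: str, dst: str, payload: bytes) -> ModbusFrame:
    """Decode the 7-byte MBAP header and the first PDU fields; every field is plaintext."""
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    function = payload[7]
    address = int.from_bytes(payload[8:10], "big")
    return ModbusFrame(src, dst, unit, function, address)

# Hypothetical conduit allow-list: which host may reach which PLC, and with which function codes.
POLICY = {
    ("10.10.1.5", "10.10.2.10"): {3},          # HMI: read only
    ("10.10.1.20", "10.10.2.10"): {3, 6, 16},  # engineering workstation: may also write
}

def check_policy(frame: ModbusFrame) -> Optional[str]:
    """Return a finding if the frame violates the conduit policy, otherwise None."""
    allowed = POLICY.get((frame.src, frame.dst))
    if allowed is None:
        return f"{frame.src} -> {frame.dst}: source not allowed to reach this PLC"
    if frame.function not in allowed:
        name = FUNCTION_NAMES.get(frame.function, f"function code {frame.function}")
        return f"{frame.src} -> {frame.dst}: {name} on register {frame.address} not permitted"
    return None

def analyze(captured) -> list:
    # captured: iterable of (src, dst, tcp_payload) tuples; returns the list of findings.
    return [f for f in (check_policy(parse_frame(s, d, p)) for s, d, p in captured) if f]

# Constructed sample capture (not real traffic): MBAP header, function code, start address, count/value.
SAMPLE = [
    ("10.10.1.5", "10.10.2.10", bytes.fromhex("0001000000060103006B0003")),   # HMI reads 3 registers
    ("10.10.1.5", "10.10.2.10", bytes.fromhex("0002000000060106006B1234")),   # HMI writes: violation
    ("10.10.3.99", "10.10.2.10", bytes.fromhex("0003000000060103000A0001")),  # unknown host: violation
]
```

Running `analyze(SAMPLE)` yields two findings: the HMI write and the read from a host outside the allowed conduits, while the legitimate HMI read passes.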
  • Initial Access: this tactic is of great importance once the attacker clearly knows the target assets within the victim network. It is very common for the malware sent by attackers into industrial networks to start with techniques based on social engineering, as in the case of:
    • [T0865] Spearphishing Attachment: many attacker groups have used this technique to gain initial access by sending emails with malicious attachments. One example is ALLANITE, which targeted companies in the energy sector, focusing its attacks on the US and the UK.
    • [T0817] Drive-by Compromise: through more elaborate attacks based on infecting external web pages visited by the victim organization (watering hole), attackers are able to circumvent the cybersecurity measures in place in many companies. An example of such attacks was the Dragonfly 2.0 group, which focused all its attacks on companies in the energy sector.

To prevent these techniques within companies, cybersecurity measures such as the following can be implemented:

  • Employee awareness through specially designed phishing campaigns.
  • Use of sandboxes or other tools that allow isolated analysis of attachments, to prevent the execution of malicious code delivered through them.
  • Keeping all the organization's systems as up to date as possible.
  • Restricting the browsing of certain assets through proxies.

The execution of Red Team exercises in industrial environments involves setting as an initial objective a preliminary analysis of the organization, seeking to detect its exposure to attacks originating on the Internet and any other useful information from tenders, organizational documentation, etc., which may provide clues for implementing elaborate attacks.

In cases where more advanced and complex tactics are to be used, it is advisable to adopt a Purple Team approach, whereby the Red Team (attacker) and the Blue Team (defender) share information with the aim of providing feedback to each other. This also provides greater safety when carrying out these exercises on high-risk industrial processes.


Red Team exercises are here to stay, both in IT and industrial environments, as they have become a basic service to be hired by companies wishing to test both cybersecurity systems and containment plans in the event of a real security incident. 

As we have seen, although Red Team exercises are simulations of real cyber-attacks, an established framework is required so that, at all times, the company, the identity of the Red Team members, the tests performed and their impact on the infrastructure are clearly identified.