View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
February 21, 2019

Lessons from Six Years of Red Teaming

Shared admin credentials are rife

By CBR Staff Writer

CIOs and CSOs are increasingly turning to Red Teaming to assess their organisations’ cyber resilience. A red team exercise is a simulated, targeted cyber-attack that mirrors the tactics, techniques and procedures used by real hackers, writes Andrew Scott, Assurance Regional Lead, Scotland at Context Information Security

These exercises often start from a ‘no-knowledge’ perspective and don’t offer instant gratification: they typically last between four and six weeks and result in a better understanding of the security risks and what steps can be taken.

Andrew Scott, Assurance Regional Lead, Scotland at Context Information Security

Red Team findings are very different from penetration testing findings. Key to this is the wider scope of the Red Team, not just from a technology side, but also from the People and Processes perspective.

Obtaining real data on what a simulated attacker was doing on a network when the Security Operations Centre were unable to track them is invaluable in helping mature the team and technologies in the SOC.

At Context, we have been performing Red Team engagements for some 20 years, but have based the findings in this article on tests carried out in the last six years from Europe, US and Asia Pac and across industries from finance, retail, regulators and healthcare to Governments and media organisations.

From these engagements we have analysed the findings to identify key ‘pivot points’ in the simulated attacker’s interaction with the target. These are the enabling weaknesses that turned the attack from an annoying intrusion to a potential disaster for the customer.

Red Teaming Engagements: The Findings

Lack of Patching and Unsupported Software

The fact that patching reached third place won’t be a surprise to anyone, yet it continues to be a thorn in system administrator’s sides and a huge opportunity for attackers. Even in the enterprises that we find that have the basics fixed, such as a successful Windows update cycle setup, there is always other vulnerable software running that can be leveraged to increase access and attack other users or systems.  The most common areas that we find opportunities to dig deeper into an organisation are:

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?
  • Third-party software. All software installed on a system needs maintenance and new versions and patches applied. Whether it’s FileZilla, the organisation’s management instrumentation or Chrome, all software needs to be considered as part of a patching cycle.
  • Usually business applications exist on the network, and we find they are not well maintained and patched. Or there are no patches but the application relies on outdated software and no mitigating actions have been taken.
  • OS updates. Although in a better place than third-party and hosted application patching, operating system patches are still not consistently and ubiquitously applied.
  • Outdated OSs. Yes, we still find Windows 2003 and XP in organisations. Everyone knows they are bad, but they have not successfully eradicated them from their estates. Not only are these old systems outdated and vulnerable, they can also hold back connected modern systems from being able to use some of the latest security settings available.
  • Out of support hardware. As with software, hardware goes out of support, get vulnerabilities and needs patching. Not supported but often not replaced, these can also be a treasure trove for attackers looking to gain additional access to a network.
  • Browser plugins. With the use of a modern browser this is becoming less of a problem. However, Red Teams do still find an installed base of Flash, old versions of Java and Adobe products which mean that they are usually able to find a reliable way to gain access to people’s desktops if needed.

Network Segregation

In two-thirds of our Red Team engagements we find we can jump straight from our initial point of compromise and start interacting with the targeted ‘Crown Jewel’.

Ten years ago, we used to talk about the crunchy exterior of networks and the soft squishy interiors and this seems to still be very much in evidence. When any connected device can connect to any system, eventually one will.

With the rise of VDI based infrastructures, new software tools and advanced host-based firewalls available in most operating systems, organisations can address this problem without necessarily re-architecting.

Poor Credential Handling

And in first place… in fact this was the biggest surprise when compiling the stats.

While ‘getting Domain Admin’ is required on some tests, no one imagined that this would be the key to as much as 85 percent of Red Team engagements, a full 20 percent up on second place.

Delving into the results more deeply reveals several ways that credentials are exposed to a Red Team, divided into those that increase risks and those that result in instant failure.

The most common point of single failure is passwords, for powerful domain administrator level accounts, added to logon scripts, or saved on a file share ‘in case someone forgets’.

Often these repositories allow everyone on the network to read them, compromising the credentials. Sharing administration credentials, either between users or between accounts, makes compromising them much easier for the Red Team or an attacker to gain access to them. The other problems are all common issues, which every system administrator knows they shouldn’t do.

When it comes to issues that increase risks, rather than acting as single points of failure, they mostly feature account configuration options.

It is common to find high power accounts with passwords which have not changed for more than five years, or the local administrator across a whole organisation to have the same password on every PC.

But the standout is simply that passwords used on important accounts are too easy to guess, or crack because they are not complex enough.

See also: The 5 Most Commonly Used Hacking Tools – and How to Defend Against Them

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.