What Is Automated Red Teaming?
LAST UPDATED ON OCTOBER 22, 2024
Organizations' evolving IT environments expand their attack surfaces. Given the ever-changing threat landscape, organizations must identify their most critical attack paths before they are exploited by adversaries. This awareness enables them to address attack vectors that skilled adversaries could chain together. Typically, companies hire red team professionals once or twice a year to identify these paths. However, with IT environments being dynamic—due to factors like employee turnover, improperly segmented networks, or lingering account privileges—the attack surface constantly shifts. Thus, continuous red teaming is essential. As this isn't always budget-friendly, many organizations are turning to automated red teaming processes.
Picus' Attack Path Validation seamlessly addresses this demand by providing organizations with continuous, intelligent, and stealthy automated red teaming simulations. In addition, Picus automated penetration testing allows organizations to proactively simulate adversary tactics to uncover hidden vulnerabilities. By mimicking sophisticated adversaries and the intricacies of their attack patterns, Picus ensures that companies remain one step ahead, identifying and mitigating potential vulnerabilities in real-time, ensuring a safer and more resilient security infrastructure.
What Is Automated Red Teaming?
Automated red teaming is a proactive cybersecurity approach that uses automation to simulate adversarial attack scenarios against an organization's information systems. It mimics the tactics, techniques, and procedures (TTPs) of real-world sophisticated attackers, aiming to identify chains of attack vectors before they are exploited by an adversary.
Unlike traditional red teaming, which often relies heavily on human expertise for planning and execution, automated red teaming uses software tools to rapidly conduct a range of attacks, identify vulnerabilities, and test defensive measures. This method offers the advantage of scalability, repeatability, and consistent assessment of security posture, allowing organizations to continually evaluate and improve their defensive measures against evolving threats.
Why Is Red Teaming Alone Not Enough?
In the dynamic world of cybersecurity, relying exclusively on red teaming isn't sufficient.
As organizations grow and change, so does their attack surface. Employee turnover, both incoming and outgoing, introduces changes to this surface. Overlooking these shifts can lead to potential vulnerabilities, like unmonitored high-privilege user accounts. The absence of effective network segmentation further offers adversaries opportunities for lateral movements, granting them access to confidential data.
Since the threat landscape doesn't remain static, insights from red teaming can become outdated swiftly, especially with issues like misconfigured security controls coming into play. While consistent red teaming is optimal, the associated costs often restrict its regular implementation. To bridge this gap, a blend of automation and conventional red teaming could be the key.
Which Red Teaming Operations Can Be Automated?
Automated red teaming can handle various tasks in the process of simulating cyberattacks:
- Credential Harvesting: Techniques such as LSASS credential dumping, LSA secrets dumping, and SAM & LSA secrets dumping allow for automated collection of user credentials.
- Enumeration: Tools can automatically conduct operations like domain trust, domain DNS, and user group enumerations, identifying vulnerable points and potential targets.
- Access Techniques: Once entry points are identified, automated systems can utilize methods like Windows Management Instrumentation (WMI) and Server Message Block Execution (SMBExec) to access systems.
- Escalation Attacks: Using strategies such as Modifiable Service Binary Escalation and User Account Control (UAC) Bypass, automated tools can elevate privileges within systems.
- Scope Definition: The process of designating the specific domain or setting boundaries for the simulation can be automated, ensuring the activity remains within predetermined limits.
However, while these operations can be automated, the presence of a human expert ensures adaptability and an understanding of nuanced threats and vulnerabilities.
Benefits of Continuous Automated Red Teaming
The benefits of continuous automated red teaming can be summarized under seven main bullet points.
- Identification of choke points where multiple business-critical attack paths converge, allowing for targeted remediation that eliminates several critical threats.
Figure 1. Identifying the Choke Points with Picus' Attack Path Validation Module
- Proactive attack path discovery before adversaries can exploit them.
- Sustained engagement with ever-evolving IT environments, accommodating changing privileges and configurations.
- Recognition of attack vectors that, when linked, result in the most consequential attack scenarios.
- Cost-effective scalability compared to human-centric red teaming approaches.
- While not replacing human expertise, it serves as an effective complementary solution.
- Delivers comprehensive reports enriched with mitigation recommendations.
Automated Red Team Operations vs. Traditional Security Assessment Approaches
The ever-evolving cybersecurity landscape demands a proactive approach to threat mitigation and response. While traditional security assessments have long provided foundational insights, automated red teaming has emerged as a robust tool for simulating real-world attack scenarios. Here's a comparative breakdown of the two methods:
Traditional Security Assessment Approaches:
- Typically one-off, scheduled evaluations.
- Primarily focused on identifying isolated vulnerabilities.
- Conducted manually by cybersecurity experts.
- Offers general vulnerability reports, often without contextual risk.
- Lacks continuous adaptation to evolving IT landscapes.
- Costs associated with human resources and logistics.
Automated Red Teaming:
- Uses continuous simulations to mimic real-world cyberattacks.
- Focuses on chaining vulnerabilities to illustrate an attacker's path.
- Incorporates an intelligence decision engine for stealthy attack paths.
- Offers detailed attack path documentation post-simulation.
- Adapts to dynamic IT environments with changing privileges.
- Is more scalable and often less expensive.
- Provides enhanced techniques like fileless implants and advanced enumeration.
- Adjusts strategies based on in-simulation discoveries.
- Ensures precise scope definition for compliance and safety.
Continuous Automated Red Teaming with Picus’ Attack Path Validation Module
Within the Complete Security Control Validation platform, Picus offers an Attack Path Validation module. This module harnesses the capabilities of a graph-based intelligence decision engine, pinpointing the most stealthy and evasive attack paths within an organizational landscape.
Simultaneously, its fileless implant design emulates human red team expertise without requiring any security-control exceptions, reflecting the advanced security bypass techniques that sophisticated adversaries use and that we observe growing in prevalence in real-world threats.
Hence, the Attack Path Validation module provides a sophisticated, safe, and continuous automated red teaming practice for organizations without causing environmental changes or requiring security exceptions.
Here are four steps of the lifecycle of automated red teaming with Picus’ Attack Path Validation module.
Step 1: Setting Objectives for Automated Red Teaming with Picus
In real-world scenarios, adversaries have specific objectives, such as
- financial gain,
- political motives,
- destruction, or
- hacktivism activities.
To achieve these listed objectives and maximize their impact, adversaries target particular assets or accounts within an organizational network, seeking widespread access. Consequently, they aim to infect and affect as many assets as possible with malicious software, including threats like ransomware or wiper malware.
Given that red teaming demands thinking akin to an adversary to pinpoint potential attack paths to an organization's crown jewel, it should closely resemble an actual attack. Therefore, before initiating the automated red teaming process, organizations first determine the objective of the red teaming exercise.
Figure 2. A Lateral Movement Scenario with an Achieved Objective.
For example, referring to the figure above, we observe a typical attack path. This path originates from an endpoint where credentials were captured during the harvesting phase. These credentials enable the agentless intelligent decision engine, a component that mimics hacker tactics in our automated red teaming simulations, to laterally transition to other endpoints within the domain, ultimately accessing a third endpoint with domain admin privileges.
How Does Picus Help You?
Domain admin privileges in Windows Active Directory (AD) grant adversaries unparalleled control. With these rights, attackers can dump user credentials, tweak security policies to their advantage, and establish persistent backdoors. They can deploy ransomware across every endpoint, access and exfiltrate confidential data, or disrupt key operations. In a real-world scenario, imagine an attacker leveraging these privileges in a major corporation; the potential fallout ranges from massive data breaches to paralyzing ransomware attacks. The "Obtain Domain Admin Privileges" objective in the Picus Attack Path Validation platform underscores the high stakes of such access.
Figure 3. Objective of Achieving Domain Admin Privileges with Picus Attack Path Validation
The figure above highlights a clear objective: gaining domain admin privileges. To meet this target, the approach involves stages such as discovery, privilege escalation, credential access, and lateral movement.
Step 2: Deciding on Attack Groups for Red Teaming Automation with Picus
Once objectives are set, the subsequent step is selecting the tools and methodologies to employ during the red teaming exercise. At this juncture, a red team expert sketches out a preliminary attack path to meet the set objective. This involves planning specific attack techniques or vectors to utilize during the simulation.
How Does Picus Help You?
Before the simulation is conducted, the Picus Attack Path Validation platform asks its users to decide on certain attack groups, which are listed under two categories:
- Harvest Groups
- Access Groups
Phase 1. Harvesting Attack Techniques
Typically, a red teaming session starts with an in-depth harvesting phase where valid account credentials are collected. Enumeration might be conducted to identify accounts with specific privileges, such as access to multiple subdomains, thereby establishing potential pivot points for adversaries. Red team professionals might also devise custom shell scripts tailored to the environment or, as another example, use LDAP filters to better understand the AD landscape and discreetly gather sensitive data without triggering SIEM alerts.
Understanding the human expertise inherent in red teaming, and with the ambition to automate this for a continuous red teaming experience, Picus enables its users to select specific harvesting attack techniques. The outcomes of these techniques then inform our intelligence decision engine, which formulates the most stealthy attack path to achieve the simulation’s objective. The Picus Attack Path Validation module encompasses a broad spectrum of credential harvesting and enumeration strategies.
Below, you can find some of the harvesting techniques presented in the Picus Attack Path Validation module.
- LSASS Credential Dumping
- LSA Secrets Dumping
- Group Policy Preferences Enumeration
- Organizational Units Enumeration
- Domain Service Account Enumeration
- Local Admin Check over SMB
- SAM & LSA Secrets Dumping
- Group Managed Service Accounts (sMSA)
- Domain Trust Enumeration
- Domain Group Enumeration
- User Groups and Session Enumeration
- Domain DNS Enumeration
Phase 2. Access Attack Techniques
Beyond the initial harvesting strategies, it's crucial to conceptualize the attack groups that could enable adversaries to penetrate endpoints. Some notable techniques presented by the Picus Attack Path Validation module include:
- Windows Management Instrumentation (WMI)
- Server Message Block Execution (SMBExec)
- Pass the Ticket
- Unquoted Service Path Escalation
- Modifiable Service Escalation
- Modifiable Service Binary Escalation
- User Account Control (UAC) Bypass
It's important to realize that these plans, formulated prior to the actual attack, might evolve.
Factors encountered during the simulation, such as unexpectedly gaining access to a high-privilege account or discovering a script laden with valuable credentials, can expedite the exercise or prompt course adjustments. In some cases, the red teaming session could wrap up more swiftly than anticipated.
Step 3: Defining the Attack Scope of Automated Red Teaming Simulation
Defining the red teaming engagement scope is a crucial step that should never be underestimated.
How Does Picus Help You?
The Picus Attack Path Validation module begins its process by guiding users to designate the specific domain for the simulation. This crucial step guarantees not only the effective operation of the simulation but also strict compliance with the predetermined scope of the automated red teaming engagement.
Figure 4. Defining the Scope of the Automated Red Teaming Practice with Picus Security
Understanding the importance of business continuity, Picus offers an added layer of protection. If customers worry about unintentional interruptions to vital business assets during the automated red teaming practice, they can seamlessly exclude these by omitting their hostnames from the red teaming engagement scope.
To ensure further control and flexibility, the platform provides an option for users to set a simulation timeout, thus determining the maximum duration the simulation can run.
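The three scope controls just described (designated domain, excluded hostnames, simulation timeout), modeled as a single gate that every simulated action must pass. This is an added example, not Picus code; the class, method and host names are hypothetical.

```python
"""Scope guard for an automated red teaming run (added example, not Picus code).

Models the designated domain, the excluded business-critical hostnames and
the simulation timeout as a gate every simulated action must pass.
All class, method and host names are hypothetical.
"""
import time
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class SimulationScope:
    domain: str                                  # designated AD domain
    excluded_hosts: Set[str] = field(default_factory=set)
    timeout_seconds: float = 3600.0
    started_at: float = field(default_factory=time.monotonic)

    def __post_init__(self) -> None:
        # Normalise once so later comparisons are case- and dot-insensitive.
        self.domain = self.domain.strip(".").lower()
        self.excluded_hosts = {h.strip(".").lower() for h in self.excluded_hosts}

    def in_domain(self, fqdn: str) -> bool:
        """True only for the domain itself or a host inside it.

        A bare endswith() would accept 'evilcorp.example.com' for the
        domain 'corp.example.com', so a label boundary is required.
        """
        fqdn = fqdn.strip(".").lower()
        return fqdn == self.domain or fqdn.endswith("." + self.domain)

    def time_left(self, now: Optional[float] = None) -> float:
        now = time.monotonic() if now is None else now
        return self.timeout_seconds - (now - self.started_at)

    def check(self, fqdn: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Gate one simulated action against a target; returns (allowed, reason)."""
        if self.time_left(now) <= 0:
            return False, "simulation timeout reached"
        if not self.in_domain(fqdn):
            return False, f"{fqdn} is outside designated domain {self.domain}"
        if fqdn.strip(".").lower() in self.excluded_hosts:
            return False, f"{fqdn} is an excluded business-critical host"
        return True, "in scope"


if __name__ == "__main__":
    scope = SimulationScope("corp.example.com", {"erp-db01.corp.example.com"}, 1800)
    for host in ("ws042.corp.example.com", "erp-db01.corp.example.com", "evilcorp.example.com"):
        print(host, scope.check(host))
```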
Step 4: Starting the Attack Simulation
Once the objective, attack actions, and scope of the automated red teaming engagement have been established, the attack simulation can start.
How Does Picus Help You?
It's important to emphasize that automated red teaming practice with Picus isn't executed using a traditional agent. Instead, the simulation gets triggered by a fileless implant which, once the simulation concludes, is removed along with all the data it processed. Thus, organizational data and sensitive details aren't retained anywhere, ensuring a secure red teaming experience.
The fileless implant (agentless architecture) approach not only mirrors the rising trend of fileless malware seen in real-world scenarios but also bypasses conventional security measures. By doing so, it assesses the efficacy of defensive strategies against stealthy bypass attempts, offering a genuine red teaming experience.
Below, you can find the fileless agents, provided in the form of binary payloads. These payloads serve as the initial stager from which the simulation continues.
Figure 5. Deciding on the Fileless Implant that Triggers the Automated Red Teaming Simulation with Picus
Step 5: Automated Red Teaming Engagement Report with Picus
The reporting phase of a red teaming operation is one of its most crucial points.
The report should be comprehensive, highlighting the most business-critical attack paths that enable adversaries to access an organization's crown jewel. It should provide a coherent and visual description of the discovered vulnerabilities and illustrate how these elements, when linked, form the attack path.
How Does Picus Help You?
After the execution of the automated red teaming simulation, the Picus Attack Path Validation module produces in-depth documentation of all the attack paths discerned during the activity.
Figure 6. An Example Critical Attack Path Identified During the Automated Red Teaming Simulation by Picus
As an illustration, the graph-based figure referenced above clearly showcases an attack path marked in red, indicating a potential route an adversary might take to access a domain admin account. This specific path is delineated through a sequence of chained attack actions, each detailed sequentially in the report.
Furthermore, Picus' Attack Path Validation module doesn't stop at the mere identification of these paths. It goes a step further by quantifying the data: detailing the number of valid account credentials captured, enumerating hashed credentials harvested during the simulation, and even breaking down the numbers concerning hosts, servers, and users affected.
Such a comprehensive overview equips organizations with the insights needed to pinpoint the attack vectors and to understand how a seasoned adversary might methodically chain them into a strategy that reaches the goal with the greatest possible impact.
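Choke-point ranking over a set of discovered attack paths, as an added example (not Picus code and not the module's graph engine): it ties the chained attack paths in the report to the choke-point remediation listed under the benefits above, by enumerating every path from compromised entry endpoints to the domain admin objective and ranking intermediate nodes by how many paths pass through them. The attack graph, host names and account names are constructed sample values.

```python
"""Choke-point ranking over discovered attack paths (added example, not Picus code).

Nodes are compromised hosts/accounts; an edge is one chained attack action
(e.g. a credential dump on one host enabling lateral movement to the next).
Every host and account name below is a constructed sample value.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed attack graph: node -> nodes reachable by a single attack action.
ATTACK_GRAPH: Dict[str, List[str]] = {
    "ws01": ["svc_backup"],           # harvested service-account credential
    "ws02": ["svc_backup", "fs01"],   # same credential, plus local admin on fs01
    "ws03": ["fs01"],
    "svc_backup": ["fs01", "sql01"],  # account is local admin on both servers
    "fs01": ["sql01"],                # lateral movement with harvested hash
    "sql01": ["Domain Admin"],        # domain admin session present on sql01
    "Domain Admin": [],               # the simulation objective
}

def all_paths(graph: Dict[str, List[str]], start: str, goal: str,
              path: Optional[List[str]] = None) -> List[List[str]]:
    """Depth-first enumeration of all simple paths (no repeated nodes)."""
    path = [start] if path is None else path + [start]
    if start == goal:
        return [path]
    found: List[List[str]] = []
    for nxt in graph.get(start, []):
        if nxt not in path:
            found.extend(all_paths(graph, nxt, goal, path))
    return found

def choke_points(graph: Dict[str, List[str]], entries: List[str],
                 goal: str) -> Tuple[int, List[Tuple[str, int]]]:
    """Return (total paths, [(node, paths through it)]) ranked by path count.

    Entry endpoints and the objective are excluded: the question is which
    intermediate foothold, once remediated, severs the most attack paths.
    """
    paths = [p for e in entries for p in all_paths(graph, e, goal)]
    counts = Counter(node for p in paths for node in p[1:-1])
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return len(paths), ranked

if __name__ == "__main__":
    total, ranked = choke_points(ATTACK_GRAPH, ["ws01", "ws02", "ws03"], "Domain Admin")
    print(f"{total} attack paths reach Domain Admin; choke points:")
    for node, n in ranked:
        print(f"  {node}: on {n}/{total} paths")
```

In the constructed graph every path converges on sql01, so hardening that one host severs all six paths, which is exactly the prioritisation the choke-point view is meant to give.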