TIBER and Red Team Testing Methodology

Threat actors are constantly developing new and more sophisticated attack techniques, and both defenses and security assessments must evolve to keep up.

In this blog we will describe Improsec’s approach to the operational and offensive IT security test methodology known as “Red Team” and briefly touch on the framework called TIBER - Threat Intelligence Based Ethical Red Team.

Red Team exercises are the most advanced element of security assessments and are suitable for all businesses who want to keep abreast of current threats. A Red Team is where you ask some of the most skilled hackers to attack your business! Why? So that you will learn of your organization’s strengths and weaknesses for you to prepare before the real adversary’s attacks!

The TIBER framework was originally created and implemented aimed at financial institutions, but the framework can be fully utilized within all sectors. The framework enhances the threat intelligence part of an offensive security test, as the framework consists of a dedicated phase of gathering threat intelligence and conducting a targeted threat intelligence assessment for the organization.

What is a red team test?

A Red Team test can be compared to a fire drill for the company’s information security organization and provides a unique opportunity for the company to test its Security Incident Response and Crises Management capabilities against a realistic cyber-attack. This provides the organization with the experience needed to react to and mitigate real cyber-attacks.

Improsec’s Red Team exercise involves the use of tactics, techniques, procedures, and tools that reflect today's advanced threats. Unlike regular vulnerability assessments, a Red Team exercise normally includes multiple attack vectors, including phishing emails, social engineering, infected websites, physical devices, physical intrusions, and the use of customized malware.

Red Team tests are normally scenario-based and will be adapted to the customer's organization and information assets. In some cases, a customer might decide to let the Red Team use every means necessary for the attack to be successful, but that is mostly for the most mature organizations out there.

The TIBER framework

The TIBER (Threat Intelligence Based Ethical Red Team) method was originally published in 2014 by the Bank of England for the purpose of stress-testing the capabilities of financial institutions to prevent, detect and respond to targeted cyber-attacks on critical functions in the sector.

In Denmark, the framework was adopted in 2018 by the Danish National Bank under the name “TIBER-DK”. The Danish version was based on guidelines from TIBER-EU published by the European Central Bank, which again is based on and developed from experience from the UK and Netherlands, which already had similar test frameworks. The UK framework is known as CBEST.

The main difference between a TIBER exercise and a normal Red Team is the dedicated focus on threat intelligence (TI). The engagements are furthermore closely followed by national authorities ensuring that the game rules set out by the governing body are followed precisely. In Denmark, the governing body is the Danish National Bank which has established a TIBER Cyber Team (TCT).

In a TIBER exercise, the test scenarios must be simulations of real-life adversaries, who would be likely to aim their attacks on the organization being tested. To identify which adversaries to simulate, a thorough and targeted threat assessment is drafted for the organization being tested. Within the threat assessment the TI-team analyses and specifies which Nation-State Actors and Organised Crime Groups would be of interest, their methods of attack, and their motivations, such as espionage, theft of intellectual property, geopolitical destabilization, monetary theft, or simply digital activism.

After completion and approval by the customer, the targeted threat intelligence report is then passed over to the Red Team. The Red Team then converts the targeted TI report to a Red Team attack plan. The plan is presented to the customers’ White Team, who are the test facilitators. When the plan is approved. The Red Team starts to build relevant infrastructure and creates malware and templates for social engineering e.g., for e-mail phishing.

A final important part of a TIBER is the high demands set out to the vendors. Both a Threat Intelligence team and a Red Team require heavy certifications and years of experience to be accredited by the governing body and by that approved to bid on the engagements.

With the governance aside, let us get down to business on the nature of these friendly hacker tests that a Red Team basically is. Let us look at how Improsec will collaborate with a customer on a test.

The following described methodology is more or less the same whether we are talking standard Red Team or a more controlled TIBER.

Initiation of the test

Before the core part of a Red Team exercise begins, Improsec and the customer’s points of contact conduct a start-up meeting. Key points discussed in the meeting:

  • The overall goals (flags) of the tests

    • Which files, information, servers, and/or customer computers that the testers should try to gain access to.

    • This is usually related to information assets that are critical to the customers' business.

     

  • Any part of the network that is excluded from the exercise

    • Parts of the network or servers that should not be part of the scope for the test.

    • This may be because the infrastructure is mission-critical and/or sensitive and must under no circumstances be interacted with by anyone without detailed knowledge of the system.

       

  • Employees excluded from the exercise

    • Personnel who should not be part of the test.

    • This may be because they have a critical position and must under no circumstances be disturbed in their work.

 

  • Contact information for points of contact at Improsec

    • The customer shall always be able to contact Improsec if there are questions or ambiguities during the exercise.

Finding the gold – the reconnaissance phase

When the flags, rules of engagement, and contact details are in place, we move over to the actual part of the test. The first phase is the reconnaissance phase.

In the reconnaissance phase, the goal is to gather information about the company's activities, customers, partners, resellers, organizational structure, and current projects. In a TIBER exercise, this phase will be known as the Threat Intelligence phase.

A passive way of gathering information on the customer would typically include information sources like company websites, press releases, newspaper articles, annual reports, social media (e.g., LinkedIn and Twitter), and search engines. In addition, Improsec searches for information about the employees to determine which users are good targets for phishing attacks. This includes information about roles in the enterprise, contact info, what projects they are involved in, and which resources they are likely to have access to. Here social media again often becomes a valuable source of information.

Improsec evaluates the technical environment in which employees operate in, an important prerequisite for carrying out a successful attack. As an example, metadata from PDF-, Excel-, and Word documents that are distributed by the business often reveal information about the operating system used, the version of the application that created the file, and the author. User manuals made publicly available can also reveal details about the technical environment.

In the reconnaissance phase, it may be appropriate to send an email with an image hosted remotely to force a web request from randomly selected employees. This is a more active way of gathering information about the target. This often provides information about the operating system, architecture, browser, and installed plugins which normally would not be publicly available and by that subject for passive information gathering.  

By gathering information about the business, employees, customers, and technologies, Improsec’s consultants can tailor the attack to the customer. The quality and quantity of information in this phase govern the likelihood of further attacks being successful.

The heat is on – the attacks begin

A common way targeted attacks are carried out today is through spear-phishing campaigns. In a spear-phishing campaign, the attacker sends specially crafted emails to preselected employees with infected attachments or links. The goal is that the recipient opens the attachments or visits the website. Improsec uses this tactic, along with including more generic phishing campaigns, as one of the attack vectors during an exercise. This gives the customer the ability to measure the employees’ awareness of security and whether a suspicious email will prod a user to notify the company’s IT or security department.

Based on information from the reconnaissance phase, and with input from the project initiation, Improsec will decide on one or more groups of employees, typically a department, which will be the target of a spear-phishing campaign. These will often be people with roles that suggest that they have access to business-critical information or persons who are otherwise privileged in the system. In this phase, Improsec creates a phishing email that is tailored to the target audience, which is designed so that the user will be interested in clicking on the link to the infected page or opening the malicious attachment.

To get an idea of what the level of corporate security is, Improsec will send multiple campaigns with varying audiences and varying targeting of the phishing text. Improsec can create phishing emails with completely random senders or make it look like the emails are coming from colleagues of the recipients.

When a user opens a malicious attachment or clicks on a malicious link Improsec’s specially crafted Trojan attempts to infect the user's computer. This Trojan is designed so that it can only talk to Improsec infrastructure, and only over an encrypted channel.

For the attack to be as realistic as possible, both for the victim and for the IT department trying to detect it, the communication will not be coming from IP (Internet Protocol) addresses associated with Improsec, but from fictitious companies and associated domains. In most cases, the attack will come from an IP address abroad with an associated .com or .NET domain, to reduce detection.

Statistics on how many employees were attacked and how many clicked the link or opened the attachment will be included in the final report. This information will be anonymized and cannot be used to identify individuals who clicked on the link or opened the attachment.

Other ways of gaining access to a customer IT environment besides e-mail-based social engineering involve identifications of internet published IT services or systems vulnerable to external attacks that can open a bridge between the external and the internal environment.

Another tactic is the supply chain risk, where Improsec simulates a compromise of a 3rd party vendor either by placing a physical device within the customer office space or by establishing a connection via a compromised 3rd party software. This way of operating can also be an element testing the physical security of the customer office buildings.

Common for the scenarios is that they can be linked back to the methodology of real-life attacks.

Foothold and impact assessment

When Improsec’s testers have gained access to a customer computer or server, the testers assume the work of gaining a situational awareness of the network. Among other things, the testers try to identify which network they are located in, what access they have, and what kind of system they can access.

Once this reconnaissance is done the testers will try and establish a foothold based on the information obtained. This often involves lateral movement in the network, which in most cases will require the testers to obtain administrator privileges, either locally or in the domain.

When continued access is secured via a foothold, the testers will identify the company's internal resources and assess the impact of the access they have achieved. The testers will note which systems can be reached, the restrictions that they are subject to in the network and whether the agreed-upon targets can be reached. All actions will be executed manually.

Detected - Incident response

An important concept in a Red Team exercise is how the organization handles a security incident. Improsec will at the start of the attack try to remain hidden, making it harder for the customer “Blue Team” to discover the intrusion.

The Blue Team is the whole of the organization defending against an attack. Some primarily larger organizations have a Security Operation Centre (a SOC) or equivalent whose key mission is to collect and analyze security event information to identify an attack. But also, other parts of the IT organization are part of the Blue Team e.g., Service Desk, Incident and Problem Management, server, workstation, and network administration, etc. down to the individual employee who receives a suspicious email and reports it via the proper channels. Some organizations will have part of the Blue Team outsourced to an external managed security service provider, and some will have a very limited Blue Team. If no structured monitoring of security events is implemented the organization should consider if a Red Team test is the right way to spend its money.

But back to the test. If the attack is not stopped, the testers start to generate more noise through increased activity and less complex attacks, allowing the blue team to detect the ongoing attack. When the attack is detected, the goal for the company is to handle the attack as quickly as possible. The company needs to note what was needed for the attack to be detected, what worked, and what did not work during the incident response.

The view on this matter seen from the attacker’s side will be documented in the final report from Improsec.

Blended collaboration - Purple teaming

As earlier described, the core purpose of a Red Team is to mimic the real-life threat actors, which means, that the Red Team will try to stay hidden and undetected as long as possible while they try to achieve the aggreged flags.

But sometimes a different approach is needed. Either because the blue team has detected the attack and is acting on such high alert that further attacks are pointless. Or that the Red Team has achieved most or all flags, making further covert attacks pointless.

In such a situation, purple teaming can be the solution. Purple teaming is when red and blue work together – a “color mix” hence the name.  When switching to a purple team, the Red Team will communicate further attack actions so that the blue team can monitor their security tools for signs of prevention and detection. The teams can have an open dialogue on how the organization can strengthen its defenses and have live correspondence with real hackers.

From the Red Team side, it's possible to continue the test without being blocked, so that all corners of the infrastructure can be tested out thoroughly if the attacks initially were detected. And the Red Team can assist the blue team with optimizing detection rules and playbooks for incident response.

All in all, the purple teaming mode is a possibility for the organization to get the most out of a Red Team or TIBER engagement whether dealing with a mature security organization or a less mature one.

Documentation

After the Red Team exercise is carried out, Improsec drafts a report that the customer may use to deal with the weaknesses that have been uncovered. Such a report is twofold – a high-level overview that will provide management insights and information about the company's risk level, and a technical part dealing with the low-level weaknesses and defense mechanisms.

The part of the report that is targeted at the management level includes a summary of the exercise conclusion and an analysis of the results. This includes an evaluation of the customer regarding information security, detection, and response capability. The evaluation will be based on the result of the test as well as Improsec’s general and industry-specific experience. It can be used as an overview of the major areas for improvement and to measure changes over time the next time the exercise is carried out.

The technical section of the report describes the campaigns that were executed, methodologies, what was achieved, and our recommendations on what measures should be taken to increase corporate security. This report is intended as a working document for the personnel that is tasked to rectify the weaknesses, but it is also intended as a training tool for identifying, discussing, and describing in detail the weaknesses. This forms a good basis for the customer to not only rectify the weaknesses but also to address why the weakness was introduced to the system.

Security standards and compliance

Security, penetration tests, and Red Team exercises are most often used as a means to uncover technical weaknesses, but they can also be used to validate compliance with various security standards and demands. Examples are:

  • Compliance audits and checks of configurations.

  • Compliance with the company’s internal security policies.

  • The security awareness of the employees.

  • The company’s ability to discover and deal with security incidents.

 

Examples of regulative requirements, security standards, and frameworks that can be used to check for compliance are ISO 27001/2, PCI (Payment Card Industry) DSS, NIST (National Institute for Standards and Technologies), Critical Security Controls (CIS CSC), CMMC (Cybersecurity Maturity Model Certification) and of cause TIBER and CBEST.

The execution of  Red Team exercises and the reporting of findings are linked to standard frameworks.

Improsec’s testing methodology is based on the following standards:  

  • NIST SP800-115 Technical guide to Information Security Testing and Assessment

  • ISECOM OSSTMM - Open-Source Security Testing Methodology Manual

  • OWASP Testing Guide / OWASP ASVS (Application Security Verification Standard)

  • PTES - Penetration Testing Execution Standard

  • PCI Penetration Testing Guidance

 

In addition to experience, and information security best practices.

Discover more

To read more on Improsec Security Test services please go to our website service catalog

Services Overview — Improsec | improving security

 

A few selected services can be found here:

 TIBER-DK/EU Red Team Test — Improsec | improving security

 Internal Penetration Test (Assume Breach) — Improsec | improving security

 Ekstern Penetrationstest — Improsec | improving security

 

Feel free to reach out to Business Development Manager Aein Jebelli with any questions. aje@improsec.com