This document discusses PwC's red team assessment services. It provides an overview of the concept and purpose of red team assessments which is to conduct comprehensive security testing from the perspective of malicious threats to understand an organization's security posture. It then outlines the types of threat actors, various threat vectors like social engineering, network and application attacks, and physical intrusion that are evaluated. Finally, it describes PwC's methodology and services for conducting red team assessments.

Red Team Assessment

PwC India
October 2019
Table of Contents
Section 1
Red Team Assessment- Concept & Purpose

Section 2
Who are the threat actors?

Section 3
What are the threat vectors?

Section 4
Global cyber incidents

Section 5
Our Services

Section 6
Approach & Methodology

Section 1: Red Team Assessment – Concept & Purpose
Red Team Assessment
• A Red Team Assessment is an amalgamated and comprehensive attack assessment which covers various threat vectors related to physical security, social engineering, application penetration testing, and both internal and external network penetration testing.
• The purpose of a full-fledged red team assessment is to reveal the opportunities available to malicious hackers, disgruntled employees and other bad actors, and to give a realistic view and understanding of an organization's people, technology and processes under test.
• A Red Team Assessment is a fully attack-driven approach using various Tools, Techniques and Procedures (TTPs), in which every aspect of People, Process and Technology is technically assessed to gather a comprehensive insight into the organization's current security posture.

The assessment has three focus areas:
• Awareness: assessing people's awareness by conducting attack-oriented social engineering activity.
• Assessment: assessing the security posture of the organization by exploiting the flaws in its various security controls.
• Management: assessing the security implementation processes, such as the patch management and vulnerability management processes.

Red Team Assessment Services October 2019


Who are the threat actors?
• Script Kiddies: not skilled hackers, but they perform malicious activities for fun without understanding the consequences.
• Third Party Vendors / Guests: driven by a malicious intention of damaging the company, or by financial gain.
• State Sponsored Hackers: well-funded and government-backed threat actors who perform malicious activities on behalf of the sponsoring governments or individuals.
• Hackers / Hacktivists: attackers with genuine or malicious intentions of compromising the organization.
• Disgruntled Employees: motivated by dissatisfaction, frustration, financial gain, etc.

What are the various threat vectors?

External Applications
Threat vectors: OWASP Top 10 attacks; network intrusion by compromising external IPs; external Denial of Service attacks.
Objectives:
• Identify whether the Internet-facing applications are vulnerable to the OWASP Top 10 vulnerabilities.
• Perform penetration testing, gain access to vulnerable systems, and move laterally into the banking network.
• Perform an external DDoS attack on selected applications and study the response mechanism.

Internal
Threat vectors: network intrusion attempts; compromising hosts and stealing sensitive information; internal DoS attacks; bypassing workstation security (AV & HIDS).
Objectives:
• Intrude and attack the internal network from chosen locations.
• Bypass the existing antivirus and host intrusion detection system (HIDS) and gain access to computer systems to obtain sensitive information.
• Perform an internal DoS attack from compromised internal systems.
• Exploit vulnerable systems, move laterally and gain enterprise admin account credentials.

Malware & Wireless attacks
Threat vectors: malicious USB drop; macro and malware via e-mail; rogue access point; wireless network intrusion attempt.
Objectives:
• Gain access to systems by inserting pen drives containing malware.
• Send phishing emails with malicious attachments.
• Create a rogue access point and harvest passwords.
• Bypass the wireless security controls and gain access to the organization's network.

Social Engineering
Threat vectors: phishing; vishing; pretexting; dumpster diving.
Objectives:
• Send phishing emails to selected key personnel or to employees en masse, and identify the users who are vulnerable to phishing emails.
• Make vishing calls to selected users and gather sensitive information from them.
• Make pretexting calls to teams and gather sensitive information such as passwords.
• Perform dumpster diving and gather sensitive information.

What are the various threat vectors? (continued)

Physical intrusion
Threat vectors: physical security breach; tailgating; war driving and war chalking; impersonating an employee.
Objectives:
• The threat actor gains unauthorized physical entry to the company premises by bypassing the existing security controls.
• The threat actor gains unauthorized entry into critical departments such as data centres, the research & development unit, critical laboratories, etc. to obtain sensitive data.
• The threat actor searches for an available or displayed Wi-Fi connection and performs malicious activities over it.

Illustrative Field Activities
Wireless Network Intrusion, USB Drop, Custom Malware, Dumpster Diving, Phishing, Physical Intrusion, Vishing, Pretexting, Social Engineering, DoS/DDoS attack.

How do attackers gain access to our systems?
Below is an illustration of a high-level attack kill chain in which a potential threat actor gains access to systems by skilfully compromising them without our knowledge.

Stages, left to right in the original diagram: External Recon → Compromised System → Internal Recon → Local Privilege Escalation → Domain Dominance (Domain Admin Creds) → Asset Access → Exfiltration.

• Reconnaissance: the threat actor performs initial intelligence gathering using various TTPs to gather information related to applications, mail addresses, server configurations, etc.
• Exploitation: the threat actor compromises an identified vulnerable system by exploiting its hosted services, sending malicious emails, etc.
• Internal recon and privilege escalation: the threat actor performs internal recon by mapping the internal domain and elevates the current privilege.
• Compromise credentials: after local privilege escalation, the threat actor gathers the cached credentials from system memory.
• Remote code execution: the threat actor performs remote code execution on the servers and systems that can be accessed with the compromised credentials.
• Low-privilege lateral movement cycle: the compromise-credentials and remote-code-execution steps repeat with low-privileged accounts until privilege escalation reaches a higher-privileged account.
• Admin recon: using the compromised credentials, the threat actor hunts for high-privileged accounts.
• High-privilege lateral movement cycle: the threat actor uses the gathered credentials to perform reconnaissance of critical assets and accesses them with the high-privileged accounts.
• Compromise domain: the threat actor gathers Domain Administrator credentials and gains fully privileged access to the internal domain.
• Access to crown jewels and exfiltration: the threat actor gains access to critical assets such as domain controllers, Exchange servers, file servers and critical infrastructure, and successfully exfiltrates sensitive data.
Global Cyber Attacks

How can PwC help?
Pillars driving a meaningful assessment for an organization

1. Offensive Security Mind-set
In the modern cyber threat landscape, malicious attackers are constantly trying to get into your systems. It is therefore important to understand how cyber attackers work in order to defend against them effectively. At PwC, we invest time and effort to understand and emulate how real attackers work. Our ethical hackers are passionate about offensive hacking methodologies that simulate what real attackers use.

2. Deep understanding of security in various industries
Your advisor will provide you with greater value if they understand your business and industry environment, culture, and operations.
• We know various industry operations, systems, and leading practices, and have extensive experience and expertise in red team and penetration testing services, privacy and security, breach notification, and incident response planning.
• We have developed proprietary assessment tools, templates, and project documents that accelerate progress in many of the areas in scope and reduce effort and fees.

3. Cyber Attack Simulation
PwC has a comprehensive, tailored and well-refined approach to conducting cyber attack simulations:
• Testing is performed in a stealthy fashion that mimics real threat actors. We can adjust our testing to meet your needs and test the effectiveness of your team's incident response capabilities.
• Intelligent attacks leverage configuration errors and exploit business logic flaws, rather than one-click "zero-day" exploits. Automated tools and exploits will not identify business logic flaws in applications that may result in the exposure of sensitive data in your organization.
• We understand the "big picture" (root causes) and convey this in our work. Technical changes to remediate security findings are only a small piece of the overall puzzle. We identify the root cause of each finding, typically associated with people, processes, or technology, to help prevent similar findings in the future.

Our Services

• Social Engineering activities: our team mimics real-world threat actors to perform social engineering assessments such as phishing, spear phishing, vishing and employee impersonation, in order to assess people's awareness of security.
• Intelligence Gathering: our team uses various OSINT tools to perform real-world intelligence gathering, identifying sensitive data such as email addresses, web server technology, company domains and sub-domains.
• Internal Infrastructure Assessment: our team assesses the internal IT infrastructure using various TTPs to compromise the internal IT domain and gain access to crown jewels such as Exchange servers, internal applications and domain controllers.
• External Assessment: testing of the externally facing systems identified during the planning phase. Identified vulnerabilities are exploited in order to gain access to sensitive data and the internal network.
• Malware / Backdoor
• Rogue Device Deployment: the PwC team attempts to physically breach the organization's security controls and deploy a custom device that gives access to the internal IT network, then accesses the device from the Internet.
• Phishing / Spear Phishing attacks: using data gathered from reconnaissance, multiple employees or key personnel are targeted with a tailored email designed to lure them into disclosing credentials or executing a malicious file, to gain an initial foothold or sensitive information.
• USB Baiting: malicious USB drives are left around the employees' workspace as bait; when connected to domain systems they execute malicious code and give access to the systems.
• Physical Security Breach Assessment: attempt to bypass physical security controls by tailgating, RFID cloning, etc. within premises such as data centers and offices, posing as different threat actors, in order to implant devices on the network and gain access to systems.
Section 2: Our Approach
Our Approach

1. Planning & Scoping: perform footprinting of the company's external network presence to gain an understanding of the externally facing websites and resources from which intelligence can be gathered.
2. Threat Vector Analysis: gather information from Open Source Intelligence (OSINT). With these details, we determine the viable attacks that real threat actors would use to breach the company.
3. Threat Actor: posing as various threat actors, testing is performed based on multiple tools, techniques and procedures. With this approach, the attempts real threat actors would make to breach the company are assessed.
4. Testing Approach Setup: a range of techniques is used to craft a customized attack scenario in line with the MoE requirements. The techniques designed are used to replicate the modus operandi of real-world attackers.
5. Intrusion & Exfiltration: survey testing to identify target systems and weaknesses; establish a foothold by compromising systems and moving laterally; escalate privileges and gain access to sensitive data and systems.
6. Exposure Analysis: gather evidence for the information identified and the access gained; determine the root cause and the business impact if the breaches were achieved in a similar manner by a real attacker.
7. Observation & Reporting: create a draft report with detailed observations, recommendations and risks; finalize the report and support internal communication.

High Level Attack Scenarios

• Web applications (WWW): the adversary performs intrusive malicious scans on hosted applications to exploit them and gain access to the internal network, targeting the crown jewels.
• Physical breach: the adversary bypasses the physical security controls and performs malicious activities such as USB drops, rogue device deployment and shoulder surfing.
• Phishing: the adversary sends a customized email with malicious attachments or links to lure the end user, and gains sensitive information, access to systems, etc.
• Malware infections: the adversary drops malware that infects the internal systems and gathers sensitive data to exfiltrate to an externally hosted C&C server, or encrypts the data.

Elements of the original diagram: Internet, Attacker, Web Applications, Compromise External Services, Lateral Movement, Servers and Workstations, Confidential Data, Access to Building, Data Centre, Physical Security Breaches, Compromise Endpoints and User Credentials, Insider Threat, Critical Infrastructure, Organization Infrastructure, Access to Crown Jewels.
Key Use Cases: Physical Security Breach

• Physical intrusion: tailgating and ID cloning to breach into critical areas for confidential information.
• Confidential documents: dumpster diving.
• War chalking, war walking and evil-twin Wi-Fi to harvest credentials.
• Password harvesting through social engineering.
• Desktop and shoulder surfing for data.
• USB drop to breach systems / malware drop.

Key Use Cases: Phishing

The original slide is a diagram of the path a phishing email takes: Attacker → Phishing Email → Email Filtering (Anti-Virus/Spam) → Firewall → Proxy, IPS/IDS → Compromised User. "Sensitive Data" is shown at both the attacker's and the compromised user's end of the path.

Methodology

Phase: Intelligence Gathering (External)
• Scenario: passive reconnaissance on the external footprint of the domain infrastructure. Approach: identify the relevant infrastructure information available on the public Internet.
• Scenario: active reconnaissance on the external environment of the infrastructure. Approach: perform active queries such as DNS zone transfer, subdomain brute force and nmap scans to identify information about the external infrastructure of the domain.

Phase: Intelligence Gathering (Internal)
• Scenario: identifying the internal network range. Approach: plug a non-domain laptop into the network and run nslookup and Responder, ping the gateway, enumerate internal ports, the domain controllers (DCs) and DNS, and attempt a DNS zone transfer.
• Scenario: identification of common ports and services. Approach: initiate nmap scans for the top common ports such as 8000, 8080, 8009, 445, 3200-3299, etc. and analyse the scan results in order to identify the various services.

Phase: Vulnerability Analysis
• Scenario: identification of vulnerable services. Approach: import the scan results into the Metasploit database and use various auxiliary modules to identify exploitable systems running Tomcat, Jenkins, JBoss, etc.

Phase: Exploitation
• Scenario: attempt to exploit vulnerable services. Approach: attempt brute force, weak password cracking and vulnerable service exploitation to gain a foothold on the network, and attempt to compromise credentials on the accessed computers using memory dumping techniques.
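As an added example (not part of the PwC deck), the following Python script shows the triage step between the common-port nmap sweep and the Vulnerability Analysis phase: it parses nmap's grepable (-oG) output for the ports listed above and flags the open services whose banner matches Tomcat, Jenkins, JBoss/AJP or SMB, so the tester knows which hosts to feed to the Metasploit auxiliary modules first. The scan text is constructed for the example; the host names and addresses are assumptions.

```python
import re

# Ports from the methodology's common-port sweep; the 3200-3299 block is
# expanded the way nmap expands a port range (SAP dispatcher ports).
SWEEP_PORTS = {8000, 8080, 8009, 445} | set(range(3200, 3300))

# Substrings of nmap's service/version text that the Vulnerability Analysis
# phase follows up on: Tomcat, Jenkins, JBoss and its AJP connector, SMB.
FOLLOW_UP = ("tomcat", "jenkins", "jboss", "ajp13", "microsoft-ds")

# Constructed sample of nmap grepable (-oG) output for this example; not a
# real scan. Host names and addresses are assumptions.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Fri Oct 11 10:00:00 2019 as: nmap -sV -p 8000,8080,8009,445,3200-3299 -oA sweep 10.10.10.0/24
Host: 10.10.10.5 (build01.corp.local)\tStatus: Up
Host: 10.10.10.5 (build01.corp.local)\tPorts: 8080/open/tcp//http//Jetty 9.4.z-SNAPSHOT (Jenkins 2.190)/, 445/closed/tcp//microsoft-ds///\tIgnored State: filtered (101)
Host: 10.10.10.7 (app01.corp.local)\tStatus: Up
Host: 10.10.10.7 (app01.corp.local)\tPorts: 8009/open/tcp//ajp13//Apache Jserv (Protocol v1.3)/, 8080/open/tcp//http//Apache Tomcat 8.5.23/\tIgnored State: closed (101)
Host: 10.10.10.9 (fs01.corp.local)\tStatus: Up
Host: 10.10.10.9 (fs01.corp.local)\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2012 R2 Standard 9600 microsoft-ds/, 8000/open/tcp//http-alt?///\tIgnored State: closed (101)
# Nmap done at Fri Oct 11 10:02:11 2019 -- 256 IP addresses (3 hosts up) scanned in 131.20 seconds
"""

# "Host: <ip> (<rdns>)<TAB><fields...>"; rdns may be empty.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\t(.*)$")


def parse_gnmap(text):
    """Parse grepable nmap output into {ip: {"hostname": str, "ports": [...]}}.

    Each port entry is (port, state, proto, service, version). Nmap writes
    '|' in place of any '/' inside the version string, so splitting each
    port record on '/' is safe.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # '# Nmap ...' comment lines
        ip, hostname, fields = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in fields.split("\t"):
            if not field.startswith("Ports: "):
                continue  # 'Status: Up' / 'Ignored State: ...' carry no ports
            for item in field[len("Ports: "):].split(", "):
                parts = item.split("/")
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                entry["ports"].append((int(port), state, proto, service, version))
    return hosts


def triage(hosts):
    """Return the open ports worth following up, as
    (ip, hostname, port, service, version, reason) tuples.

    A fingerprint match is reported by name; an open sweep port with no
    usable banner is still listed so it is not silently dropped.
    """
    findings = []
    for ip, info in sorted(hosts.items()):
        for port, state, _proto, service, version in info["ports"]:
            if state != "open":
                continue
            banner = f"{service} {version}".lower()
            matched = [name for name in FOLLOW_UP if name in banner]
            if matched:
                reason = "follow up: " + ", ".join(matched)
            elif port in SWEEP_PORTS:
                reason = "open sweep port, service not fingerprinted"
            else:
                continue
            findings.append((ip, info["hostname"], port, service, version, reason))
    return findings


if __name__ == "__main__":
    for ip, name, port, service, version, reason in triage(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip:<12} {name:<20} {port:>5}/tcp {service:<13} {version or '-':<45} {reason}")
```

Run the sweep with -sV so the version field is populated, and with -oA so that the XML file Metasploit's db_import expects is written alongside the grepable one; this script is only a pre-filter and does not replace the auxiliary modules the table refers to. An unfingerprinted open port (the "http-alt?" entry above) is kept on the list deliberately: a service nmap cannot name is exactly the kind of thing a manual check should look at.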
Methodology (continued)

Phase: Post Exploitation (Discovery)
• Scenario: identification of privileged user accounts, user sessions, computers, network segments, zones, critical users and critical user groups. Approach: use custom PowerShell scripts and tools such as PowerSploit to gather information from Active Directory and plan attacks on it.

Phase: Post Exploitation (Lateral Movement)
• Scenario: use the identified paths of compromise to target critical users and groups. Approach: use exploitation tools for lateral movement within the environment with the compromised credentials.

Phase: Post Exploitation (Pillaging)
• Scenario: use compromised credentials to access critical applications. Approach: use the compromised credentials to access critical applications, e.g. SharePoint, Citrix, Exchange, etc.
