Resources: Penetration Testing
Web3 Red Team Assessment
While the blockchain may be decentralized, enterprises which act as investment vehicles or project champions are hosted on and managed by enterprise computing infrastructure. Blockchain projects developed, distributed, and supported by corporations frequently require enterprise networks to organize work, communicate, and provide authentication/authorization.
A red team exercise simulates a sophisticated threat actor attacking an enterprise under real-world conditions. Rather than exhaustively uncover vulnerabilities, a red team measures the organization’s ability to detect and prevent an attack from succeeding in the first place. Red Teams determine how difficult it is to compromise the enterprise network, and how such a compromise might impact the security of the blockchain project or product.
A red team exercise should test the following enterprise security controls, and should include the attack phases described below (based on the well-known MITRE ATT&CK framework):
- Employee security training
- Network security monitoring services
- Security Operations Center (SOC) response
- Anti-Phishing software
- Endpoint Detection and Response (EDR) software
- Antivirus software
- Enterprise computing security policies
Initial access is how the red team gains its foothold on your internal network. This typically means spear phishing with a custom malware payload and custom command-and-control infrastructure. Simple phishing tests that measure “click rate”, or even directing users to a fake login portal to capture credentials, are not realistic tests of obtaining the remote foothold on the network that an attacker needs. “Assumed breach” red teams that do not include spear phishing can be used in some cases to reduce costs, but assumed-breach tests often tell a less effective story and spur less improvement in the client’s security program because they do not prove an attacker could breach the perimeter.
Sophisticated threat actors have the means to evade the latest security controls, and the red team performing the exercise should be able to as well. These controls include endpoint detection and response (EDR) software, antivirus (AV) software, email security gateways, and web proxy filtering software. This requires that the red team have a research and development capability to develop payloads, lateral movement techniques, persistence techniques, privilege escalation techniques, and command-and-control (C2) infrastructure that can evade detection.
After gaining remote access to the phishing victim’s workstation, the attacker must obtain persistence on that system to be able to maintain access in case the victim reboots. Simple techniques such as writing to a registry key or the startup folder will be flagged by EDR software, so a defense evasion strategy for persistence is required.
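The paragraph above says that writing to an autorun registry key or the Startup folder is the kind of persistence EDR is expected to flag. As an added example (not code from the original page or from the assessment provider), here is the defender's side of that statement: a small detector that runs over Sysmon-style events and raises a finding for registry Run/RunOnce value writes (Event ID 13) and file drops into a Startup folder (Event ID 11), mapped to ATT&CK T1547.001. The event records, the pattern lists and the installer allowlist are constructed for this example and are assumptions, not any vendor's detection content.

```python
"""Detect Windows autostart persistence (ATT&CK T1547.001) in Sysmon-style
telemetry: autorun registry value writes and Startup-folder file creation.

Everything below (events, patterns, allowlist) is constructed for this example.
"""
from collections import defaultdict
import fnmatch

# Registry locations that launch a program at logon.
# Sysmon Event ID 13 ("RegistryEvent Value Set") reports the written value in TargetObject.
AUTORUN_KEY_PATTERNS = (
    "*\\software\\microsoft\\windows\\currentversion\\run\\*",
    "*\\software\\microsoft\\windows\\currentversion\\runonce\\*",
    "*\\software\\microsoft\\windows nt\\currentversion\\winlogon\\*",
)
# Per-user and all-users Startup folders.
# Sysmon Event ID 11 ("FileCreate") reports the new file in TargetFilename.
STARTUP_DIR_PATTERNS = (
    "*\\microsoft\\windows\\start menu\\programs\\startup\\*",
)
# Hypothetical allowlist: installers that legitimately register autostart entries.
# Tune this per environment; an empty set is the safest starting point.
ALLOWLISTED_IMAGES = {
    "c:\\windows\\system32\\msiexec.exe",
}
TECHNIQUE = "T1547.001"  # Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder


def _matches(value, patterns):
    """Case-insensitive glob match of a registry or file path against a pattern list."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p) for p in patterns)


def evaluate_event(event):
    """Return a finding dict for one event, or None if it is not persistence-related."""
    image = event.get("Image", "").lower()
    if image in ALLOWLISTED_IMAGES:
        return None
    eid = event.get("EventID")
    if eid == 13 and _matches(event.get("TargetObject", ""), AUTORUN_KEY_PATTERNS):
        return {"kind": "registry_autorun", "technique": TECHNIQUE, "image": image,
                "target": event["TargetObject"], "payload": event.get("Details", "")}
    if eid == 11 and _matches(event.get("TargetFilename", ""), STARTUP_DIR_PATTERNS):
        return {"kind": "startup_folder", "technique": TECHNIQUE, "image": image,
                "target": event["TargetFilename"], "payload": ""}
    return None


def detect_persistence(events):
    """Run every event through the rules and keep the hits."""
    return [f for f in map(evaluate_event, events) if f]


def findings_by_image(findings):
    """Group findings by the writing process. One process touching several
    autostart mechanisms is a stronger signal than a single write."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["image"]].append(f["kind"])
    return dict(grouped)


# Constructed sample telemetry: one suspicious process from a user's Temp folder,
# one legitimate installer, and two unrelated events.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"},
    {"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\helper.lnk"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "C:\\Program Files\\Vendor\\agent.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    hits = detect_persistence(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['technique']}] {h['kind']}: {h['image']} -> {h['target']}")
    print(findings_by_image(hits))
```

On the constructed events this reports two findings, both from the Temp-folder process, and groups them under that single image; the installer's Run entry is suppressed by the allowlist and the other events do not match. In practice the allowlist is where most tuning happens, and the grouping step is what lets an analyst see "one unsigned process used two autostart mechanisms" rather than two unrelated alerts.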
The attacker’s next step is likely to explore the internal network, looking for information that could help with privilege escalation or lead to the attacker’s final objective. This discovery often includes querying Active Directory, internal web portals such as SharePoint or wikis, internal code repositories such as GitLab, and network shares.
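Discovery against network shares, as described above, tends to look different from normal use: one account touches many distinct shares in a short window. As an added example (not code from the original page or from the assessment provider), the following sliding-window detector runs over constructed Windows Security Event 5140 records ("A network share object was accessed") and raises one alert per account/source pair that reaches a threshold of distinct shares within the window. The threshold, window and sample events are assumptions chosen for illustration.

```python
"""Flag share enumeration (many distinct shares from one account in a short
window) in Windows Security Event 5140 style records.

The records and thresholds below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# IPC$ is touched by almost every SMB session and would dominate the count.
IGNORED_SHARES = {"\\\\*\\IPC$"}


def detect_share_enumeration(events, threshold=5, window_seconds=120):
    """Return one alert per (user, source IP) that accessed at least `threshold`
    distinct shares inside any `window_seconds` interval."""
    by_actor = defaultdict(list)
    for e in events:
        if e["ShareName"] in IGNORED_SHARES:
            continue
        by_actor[(e["SubjectUserName"], e["IpAddress"])].append(e)

    alerts = []
    for (user, ip), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()  # events inside the current window, oldest first
        for e in evs:
            recent.append(e)
            cutoff = e["ts"] - timedelta(seconds=window_seconds)
            while recent and recent[0]["ts"] < cutoff:
                recent.popleft()
            shares = {x["ShareName"] for x in recent}
            if len(shares) >= threshold:
                alerts.append({"user": user, "ip": ip, "distinct_shares": len(shares),
                               "first": recent[0]["ts"], "last": e["ts"]})
                break  # one alert per actor is enough; the analyst pulls the rest
    return alerts


def _ev(user, ip, share, hhmmss):
    """Build one constructed 5140-style record with a timestamp on 2024-01-01."""
    return {"SubjectUserName": user, "IpAddress": ip, "ShareName": share,
            "ts": datetime.strptime(f"2024-01-01 {hhmmss}", "%Y-%m-%d %H:%M:%S")}


# Constructed sample: alice walks six shares in about a minute; bob reopens
# the same share three times over ten minutes, which is ordinary use.
SAMPLE_EVENTS = [
    _ev("alice", "10.0.0.5", "\\\\*\\IPC$", "09:00:00"),
    _ev("alice", "10.0.0.5", "\\\\*\\finance", "09:00:05"),
    _ev("alice", "10.0.0.5", "\\\\*\\hr", "09:00:12"),
    _ev("alice", "10.0.0.5", "\\\\*\\it", "09:00:20"),
    _ev("alice", "10.0.0.5", "\\\\*\\legal", "09:00:31"),
    _ev("alice", "10.0.0.5", "\\\\*\\eng", "09:00:44"),
    _ev("alice", "10.0.0.5", "\\\\*\\backup", "09:01:02"),
    _ev("bob", "10.0.0.9", "\\\\*\\eng", "09:00:00"),
    _ev("bob", "10.0.0.9", "\\\\*\\eng", "09:04:00"),
    _ev("bob", "10.0.0.9", "\\\\*\\eng", "09:10:00"),
]

if __name__ == "__main__":
    for a in detect_share_enumeration(SAMPLE_EVENTS):
        print(f"{a['user']}@{a['ip']}: {a['distinct_shares']} shares "
              f"between {a['first'].time()} and {a['last'].time()}")
```

On the sample data only alice is reported, at the moment her fifth distinct share is opened; bob never exceeds one distinct share. The same shape of rule (actor, distinct-target count, sliding window) carries over to LDAP query volume against Active Directory or to repository listing in an internal GitLab, with the field names swapped for that log source.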
To achieve his objective, it is likely that an attacker will need to escalate privileges. This could be performed through default passwords, exposed passwords or password hashes, web application vulnerabilities, unpatched systems, and more.
With a newly acquired privileged account, the attacker will attempt to gain access to the system that contains the information he wants, or a system that gets him closer to that goal. Sometimes, multiple rounds of discovery, privilege escalation, and lateral movement must be performed to reach the goal. Lateral movement techniques must evade EDR detection.
To maximize the impact of the red team exercise and help drive improvement in the client’s security program, an objective should be selected that has a business-level impact. For example, gaining sufficient access to steal cryptocurrency is a business-level impact because one does not have to be technical to understand the impact. Conversely, obtaining “domain administrator” privileges should not be the final objective because a real adversary would not conclude its attack at this point. Privilege escalation is a means to an end, but not the end itself. Other example objectives include the following:
- Access to conduct a fraudulent cryptocurrency transaction
- Control of the file storage where NFTs are stored
- Access to users’ Know Your Customer (KYC) data and personally identifiable information (PII)
- Access to users’ bank account or credit card information
- Ability to mint new tokens