How to Improve Red Team Effectiveness using Obfuscation
Setting up an obfuscated network in the cloud gives a red team the flexibility to test security against different cloud vendors
In the cybersecurity field, red teams are unsung heroes. These are the “ethical hackers” or white hats that test an organization’s defenses by staging controlled attacks that simulate a real-life breach. This kind of penetration testing can yield invaluable information to help the defensive “blue teams” build defenses to protect the system before an attack happens.
For red teams to do their work, they need to operate in the most realistic way possible, the better to spot the vulnerabilities that could put your network’s security in danger. Yet, at the same time, the testing procedure needs to protect the system so the pen testing itself doesn’t end up accidentally crippling operations. This is where obfuscation comes in.
What is Obfuscation
At its most basic, obfuscation is camouflage, making things look like something else. In cybersecurity, it’s making data and code look unlike themselves.
Attackers use obfuscation to conceal their tracks and data that is being exfiltrated. Defenders can use it too; to protect intellectual property or hide IP addresses or network identities that could expose the system to attack. Obfuscation using VPNs, browser plug-ins and virtual desktops is an effective way to reduce attack surface, making it harder for bad guys to target networks and slowing down their lateral moves.
For red teams, using an obfuscated network for testing offers the advantage of hiding who is performing the attack and where it is originating, for a more real-life context. It lets the red team blend in with the normal network traffic while performing reconnaissance and test attacks in a more realistic manner.
How it helps red teams
As cybercriminals keep developing ever more sophisticated attack tactics, techniques and procedures (TTPs), it’s important for red teams to keep pace in their simulations. A thorough red-team exercise can last weeks or even months—just as attackers can operate undetected in your network before they are found or assert their demands. Obfuscation allows pen testing to appear as benign activity, much like a criminal would want their own lateral moves to appear, to give defenders a real-time exercise and a wide range of observations from inside the network.
By using Software-Defined Networking (SDN) to build a virtual network, the red team can shift traffic dynamically across multiple network providers, making it nearly impossible to track their location, identity or user information. Redirectors can mask the control and command (C2) infrastructure of the red team by routing traffic between the system being tested and the team’s main server housing the infrastructure orchestrating the attack. That way, if the blue team spots malicious traffic and is able to identify and block the IP address, the red team can just deploy another redirector and continue its work.
Dumb-pipe redirectors are just what they sound like: a server in the middle of the flow, meant to hide the C2 server. They’re easy to set up, but have no control over the incoming traffic. On the other hand, filtration, or smart redirection, lets the red team drop incoming packets before they reach the C2 server or reroute them to another, legitimate website.
Along with redirection, beaconing is another valuable tool for red teams. Attackers use beacons to exfiltrate data or to communicate with a C2 server to get instructions on which commands to execute. For red teams, beaconing serves a similar purpose; the beacon lets the team get progress reports while reducing the risk of the attack in progress being detected by the blue team. The beacons can be configured to report back on intervals of minutes, hours or even days, depending on the expected duration of the attack. They can also be configured to delete when a machine reboots, which makes them harder to detect by the blue team.
Setting up an obfuscated network in the cloud also gives a red team the flexibility to test security against different cloud vendors. With companies now operating in multicloud environments, defenders need to see how attackers can exploit different cloud provider security controls.
Obfuscation can be a useful tool for red teams, just as it works for attackers. As cybercriminals continue to evolve their tactics, adopting their tools for the use of red teams is only fair play. With red teams running more realistic pen testing, blue teams’ defenses can only get better.
Related: Randori Arms Red Teams With New Automated Attack Platform