As companies scramble for a way to keep from being the next Sony, they’ve started to search for ways to simulate the sophisticated attackers they now face. Organizations that have started to adopt an “assume breach” mentality understand that it’s not a matter if they’re compromised by these advanced adversaries, but when. Red team engagements allow an organization to better exercise their technical, process, and personnel defenses, but much of this advanced tradecraft has been historically restricted to teams with large budgets and timeframes.
Our approach is to help push down some of this advanced tradecraft, so testers can utilize these powerful tactics in assessments of all types. This presentation will cover our view of the “assume breach” mentality, and the approach for our red team operations. We will then trace through several areas where we’ve made efforts in bringing advanced tradecraft to even constrained engagements. We’ll cover privilege escalation, user hunting, domain trust abuse, persistence, and data mining, along with the tools and techniques we’ve developed to help with these tasks. Adversarial tradecraft isn’t just for red teams any more.