Attack Infrastructure: Red Teams vs. Malicious Actors

Setting up attack infrastructure is an important task performed by Red Teamers and malicious adversaries alike. This week, we chat with Joe Slowik, Senior Security Researcher at DomainTools, about the differences between Red Team and malicious adversary setups. Joe spends significant research and development time performing external threat hunting against adversary infrastructure. On the other hand, I spend a lot of time working with SCYTHE customers to ensure they are setting up the SCYTHE platform following operational security best practices. In this post, we cover the similarities and differences between Red Teams and malicious actors setting up their attack infrastructure.

Joe writes a lot about adversary infrastructure; check out his posts. The post that got us thinking about this is “Extrapolating Adversary Intent Through Infrastructure”. In that post, Joe investigates all the components that go into acquiring a domain, as shown in Figure 1.

Figure 1: Domain Names have multiple components

MITRE ATT&CK Mapping

As usual, we like mapping all our Red Team tradecraft to MITRE ATT&CK. With the October 2020 release, PRE-ATT&CK has been merged into ATT&CK and we have two new tactics: Reconnaissance and Resource Development. For this post, we focus on the following techniques and sub-techniques in the Resource Development tactic:

  • Acquire Infrastructure: Domains (T1583.001)
  • Acquire Infrastructure: DNS Server (T1583.002)
  • Acquire Infrastructure: Virtual Private Server (T1583.003)
  • Acquire Infrastructure: Server (T1583.004)
  • Develop Capabilities: Digital Certificates (T1587.003)
  • Compromise Infrastructure (T1584)

Attack Infrastructure

Red Teamers and malicious actors need time to set up their attack infrastructure, because each component has to be acquired and, in many cases, has to build up a reputation before it is useful. Red Teamers have been outspoken about automation steps taken to speed up this process, but some items just require time (e.g. TLS certificates). Below we break down some of the steps required to set up attack infrastructure while following operational security best practices.

Acquire Infrastructure: Domains

Many organizations block direct IP address access to the Internet. Where direct IP address access is allowed, such connections are easy outliers for defenders to catch. Therefore, domain names need to be acquired (T1583.001). Purchasing a domain name requires an account with a domain registrar. GoDaddy and NameCheap are very popular domain registrars, but there are many others. Generally, Red Teamers will use reputable registrars, while malicious actors will generally use registrars from other, less reputable Top Level Domains. When registering a domain name, a name must be chosen. Joe blogged about how domain name themes may allow detection of malicious adversaries. The domain registrant information may be logged in the WHOIS data; however, you can pay for a privacy service such as Domains By Proxy so that the domain name is not attributable back to you. Lastly, domains need name servers (T1583.002). These servers are generally hosted by the registrar, and the name server points the domain to an IP address.

Acquire Infrastructure: Server

Computing resources will also need to be acquired to point your domain names towards (T1583.004). These systems can serve as Command and Control (C2) servers, relays, drive-by download sites, and phishing sites. Red Teamers and adversaries like using cloud computing for the same reasons your business does: it is quick and you pay for what you use. This is so common that it has its own sub-technique: Virtual Private Server (T1583.003). Both Red Teamers and malicious actors may choose to use reputable providers:

  • Amazon EC2
  • Microsoft Azure
  • Google Cloud Platform
  • Digital Ocean

Red Teamers and malicious adversaries may also choose to use not-so-reputable providers. Red Teamers do it to emulate the adversary while malicious actors do it to avoid attribution and law enforcement. There are many providers with various reputations including but not limited to Linode, Vultr, and many bulletproof hosting providers.

“I’ve had many cyber intel pros tell me that Linode is a dead giveaway of a pentester or Red Teamer.” - Tim MalcomVetter

Develop Capabilities: Digital Certificates

Generating TLS certificates is almost a requirement when setting up attack infrastructure. As an industry, we have improved, and almost every Internet user knows to check for HTTPS before submitting private information. Red Teamers and malicious actors know this and obtain TLS certificates for their servers. Let’s Encrypt allows generating free certificates, while most domain registrars sell them at various prices. Purchasing a certificate does buy you some quick reputation, depending on the Certificate Authority.

Operational Security

All of the above steps need to be done with Operational Security (opsec) in mind. Red Teamers do not want to be caught by defenders and called out for doing exercises. Measuring people, process, and technology is a general objective of most Red Team Engagements and people change their behavior when they know the attack is an exercise.

Purchasing

Red Teamers should use non-attributable funds to purchase domains, hosting, and certificates. A method we have used is to pay a Value Added Reseller a retainer and have them purchase the infrastructure for us. SCYTHE Advisory Board member Tim MalcomVetter shared with us how other Red Teamers go about acquiring infrastructure:

We usually use corporate cards, but will use fake names, emails, etc. with the accounts, and use real names/addresses on the purchases. The reason is that we're not breaking any laws, so we are fine with it; we've never had an OPSEC issue with using a corp card, but we have with using corp email addresses or even personal emails with real names. We've used privacy temp card numbers that wrap corp cards, but those often don't work with corp cards, and privacy credit card companies are increasingly getting banned from infra providers since shady actors use them. Also, having accounts with physical addresses that fail USPS validation, or with different names/addresses for billing vs. technical contacts, tends to cause issues. We've also had accounts that we set up with only throwaway email addresses get banned after signup and before they could be used. Bottom line: the more realistic the data is that you provide to the infra providers, the more likely you'll get to age and deploy infra there.

Malicious actors will use a variety of illegal methods to acquire infrastructure, from credit card theft, to using cryptocurrencies, to compromising infrastructure (T1584).

ACL on Management Interfaces

Setting up basic Access Control Lists so that only Red Teamer IPs can connect to the management interfaces on your attack infrastructure is a simple best practice to follow. Having SSH, RDP, or your C2 management ports open to the Internet is not a good idea. There was a recent Remote Code Execution vulnerability in Covenant that was exploitable if this simple step was not followed.

Authentication to Management Interfaces

Rarely do we see Red Teamers or malicious adversaries implementing multi-factor authentication on their management interfaces. SCYTHE has the capability of enabling Multi Factor Authentication to login to the SCYTHE server as shown in Figure 2.

Figure 2: Multi-Factor Authentication in SCYTHE

Relays and Redirectors

Red Teamers should not expose their Command and Control (C2) servers directly to the Internet. Instead, create relays or redirectors on your computing infrastructure so that if those domains/IPs are blocked by the defenders, you can quickly change the relay and continue your operations. Relays and redirectors can be as simple as “dumb” rules in iptables, socat, or netsh, or as complex as “smart” redirectors that make decisions based on the source trying to access them (nginx, Apache with mod_security, etc.). SCYTHE provides relays as Docker containers, Python scripts, and Windows installers for all the communication protocols we support.

A little more advanced setup is using SSH jump boxes on separate VMs, and ACLs to only the jump boxes. Typically, for other reasons, we also only deploy redirectors in disposable cloud infrastructure, and C2 on permanent/managed cloud infra, then we use outgoing SSH connections from the managed infra to the disposable, with reverse port forwards back to the C2 ports. Then on the redirectors, it's typically Apache, nginx, or iptables to forward the external interface to 127.0.0.1 and the reverse-forwarded port.

Identifying Attack Infrastructure

Joe has multiple posts on the DomainTools blog about identifying malicious attack infrastructure. One of my favorites is “Analyzing Network Infrastructure as Composite Objects”, which provided Figure 3. Below is a brief summary of those techniques:

Figure 3: Relationship between Domain Names, IP Addresses, and TLS Certificates


Domain Names

Domain names may be registered but not point to any IP address. The name may give away a particular theme, as the World Health Organization spoofing campaign did. Once the domain name resolves to an IP address, it can be visited (safely, e.g. through a VPN) to see what it is hosting. Some enterprises use brand protection services to monitor for the registration of lookalike domains and request that they be taken down before the adversary can put them into play.
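As an added example of the lookalike-domain monitoring mentioned above (this is not code from the post, from SCYTHE or from DomainTools; the brand watch list, the homoglyph table, the known-good allow list and the sample registration feed are all constructed for illustration), the script below normalizes each newly registered domain and flags those that match a watched brand exactly after normalization, contain the brand, or sit within one edit of it:

```python
"""Flag newly registered domains that resemble a protected brand.

Added example, not code from the post, SCYTHE or DomainTools. The
brand list, homoglyph table, allow list and feed are constructed.
"""

# Substitutions commonly seen in lookalike domains (assumed mapping).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

BRANDS = ["scythe", "domaintools"]                 # constructed watch list
KNOWN_GOOD = {"scythe.io", "domaintools.com"}      # constructed allow list


def normalize(label):
    """Lower-case a label, drop separators, undo common homoglyphs."""
    s = label.lower().replace("-", "").replace("_", "")
    for glyph, letter in HOMOGLYPHS.items():
        s = s.replace(glyph, letter)
    return s


def levenshtein(a, b):
    """Edit distance with unit-cost insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(domain):
    """Return the registrable label: 'sc-ythe.com' -> 'sc-ythe'.
    Naive split on '.'; public-suffix handling (.co.uk etc.) is out of scope."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, brands=BRANDS, max_distance=1):
    """Return (brand, reason) if the domain resembles a brand, else None."""
    label = normalize(second_level_label(domain))
    for brand in brands:
        if label == brand:
            return (brand, "exact-after-normalization")
        if brand in label:
            return (brand, "contains-brand")
        if levenshtein(label, brand) <= max_distance:
            return (brand, "edit-distance")
    return None


def triage(domains, known_good=KNOWN_GOOD):
    """Run classify() over a registration feed, skipping our own domains."""
    hits = []
    for d in domains:
        if d.lower() in known_good:
            continue
        verdict = classify(d)
        if verdict:
            hits.append({"domain": d, "brand": verdict[0], "reason": verdict[1]})
    return hits


# Constructed sample feed of newly registered domains.
SAMPLE_FEED = [
    "scythe.io",         # our own domain: allow-listed
    "scyth3.com",        # homoglyph 3 -> e
    "sc-ythe.net",       # hyphen insertion
    "scythe-login.com",  # brand plus lure word
    "scyte.com",         # one character dropped
    "d0maintools.org",   # homoglyph 0 -> o
    "example.com",       # benign
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED):
        print(hit)
```

In practice the feed would come from a newly-registered-domain source or certificate transparency logs, and hits would be handed to whoever files the takedown request; the allow list keeps the brand's own registrations out of the queue.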

Domain Categorization

Domain names are also categorized by various vendors, which can provide an idea of what is being hosted on that domain. Many organizations block categories by default (e.g. gambling, adult content, weapons) while intrinsically trusting others (e.g. healthcare, finance, government). Note that Red Teamers and adversaries can submit categorization requests to get around outbound proxy controls.

TLS Certificates

Start by logging the Certificate Authority that issued each certificate your users encounter, so that you can alert on it. While Let’s Encrypt is a legitimate service, how often do your users visit sites that use its certificates? With certificate information logged, you can also look at the issue date. Is the certificate less than a week old?
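The issuer and issue-date checks just described, as an added example that is not code from the post, SCYTHE or DomainTools: the log lines are constructed JSON records with the fields ts, server_name, issuer and not_valid_before (the field names are an assumption, not any particular sensor's schema), the watched-issuer list and the seven-day threshold are assumptions, and issuer_counts() gives the baseline you would compare against to judge how unusual an issuer is in your own traffic:

```python
"""Flag observed TLS certificates by issuer and by age.

Added example, not code from the post, SCYTHE or DomainTools. Log
records, field names, issuer list and age threshold are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Issuers worth a second look when they are rare in your own traffic (assumed).
WATCHED_ISSUERS = ("Let's Encrypt",)
MAX_AGE = timedelta(days=7)  # "Is the certificate less than a week old?"

# Constructed log: one JSON record per observed certificate.
SAMPLE_LOG = """\
{"ts": "2020-11-10T14:02:11Z", "server_name": "scythe.io", "issuer": "CN=Example CA 1,O=Example Commercial CA,C=US", "not_valid_before": "2020-05-01T00:00:00Z"}
{"ts": "2020-11-10T14:05:40Z", "server_name": "scyth3-login.com", "issuer": "CN=R3,O=Let's Encrypt,C=US", "not_valid_before": "2020-11-08T09:15:00Z"}
{"ts": "2020-11-10T14:07:02Z", "server_name": "updates.example.net", "issuer": "CN=R3,O=Let's Encrypt,C=US", "not_valid_before": "2020-08-20T00:00:00Z"}
{"ts": "2020-11-10T14:09:55Z", "server_name": "cdn.example.org", "issuer": "CN=Example CA 1,O=Example Commercial CA,C=US", "not_valid_before": "2020-11-09T00:00:00Z"}
"""


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form used in the log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def issuer_org(issuer_dn):
    """Pull the O= component out of a DN such as 'CN=R3,O=Let's Encrypt,C=US'."""
    for part in issuer_dn.split(","):
        if part.strip().startswith("O="):
            return part.strip()[2:]
    return issuer_dn


def assess(record):
    """Return the reasons a record is interesting (empty list if none)."""
    reasons = []
    org = issuer_org(record["issuer"])
    if org in WATCHED_ISSUERS:
        reasons.append("watched-issuer:" + org)
    # Age at the time the certificate was observed, not at analysis time.
    age = parse_ts(record["ts"]) - parse_ts(record["not_valid_before"])
    if age < MAX_AGE:
        reasons.append("cert-age-days:%d" % age.days)
    return reasons


def scan(log_text):
    """Parse JSON lines; return {server_name: [reasons]} for flagged records."""
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = assess(rec)
        if reasons:
            flagged[rec["server_name"]] = reasons
    return flagged


def issuer_counts(log_text):
    """Baseline: how often each issuer organization appears in the log."""
    counts = {}
    for line in log_text.splitlines():
        if line.strip():
            org = issuer_org(json.loads(line)["issuer"])
            counts[org] = counts.get(org, 0) + 1
    return counts


if __name__ == "__main__":
    print(issuer_counts(SAMPLE_LOG))
    for name, why in scan(SAMPLE_LOG).items():
        print(name, why)
```

Neither signal is conclusive on its own: a brand-new certificate from a commercial CA and a long-lived Let's Encrypt certificate both get flagged here, and both can be legitimate. The value is in the combination, and in comparing against the issuer baseline from your own traffic rather than against a fixed list.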

Hosting Providers and Locations

Another good place to look for malicious activity is the hosting provider and the location of the servers the domains point to. Malicious actors tend to operate from countries with little to no laws related to cyber security. However, they are increasingly using reputable hosting providers and redirecting through other compromised systems.

Conclusion

This week we talked with Joe Slowik from DomainTools about attack infrastructure to compare and contrast Red Teamers and malicious actors. Clearly, there are some similarities but also some major differences. As a Red Teamer, you want to ensure you follow operational security best practices when purchasing domains, computing infrastructure, and TLS certificates. We hope you enjoyed it!

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io