Red Team Non-Attributable Infrastructure and the Executive Order

The January 19, 2021 Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (mouthful) naturally started various debates and discussions around how it affects Red Team Non-Attributable Infrastructure. If you have not read the Executive Order or want a TL;DR from our very own @LawyerLiz, read her summary here.

As Liz notes: “The Executive Order is a regulatory play in three main acts best described as: Get to Know Your Customers (Section 1), Blocking Bad Foreign Actors (Section 2), and Sharing the Bad News (Section 3).”

The concern for Red Teams is around obtaining non-attributable infrastructure as per Section 1 and Section 2. Red Teams performing “zero-knowledge” engagements must set up non-attributable attack infrastructure for various components:

  • Command and Control (C2) Servers
  • Relays/Redirectors
  • Phishing Sites for Credential Harvesting
  • Payload Delivery Sites
  • Email servers to send phishing emails

The concern Red Teams will have because of this Executive Order is around hosting attack infrastructure with US-based Cloud Providers (Infrastructure as a Service), which will soon require real information about the user. If you want to learn more about how to set up Red Team Attack Infrastructure, check out this post.

Obtaining Non-Attributable Infrastructure

There are multiple methods to obtain non-attributable infrastructure, and some of them may have to change due to this Executive Order. A method we have used, and which should still work, is to pay a Value Added Reseller (VAR) a retainer and have them purchase the infrastructure for you with their real, US-based information. The downside is that Blue Teams will be able to identify the owner as a US-based VAR rather than a malicious actor. This may cause them to act differently in their response, especially if they realize it is a Red Team engagement.

In a previous post, we spoke with Joe Slowik from DomainTools and SCYTHE Advisory Board member Tim MalcomVetter about Attack Infrastructure: Red Teams vs. Malicious Actors. Tim shared how other Red Teamers go about acquiring infrastructure, a method that will be impacted by this Executive Order:

We usually use corporate cards, but will use fake names, emails, etc. with the accounts, and use real names/addresses on the purchases. The reason is that we're not breaking any laws, so we are fine with it; we've never had an OPSEC issue with using a corp card, but we have with using corp email addresses or even personal emails with real names. We've used privacy temp card numbers that wrap corp cards, but those often don't work with corp cards, and privacy credit card companies are increasingly getting banned from infra providers since shady actors use them. Also, having accounts with physical addresses that fail USPS validation, or with different names/addresses for billing vs. technical contacts, tends to cause issues. We've also had accounts that we set up with only throwaway email addresses get banned after signup and before they could be used. Bottom line: the more realistic the data is that you provide to the infra providers, the more likely you'll get to age and deploy infra there.

As Tim alluded to at the end of his comment, requiring real information to obtain infrastructure is a shift we were already seeing from US-based Infrastructure as a Service providers. This Executive Order further pushes that shift toward using real information to obtain US-based attack infrastructure.

Conclusion

For Red Teams performing “zero-knowledge” engagements, review your purchasing process for non-attributable infrastructure. If you are using US-based Infrastructure as a Service, you may need to go through a Value Added Reseller to obtain that infrastructure using real US-based employee information. If you are performing Purple Team Exercises, non-attributable infrastructure is not required, as these are full-knowledge exercises; you will therefore not be impacted by this Executive Order as it relates to attack infrastructure.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.