
Financial Services Case Study

A comprehensive red team engagement demonstrating sophisticated attack paths and identifying critical security improvements.

Engagement Objectives

  • Gain access to the internal network through external attack vectors
  • Access and exfiltrate sensitive customer data
  • Compromise critical trading systems
  • Maintain persistent access without detection
  • Test blue team detection and response capabilities
  • Duration: 8 Weeks
  • Vulnerabilities: 5 Critical
  • Detection Rate: 12%
01

Reconnaissance

Activity

The team began with extensive open source intelligence gathering (OSINT) and external reconnaissance, identifying potential entry points through the organisation's public-facing infrastructure, contact methods and employee profiles.

Defences in Use

  • Next-Gen Firewalls
  • Web Application Firewalls
  • Email Security Gateway
  • Multi-Factor Authentication

Outcome

Detailed OSINT information allowed the team to build a number of viable attack vectors, including a phishing campaign targeting specific employees.

02

Planning and Development

Activity

With clear attack vectors identified, the team began planning and developing the attack, including a phishing campaign that utilised a trusted third-party cloud service to target specific employees. The team developed and tested viable delivery mechanisms against the identified protections.

Defences in Use

  • Next-Gen Mail Security Gateway
  • Multi-Factor Authentication
  • Endpoint Detection & Response

Outcome

The Red Team had fully deployed all required tooling and systems and were ready to execute the attack.

03

Initial Access

Activity

Using a bespoke service portal with embedded attacker-in-the-middle techniques, the Red Team intercepted authentication tokens and used them to gain initial access to the organisation's cloud environment.

Defences in Use

  • Monitoring and Alerting
  • Conditional Access
  • Two-Factor Authentication
  • URL and File Scanning

Outcome

The Red Team gained initial covert access to the organisation's cloud environment. No detections were observed at this stage.

04

High Value Internal System Access

Activity

The team examined internal documentation available in the cloud environment and identified the use of Azure Virtual Desktop. The team were able to gain access to a generic host pool and load a custom C2 agent onto the host. Persistent access was installed using a shared program which, when executed, would run the C2 agent.

Defences in Use

  • Endpoint Detection & Response
  • Network Monitoring
  • Network Segmentation
  • Outbound Network Filtering

Outcome

The Red Team were able to gain and maintain access to the Azure Desktop host, which had access to the organisation's internal network and domain controllers.

05

ADCS Compromise

Activity

The Red Team exploited the Azure Virtual Desktop host to gain access to the organisation's Active Directory Certificate Services (ADCS). The team were able to compromise the ADCS server and impersonate any user in the organisation. The access, and the unusual request made to the certificate service by the compromised user, was detected. However, the root cause investigation failed to identify the persistence mechanism in use or to revoke the created certificate, meaning the team retained network access.
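The investigation described above detected the unusual certificate request but never revoked the certificate that was issued. The following added example (not part of the original case study, and not Bulletproof's tooling) shows the review a defender would run over the CA's issuance records: it flags any certificate whose requester-supplied subject alternative name (SAN) carries a UPN for a different account than the one that requested it, and lists the request IDs that need revocation. The records and field names are constructed to resemble what a CA audit event carries; in production they would be pulled from the CA's own logs or database.

```python
"""Review ADCS issuance records for certificates whose requester-supplied SAN
names an account other than the requester.

Added example, not from the original case study. ISSUANCE_RECORDS and the
field names are constructed approximations of CA issuance audit data.
"""
import re
from dataclasses import dataclass

# Constructed sample issuance records (request id, requesting account,
# template, requester-supplied attributes).
ISSUANCE_RECORDS = [
    {"request_id": 1041, "requester": "CORP\\jsmith", "template": "User",
     "attributes": ""},
    # Requested by an ordinary user, but the SAN names the administrator account.
    {"request_id": 1042, "requester": "CORP\\jsmith", "template": "UserAuthAnySAN",
     "attributes": "SAN:upn=administrator@corp.example"},
    {"request_id": 1043, "requester": "CORP\\wkst01$", "template": "Machine",
     "attributes": "SAN:dns=wkst01.corp.example"},
    # SAN matches the requester's own account: benign.
    {"request_id": 1044, "requester": "CORP\\bjones", "template": "UserAuthAnySAN",
     "attributes": "SAN:upn=bjones@corp.example"},
]

# Extract every upn=<value> entry from the attribute string.
SAN_UPN = re.compile(r"upn=([^,;&\s]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    request_id: int
    requester: str
    san_upn: str
    reason: str


def account_name(principal: str) -> str:
    """Reduce 'DOMAIN\\user' or 'user@domain' to a bare, lower-cased account name."""
    name = principal.split("\\")[-1]
    return name.split("@")[0].lower()


def review_issuance(records):
    """Return a Finding for each certificate whose SAN UPN is not the requester."""
    findings = []
    for rec in records:
        for upn in SAN_UPN.findall(rec["attributes"]):
            if account_name(upn) != account_name(rec["requester"]):
                findings.append(Finding(
                    rec["request_id"], rec["requester"], upn,
                    "requester-supplied SAN names a different account"))
    return findings


def revocation_candidates(records):
    """Request IDs that should be revoked at the CA and reviewed by the SOC."""
    return sorted({f.request_id for f in review_issuance(records)})


if __name__ == "__main__":
    for f in review_issuance(ISSUANCE_RECORDS):
        print(f"request {f.request_id}: {f.requester} -> {f.san_upn} ({f.reason})")
    print("revoke:", revocation_candidates(ISSUANCE_RECORDS))
```

Revoking the flagged request IDs is the step the case study notes was missed; the check is deliberately narrow (requester-supplied UPN that does not match the requester) so that it can run on every issuance event without drowning the SOC in benign machine and user enrolments.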

Defences in Use

  • Endpoint Detection & Response
  • Network Monitoring
  • Network Segmentation
  • Outbound Network Filtering
  • SIEM Solution

Outcome

The Red Team were able to gain access to critical systems and exploit them to gain control of the organisation's users and Domain Admins. However, they were detected by the blue team and the account was locked, cutting access to the cloud systems. Every time the shared application was started by another user on the system, though, the attacking team regained access on a new AVD session host.
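Both the persistence installed in step 04 (a shared program that launches the C2 agent) and the outcome above (access regained each time another user started that program) come down to a shared application directory that had changed without anyone noticing. The added example below, which is not code from the original case study or from Bulletproof, is the integrity check a defender would run against such a directory: hash every file, compare with a stored baseline, and report what was added, modified or removed. The directory contents are constructed in a temporary folder so the script runs anywhere.

```python
"""Integrity check for a shared application directory on a session host.

Added example, not from the original case study. The directory contents are
constructed in a temporary folder; in production the baseline would be taken
from a known-good image and stored off the host.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative posix path: sha256 hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline, current):
    """Classify drift between two hash_tree() snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed shared-app folder, baseline it, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "SharedApp"
        (app / "bin").mkdir(parents=True)
        (app / "bin" / "launcher.exe").write_bytes(b"MZ original launcher (constructed)")
        (app / "bin" / "config.ini").write_text("[app]\nmode=prod\n")
        baseline = hash_tree(app)

        # Drift a defender would want surfaced: the launcher's contents changed,
        # a new binary appeared, and a config file vanished (all constructed).
        (app / "bin" / "launcher.exe").write_bytes(b"MZ changed launcher (constructed)")
        (app / "bin" / "helper.dll").write_bytes(b"MZ new file (constructed)")
        (app / "bin" / "config.ini").unlink()

        return compare(baseline, hash_tree(app))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Scheduled against the shared application path on every session host and fed into the SIEM, this kind of drift report gives the incident responder the answer the case study says was missing: which file changed, on which host, before the next user launched it.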

06

ADFS Compromise

Activity

The Red Team carefully identified the use of Active Directory Federation Services (ADFS) within the organisation's environment. The team modified tooling, traffic profiles and techniques to insulate them from the earlier detected activity. Using compromised credential material from the ADCS exploit, the team were able to leverage access to the ADFS server and impersonate any user in the organisation's cloud estate.

Defences in Use

  • Endpoint Detection & Response
  • Network Monitoring
  • Network Segmentation
  • Outbound Network Filtering
  • SIEM Solution
  • Azure AD Identity Protection
  • Azure AD Conditional Access
  • Multi-Factor Authentication

Outcome

At this stage the Red Team were able to access the organisation's cloud estate as any user in the organisation. This would allow them to target key users with access to sensitive data and the trading systems, which utilised single sign-on (SSO).

07

Complete Objectives

Activity

The Red Team accessed critical information stores, documenting and redacting the available information. The team were then provided with a sample data set to exfiltrate from the client's cloud-based databases. The team were also able to access the trading systems as a senior user and documented the level of access achieved.

Defences in Use

  • Endpoint Detection & Response
  • Network Monitoring
  • Network Segmentation
  • Outbound Network Filtering
  • SIEM Solution
  • Azure AD Identity Protection
  • Azure AD Conditional Access
  • Multi-Factor Authentication

Outcome

The Red Team had completed all of their objectives within the engagement timeframe. The trusted contacts were kept informed of the progress throughout with live updates.

08

Additional Value

Activity

The Red Team had a small amount of time left in the engagement to perform additional actions. The team adopted a less covert approach using common tools and techniques used by ransomware groups. These actions were designed to gauge the maturity of the detection and response systems. A wide array of detections were observed for the common threat activity. The Blue Team were finally notified of the engagement, before serious escalation of the incident was required.

Defences in Use

  • Endpoint Detection & Response
  • Network Monitoring
  • Network Segmentation
  • Outbound Network Filtering
  • SIEM Solution
  • Azure AD Identity Protection
  • Azure AD Conditional Access
  • Multi-Factor Authentication

Outcome

The Red Team were able to show that although the detections were effective against commodity threats, attackers operating at a higher maturity level would be able to evade them. The Blue Team leads were invited to the engagement chat to discuss the detections, and the Red Team shared insights prior to the final report.

Engagement Impact

The red team engagement revealed several critical security gaps that could have led to significant business impact. The organisation had a robust and well-designed cloud estate, using modern defensive tooling throughout. The Red Team, however, were able to show how lateral movement and the exploitation of on-premise systems could be leveraged to compromise a linked cloud estate. Through careful documentation and detailed reporting, we provided actionable recommendations that led to substantial improvements in the organisation's security posture.

Post-engagement, the client implemented a comprehensive security enhancement program based on our findings, resulting in measurable improvements across their defensive capabilities.

Key Improvements Implemented

Enhanced Detection Capabilities

Custom detection rules were implemented to detect the TTPs observed during the engagement, allowing the defensive teams to identify malicious activity earlier in the kill chain.

Network Segmentation

The network architecture was reviewed and improved to implement strict segmentation between cloud and on-prem systems, limiting the impact of a breach of Virtual Desktop systems.

Access Control Refinement

Conditional Access policies were redesigned to prevent the compromise of authentication tokens during the early stages of the engagement.

Security Monitoring

Clear gaps were identified in the monitoring of the cloud environment. Custom monitoring rules were implemented to detect known activity patterns within the cloud estate.

Incident Response

The organisation designed and implemented new root cause analysis responses and widened the response activity required when isolating threats.

Security Training

Bulletproof delivered a final wash-up and training session to the organisation, covering the key findings and the impact of the engagement. This session allowed the defensive teams to ask questions and understand the root behaviours of the attacks, not just the tooling.