Using Red Team Tactics to Secure Your Virtual and Physical Perimeter

by U. Fridman, July 26, 2011

The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
– Sun Tzu

Defined loosely, a Red Team is a group of experts engaged in the practice of viewing a problem from an adversary’s perspective. This adversary can be an enemy trying to infiltrate the perimeter, a competitor trying to get the latest marketing documents or a robber trying to break into a house.

The goal of most Red Teams is to enhance decision making, either by finding and pointing to the weak links in a security system or by simply acting as a devil’s advocate.

Red Team

Red Teams are used frequently in the world of computer security. A group of penetration testers will assess the security of an organization, which is often unaware of the existence of the team or their exact assignment. Red teams can test the security of computer systems and networks, as well as the physical security.

You can apply the same idea to identify weaknesses in, and protect, your own network, computers and property.

With a little thinking outside the box you can perform a Red Team assessment of your own assets: put yourself in the attacker’s shoes. If you had to penetrate your perimeter, knowing what you know about it (since you put all the defence mechanisms in place), how would you do it? If you can find a hole, so can an attacker.

Identify Targets with CARVER

One of the methods you can use to start identifying security issues is the CARVER Matrix.

CARVER is an acronym that stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability. It’s a system used to assess targets and decide which one needs to be secured first. Let me write down what each component means in terms of computer security:

Criticality
The target value. How vital is this to the overall organisation? A target is critical when its compromise or destruction has a highly significant impact in the overall organisation.
Accessibility
How easily can I reach the target? What are the defences? Do I need an insider? Is the target computer accessible via a network?
Recuperability
How long will it take for the organisation to replace, repair, or bypass the destruction or damage caused to the target? Once the compromise is found, how long will it take for the system to recuperate from the breach?
Vulnerability
What degree of knowledge is needed to exploit the target? Can I use known exploits, or must I invest in new, possibly zero-day, exploits?
Effect
What is the impact of the attack on the organisation? Similar to the first point (Criticality), this point should also analyse the organisation’s likely reaction.
Recognizability
Can I identify the target as such? How easy is it to recognise that a specific system, network, or device is the target and not a security countermeasure?

Using the Matrix

The CARVER Matrix maps all this into an easy-to-quantify table, where the high-risk targets stand out. How do we use it? List the targets as rows and the six CARVER components as columns, and rank each target on each component from one to five. Five is the highest value from the attacker’s point of view: most critical, most accessible, slowest to recover, easiest to exploit, greatest effect, easiest to recognise. Sum each row; the highest totals are the targets to secure first.

TARGET              C  A  R  V  E  R  TOTAL
SQL Server          3  2  4  2  5  5     21
Mail Server         5  5  2  3  3  5     23
CEO’s workstation   5  1  2  5  5  1     19

This example shows that in our fictitious network the highest-priority target is the mail server (total score 23). Why? Let’s look at the components.

Criticality
In this organisation the mail server is vital to daily work. It scores a five.
Accessibility
The mail server is easily accessible from the Internet. There are some defences, but they’re trivial. It earns a five.
Recuperability
The organisation’s IT personnel know that the mail server might be vulnerable. They make a backup every day, so if something goes wrong there will be some downtime and some messages might be lost, but the server will be restored from backup quickly. The score is therefore a two.
Vulnerability
The attacker doesn’t have to be an expert or have a high degree of knowledge to attack the mail server. However, some degree of knowledge and proficiency is required (a script kiddie could not do this). It gets a three.
Effect
We know that mail is critical, but what will happen when it is compromised? The organisation will be down for some time and that’s bad. However, since a backup is in place no one will panic. The score is three.
Recognizability
It is trivial to recognise a mail server as such, so it gets a five.

Beyond the fact that the mail server’s score is 23, the matrix shows that since it’s a critical part of the organisation (C = 5) and the knowledge required to penetrate this server is medium-to-low (V = 3), this resource should be secured first.

Using CARVER can be a bit cumbersome at first, but once you have used it a few times the matrix becomes easier and you begin to see a system’s weak points almost immediately. Keep the justification for each score next to the number, as above: the ranking is only as defensible as the scores behind it.
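
The scoring described above, as an added worked example (not a tool from the original article): each component is validated to the 1–5 range so a typo cannot skew the ranking, totals are computed, and targets are ranked highest first. The three targets are the article’s fictitious network; the optional per-component weights and the tie-break rule (higher Criticality, then higher Vulnerability, mirroring the C = 5 / V = 3 reasoning above) are assumptions introduced here.

```python
# Added example: scoring and ranking CARVER targets. Not from the article.
# The weights and tie-break rule below are assumptions for illustration.
from dataclasses import dataclass

FACTORS = ("criticality", "accessibility", "recuperability",
           "vulnerability", "effect", "recognizability")


@dataclass(frozen=True)
class Target:
    name: str
    criticality: int
    accessibility: int
    recuperability: int
    vulnerability: int
    effect: int
    recognizability: int

    def __post_init__(self):
        # Every CARVER component is scored 1..5; reject anything else so a
        # mistyped cell cannot silently change the ranking.
        for f in FACTORS:
            v = getattr(self, f)
            if isinstance(v, bool) or not isinstance(v, int) or not 1 <= v <= 5:
                raise ValueError(f"{self.name}: {f}={v!r} is not an integer in 1..5")

    def total(self, weights=None):
        """Sum of the six components; optional per-component weights (default 1)."""
        weights = weights or {}
        return sum(getattr(self, f) * weights.get(f, 1) for f in FACTORS)


def rank(targets, weights=None):
    """Highest total first. Ties go to the more critical, then the more
    vulnerable target (assumed rule, following the article's C/V reasoning)."""
    return sorted(
        targets,
        key=lambda t: (t.total(weights), t.criticality, t.vulnerability),
        reverse=True,
    )


def render(targets, weights=None):
    """Plain-text matrix in the same layout the article uses, ranked."""
    rows = [f"{'TARGET':<20} C A R V E R TOTAL"]
    for t in rank(targets, weights):
        cells = " ".join(str(getattr(t, f)) for f in FACTORS)
        rows.append(f"{t.name:<20} {cells} {t.total(weights):>5}")
    return "\n".join(rows)


# Constructed from the article's example network.
EXAMPLE = [
    Target("SQL Server",        3, 2, 4, 2, 5, 5),
    Target("Mail Server",       5, 5, 2, 3, 3, 5),
    Target("CEO's workstation", 5, 1, 2, 5, 5, 1),
]

if __name__ == "__main__":
    print(render(EXAMPLE))
    # Counting Criticality double is an assumption; it shows how the order of
    # SQL Server and the CEO's workstation changes when C is weighted more.
    print()
    print(render(EXAMPLE, weights={"criticality": 2}))
```

With equal weights the totals are 21, 23 and 19, so the mail server ranks first; doubling Criticality lifts the CEO’s workstation above the SQL server, which is the point of keeping weights explicit rather than baked into the scores.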

Conclusion

In addition to utilizing the CARVER Matrix, there are other points that you need to take into account when trying to defend your virtual (and physical) perimeter.

Control Your Environment

Controlling the environment is one of the most important aspects of physical security, and it should be the same in cyber-security. Be aware of your surroundings, and make the environment work for you. Where is each computer, and where is the information stored on it? What are the connection channels between the machines? How does external data flow in and out? Know your DMZs, firewalls and routers, external networks and failure points, points of connection to the Internet, ISPs and backups (internal and off-site).

By knowing your environment intimately and by performing assessment and penetration testing often, you can react to changes in the environment – however subtle they might be – and spot the potential or actual threats quickly. By knowing your environment and placing protection and defensive measures you make it harder for the attackers to operate in your environment.

Change Your Habits

Habits play against you. An attacker can build and plan an attack around them. If you always use a specific personal firewall or version of software, consider changing it at the next install. If your IP addresses follow a pattern that distinguishes Internet-facing servers from internal ones, or that otherwise hints at which machines hold sensitive data, change it. Change the patterns. Change the way you connect servers and other network elements. Rotating products or addressing schemes complements, but does not replace, patching and hardening what you already run.

Remember, no person acts truly at random, and no person has truly infinite resources at their disposal. If you record, track, and group information on your possible adversaries you can develop profiles. With these profiles, you can draw inferences, and with those inferences, you can be more adaptive and effectively secure your perimeter. This is called “intelligence-driven response.” (1)

Editor-in-Chief’s Note: Please join us in welcoming U. Fridman as a contributor on ITS Tactical. He is currently a senior information security consultant who specializes in detection of information security threats and response to security incidents. His background includes extensive experience in red team activities and management, information warfare, counter cyber-terrorism, industrial espionage, forensic analysis and other security services.

(1) Source: Attacking the Kill Chain




MrEthiopian

CARVER is a great starting point, but just like your example that a mail server is somehow more critical than a SQL server, the usage of CARVER is suggestive and can be inherently incorrect if not used with another matrix of qualifications.

If I was so inclined and wanted access to data that I could use to make money with, I would never go after a mail server; it's stupid, who stores critical data on a mail server? Granted you might find some NPI from blockheads openly conversing with other idiots.

The SQL in a DMZ will likely have an AD subset that can then be used to gain access to the core. Once in the core I would go after the data on other SQL servers; I'm talking PCI, HIPAA, CFR 11 data that includes an abundance of guaranteed money-making information. I will tell you from a plethora of professional experience, many organizations have no idea how to properly protect themselves. I could go on and on and delve much deeper into this subject and tell you many life stories about such escapades, but professional ethics and signed contracts keep me from truly opening up.

Great site btw, incredible amount of usable data, keep up the great work.

Th3

StealthNinja

Well, if you're a CIA Red Team Commander or an NSA Red Team Commander in Intelligence Analysis or Counter Intelligence Analysis, then you better have some infiltration tools, such as lock picks, heavy duty 50 lb. ers bolt cutters, multimeter, soldering kit, mxz folding pocket saw and some other hardware with a pair of Mechanix Covert gloves, and a balaclava and a CIA DEF CON / Ninja Strike Force / Cypher Punks gear and a slim jim and an IR cracking micro hacking kit and lots of software and some Sig Pro pistols or a B&T MP9 or H&K MP7 with "silencers" ready to do some "wet work" if you are doing some penetration testing live as a Black Ops Secret Agent in the shadows of The Looking Glass War!

Tchao with respect-

The Stealth Ninja.

Eric

Excellent article and welcome to ITS.

Blake Dela

Very nice article. Thank you for taking the time out of your day to inform us users on the CARVER matrix.

But I would like to point out the incorrect math in your target chart.

*Attention to detail*

Eric S.

Remember you can use the CARVER concept for route surveys to determine your "best" and "worst" routes.

Great article and welcome to ITS!

BrokenTrace

Great article on the CARVER concept and red teams.

brendan murphy

Excellent article Mr. Fridman! It's great to have a way to mentally and practically approach security. Honestly I've never really thought of a matrix system to analyze security risks. While I do think about priority and response, this immediately strikes me as a much more effective and accurate way to gauge security risks. Thanks!

brendan murphy

Awesome- thanks again!

And thanks to the rest of the CREW for getting such great contributors! Cheers!
