The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
– Sun Tzu
Defined loosely, a Red Team is a group of experts engaged in the practice of viewing a problem from an adversary’s perspective. This adversary can be an enemy trying to infiltrate the perimeter, a competitor trying to get the latest marketing documents or a robber trying to break into a house.
The goal of most Red Teams is to enhance decision making, either by finding and pointing to the weak links in a security system or by simply acting as a devil’s advocate.
Red Teams are used frequently in the world of computer security. A group of penetration testers will assess the security of an organization, which is often unaware of the existence of the team or their exact assignment. Red teams can test the security of computer systems and networks, as well as the physical security.
The same idea can be applied by you to help identify and protect your network, computer and property.
With a little thinking outside the box you can perform a Red Team assessment on your assets: put yourself in the attacker’s shoes. If you were to penetrate your perimeter, knowing what you know about it (since you put all the defence mechanism in place), how would you do it? If you can find a hole so can an attacker.
Identify Targets with CARVER
One of the methods you can use to start identifying security issues is the CARVER Matrix.
CARVER is an acronym that stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability. It’s a system used to assess targets and decide which one needs to be secured first. Let me write down what each component means in terms of computer security:
- The target value. How vital is this to the overall organisation? A target is critical when its compromise or destruction has a highly significant impact in the overall organisation.
- How easily can I reach the target? What are the defences? Do I need an insider? Is the target computer accessible via a network?
- How long will it take for the organisation to replace, repair, or bypass the destruction or damage caused to the target? Once the compromise is found, how long will it take for the system to recuperate from the breach?
- What is the degree of knowledge needed to exploit the target? Can I use known exploits or should I invest in new, possible zero-day exploits?
- What’s the impact of the attack on the organisation? Similar to the first point (Criticality) this point should also analyze possible reactions from the organisation.
- Can I identify the target as such? How easy is it to recognise that a specific system, network, or device is the target and not a security countermeasure?
Using the Matrix
The CARVER Matrix maps all this into an easy to quantify table or grid, where the high-risk targets are easily spotted. How do we use the CARVER Matrix? Write down the targets in a table. The top of the table will have the components of CARVER. Each target will have its own row, with each component being ranked from one to five. Five is the highest priority or, in our case, the highest value.
This example shows that in our fictitious network the most vulnerable part is the mail server (total score 23). Why? Let’s look at the components.
- In this organisation the mail server is vital to daily work. It scores a five.
- The mail server is easily accessible from the Internet. There are some defences, but they’re trivial. It earns a five.
- The organisation IT personnel know that the mail server might be vulnerable. They make a backup every day so that in the event of something going wrong there will be some downtime, and some messages might be lost, but the backup will be up and running soon. The score then is a two.
- The attacker doesn’t have to be an expert or have a high degree of knowledge to attack the mail server. However, some degree of knowledge and proficiency is required (a script kiddy could not do this). It gets a three.
- We know that mail is critical, but what will happen when it is compromised? The organisation will be down for some time and that’s bad. However, since a backup is in place no one will panic. The score is three.
- It is trivial to recognise a mail server as such, so it gets a five.
Beyond the fact that the mail server’s score is 23, the matrix shows that since it’s a critical part of the organisation (C = 5) and the knowledge required to penetrate this server is medium-to-low (V = 3), this resource should be secured first.
Using CARVER can be a bit cumbersome in the beginning, but, once you start using it, the matrix becomes easier and you will begin to see a system’s weak points almost immediately.
In addition to utilizing the CARVER Matrix, there are other points that you need to take into account when trying to defend your virtual (and physical) perimeter.
Control Your Environment
Controlling the environment is one of the most important aspects in physical security. It should be the same in cyber-security. Be aware of your surroundings, and make the environment work for you. Where is each computer, and where is the information stored in them? What are the connection channels between the machines? How is external data able to flow? Know the DMZs, firewalls and routers, external networks and failure points, points of connection to the Internet, ISPs and backups (internal and off-site).
By knowing your environment intimately and by performing assessment and penetration testing often, you can react to changes in the environment — however subtle they might be — and spot the potential or actual threats quickly. By knowing your environment and placing protection and defensive measures you make it harder for the attackers to operate in your environment.
Change Your Habits
Habits play against you. An attacker can build and plan an attack based on these habits. If you are using a specific personal firewall or version of software, try changing it with the next install. If your IP addresses all follow a certain pattern for servers with Internet connectivity and those kept out of the Internet, or the addresses are assigned in a different way that may alert an attacker to what computers might have sensitive data, change it. Change the patterns. Change the way you connect servers and other network elements.
Remember, no person acts truly at random, and no person has truly infinite resources at their disposal. If you record, track, and group information on your possible adversaries you can develop profiles. With these profiles, you can draw inferences, and with those inferences, you can be more adaptive and effectively secure your perimeter. This is called “intelligence-driven response.” (1)
Editor-in-Chief’s Note: Please join us in welcoming U. Fridman as a contributor on ITS Tactical. He’s currently a senior information security consultant that specializes in detection of information security threats and response to security incidents. His background includes extensive experience in red team activities and management, information warfare, counter cyber-terrorism, industrial espionage, forensics analysis and other security services.
(1) Source: Attacking the Kill Chain
Are you getting more than 14¢ of value per day from ITS Tactical?
Please consider joining our Crew Leader Membership and our growing community of supporters.
At ITS Tactical we’re working hard every day to provide different methods, ideas and knowledge that could one day save your life. Instead of simply asking for your support with donations, we’ve developed a membership to allow our readers to support what we do and allow us to give you back something in return.
For less than 14¢ a day you can help contribute directly to our content, and join our growing community of supporters who have directly influenced what we’ve been able to accomplish and where we’re headed.