How we helped
With the project complete, the Encode Team created a detailed report for the CISO outlining the steps it had taken and the vulnerabilities it had exploited to breach the Bank's security and ultimately gain domain administrator privileges. The report also provided clear guidance on the remediation steps the Bank should take to fix specific issues, along with general recommendations on the best approach to addressing such threats. The report, which was welcomed by the CISO, was subsequently used to strengthen IT security controls and served as a motivating factor in raising awareness among C-level executives. The successful project helped the Bank dramatically improve its IT security processes and provided a timely warning of the dangers of complacency.
Encode assigned its Red Team to the project, which ran over roughly four weeks. The Encode Team worked exclusively with the Bank's CISO, who set out a list of goals and acted as liaison for the project. The Bank's Security Operations team was not informed of the project; only the CISO provided oversight and authorization for the various phases of the simulated attack and system takeover.
With the goals set, the Encode Red Team began a reconnaissance phase to gather information on Bank employees, the organizational structure and key systems, with the aim of finding an initial entry point that would give it a foothold in the Bank's systems.
This reconnaissance enabled the Red Team to create a target-user list which, following approval from the Bank's CISO, was attacked using a range of social engineering techniques, such as spear-phishing and other e-mail spoofing techniques, to prompt an action that would lead to the compromise of the users' endpoints. This usually involves tricking staff into downloading and opening a "weaponized" file, or visiting a faked website as part of a web-borne attack. In this instance, it took only a couple of minutes after sending a few spear-phishing e-mails for a member of the Bank's staff to unwittingly allow the team to plant a Remote Access Tool (RAT) on a local PC. The RAT is custom-built and tested against a full range of Anti-Virus and Advanced Malware Detection software to ensure it will not be detected by the Bank's AV software and other controls, either when it is surreptitiously downloaded and executed on the target PC or when it communicates with its Command and Control (C2) server.
Having established a foothold inside the internal network, the Encode Red Team took steps to ensure that the endpoint would remain persistently compromised (e.g. that the RAT would survive reboots) and to prepare the compromised endpoint as a "stepping stone" for further escalation of the attack. Using the capabilities of the RAT, the Team was able to take over the access privileges of the compromised user and then traverse the Bank's internal network, exploiting established trust relationships, inherently insecure IT operations practices and common architectural deficiencies, before establishing itself on one of the Bank's SQL servers.
With a second foothold established on the SQL server, the Team then used additional Account Take-Over (ATO) techniques to gain domain administrator privileges. Throughout the entire exercise, the RAT's communication with its Command and Control (C2) server and all lateral movement and privilege escalation activities went undetected by the Bank's Security Operations Team, Intrusion Detection Systems (IDS) and SIEM systems.
At each phase of the attack simulation, the Team kept a careful audit of the vulnerabilities it had discovered and exploited, including evidentiary data captures and logs. With the mission set by the Bank's CISO achieved, the Team performed a clean-up to remove all traces of the breach and of the RAT's presence.