
5 Questions To Actually Ask A 3rd Party Red Team

Time for your quarterly, semi-annual or annual red team engagement! You have picked a vendor you might want to use, and now you are going to sit down and chat for a bit (if you aren't sitting down and chatting, Question 0 should be to yourself: why aren't you doing that?!). They get some testers and a product manager on the call, you talk about the weather a bit, and all of a sudden you don't know what to ACTUALLY ask. Use this as a cheatsheet. To be clear, this is for full-scope red team engagements. Super stealthy or not, hopefully some of these questions help!

Question 1: What’s Your Structured Approach to External Recon and Attack?

Average Answer:

We are going to do some scanning and look at your attack surface. Then….we are going to look for vulnerabilities in any open ports and check for exploits!

Best Answer:

We will systematically map your attack surface, looking for forgotten staging and development endpoints, along with any login portals that can be used for further enumeration and credential stuffing. Our approach pairs structured, consistent scanning with deep manual enumeration.

This is sort of a noob-trap question. If you have a consulting firm cosplaying as a security firm, you'll get the "Average Answer". It doesn't need to be word-for-word, but you want the general gist of "we have a defined process and act upon it": a repeatable scanning baseline, manual follow-up on whatever the scanners can't classify, and specific targets (forgotten dev/staging hosts, login portals, exposed management interfaces) rather than "open ports and exploits".

Question 2: What Are Your Methods for Phishing?

Average Answer:

We will get a list of emails and send them out to your users! There will be a payload attached which will get us internal access!

Best Answer:

Depending on your environment, we will craft a portal to harvest login tokens. If you are a Microsoft shop, we will attempt device code phishing (shoutout to our article here) and leverage a tool like GraphSpy to pivot further with the stolen tokens. Otherwise, we will try getting a token from your identity provider with a tool like Evilginx. After receiving a token, we may also send the user a payload to obtain C2 for good measure.

The days of standard attachment phishing are pretty much over. Give them bonus points if they answer with some type of SMS phishing or vishing. Payloads can get pretty whacky too, so also make sure they aren't feeding you some "generic macro or binary payload in an email" gimmick; that usually is a waste of time and gets blocked by every email security gateway there is.
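To make the device code answer concrete, here is the grant the attacker is abusing, simulated end to end. This is an added example and not code from the article or from any of the tools it names: the authorization server below is a toy in-process stand-in for the IdP's device-authorization and token endpoints (RFC 8628), no real identity provider is contacted, and the client id, hostnames and account names are placeholders. The point it shows is that the user code is the only thing tying the victim's sign-in to the attacker's polling session, so the token the IdP finally issues carries the victim's identity.

```python
"""Device code phishing, simulated (OAuth 2.0 device authorization grant, RFC 8628).

Added example, not from the article. The server here is a constructed stand-in;
no real IdP is contacted and all identifiers are placeholders.
"""
import secrets
import string

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


class FakeClock:
    """Injectable time source so the demo needs no sleep()."""
    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class DeviceCodeAuthServer:
    """Minimal model of an IdP's /devicecode and /token endpoints."""

    def __init__(self, clock, expires_in=900, interval=5):
        self.clock, self.expires_in, self.interval = clock, expires_in, interval
        self._pending = {}  # device_code -> request record

    def device_authorization(self, client_id, scope):
        """The ATTACKER calls this and receives the user_code to phish with."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._pending[device_code] = {
            "user_code": user_code, "client_id": client_id, "scope": scope,
            "approved_by": None, "expires_at": self.clock() + self.expires_in,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",
                "expires_in": self.expires_in, "interval": self.interval}

    def user_enters_code(self, user_code, username):
        """The VICTIM types the code on the legitimate verification page and signs in.
        Nothing distinguishes their browser from the attacker's device: the code is the link."""
        for rec in self._pending.values():
            if (rec["user_code"] == user_code and rec["approved_by"] is None
                    and self.clock() <= rec["expires_at"]):
                rec["approved_by"] = username
                return True
        return False

    def token(self, client_id, device_code):
        """Polled by the attacker with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock() > rec["expires_at"]:
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        # Issued to the attacker's client, but bound to the victim's identity.
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "scope": rec["scope"], "sub": rec["approved_by"]}


def run_phish(server, clock, victim_acts_at=None, victim="victim@example.com"):
    """Attacker side: start the flow, send the lure, poll until a token or a terminal error.
    victim_acts_at: seconds after the lure at which the victim enters the code (None = never)."""
    client_id = "placeholder-client-id"  # placeholder; a real campaign picks a specific client
    start = server.device_authorization(client_id, "openid offline_access")
    lure = (f"Your session has expired. Visit {start['verification_uri']} and enter code "
            f"{start['user_code']} to keep access.")
    t0, acted = clock(), False
    for polls in range(1, 400):
        if victim_acts_at is not None and not acted and clock() - t0 >= victim_acts_at:
            server.user_enters_code(start["user_code"], victim)
            acted = True
        resp = server.token(client_id, start["device_code"])
        if "access_token" in resp or resp["error"] != "authorization_pending":
            return {"response": resp, "polls": polls, "lure": lure}
        clock.advance(start["interval"])  # honour the server's polling interval
    return {"response": {"error": "gave_up"}, "polls": polls, "lure": lure}


if __name__ == "__main__":
    clk = FakeClock()
    print(run_phish(DeviceCodeAuthServer(clk), clk, victim_acts_at=120)["response"])
```

Two things a buyer should take from the simulation: the lure never contains a malicious link or attachment (the verification URL is the IdP's own), which is why mail gateways rarely stop it, and the window is bounded by the code lifetime, which is why the tester will talk about timing the lure rather than about payloads.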

Question 3: What’s Your C2 of Choice?

Average Answer:

We use Cobalt Strike, Meterpreter, and Covenant! Sometimes we only need reverse shells!

Best Answer:

We use renditions of Cobalt Strike that fully operationalize its different kits and user-defined reflective loaders (UDRLs). Other C2 frameworks like Havoc and Mythic are also in use, but we use custom solutions when possible.

If they're using Meterpreter and Covenant, they might actually just be a low-skilled threat actor in disguise. Otherwise, make sure they show some sort of creativity. Countless resources are available nowadays for C2 development, and C2 frameworks themselves aren't in short supply whatsoever. Honestly, this is one of the most entertaining parts of offensive security, so make sure they get at least a little excited talking about it!

Question 4: What Type of Internal Attack Paths Are You Going to Look For?

Average Answer:

Once inside, we will sort of do what we did externally! We will scan for open ports and look for exploits! Also, we will run BloodHound and look for the short path to domain admin!

Best Answer:

Some things we do inside will be the same, like looking for internal web servers. We will enumerate for specific flaws in ADCS (certificate template and CA misconfigurations) and SCCM (over-privileged accounts and client-push settings), as well as credentials sitting in file shares. Active Directory objects will be collected with tools like BloodHound, and we run custom queries on top of the built-in ones to make sure we find all possible paths, not just the shortest one.

You'll be able to tell immediately whether the testers have been doing recently relevant work if they mention SCCM or ADCS. Make sure the tools they mention AREN'T vulnerability scanners (Nessus, etc.). There is no way I'd let you pay for a red team or pentest where they get inside and run Nessus.
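Why "all paths" matters more than "the shortest path" is easiest to see on a toy graph. The block below is an added example, not the article's code and not a BloodHound query: it builds a small, constructed attack graph (hypothetical principals in a made-up `corp.local` domain; edge names are my own simplified labels, not BloodHound's) and enumerates every path from a low-privilege user to Domain Admins, then shows what is left after fixing only the shortest one.

```python
"""All attack paths vs. the shortest one, on a constructed AD-style graph.

Added example, not from the article. Node and edge names are hypothetical;
the edge labels are simplified stand-ins for the relationships a BloodHound
collection would record.
"""
from collections import defaultdict

# Constructed sample graph: (source, relationship, target)
EDGES = [
    ("jdoe@corp.local", "MemberOf", "Domain Users@corp.local"),
    ("jdoe@corp.local", "MemberOf", "Helpdesk@corp.local"),
    # Classic path: helpdesk admin rights on a workstation where a DA has a session.
    ("Helpdesk@corp.local", "AdminTo", "WS01.corp.local"),
    ("WS01.corp.local", "HasSession", "da_admin@corp.local"),
    ("da_admin@corp.local", "MemberOf", "Domain Admins@corp.local"),
    # ADCS path: every domain user can enrol in a template that lets the
    # requester pick the subject (ESC1-style), i.e. mint a cert for any account.
    ("Domain Users@corp.local", "Enroll", "WebServerESC1@corp.local"),
    ("WebServerESC1@corp.local", "ESC1ImpersonateAny", "Domain Admins@corp.local"),
    # File share path: a readable unattend.xml leaks an SCCM service account.
    ("jdoe@corp.local", "CanReadFile", "\\\\FS01\\IT$\\unattend.xml"),
    ("\\\\FS01\\IT$\\unattend.xml", "ContainsCredential", "svc_sccm@corp.local"),
    ("svc_sccm@corp.local", "AdminTo", "SCCM01.corp.local"),
    ("SCCM01.corp.local", "HasSession", "da_admin@corp.local"),
]

START, TARGET = "jdoe@corp.local", "Domain Admins@corp.local"


def build(edges):
    """Adjacency list: node -> [(relationship, next_node), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def all_paths(graph, src, dst, max_hops=8):
    """Depth-first enumeration of every simple path from src to dst (bounded by max_hops)."""
    found = []

    def walk(node, path, seen):
        if node == dst:
            found.append(list(path))
            return
        if len(path) >= max_hops:
            return
        for rel, nxt in graph[node]:
            if nxt in seen:
                continue  # simple paths only: no revisiting a node
            path.append((node, rel, nxt))
            seen.add(nxt)
            walk(nxt, path, seen)
            path.pop()
            seen.discard(nxt)

    walk(src, [], {src})
    return found


def shortest_path(graph, src, dst):
    """What a 'shortest path to DA' query would hand back."""
    paths = all_paths(graph, src, dst)
    return min(paths, key=len) if paths else None


def without(edges, relationship):
    """Model a remediation by dropping every edge of one relationship type."""
    return [e for e in edges if e[1] != relationship]


def render(path):
    return " -> ".join(f"{s} -[{r}]->" for s, r, _ in path) + f" {path[-1][2]}"


if __name__ == "__main__":
    g = build(EDGES)
    for p in all_paths(g, START, TARGET):
        print(f"{len(p)} hops: {render(p)}")
    fixed = build(without(EDGES, "ESC1ImpersonateAny"))  # fix only the shortest path
    print("paths left after fixing ESC1:", len(all_paths(fixed, START, TARGET)))
```

Run it and the shortest route is the ADCS one; fix that template and two routes to Domain Admins still exist, one of them starting from a file on a share that no vulnerability scanner would ever rate. That is the substance behind "custom queries": the default shortest-path view tells you where to start, not when you are done.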

Question 5: How Do You Convey Risk In Your Report?

Average Answer:

We categorize our findings based on our risk matrix.

Best Answer:

We take your own risk matrix into account and combine it with ours. Taking a realistic look at the impact against your environment as it actually is allows us to rate each finding appropriately.

There are plenty of things that can be found on an engagement that might be "High" on paper but are a "Low" in reality within your environment (and the reverse: a "Medium" sitting on the system that holds your crown jewels deserves more attention than its paper score suggests). Be collaborative and share a risk matrix or something similar with your testers!
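The standard way to write "High on paper, Low in your environment" down so that both sides can argue about it is the environmental metric group of CVSS v3.1, which lets the client's security requirements and the real exposure of the affected asset re-score a finding. The block below is an added example, not from the article: it implements the public CVSS v3.1 base and environmental formulas, and the finding and environment it scores are constructed.

```python
"""Re-rating a finding against the client's environment with CVSS v3.1.

Added example, not from the article. Weights and formulas are those of the
public CVSS v3.1 specification; the vector and environment are constructed.
"""
import math

WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},          # C, I, A impact
    "REQ": {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0},  # CR, IR, AR security requirements
}


def pr_weight(pr, scope):
    """Privileges Required weighs more when the scope changes."""
    changed = scope == "C"
    return {"N": 0.85, "L": 0.68 if changed else 0.62, "H": 0.50 if changed else 0.27}[pr]


def roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, with the spec's float fix."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse(vector):
    parts = vector.split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError("expected a CVSS:3.1 vector string")
    return dict(part.split(":", 1) for part in parts[1:])


def _score(av, ac, pr, ui, scope, c, i, a, cr="X", ir="X", ar="X", environmental=False):
    w = WEIGHTS
    iss = 1 - ((1 - w["CIA"][c] * w["REQ"][cr]) * (1 - w["CIA"][i] * w["REQ"][ir])
               * (1 - w["CIA"][a] * w["REQ"][ar]))
    if environmental:
        iss = min(iss, 0.915)  # modified impact sub-score is capped
    if scope == "U":
        impact = 6.42 * iss
    elif environmental:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * w["AV"][av] * w["AC"][ac] * pr_weight(pr, scope) * w["UI"][ui]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if scope == "C" else total, 10))


def base_score(m):
    """The tester's 'on paper' score."""
    return _score(m["AV"], m["AC"], m["PR"], m["UI"], m["S"], m["C"], m["I"], m["A"])


def environmental_score(m):
    """The same finding scored with the client's modified metrics and requirements."""
    def mod(key):  # M* metric of "X" (or absent) means "same as the base metric"
        v = m.get("M" + key, "X")
        return m[key] if v == "X" else v
    return _score(mod("AV"), mod("AC"), mod("PR"), mod("UI"), mod("S"),
                  mod("C"), mod("I"), mod("A"),
                  m.get("CR", "X"), m.get("IR", "X"), m.get("AR", "X"), environmental=True)


def severity(score):
    if score == 0:
        return "None"
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High" if score < 9.0 else "Critical"


def rate_finding(vector):
    m = parse(vector)
    b, e = base_score(m), environmental_score(m)
    return {"base": b, "base_severity": severity(b),
            "environmental": e, "environmental_severity": severity(e)}


# Constructed finding: unauthenticated RCE in an appliance, 9.8 on paper. In this client's
# environment the service is reachable only by a local user on the box (MAV:L) and the host
# carries nothing sensitive (CR/IR/AR:L), so the tester and client agree on a Medium.
FINDING = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAV:L/CR:L/IR:L/AR:L"

if __name__ == "__main__":
    print(rate_finding(FINDING))
```

The useful part of the exercise is not the arithmetic but the inputs: the client has to state how reachable the asset really is and how much they care about its confidentiality, integrity and availability, which is exactly the conversation the "share your risk matrix" advice is trying to start. Keep both numbers in the report so the reader can see why a 9.8 became a 6.6 rather than just trusting the lower one.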

All in all, there are plenty of things you can ask — these are just the most common we have seen! Get creative, and don’t get tricked! Red team engagements are expensive, so make sure your money is going to the right folks!