Dark Red Team (DaRT)
Mission “Know your Enemy”
The Dark Red Team (DaRT) emulates the actions of known Advanced Persistent Threat (APT) groups with the intention of revealing exploitable weaknesses in defenses. These sophisticated, well-resourced threat actors operate over extended periods of time with specific objectives. While the objectives of known APT groups vary with their motives and affiliations, common objectives include:
- Intellectual Property Theft: APT groups often target organizations to steal valuable intellectual property, trade secrets, research and development data, or proprietary information. This stolen data can provide them with a competitive advantage or be sold to interested parties.
- Espionage and State-Sponsored Activities: Some APT groups are associated with nation-states and engage in cyber espionage to gather intelligence on political, economic, or military targets. Their objectives can include accessing classified information, monitoring diplomatic communications, or disrupting the operations of rival nations.
- Financial Gain: APT groups may target financial institutions, payment processors, or retail organizations to carry out financially motivated attacks. Their objectives can include stealing financial credentials, conducting fraudulent transactions, or compromising systems for monetary gain.
- Disruption or Sabotage: Certain APT groups aim to disrupt the operations of specific organizations, critical infrastructure, or governmental entities. Their objectives can involve causing disruptions, service outages, or sabotaging key systems, potentially with political or ideological motivations.
- Cyber Warfare: APT groups associated with nation-states may engage in cyber warfare, seeking to compromise the infrastructure, communication networks, or military systems of adversaries. Their objectives can include gaining access to military plans, disrupting military operations, or engaging in information warfare.
- Targeted Surveillance and Reconnaissance: APT groups conduct targeted surveillance to gather information on specific individuals, organizations, or government entities. Their objectives can include monitoring communication channels, tracking individuals, or mapping out organizational structures for future exploitation.
- Influence Operations: APT groups may engage in influence operations to shape public opinion, spread disinformation, or conduct social engineering campaigns. Their objectives can involve manipulating public sentiment, swaying elections, or undermining trust in institutions.
The objectives of APT groups evolve over time, and a group may pursue several of them at once. These groups employ sophisticated techniques, including social engineering, zero-day exploits, and long-term persistence, to achieve their goals while remaining undetected for extended periods.
Organizations must stay vigilant, adopt robust security measures, and actively monitor for signs of APT activity to mitigate the risks posed by these persistent and determined threat actors. SOC 288 provides the services to defend organizations against APT-style attacks. The DaRT acts as an APT group attempting to locate exploitable weaknesses in SOC 288's defenses. This constant feedback loop between the SOC and the DaRT creates an ever-evolving and improving defensive posture.
DaRT Actions
An engagement with a target moves through many phases. If a target is lightly defended, only a few of them will be necessary. Organizations that take security more seriously and are willing to invest time, training, and resources in their blue team will require more work.
- Recon (gather priority intelligence requirements)
- Mission Support (logistics and infrastructure)
- Initial Access (aka Foothold)
- DaRT DZ (like an Airborne Dropzone, vulnerable to early SOC actions)
- Patrol Base (gain persistence)
- Establish commo (Command and Control)
- Lay of the Land (Where am I, what’s around me?)
- Sneakin’ and Peekin’ (looking for more creds)
- Tiptoe thru the minefield (SOC evasion)
- Door to Door (lateral movement thru the neighborhood)
- Gain the high ground (privilege escalation)
- Eyes on the prize (target located)
- Going Loud!! (expend all ammunition, burn everything in place, exfil)
- Get to the chopper! (exfiltration with the target)
Recon Checklist
- Archives
- Business records
  - Layoffs – WARN Tracker
- Fire
- Imagery
  - Ground based
  - Metadata
  - Satellite
- IP Addresses
  - Geolocation
  - Reputation
- License plates
- Maps
- People
  - Background check
  - Credit checks
- Phone numbers
- Public records
- Radio Frequencies for SDRs
  - Nelson County = https://www.radioreference.com/db/browse/ctid/1078
  - Direction Finding via war driving with Kraken SDR
- Satellites
- Search engines
- Social networks
- Shipping trackers
- Transportation records
  - Air traffic
    - ADSB Exchange
    - FlightRadar24
    - NOTAMs (NOTice to Air Missions)
    - TFRs (Temporary Flight Restrictions)
  - Marine records
  - Railway records
  - Satellite records
  - Vehicle records
- VPN exit nodes
- Web Reputation
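The Imagery / Metadata item on the checklist is the one entry concrete enough to show in code. What follows is an added example, not code from the DaRT page: it walks a JPEG's APP1/Exif segment to the GPS IFD and converts the degrees/minutes/seconds rationals into decimal coordinates, the first thing a recon operator pulls from a leaked photo. `exif_gps` and `build_sample_jpeg` are names chosen here; the JPEG the builder emits is a constructed fixture (SOI, one Exif segment with only a GPS IFD, EOI), not a real photograph, and it exists only so the parser can be exercised offline.

```python
"""Pull GPS coordinates out of a JPEG's EXIF block (image-metadata recon).
Added example, standard library only; the sample JPEG is constructed, not a real photo."""
import struct

GPS_IFD_TAG = 0x8825                           # IFD0 tag holding the GPS IFD offset
GPS_TAGS = {1: "lat_ref", 2: "lat", 3: "lon_ref", 4: "lon"}
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # bytes per TIFF type


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, 4 raw value-or-offset bytes)} for one IFD."""
    (n,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _value_bytes(tiff, entry, endian):
    """Values of 4 bytes or less are stored inline; longer ones sit at an offset."""
    typ, count, raw = entry
    size = TYPE_SIZES[typ] * count
    if size <= 4:
        return raw[:size]
    (off,) = struct.unpack(endian + "I", raw)
    return tiff[off:off + size]


def _rationals(data, count, endian):
    """Decode `count` unsigned RATIONALs (numerator/denominator pairs)."""
    v = struct.unpack(endian + "II" * count, data)
    return [v[i] / v[i + 1] if v[i + 1] else 0.0 for i in range(0, 2 * count, 2)]


def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None if there is no usable GPS IFD."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    tiff, pos = None, 2
    while pos + 4 <= len(jpeg):                # walk segments until APP1/Exif or image data
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + length]
            break
        if marker in (0xFFDA, 0xFFD9):         # start of scan / end of image: no EXIF
            break
        pos += 2 + length
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    endian = "<" if tiff[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    if GPS_IFD_TAG not in ifd0:
        return None
    (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_TAG][2])
    gps = _read_ifd(tiff, gps_off, endian)
    fields = {}
    for tag, name in GPS_TAGS.items():
        if tag not in gps:
            return None
        typ, count, _ = gps[tag]
        data = _value_bytes(tiff, gps[tag], endian)
        if typ == 2:                           # ASCII hemisphere: "N"/"S" or "E"/"W"
            fields[name] = data.rstrip(b"\x00").decode("ascii")
        else:                                  # three RATIONALs: degrees, minutes, seconds
            d, m, s = _rationals(data, count, endian)
            fields[name] = d + m / 60 + s / 3600
    lat = -fields["lat"] if fields["lat_ref"] == "S" else fields["lat"]
    lon = -fields["lon"] if fields["lon_ref"] == "W" else fields["lon"]
    return round(lat, 6), round(lon, 6)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref, endian="<"):
    """Constructed fixture: SOI + APP1/Exif carrying only a GPS IFD + EOI (not a real photo)."""
    ifd0_off = 8                                # TIFF header is 8 bytes
    gps_off = ifd0_off + 2 + 12 + 4             # IFD0: count, one entry, next-IFD link
    data_off = gps_off + 2 + 4 * 12 + 4         # GPS IFD: count, four entries, link

    def entry(tag, typ, count, value):
        return struct.pack(endian + "HHI", tag, typ, count) + value.ljust(4, b"\x00")

    def rat(pairs):
        return b"".join(struct.pack(endian + "II", n, d) for n, d in pairs)

    lat_bytes, lon_bytes = rat(lat_dms), rat(lon_dms)
    ifd0 = (struct.pack(endian + "H", 1)
            + entry(GPS_IFD_TAG, 4, 1, struct.pack(endian + "I", gps_off)) + b"\x00" * 4)
    gps = (struct.pack(endian + "H", 4)
           + entry(1, 2, 2, lat_ref.encode() + b"\x00")
           + entry(2, 5, 3, struct.pack(endian + "I", data_off))
           + entry(3, 2, 2, lon_ref.encode() + b"\x00")
           + entry(4, 5, 3, struct.pack(endian + "I", data_off + len(lat_bytes)))
           + b"\x00" * 4)
    tiff = ((b"II" if endian == "<" else b"MM") + struct.pack(endian + "H", 42)
            + struct.pack(endian + "I", ifd0_off) + ifd0 + gps + lat_bytes + lon_bytes)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run it on a real file with `exif_gps(open(path, "rb").read())`. Most social networks strip EXIF on upload, so the payoff comes from originals found in archives, shared drives or attached to business records; the same IFD walker reaches the Exif sub-IFD (tag 0x8769) for camera model and capture time if you want to tie the photo to a device or a date.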