Assessments

Chapter 1

  1. There is a wide range of objectives and goals for establishing a red team program. The following are some common ones:

    1. Improve the performance of the blue team to successfully detect and recover from a breach.

    2. Identify security and organizational deficiencies across the organization.

    3. Improve security awareness and its culture across the organization.

    4. Practice the remediation and eviction capabilities of the organization by emulating a real system compromise.

    5. Help to further improve the understanding of offensive security across the organization and industry.

  2. An internal red team program can provide a variety of services to the organization, including, but not limited to, the following:

    1. Perform penetration testing and traditional application-level security assessments.

    2. Perform source code audits and code reviews.

    3. Perform offensive security operations, including end-to-end breach emulations.

    4. Develop a security training program and educate engineers and others in the organization to improve their understanding of attacks and defenses.

    5. Perform theoretical tabletop exercises.

    Although in this book we focus on red teaming in the context of cybersecurity, the concept of red teaming goes beyond this and includes challenging the organization's processes as well.

  3. Rules of Engagement define the core operational guidelines that red teamers must agree to follow when performing operations. The rules include clear boundaries and limitations that are established together with the legal department and the other appropriate stakeholders of an organization. Rules of Engagement are also there to enable a red team program to operate, because company policy and employment handbooks typically highlight hacking as a reason for employment termination. This means an important part of the rules is to protect the red teamer.
  4. There is a wide array of adversaries, and which of them focus on your organization depends on the organization's business. Common adversaries include script kiddies, hacktivists, criminals, espionage actors, and nation states.

Chapter 2

  1. Homefield advantage is the benefit that the internal security team has compared to an adversary. Realizing and successfully leveraging that advantage allows us to be one step ahead of an adversary. Internal red and blue teams can practice on the homefield to improve their capabilities of quickly and effectively detecting, responding to, and remediating an attack. Part of a homefield advantage strategy includes close collaboration between all stakeholders to ensure findings are shared and remediated quickly, as well as shared with others in the organization via training to help raise security awareness and understanding of attacks across the board.
  2. STRIDE is a threat classification framework developed by Microsoft. It models threats via the following categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
  3. The normalization of deviance highlights the slow but steady process within an organization where slight but continuous deviations from acceptable practices occur over a long period of time without negative consequences. The current state is seen as acceptable. However, a more objective outsider would strongly disagree with the internal deviation and justification for the deviation that occurred. This concept is frequently highlighted when seemingly preventable and terrifying incidents occur and the internal deviation becomes public.
  4. There are multiple management behaviors that prevent the formation of effective teams, some of which are as follows:

    1. Asking the team to deliver poor quality work due to time pressure or other resource constraints.

    2. Bureaucracy.

    3. Publicly critiquing an individual or an entire team. Good advice is to praise in public and provide constructive feedback in private.

    4. Defensive management.

To learn more about such Teamicide tactics, I recommend the book Peopleware by Tom DeMarco.

Chapter 3

  1. The most useful fields will enable better insights into common vulnerabilities and exploitation patterns, as well as support reporting and communicating findings with other stakeholders. The following are some useful metadata fields for findings:

    1. Security Cause (CWE, CAPEC, and the MITRE ATT&CK tactic and technique)

    2. Category, as per STRIDE

    3. Security Severity (such as Critical, High, Medium, and Low)

    4. CVSS Scoring and CVSS Vector

    5. Asset Owner or Team

  2. Qualitative measures are derived via a subjective insight as part of an expert opinion. They typically use an ordinal scoring system that cannot be leveraged easily using math. Quantitative measures are based on numbers, probabilities, and calculations that are done through mathematics. Cybersecurity today typically operates based upon qualitative measurements and ordinal scales, which is not ideal.
  3. There are multiple tools and techniques that can be used to visualize attack graphs. For presentations and education, creating and building out a graph step by step using something such as PowerPoint can be very effective. This allows us to tell the story of an attack step by step. For operations and effectiveness, storing knowledge about all the assets and relationships in graph databases helps to analyze the organization at scale.
  4. There is a wide array of metrics the red team can track and use to communicate with the blue team and other stakeholders, such as the following:

    1. Number of accounts the red team has valid credentials for

    2. Number of zombies the red team controls

    3. Current computational power (based on a cryptocurrency hash rate)

    4. Number of days or hours since the last blue team detection

    5. Red team techniques used as per MITRE ATT&CK versus number of automated detections triggered

Chapter 4

  1. The motivated-intruder test refers to the threat of someone attempting to reidentify an individual by combining a variety of anonymized datasets. In this book, we freely refer to any kind of insider threat related to the privacy of customer data as a Motivated Intruder.
  2. Tabletop exercises can be performed to simulate attack scenarios that are difficult or challenging to do during real-world cyberoperation red teaming.
  3. Cryptocurrency mining is a technique that's used to measure the persistence, strength, and computational power the red team has acquired.

Chapter 5

  1. The core types of objects that exist in graph databases are Vertices, Edges, Properties, and Labels.
  2. Apache TinkerPop, TinkerGraph, Neo4j, OrientDB, Amazon Neptune, and Redis Graph.
  3. The names of the popular query languages are Cypher and Gremlin.
  4. The command to create a node and assign a property named hostname to it in Neo4j's query language is CREATE (c:Computer { hostname: "SATURN" } ).

Chapter 6

  1. Identity and Access Management.
  2. The AWS client utility stores credentials in the user's home folder, inside ~/.aws/credentials on Linux and macOS and $env:USERPROFILE\.aws\credentials (%USERPROFILE%\.aws\credentials) on Windows, respectively.
  3. APOC is a plugin package for Neo4j. Like stored procedures in relational databases, it contains useful helper utilities, such as enabling JSON imports.
  4. MATCH is the Cypher command for selecting nodes and relationships from the graph database.
  5. Active Directory, port scanning results, vulnerability scan results, cloud asset inventory (AWS, Azure, GCP, and so on), social media accounts (Twitter, Facebook pages), IT asset management information, vulnerability information, CVE, and so forth.
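The CREATE and MATCH answers above (Chapter 5, answer 4, and Chapter 6, answer 4) in a small worked asset graph. This is an added example, not code from the book: the labels, relationship types, property names, and the CVE id are constructed placeholders for illustration.

```cypher
// Added example, not from the book. Labels, relationship types, property
// names and sample values are constructed; "CVE-0000-0000" is a placeholder.
// Build a few assets, an owning team, and one vulnerability finding.
CREATE (saturn:Computer { hostname: "SATURN", os: "Windows Server" }),
       (titan:Computer { hostname: "TITAN", os: "Ubuntu" }),
       (payments:Team { name: "Payments Engineering" }),
       (cve:Vulnerability { id: "CVE-0000-0000", severity: "Critical" }),
       (saturn)-[:OWNED_BY]->(payments),
       (titan)-[:OWNED_BY]->(payments),
       (saturn)-[:HAS_VULNERABILITY { source: "vulnerability scan import" }]->(cve);

// When importing the same host from a second data source (for example an
// IT asset inventory), MERGE avoids creating a duplicate Computer node.
MERGE (c:Computer { hostname: "SATURN" })
SET c.asset_tag = "INV-0001";

// Which hosts carry a Critical vulnerability, and which team owns them?
// This is the query a report to the asset owner would be built from.
MATCH (c:Computer)-[:HAS_VULNERABILITY]->(v:Vulnerability { severity: "Critical" }),
      (c)-[:OWNED_BY]->(t:Team)
RETURN c.hostname, v.id, t.name
ORDER BY c.hostname;

// Coverage check: hosts per team that have no vulnerability findings at all,
// which usually means the scanner never reached them rather than that they are clean.
MATCH (c:Computer)-[:OWNED_BY]->(t:Team)
WHERE NOT (c)-[:HAS_VULNERABILITY]->()
RETURN t.name, count(c) AS hosts_without_findings;
```

Run the statements in order in the Neo4j Browser or cypher-shell; the first MATCH returns SATURN with the placeholder CVE and its owning team, and the coverage check returns one host (TITAN) for Payments Engineering.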

Chapter 7

  1. The Select-String (or sls) PowerShell command can be used to find strings in text.
  2. The grep -v command-line option inverts the match, returning the lines that do not match the pattern.
  3. Yes. A Windows Search index can be queried remotely if file sharing is enabled. To do so, specify the scope parameter in the SQL query.
  4. The name of the command-line tool to query Spotlight on macOS is mdfind.

Chapter 8

  1. There are multiple ways an adversary might try to gain access to cookies, including, but not limited to, the following:

    1. Using Chrome's remote debugging capabilities

    2. Debugging the process memory of a process

    3. Accessing the cookies on the hard drive directly

    4. Using the tracing features of an operating system

  2. The name of the go-to debugger on macOS is LLDB.
  3. The osascript Apple utility can be used on macOS to run automated scripts.
  4. Rootless on macOS refers to the security enhancements that prevent even the superuser (root) from modifying or tampering with critical operating system resources. This is often referred to as System Integrity Protection.

Chapter 9

  1. The New-Object command is used to instantiate COM objects with PowerShell.
  2. The name of a common automation framework for web browsers is Selenium WebDriver.
  3. Probably somewhere between 5-20 views!
  4. Zone.Identifier is an Alternate data stream.

Chapter 10

  1. A simple command-line utility on Linux to configure the firewall is ufw (of course, iptables would also be correct).
  2. netsh and PowerShell commands such as the New-NetFirewallRule command.
  3. Ctrl + B then C is the default keyboard binding.
  4. On Unix-based systems, the PS1 environment variable controls the default shell prompt.

Chapter 11

  1. The Windows Security Event ID for a failed logon is 4625.
  2. The command-line utility on Windows to schedule tasks is schtasks.exe.
  3. The auditd notifications can be extended on Linux by using custom auditd plugins.
  4. A few shell alternatives to bash for Unix-based systems are zsh, fish, and pwsh (PowerShell).

Chapter 12

  1. Yes, osquery can be used to perform file access monitoring.
  2. The query to list the bash history in the interactive osquery tool is: select * from shell_history;.
  3. Processes such as osqueryd, auditd, falcond, auditbeat, and filebeat.
  4. It's a reference to the Elastic Stack, previously referred to as Elasticsearch, Logstash, and Kibana.