Tasked with unique testing objectives, expert testers start an engagement like any real-world attacker would, by gathering the information they need to meet their goal.
In this video, Mike Kelly, Principal Consultant in the Secureworks Adversary Group, walks through the steps the Red Team took to test a client's enterprise-wide physical security. When the team found a previously undisclosed vulnerability, the result benefited not only the client but everyone using the product, since the vendor was able to work on a fix after notification by our testers.
We had a client come to us with a pretty unique request in that they wanted to see what kind of attacks would be possible against their enterprise-wide physical security. So not just any one building, but all their buildings at once. We started this engagement like any attacker would, with our goals of figuring out the people and the products that they're using to control their physical security. We ended up finding a testimonial from the integrator who recently installed all of their physical security devices at their new data center. This testimonial included specific makes and models of the devices they were using, particularly their door controllers. So with that information, we were able to go find one of those devices online. We purchased it and spent about a week reverse engineering it, looking for vulnerabilities that we could leverage to gain physical access. We eventually landed on a remote vulnerability that would allow us to control the full door's functionality. So we could open and close the door whenever we wanted.
Additionally, we could implant our own credentials, like an RFID badge or something like that, to effectively create a back door, so that we could show up with a badge that we've created and gain access to that door. So with that vulnerability, in order to execute that, we needed to have network connectivity to their door controllers. As they are a TV service provider, one of the things that they have is a set-top box that they deliver to all of their customers so their customers can receive the service. We found one of those online as well. We spent about another week reverse engineering it. We found a hardware-level vulnerability that allowed us to acquire the entire system's firmware. Within that firmware, we found some hard-coded credentials that the set-top box used to communicate to our client's back end systems. So with those credentials, we were able to gain access into their network, begin enumerating all their door controllers, and eventually execute our exploit to add our own credentials, effectively giving us access to every door in their enterprise. Completely undetectable: the software doesn't alarm on these, and there's really not a way to detect that. The client was surprised. I don't think that they imagined that we'd be presenting them with undisclosed vulnerabilities that have never been found before, at least publicly. We did disclose it to the vendor. The vendor worked on a fix. And so now one of the results is that everybody who uses that product is now more secure, not just the client.
The old approaches to cybersecurity are no longer adequate. It’s time for something new. Layered defenses can create almost as many problems as they solve, and security teams struggle to keep up with the threat. What you need is context across all your layers of defense with the right people, processes, and technology working together in concert. That’s how Secureworks can help. Using 20+ years of industry knowledge, advanced analytics, industry-leading threat intelligence, and the network effect of more than 4,000 customer environments, we provide world-class cybersecurity solutions to customers around the globe. This unmatched experience empowers our customers to be Collectively Smarter. Exponentially Safer.™
Our Managed Detection and Response (MDR) solution is comprehensive, powered by our cloud-native software Red Cloak™ Threat Detection and Response that uses AI and machine learning to deliver better outcomes for your security operations. MDR unifies telemetry from your existing security technology to maximize visibility, reduce complexity, and enable you to move at the speed of the threat. Learn more about how Managed Detection and Response uses contextualized visibility to improve your organization’s security posture.