Sample Assessment Report
Redacted for confidentiality
Red Teaming
Adversarial Simulation & Red Team Operations
Client: Confidential Client — Tier 1 Financial Institution
Scope: Full organisation — internet-facing infrastructure, social engineering (phishing + vishing), physical access attempts (2 offices), internal network post-compromise, Active Directory environment, cloud estate (AWS)
Duration: 30 business days
Framework: MITRE ATT&CK Enterprise v14
Executive Summary
UnlockSec conducted a 30-day intelligence-led red team operation simulating an advanced persistent threat (APT) actor targeting the organisation's core banking systems. The red team achieved initial access via a targeted spear-phishing campaign, escalated to Domain Admin within 11 days, accessed the SWIFT transaction system, and exfiltrated a simulated dataset equivalent to 2 years of transaction records — all without detection by the internal security team or SOC.
Methodology
Sample Findings
Initial Access — Spear-Phishing with Credential Harvesting
Description
A targeted spear-phishing campaign built on LinkedIn reconnaissance captured credentials from 3 employees (12% of those targeted). The lure led to a convincing Microsoft 365 login page with organisation-specific branding. MFA was enforced but did not stop the attack: the page was an adversary-in-the-middle (AiTM) proxy that relayed the password and MFA exchange to the genuine login service in real time and captured the resulting authenticated session cookie, which the red team then replayed from its own infrastructure.
Recommendation
Deploy phishing-resistant MFA (FIDO2 hardware keys or passkeys) for all privileged and remote-access users; these bind the authentication to the genuine origin, so a proxy on a look-alike domain cannot relay it, whereas a one-time code or push approval can be relayed unchanged. Pair this with conditional-access policies that require a managed, compliant device, which reduces the value of a replayed session cookie, and with anti-phishing browser protections. Conduct quarterly phishing simulations with tailored, role-specific lures.
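The following added example (written for this page, not code from the original report or the client) models why the AiTM proxy in this finding defeats a one-time code but not a FIDO2 assertion. The relying-party ID, origins, challenge, credential key and TOTP value are all constructed, and HMAC-SHA256 stands in for the ES256 signature so the example runs without a crypto library; the origin and rpIdHash checks are the part that matters.

```python
import hashlib
import hmac
import json

# Hypothetical relying party (the genuine login service) and the credential
# it registered. All values are constructed for the example.
LEGIT_RPID = "login.microsoftonline.com"
ALLOWED_ORIGINS = {"https://" + LEGIT_RPID}
CREDENTIAL_KEY = b"constructed-demo-key-not-a-real-credential"
CHALLENGE = "c2VydmVyLWNoYWxsZW5nZQ"     # constructed server challenge
ENROLLED_TOTP = "492817"                 # constructed, for the TOTP contrast


def browser_webauthn_get(origin: str, rp_id: str, challenge: str):
    """Models the victim's browser + authenticator on the page that asked for
    an assertion. The browser, not the page, fills in `origin`, and it refuses
    an rpId that is not the origin's host or a parent domain of it."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId is not valid for this origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return client_data, auth_data, signature


def rp_verify_assertion(client_data: bytes, auth_data: bytes,
                        signature: bytes, challenge: str) -> bool:
    """Relying-party side: the checks that make FIDO2 phishing-resistant."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") not in ALLOWED_ORIGINS:                  # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(LEGIT_RPID.encode()).digest():
        return False                                             # rpIdHash binding
    expected = hmac.new(CREDENTIAL_KEY,
                        auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)


def rp_verify_totp(code: str) -> bool:
    """A relayed one-time code carries nothing that ties it to where it was typed."""
    return hmac.compare_digest(code, ENROLLED_TOTP)


def legitimate_login() -> bool:
    cd, ad, sig = browser_webauthn_get("https://" + LEGIT_RPID, LEGIT_RPID, CHALLENGE)
    return rp_verify_assertion(cd, ad, sig, CHALLENGE)


def aitm_relay(phish_origin: str, rp_id_requested: str) -> str:
    """The AiTM proxy forwards the genuine service's challenge to the victim on
    the look-alike domain and relays whatever the browser returns."""
    try:
        cd, ad, sig = browser_webauthn_get(phish_origin, rp_id_requested, CHALLENGE)
    except PermissionError:
        return "browser_refused"
    return "accepted" if rp_verify_assertion(cd, ad, sig, CHALLENGE) else "rp_rejected"


def aitm_relay_totp(code_typed_by_victim: str) -> str:
    return "accepted" if rp_verify_totp(code_typed_by_victim) else "rp_rejected"


if __name__ == "__main__":
    phish = "https://login-microsoftonline.example"   # constructed look-alike domain
    print("legitimate login      :", legitimate_login())
    print("AiTM, asks real rpId  :", aitm_relay(phish, LEGIT_RPID))
    print("AiTM, asks own rpId   :", aitm_relay(phish, "login-microsoftonline.example"))
    print("AiTM, relayed TOTP    :", aitm_relay_totp(ENROLLED_TOTP))
```

The proxy loses either way with FIDO2: if it asks the victim's browser for the genuine rpId, the browser refuses because the look-alike host is not under that domain; if it asks for its own domain, the signed clientDataJSON carries the look-alike origin and the rpIdHash does not match, so the relying party rejects it. The relayed TOTP code is accepted because nothing in it identifies the page it was typed into.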
Privilege Escalation — Domain Admin in 11 Days
Description
From the initial foothold on a workstation, the red team reached Domain Administrator through a four-step chain: Kerberoasting a service account (requesting a service ticket for its SPN) → cracking that ticket offline, which was practical because it was RC4-encrypted and therefore keyed directly from the account's NT hash → pivoting with the recovered account to a server configured for unconstrained delegation, a setting that makes the host cache the TGT of every account that authenticates to it, privileged accounts included → a DCSync attack using the privileged credentials obtained on that host, replicating every credential hash in the domain. The entire escalation path completed without triggering a single EDR or SIEM alert.
Recommendation
Set msDS-SupportedEncryptionTypes to AES only (AES128/AES256) on service accounts and domain-wide so that Kerberos tickets are no longer issued with RC4. Note that this only makes cracking slower; the underlying exposure is a human-chosen password on an SPN-bearing account, so also migrate those accounts to group Managed Service Accounts or to long, random passwords. Identify and remediate all unconstrained delegation configurations (convert to constrained or resource-based delegation; only domain controllers should retain it). Add all privileged accounts to the Protected Users security group, which blocks RC4, NTLM and delegation for its members. Implement a tiered administration model so that Tier 0 credentials are never exposed on workstations or ordinary member servers.
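The following added example (written for this page, not tooling from the original report) checks directory objects for the three conditions this finding turns on: SPN-bearing user accounts that can still receive RC4 tickets, non-DC hosts with unconstrained delegation, and privileged accounts outside Protected Users. The objects are constructed dictionaries in the shape an LDAP query would return; in practice they would come from Get-ADObject or ldapsearch, and the domain DN, account names and flag values are assumptions.

```python
# Bit values of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7)
ETYPE_DES_CBC_CRC = 0x01
ETYPE_DES_CBC_MD5 = 0x02
ETYPE_RC4_HMAC = 0x04
ETYPE_AES128 = 0x08
ETYPE_AES256 = 0x10

# userAccountControl flags (MS-ADTS 2.2.16)
UAC_TRUSTED_FOR_DELEGATION = 0x80000        # unconstrained delegation
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000
UAC_SERVER_TRUST_ACCOUNT = 0x2000           # domain controller

DC_PRIMARY_GROUP_ID = 516                    # Domain Controllers group RID
PROTECTED_USERS_DN = "CN=Protected Users,CN=Users,DC=corp,DC=example"  # assumed domain
DOMAIN_ADMINS_DN = "CN=Domain Admins,CN=Users,DC=corp,DC=example"      # assumed domain


def rc4_permitted(obj) -> bool:
    """Absent or zero means 'not set', and the KDC then falls back to domain
    defaults, which for user accounts have historically included RC4."""
    etypes = obj.get("msDS-SupportedEncryptionTypes") or 0
    return etypes == 0 or bool(etypes & ETYPE_RC4_HMAC)


def audit(objects):
    findings = {"kerberoastable_rc4": [], "unconstrained_delegation": [],
                "privileged_not_protected": []}
    for obj in objects:
        name = obj["sAMAccountName"]
        uac = obj.get("userAccountControl", 0)
        classes = set(obj.get("objectClass", []))
        # Kerberoasting needs an SPN on an account whose key derives from a
        # human-chosen password. Computer accounts and gMSAs (objectClass
        # msDS-GroupManagedServiceAccount, which is also a computer) rotate
        # long random passwords automatically, so they are excluded.
        if (obj.get("servicePrincipalName") and "user" in classes
                and "computer" not in classes
                and "msDS-GroupManagedServiceAccount" not in classes
                and rc4_permitted(obj)):
            findings["kerberoastable_rc4"].append(name)
        # Unconstrained delegation anywhere except a domain controller
        if (uac & UAC_TRUSTED_FOR_DELEGATION
                and obj.get("primaryGroupID") != DC_PRIMARY_GROUP_ID):
            findings["unconstrained_delegation"].append(name)
        # adminCount=1 marks accounts under AdminSDHolder protection (privileged)
        if obj.get("adminCount") == 1 and PROTECTED_USERS_DN not in obj.get("memberOf", []):
            findings["privileged_not_protected"].append(name)
    return findings


# Constructed sample objects (not real directory data)
SAMPLE_OBJECTS = [
    {"sAMAccountName": "svc_sql", "objectClass": ["top", "person", "organizationalPerson", "user"],
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"]},                 # etypes not set
    {"sAMAccountName": "svc_backup", "objectClass": ["top", "person", "organizationalPerson", "user"],
     "servicePrincipalName": ["backup/bk01.corp.example"],
     "msDS-SupportedEncryptionTypes": ETYPE_AES128 | ETYPE_AES256},                 # AES only
    {"sAMAccountName": "gmsa_web$", "objectClass": ["top", "person", "organizationalPerson", "user",
                                                    "computer", "msDS-GroupManagedServiceAccount"],
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "msDS-SupportedEncryptionTypes": ETYPE_RC4_HMAC | ETYPE_AES128 | ETYPE_AES256},
    {"sAMAccountName": "APPSRV01$", "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "servicePrincipalName": ["HOST/appsrv01.corp.example"], "primaryGroupID": 515,
     "userAccountControl": UAC_WORKSTATION_TRUST_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "DC01$", "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "servicePrincipalName": ["HOST/dc01.corp.example"], "primaryGroupID": DC_PRIMARY_GROUP_ID,
     "userAccountControl": UAC_SERVER_TRUST_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "da.admin", "objectClass": ["top", "person", "organizationalPerson", "user"],
     "adminCount": 1, "memberOf": [DOMAIN_ADMINS_DN]},
    {"sAMAccountName": "da.ops", "objectClass": ["top", "person", "organizationalPerson", "user"],
     "adminCount": 1, "memberOf": [DOMAIN_ADMINS_DN, PROTECTED_USERS_DN]},
]

if __name__ == "__main__":
    for category, names in audit(SAMPLE_OBJECTS).items():
        print(f"{category}: {names}")
```

svc_backup is not listed under the RC4 check because its tickets are AES-only, but it still has an SPN and a static password, so it remains Kerberoastable at AES cost; that is why the recommendation above pairs the etype change with gMSAs or long random passwords.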
Mission Success — SWIFT System Access Achieved
Description
Using domain admin credentials, the red team accessed the SWIFT Alliance Access server, authenticated using harvested operator credentials, and simulated the initiation of a high-value international transfer (testing-flagged, not executed). The SWIFT system lacked dedicated Privileged Access Workstations and operator session monitoring.
Recommendation
Restrict SWIFT operator access to dedicated Privileged Access Workstations (PAWs) that are isolated from the general corporate domain, so that Domain Admin on the corporate estate does not translate into SWIFT access. Implement the SWIFT Customer Security Programme (CSP) controls in full, including the mandatory secure-zone segregation controls. Enable out-of-band transaction verification for all high-value transfers. Deploy session recording and monitoring for all operator activity on the SWIFT environment, with alerts on logins from outside the secure zone.
Data Exfiltration — 2 Years of Transaction Records Undetected
Description
A simulated dataset equivalent to 2 years of transaction records (14GB) was staged and exfiltrated over 3 days (roughly 4.7GB per day) via HTTPS to an attacker-controlled cloud storage bucket, with DNS tunnelling used as a secondary channel. No DLP alert, proxy alert, or network detection alert was generated at any point during the exfiltration.
Recommendation
Deploy data loss prevention (DLP) with fingerprinting of financial record formats. Implement strict egress filtering: block uploads to personal and unmanaged cloud storage, and allow-list the sanctioned storage providers. Enable network behaviour analytics to detect volumetric data transfers to a single external destination. Monitor DNS for tunnelling indicators (sustained query volume to one domain, long high-entropy labels, unusual record types such as TXT or NULL) and restrict internal hosts to the corporate resolvers. Configure UEBA rules for after-hours bulk data access.
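The following added example (written for this page, not a detection from the original report or the client's SOC) runs the two detections this recommendation asks for over constructed log lines: a per-client, per-domain DNS tunnelling heuristic (query volume, label length, character entropy) and a per-destination egress volume check against a sanctioned-storage allow-list. The log formats, hostnames, thresholds and the two-label registered-domain shortcut are assumptions; production code would use the public suffix list.

```python
import hashlib
import math
from collections import defaultdict

# Constructed resolver log lines: "<timestamp> <client> <qtype> <qname>"
BENIGN = [
    f"2024-03-02T09:1{i}:00Z 10.20.1.55 A {host}"
    for i, host in enumerate(["login.microsoftonline.com", "www.microsoft.com",
                              "outlook.office.com"])
]
# 25 long hex-labelled TXT queries to one domain: the shape of a DNS tunnel
TUNNEL = [
    f"2024-03-02T02:{i:02d}:07Z 10.20.1.55 TXT "
    f"{hashlib.sha256(str(i).encode()).hexdigest()[:52]}.tun.example"
    for i in range(25)
]
DNS_LOG = BENIGN + TUNNEL

# Constructed proxy log lines: "<timestamp> <client> <destination host> <bytes sent>"
PROXY_LOG = [
    "2024-03-02T02:00:00Z 10.20.1.55 files.attacker-storage.example 5100000000",
    "2024-03-03T02:00:00Z 10.20.1.55 files.attacker-storage.example 4700000000",
    "2024-03-04T02:00:00Z 10.20.1.55 files.attacker-storage.example 4200000000",
    "2024-03-02T10:00:00Z 10.20.1.55 sharepoint.corp-tenant.example 300000000",
]
SANCTIONED_STORAGE = {"sharepoint.corp-tenant.example"}   # assumed allow-list


def shannon_entropy(s: str) -> float:
    """Bits per character; ~4.0 for hex, ~2.5-3.0 for ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Simplification: last two labels. Use the public suffix list in production.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_dns_tunnelling(lines, min_queries=20, min_label_len=30, min_entropy=3.2):
    """Flag (client, domain) pairs whose subdomain labels look like encoded data."""
    stats = defaultdict(lambda: {"n": 0, "labels": []})
    for line in lines:
        _, client, _qtype, qname = line.split()
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname.endswith(dom) and len(qname) > len(dom) else ""
        s = stats[(client, dom)]
        s["n"] += 1
        s["labels"].append(sub.replace(".", ""))
    flagged = []
    for (client, dom), s in stats.items():
        joined = "".join(s["labels"])
        mean_len = len(joined) / s["n"]
        if (s["n"] >= min_queries and mean_len >= min_label_len
                and shannon_entropy(joined) >= min_entropy):
            flagged.append((client, dom))
    return sorted(flagged)


def detect_bulk_egress(lines, threshold_bytes=1_000_000_000):
    """Flag (client, host, bytes) where a non-sanctioned host received >= threshold."""
    totals = defaultdict(int)
    for line in lines:
        _, client, host, sent = line.split()
        totals[(client, host)] += int(sent)
    return sorted((c, h, b) for (c, h), b in totals.items()
                  if b >= threshold_bytes and h not in SANCTIONED_STORAGE)


if __name__ == "__main__":
    print("DNS tunnelling :", detect_dns_tunnelling(DNS_LOG))
    print("Bulk egress    :", detect_bulk_egress(PROXY_LOG))
```

The entropy test is evaluated over all labels to one domain rather than per query, which keeps the statistic stable on short individual names, and the volume check sums per destination across the window so that a transfer spread over three nights, as in this finding, still crosses the threshold.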
* Showing 4 of 35 total findings. Full report provided upon engagement.
Risk Summary
Deliverables Included
- Full red team narrative report (attack timeline, kill chain, evidence)
- MITRE ATT&CK Navigator heatmap of all techniques employed
- Executive briefing deck (board-level, non-technical)
- Detection gap analysis with SOC tuning recommendations
- Purple team debrief workshop (red team + blue team joint session)
- Unlimited retests on all critical findings