An Automated Post-Exploitation Model for Cyber Red Teaming

Abstract

Red teaming is a well-established methodology for ensuring and augmenting cyber system security; however, the training, expertise, and knowledge of appropriate tools and techniques required to perform effective red teaming come with a significant cost in time and resources. Large organizations such as the Department of Defense (DOD) use vulnerability assessment to identify software patches and other remediations for cyber systems to mitigate cyberspace exploitation. If a patch cannot be applied in a timely manner, for instance to minimize network downtime, measuring and identifying the impact of such unpatched vulnerabilities is left to scarce red teaming services. These services typically concentrate on initial access exploitation, which stops short of exploring the larger security impacts of cyber threats performing post-exploitation actions. This gap in post-exploitation red team analysis results in increased susceptibility to adversary offensive cyberspace operations (OCO) against DOD systems. This research extends the Cyber Automated Red Team Tool (CARTT), developed at the Naval Postgraduate School, by implementing automated red team post-exploitation analysis. The intent of this extended capability is to reduce the workload on limited DOD red teams and penetration testers by providing system administrators with the ability to perform deeper system analysis for the impacts of exploited vulnerabilities.