Cybersecurity

‘Stepping Stones’ tool helps red teams log their many moves

Otherwise, attack simulators may have to comb through a pile of notes.
article cover

Peter Cade/Getty Images

3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Sure, being an adversary-emulating red teamer sounds thrilling when you’re hired to phish a CFO and sneakily bypass a company’s security defenses, but nobody ever talks about all the paperwork.

Red teams frequently have to document the many steps of their path inside a company–and then present those notes to blue-team defenders for review. A “Stepping Stones” logging tool from NCC Group, released in June 2024, aims to help organize the infiltration.

“It helps with that retrospective tracking for the blue team, because all of the events are logged at a specific time against a specific machine. So the blue team knows where to go and hunt for any logs that might have been missed,” Stephen Tomkinson, principal security consultant at NCC Group, told IT Brew.

As a member of NCC Group’s Full Spectrum Attack Simulation (FSAS) team, Tomkinson often infiltrates the IT systems of big companies, including those in the financial sector. An exercise may feature a red team phishing their way into one laptop, which then potentially leads to access to additional company systems, or leads to the testers installing the adversary-simulation program Cobalt Strike, which simulates attacker tactics like recon and lateral movement.

The NCC Group tool allows both manual and automated methods for recording events during an attempted intrusion. In a spreadsheet-like dashboard, red teamers log the actions, and the blue teamers see the events.

Manually a red teamer can fill in web forms related to event details like source and target (employee John Doe’s laptop); description (“user enabled macros"); detection (“no trace”); and a labeling of the tactic, according to the MITRE database (“account manipulation”).

Stepping Stones works with PowerShell functionality that logs commands to enable automatic populating of forms. A bot, according to NCC Group’s announcement of the tool, can connect to one’s Cobalt Strike team server and stream activity directly to Stepping Stones.

The NCC team had been using the tool internally before releasing the free, open-source Stepping Stones, available on GitHub currently.

What did the teams use before Stepping Stones? OneNote, according to Tomkinson. Teams would have to rely on the accuracy of individual notetakers, who may have provided details in different formats, he said, or who may have recorded commands without explaining why they were made.

Stepping Stones responds to the logging logjam.

“This kind of forces people to make accurate records, makes that a little bit easier, and provides a way of sharing that in a more real-time sense than having to wait until the end of the job,” Tomkinson said.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.