When you can actionably digest the results of the red team’s findings. If your security program is immature and you don’t do any threat modeling, letting a red team loose throughout your environment will tell you what you already know—that your security program needs work. First take the time to understand your environment, your security controls, and your potential pitfalls. Once that happens, you can start to bring in the attackers and see where you stand.
How do you explain the value of red teaming to a reluctant or nontechnical client or organization?
Reinforce the fact that we are here to help, not break everything and walk away. This goes back to the natural adversarial stance between the two. We are here to emulate your worst-case scenarios in a controlled fashion, and afterward we will be here to help every step of the way. Too often people see red teamers as those who create more work or leave a bigger headache once the engagement is done, and are reluctant to perform red teaming.
What is the least bang-for-your-buck security control that you see implemented?
Yeah. Definitely antivirus.
Have you ever recommended not doing a red team engagement?
Absolutely. I’ve gotten requests to have a red team engagement on X environment to demonstrate impact or “see how secure it is.” There have been several times when doing an “offensive” architecture review or a review of the security controls in place may be more effective. This allows the customer to understand the theoretical attacks and how we would approach it, assume successful attacks, and approach implementing security controls accordingly.
What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?
Implement the principle of least privilege wherever possible. This is cost effective and can prevent some major splash damage upon compromise. Also, keep everything up to date. Lack of patches will be your downfall.
Why do you feel it is critical to stay within the rules of engagement?
Not staying within the rules of the engagement is a breach of trust and also does not provide the exercise its due diligence. I think that breaking the rules results from a selfish desire to prove yourself as l33t or placing the priority of a breach over how it will affect the environment. If you breach the environment but topple over production systems, doesn’t that make you the true bad guy? Your job is to provide business value to the organization, not obstruct it. Stick to the rules; they are there for a reason. If you disagree with the rules, kindly start a conversation as to why and promote a revision.
If you were ever busted on a penetration test or other engagement, how did you handle it?
I’ve always had pretty bad anxiety. I was on a physical penetration test, and after I got onto the floor, I selfishly sat at this lady’s cubicle for two hours just casually performing the assessment. No big deal, just a new employee here. I even asked my “new co-worker” what the password to the Wi-Fi was. It wasn’t long before people started to walk past me several times and whisper to each other before they asked for my badge and eventually called security on me. When they caught me, I shakily pulled out my “get-out-of-jail-free” paper and explained myself. They were pissed, and I just kept sweating and trying to laugh it off, hoping it would lighten the situation.
As I was getting escorted off the floor, employees were looking at me like I was a serious criminal, which didn’t help my anxiety either. I shouldn’t have stayed at the lady’s desk. I had the LAN Turtle beaconing out as soon as I had gained access to the floor, so there literally was no need. To be fair, the mistake they made was escorting me to the elevator and not escorting me outside of the building, so I just went two floors down and sat at another cubicle. I was young and dumb, but looking back on it I still laugh.
What is the biggest ethical quandary you experienced while on an assigned objective?
I think sometimes the methods used to social-engineer people can get really dicey. I personally wasn’t involved in this, but I heard about someone actually getting the client served a falsified court document instructing them to go to a website and schedule their court date. The website snatched their credentials, and they were successful. I don’t have the gumption to do that. The emotional toll put on the client must have been pretty heavy.
How does the red team work together to get the job done?
Red teaming consists of a team of offensive consultants who bring a variety of specialties to the table working cohesively to accomplish the objective. You must rely on each other. For example, if you are a web guy and you pop shell on a web server, pass the shell off to the person with the most experience doing privilege escalation or lateral movement. Once again, you rely on your teammates and work selflessly. All the members of the team should keep good documentation and track everything they do, as it will be critical in the reporting phase. Each person should contribute to the report and, if possible, have a technical editor make sure everything is smoothed together and the language reads well. Delivery to the blue team should also be performed as a team. Either you can take turns walking through the break and explain which role applies to you, or you provide the attack narrative and have each member on standby to explain specifics if requested.
What is your approach to debriefing and supporting blue teams after an operation is completed?
I’m a big fan of helping blue teams, so I try to provide as much remediation support as possible. I take the time to understand their security controls and how things look from the blue team side. From there, I can try to truly explain what the failing control is. Lastly, I give them actionable remediation recommendations that are specific to their environment. You can’t just say “fix all input sanitization” and leave it to them to provide the solution. Help them out, understand their environment or predicament, and try to come up with the solutions together.
If you were to switch to the blue team, what would be your first step to better defend against attacks?
My first step is to provide education into offensive capabilities, attack scenarios, and true objectives and motivators of attackers. For example, I still do a ton of application development. Throughout my entire development lifecycle, I’m adjusting how I’m architecting solutions or how I’m developing stuff simply because I know how I would attack it. As you develop, or defend, you must keep the adversarial mind-set at the forefront.
What is some practical advice on writing a good report?
It sounds generic, but really know your audience. Your objective isn’t to show off; understand that everything you provide should be actionable in some way. Also, your engagement isn’t known for how sweet your hacks are, but for your deliverable. The report is the primary thing they are left with when you move on to your next gig, so make it count. It’s like dropping off your résumé after you introduce yourself.
How do you recommend security improvements other than pointing out where it’s insufficient?
Typically, I try to discuss security best practices as opposed to failed controls. Like, “Hey, client, it’s standard to implement X because it prevents Y.” It is the opposite of saying “Hey, client, you should implement X because your current X sucks.” I realize that may have been overly casual, but you get the point.
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?
The ability to communicate effectively and to understand the bigger picture. If you can’t explain the l33t hacker hacks you performed, how can you expect the client to understand what