A red team isn’t a bunch of folks running rampant like a pack of hungry hyenas on the network causing maximum damage. A good red team is like a ninja—it sneaks in, maybe causes diversions or something, but eventually takes care of the task and disappears.
When should you introduce a formal red team into an organization’s security program?
Ask the following multipart question: “Can you, within a 60-minute window, provide me with all of the following?”
A count of all your computing assets, their locations, and any other relevant information within a 5 percent margin of error
If provided a MAC address of a particular machine, its physical location
A complete list of all internet access points as well as a diagram for each one of what your security stack looks like
The last three days’ worth of log data from (random machine)
A written list of policies, procedures, runbooks, and so on for your SOC
An overall network map, dated within the past three months
Detailed policies, procedures, and results from the most recent security awareness testing
If the answer is no to any of these, then the organization’s benefit from a red team would probably be minimal and they need some other sort of assessment. If they answer yes and can back it up, they might be ready for a red team.
What is the least bang-for-your-buck security control that you see implemented?
Threat intel. IMHO, pure snake oil.
Have you ever recommended not doing a red team engagement?
Frequently. I constantly recommend a full-scope pentest (on-site, remote, phishing, physical, wireless) before jumping to a red team. They have to survive and/or do well in a full-scope test before I’d give the go-ahead for an actual red team.
What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?
Privilege separation. Understanding that the average office worker does not need admin access to their PC.
Why do you feel it is critical to stay within the rules of engagement?
The ROE are your boundary line between staying legal and opening up your liability for criminal and civil damages.
If you were ever busted on a penetration test or other engagement, how did you handle it?
Once on the Army red team, there was a group of us (5 to 10 people) in a conference room where we weren’t supposed to be when a soldier appeared at the door asking if we had the room booked and what we were doing there. I responded with something like “We’re here collecting metrics for the exercise. Ask Chief <deliberately messed up the name a couple of times, to which they corrected the name> about it. She said we’re good.”
The soldier seemed mollified and wandered off. Right after that, we packed up our stuff and walked out the door. While we were heading out to our cars in the parking lot, we were able to look in the window and see the soldier and some other folks wandering back to the conference room looking confused about where we had gone. In the after action, nobody asked us about it, so it must have been forgotten about.
The trick is to put on an air of confidence when challenged, have a story all ready to go, have names of people on staff, and so on, and then be willing to pull the plug if something doesn’t seem right.
What is the biggest ethical quandary you experienced while on an assigned objective?
The toughest part of the gig is when the client decides as a result of your activities that somebody on their side has to be fired/relieved of their duties. I always try to ensure that everything we do is as nonattributional as possible, because often the problem is systemic and doesn’t reflect the mistakes of one particular person. People can be retrained; at least the good ones can. If asked directly whose fault a particular situation is, I will always avoid using people’s names. It might piss off the client, but ultimately I try to explain that it is usually not any particular person’s fault and that it’s a systematic failure that led to our successes. Generally the client is understanding, although sometimes they are not and have made wholesale staff changes as a result of our success.
How does the red team work together to get the job done?
From a teamwork perspective, everybody brings a different focus, different background, and so on. I’ve had many sessions where we spitball ideas about how to accomplish goals based on what we have in front of us, what we know, what we don’t know, and so on. It’s all about different perspectives. Keeping centralized notes in a wiki or something like that, making sure we had a central pile of screenshots, and then writing up individual summaries of actions taken, objectives achieved, and so on all helped with writing the final report.
What is your approach to debriefing and supporting blue teams after an operation is completed?
On the Army red team, we would hold a Q&A with the blue team. The big thing is that we would kick management out of the room. We wanted the techs and hands-on guys to ask us questions without fear of looking bad in front of management. We were honest and forthright with our answers too. We were there to make them better.
If you were to switch to the blue team, what would be your first step to better defend against attacks?
Take away local admin rights from the 95 percent of people who don’t need them. The biggest reason it is in place is usually because there are not enough help-desk/support people to install software, and thus the populace gets to be local admins because they need to install software or do something that facilitates their work efforts.
What is some practical advice on writing a good report?
Understand that you aren’t getting paid to break into the place; you’re getting paid to write the report about how you broke in and what the client can do about it and what the implications are if an attacker did the same thing.
The report is not about how badass you are; it’s all about the client. Does your report have actionable information that helps the client to remediate issues? Does your report effectively communicate issues to the C levels? Also understand that in many organizations, the management won’t take their employees’ words at face value that something is wrong. They need an external third party to tell them it’s wrong. Understanding the customer’s motivations and then tweaking the report to help further their goals also leads to better report writing and ultimate client satisfaction.
How do you ensure your program results are valuable to people who need a full narrative and context?
Provide extensive documentation about how to fix the issue. Reporting is for the client and not for the tester. Imagine being on the other side and having this report landing on your desk. What information would you want in there to fix the issues?
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?
The