Red teams are being formed at organizations at an increasing rate because of the value that they can bring. Rules of engagement can help ensure a successful red team engagement in a production network. Existing outside the rules of engagement could lead to loss of profit and trust for an organization. More specifically, crashing an application or service that generates revenue for an organization is bad news for everyone. Rules of engagement are expectations that are set and agreed upon. If boundaries need to be adjusted, a professional red team will contact customers or stakeholders to adjust accordingly.
If you were ever busted on a penetration test or other engagement, how did you handle it?
Fortunately, I’ve never been completely busted. However, I have made several messy mistakes creating logs in sources I did not want to be seen in. More specifically, crashing an application can be an attacker’s worst nightmare. When critical services crash, there are many logs created in several sources. It’s the attacker’s responsibility to clean up after themselves. I’ve had a few engagements where I’ve given an engineer a perfect opportunity to upgrade by crashing a service—which ultimately led to a patched vulnerability. If engineers have verbose logging enabled, there’s a possibility that your payload will be revealed and give away the fact that an attack is underway. In situations like this, I make it my mission to find an alternative route for exploitation to ensure that I can clean up my logs and restart crashed services.
What is the biggest ethical quandary you experienced while on an assigned objective?
The biggest ethical quandary I face is teaching exploitation. With great exploits come great responsibilities. I spend part of my time teaching educational content on YouTube, with a portion of it being exploitation. While teaching this skill, I put in extra effort to narrow the focus on professionals in the InfoSec field and avoid viewers who are searching How to Hack {Favorite Website Goes Here}.
How does the red team work together to get the job done?
The red teams that show the most value are the teams that have great documentation practices. Detailed documentation leads to detailed reports and less stress at the end of an engagement. Taking the time to document your work is a team sport in itself. Just one individual not providing detailed documentation could mean missed learning opportunities for the entire team and less understanding of what was completed for the customer. Lastly, if the results are documented well enough, then debriefing blue teams will be a lot more straightforward.
What is your approach to debriefing and supporting blue teams after an operation is completed?
Before an engagement, I work with my customer or organization to set expectations and document each phase of my work. Assuming expectations are set beforehand, it’s easier to collect data/create metrics on what is important. My approach to debriefing is typically sharing details on three pillars: evaluation, scoring/severity, and recommended fixes. My experience with organizations has been ongoing, and I’ve been frequently involved in applying the fix and assisting onboarding new application builds.
If you were to switch to the blue team, what would be your first step to better defend against attacks?
I find myself constantly working with teams focused on defense. There is an abundance of applications with open source packages and libraries. When I’m able to find vulnerabilities in source code, I work closely with engineers to patch and with blue teams to search for activity. After finding vulnerabilities, I enjoy hunting for evidence of similar discoveries. My recommendation for defense is to set up perimeters. It’s vital to set up strong perimeters around your critical assets and entire organization.
Through this process, it’s important to remember that security is ongoing and can’t be solved in a single day. Sometimes turning on an alert will lead to an influx of events/incidents—it takes time to tune alerts and triggers. This should not be discouraging.
What is some practical advice on writing a good report?
Writing a report can seem like a daunting task if you’ve had negative experiences in the past. For a while, writing was something that I thought I couldn’t get excited about. I learned that it’s all about mind-set. By framing the work as valuable and exciting, I’ve made documentation and reporting the favorite aspects of my job. I’ve also learned it’s the easiest way to show long-term value. I recommend shifting to a positive mind-set, making it fun, and being proud of the work. Documentation and reporting are the trophy case to your hard work.
How do you ensure your program results are valuable to people who need a full narrative and context?
Ensuring value can mean many things. It’s important to first know what is the metric for your team’s value. If your team is being measured on a number of engagements per year, then begin collecting that data on that metric and similar metrics. If a red team and blue team are working cohesively as a unit, then each engagement will introduce new results, and the data will reinforce this. If your red team is finding similar or identical findings each engagement, this is a cautionary sign that all teams are not working closely together or the importance is not being highlighted correctly. This is a great opportunity to get involved and provide more contextual information related to findings.
How do you recommend security improvements other than pointing out where it’s insufficient?
Outside of basic security recommendations, it’s vital to search for the root cause of what introduced a vulnerability. Introduce questions such as these: Is it a software issue? Is it an untrained engineer? Is there an organizational process that’s delaying teams from patching? More insightful questions will establish more trust with the customer and make for more interesting red team engagements in the future.
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?
I’ve spent most of my career working on larger teams, and I typically look for candidates with eagerness to work with a team. More specifically, I select candidates who can leverage other team members for help. I’m also an advocate of pair programming, hunting, and red teaming. The most beneficial nontechnical skill I find for the red team is the ability to ask questions. Thoughtful questions can satisfy and lead to more positive curiosity.
What differentiates good red teamers from the pack as far as approaching a problem differently?
What differentiates the best from the pack are habits. Acquiring the skills to become exceptional takes time and requires consistency. Often you see the greatest red teamers consistently attending the same meetings and conferences that help them continually succeed and avoiding bad agreements. It’s most beneficial to prioritize what’s most important and avoid distractions while learning and completing tasks. ■
Конец ознакомительного фрагмента.
Текст предоставлен ООО «ЛитРес».
Прочитайте эту книгу целиком, купив полную легальную версию на ЛитРес.
Безопасно оплатить книгу можно банковской картой Visa, MasterCard, Maestro, со счета мобильного телефона, с платежного терминала, в салоне МТС или Связной, через PayPal, WebMoney, Яндекс.Деньги, QIWI Кошелек, бонусными картами или другим удобным Вам способом.