When should you introduce a formal red team into an organization’s security program?
I often tell people that they don’t need a red team engagement until they think they don’t need a red team engagement. As soon as the organization feels like they understand all of the threats and have a good handle on things, it’s time for a good red team to challenge those assumptions. And that first report won’t be pretty.
How do you explain the value of red teaming to a reluctant or nontechnical client or organization?
Learning the business! I can’t stress this enough. The red team has to understand what they are attacking in the context of the business they are supporting. Showing this understanding will go a long way toward establishing trust and true partnership with the customer.
What is the least bang-for-your-buck security control that you see implemented?
Vulnerability scanning. While this is an important security function, I rarely see it done correctly, especially at scale. If an organization is too large to keep an accurate asset inventory, how can they possibly expect to be able to scan all the things?
Have you ever recommended not doing a red team engagement?
Yes, quite often. I’ve found that while many customers are asking for a red team engagement, they’re often really (unknowingly) looking for a web app test or another form of limited-scope penetration test. In these cases, I will facilitate an introduction to another team that can better meet their needs. Some may see this as “losing business,” but I see it as building trust.
What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?
Endpoints rarely need to be able to communicate with each other across the network. Blocking or monitoring this type of traffic should go a long way toward limiting an attacker’s lateral movement. Keep in mind that the attacker is after data that will reside in a database, and so on. Lateral movement is used to locate and acquire the permissions needed to gain access to this data. Limit that movement as much as possible, and force the attackers to make mistakes.
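The control described above can be checked from the defender's side by looking for workstation-to-workstation connections on remote-administration ports. The following is an added example, not part of the original interview; it assumes a constructed network layout (workstations in 10.10.0.0/16, servers in 10.20.0.0/16), a simple "src dst dport" flow-log format, and a hypothetical set of admin ports.

```python
"""Flag endpoint-to-endpoint traffic on remote-administration ports.

Assumptions (constructed for this example): workstations live in 10.10.0.0/16,
servers in 10.20.0.0/16, and flow records are "src dst dport" lines.
"""
import ipaddress

# Hypothetical workstation ranges; adjust to the real asset inventory.
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]
# Ports commonly used for remote administration: SMB, RDP, WinRM (HTTP/HTTPS).
ADMIN_PORTS = {445, 3389, 5985, 5986}


def is_workstation(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)


def parse_flow(line: str):
    """Parse 'src dst dport'; return None for malformed records instead of crashing."""
    parts = line.split()
    if len(parts) != 3:
        return None
    src, dst, dport = parts
    try:
        ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return src, dst, int(dport)
    except ValueError:
        return None


def find_lateral_flows(lines):
    """Return (src, dst, port) for workstation-to-workstation flows on admin ports."""
    hits = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, port = rec
        if src != dst and port in ADMIN_PORTS and is_workstation(src) and is_workstation(dst):
            hits.append(rec)
    return hits


def fan_out_by_source(hits):
    """Count distinct peer workstations per source; high fan-out is the lateral-movement signal."""
    peers = {}
    for src, dst, _ in hits:
        peers.setdefault(src, set()).add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


# Constructed sample flows: one workstation reaching three peers on admin ports,
# plus benign workstation-to-server traffic, a non-admin port, and a malformed line.
SAMPLE_FLOWS = [
    "10.10.1.5 10.20.0.10 445",    # workstation -> file server: expected
    "10.10.1.5 10.10.1.9 445",     # workstation -> workstation SMB
    "10.10.1.5 10.10.1.12 3389",   # workstation -> workstation RDP
    "10.10.1.5 10.10.1.20 5985",   # workstation -> workstation WinRM
    "10.10.2.7 10.10.2.8 80",      # peer traffic on a non-admin port: ignored
    "10.10.1.9 10.20.0.10 3389",   # workstation -> server RDP: expected
    "not a flow record",
]

if __name__ == "__main__":
    for src, count in fan_out_by_source(find_lateral_flows(SAMPLE_FLOWS)).items():
        print(f"{src} reached {count} peer workstations on admin ports")
```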
Why do you feel it is critical to stay within the rules of engagement?
Rules of engagement (ROE) are used to define how the engagement should be conducted, the scope of the engagement, who should be contacted in case of emergency, and any other items of importance. The ROE is the primary safety net for both the red team and the customer, so if the red team were to deviate from those rules, systems could be damaged, or physically unsafe conditions could be created. Accidents can and do happen, however, so good ROE will define reporting processes for those incidents, and the red team will be completely honest about what happened.
If you were ever busted on a penetration test or other engagement, how did you handle it?
I’ve never done a penetration test, but I have been part of many red team engagements, including network exploitation, wireless, and even physical assessments overseas. One of my favorite stories is when my teammate and I got busted trying to convince some military personnel to let us plug in a USB thumb drive. A higher-ranking officer overheard the conversation from the next room and immediately rushed in to confront us. He was shaking with anger and informed us, “The red team did this to me last year, and you’re not going to do it again!”
I had no idea what he was talking about, but knew I had two choices: I could either back down and admit I was caught, or I could maintain character and react the same way anyone else in that position would have. I chose the latter and started shouting back that I didn’t appreciate accusations while I was just trying to do my job. He didn’t buy it for a second, but I wasn’t going to give him the satisfaction. He took us to his security officer, who informed him that our (actually fake) ID cards looked normal to him. While the first officer left the room to retrieve the encryption key for his phone (so he could call “my boss”), I explained to the security officer that we had an authorization letter in the car, and we would just grab that and be right back.
Once we got in the car, we still had to get off the base, which was nerve-wracking as well! That evening I discovered that there was a “be on (the) lookout” alert (BOLO) for me issued by the local host-nation police (no doubt the work of the angry senior officer), so I left the country shortly after. I didn’t fully relax until I cleared customs in the United States.
What is the biggest ethical quandary you experienced while on an assigned objective?
Being asked to “target” specific individuals is always a little creepy. I prefer not to and will always argue against it. I have no problem targeting specific roles or positions within an organization, however, as long as there is a solid threat model justifying it. One example is that I’ve been asked to look at the social media profiles of executives and their families. Careful controls need to be in place, and permission given, before I will entertain tasks like this.
How does the red team work together to get the job done?
The ability to function as a cohesive team is often what separates highly effective teams from those that are not. While every team member is important, skilled, and talented, no team member is so highly skilled that they can complete an engagement without the help of their teammates. Similarly, no red team operator should ever work on an engagement alone. Either physically or virtually, another operator should be working on the same engagement so they can function as a safety/sanity check for each other.
Detailed documentation is of the utmost importance during red team engagements. The customer is paying for the information contained in the report, which is derived from detailed, disciplined logging done during the actual engagement.
What is your approach to debriefing and supporting blue teams after an operation is completed?
Debriefs should always be tailored to the audience. Defenders should get an in-depth technical report that walks them through the attack path from start to finish. Ample time for questions should be scheduled, and the red team should be prepared for any follow-up reports for key people who weren’t able to attend for some reason. I also encourage the teams to be available for mini-retests or other forms of support to enable defenders to learn from the engagement.
This is a partnership, and the report should reflect that—you should state facts without ego and recognize that some people are going to be embarrassed or defensive. Be sure to also give credit where credit is due.
If you were to switch to the blue team, what would be your first step to better defend against attacks?
Prevention is preferred, but detection is a must. My first step would be to understand what data sources were available and make sure they were accessible to defenders. Many defenders have complained of data overload, but almost every engagement I’ve ever been part of has shown some kind of blind spot. The more data available to automation and manual queries, the more likely an attack will be detected.
What is some practical advice on writing a good report?
Stick to the facts, and paint the picture of the attack path. Don’t use jargon, and provide references to CVEs or technical guides wherever possible. The report is the product you are providing; it is what the customer is paying for. Nothing else matters, so get this right every time. If there are follow-up questions, answer them promptly and accurately and make note of them for your next report.
How do you ensure your program results are valuable to people who need a full narrative and context?
This will vary with each organization, but a good way to start is to identify who the red team’s true customers are. Customers are different than stakeholders, and this differentiation becomes important when trying to prioritize engagements and reports.