The term insider threat gets bandied around quite a lot these days; companies often talk of the weakest link in security being people. I guess they are almost right in what they say, but I can still dream about a world in which people can actually be one of our biggest strengths. The typical company sees the classic insider threat…
Corporate Red Teaming To Me
I am writing this blog post to share my thoughts on what it means to run and be part of a Corporate Red Team. I am sure there are similarities with Red Teams outside of the corporate world, but I don't pretend to talk about things I have little to no experience of. The reason for sharing these thoughts is also that I have had emails and DMs from people asking me about Red Teaming, as well as sharing their experience by CV/resume, so I thought I could share here and have somewhere to direct people. I should caveat that things are a bit busy right now, so this covers what immediately springs to mind; feel free to add comments for further discussion and clarification.
Red Teaming isn't better or worse than other forms of security assessment; it just provides a different perspective. It should complement other forms of security testing and should never be considered a replacement. Red Team engagements should be objective focused, not controls focused. The objectives should be relevant to the organisation and of real importance: seeing whether you can steal the Christmas card list isn't going to teach you much, you need to be going after the secret sauce, and on the journey to achieving that objective the effectiveness (or otherwise) of the controls in the way will become apparent.
The two most important things for an effective and successful Corporate Red Team are the right support within the organisation, and creative, effective, diverse and trustworthy team members.
When I talk about support within the organisation, I am talking about a realistic understanding of the challenge that exists. This doesn't mean things magically work and everyone rolls out the red carpet for an engagement, but it does mean a pragmatic approach to what you are trying to achieve, one that will grow and evolve over time. So you want the board in agreement and aware of the risk (risk always exists, so consider the risk of doing versus not doing), the CEO, CIO, CISO and business leaders bought in, as well as the legal, privacy and HR teams; they all play a vital role in being able to do effective and realistic adversarial threat simulations. It is important to push the boundaries of what is permitted in Red Team operations, but I always ask myself how I would feel if I found out a company I used or worked for employed professionals to use certain tactics on me: would I think it was beneficial overall, or would I be disgusted that it was permitted? So far this has acted as a good barometer of how far to push things, with the understanding that it does result in limitations and frustrations.
Next the people. I put this second only because if the organisation isn't GAME ON, having a team of superheroes is about as effective as a chocolate fireguard. So assuming you are good to go, you want people who can adopt an adversarial, threat-centric mindset, people who can remain calm when challenged and think outside the box to achieve their objective. You also want people with different skillsets, backgrounds, experience and perspectives. You also want people who can work effectively in a team, and act and think in a way that's best for the team: no superstars who think they are too good to do a task, or think the process doesn't apply to them. My reasoning for this is as follows. It's not uncommon to have people globally dispersed, so an ability to think in the interest of the team and to have empathy is important; this approach also makes the team more effective and helps facilitate a 'progress over perfection' approach, where people come together to evolve and grow the team and make it great. You want people who think differently and are willing to share their perspectives, and leaders and teammates that value them. Some leaders want a team of clones who don't challenge and don't think differently. If you have this, you won't have awesomeness; you want people to challenge each other (respectfully), challenge leadership and the way things are done, and strive for excellence. Living in an echo chamber might fuel your ego, which is fine, but in my experience it will ultimately stifle things. Skillset and experience should be obvious, but you are going to be attacking production environments, where mistakes are costly, so you want people who are experienced and who think before pulling the trigger.
Having a global team can bring its own problems if you are not used to working in such an environment, but it's important to be aware of cultures, and to consider time zones, entitlements and more for all the locations where you have people. Looking after your people should be a top priority, and they will look after you. Many people I speak to say they are global, but it's 10 people in the USA and a token contractor in Brazil or something; that's not global. Having a globally diverse team means you can act more like the adversary: you have people with different cultural knowledge and approaches, the ability to read and write in different languages, and, depending on the dispersal of the team members, a 24 hour force of awesomeness in play. You need reciprocal trust and respect for your teammates, knowing they have your back and you have theirs. Not everyone is built to work from home, or able to work and communicate effectively in a remote team, but those that are can be very efficient. What works for one doesn't work for all, so it's important to manage expectations and perception across the team when you are not all sat in the same office.
I once interviewed a really knowledgeable and experienced mobile pentester who wanted to move into Red Teaming; he said he wanted to join a Red Team so he could really fuck shit up. A professional answer to an interview question, I am sure you would agree, but when challenged he showed no concern for the potential impact or risk to the business, its people, processes or technology.
Red Teaming is about playing devil's advocate, challenging perceptions and beliefs through tangible results. If you're doing Red Teaming right, your mission isn't to FUCK SHIT UP; it's ultimately to accelerate the organisation's ability to handle an adversarial attack. This is done by changing the culture from vulnerability-centric to threat-centric thinking, partnering with intelligence, monitoring and response teams to leverage information and improve capabilities to detect and respond to an attack, and generally making things hard for the bad guys. You should also be looking to allow the organisation to make more informed risk decisions, by taking the theoretical decisions made about a possible attack and then proving out the results one step at a time, to decide whether the risk decision still makes sense.
Just because you have awesome zero-day fu doesn't mean you need to, or should, use it during a Red Team threat simulation. Sure, you should be advanced and sophisticated in your approach and skills, but if the real adversary can achieve their goal using the clear text creds in the text file on the desktop you just popped, they won't go flashing their awesomeness just because they can; they don't need to. The attack path taken should be appropriate and relevant to the objectives and the adversarial motivation.
Red Teaming has been all the buzz the last few years, and like most things in the InfoSec / Cyber world there are various shades of grey in what this really means. I have spoken to some Red Team leaders and it's clear their pentest team just got a rebranding and nothing else changed. I think it's hard to find organisations that take Red Teaming seriously and really look to mimic adversarial activities, and I also think this is because the messaging to boards and executives isn't clear either. So if you are fortunate enough to work for an organisation that is taking Red Teaming seriously, it's a sign of maturity, acceptance of reality and a willingness to embrace a change of thinking. That doesn't mean it's going to be easy or without challenge, but most things that are worth doing, and doing well, take some effort.
For me, Red Teaming should be as close to mimicking adversarial approaches as possible. I say as possible because, if you live in the real world, you will realise that when you are doing something for a company there are boundaries, codes of conduct, values, ethics and morals that come into play. So you need to work within these and keep pushing the boundaries to increase the value as the landscape changes over time, and as trust and respect in the team's capability grow.
So even though the Red Team capability may sit in the InfoSec / Cyber function, that shouldn't be what defines it. The scope of Red Teaming should cover the physical, technology, social, people and process components involved in achieving the goal, and you should be able to manoeuvre across production, test and development environments; essentially, if the bad guys could go there, so should the Red Team. This means it's important to have effective relationships and partnerships with many groups, and to consider various regional, regulatory and legislative issues along the way, but it's worth it. It's also worth noting that over the years the perimeter of an organisation has become hard to define, so 3rd parties, suppliers etc. should be included over time. This takes time, contract adjustments, liability acceptance and more, but you should have a vision and be working towards it, even if it takes months or years to get there.
The thing most people don't consider is the psychology of the adversary. They don't think about the fact that if the asset or objective the adversary is after is valuable enough, they will go to great lengths to achieve it. They won't just give up if things seem locked down; they will take a different approach, which may mean socially engineering someone, bribing someone on the inside, or perhaps driving a truck through the wall to steal the hard drive. That's what the Red Team needs to do (within reason), and the end goal is to help the organisation improve its controls and capabilities to a level where the cost and effort are too great and the environment too hostile, so that only the most determined try while the others go after someone else.
You achieved the goal of stealing customer data, but you found it in the dev environment? That's just cheating! People get irked when you find data in places it wasn't supposed to be, but remember the attacker cares about the data and its value, not where they find it.
It's also important to invest time and money in improving capabilities, evolving the service and investing in your people. The organisation's adversaries are constantly upping their game to overcome the obstacles they face, and the Red Team should look to do the same, finding additional attack paths using different methods, as well as keeping things interesting. This requires time and funding to attend training, work on interesting projects and do R&D. The people you have with you on this journey should be passionate and engaged in what they are doing, and this should be rewarded. I will also note here that everyone in the team should have a voice in the direction of the team and its capability. It doesn't matter if you are the seasoned professional or the new guy or gal out of university; they have perspectives and opinions which should be considered, and they might have the next great idea. The buck ultimately stops with the leader, but it's more effective and productive to have people on board the fun bus helping to keep the wheels and doors on than to drag them along like cans on the bumper.
If you have the privilege to lead a Red Team with the right people, your enthusiasm, dedication and approach send a message to your teammates, to those you serve and to those you engage with in the industry and community. Leading a Red Team is about helping the organisation focus on strategic issues, things that can be really beneficial and have quick and long term wins; when this isn't seen, you should fight opposition so that the team stays focused on the right things. This means the team is used most effectively, stays engaged and passionate about what they are doing, and the activities undertaken clearly connect to team and organisational goals. Each member of your team is special, and all different, so it's important to think of them as people and not simply a headcount figure. Understand their needs, how best to interact with them and how they prefer to be engaged with, along with helping and coaching them to success. You should respect your team, and they should respect each other regardless of grade, skillset, etc. I wouldn't expect anyone to do something I haven't done, or wouldn't do myself; nothing frustrates me more than when people say they are above a task. I agree you should be mindful of how to put someone's skills and abilities to best use, but no one should be above chipping in and getting things done to move the team forward. You should celebrate people's successes and achievements; your goal should be to help each member of your team progress to meet their dreams and full potential. Managers feel threatened, where leaders partner for success. Finally, process and quality are important, but results, and the impact you can have, are what matter most.
A good leader is honest and transparent with the team, ultimately takes responsibility for deficiencies in the team, and backs up the team rather than airing issues in public. If you want to bask in the glory of success, you should also take on the failings and take action to remediate them; this is where, for me, progress over perfection is vital.
Life is short, and we spend a hell of a lot of time at work. I am fortunate enough to be in an industry I enjoy, and for all the challenges that may have to be overcome I am fortunate to do the work I do, and even more so to be in the company of such great co-workers, who share my passion and enthusiasm for doing great things, to a high quality and standard, while looking to have fun at the same time.
So my Dream Team consists of people who are interesting, passionate, reliable, trustworthy and team players, as well as self-motivated and able to work on their own initiative. You need a range of skills and disciplines, so this should cover the capability to attack web, network, OS, database and more, with physical capabilities such as lock picking, alarm system knowledge and access control systems, and an appreciation of psychology to be effective in social engineering, building effective relationships and being able to influence and drive change. If you see a problem, be part of the solution by offering ways to improve or overcome it; don't look for others to fix the world for you, instead invite them on the exciting journey.
Like anything on the Internet, these are my thoughts and opinions based on my beliefs and experiences. It doesn't mean it's right, wrong or indifferent; it's just how I like to approach Red Teaming.
INFOGRAPHIC: The Cybercriminal Underground
TrendLabs, a leading information security firm, published this really awesome infographic about the cybercriminal underworld. It’s certainly worth a look.