Tribe of Hackers Red Team. Marcus J. Carey
Implement the principle of least privilege wherever possible. This is cost effective and can prevent some major splash damage upon compromise. Also, keep everything up to date. Lack of patches will be your downfall.
Why do you feel it is critical to stay within the rules of engagement?
Not staying within the rules of the engagement is a breach of trust and also does not provide the exercise its due diligence. I think that breaking the rules results from a selfish desire to prove yourself as l33t or placing the priority of a breach over how it will affect the environment. If you breach the environment but topple over production systems, doesn’t that make you the true bad guy? Your job is to provide business value to the organization, not obstruct it. Stick to the rules; they are there for a reason. If you disagree with the rules, kindly start a conversation as to why and promote a revision.
If you were ever busted on a penetration test or other engagement, how did you handle it?
I’ve always had pretty bad anxiety. I was on a physical penetration test, and after I got onto the floor, I selfishly sat at this lady’s cubicle for two hours just casually performing the assessment. No big deal, just a new employee here. I even asked my “new co-worker” what the password to the Wi-Fi was. It wasn’t long before people started to walk past me several times and whisper to each other before they asked for my badge and eventually called security on me. When they caught me, I shakily pulled out my “get-out-of-jail-free” paper and explained myself. They were pissed, and I just kept sweating and trying to laugh it off, hoping it would lighten the situation.
As I was getting escorted off the floor, employees were looking at me like I was a serious criminal, which didn’t help my anxiety either. I shouldn’t have stayed at the lady’s desk. I had the LAN Turtle beaconing out as soon as I had gained access to the floor, so there literally was no need. To be fair, the mistake they made was escorting me to the elevator and not escorting me outside of the building, so I just went two floors down and sat at another cubicle. I was young and dumb, but looking back on it I still laugh.
What is the biggest ethical quandary you experienced while on an assigned objective?
I think sometimes the methods used to social-engineer people can get really dicey. I personally wasn’t involved in this, but I heard about someone actually getting the client served a falsified court document instructing them to go to a website and schedule their court date. The website snatched their credentials, and they were successful. I don’t have the gumption to do that. The emotional toil put on the client must have been pretty heavy.
How does the red team work together to get the job done?
Red teaming consists of a team of offensive consultants who bring a variety of specialties to the table working cohesively to accomplish the objective. You must rely on each other. For example, if you are a web guy and you pop shell on a web server, pass the shell off to the person with the most experience doing privilege escalation or lateral movement. Once again, you rely on your teammates and work selflessly. All the members of the team should keep good documentation and track everything they do, as it will be critical in the reporting phase. Each person should contribute to the report and, if possible, have a technical editor make sure everything is smoothed together and the language reads well. Delivery to the blue team should also be performed as a team. Either you can take turns walking through the break and explain which role applies to you, or you provide the attack narrative and have each member on standby to explain specifics if requested.
What is your approach to debriefing and supporting blue teams after an operation is completed?
I’m a big fan of helping blue teams, so I try to provide as much remediation support as possible. I take the time to understand their security controls and how things look from the blue team side. From there, I can try to truly explain what the failing control is. Lastly, I give them actionable remediation recommendations that are specific to their environment. You can just say “fix all input sanitization” and leave it to them to provide the solution. Help them out, understand their environment or predicament, and try to come up with the solutions together.
If you were to switch to the blue team, what would be your first step to better defend against attacks?
My first step is to provide education into offensive capabilities, attack scenarios, and true objectives and motivators of attackers. For example, I still do a ton of application development. Throughout my entire development lifecycle, I’m adjusting how I’m architecting solutions or how I’m developing stuff simply because I know how I would attack it. As you develop, or defend, you must keep the adversarial mind-set at the forefront.
What is some practical advice on writing a good report?
It sounds generic, but really know your audience. Your objective isn’t to show off; understand that everything you provide should be actionable in some way. Also, your engagement isn’t known for how sweet your hacks are, but for your deliverable. The report is the primary thing they are left with when you move on to your next gig, so make it count. It’s like dropping off your résumé after you introduce yourself.
How do you recommend security improvements other than pointing out where it’s insufficient?
Typically, I try to discuss security best practices as opposed to failed controls. Like, “Hey, client, it’s standard to implement X because it prevents Y.” It is the opposite of saying “Hey, client, you should implement X because your current X sucks.” I realize that may have been overly casual, but you get the point.
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?
The ability to communicate effectively and to understand the bigger picture. If you can’t explain the l33t hacker hacks you performed, how can you expect the client to understand what their pain points are and effectively implement mitigating controls? Also, exercise sympathy. I get that you are excited about your l33t hacker hacks, but you’re not here to brag. Sometimes you have to be able to step out of the terminal and understand the true objective.
What differentiates good red teamers from the pack as far as approaching a problem differently?
I think it all boils down to the ability to adapt. You see a lot of red teamers fold when the tricks they already know fail or the tutorials they read aren’t giving them shell. I’ve seen several cases where the big break is right on the other side of banging your head against the wall because you are at the point of giving up. Being able to go that next step and leave the realm of comfort makes all the difference. Lastly, I think it goes without saying that a good teamer “thinks outside of the box.” In this case, the box would be the comfort zone and the tricks you know so well. ■
8 Ben Donnelly
“There isn’t just one type of red team job. There are quite a few subtle differences between different companies/groups that perform this type of work.”
Twitter: @Zaeyx
Benjamin Donnelly is an