Tribe of Hackers Red Team. Marcus J. Carey
Coming from the U.S. military red team community, I have a pretty strong opinion on the misuse of this and other terms with military roots. It’s tempting to blame industry marketing for this, but it really is a community problem. Penetration testing is a distinct and separate discipline from red teaming, and furthermore, there is a significant difference between internal red teams and consultant red teams. These differences can get quite confusing to customers who just want the best engagement they can get with the budget they have, and less principled teams might take advantage of this.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?
Red team operations can be painfully boring. It’s mind-numbing, detailed, analytical work, punctuated by moments of sheer elation and adrenaline. Most people only see the highlights in the debriefings or have misconceptions from Hollywood movies.
When should you introduce a formal red team into an organization’s security program?
I often tell people that they don’t need a red team engagement until they think they don’t need a red team engagement. As soon as the organization feels like they understand all of the threats and have a good handle on things, it’s time for a good red team to challenge those assumptions. And that first report won’t be pretty.
How do you explain the value of red teaming to a reluctant or nontechnical client or organization?
Learning the business! I can’t stress this enough. The red team has to understand what they are attacking in the context of the business they are supporting. Showing this understanding will go a long way toward establishing trust and true partnership with the customer.
What is the least bang-for-your-buck security control that you see implemented?
Vulnerability scanning. While this is an important security function, I rarely see it done correctly, especially at scale. If an organization is too large to keep an accurate asset inventory, how can they possibly expect to be able to scan all the things?
Have you ever recommended not doing a red team engagement?
Yes, quite often. I’ve found that while many customers are asking for a red team engagement, they’re often really (unknowingly) looking for a web app test or another form of limited-scope penetration test. In these cases, I will facilitate an introduction to another team that can better meet their needs. Some may see this as “losing business,” but I see it as building trust.
What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?
Endpoints rarely need to be able to communicate with each other across the network. Blocking or monitoring this type of traffic should go a long way toward limiting an attacker’s lateral movement. Keep in mind that the attacker is after data that will reside in a database, and so on. Lateral movement is used to locate and acquire the permissions needed to gain access to this data. Limit that movement as much as possible, and force the attackers to make mistakes.
Why do you feel it is critical to stay within the rules of engagement?
Rules of engagement (ROE) are used to define how the engagement should be conducted, the scope of the engagement, who should be contacted in case of emergency, and any other items of importance. The ROE is the primary safety net for both the red team and the customer, so if the red team were to deviate from those rules, systems could be damaged, or physically unsafe conditions could be created. Accidents can and do happen, however, so good ROE will define reporting processes for those incidents, and the red team will be completely honest about what happened.
If you were ever busted on a penetration test or other engagement, how did you handle it?
I’ve never done a penetration test, but I have been part of many red team engagements, including network exploitation, wireless, and even physical assessments overseas. One of my favorite stories is when my teammate and I got busted trying to convince some military personnel to let us plug in a USB thumb drive. A higher-ranking officer overheard the conversation from the next room and immediately rushed in to confront us. He was shaking with anger and informed us, “The red team did this to me last year, and you’re not going to do it again!”
I had no idea what he was talking about, but knew I had two choices: I could either back down and admit I was caught, or I could maintain character and react the same way anyone else in that position would have. I chose the latter and started shouting back that I didn’t appreciate accusations while I was just trying to do my job. He didn’t buy it for a second, but I wasn’t going to give him the satisfaction. He took us to his security officer, who informed him that our (actually fake) ID cards looked normal to him. While the first officer left the room to retrieve the encryption key for his phone (so he could call “my boss”), I explained to the security officer that we had an authorization letter in the car, and we would just grab that and be right back.
Once we got in the car, we still had to get off the base, which was nerve-wracking as well! That evening I discovered that there was a “be on (the) lookout” alert (BOLO) for me issued by the local host-nation police (no doubt the work of the angry senior officer), so I left the country shortly after. I didn’t fully relax until I cleared customs in the United States.
What is the biggest ethical quandary you experienced while on an assigned objective?
Being asked to “target” specific individuals is always a little creepy. I prefer not to and will always argue against it. I have no problem targeting specific roles or positions within an organization, however, as long as there is a solid threat model justifying it. One example is that I’ve been asked to look at the social media profiles of executives and their families. Careful controls need to be in place, and permission given, before I will entertain tasks like this.
How does the red team work together to get the job done?
The ability to function as a cohesive team is often what separates highly effective teams from those that are not. While every team member is important, skilled, and talented, no team member is so highly skilled that they can complete an engagement without the help of their teammates. Similarly, no red team operator should ever work on an engagement alone. Either physically or virtually, another operator should be working on the same engagement so they can function as a safety/sanity check for each other.
Detailed documentation is of the utmost importance during red team engagements. The customer is paying for the information contained in the report, which is derived from detailed, disciplined logging done during the actual engagement.
What is your approach to debriefing and supporting blue teams after an operation is completed?
Debriefs should always be tailored to the audience. Defenders should get an in-depth technical report that walks them through the attack path from start to finish. Ample time for questions should be scheduled, and the red team should be prepared for any follow-up reports for key people who weren’t able to attend for some reason. I also encourage the teams to be available for mini-retests or other forms of support to enable defenders to learn from the engagement.
This is a partnership, and the report should reflect that—you should state facts without ego and recognize