red team (5)

  • Here is a snip from a conversaton listed over at

    hoff posed the question of

    “does the team dial-up or dial-down the aggressiveness of the approach and execution KNOWING that they won’t be prosecuted, go to jail, etc.?”

    Below was a response I wrote that may be of value or at least a good debate we can all go through.

    To get to the answer of this, or at least my opinion, we need to start off with WHY they are Red Teaming. Now that this is becoming a bit more of an en vogue service there is starting to be a large degree of variance of “WHY and HOW.” for this one… let’s just take Red Teaming as “Modeling an adversarial force and executing the attacks with the expected capabilities of that force.” If we can stay to those definitions we get to some of the answer in a less grey area.

    We like to look at testing like a fight.

    First off, Its a fight. It is not theory, there isn’t some ” theoretical risk ranking” to how you are going to feel or a mapping to some color wheel that can communicate to you how you “WILL” feel during the event. It IS the event.

    Now…. there are a few types of fights/fighters each type breeds a different type of fighter. (mind you… there are anomaly’s in all of these but let’s take it as sweeping generalizations)

    Typical playground fight (Vulnerability Assessment):
    The adversary is usually around the same size, motivation is similar, they aren’t out to kill ya, and over all they very rarely even know HOW to hurt you. Since the adversary has not had a lot of time to train or lots of experience in fighting the overall risk of total destruction is low. The benefit of it is feeling what it is like to get into a fight. You also take away some things you need to do to either avoid a fight or fight better.

    training: Low
    benefit: Low
    risk: Low

    True /Bar/Early Adult/Public Fight (Penetration Testing):
    The adversarial gap is much larger an unknown. The size and strength difference is an assumption, as is their ability to hurt you. The adversary could be an expert or a first timer and the only time you will realize it is by the time the fight is underway or sometime OVER. The real thing to be concerned about in this type of fight is that the risk of “impact” is substantial. Mature humans with potentially TONS of experience may have the ability to completely destroy someone if the reigns are not pulled tight. The benefit of this fight is that they are usually over a specific threat and the winner can support the desired outcome **getting robbed and overpowering the robber …as the example**

    training: Variable based on adversary
    benefit: moderate
    Risk: Moderate to High
    education: moderate * when you are a little bit older is when you start to realize if you can survive it or not.

    Professional fighting (Red Teaming)
    Now apply that to a pro fighter. Their entire life is devoted to the fight. Their financial viability and lifestyle RELY on it. They have sparring partners, coaches, strength trainers, agility trainers, nutritionists, therapists, and more just to get ready for the fight. When they prepare for a fight, they don’t just fight anyone. They prepare for the fight with a very specific regimen. They are well beyond the days where they need to gain a sense of calm during the event. They prepare for the fight with a sense of purpose and extremely well defined goals

    training: HIGH
    benefit: HIGH
    Risk: Low to Moderate ( these are trained professionals…. although death happens it is VERY rare)
    education: HIGH

    The reason I had to go through all that is to give a sense that this exercise is not just a ” look at how hard I can beat someone up” as a matter of fact it is almost the complete opposite. It is much more about “how many areas can I test, and how will my adversary test those areas.” Each adversarial group will have a higher level of skill/competency in each of the 3 areas of red teaming (Physical, Social, and Electronic). By a company understanding their adversarial classes and their capabilities in each of those areas… they can determine the level of strength they need the red team to test in each. If we are testing an art museum, we can assume that the most likely adversary will be well equipped in the area of physical attack. Depending on the “type” of art museum…..we may find that the adversary has other skills in social or even electronic….. if we model out who the most likely attackers are. Maybe there is a diamond exhibit going on and we know the groups like the Pink Panthers ( are going after it. They have a particular set of skills that are readily available for research. Now there is no need for an insurance company to model the panthers type of attack because we can see through past compromise that the insurance companies get attacked in a much different manner. All of this is much like our pro fighter… they can watch the tapes… identify the likely attacks and the “surprise” moves the other opponent has. they prepare for the fight they ARE going to get in… not the one they MIGHT get in.

    In addition to all of this, there is another component to red teaming…. the blue teamer. On every red teaming engagement we offer a blue teamer to ride along with the internal team. You can get a full picture of where there are breakdowns…. even if the red team does not expose it. The blue teamer also gets to measure how cool under fire people are. They may get lucky stopping an attack and the blue teamers job is to identify whether or not it was a fluke or part of the process. This is much like having a coach and a ref in the ring with you. You walk away with a better idea where/why/how to train while still staying within the comfort/pain level of the fighter. this is a CRUTIAL component and literally doubles the value of testing if done concurrently.

    So … what’s the quick answer without all this blathering on and on and on????

    “The red team’s job is to adequately scope the potential boundaries between training and fight night, and bring their opponent RIGHT TO THAT LINE but never over it”

    A criminal doesn’t care about your safety, if you die as a collateral damage… who cares….. as long as they get what they want they do it. As red teamers we just can’t go that far. Don’t kidnap the CEO…. just show em every bit of Intel and surveillance needed to get to the point right before the bag n tag. Don’t burn down the building just to cause a diversion…. show em how it “would” be done. Don’t sell the data on the black market…. show them how/where /when u could get access. Don’t show them that you can bust a door down….. assess if you DID bust it down… how they would know and what the response would be. It’s a fine line to tow…. but if done right you get to patch the unpatchable…. HUMANS.

    Security is a feeling not a static concept of technology. The only patch we get in our feelings is experience. The more we can get the defense team to experience a likely threat…. the more calm, cool and collected they will be the day that threat is real. Find the real Perimeter and just barely go over it.

    Hunter S Thompson said it best.. ” The Edge… there is no honest way to explain it because the only people who really know where it is are the ones who have gone over. “

    Read more…
  • Vegas week summary

    Red Team Testing Training in BlackHat USA 2013 was a huge success for us. We had a great time working with our students, and cannot wait to meet more at DerbyCon 2013!
    Read more…
  • Attack!

    Well, not really just "Attack!". That's where a lot of the differences between a proper red team and glorified pentest are showing up.

    Previous posts talked about the value of intelligence gathering, and a consistent and exhaustive methodology for red teaming. This stays true for the actual attack phase. One cannot simply "red team" a target by launching some random attack vector at it just to feel special. After all the intelligence gathering, there are two critical phases which include threat modeling, and vulnerability research.

    This post won't go through these in details, but it is important to mention these as without threat modeling, there isn't really a point of red teaming. Otherwise - how would you know _which_ adversary to simulate? Based on what set of capabilities and accessibility to the assents in question? And which assets to target? These all go into the threat modeling phase.

    Furthermore, why launch an attack before conducting proper vulnerability research. And again - this isn't limited to just the software components that one can identify by probing the target's web servers and network infrastructure and searching for exploits for the versions that show up. Proper vulnerability research takes into account all the elements that the target organization operates with - physical presence, operational procedures, 3rd parties and suppliers, customers, personnel, and more. Finding vulnerabilities in these, and especially in elements that traditionally fall "between the cracks" of traditional organizational hierarchies are golden opportunities for later exploitation.

    Which brings us to the "Attack!" part. Much unlike a pentest, launching an attack during a red team is a highly orchestrated act. The premise is that you only have one chance (again - unlike the common perception that attackers need to succeed once, and defenders need to always get it right). Often times, a failed attack would alert the defenders, and induce changes in the analyzed vulnerabilities and attack surface to a point where additional planning would be needed to launch the next attack. This means that you are not just jumping on the first exploitable vulnerability found on some obscure server, but think really hard - now what? Once you got that exploit in, and managed to escalate your privileges - how far did this get you in compromising the assets you were targeting in the first place? Could it be that other "less sexy" exploits would bring you to a more advantageous position on your way to the gold? How would an attack vector be perceived by the defenders? Would it be possible to use the hub-hub caused by such an attack being detected to attack another part of the target and get more leverage? 

    As you can see from this short discussion on "Attack!", there is much more to it at the strategic level, and in terms of accomplishing what you were brought in to do. So yes, the "Attack!" phase IS a lot of fun. It IS exciting to play that game of chess with the organization and map out your moves 3 or 4 plays in advance. It IS extremely more valuable to the organization to experience how an actual adversary would go about when targeting it. BUT - it DOES require a lot of preliminary work to be put in at the earlier stages, it requires planning, analysis, and understanding of what really matters to the organization, and how its adversaries would target it. But I guess that this is what we are all here for :-)

    Last but not least - remember that bag of toys we are bringing to Vegas to hand out to all of our participants? yeah, well, the "attack!" portion has a lot to do with it... We'll learn how to use all the tools we threw in there (I know! these weren't just random items we picked up...), and more importantly - figure out new ways to leverage these in order to get you into a better position on your next red team task.

    Vegas is approaching quickly, and the classes are filling up! Make sure to secure your place in them early (more importantly so we can make sure we have enough bags for everyone)... See you all there!

    Read more…
  • It's all about the intel

    In the previous post we talked a bit about what red team engagements are, and generally what we'll cover during the training. In this post I'd like to talk a bit about one of the critical parts of a red team test, which separates it from a standard pentest: intelligence gathering.

    I often like to think that a red team engagement is decided at it's earliest stages - during intelligence gathering. At that point, I can usually tell how successful will the engagement be. That's because when intel gathering is done correctly, you almost certainly have all the information you need to accomplish your goal. In the "information age" there is so much that can be gathered on an organization, it's employees, and business partners, that it has become an issue of data processing and analysis rather than actual data collection (as the guys who run PRISM ;-) ).

    In the training, we'll focus on different types of intelligence gathering and profiling. We'll obviously cover the OSINT (Open Source INTelligence) methodology, while utilizing open resources, social networks, assortment of government and organizational information sites, and more. 

    Additionally, there is nothing more effective than actually seeing and experiencing your targets, so physical and electronic intelligence are also a crucial part of the intel gathering phase. It's always nice to already have close familiarity with a building (outside, and in) that you may end up operating in, especially when it comes to establishing a backstory and in cases where social engineering is involved. 

    So, DO expect to meet some really cool techniques for monitoring, recording, and visiting physical facilities, along with where and how to obtain the tools to do so (some of which we plan to include in the (in)famous goodie bag that Chris already told you about in the previous post…).

    We'll discuss who to disseminate information effectively, and how to store it in ways that would make it accessible and meaningful in later parts of the red team engagement. As intel is the basis for all red team operations, he who owns the information is more likely to have an advantage when facing challenging circumstances in the field.

    So far for this quick post - as I mentioned earlier, the goodie bag is shaping up to be of epic proportions, and my partner in crime is pulling some amazing tricks to make it happen for Vegas. Until next time!


    p.s. image: red team pulling some intel

    Read more…
  • RedTeam Training comes to Vegas!

    Hi everyone, this is the first in a series of 4-5 posts related to our Red-Team Training class offered during BlackHat USA 2013.

    First things first - why?  Well, we only have two days, and trust us, they are going to be packed. Therefore, we figured it would be best to provide some background material and previews on what to expect from the training.

    First, Red Team. The term itself is overused and abused. This is especially true with the demise of "penetration testing" which has replaced "vulnerability scanning" as the term-du-jour in the security industry. Red Teaming depicts the pinnacle of security and risk assessments for organizations.

    It means a no holds barred testing of one's security and is not limited by scope of a certain technological, social, organizational or physical aspects. In a red-team engagement the point is to simulate a real-world adversary. This is in contrast to more traditional (penetration testing and vulnerability assessments) engagements where specific aspects of the technical infrastructure of the organizations are reviewed for their security posture.

    In the training, we will focus on how red team engagements are ran, and how to provide the best value for the organization they are conducted against.

    The training will combine Red Teaming methodology aspects, as well as technical and hands-on portions in order to gain a bit of experience in how engagements should be executed in the field.

    From a "what you get" perspective - one thing to note is that this is NOT a tools class. Tools are part of every red team engagements, but are not the point of it. Tools can be used interchangeably, and should be used based on the specific challenge at hand and personal taste. There is no "one tool to rule them all" - especially in red-teaming. However, as we try to make sure the training has enough hands-on portions, tool usage will be part of the two day ordeal, and we'll have a chance to use them in situations similar to actual red-team engagements.

    So to conclude the first post in this series - we are expecting a packed schedule, where we will vary between methodology and hands-on practice, we'll get to do some field-work (and in Vegas of all places. get your lawyers/livers ready), and last but not least - have fun! Our goal for the training is to get everyone to a state of mind of constant observation and criticism of anything security. In the past we managed to build our trainings around our classes (i.e. you!) and are really looking forward to challenging ourselves (and everyone who will be in the class) again.

    Lastly, and we'll save some surprises for later posts, everyone in the training will walk away with actual tools they would use on red-team engagements.

    Read more…