Over the weekend we had to respond to a call from a customer. The Team not only provides Red Teaming services, but we can act as first responders due to our experience in digital forensics as well.
This particular customer had a breach via one of his new suppliers. One we hadn't tested yet. We work very closely with this customer and every time a new service or supplier is brought on board, we provide the initial security and threat asessment. In this case, we hadn't have the chance to test them. The supplier, we learned during the weekend, was wide open to attacks.
The Team is now helping mitigate the issue with the supplier, while our customer's CERT is looking into their own networks and systems.
All this brings me to a very simple truth that I've mentioned before many times: the real world is a special case.
The real world is more complex than your testing lab. The real world doesn't obey the rules you impose. The real world is not a vacuum, like most security certifications will have you believe. The real world behaves following its own chaotic rules, or lack thereof. If you try to plan for it, set your defenses only once and call it a day, the real world will eat you alive.
Attackers, adversaries - the bad guys - don't play by your rules. They play by their own and, like the numbers of adversaries, these come in many shapes, colors and intensity. If you think you know your adversary and plan for it only once, based on only one assumption... Well, you are not thinking straight.
The real world is a special case.
More and more we are seeing the increased complexity of the adversaries. Whether it is nation sponsored, crimilar or simply curiosity, the new breed of attackers don't get stuck trying to find the right exploit for your firewall or web server, they just go around them, they find the weak links somewhere else. And yes, more often than not the weak link is the people that provide you with services, the suppliers, the partners...
Do they know your adversaries? Do you know their adversaries? When it's the last time your partners had a security assessment done? How often they do it?
Are they compromising your security posture? A posture you worked hard to build and implement?
Always cover your angles. Never assume, always verify.
Yes, the real world is a special case.
Plan, execute and vanish. These 3 words should tell you how to go about doing your business. Just figure it out, make it happen and then leave... No trace.
This is the last Red Teams shirt that will be printed. No more shirts, so you better get it while you can. The goal is set low, 50. I'm sure you will find a good option, either a T, or a long sleeve or a hoodie. There are different colors as well. I am getting 7.
Also, this is the last time I'll be using Teespring. Unfortunately, as much as I don't like them, they are the only ones that deliver fast. But, like I said, this is the last tshirt, so make it count.
And some of the old shirts can still be ordered if enough people want them.
"RTJ Red Teaming Law #39 (“Ark”): It’s our sad experience that most people don’t think about red teaming until it’s already been raining for 39 days. The forecast for today is..."
This is one of those simple truths that unless you are told about it, you will always fail to see it.
Thank you Red Team journal for pointing this out.
"Plans are nothing; planning is everything."
— Dwight Eisenhower
We are lucky to have met a lot of really cool people during the past few years. Special operations, law enforcement, blue teams, hackers, emergency response teams, and many more.
These guys have a lot of cool stories, some of them we were part of as well. And they want to tell those stories.
So, in a few days we'll be launching a new part of the blog that we began calling Guerilla Red Team. The name, like most names, just came out during a discussion and well, it stuck.
This part of the blog will have stories from other red teamers, security teams, military units and law enforcement where either our Red Team was involved or the main story includes a Red Team or Red Teaming.
Now, we also want to hear from you. If you have a Red Teaming story, please send it. Please sanitize it, any OPSEC violation will trash the story. If you want to send along a picture with it, wait until we reply to you and attach it to the email.
What can you send? Any personal story recounting your Red Teaming experiences, or experiences with a Red Team.
So, while we compile some of the stories from our friends, send yours.
Most of you know many digital tools for recon, exploitation, etc. We've mentioned some here in the past few years as well. Of course, for distributed Red Teaming, one of my favorites is still Cobalt Strike and its underlying Metasploit.
There is a relatively new one (well, it's been out there for a while) that we have been testing lately, and while it is still a work in progress, it shows a lot of promise: the BeEF Project.
BeEF, or Browser Exploitation Framework, focuses on attacking and exploiting the web browsers: "BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.".
You can read more about it and its architecture here, but it has been really useful to have it. It can be combined with Metasploit for a great set of web browser attack modules.
We'll continue to play with it.
"Rule 29: If you’re happy with your security, so are the bad guys."
Rule 29 is a rule for a reason. The same with the Red Team Journal Law 36: "Complacency is your next adversary’s best friend. Just when (you think) you’ve overcome one threat, two more are hiding right around the corner".
If you become static and stop checking, moving, developing, updating and performing the next round of security assessements (yes, this includes Red Teaming), then your adversaries will exploit this. Thinking that your perimerter is secure, that your internal networks are protected, that your data is safe, well... It's asking for trouble. If you think you have accounted for all possible attack vectors and all possible vulnerability, you'll be surprised when the breach happens.
You can't stop testing and making better decisions. You can't be happy with your current state of security, even if it seems impressive and everyone assures you that you are air-tight.
There is always a way in. There is always something to exploit.
There is always the people.
Red Teaming has to happen constantly. It has to be an ongoing operation, always searching, always testing, always asking the "what if" questions.
If you are happy with your security, so are the bad guys.