Book Review: Team of Teams

When I first heard of Team of Teams by General Stanley McChrystal, I thought this was another one of those books where a high-ranking officer recounts some of the stuff he did when he was in charge of certain missions in Iraq or Afghanistan. But given that he commanded the Joint Special Operations Command (JSOC), and he is regarded as one of the people that made JSOC one of the most formidable, fluid and adaptable special operations organizations, I figured I'd give it a try.

What a great book.

This book is not about war. This book is about how to apply small-team tactics, and the mindset behind them, to large organizations facing ever-changing landscapes and the human factor. It helps you cope with chaos and shows a different approach to adaptability.

Highly recommended.


Quote of the day

"Today’s systems must anticipate future attacks. Any comprehensive system – whether for authenticated communications, secure data storage, or electronic commerce – is likely to remain in use for five years or more. It must be able to withstand the future: smarter attackers, more computational power, and greater incentives to subvert a widespread system. There won’t be time to upgrade it in the field.

History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did."

--Bruce Schneier

First Unofficial Quarterly Red Teaming Day

In conjunction with the Red Team Journal, we are pleased to announce the First Unofficial Quarterly Red Teaming Day: 1 July 2015. To celebrate, print, cut out, and consider the list of red teaming questions below. Every quarter, we’ll post a new set of questions for you to think about. Given the tremendous need for more and better red teaming, we hope this is one small way to encourage potential red teamers across all domains to pause for a few moments and red team an immediate problem or issue.

For those who might not be able to access the graphic, here are the questions:

  1. What does my adversary or competitor want most?
  2. What could my adversary or competitor learn or acquire that would allow them to achieve this goal quickly and easily?
  3. What if my adversary or competitor already knows or possesses this?

Red Teaming Across Domains

Question from a reader: When you start a red teaming engagement, how do you know where to focus and what to do?

Well, beyond any information the customer gives us, we usually focus on the following three activities - at least in a normal engagement. These three are designed to cover the usual three domains: Digital, Physical and Social. The areas are:

  • Passive Red Teaming
  • Active Red Teaming
  • Plans Red Teaming

Let's get to each one.

Passive Red Teaming involves: external recon, infiltration and passive OSINT. Active Red Teaming includes: external recon, infiltration and exploitation, internal recon (moving inside and asset mapping), exfiltration and defense bypass, and disruption (physical or DOS). Finally, Plans Red Teaming involves: policies, controls and Blue Team reaction.

These activities form the initial map of the engagement, but you have to tailor it to the target. Each type of activity contains a lot of things to check. For example:

External recon: public footprint mapping, network scanning, social network scanning, profile building of key players, social engineering, phishing, others...

Infiltration and exploitation: manual run of exploits, attack code infiltration via various methods, hardware tampering, physical entry, supply chain compromise, covert entry, others...

Internal recon: mapping, pivoting, credentials and data sniffing, key asset identification and compromise, key data store control, physical mapping, wireless access, wireless device introduction (rogue access point installation), others...

Exfiltration and defense bypass: data exfil, C2 access to shells inside, malware updates, physical assets exfil, personnel kidnapping, personnel equipment exfil, access and control of key defense software and devices, installation of firewall rules and routing table options for exfil, bypass of endpoint protection, remote desktop access, others...

Disruption (physical or DOS): destruction of physical assets, data center and key systems DOS, network devices disruption, others...

Policies: mimic various attackers and force the policies to fail (introduce random changes to the way attackers react).

Controls: actively probe the controls and stress test them to failure points.

Blue Team reaction: actively probe the quick reaction teams.

There is a lot to check and plan when you begin an assessment, but once you have a better idea of what the target is like and you can form a basic plan, you can then decide what to do and how.


Quote of the day

"...maybe it’s time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can “self-heal” or “self-limit” the damages inflicted upon them."

--Gen. Michael Hayden


From the inside out

A couple of years back, we performed an assessment on a startup company that was writing security software. At that stage, they were still in stealth mode. They wanted to know, before opening their product to the public, if their networks, systems and products were secure.
Initially they hired us as simple pentesters, but during the initial meeting it was obvious that they wanted a full Red Team assessment. So we changed the focus of the engagement to all three domains: digital, physical and social.

The company described to us how their development network was segregated from the rest, how they controlled access and how data was flowing in and out of that area. The source code of their product was their main concern, so they put a lot of effort into making this environment secure. The rest of the network had the usual perimeter security. They had invested good money in their detection capabilities too. Overall, they had done a good job of covering their basics. But, as we know, the basics don't work anymore.

After reviewing (OSINT) their employees' activities online, we targeted one of the sales representatives. We wrote an email supposedly from a very important company that had heard about the product from a friend and wanted to reach out for a demo. After a few emails and several phone calls, we managed to get the rep to open a weaponized PDF and we had a backdoor into their internal network.
We then focused on searching for a development computer. Since those were segregated from the network we were in, we opted to look for a developer's computer instead. These were connected to this network for the purposes of email, etc. When we found one, we copied a digital drone there and programmed it to start mapping the network whenever a new network was discovered (i.e. if the programmer connected the laptop to the segregated network).

The next day he did. We received a ping from the drone later in the day, when, apparently, the programmer moved the laptop back to the main network and the drone once again had internet access. We sent the download command to the drone, which in turn uploaded the contents of its network mapping to our server.
After some review, we saw their main source code repository and a bunch of other developer computers. So, we sent a new set of commands to the drone: copy yourself, if possible, to the source code repository and copy any file that was accessed or modified in the last 72 hours.

Two days later we were reading several source code files.

We called up for a meeting and presented the initial findings. They were, surprisingly, very receptive and wanted us to begin working with their network guys to help fix this and make it more secure.

For the rest of the engagement, we focused on their social media presence and on training the sales people to be more security-minded. We also worked with their programmers on how to connect to clean and dirty networks securely, to avoid this attack.

Anyway, moral of the story: don't assume that because you have solid perimeter protection and segregation of environments, you are secure. Today the focus should be inside: on the data you want to protect and on the internal systems. Start by assuming you have already been penetrated. You have a bad guy inside. Period. That's the reality of today. Your focus should be on how to make it harder for that attacker to move inside and to find what he is looking for, and on how to detect his or her movements.
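The detection side of this story is worth making concrete. The drone mapped the segregated network as soon as the laptop joined it, and that kind of mapping leaves a simple footprint in flow or firewall logs: one source host talking to many distinct internal destinations in a short time. The script below, an added example that is not part of the original post and not anything the assessed company ran, scores that footprint over a handful of constructed flow records. The log format, the sample addresses, the window and the threshold are all assumptions chosen for illustration.

```python
"""Flag hosts that fan out to many internal destinations within a short window.

Added example, not from the original post. The input format
("timestamp src dst dport", one flow per line) and the sample data are
constructed for illustration; adapt parse_flows() to your own flow logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real traffic). Host 10.20.5.33 behaves
# normally; host 10.20.5.17 touches twelve internal hosts in twelve seconds,
# the footprint of a laptop mapping a network it has just joined.
SAMPLE_FLOWS = """\
2015-07-01T09:00:01 10.20.5.33 10.20.5.10 443   # mail, normal
2015-07-01T09:00:05 10.20.5.33 10.20.5.11 445   # file share, normal
2015-07-01T09:01:10 10.20.5.33 10.20.5.10 443
2015-07-01T09:02:00 10.20.5.33 93.184.216.34 443   # external, ignored
2015-07-01T09:10:00 10.20.5.17 10.20.5.1 22
2015-07-01T09:10:01 10.20.5.17 10.20.5.2 22
2015-07-01T09:10:02 10.20.5.17 10.20.5.3 22
2015-07-01T09:10:03 10.20.5.17 10.20.5.4 22
2015-07-01T09:10:04 10.20.5.17 10.20.5.5 22
2015-07-01T09:10:05 10.20.5.17 10.20.5.6 22
2015-07-01T09:10:06 10.20.5.17 10.20.5.7 22
2015-07-01T09:10:07 10.20.5.17 10.20.5.8 22
2015-07-01T09:10:08 10.20.5.17 10.20.5.9 22
2015-07-01T09:10:09 10.20.5.17 10.20.5.10 22
2015-07-01T09:10:10 10.20.5.17 10.20.5.11 22
2015-07-01T09:10:11 10.20.5.17 10.20.5.12 22
2015-07-01T10:30:00 10.20.5.17 10.20.5.40 445   # later, outside the window
"""

# RFC 1918 ranges; only internal destinations count towards the fan-out score.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, port)."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_fanout(records, window=timedelta(minutes=5), threshold=10):
    """Return {src: (distinct_internal_dsts, first_ts, last_ts)} for every
    source that reached at least `threshold` distinct internal destinations
    within any sliding window of length `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in sorted(records):
        if is_internal(dst):
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                best = alerts.get(src)
                if best is None or len(distinct) > best[0]:
                    alerts[src] = (len(distinct), events[start][0], events[end][0])
    return alerts


if __name__ == "__main__":
    for src, (count, first, last) in find_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: {count} internal hosts between {first} and {last}")
```

The window and threshold are the tuning knobs: on a developer laptop that normally talks to a mail server, a repository and a handful of file shares, ten new internal peers in five minutes is unusual, while the same numbers would be noise for a monitoring host. The point of the check is the one the story makes: it watches movement inside the segregated network rather than the perimeter.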

As always, act, don't react. Run assessments, pentests, red teaming. Ask your people what's not really working. Listen to them.

When in doubt, Red Team it.

Red Teaming: Why We’re (Mostly) Getting It Wrong | Red Team Journal

One aspect of today’s cybersecurity/infrastructure defense/counterterrorism challenge that we sometimes neglect under the press of daily demands is the fundamental imbalance between attacker and defender that continues to characterize the defender’s position. How so? In nearly every scenario we can imagine, the attackers enjoy more degrees of freedom than the defenders, and as a result, every defender in America today starts the day with one hand tied behind his or her back.

You know that when we link to our friends at the Red Team Journal, good things are waiting for you to read. Everyone there, especially Mark Mateski, has a clear understanding of what Red Teaming is all about. Their latest post is a case in point.

This is something we have mentioned many times before. We even have a rule for it (Rule 51). However, Mark and his team managed to articulate it in a way that I hope someone with the right kind of access, money and power can finally understand what Red Teaming is and why we need it so badly.

I'll leave you here with their graphic.

Patterns of life

Sometimes the boundaries of an engagement or operation are very vague and your team finds itself having to cover a large "area of operations" - too many people to track, too many sites to learn, too many servers to scan and too many different technologies to learn. It can make your team freeze, not knowing where to begin.

One approach we have found useful is to learn your target by drilling down on what, or who, is important to the target. This is key to better simulating their adversary. Concentrating first on the people will give you a better view of the organization, even on the digital side. More specifically, learning who is important and who holds the keys to the gates, so to speak, will play a big part in achieving your goal.

This is where patterns of life come into play. Patterns of life is essentially learning how people go about their lives in a certain location, understanding their habits, what's "normal" and what's not. Once you see these patterns you can begin building a picture of what's important and start setting priorities. You can quickly shift focus to the people that will give you a better chance of penetrating your target, or of understanding a plan and the reasons behind it.

Focus on the people, their patterns of life and their social landscape, and make a plan.