Yesterday I had a very interesting discussion with the security director of a large corporation. He began making changes to the way they handle corporate security after having two Red Team assessments done in the past year.
The conversation centered around the way I think about security and the way the majority of today's organizations handle their IT and Security departments. He was really interested in knowing our (the Team's) opinion about his new approach.
During the conversation, I mentioned several times that security is dynamic and not static. In today's world, where adversaries come from different parts of the world and have different motives/goals, you can't just fill up a security checklist and call it a day. Today's adversaries are not static: they adapt, constantly find new techniques, new exfiltration ways, new ways to bypass current security measures and, more importantly, new ways to trick people. You have to constantly challenge your security measures and play by the same rules as the attackers: no rules. If you only focus on past threats, as most checklists and security guidelines often do, then you remain wide open to attacks.
Being PCI compliant, for example, will only get you to a basic level of security, a starting point. But it is important that you improve and build from there. You can't rely on lists or certifications alone; the world of security is fluid. Fail to see this and it doesn't matter how much money you throw at the latest firewall or monitoring software, you will get breached. In fact, you need to realize that you will get breached regardless. Plan for that, know what to do and how to make it harder for the adversary to get what they want.
I am not a good hacker or even a good physical security professional; I'm quite average, in my opinion. However, I think I have the right mindset and to me that is important. I try to show, to explain this mindset to the people that ultimately will benefit the most: the decision-making people.
Red Teaming is key for this. Red Teaming is dynamic, like the attackers. Red Teaming can challenge each part of the security plans separately, or as a whole - or both. A good Red Team can help bring awareness to the right people, the decision-making people. And yes, sometimes it scares the living shit out of the top executives and senior management, but then they can really begin to address the problem.
You have to continuously challenge your assumptions. In fact, don't assume, verify. If you keep on throwing money at the problem, without focusing on the roots and causes, without focusing on how the problem changes when you interact with it, it will only make the problem worse.
The way I see it, the current world of security is divided into two very distinctive groups: the "saving-my-ass people" and the "risk-taking people". The former, the majority, are contented with the checklists. Their asses are legally covered and when the next breach happens they can say "but we followed the standards...". The latter, well, these are the people making the difference in the security world, coming up with new ideas and taking the fight back to the adversary. Red Teaming lives in this world, the world that is ready to take the next step.
In what group do you belong?
Think about it.
Anyone up for a beer this coming Saturday or Sunday evening in or around Cleveland, OH? We are finishing a project over there.
Let me know and we can set it up.
As red teamers, we sometimes assume that the need for red teaming is self-evident, and, given this assumption, we proceed to promote the practice through example and anecdote (the more entertaining, the better): “Look what happened to Company X! They forgot to red team, poor fools,” or “You won’t believe what our extremely clever red team uncovered!” While anecdotes can be illustrative and persuasive, grounding our efforts on a more solid foundation is an effort that is past due.
Let’s start with the goal. Red teaming can be fun, and it can give a team a surge to identify an unexpected vulnerability, but the real purpose of red teaming is to help improve the client’s decisions. If we all made great decisions all the time, red teamers would be out of business. The root of red teaming, then, is the poor decision, and it’s there that we should look in order to unpack the need.
"In battle, if you make your opponent flinch, you have already won."
― Miyamoto Musashi
A penetration test that focuses on vulnerabilities and ignores most of the attack process doesn’t help a customer defend their network better. As offensive professionals, it’s on us to know the steps attackers take and to arm ourselves with knowledge and tools to reproduce them. If we can’t persist, move laterally, steal data, and defeat defenses in a credible way, what use are we to help customers understand their security posture? Creative thinking about these problems won’t happen if we focus too much on one (optional) piece of the hacking process.
Stand by for the answer.
"There is a theory which states that if ever anyone discovers exactly what the Universe is for and why it is here, it will instantly disappear and be replaced by something even more bizarre and inexplicable. There is another theory which states that this has already happened."
— Douglas Adams, The Restaurant at the End of the Universe
The current catch-all phrase in the Team is: It's a Red Teaming thing, you wouldn't understand.
This became very evident during a project a few weeks ago. In that project we were tasked with a simple threat assessment of the high-level executives of this company. The CIO wanted to know what kind of image the executives were giving to the outside world and, more importantly, what possible threats they were exposed to, either digital or physical (during their travels, talks, etc.).
It was a fun project that demanded a lot of data gathering and understanding not only of our customer, but their potential adversaries.