Let me help you with that...

The current catch-all phrase in Team is: It's a Red Teaming thing, you wouldn't understand. 

This became very evident during a project a few weeks ago. In that project we were tasked with a simple threat assessment of the high-level executives of this company. The CIO wanted to know what kind of image the executives were giving to the outside world and, more importantly, what possible threats they were exposed to, either digital or physical (during their travels, talks, etc).  
It was a fun project that demanded a lot of data gathering and understanding not only of our customer, but their potential adversaries.

Read More

Expecting too much

This is a small rant about how sometimes businesses just don't get it and they fail to deliver. You can stop reading if you are not interested in this.

Read More
/

Red Teaming: It’s Not Just for Security Anymore | Red Team Journal

Red teaming is the practice of viewing a problem from an adversary or competitor’s perspective.1 For most businesses, it surfaces as a method of enhancing cybersecurity (and so it is), but it’s potentially much more. After all, the practice itself is agnostic; a business can aim it at just about any issue, from cybersecurity to proposals to strategic plans to competitive analysis–each is worth a second look from the red teamer’s critical eye.

Yes, today Red Teaming is so much more and can be apply to almost anything that entails decision making, from critical thoughts to tactical planning to every aspect of a plan.
The majority of the people in charge fail to see this. Red Teaming can benefit not only security and its siblings (safety, well-being and assurance) but also it can provide hands-on valuable lessons on what's coming next, what's around the corner, helping make plans, decisions and overall strategy better focused.

Quote of the day

"It's not a mistake. They don't make mistakes. They don't do random. There's always an objective. Always a target."

-- The Bourne Supremacy

There is a lot of the Red Team Mindset in all the original Bourne movies and also in the books.

One of my favorite dialogs of the 3rd one, The Bourne Ultimatum, is:

Noah: Noah Vosen.
Jason Bourne: This is Jason Bourne.
Noah: I was wondering when you were going to make this call. How did you get this number?
Jason Bourne: You didn't think I was actually coming to Tudor City, did you?
Noah: No, I guess not, but if it's me you want to talk to, perhaps we can arrange a meet.
Jason Bourne: Where are you now?
Noah: I'm sitting in my office.
Jason Bourne: I doubt that.
Noah: Why would you doubt that?
Jason Bourne: If you were in your office right now, we'd be having this conversation face to face. (Camera switches to a shot of Bourne in Noah's office, breaking into the safe with Noah's voiceprint from the call.)

/

Fun at IT audits, part 4 or "I am not the threat you're trying to protect against" | Reddit

This post at Reddit was bringing a lot of traffic to the blog, so I went to check it out - it turned out that they posted a link to one of the posts in the blog: Always search for the next thing.

The Reddit post provides a good example of the Red Team Mindset.

Next, I want to see their print shop. They run on what essentially are truck sized inkjets. Once the statements are printed, they're put into lockable, wheeled cabinets until they're assembled and mailed. I reach over and touch the padlock- a nice, reliable Master #4. The Director of Compliance snaps at me:

DoC:"What, do you think you could pick that?"

me:"Well, yes. Masters are hard to break but not too difficult to pick. My local lockpicking group uses them to teach people to pick locks"

At this point, everybody's staring at me. The Director of Compliance is not happy.

DoC:"So, you're saying you could waltz in here and steal anything you wanted?"

me:"Well, my job requires me to think like a bad guy. If I were so inclined, I'd make a pretty good thief"

Bank Compliance person:"So do you think they're insecure?"

me:"Listen, listen. They've got multiple controls in place. They've got cameras. They've got key cards. I've been stopped on the way to the bathroom. If I were going to steal data, I'd try to get the feed into the printers- get tens of thousands of records rather than a few hundred"

Director of Compliance:"Where did you learn to think this way?"

me:"Law school"

Quote of the day

Scott: What they gotcha teachin' here, young sergeant?

Jackie Black: Edged weapons, sir. Knife fighting.

Scott: Don't you teach 'em knife fighting. Teach 'em to kill. That way, they meet some sonofabitch who studied knife fighting, they send his soul to hell.

-- from the movie Spartan.

What I like about this quote is the mindset. The being prepare and always being one step ahead of your enemy.
When I was in the military, this kind of midset kept us alive in very hostile places.
Apply this to Red Teaming and you can see why Red Teaming is such a powerful force and how it can help.

Robert Rogers Standing Orders

Rogers is famous for his 28 "Rules of Ranging". A series of rules originally created during the French and Indian War. They have morphed today and the US Army Rangers still carry them to combat.

His Standing Orders can be applied to many things, including Red Teaming. Here they are:

  1. Don't forget nothing.
  2. Have your musket clean as a whistle, hatchet scoured, sixty rounds powder and ball, and be ready to march at a minute's warning.
  3. When you're on the march, act the way you would if you was sneaking up on a deer. See the enemy first.
  4. Tell the truth about what you see and what you do. There is an army depending on us for correct information. You can lie all you please when you tell other folks about the Rangers, but don't never lie to a Ranger or officer.
  5. Don't never take a chance you don't have to.
  6. When we're on the march we march single file, far enough apart so one shot can't go through two men.
  7. If we strike swamps, or soft ground, we spread out abreast, so it's hard to track us.
  8. When we march, we keep moving till dark, so as to give the enemy the least possible chance at us.
  9. When we camp, half the party stays awake while the other half sleeps.
  10. If we take prisoners, we keep 'em separate till we have had time to examine them, so they can't cook up a story between 'em.
  11. Don't ever march home the same way. Take a different route so you won't be ambushed.
  12. No matter whether we travel in big parties or little ones, each party has to keep a scout 20 yards ahead, 20 yards on each flank, and 20 yards in the rear so the main body can't be surprised and wiped out.
  13. Every night you'll be told where to meet if surrounded by a superior force.
  14. Don't sit down to eat without posting sentries.
  15. Don't sleep beyond dawn. Dawn's when the French and Indians attack.
  16. Don't cross a river by a regular ford.
  17. If somebody's trailing you, make a circle, come back onto your own tracks, and ambush the folks that aim to ambush you.
  18. Don't stand up when the enemy's coming against you. Kneel down, lie down, hide behind a tree.
  19. Let the enemy come till he's almost close enough to touch, then let him have it and jump out and finish him up with your hatchet.
  20. Don't use your musket if you can kill 'em with your hatchet.

Fascinating attack on gapped networks

Last week, Adi Shamir gave a presentation at Black Hat Europe on using all-in-one printers to control computers on the other side of air gaps.

Theoretically, if a malicious program is installed on an air-gapped computer by an unsuspecting user via, say, a USB thumb drive, attackers should have a hard time controlling the malicious program or stealing data through it because there is no Internet connection.

But the researchers found that if a multifunction printer is attached to such a computer, attackers could issue commands to a malicious program running on it by flashing visible or infrared light at the scanner lid when open.

[...]

The researchers observed that if a source of light is pointed repeatedly at the white coating on the inside of the scanner's lid during a scanning operation, the resulting image will have a series of white lines on darker background. Those lines correspond to the pulses of light hitting the lid and their thickness depends on the duration of the pulses, Shamir explained.

Using this observation the researchers developed Morse code that can be used to send pulses of light at different intervals and interpret the resulting lines as binary data­1s and 0s. Malware running on an air-gapped system could be programmed to initiate a scanning operation at a certain time -- for example, during the night -- and then interpret the commands sent by attackers using the technique from far away.

Shamir estimated that several hundred bits of data can be sent during a single scan. That's enough to send small commands that can activate various functionality built into the malware.

/ /Source