Mandatory Books

A while back a reader asked me for a list of MUST READ books. While I was compiling a list from our bookshelf, it occurred to me that a lot of the guys in the Team haven’t read some of these books. So, after talking to them, I decided to make them mandatory reads.

Here’s the list:

Hire the Right Red Team Leader | Red Team Journal

Suppose you hire someone limited to quadrant I to lead your red team. This person exceeds all of your technical requirements and holds a worthy set of certifications. When this person speaks, you listen. And well you should, if the imaginary world you live in is limited to attackers from quadrant I. Unfortunately, the world is much bigger than that, and attackers from quadrants II, III, and IV can hurt you in ways that attackers from quadrant I can’t or won’t. This is a worrisome gap that many firms unknowingly accept, all the while believing their red teams are keeping them safe from surprise.

Getting the Most Out of Shodan Searches | SANS Pentest Blog

A technical post.

Shodan is a search engine that takes a distinct departure from most Internet search engines. Instead of searching through content intentionally served up and delivered to web browsers, Shodan allows us to search for Internet-connected devices. Created by John Matherly, Shodan uses distributed scanners throughout the world to randomly select target IP addresses and identify listening TCP and UDP ports. Listening ports are further enumerated to gather protocol banners, web pages, and other service data. All of this data is then added to an enormous, searchable database that describes the "what" of Internet devices.

Shodan's search feature is powerful, allowing us to specify generic terms such as "camera" or even a specific part number such as "WVC80N" and quickly identify the devices that match.

Beyond the web interface, Shodan offers a full-featured API and command-line tools to search and parse the Internet-device results. In this article we'll focus on using the web interface for effective device searches, as well as tips to use Shodan in your next penetration test.
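Shodan results are only useful on an engagement once they are tied back to the networks you are actually authorized to touch. The script below is an added example, not code from the SANS post or from Shodan: it builds a query string in Shodan's filter syntax (free-text terms plus filters such as port:, country: and org:, which the service does support), then triages a saved result set offline, keeping only hosts inside the engagement's CIDR scope and summarizing what was exposed. The result shape is assumed to mirror the `matches` array of the Shodan REST search API (ip_str, port, transport, product, org, data, location); the four sample records are constructed and use RFC 5737 documentation addresses, not real hosts.

```python
"""Offline triage of Shodan-style search results for a scoped pentest.

Added example, not code from the SANS post or from Shodan. Assumptions:
the result shape mirrors the `matches` array of the Shodan REST search
API (ip_str, port, transport, product, org, data, location.country_code);
the sample records are constructed and use RFC 5737 documentation
addresses, not real hosts.
"""
import ipaddress
import json
from collections import Counter

# Constructed sample: what a saved API response might look like after a
# query such as build_query(["camera"], port=80, country="US").
SAMPLE_RESPONSE = json.dumps({
    "total": 4,
    "matches": [
        {"ip_str": "192.0.2.10", "port": 80, "transport": "tcp",
         "product": "Boa HTTPd", "org": "Example Corp",
         "data": "HTTP/1.0 200 OK\r\nServer: Boa/0.94.14rc21\r\n",
         "location": {"country_code": "US"}},
        {"ip_str": "192.0.2.10", "port": 554, "transport": "tcp",
         "product": "RTSP", "org": "Example Corp",
         "data": "RTSP/1.0 200 OK\r\n",
         "location": {"country_code": "US"}},
        {"ip_str": "198.51.100.7", "port": 80, "transport": "tcp",
         "product": "GoAhead WebServer", "org": "Other ISP",
         "data": "HTTP/1.1 200 OK\r\nServer: GoAhead-Webs\r\n",
         "location": {"country_code": "US"}},
        {"ip_str": "203.0.113.5", "port": 8080, "transport": "tcp",
         "product": None, "org": "Example Corp",
         "data": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"camera\"\r\n",
         "location": {"country_code": "US"}},
    ],
})


def build_query(terms, **filters):
    """Assemble a Shodan search string.

    terms   -> free-text words matched against banners ("camera", "WVC80N")
    filters -> Shodan filters such as port=80, country="US", org="Example Corp".
    Values containing whitespace are wrapped in double quotes.
    """
    parts = list(terms)
    for key, value in filters.items():
        value = str(value)
        if any(ch.isspace() for ch in value):
            value = f'"{value}"'
        parts.append(f"{key}:{value}")
    return " ".join(parts)


def parse_matches(raw_json):
    """Normalize the API's `matches` array into flat records."""
    records = []
    for m in json.loads(raw_json).get("matches", []):
        data = m.get("data") or ""
        records.append({
            "ip": m["ip_str"],
            "port": int(m["port"]),
            "transport": m.get("transport", "tcp"),
            "product": m.get("product") or "unknown",
            "org": m.get("org") or "",
            "banner": data.splitlines()[0] if data else "",
            "country": (m.get("location") or {}).get("country_code", ""),
        })
    return records


def in_scope(ip, scope_cidrs):
    """True if ip falls inside any of the engagement's authorized networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in scope_cidrs)


def triage(raw_json, scope_cidrs):
    """Split results into in-scope findings and out-of-scope noise.

    Only in-scope hosts are ever probed further; the rest are just counted
    so the report can say how much exposure lies outside the client's ranges.
    """
    hosts = {}
    out_of_scope = 0
    for rec in parse_matches(raw_json):
        if not in_scope(rec["ip"], scope_cidrs):
            out_of_scope += 1
            continue
        hosts.setdefault(rec["ip"], []).append(
            (rec["port"], rec["product"], rec["banner"]))
    ports = Counter(p for svcs in hosts.values() for p, _, _ in svcs)
    return {"hosts": hosts, "out_of_scope": out_of_scope, "ports": ports}


if __name__ == "__main__":
    print(build_query(["camera"], port=80, country="US", org="Example Corp"))
    result = triage(SAMPLE_RESPONSE, ["192.0.2.0/24", "203.0.113.0/28"])
    for ip, services in sorted(result["hosts"].items()):
        for port, product, banner in sorted(services):
            print(f"{ip}:{port}  {product:<18} {banner}")
    print(f"out of scope: {result['out_of_scope']}  ports: {dict(result['ports'])}")
```

Run with a real response by replacing SAMPLE_RESPONSE with the JSON saved from the API or the `shodan` CLI; the scope check is the part that matters, since Shodan will happily return hosts that look like your client's but belong to a neighbouring netblock.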


Why should we care about understanding what an adversary does and how it does it?

The simplest answer is that exploring the attacker’s perspective helps you identify and qualify the nature of the risk to the organization, whether digital, physical or human. It is a simple idea (in theory) that has been around for a long time:

“One who knows the enemy and knows himself will not be endangered in a hundred engagements. One who does not know the enemy but knows himself will sometimes be victorious, sometimes meet with defeat. One who knows neither the enemy nor himself will invariably be defeated in every engagement.” — Sun Tzu

So, essentially, if you rely only on a good defense you might be somewhat protected against certain attacks, but others will still get through. If you have a good defense and also proactively try to understand and simulate your adversaries, you will be able to build a stronger and more resilient defense (resilient being the key word, more on that soon).

The first thing that becomes clear once you begin adding Red Teaming to your security planning is that a good and capable defense can only be established once you know how it will be attacked. In other words, rely only on standards or on certification checklists and you’ll cover some basics. Actively test those standards and checklists and you’ll find out what actually works and what needs to be strengthened. Again, look at Sun Tzu’s quote.

Remember a simple fact: the attacker ALWAYS has the advantage, because he needs to succeed only once. The defender? Well, he needs to succeed (or at least notice the attempt) ALL the time. Add to this the fact that attackers don’t play by any rules (or company policies) and are generally free to experiment with attack techniques that the defenders aren’t even aware of, and you get the picture.

In 2016, factor in Red Teaming. Bring in a good team of attackers to test your security. Let them become your worst adversary. Let them show you how to be more secure.

Quote of the day

"Water does not resist. Water flows. When you plunge your hand into it, all you feel is a caress. Water is not a solid wall, it will not stop you. But water always goes where it wants to go, and nothing in the end can stand against it. Water is patient. Dripping water wears away a stone. Remember that. Remember you are half water. If you can’t go through an obstacle, go around it. Water does."

— Margaret Atwood, The Penelopiad

‘Red Team’: A tale of how a general didn’t listen to internal criticism in Afghanistan

This is excerpted from Red Team: How to Succeed by Thinking Like the Enemy, by Micah Zenko.

In 2009, a Marine Corps colonel with an infantry background and two Army majors — both graduates of the elite School of Advanced Military Studies — were brought to Afghanistan to serve as a small red team, known as the “effects cell.” The three officers operated independently from the chain of command and traveled into the field to assess the robustness of partnerships between NATO’s International Security Assistance Force (ISAF) units and those of the Afghan National Army (ANA). At the time, “partnering” in the field was the primary approach toward building a professional Afghan military, which would presumably then begin to take the lead in independently securing areas where they operated. In 2009, Secretary of Defense Robert Gates said during a House Committee hearing, “Making this transition possible requires accelerating the development of a significantly larger and more capable Afghan army and police through intensive partnering with ISAF forces, especially in combat.” If the partnering mission was not working on the ground, then the overall campaign strategy would not be either.

The effects-cell officers were deeply disturbed by what they witnessed — with little variation — at more than a dozen combat outposts. They found that ISAF troops were living completely separately from the ANA forces that they were supposed to be training. This was even before the outbreak of so-called green-on-blue attacks that began in 2012 — violent attacks by actual or disguised Afghan security forces against ISAF personnel. The effects cell noticed, in particular, that ISAF perimeter machine-gun nests were perched high above their Afghanistan counterparts, with the heavy weapons pointed directly toward where their Afghan colleagues slept and ate. Moreover, the daily security patrols conducted by both forces were poorly coordinated and integrated. Also, on some days, literally no training or advising events took place. The Marine colonel recalled how the company and platoon leaders had developed a “FOB mentality” — a derogatory reference to ISAF forces hunkering down in their forward operating bases — and were “just counting the days until the next guys came in to replace them.”

The Marine colonel briefed the effects cell’s findings, first to senior ISAF staffers and eventually in front of General Stanley McChrystal, the commander of all US and international forces in Afghanistan. The Marine colonel was, and is, a gruff and brutally honest person, which an ISAF staff officer contended “couldn’t have been more different than how the general [McChrystal] liked to run things.” The colonel described in detail instances where the effects cell found that ISAF units were not implementing the commander’s strategic guidance. To drive his point home, the colonel graphically stated, “Sir, if they aren’t shitting together, they aren’t partnering together.” Aides to McChrystal contend that the commander objected to both the tone and content of what he was being told, and, at one point, he berated the colonel, saying, “It sounds like you’re telling me how to run my war.”

The briefing ended soon after, and the impact of McChrystal’s vocalized opposition was soon echoing throughout other staff sections. Ultimately, the ISAF’s plans and operations staffs did not accept what the Marine colonel had revealed, nor did they adjust their campaign plans to reflect the findings. Moreover, the effects cell had difficulty getting traction in the remaining few months that it operated in Afghanistan. This 2009 effects cell study exemplifies an instance when red teaming was rigorously conducted to independently evaluate a plan, but then was ignored by senior leaders and their staffs. It was pointless red teaming, and its assessment was disregarded in part because it conflicted with how the ISAF command hoped things would be going. But, unfortunately, the blunt manner in which the Marine colonel delivered the effects cell’s recommendations undoubtedly made the ISAF command’s senior leadership even less receptive to the bad news. Shooting the messenger accomplishes nothing other than signaling to the entire staff that dissenting viewpoints are neither wanted nor welcomed. The red team is there for a reason, to help improve the targeted institution’s performance, and the boss, general, or leader, whoever they are, should be open-minded toward the red team’s purpose and message.

(via Yahoo News)


Measuring Adversity and Adaptation for Red Teams | Red Team Journal

If you execute without a method to track and measure the results, you’ll never know whether the action was successful. But finding the right metric that truly measures whether you’re on the right path is difficult. It is not necessarily up to the red team to develop such metrics, but it is up to them to identify poor measures of effectiveness and to think creatively about behaviors or indicators that could provide better feedback.