Last ever run of t-shirts

Red Teaming: Closing the Gaps | Red Team Journal

Here's a companion text to Episode 6 of the podcast, written by Mark Mateski at the Red Team Journal.

Despite the fact that we pride ourselves on thinking laterally and creatively, we red teamers are still human, and as humans, we share a host of “wetware” issues with our non-red teaming colleagues. The difference? We’re aware of the issues (or at least we should be), and we (usually) try to do something about them. Even so, the issues persist.


Because Multicam, right? It makes all look good!

Why Red Teaming?

Why do we believe in Red Teaming?

Modern organizations are too complex to really consider themselves “secure”. Breaches can and will occur; it’s a matter of when, not if. It is more likely that an organization has already been compromised but just hasn’t discovered it yet. It is critical to assume this is true, and preparing for it will greatly enhance your chances of continuing business when a breach happens. One of the best things an organization can do to better prepare for the impact of current and future threats is to simulate real-world attacks, bringing to bear the tactics, techniques and procedures (TTPs) that a determined and persistent adversary uses during breaches. The information gained from Red Teaming and live site assessment exercises helps to significantly strengthen defenses by pointing out what works and what doesn’t, exposing holes in plans, improving response strategies, training defenders, and driving greater effectiveness of the entire security program.

Start with the assumption that you have been breached!

In the current world, a prevention-only program is not enough to address determined and persistent adversaries. You have to be proactive and address the what, where and how.

Red Teaming also plays a big role when planning your business continuity strategy. Traditional security methodologies have largely been focused on prevention. Prevention is a defensive strategy that, while a vital part of any good security program, doesn’t address post-breach or emergency planning. Red Teaming can steer decision makers in the right direction, helping the teams create preventive plans, as well as TTPs to be used during an incident and immediately post-incident.

The ever-changing perimeter

With the evolution of networking and the adoption of the cloud paradigm, the boundaries of the organization can no longer be defined by a network perimeter managed physically or virtually through firewalls and network devices. Corporate data, including sensitive data and source code, can be found spread everywhere: on-prem, in datacenters (co-located or fully owned), in the cloud, with partners, with vendors and service providers, and on a variety of user devices. All of these require different security strategies that most companies haven’t even begun to address. This is why factoring Red Teaming into a security program helps look at all the different corners of the organization, allowing the decision makers to address issues that were unknown until then. The role of a Red Team is to attack and penetrate environments using the same steps and TTPs as an adversary, often creating new attack methodologies made specifically for the organization. Red Teaming verifies that protection, detection and response mechanisms are implemented properly.

The “social” aspects

Last but not least, there is one very important aspect that security plans often overlook: people and social media / the internet. A capable adversary will often begin reconnaissance of a target by looking at the employees and service providers of an organization. There is a lot to learn from what people comment on social media sites and from the pictures they post (often taken inside the office and other locations of interest). A good security plan should account for this, but often this last bit is neglected. Red Teaming looks at this as well. A good Red Team spends time learning the target, combing the internet for any publicly available piece of data. Most of the time, the people supply all this information for free. Open for the taking. Don’t forget the people. Act, don’t react. Actively looking at the threat footprint of an organization is one of the first steps towards making the organization more secure and resilient to attacks. Look at the people.

An overall look

At the end of a Red Team assessment, a very thorough report and review is presented to all interested parties. This report describes every failure and success, the response by the defenders, and things that need to be addressed immediately, from controls to planning to better TTPs. Lessons learned is the name of the game. A Red Team engagement will provide solutions and enhance decision making. Organizations open to this, allowing Red Teaming as part of their security strategy, will remain the top players, even if a breach occurs.

When in doubt, Red Team it.

Quote of the day

"Israel’s security doctrine was built around layers—each layer being more difficult to penetrate—and it was always best to engage a threat at the outermost layer. This was one of the pillars behind Israel’s reliance on dynamic proactive deterrence to strike out preemptively rather than absorb a preventable blow."

-- The Ghost Warriors: Inside Israel's Undercover War Against Suicide Terrorism, Samuel M. Katz

Gegenspielers Unite! | Red Team Journal

Mark hit the nail dead center. This is something we firmly believe in.

  • Gegenspiel is the practice of exploring a situation from the perspective of an adversary or opponent with the purpose of strengthening plans, strategies and systems, and
  • Kontraspiel is the practice of exploring a situation from a critical perspective with the purpose of exposing flawed thinking.

If you care to join me in employing this dichotomy for the purpose of focusing, refining, and innovating the practice of Gegenspiel, please do. I am, after all, a Gegenspieler at heart, and perhaps you are, too.


Playing the Part

Over the years I've found several techniques that, no matter how trained the security personnel of a corporation is, tend to work one way or another.
In this case "the angry executive speaking in another language on a cellphone".

I've used this many times and with good results. After researching the target a bit, learning what the baselines are in terms of dress code for the top executives and diversity of the employees, coupled with the atmospherics of the location and its patterns of life, you can put together a very credible employee-from-another-office act.
The idea is to show both that you belong there and that you are coming here especially from another location. It causes whoever happens to be in front of you to be a little more sympathetic.

In one particular case, I was outside, on the street, by the booth keeping the entrance to the underground parking. The guard was looking at me. I was wearing the proper suit and tie, with a fake, though very realistic, badge clipped to my jacket's pocket. On cue, another guy from the team called my cellphone. I answered in English and switched to another language. I became more and more agitated as minutes passed. The guard kept an eye on me. I made it a point to walk back and forth by the booth and give him consternated looks. He began giving me small smiles... And after about 20 min, he lost interest in me, having seen my badge and sensing that I belonged there.
Once I saw that, and still arguing on the phone, I slowly began walking towards the parking, going down the ramp step by step, still on the phone, still gesticulating and never looking back at the guard. I belong there, right? I wouldn't worry about the guard.

Boom. I was in. I was freely walking on the underground parking.

Next was to get inside the building. My badge was a good copy, but it wouldn't open the door from the underground parking to the elevators. So I stood there, still angry on the phone, until 5 min later, someone came back to his car. As he walked by me, I gave him a smile as I walked in. He never questioned me. So... Now I was really in.

After that it was just stuff, but, once you understand the environment, and know how to play the part... It's just a matter of time.

Quote of the day

"It is not good to settle into a set of opinions. It is a mistake to put forth effort and obtain some understanding and then stop at that. At first putting forth great effort to be sure that you have grasped the basics, then practicing so that they may come to fruition is something that will never stop for your whole lifetime. Do not rely on following the degree of understanding that you have discovered, but simply think, “This is not enough.” One should search throughout his whole life how best to follow the Way. And he should study, setting his mind to work without putting things off. Within this is the Way."

— Hagakure