Since we didn't meet the minimum, the orders will not be fulfilled. Maybe next time.
One of the things that makes the security field so interesting is that it’s mostly about people. Security efforts (even if assisted by security systems) are usually directed at people, and largely executed by people for the protection of people. The most important assets are usually people, most of the highest risks we try to mitigate have to do with people and most screening and assessment efforts are attempts to distinguish between people who pose a security risk and those who do not.
If you can’t understand people, you can’t fully understand security.
This coming April 5th, we'll be recording live episode 21 of the Red Team Podcast in NYC. Starting after 1700 hours (5pm), we'll be at Harding's - 32 E 21st St, New York, NY 10010.
Come and see what's up.
This approach and way of doing things was good, however it presented a challenge. Most organizations are not ready for this kind of security assessment. Their security programs and people are not mature enough to really understand the need for Red Teaming, and they were not ready for the assessment, which often resulted in wasted effort and in the Team penetrating them using techniques they had never thought about.
"WORST CASE SCENARIO: Even when the probability of that happening is low. Work from there, addressing all cases with higher probabilities that may lead to that worst case. Walk in the adversary's shoes."
Sure, you write the report, you list the findings and their solutions, you wrap it up with a good executive summary, pictures of the engagement and a closing statement. But, is that it? Is your job done?
There are a few things you still need to communicate. This is the key to a good Red Teaming engagement. No, it's not "I breached everything, bypassed all and got your data". It's not "your security sucks and we are so cool, look how we pwn you!".
The 5th phase of a Red Team engagement is the report. But there are a few more things you need to do. These are the key pieces that will not only bring your customer, or your team, to the next level, but also keep them engaged and thinking the way you want them to, effectively making them think like the adversary going forward.
There are, in my opinion, two things needed during and after the report:
- A clear explanation of why they need to implement the security solutions you are recommending
- A clear view of what their industry, and more importantly, their competitors and peers are doing to be more secure
You would be surprised how often red teamers forget these.
Let's look at those two points.
The more your customer, or the people you are red teaming, understand why you are suggesting they do something, what you are solving, and how this directly correlates to real-world attackers, the more they will work with you and buy into your strategy and solutions. It is important that they understand how attackers work, how they change, and that they need to change with them. Explain how you, the red teamer, need to adapt as well in order to effectively mimic and emulate the attackers that would come after this organization. Explain very simply and without technical buzzwords the gaps found in the assessment. Explain why we, the red teamers, do what we do.
It's a simple step, yet it is so hard to do. The benefits of this are enormous.
What are the competitors and peers doing with their security? Why? What are the standards out there today that they are not meeting? What security controls, and possibly what strategy, did the competition see fit to put in place, to solve what problem and against what attacker?
This is very important. Explain this very clearly. Explain what you did to understand the industry, gaining several points for really speaking their language. Explain the process an attacker would use to do the same, to understand the vulnerabilities and gaps in organizations within this industry, and how they would leap from there to the targeted reconnaissance of your customer. The more they understand the security needs of their industry, the more they will understand the need for Red Teaming. This is key to working the right way with an external Red Team.
Give them all the transparency you can. Work with them, make them understand the what.
The more you do this, the more you will begin to see a change in mindset in people that tend to be overly defensive when you break into their stuff. The moment they begin to understand what you do, how you do it and why, the more they will be inclined to work with you in the future.
I speak from experience.
When in doubt, red team it.
Since several people asked, here are some of the past books reviewed on the blog.
There are more. Search for "books".
Team of Teams
When I first thought about Team of Teams by General Stanley McChrystal, I thought this was another one of those books where a high-ranking officer recounts some of the stuff he did when he was in charge of certain missions in Iraq or Afghanistan. But given that he commanded the Joint Special Operations Command (JSOC), and he is regarded as one of the people that made JSOC one of the most formidable, fluid and adaptable special operations organizations, I figured I'd give it a try.
What a great book.
This book is not about war. This book is about how to apply small-team tactics and their mindset to large organizations, with ever-changing landscapes and the human factor. This book helps cope with chaos and shows a different approach to adaptability.
Left of Bang
Left of Bang: How the Marine Corps' Combat Hunter Program Can Save Your Life, by Patrick Van Horne.
I finished reading this book last week and I took some time to digest all the material. It is filled with invaluable lessons from the Marine Corps Combat Hunter Program, presenting several strategic ways or systems for making decisions under pressure and in less than permissive environments. Left of Bang will enhance the level of observation and awareness of your surroundings. It is an excellent text about decision making in any time-critical profession where safety and lives are on the line.
Learning how to read the environment and respond to it properly is sometimes the difference between coming out alive or not. The book does a great job of explaining baseline body language, atmospherics and what is normal or not, in other words, detection of anomalies. You begin to understand the importance of trying to think proactively, 2-3 steps ahead of a possible threat.
The material in the book is taken from the US Marine Corps Combat Hunter Program, which was implemented as a way to better prepare Marines for counterinsurgency environments such as those found in Iraq and Afghanistan. In these environments the enemy hides among the civilians and blends in, coming out to attack and returning to being a "civilian". The book touches on some of the best profiling methods, some used by Israel, a country with a history of situational awareness. These are methods that anyone can apply to their daily lives to enhance personal security.
Human Intelligence Counterterrorism and National Leadership: a Practical Guide
This is a book about the current art of human intelligence and counterterrorism. Mr. Berntsen wrote this in an effort to make policy-makers more aware of the current efforts against terrorism worldwide. It is a simple, yet very informative book about the topic and one, in my opinion, that must be read not only by the top brass, but by everyone. We are all part of this war.
On the Red Teaming side, this book has a wealth of information about the human condition, about working the angles, about social engineering and HUMINT. It is a great book to have on your bookshelf.
The Unfettered Mind
The Unfettered Mind: Writings from a Zen Master to a Master Swordsman. By Takuan Soho.
This is a Zen book, a philosophy work. While this is not a Red Teaming or technical book per se, I think if you are looking to really understand the mindset, human nature and how to better yourself, this book has a lot of value. I'm a long-time Aikido practitioner, where Zen elements are present in every aspect of the martial art. One of my early Sensei requested that we read this book before taking our Shodan (black belt) exam and that we write a small work about our minds.
Many years later, I found the book again and read it, now after having served in the military and already working as a Red Teamer. I understood the contents differently and I began applying those concepts during the analysis phase of the project. The results were surprising.
We must know that it is not enough just to see what the Mind is, we must put into practice all that makes it up in our daily life. We may talk about it glibly, we may write books to explain it, but that is far from being enough. However much we may talk about water and describe it quite intelligently, that does not make it real water. So with fire. Mere talking of it will not make the mouth burn. To know what they are means to experience them in actual concreteness. A book on cooking will not cure our hunger. To feel satisfied we must have actual food. So long as we do not go beyond mere talking, we are not true knowers.
It is a small book, but highly recommended.
Here's Takuan Soho on Red Teaming:
When you look at a tree, see it for its leaves, its branches, its trunk and the roots, then and only then will you see the tree.
This book review is not about a technical book, it's about a modern science fiction novel: Kill Decision by Daniel Suarez.
Kill Decision is a mix of cyberpunk, military and actual science stories that come together in a great and frightening view of what is coming in the very, very near future. Daniel Suarez makes a compelling point about automated drones. A team of Special Operations Forces (The Activity) joins forces with a university professor to fight a new threat to the United States and the world. The story is fast paced and violent, with hints of humor as well.
In any case, it's a fantastic book if you want a story that mixes several types of literature and contains a lot of the Red Team mindset in it.
Open Source Intelligence Techniques
Open Source Intelligence Techniques - 3rd edition (2014) by Michael Bazzell.
This was a present from a friend. I was a little skeptical given that in the past the OSINT (Open Source Intelligence) books I've read were very vague, however I was surprised with this one.
This is a nice introduction to OSINT. It provides beginners and seasoned researchers with a good review of current tools and techniques. The author does a good job of presenting the material in an easy-to-read format. Again, it is mostly tailored for beginners, however there are a few tips and tricks that will surprise professionals too.
The book presents techniques for searching for information using plain search engines, deep web search engines, social networks, online maps and resources (photos and videos), people search engines, documents and public domain government records, and others. Full of tools you can use, with screenshots of those tools, it walks you through a simple, yet useful, way to search for and collect OSINT.
Find, Fix, Finish, Exploit, Analyze, and Disseminate (F3EAD), pronounced “F-three-e-a-d” or “feed,” is a version of the targeting methodology utilized by the special operations forces (SOF) responsible for some of the most widely-publicized missions in support of overseas contingency operations. F3EAD is a system that allows SOF to anticipate and predict enemy operations, identify, locate, and target enemy forces, and to perform intelligence exploitation and analysis of captured enemy personnel and materiel. Central to the F3EAD process is the functional fusion of operations and intelligence functions throughout the SOF organization. In F3EAD, commanders establish targeting priorities, the intelligence system provides the direction to the target, and the operations system performs the decisive operations necessary to accomplish the SOF mission. This paper explains the F3EAD process, examines how it is used by SOF and general purpose forces, and provides recommendations for its further implementation and inclusion into formal doctrine.