A team effort - Part 1

Note: This post doesn't talk about SOF specifically, although many of the members of the red team have SOF backgrounds.

A red team is, like its name states, a team. This is a great thing since each member brings his or her own experiences to the mix. Each member of the team has a specific area he or she is responsible for. These are usually based on the knowledge of that particular person and on his/her personality. Yes, personality plays a huge role here. For example, not everyone is comfortable with physical security breaches, social engineering, or writing attack code on the fly. Sometimes a person that is not an expert in coding the initial exploit is the one calling the target and causing her to run the exploit. We are masters of our specific sectors, but we do also work on other sectors as well. We all know how to code and the basics of digital and physical security; however, some of us are experts in these areas specifically and often take the lead when an operation comes along.

Still, the success of a project or operation is a team effort, always. The combined knowledge and ridiculous thinking is key.

During one project we had two guys in the field trying to assess the personal security of C-level execs of a large corporation while they were abroad. They were working with limited equipment and relied on us, the guys back at HQ, to help them through the project. These were two of the most capable hackers and security experts I know, both with years of experience, one of them a former SOF operator, yet they knew that they needed help from the team to successfully complete the op. These executives stopped at a local cafe to have breakfast, like they did every morning. One of the execs opened his laptop and began checking the news. The guys from the team started scanning, as we usually do on public networks, and immediately noticed someone performing a vulnerability scan on the executive's computer. This is easy to spot if you have a sniffer running on the network. Now, they could have assumed that it was one of those target-of-opportunity scans, but given who these executives were, the country they were in, and based on experience, the guys decided that this was a targeted attack. They called us back at HQ and requested that we begin coding a backdoor for the exec's computer. They sent us the results of their own vulnerability scan.

The project went from being a security assessment about the personal security of the execs to a digital VIP protection operation.

The idea was to breach the VIPs' computers ourselves before the attackers had a chance, and set a backdoor and monitoring program that might allow us to detect who the attackers were. Hard to do, but sometimes it works.

Given that we didn't want to alert our customer yet, Y, the master exploit coder, immediately started reviewing the scan while I was setting up a computer that would have the same specs as the executive's: same OS, same apps, etc. Once this was done I moved on to writing my own program that would eventually be installed on the attacker's computer if we could send them the attack code. The program was a complex one, one that needed to crawl an unknown network, save data such as IP, domain info, OS, etc., from the attacker, find a way out and exfil the data in a way that would not alert the attackers. Right… Hey, that's what we do. We had about 7 hours to do this, taking into account the time difference between the exec's location and HQ. With Y's and my code tested in less than 6 hours, we sent the package to the guys deployed: one attack code that would exploit a vulnerability in the OS and install the backdoor; the backdoor would then download from the guys' computer the counter-surveillance code I wrote, in the hope that if the attackers breached the computer we could piggy-back on that connection to the bad guys' computers.

In the meantime, we called the security department of our client and let them know of the development. We wanted to make sure the execs didn't have any sensitive data on their laptops. They corroborated the fact that the two executives did not have any sensitive information (as per our advice to people traveling to this part of the world). They also gave us permission to install the backdoor on the execs' computers. It was easier this way. So, we sent this information to the guys on the ground.

We went to sleep while D stayed at HQ to monitor the situation.

70 minutes later, D came to wake me up - I was sleeping in a sleeping bag in my office. He said: "We have movement."

It was on.

Continues in Part 2. Stand by.