Getting started in red teaming and offensive security

Chris Sienko: Hello and welcome to another episode of Cyber Speak with Infosec Institute. Today's guest is Curtis Brazzell, managing security consultant with cybersecurity firm, Pondurance. Curtis and I are going to be talking about the methodologies and the day-to-day operations involved in red team operations.

Curtis Brazzell is a managing security consultant at Pondurance, a managed detection and response security services firm. Curtis manages the penetration and application testing teams at Pondurance. With a lifelong passion for all things IT, he brings a well rounded skillset to the team. His prior roles include professional experience as a database administrator, systems administrator, senior security analyst in a global SOC, and a lead digital forensics investigator and malware analyst.

Curtis has created his own intrusion detection and response platform in his free time and loves to tinker with innovative ideas. He also like to spend behind with his family and being outdoors. Curtis, thank you for being indoors with us today.

Curtis Brazzell: Yeah, thank you for having me.

Chris: Before I get into your history and so forth, I'm curious about this in your bio here. Tell me a little bit about your intrusion detection and response platform that you've been building in your free time.

Curtis: Yeah, so I created my own little company based on the idea of taking some open source tools and routers specifically. And trying to make like an intrusion-detection platform for home consumers. So the idea was there was a remote security operations center that responded to threats that you would see over the network and then be able to respond to those and help people that had malware infestations on their internet of things devices or their PCs and what have you.

Chris: Oh and it's sort of like a work in progress then. Are you still working on it?

Curtis: Yeah, I am still working on a little bit. I spent a lot of time on it in the last few years and I'm thinking I'm going to open source it at this point. I'm starting to put it on my GitHub repository.

Chris: Very interesting. So it sounds like this is kind of been in your blood for a long time. Can you tell me a little bit how you got started in computers and security?

Curtis: Yeah, absolutely. So computers have been a big passion of mine since, since I was a little kid. In the third grade, I was fortunate enough that my school were donated some original Macintoshes, and so I was obsessed from the beginning. I tried to do everything I could on the computer. I tried to push it to its limit, see what I could do. My dad saw that passion of mine and got a Compaq Presario PC with Windows 95 on it, 233 megahertz.

Chris: Oh, yeah. Top of the line.

Curtis: Exactly. So that was really what opened the door for me. I did some web on my own at that time. Really started learning visual basic. Thought I wanted to be a developer for the rest of my life, and then really got into security probably around 1998. There was this website called crashme.com. Don't know if anybody remembers that.

There was a windows 98 vulnerability. Visiting the webpage would cause your PC to crash with blue screen. And since nobody really patched frequently back then, almost everybody was affected. So I reverse engineered some of that code, played around with it, put it in a one-by-one pixel, and started sending it around to buddies as a joke.

And really learned that if I'm not careful, there's a dark side to this security world, and so I really wanted to help people fix their computers. So I did a lot of that. I was like the known as the kid in the community that fix the computers for everybody. That's really how I got my start.

Chris: So it sounds like pretty early on, you both understood the sort of power but also the responsibility of understanding things from a break it and then fix it kind of perspective.

Curtis: Yeah, exactly. Yep.

Chris: Yeah. So today I want to talk to you specifically about a topic that's been a sort of a hot topic around here, specifically red teams, and the concept of red teaming as a vulnerability testing system. It's a topic our listeners are very excited about. So to those just coming to the topic, could you explain what red teaming is and what their primary purpose is. And sort of how you can differentiate this from saying penetration testing or vulnerability research or other forms of things like that.

Curtis: Yeah, great question, Chris. I think when it comes to red teaming, you're referring to an advanced targeted real-world attack. And so, it's like penetration testing in a sense that you're taking it one step further than vulnerability scanning. You're not just identifying vulnerabilities, but you're actually exploiting them. That would be penetration testing. And then red teaming is taking it a step further. It's throwing the black box mentality into it. The not knowing, not being provided the assets up front maybe by the organization. Going in kind of blind, not knowing your IQ ranges and things like that. A lot of that reconnaissance up upfront work you have to do yourself. And unlike pen testing, red teaming usually involves doing a lot more stealthy operations and more advanced tactics than you might otherwise do with a traditional pen test?

Chris: Yeah. Yeah. And I think that's sort of where a lot of the interest is right now is that it has a kind of a cloak and dagger vibe to it and that there's, people like to talk about this sort of physical aspects of it and, and the break ins and so forth.

Curtis: Yeah. And that's a good point. The physical part is a very big part of it too. So going on site, dropping USB devices that might have remote access Trojans on there, and things like that, are very much in scope sometimes for these tests, as well as advanced spear phishing campaigns. If we're really simulating a real-world attack. Sometimes that's phishing. 91% of the breaches, I think I read in a Verizon report, come from a phishing attack. So we often throw those in as well. I'm not your typical Nigerian friends type email schemes, but something very targeted.

Chris: So you've, you've been a lead AppSec tester, a penetration test, systems analyst, and plenty of other things. So what was it that made you want to go further into this kind of high-intensity process, like zero day operations and red teaming?

Curtis: Yeah, another great question. So for me that was really just a kind of a natural progression. I very much like penetration testing. I liked every aspect of security, but I think I wanted to take things a little bit further, see if I could figure out how much I can push the envelope. I think there is a part of it that's a thrill. It's not as Hollywood-ish in real life, but I think there is that element where you're breaking in and legally doing as much as you can under the radar. I think that's pretty fun.

Chris: Right? And yeah, and I've heard from a few other people who have talked to us about red teaming, that there's, it's part of the excitement is the problem-solving in the moment. That you're seeing things sort of being thrown up in front of you, and you have to sort of think fast and figure your way around it.

Curtis: Yep. Exactly.

Chris: So since red teaming as a process is by nature quite secretive and a lot of what we hear about it is hearsay, and again sort of has a Hollywood vibe to it. Let's start at the beginning. So what makes a good member of a red team? Like if you're putting a red team together, what qualifications and skills are you looking for?

Curtis: Yeah, so I think, a variety of different skills is what's really going to make a good red teamer. Most of the people, including myself on my team here at Pondurance, we have varying backgrounds from from IT. So I came from a database administration role myself. We have ex-network administrators, ex-fire wall admins, and developers. And I really think those skill sets come in handy when you're working on a problem. And it's really nice to know if you're attacking a network, what the underlying infrastructure looks like. And I think having that diverse skillset really makes a good red teamer.

Chris: So does each person who has their own background, is that their primary focus within the red team? You know, the web or the developer person does stuff related to that, or does everyone kind of do a little bit everything?

Curtis: I think sometimes you have a natural progression based on your background to do certain things. I obviously focused on things like SQL injection when I first got started in the security field. Some of the developers came over and started doing some advanced application security type testing. But for the most part I think it's good to have a wide skill set, and the best way to do that as just cross train and everybody kind of gets thrown into it in the same realm.

Chris: So if you wanted to get into this line of work and you're already insecurity, or even if you're not in security, what experience qualifications or accomplishments should you be able to point to that would make you desirable to other members of red team?

Curtis: Yeah, again, so the most important thing for me is just to having a passion. When I'm looking to hire people into the team. If somebody is passionate about security, it usually stands out. If you have that desire to tinker around, to do things at home. The experience in my opinion was kind of a byproduct of having that passion and curiosity. I think a lot of pen testers by nature want to see if they can break things. And then you have to also want to fix things later and be able to document the findings. But I think having that background, doing online capture the flags, things like that, those are all really good resources to get into.

Chris: Okay. We know that red teams, we've already discussed this, have differentiated from penetration testers and white hat hackers by their aggressive process, but sort of in a moment-to-moment process, how do red teams actually work? What are they trying to uncover and what is their sort of unique approach to the task?

Curtis: Yeah, so I think the big thing is just to simulate a real world attack as accurately as possible. And so obviously the bad guys, the real actors out there, are not going to be following a certain set of rules. They may not be testing during business hours. They're going to be throwing more advanced tactics at its. Zero days. Like I mentioned, phishing campaigns. Things like that that may otherwise not be of scope in a traditional pen test.

Chris: So without giving away too many secrets of the trade, what are some of the common methodologies that red teams regularly employee in their work? So like say you get a commission, and you arrive onsite or wherever you are. Where do you start and how do you escalate, and what is your flow chart.

Curtis: Yeah. So good question. I think that can kind of go however you want it to go. But I think with your example, let's go with that scenario where we went on site. Getting in through the door, we have RF badge scanners that we use. A lot of the guys on the team are lock pickers as well. So mostly it you can just walk in and tailgate somebody to get in. And that's kind of a sad reality.

Chris: Distressingly easily sometimes.

Curtis: Yeah, exactly.

Chris: So we can do that. Once you get inside, maybe you can plug into an open port in a lobby somewhere. Maybe you analyze the wireless traffic and the local LAN isn't segmented from the public, wireless LAN. And you can get in that way. Rubber duckies are something that we take on site a lot. I'm still, we're doing, you know, those kind of physical USB-type attacks as well to see if we can't compromise at least one workstation on the environment and then move laterally and compromise the domain is kind of the end goal there.

I'm thinking in terms of maybe like chess or something, do you have like a go-to set of opening gambits that you do with most commissions, or is it really like every new project is different?

Curtis: Every project is different. But I would say it depends on the pen tester. For me, when I'm red teaming, I like to start with phishing just because it is so easy compared to the traditional looking for vulnerabilities and exploiting those on the perimeter. Nowadays, you don't see as much low hanging fruit on the outside. So you have to get creative and try different phishing tactics.

One of the things I try to do is see if they have a VPN on the outside. So if they have, Cisco, a BPN, any kinetics, I look for that client. I see if I can capture their credentials with a clever phishing campaign, get their two-factor authentication token if it's required, and then use that VPN client to get on the internal network. That'll usually be my go-to.

Chris: So I imagine also, if you are able to get in early with a phishing attack that says you kind of learned a lot about the culture of the place anyway.

Curtis: Yeah, that's, that's correct. So you're doing your research up front to see if they use Office 365, what their environment really looks like before you go in with a campaign.

Chris: So what kind of companies, employee red teams to try and attack their defenses? Like what level of security should a company already have in place before they decided to bring on the atom bomb here such as it were?

Curtis: Yeah, that's a really good question. I think that in my experience all companies should eventually get to the point where they're red-team ready. Where they're in a position with a strong security posture where they can do some advanced red-teaming activities. That's not for everybody right out of the gate.

It depends on the security maturity of that organization. So if you have a company that is just now getting into security, maybe they haven't done any vulnerability scanning, or they just started doing vulnerability scanning, I think it makes the most sense for that organization to start there. Make sure they get rid of all the low hanging fruit type vulnerabilities out there, and then bring in the big guns when they're ready to do the red teaming.

Chris: Is there a benefit to having like a red team on staff? I mean I obviously in like mega corporations, that's probably important, but is that overkill for most companies?

Curtis: It probably would be for most companies, I think. But I think, securities and layers, securities always needs to be improved. Nobody's hack-proof. So I think if there is a security operation center, or an organization has their own pen testers, I think that's a great opportunity to come in and do a red team with a third party with a fresh set of eyes to just look at it and see how an attacker would view the organization.

Chris: I imagine this is not a one-time thing. How often do you think an average company should incorporate these kinds of things into their security posture?

Curtis: I think it depends. Depends on if the organization is PCI-compliant or trying to be PCI-compliant. There's requirements there for pen testing. Red teaming specifically. It just depends on the level of risks that the organization is willing to accept and the risk tolerance. So I recommend at least annually, sometimes twice a year. But again, it just depends on the organization.

Chris: So we've already talked to a couple of times about some fairly exciting things where you're thinking your way into the building, or you're getting into a VPN, or you're leaving drives, or whatever. What are some no-nos in red teaming? How far is too far to get in?

Curtis: That is a very important question to ask.

Chris: What are the ethics of this?

Curtis: Exactly. And I think it's very important to have that conversation up front. So one of the things I do with my team is require a meeting at the very beginning where we talk about the rules of engagement. So what's okay, what's not okay. Obviously there's always been a legal and ethical boundary there so we want to be cautious of that. We're not going to do anything that's illegal. But it depends on the organization. Again, some organization organizations may be okay with picking locks in their server cabinets, and trying to get into the backend that way.

Whereas other organizations may not be comfortable with that, and instead they'd rather you come on site and do an escorted wireless assessments, and see if you can take the pen test from there, the red team from there. It really just depends on the organization. But setting those boundaries up front is very important. Obviously we don't want to do a denial of service attack. I don't know any organizations that want us to go in and affect the availability of the business. You don't want to take any systems offline or anything.

Chris: Yeah, there's the illegality of breaking a window and then there's the illegality of kidnapping a CEO. One can be a little farther than the other. So let's say we've gotten to the vulnerability here or multiple vulnerabilities, like how often, first of all, on average, how long does it take to complete a full red team?

Curtis: It just depends on the assessment, but usually about two to three weeks of actual testing. Sometimes it can take a month or two at the most. Pretty rapid turnaround for the most part, though. And then you have to figure in, there's time for the documentation, writing up the findings and everything. Sometimes that can take just as much time as the actual testing.

Chris: That was my next question here. So you've broken the defenses either physically or technologically. How do you report your findings to the company? Do you offer prescriptive solutions that would prevent them getting in a second time?

Curtis: Yeah. So that's what we're really passionate about here. Obviously we want to make sure that we're not just saying, "Here are your issues. Go fix them." We want to make sure that they are leaving in a more secure state than what we started in. So writing up those findings are important. If the findings are more of a critical type of severity, getting on a phone call and calling and waking up somebody in the middle of night is not uncommon. Depending on the context of that finding. If there's something critical on the outside of their infrastructure, and anybody in the on the internet, public internet, could go in and remote code execution on their servers, that's one of those wake me up type of phone calls. Otherwise, I think it's okay to wait until a status meeting to report that, or write it up in the deliverable.

Chris: Okay. So unless it's absolutely like a huge emergency right now, for the most part, you don't really report back to them until after the mission's complete.

Curtis: Correct. Yep.

Chris: Okay. Why do you think red teaming has received such a boost in interest at the moment? I mean I don't think I'm speaking out of school by saying that the last couple of years, like searches for red team operations and so forth have jumped up quite a bit. Do you think there's a certain something in the air, growing unease about the prevalence of major hacks in the news, or something?

Curtis: That's a really good question as well. I think that from my experience I like to believe that it's because organizations are becoming more secure over time. Those basic security practices, are being done. So you don't see as many patching deficiencies on the outside anymore. That low hanging fruit I referenced, I feel like it's not as common as it used to be. And the threat landscape's changing a little bit. So there's a lot more security awareness training that's happening in organizations today. I feel like almost every organization at least implements that at some point in time. So I feel like organizations as they grow as they have their own intrusion detection systems and other kinds of security systems in place, the most, the next logical step is to test those systems. Let's throw a red team at it and see how it holds up in a real-world attack.

Chris: Well, to that end, let's talk about some of the pros and cons of different vulnerability methods that you utilize. It sounds like you use all of them. So for example, run us through situations where an optimal solution is either a red team or a pen tester or zero day operations or white hat or whatever. What are, what are some of the different levels, I guess?

Curtis: Okay. Yep. So I think you can do any kind of level. I think the organization again has to ask themselves, "Am I red-team ready? Am I mature enough where I get the most value now? And, and having people come in and mimic an attacker from start to finish as if a company was targeted by a state actor or something." Or, "Do I need to scale a little back a little bit depending on my security maturity? Maybe I should start with a vulnerability management program just to make sure that I have these techs in place." And then at the end of the year or something, do a pen test until you're ready to do the the red team. I think everybody should try to strive to get to that point, but it's not for everybody right out of the gate.

Chris: Do you think there's something about the, the current thrill of the new of red team as a security process? Do you think companies would tend to overprescribe it as a solution? Is there things where, I want a red team thing, but you haven't figured out your vulnerabilities yet, or anything like that? Has that been an issue yet?

Curtis: I think it's something that you see commonly, but I think it's just a matter of educating the organization, the IT leadership, just to take a step back and see where they're at with their security maturity. Again, it's just a matter of looking at yourself and seeing where you're at. I understand the need to one of our red team. A lot of people are probably thinking, "Well that's the most advanced thing. Why wouldn't I want that right out the gate every time?" But I just think, you know, organizations might get more value in starting small until they're ready to do the red team.

Chris: Yeah. Yeah. You got to walk before you can run. So what are your thoughts on the concept of purple teams, which is sort of a combo of red team attack and blue team pen testing? Is there situations where this is best served by this approach?

Curtis: Yeah, so purple teams are great in my opinion. I think they're wonderful if you're fortunate enough as a red teamer to work in an organization where there's also a blue team. As with my organization, it's really an interesting opportunity where you get to work closely with that blue team and sharpen skills on both sides. So what I mean by that is as we're doing a pen test or red team exercise, if we also have the opportunity to work our SOC or somebody else's SOC alongside that red team, you get to see if, you get to try to bypass their detection, which is really fun. And you get to try new methods and see if you can push that envelope.

And then if you are successful, it's an opportunity to go back to the blue team and say, "Hey, I was able to get by you. This is how we did it." You really need to go back and put these detections in place so that if somebody does this again, you can detect them. So I think it's really beneficial to both sides. The red team gets to advance and try new techniques. The blue team gets to stay on top of emerging threats.

Chris: All right. So as we wrap up today, tell me a little bit about Pondurance. What type of security solutions do you bring to your customers?

Curtis: Yeah, thank you. So Pondurance is based out of the Indianapolis, Indiana. We are a security threat hunting and response company. We specialize in that, but we also do everything from a business continuity to compliance, to all the different security testing and services my team provides from your traditional 10 testing to your red teaming, wireless attacks, application security, you name it. We do all of that.

Chris: Cool. Thank you very much. So as we wrap up today, what do you think the future of red teaming is? Do you think? What will red teams and the companies that hire them have to do to keep steps ahead of hackers and interlopers? Are we going to have to keep escalating things or will there be new sort of methodologies in place.

Curtis: Yeah, I think you hit the nail right on the head. I think it's a constant game of cat mouse. I think it's going to be one of those things where we're constantly having to stay on the bleeding edge of these new techniques, new vulnerabilities, because that's what the attackers are doing in the real world. And so I think it's important to stay on the edge of things. I think obviously, like the rest of the security community, I think this is only going to increase. I think there's only going to be more demand for this. And like I said, as superior organizations get more and more mature in their security posture, which we're seeing today, they're going to want more and more. Red team's done.

Chris: Well Curtis, thank you for joining us today. This was very informative.

Curtis: Yeah, thank you for having me.

Chris: And thank you all today for listening and watching. If you enjoyed today's video, you can find many more of them on our YouTube page. Just go to YouTube and type in InfoSec Institute I-N-F-O-S-E-C to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Please visit infosecinstitute.com/cyber speak for the full list of episodes.

If you'd like to qualify for a free pair of headphones with a class signup, podcast listeners can go to infosecinstitute.com/podcast, to learn more about this offer. And speaking of security awareness, if you'd like to try our free security IQ package, which includes free phishing simulators you can use to fake phish, and then educate your colleagues and friends in the ways of security awareness, visit infosecinstitute.com/securityiq. Thanks once again to Curtis Brazzell, and Pondurance, and thank you all again for watching and listening. We'll speak to you next week.