Chris Sienko: We recently hit yet another huge milestone here at the Cyber Work Podcast, 25,000 YouTube subscribers. Thanks to all of you who watch and listen each week, to those of you who watch the YouTube videos go live and chat with each other in the comments, and everyone who is helping us to grow this great community.
To give back, we’re now giving you 30 days of team training for teams of 10 or more. Your Infosec Skills account will help your entire team develop their skills and earn CPEs through hundreds of IT and security courses, cloud hosted cyber ranges, hands-on projects, skills assessments and certification practice exams. Plus, you can easily monitor, assign and track training progress with team admin and reporting features.
If you have 10 or more people who need skills training, head over to infosecinstitute.com/cyberwork or click the link in the description to take advantage of the special offer for Cyber Work listeners. Thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week. On that note, I’ve got someone I’d like you to meet. So let’s begin the episode.
Welcome to this week’s episode of the Cyber Work with Infosec Podcast. Each week I sit down with a different industry thought leader and we discuss the latest cyber security trends, how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cyber security industry. We’re going to be talking about red team operations again today, as this is a listener favorite and there’s always a lot to say about the subject, and we’ve got a great guest with whom to discuss it.
John Cartrett of the SpiderLabs team at Trustwave leads clandestine-style operations and simulated attacks on organizations to help them find their least expected, most dangerous vulnerability points and tighten them up. Despite being a newly hot practice that a lot of people are just getting into, John has been red teaming for five years now, with another 13 years under his belt of IT experience and other forms of offensive testing.
Because listeners are always asking us about how to get started in red teaming, because it obviously sounds very exciting, and what they need to know to get on that ladder, we’re going to talk about career strategies and skillsets, but I also want to know a bit about whether anything has changed or will not change in light of the current global COVID-19 pandemic, whether it’s even possible to red team with staffs currently scattered and isolating at home, and whether this change in business practice and the economy will change the nature of red teaming in the years to come. I’ve got a big docket today. I look forward to it.
John is a principal consultant and the red team lead for the SpiderLabs team at Trustwave. His responsibilities mainly include managing all red team services in the Americas from start to finish, as well as being a subject matter expert on red team services globally. He has 18 years of information technology experience and 10 years of offensive testing experience, with at least 5 years focused on clandestine-style red teaming. He has directed and executed close to 100 full-scope red team operations for organizations of all sizes and geographic locations. He has obtained many certifications from organizations such as Microsoft, Cisco, GIAC and Offensive Security, as well as attended thousands of hours of skills-based training.
John, welcome to the program. It’s great to have you here.
John: Thank you, sir. I appreciate it.
Chris: I want to start the show and especially with a guest like you about hearing the roots of your interest in computers and security. This is obviously kind of an obsession for you. Did this start very early on in life?
John: I would say that I’ve always been interested in kind of how things work, and I was notorious as a youngster for breaking things because I wanted to understand how they worked. I would take them apart, and a lot of times you wouldn’t put things back together. It’s always easier to break things, right?
John: I would say that that curiosity really started at a young age. I didn’t get my first computer until I was probably about 9 years old, and I did kind of the normal stuff. Trying to kind of figure it out, take it apart, look at the stuff on the inside, put stuff together, upgrade components when I could and mainly just kind of play video games and whatnot with my folks and by myself.
I did a little bit of coding, but nothing that really kind of took off from that standpoint, that kind of launched me into an IT career or even the security career. Personally, I wouldn’t say that that was a real launch pad for me to kind of get into IT. Later on in life, kind of after high school, I got an IT job and that’s kind of when, for me, things kind of took off, right? Before then I kind of almost saw computers as a hobby, even though I’d seen lots of hacker movies and thought that was really cool.
Chris: Yeah. It was entertainment at that point.
John: Yeah, right. I visited lots of hacker blogs and kind of read, did some of the things. For me, it just kind of didn’t take off from that perspective until I got my first IT career and really got my first certification back in XP. That kind of dates me a little bit. From there, it was that journey of knowledge, right? Jumping from one certification to the next.
As you said in the intro, I’ve done tons of education stuff and I’ve even taken more or studied more things, and I’ve actually taken certifications simply because I loved to learn. I loved to understand things. Especially in my IT career, whenever I was met with a problem or something, I didn’t want to reach out and ask somebody to fix it for me. I would want to research it to figure out how do I make this work? It can’t be rocket science. Do you know what I mean? That’s kind of what has led me into the career that I’m currently in today.
Chris: Okay. What brought you specifically to sort of attack-focused pentesting and red team operations? Is there something about the thrill of the hunt that brought you in this career direction?
John: Yeah, for sure. Right? There again, it was very much a slow transition. It wasn’t like one day I woke up and I’m like, “I want to be a hacker.”
John: I started off in the standard IT help desk administration and kind of moved into servers and networks, and networks I think is really where the security focus kind of took hold for me. As I started paying attention to network traffic and looking deep into packet analysis kind of stuff and really trying to kind of look at IDS type stuff, all that kind of stuff is really what got me interested in looking at the hacking tools themselves to see what they would look like on the network. From that perspective, that’s what kind of launched me into my security career.
At first I was focused on IDS type stuff, SOC analysis type of stuff, and that’s kind of where I really kind of got my roots in infosec, was focused on that, was sitting behind a SIEM, an ArcSight SIEM, and kind of looking at the information that flows in and out of that stuff. Trying to kind of find malice, and while managing a NIPS device, looking at things that it said were an actual attack and trying to kind of unroll those things and actually look at the endpoint device that it’s saying was being attacked. It became very interesting. That was almost like a puzzle of, “Well, look at this. If you do this with this particular web service, all of a sudden you see a bunch of documents on it that you shouldn’t be able to see or whatever.”
From that point is where I really got interested in the whole hacking thing, looking at the different hacking tools. I, like probably very few in the industry, started off with the CEH certification, which at that time – Honestly, I think there’s value in that one, because it gives you that transition knowledge between being an IT admin to what a hacker kind of is. From there, it was like, “This is awesome.” The rest is history, and I can’t get enough of it.
Chris: There’s a lot of sort of close variations of what you just described, sort of active versus passive hacking and ethical hacking and so forth. For those of us coming to the topic, what specifically is a red team and how does it differ from, say, white hat hackers, or pentesters, or vulnerability researchers or other areas?
John: Yeah. I mean, a lot of those things you talked about have very specific things, like vulnerability research is very specific to finding vulnerabilities and documenting those things for whatever reason. There’s a lot of motivation that goes behind vulnerability research, but it’s very specific to finding flaws in different types of software, right?
If you move up the stack kind of into the pentesting realm, you’re specifically looking for those vulnerabilities in software not from a research perspective, but from a – You’re looking for known vulnerabilities to be able to compromise those and to kind of see where it takes you, right? A pentest is very vulnerability focused, for lack of better terms, especially in a non-goal-based pentest. You can think about it as almost like a vulnerability assessment with exploitation, right? Because it’s kind of the goal, is to weed out the things that aren’t interesting for the organization and tell them, these are the things you should focus on to fix, right?
Whereas a red team is really goal-focused and is more specifically outcome-focused, right? It’s outcome-focused via the clandestine-style operations. Meaning the organization has identified a certain set of goals, what we typically call nightmare scenarios. If X, Y, Z happened to my organization, it’d be completely catastrophic. On one side of a red team, we basically try to make that stuff come true without being detected. The mantra there with a red team, which is different from a pentest, is if we get caught, we go to jail. I mean, that’s all within reason, simply because red team is kind of a flavor of adversary simulation, but there are always budget constraints, right?
An organization can’t pay us enough money for us to act or simulate a true nation state, right? I always consider ourselves an emulated cybercrime group, for lack of better terms. But even then, the amount of effort that you can really bring to bear against an organization really depends on the amount of budget that they have. Typically, you will operate in those guidelines as efficiently as you can, but ultimately it kind of comes down to that.
Chris: Right. Okay. I mean, I love hearing that, because we’ve had several red teamers on our show and I feel like we’ve gotten kind of a spectrum of responses in terms of what you just said, which is basically how far can you go? Budget is a consideration and ethics are always a consideration. You can’t kidnap the CEO, but what are some of the things that you can realistically do that you wouldn’t be expected to do, or I guess what is your take on the spectrum of sort of acceptable behavior and how do you sort of establish it with the organization?
John: Yeah. In jest. I’ve actually made that comment multiple times to people, and to date, nobody has ever signed on the dotted line to give us authority to kidnap their CEO. They always laugh like, “Are you serious?” I’m like, “If you sign on the dotted line and you give me authority, sure, we’ll give it a go.” You know what I mean?
John: The most important thing, like you said, is ethics, right? The difference between us and the other side, the black hat guys, is intent, right? We’re not here – We don’t have the same intent that a criminal does, right? We’re not here to deface things, to destroy things, to cause harm. At the end of the day, we’re security professionals and we’re here to make organizations more secure tomorrow than they were today, right? By us causing harm, that doesn’t do anything for the organization. In fact, it hurts the organization.
Typically what we will do – and very rarely do organizations want us to really exercise access that we have, especially on mission critical things. We’ve done red teams for government entities. We’ve done red teams for critical infrastructure organizations, for a whole host of different organizations that have mission critical assets. Very, very, very rarely do they actually want us to do anything or to manipulate their systems. Most of the time it’s just show that you have access to it.
Basically my analogy is this. They want us to walk up to the door, open the door and take a screenshot that, “Hey, look. We could have walked in or we could have done something to anything that’s in that room, but we’re not actually going to do that,” right? Most days is – That does two things. It removes the possibility that we’re going to cause harm by accident, but also it allows them to kind of control budget, because instead of us having one specific goal to focus on, we can actually do maybe a couple things.
For example, when you talk about extreme siloed, as in you’re super focused, laser-focused on a specific goal, you would look at something like Stuxnet. Think about the amount of money and time that they poured into building that thing and it was laser-focused on this one goal to do this one thing. That’s not realistic from a corporate perspective. Do you know what I mean? Typically, when we have red teams, we always try to limit the amount of goals that they want us to do and we kind of set expectations on what we have time to do based on how much budget we have. Ultimately, we’ll start with a single goal and we’ll take it down from there. By stopping at the point of access and not actually going through it, we’re able to actually complete more goals and show more value to the organization.
We’re not spending the time to really understand that particular system. How to manipulate it? How to operate in it without being detected? All that kind of stuff. But every once in a while, we do have clients that have the extra budget or they’re really laser-focused on – Yeah. If somebody does get access to this, what are the implications of it? Typically, those come from – Or off the heels of a pentest. Like the head of pentest and the pentester says, “Hey, look, we could have compromised this thing.” You’re like, “Well, could you really? Do you have the expertise to actually do something with this thing?” We’ve had some custom scenarios like that where they’re super focused on not just getting access, but actually doing something or actually exfiltrating data or those types of things.
Chris: Right. Okay. That’s a really good point of comparison. Sometimes I have a hard time clarifying in my mind the difference between a red team and a pentest, other than obviously the sort of fun of it. But yeah, the point that a pentester can see the vulnerability but might not necessarily have the skill to sort of act on it or actually pull the data or whatever, I guess.
John: Definitely, with pentesting, you don’t have time to do that kind of stuff, especially when it comes to custom stuff, because most pentests are short in comparison to red teams. But even red teams are short in comparison to true adversary simulation.
Chris: Okay. Without giving any secrets of your trade away or your big tricks or whatever, what are some of the common methodologies that red teams regularly employ in their work, and sort of where do you get started? It’s like day one, zero day, whatever, and we got to hit this place. Where do you start? Do you start throwing thumb drives in the parking lot? What’s the usual starting point and where does it sort of escalate from there?
John: Right. The most important thing from a red team operation is really being slow and methodical, right? I would say that what avenue we’re going to start on really depends on what type of operation an organization has purchased. From our perspective, we’ve got multiple different flavors of red team. They’re just like any other pentest, if you will. They have multiple different flavors. We have a full-scope red team that kind of is all inclusive from an electronic perspective. We also have an add-on piece that is the physical piece, where we’ll have a couple consultants come on site and do clandestine reconnaissance and all that kind of stuff. Then we also have just an internal piece, which we consider assumed breach, where the client seeds us with access and we test a specific variant, but it’s almost like we realized the breach ourselves, right?
Depending on where we start in that chain kind of dictates, I guess, the first activities, but all of our activities, regardless of kind of where we physically start, all start with research, right? We really have to understand the organization, the people and the technologies that are in play so that we know exactly what to bring to bear.
The other thing is that we always want to know, because we’re security professionals, right? I personally believe that we shouldn’t bring to bear a level of sophistication that is above what the client truly is. Meaning if a client purchases a red team and they’re relatively new to the red team space. Maybe this is their first, or maybe it’s only the first couple that they’ve done and they don’t have a lot of sophisticated technologies or they don’t have an internal SOC, those types of things, then it’s really not fair for us to come in and do our most sophisticated stuff. They don’t see anything and then we’re like, “Look, we stole all your stuff and you’re in bad shape.”
I mean, if their C-level suite doesn’t see a point to paying for security and the internal security teams aren’t getting budget, then yeah. The shock and awe type engagement where they get punched in the mouth and they realize, “Wow! I didn’t have a plan,” is fun, right? We consider those grudge red teams and we get those kinds of things. Those usually give really good traction to the internal teams.
For most people, it’s about maturing that organization. It’s not about just showing them how bad they suck. It’s helping them move forward. The most cordial way to do that is to kind of ratchet it up, and those particular things, that really kind of dictates. Once we understand the organization, understand the actual people they have in play through open job reqs or resumes posted to career sites, those types of things, as well as any technology that we see, especially via partnerships. We kind of get an understanding of typically how big the organization is, how many infosec staff they have. Then based on titles and stuff and technology that is in play, we kind of guess at how mature they are.
Based on that, we’ll kind of know how sophisticated we should be for this particular organization. I mean, at the end of the day, we always want to win regardless, from a selfish perspective. But at the same time, we want to win in a way that has the absolute most value for our clients, right? That’s kind of the way that we try to operate in that perspective.
Chris: Okay. What is sort of the average timeframe of a full-scale red team thing? I think I’m imagining in my mind something like laser tag where everyone is just running and on top of each other and stuff, but I realize it’s a longer game than that, right?
John: Yeah. The bare minimum that we will do a full-scope red team is a month, and that very quickly becomes three to six months to a year long with the adversary simulation type stuff. The reason is because if you were to break a red team down, it’s basically just a bunch of little pentests kind of stuck together, for lack of better terms. Like you’ve got a section where you’re going to do that research, open source intelligence gathering type phase, where you’re just trying to kind of understand who’s in the ring with you, right?
The second phase is once you come out of that information or that phase, you’re going to have DNS hostings that are owned by that organization. You’re going to have potential IP spaces owned by that organization. You’re going to have a list of usernames, of emails, of all that kind of stuff from an employee perspective, and you’re going to start enumerating and looking for services and kind of open stuff and validating the information you found and really kind of start that internet attack phase. In tandem, typically we’ll start the social engineering phase, where we initially just want to kind of open a dialogue with people internally. We’re not going to just lob a spear phishing email with a payload directly at somebody for the first time, because a lot of times people are going to be like, “I don’t know what this is. I’m not clicking that link, or I don’t know what this document is.”
Chris: Because they’re under the spotlight anyway.
John: Yeah, exactly. What we do is during the OSINT phase, we’ll look for opportunities to open a dialogue with a person. If there’s a person that is interested in puzzles or cars or stamps or whatever, we find that on a blog or a forum. We know that we can potentially communicate with that person directly about this thing, or there are some other different types of things that we have come up with that allow us to interact with people in a way that they don’t distrust immediately.
For example, HR people and recruiters are always looking to hire new people. So they’re always interested in talking to new candidates. Any relationship like that where an untrusted person can talk to a person and there’s immediately a level of trust are the things that you can really take advantage of, and that’s usually the types of things that we start with. I would say that the second piece is really looking at the internet attack surface stuff, looking for all opportunities, and then also kind of starting the social engineering piece, and it kind of leads into that, and usually one of those two things is what brings up our – Or allows us to breach an organization. That’s typically where breaches come from.
Chris: If you’re on a red team for a certain company, now you’re saying that these could be three to six months, to a year long. Are your red team members working on sort of multiple red team operations at once, or if you get a red team job for six months, is that your only job in the company at that time, or do you have to sort of stop it and then work on other things as well?
John: Typically the way that we do that is it’s almost like a pot, right? We put all the clients kind of in a pot, kind of in tandem, and we will do research on individual things. Like one of us is interested in OSINT. We’re going to be focused for a couple of weeks or whatever, till we get bored with it, on OSINT. Looking at all of the different aspects of a specific organization until we find something that’s interesting.
As soon as we find something that’s interesting, we’ll kind of run that to ground to see how far we can take it. The same is also true. We have guys that monitor GitHub repositories and follow different guys in the industry. When new tools or techniques are released to blogs or whatever, we’ll have that time to kind of weaponize those things, and then as those are weaponized, ready to go, we’ll add those to specific scenarios that are potentially going to work. Someone will kind of sling that at the wall to see what sticks.
It’s very opportunistic at that point when you’re talking about that length of an engagement, which is exactly what a true adversary does, right, because they’re very opportunistic. They send out spam emails and if somebody clicks on it they’re like, “Yeah! I’ve got a shell and I’m going to learn and see who it’s connected to,” right? The same is also true. We do research, and as we come out with new tools or new techniques or look at old stuff and we’re like, “If we tweak this in this manner, I wonder what would happen.” Then all of a sudden you have a new technique. It’s like, “Well, let me see if this bypasses X, Y, Z.”
There’s a lot of research that kind of goes into those types of activities to make sure that when you pull the trigger, those things aren’t detected or at least there’s a higher likelihood that they’re not.
Chris: Okay. What types of companies employ red teams to try and attack their defenses? It sounds like you said that there’s kind of a wide variety, the sort of grudge things where you’re trying to sort of get through to the C-suite the importance of it, but there’s also the sort of laser-focus. What kind of industries? What types of companies, and sort of where are they in their cyber posture that they need to go to a red team next?
John: I’ve been asked that several times and I don’t know that I personally can identify a pattern, because I’ve done red teams for organizations all across the spectrum, and it’s almost like every time that I do one, I think, “Oh, okay.” Sometimes I expect this type of organization to do it, and then other times I totally wouldn’t have expected this.
I mean, I’ve done red teams for small, privately owned organizations that have really, really deep pockets and have like 100 people on staff. I’ve done red teams for small organizations that are a part of the government or a branch of the government, for local and state government, and there’s a finite budget for those types of things.
I’ve done red teams for multinational financial organizations that are in like 150 countries, 130 countries, something like that. They have millions of dollars or tens of millions of dollars in security budget and have way too many people to count. Typically, those kinds of environments are almost like a bowl of spaghetti once you get on the inside. It’s like I have no idea where I’m headed.
Chris: God! I can imagine. Yeah.
John: To also speak about the grudge matches. We have done red teams for organizations, or umbrella organizations, as they purchased or are in the process of purchasing subsidiaries, because a subsidiary was like, “Yeah, we’re secure,” and the parent organization is like, “Well, we’re going to buy a red team to see if we can validate that,” right?
We’ve also done ones for organizations that typically wouldn’t do them, but the internal audit has decided that they don’t trust IT and they want us to do a red team to kind of validate the stuff that’s coming. It’s been all over the spectrum, and I’ve personally done red teams in tons of different verticals, and for everybody that I talk to that is kind of a peer, it’s kind of the same thing. Especially now, it’s become a buzzword, and as more people are interested in it, I’ve had a lot more conversations around it, and some of those people, they say they want a red team, but then when you start talking about the level of effort, the money and all that stuff that goes into it, they’re like, “Whoa! That’s not what I was expecting it to be.” Honestly, what they’re wanting is just a pentest, right?
It’s becoming kind of a muddy term, like you’ve kind of alluded to at the beginning. Much like what pentesting did whenever it first came out, right? Initially it was – Honestly, red team is almost kind of a return to what pentesting once was in the beginning. Then it became very commoditized, and I assume that red team will probably at some point become very commoditized, kind of the same thing, and we’ll want to come up with a new term or some other way to differentiate the cool or elite stuff that a part of the industry does.
Chris: Okay. That jumps into my next question, or something that I thought of while you were saying that, is do you have examples, or does it happen commonly, where someone comes to you and says we want a red team thing and you see the state of their security and you’re like, “You just need a pentest. You need to get your house in order before we start doing this kind of upper level stuff.” Because red team is such a sort of sexy term right now, do you find that people are ordering red teams on their company when they really just need to sort of get it together first?
John: If you just look at somebody’s state of security, sometimes you’re going to miss a chance to really show value to that client, right? From my own perspective, because I’m part of the consulting wing of a security company, that’s our main focus, is about value to the customer. It’s not just about doing cool things and doing cool hacks and that kind of stuff.
There are times over my career where I’ve done engagements that I would consider not fair, but ultimately it motivated the organization to really see where they were at, to really get buy-in. There’s one that comes to mind immediately. There’s a really, really big organization and they spent lots of money on lots of things, but security wasn’t one of those, right? Internally, they thought that they were – They had an internal risk department and whatnot and had a few people in IT and a few people with “security hats” and a few people in IT risk, and they truly thought they were at a – If I was to give them a score, at an 8, right? They asked me after I was doing the debrief, “If you had to give us a letter grade, where would you put us?”
I thought for a second and I said, it would either be a C+ or a B-. There were some people that were truly shocked at that outcome, and it’s because they had this kind of false sense of security. I guess they didn’t think they had been breached, and they were spending money on IT, and what they were really focused on from an IT perspective was about like five nines. It was all about uptimes and SLAs and such things, but it wasn’t really about security, and they just figured that they were, I guess, secure in that. But if you looked at their IT security – this is an engagement that we did relatively recently – it had security like the companies did back in the late 90s, early 2000s. From that perspective, it really wasn’t a fair engagement, but it was one that delivered value because of the outcome of the engagement. There again, like I said, we only bring the level of sophistication that the client is really ready for, right?
If they’re willing to pay for the engagement – I would say the one plus side that you see out of a red team that you’re not going to get out of a pentest is there’s a lot more handholding in a red team, because pentests are very short. You’re only going to get to spend a week, two weeks with a consultant. You’re probably only going to talk to them a handful of times and then you’re going to get the report. They’re going to do a debrief and then kind of move on, because that’s the nature of pentesting, right?
With red team, you’re going to be with us for at least four weeks, if not five weeks, if not longer, right? Throughout that process, we will be as collaborative as the client wants to be. We do have clients that come to us like, “We want complete black box, zero knowledge. Hack us like the real hackers do,” kind of nonsense, right?
Yes, we can do that, but the client isn’t going to get as much value out of that as if there’s a collaborative approach. I myself and most of my colleagues were teachers, and any chance that we get to be collaborative and to truly teach the internal organization, we’ll talk to the internal defenders and show them what we’re doing. We love to do that. As long as it doesn’t compromise our forward trajectory inside of their environment. Do you know what I mean?
Chris: Yeah, absolutely. Now, I want to talk to you, because you talked about being a former teacher and sort of your background. Actually, on the Cyber Work podcast, we want to talk about the sort of work side of this stuff. People who might be interested in transitioning towards red teaming, either from other forms of security or even just other industries. What types of experiences or skills should they be building up to appear competitive in the resume pile? Are there any soft skills, hard skills that they should be focusing on to get your attention?
John: For me personally, like I mentioned earlier, I’m very much an advocate of learning. Personally, I’ve always been a person that loves to learn. Even as simple as TV, I don’t watch a lot of TV, but when I do, I watch shows that I have to walk away with something. Do you know what I mean? I’m a big history buff, a big science buff, those kinds of things.
For me personally, it’s all about education and moving forward, because in red teaming, specifically red teaming, but I guess infosec and pentesting is really kind of along the same lines. It’s a fast-moving industry and there’s always something to learn. If you as a person don’t demonstrate that you have a willingness to learn, you’re probably not going to excel at red team, right? Because there’s always some new technique that’s come out that you have to research and understand. There’s always a new target or a new piece of software that you have to understand how to manage or whatever, or even, at a minimum, you have to learn or research the organization to truly understand where their attack surface is and where the chinks in the armor may be. If you don’t have that kind of motivation to be a self-starter or self-learner, then you’re probably going to struggle from a red team perspective.
John: The second thing I would say is really technical skills, right? No one red teamer is going to be good at the entire chain, right? I would say most of the red teamers, especially if you’re talking about a small shop versus a big shop, right? The bigger the organization is, the more compartmentalized the different steps become and the more specialized each one of the operators becomes. For instance, if you’re talking about, kind of going back to the nation state stuff, which is what everybody tries to say that they’re modeling, those organizations are highly specialized. You have people that are just about finding vulnerabilities. You have people that are just about exploiting vulnerabilities. You have people that are just about implanting RATs and those types of things, and then people that do lateral. It’s very, very specialized.
The larger the organization becomes, the more specialized things will become. Typically you’ll see red teams where people will wear multiple hats. Like they’ll be really good at OSINT and really good at social engineering, or they’ll be really good at physical, really good at wireless, or they’ll be really good at spear phishing emails and maybe password spraying, attacking external stuff or whatever, those types of things, right? Then you have guys that are really good at lateral and those types of things.
The larger the shop is, the more specialized they will become, and those job recs will reflect that. They’ll be looking for a specific set of skills or a handful of skills. For instance, if you have a decent-sized team and you’re lacking in web skills, like let’s say you have all these guys that are good at all these things, but we don’t really have like a real developer on the team who really knows how to tear stuff apart, I’m going to be like, “I need a red teamer who has web skills,” right?
But in a smaller shop where people are kind of a jack of all trades, master of none if you will, it’s really about being a senior pentester who is good at doing an advanced-level pentest all by themselves. They can usually fit well into a red team.
Chris: It’s an interesting point. Now, I’m wondering if that sort of could be beneficial for our listeners in the sense of like if you’re already working in an aspect of tech, say, you’re a web developer just making websites or whatever, that if you sort of add that extra level of, “Well, how can I do it in a way that can be an attack vector?” Then you already have the skills you need. You just need to add that extra layer. If you’re a marketer who does blast emails, you might know social engineering really well, things like that.
John: Yes, 100% that. There was a quote that I heard years ago, that it’s easier to turn a developer into a web application penetration tester than it is to turn a pentester into a developer. Do you know what I mean?
If you understand the mindset or the technology that you’re looking at, it makes it easier to attack. Like you said, you touched on it. It was a great example. Sales guys and marketing people make the absolute best social engineers. Sales people that are used to talking to people face to face, it’s much easier. It’s more natural for them to be able to flip that switch and start lying to people when they’re talking to them than it is for somebody who’s like, “Oh! First, I got to get over the fear of actually talking to people, and then I got to figure out how to lie to them? Oh wait! Do they see it on my face? Is it written all over me?”
The same thing with like web stuff. If you as a developer understand the code and can write the code yourself, it’s going to be easier to tear that stuff apart. You’re going to be able to look at the application and go, “Wait. Wait. Wait. Wait. See that function right there? I know exactly what that’s doing on the backend.” Whereas somebody who’s just a network pen guy is going to be like, “I don’t know. I fuzzed it and it didn’t do anything.” Do you know what I mean?
John: There’s a deeper level of knowledge there that comes to bear. Honestly, especially with red teaming, the biggest hurdle to getting into red teaming is the mindset, right? Especially if you’re doing what the correct part of the industry considers red team. It’s not like this is just a pentest, right? The mindset is what I talked about earlier, right? If I get caught, I go to jail. That’s the easiest, or I guess not really the easiest. That’s the hardest part of red team to kind of get over, especially if you already have a senior set of skills regardless of where it comes from, like marketing or development or just pentesting in general. It’s that mindset of if I do this action, what types of logs does it generate and what’s the visibility on that particular action? That’s the hardest thing to kind of overcome, but once you overcome that, then all of your other skillsets you’ve gotten from the rest of your industry or the rest of your experience come to bear.
Chris: When we started planning for this interview about a month ago, I was simply excited to talk to John Cartrett, red teamer, but obviously things have changed a bit in the last month. Can we talk a little bit about red teaming in the present day? I’m guessing that the concept of a comprehensive red team attack is harder to do or different to do now that the world’s taken this particular turn. Is red teaming even possible in the age of COVID-19 and hunkering down, and does your practice change?
John: It’s changed a little bit but almost in an unnoticeable way, right? I would say the biggest challenge is going to be in the onsite world. We’re not typically scheduling any of the onsite or the physical portions of the red team, right? There’s no physical breaches happening because the locations are shut down. They don’t have people there to kind of liaise on that type of stuff. Then any type of red team where the client wants us to come onsite to actually do those types of red team operations, that small piece of it is something that we’re not currently doing in the current climate, right?
But everything else, the current cyber attacks on the internet haven’t stopped. The true adversaries, the bad guys, haven’t given up. If they have to, they’re going to slightly modify their attack techniques and continue to operate, right?
The other thing is that in times of stress, those things present new opportunities, like COVID, right? Now everybody’s freaking out. They’re reading everything they can about COVID. That’s another way for people or adversaries to send out notifications that people will immediately trust. They can take advantage of that stuff, and you’ve seen that in the news where, in fact, even the WHO was attacked, and they were trying to get data out of the WHO, and that’s because of the whole COVID-19. It brings new opportunities.
I would say 90% to 95% of our red teams are all remote, electronics-based, and in my particular industry, most of us work from home anyway. Life is kind of business as usual. We’re going to continue to operate the same way we would if COVID-19 had never happened. The only difference that I would say comes into play is that when you’re dealing with individuals now, they’re going to be on their home networks at home and you have to, from a security professional perspective, you have to be a little more careful.
Did this employee open this particular payload on a home computer that they’re just using, like, Outlook Web Access on? Am I on the corporate network or am I on an asset that’s connected to their network?
Chris: Blowing up their own – Yeah. Yeah.
John: Yeah, right. I mean, we have been doing that for years. Anytime that we can put in environment variable checks, we will do so. We’ll look for things like is this computer joined to a domain, or if we know the internal domain through OSINT, does the user domain equal this or does it contain this kind of thing? If it does not, then don’t detonate, right? As a way to bypass different protections, sandboxes, those types of things, as well as to not infect devices that are kind of out of scope if you will.
Chris: Okay. It doesn’t sound like, even when we come out the other side of this and there’s a possibility of there being a lot more working from home or sort of remote status, that red team operations are really going to have to address their strategies that much.
John: Not too much.
Chris: With the economy and everything. Okay. From a red team leader’s point of view, are there any suggestions you might have for these currently scattered organizations to make sure that their temporarily displaced staff in various departments aren’t inadvertently creating a huge security crisis?
John: Yeah. Even though we’re currently in a crisis, and I would say even more so now, because people are standing up services as quickly as they can to kind of enable their business to continue when historically they haven’t been a work-from-home organization. But we’ve had a couple clients that have had budget for different types of security things that have told us, “Hey, we’ve got to put this on hold, because we had to buy a whole bunch of laptops for our people because our people didn’t have laptops before,” right?
In doing so, they’ve stood up Citrix gateways or RDP gateways or VPNs or those types of things. Anytime that anyone rushes through something and they don’t slow down, be methodical and plan it out, they’re going to introduce issues, right? Those security issues currently in this day and age can be catastrophic for an organization. I would tell organizations to continue to think through the things that they’re doing and slow down and actually plan it out instead of just slapping stuff together to enable the business. Even if it takes a few more hours or another day or even another week, that extra time is going to bode well for them from a security standpoint.
Additionally, if organizations are standing up these services, then they should definitely consider having an external pentest done, and if there’s budget for it, red team operations, so that they could understand basically where the rubber meets the road. How secure am I if an opportunistic attacker comes after me or a cyber crime group specifically targets your organization because they think that you’re a weak point in the herd? I don’t see any less importance in the current day and age. The economy and budget is a factor, right? But I don’t think it’s any less important.
Chris: Okay. As we wrap up today, just tell me a bit about the SpiderLabs team at Trustwave and what it’s all about and what’s some of the exciting projects you have going on right now.
John: Cool. Yeah. The SpiderLabs division is a global offensive testing organization and we do basically everything under the sun, for lack of a better analogy, from an offensive testing perspective. We do everything from ATM and SCADA and mainframe style pen testing to your standard netpen, web application, mobile, wireless. We do physicals and all that kind of stuff. The standard range of penetration testing activities.
Additionally, we have developers on staff who can do code reviews and those types of things, but it all comes down to kind of an offensive testing arena. We also do the high-level red team, purple team collaboration style adversary simulation engagements. We are a global organization and we’ve got kind of hot spots all across the world. We got a big presence in the APJ market. We got a big presence in the VM market. We got a big presence here in the American market as well. We can kind of meet an organization’s need on a global scale.
Chris: Okay. One last question as ever, if listeners want to know more about John Cartrett or Trustwave, where can they go online?
John: I would say the easiest way to find me is either from my GitHub repository or on LinkedIn. I’m not usually a big social media guy. I have a Twitter account, but I don’t do a lot of posting and whatnot. My hacker handle if you will from a GitHub perspective is John Q. Public. But if you search my name, just John Cartrett, it will be one of the first things that comes up.
Chris: All right. John, thank you so much for your time and insights today. This is awesome.
John: Absolutely. Thank you, sir. I appreciate it.
Chris: All right, and thank you all for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec. Check out the collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice.
For a free month of our Infosec Skills platform, just go to infosecinstitute.com/skills and sign up for an account. In the coupon line, type cyberwork, all one word, all small letters and no spaces, to get your free month.
Thank you once again to John Cartrett and thank you all for watching and listening. We will speak to you next week.