Red Team Operations: Attack and think like a criminal

Chris Sienko: Hello and welcome to today's episode of the CyberSpeak with Infosec Institute podcast. This is an audio rebroadcast of a recent webinar we hosted entitled Red Team Operations: Attack and Think Like a Criminal. If you've been interested in the rapidly developing field of red team tactics but want some more info that separates the fact from the fiction, you won't want to miss this episode.

Our guest speaker today is Infosec instructor Jeremy Martin. Over the course of this webinar, Jeremy will help you understand the mindset of an attacker. Among the topics discussed are the job duties of a red team professional, frameworks and strategies for conducting red team assessments, how to get started and progress your offensive security career, and we also have time at the end to take questions from live viewers. Just as a reminder, if you'd like to see this webinar as it unfolds, including presentation slides, you can find this podcast on our YouTube page by searching for InfoSec Institute on YouTube and visiting our channel. As a special opportunity for podcast listeners, you can receive up to $500 worth of hacking toys with class signups. Just visit InfoSecInstitute.com/hacking-toys to learn more. Without further ado, here along with moderator Camille DuPuis, is InfoSec's own Jeremy Martin.

Camille DuPuis: Before I turn it over to Jeremy, I just wanted to share a little bit about him. Jeremy is a Senior Security Researcher and he is an instructor for us here at InfoSec Institute. As a Senior Security Researcher, he has focused his profession around red team penetration testing, computer forensics, open source intelligence and cyber warfare. Starting his career in 1995, Mr. Martin has worked with Fortune 200 companies and federal government agencies, also has received a number of awards for his service.

Jeremy currently provides training and helps manage the computer forensics lab for the Abu Dhabi Judicial Department in the United Arab Emirates. Outside consulting, he is an instructor, security researcher, published author, and speaks at security conferences around the world. Jeremy's current research projects include vulnerability analysis, threat profiling, exploitation automation, anti-forensics, open source intelligence gathering, and reverse engineering malware.

Definitely an incredible person to have with us, someone with a lot of knowledge in the space, Jeremy is also a volunteer for local ISSA and ICFEI chapters. He's held positions for the Open Information System Security Group and sitting on the board of directors for Denver's InfraGard Chapter. Again, just an amazing person to have with us, and on top of that, he also holds over 30 professional certifications.

With that, we'll turn it over to Jeremy now. Thanks for being available to join us and take some time out of your busy schedule. We'll let you go ahead and tell us a little bit about what we're chatting about today.

Jeremy Martin: Basically today we're going to cover what it is to be red team. I personally think it's probably one of the more fun situations in security, because people pay you to pretend to be the bad guy, so you're just doing it legally. What a red team is, traditionally, it's going to be a group of subject matter experts, but you are going to be a subject matter expert, hopefully a team of different skillsets. You might have somebody with, say, physical security background, could be programming, could be, of course, network, cyber com, wireless, and then just work together to achieve the goal.

I know with things like social engineering, that definitely does take quite a bit of skillset. One of the most iconic individuals out there that focused on social engineering specifically, good old Kevin Mitnick. Each person that has a unique skillset on the team is a valued asset, but the biggest thing comes down to trying to pretend to be an adversary. Think of it in this way. Sometimes it might be just break in any way you can. Otherwise, they might say, "We have this specific competitor, they've been attacking us, and we want you to mimic their attack base."

Some tools will even automate the process and do things such as like APT. There's a pretty decent commercial tool out there. It started off from Metasploit and then data interfaced with that called Armitage, good old Cobalt Strike, but when it comes down to it, the biggest thing comes to we're trying to basically break in. A lot of people, they only see how things are built, so how have they been architected. It was built for a very specific reason, that's all it's supposed to do, but unfortunately, a lot of things work differently than the way it was originally designed.

For example, last year there was an issue to where some security researchers found out there was a vulnerability in a sequencer. What they ended up doing was they wrote malware and then encoded it in DNA and had to sequencer read it. That, in effect, made a backdoor in that system, which then called home. You're trying to think about not just how some of the common bad guys would do it, but how anybody could potentially bypass something that was built in. In that scenario that I just mentioned, there's very limited reason why certain type environments may need to get access to the internet. For example, the DNA sequencer probably didn't need internet access.

Same thing with ICS and scan assistants. Not sure if anybody, if you've seen a place like Shodan before, but when it comes down to it, there's a lot of potential systems out there that should not be online. Places like Shodan you can use for information gathering. Some people will call this open source intelligence gathering, OSINT, recon, but basically what you're trying to do is trying to find out what's public. You're not even testing the target, not touching them at all. Again, some of the sites like Shodan, there's tools like [inaudible 00:06:04], there's all kinds of good information gathering items out there to help automate the process. Again, these things may not even be internet accessible. I know a lot of HR departments has gone through and pushed even further to where they will ask you need this very specific skillset. It could be, let's say, SELinux. At that point, you know that they're using Linux Boxes and they also have Security-Enhanced Linux.

Absolutely, there's recon or OSINT that can do most of your job for you, especially things like social networking sites. I know so many people have a social network profile. Most of us do. Especially if you're on the security side, people are disgruntled talking about their work or they're proud of their work and they're talking about it. You can get a sidebar conversation with them and sometimes they do leak out a little bit. I know we were talking about Shodan, but what's interesting about that whole scenario is that they're based off of Nmap scans anyway, they just go a few steps further. If you haven't gone there, it's definitely a good resource.

With that said, looking for things beyond the normal cyber weaknesses, like open ports, I know we kind of mentioned disgruntled employees, but it's things that you're looking for that are not necessarily obvious, especially to the client. I've had some scenarios to where, again, stuff like contacting some of the sales staff, seeing if they're selling specific content, or pretending to be target and then contacting the vendor and saying, "I want more seat license for a specific product," and the salesperson might say, "Yeah, it's going to be this amount. You already have this amount of licenses."

If they come back and say, "Hey, we don't see that you have this technology," then of course that also tells you something, that they probably don't, or if they do, it's not part of their main organization. Things like that, or if you can even get onsite. I had a colleague that's a little bit more eager than I am and he'll do us a recon and try to find out when they have new hire orientation. Once he finds that, and a lot of times that might be Fridays, it could be Wednesdays, whenever, he will then research who the hiring managers are, what groups are hiring, and he usually tries to go for an IT position, a system admin, not necessarily high level security, but somebody low in the ranks but would still have good access. He'll try to get insight, and knowing that he doesn't have any authority either, go to the security desk and say, "I'm here for new hire orientation. I was told to be here. Where is training?"

Security officer guard usually calls up HR or walks them to the area. Once HR gets involved, of course he's not on the list, but he's convincing and he has a fake offer letter. He usually gets put into training and at the end of the week comes out with credentials. At that point, again, you're looking at the guards themselves just let him through, HR just let him through. He's able to just walk in. Most people in general are non-confrontational, which is good to an extent, it's human nature. Somebody is in an area that they shouldn't be, either contact security, things in that area, but they usually don't. Those are things you want to look for would be actual open doors, or see if anybody will open them for you. I have a very good percentage of I'm carrying something or somebody goes to open the door, I hold it open, but instead of going in, I let a few people in and then follow them. Definitely look not just for the cyber, again, it's usually the human factor is the biggest weakness, and then of course, physical always a big issue too.

Camille: Now Jeremy, just bringing up the point you just talked about, researching when they have orientation and stuff, I suppose it's pretty easy to find that information. Maybe on LinkedIn someone posted, "Oh, hey, I've got a new position. I'm so excited to start working with this company and my orientation is Tuesday. Can't wait to start." I think people need to be aware that even on professional sharing sites you can really get a lot of information about someone.

Jeremy: Oh, absolutely. That's where it comes down to is trying to identify those sources. LinkedIn is a good one, Monster, people that have jobs there. I've even been in a group that we had fake job interviews or a fake competing organization or startup and then started asking questions like that to the people we take out to dinner. Yeah, absolutely, sometimes it's a little bit more hands on, but usually it's just right there.

Camille: Yeah, that's very interesting stuff. A lot of people for sure thinks that it's a harmless post or an excitement type thing. We all want to build our brand and build awareness of our own self on LinkedIn and look at those professional opportunities, but interesting to think of it, how it can be really a security concern.

Jeremy: The good standpoint is that's usually not going to happen to most people, but absolutely, industrial espionage is huge. It has been for thousands of year. It's going to be for a long time since. With that said, once you've identified potential weaknesses, here we have a list, you can send exploits to the server. That'd be the cyber. In that instance, you're hoping that there's a port open, and then if you can take it over, great. Phishing, I know a new term that they're starting to push over the last few years, this is kind of a Moby Dick reference, but good old whaling. Instead of going for the average fish and the average item, you're going for the big guys, the Moby Dick of the organization, the CEO, the CFO.

What's interesting about that is unfortunately it's kind of a catch 22. The people that have authorization of the business, those that sign the paycheck, are usually the ones that sometimes are the biggest risks. They're usually the biggest targets. A lot of times they have more rights than they need. I've known CFOs that have had admin rights across the domain. There's no real reason a CFO that deals with finances needs domain access or domain admin access, but yeah, absolutely. I know here, weak services. Weak services could be usernames and passwords. Could be looking for DOS. Then if you can get a DOS, going back to the whole thing about being an actual bad guy, you can then pretend to be their IT service staff. Then at that point, you now have physical access. Once you have physical access, the joke is the game's over.

The only thing that really stops that would be full disk encryption, but when the computer turns on, that's out the window too. Basically, when you identify vulnerability, you just try to find some way of exploiting. If you can't find anything, that's the proverbial joke is that red teaming is a try harder profession. Just try until you break it.

There's a lot of APTs out there, the advanced persistent threats. Sometimes that's what you're trying to mimic as a red team, or just trying to break in any way you can, but a lot of these things are calling back home. It's amazing over the years how many services have popped up that allow people to call back home. For example, I know here we're talking about Ngrok and Serveo. Ngrok is a site so they can set up an application on their own home PC, behind a firewall, behind NAT, behind all their protections, contact outbound their server and then be able to share with the rest of the world.

Same thing with Serveo, but Serveo is just doing an SSH reverse tunneling. You can set up your own, spin up an AWS server. At that point, you don't necessarily have to worry about firewall and NATs on your side, because for years and years I've been doing pen testing. A lot of times I'd be in a hotel. I would definitely not have a static IP address, or if I do, it's usually a cloud service because I don't want my personal static that I have a couple of being tied with potential attack traffic. Yeah, definitely third party services all over.

I know a lot of people have been using Tor over the years. It's harder to call back home on, but it does add for a little bit of a layer of anonymity, but yeah, outside that, once the connection's been made, grab as much stuff as you can. Don't look at the content that you're getting necessarily and then be very specific, unless you have all kinds of time. Most bad guys do. For example, I was brought into an instant response case. I was trying to figure out how they got in. We got pulled into a risk assessment after we did the investigation, but it was one of those interesting scenarios to where the bad guys, we found out during the investigation, they were in there for over a year and a half. They weren't pulling anything, but for a red team, you might have a week or two, maybe more.

With that said, when you do find things, you always kind of want to look for, I like to call it a pain point of your customer. With a pain point, another assessment that I was brought into, basically this airport brought us in, it was a team of two of us, very small team. The specific site had about 900 computers, and out of there you had about 80 servers. Within the first day I was able to guess the servers. All of them were basically the same image of Windows 2008 and they had the same password. The only thing we weren't able to break with the time that we had was the active directory. We had their file server, so we started copying all of their IT data. We copied all their financial data.

Given the presentation, what was interesting about it was the CFO was the one that called us in there, he didn't care. I was able to find an image of his laptop that the IT did about a week before we were brought in. I stumbled across it and I mounted it in some forensic software and basically found some stuff related to him. Even though that in our report we were showing that we had pictures of everybody else's passports, we had everything related to their, again, IT, their HR, their finances, he didn't care until the very end of the presentation. I brought up a picture of his wife and kids, his family. At that point it hit him to where, "Oh, it affects me personally? This is an issue." If you're ever able to point out a pain point to the customer, it does give a little bit more ... Not only is it flashy and good for show, but it definitely gets a little bit more emotion out of the client.

Once it's in a system, it's always a good idea not to just stay on that one system. I know here they're talking about good old pivoting. There's another term called island hopping. It's a little military term, which is basically what red team is anyway, but once you hit a system, there's probably all kinds of issues within the network. That's where a lot of problems happen is you're not able to necessarily compromise the server from the outside due to good firewall rules or they have a low footprint or overhead, whatever, but once you get in, then spread to other systems. Then once you do, try to blend in with the rest of the traffic.

If you're creating users, I do two things. I do create users that look like other users, and then I also create users that are obvious, but I usually do that towards the end. The reason I do both is, again, testing security, and also proving a point that we were not only able to get in, but they should have seen it, but yeah, as far as whenever you're inside, look like normal traffic. You're trying to pretend to be a bad guy. They're probably not going to catch you if you're able to get in to begin with. If they do, that's great. That's a huge good finding for the client is that they were looking, they saw it, you can go on from there, but if they don't see it, then again, that's kind of a negative finding.

If they have a CERT team, which is supposed to be looking, it's if you're slow and go and blending in, there's a good probability they're not going to catch it, especially if you know the baselines to the technology that they're using. That's how bad guys get away with things for so long. Blend in, go deeper, blend in more. Then it's not a bad idea to have some fun too, because you're hired in there to test their security. Once you go in, not only test it, but make it to where it's useful.

Camille: Now Jeremy, I have a question or a little bit of a thought here. What is the longest, just out of curiosity, what is the longest that you've ever heard of someone being undetected in a system or in a network?

Jeremy: Probably 10 years at Nortel before they went out of business.

Camille: Wow. Wow.

Jeremy: Basically they never found it. It was the third party that was going through their assets that found that they were making some call homes to Beijing. Then of course they asked the question, "Why is Nortel calling Beijing so often?" Then they found them.

Camille: That's incredible, 10 years. Wow.

Jeremy: With full admin rights and everything. They had all their trade secrets. Okay, so not being the bad guy, because you're hired into test their security, so you need to document everything for a few reasons. You're trying to help the customer. You're trying to identify weaknesses. Then when you identify them, help them fix them. You're not going to be able to identify everything, but here's the other problem is that if you don't document it and something goes wrong, or for whatever reason the client gets upset because a server went down in a different country and they didn't [inaudible 00:20:25] it, you're going to be responsible for it. They're going to blame you and you need to be able to prove or disprove that you could or could not have caused the problems.

If you did, justify why. Especially if those systems are outside of scope, you need to keep an account of pretty much everything that you found, the place that you went, everything that you touched. If, for example, you're on one network, you're scanning it, and a system on an entirely different network in a different country goes down, if you did do it but you didn't touch their IP address or their system, that is showing in itself another vulnerability. That's something that the client needs to take care of. Absolutely documentation is huge because that basically minimizes liability and increases value.

A couple other things I did want to mention in this scope too is scope, always stay within scope. If you go outside and beyond the scope, that does bring you some legal liabilities. Again, if you do take down a server and you attack something that was not within the contract, that is a potential loss on your part. One trick that I've actually learned, I don't know if anybody's seen these videos before, but there's a couple of them floating on YouTube called the Tiger Team. That's basically a threat team or pen test group that has been around for a while. They highlighted something that was very useful and everybody should be doing, but they found vulnerability. They found their ways in on both of those episodes. At the very end they were actually saying, "You had great security, but this is how we can help you."

Every once in a while, that may backfire. I have had scenarios to where I found all kinds of issues and the upper level management was basically just, "We got the assessment done, we're moving on. We're not fixing the thing," but sometimes, again, if you say everything that you did, it was not a waste, but for a few more resources you can make things a ton better, that definitely makes them a little bit happier. Especially like you mentioned before, with a CERT team, they may have found you. At that, absolutely, that's a great thing. They may have blocked your IP address.

For example, when I do an assessment, I never do it from the IP address that I'm currently in. I always go through a VPN or some other proxies. The main reason is is I want to see how long it's going to take for my IP address to get blocked and my stuff to stop working. If it never gets blocked or stopped, that's great for me, but it's bad for them. If it does get stopped, then absolutely, something to document. They were great. They identified me within five minutes. They blocked me. Switched IP addresses, same thing happened, but again, when you do find things that are bad, it could be a simple fix, it could be a misconfiguration problem, or it could be an inherent issue with technology that they have.

For example, I was doing an assessment on a large organization down South and they actually had some pretty good security. One of the weaknesses we found was that if somebody was going to HR, the security guards would just let them right up. Everybody else, they had to be escorted. You basically said, "We have an appointment with HR," you walk right in. We'd go to the IT staff because we're supposed to meet them, and of course they were surprised we got in, but then they changed their mind because we were supposed to have some credentials and start a basic risk assessment. They said, "Okay, we just want to see if you can do it. Here's a phone line." They had a voice over IP system. "Here's the network cable to the phone, get into our network now."

We're talking, and luckily my colleague was taking up most of the time, and so basically at that point I was able to hook up my system. I ran a couple of tools, one called Netdiscover to find out what the IP ranges and MAC addresses were in the area. I found a printer, spoofed the MAC address, and then was able to get right on their network. That took maybe about two, two and half minutes. What I found out later on is that they had an NAC system, network access control system, but it wasn't fully functional because they had a lot of systems like printers, their old printers, within the e-management system that they had to white list. All the bad guy would have to do is identify one of those. I got lucky. First try, I got one that was being white listed. That got right past them. Again, highlighted the good and then pointed out one of the weaknesses in their technology and they were able to make their area a little bit more secure.

Camille: Well, Jeremy, thanks so much for that. That's some interesting stuff, that people looking to get into this, this red team side of things ... We have a new offering that I wanted to talk about real quick before we get to the Q and A section. Please continue to ask questions. We've gotten a few through the Q and A and a few through chat as well, but we're saving a couple of minutes here.

While we let some more questions stream in and while we look through those, just wanted to get you a little overview on our new red team operations course. InfoSec Institute recently released two new courses around offensive and defensive security job roles. First is the red team operations, which Jeremy just shared a lot of interesting information about with us, and cyber threat hunting, but in the course you'll learn how to perform a comprehensive red team operations pen test, of course, what Jeremy covered today, all of the things that you need to do to test a network and think like the bad guy and be that bad guy, but the course will also prepare you to pass the Certified Red Team Operations Professional exam so that you can prove your red team knowledge to your employer or job recruiters and advance your career in that sense. We also have a really cool promotion going on. I know, Jeremy, you have a few of these hacking toys, don't you?

Jeremy: Yeah, I actually have been using the Rubber Ducky, which is those little thumb drives at the bottom for, what, since 2012, the WiFi Pineapples. You can do a lot of this stuff yourself, but it takes a lot of time and effort. This automates a lot of the attacks, so yeah, absolutely.

Camille: Sure. Very cool. Well, with the promotion you can get up to $500 of ethical hacking toys. Some of the ones you see there are the Hak5 Elite Field Kit, the physical engagement bundle, the WiFi Pineapple, which Jeremy just mentioned he used, but some interesting tools to monkey around with and get that hands on experience as well. Wrapping up here, we've got a few minutes to ask Jeremy some questions. I think one of the first ones we'll go with is, what are the most common vulnerabilities that you find on midsize or small companies, small businesses, versus the larger corporations?

Jeremy: To be quite honest, the majority of the vulnerabilities I do find are usually misconfigurations, bad passwords or unpatched systems. Outside that, if you can't find any of those, then the next best bet is social engineering, so human trust.

Camille: Sure. Do you see more issues with ... I know sometimes in larger companies it's easier with the social engineering because everyone doesn't know each other in some of those big companies. Is that a point that you see often?

Jeremy: Yes. The smaller the company, the harder it is to social engineer. I did have an issue where I was trying to send a calling campaign and I picked the wrong person. I picked a person that the CIO was actually dating and they knew that I was not [crosstalk 00:28:42].

Camille: Well, that's an interesting way to figure it out. That's kind of funny. Another question here, have you started working along blue teams after a successful red team engagement?

Jeremy: Yes. Sometimes it's before and after. I know when I get called in, sometimes it's right after an incident so I have to do instant response and then I work with them to try to do the investigation, then plug up some items. Then I will testing and then go back to them and see if anything can be fixed, so absolutely.

Camille: Sure. Both sides of that spectrum, the bad guy and the good guy to fit our analogy here.

Jeremy: Yep.

Camille: Let's see, another question. What is a good company that utilizes a VPN, or how can a company do that if the home phone gives your position away, I believe the question is kind of asking?

Jeremy: I've worked with a lot of law enforcement organizations over the years helping them set up investigation systems, like open source intelligence gathering, things in that area. What we usually do is we set up a router that has the VPN service. A lot of VPN services, some of them don't log, some of them do, but especially depending on what country they're based out of, I know in the US there's certain things, so if you're not breaking the law, it shouldn't be an issue. Any one of the big ones usually works. I know I use VyprVPN and they just stopped logging due to GDRP, because there's a liability there.

There's another organization I do use called BTGuard, and they focus primarily on people that do BitTorrent traffic, so they're not logging much anything, but if you do that with a router, you can also set up a virtual machine or a couple of VMs on the inside, and then basically have it to where one VM goes and passes through another as a gateway. Even if your system does get compromised and calls back to a bad guy, it's not getting the right IP address. It's getting some other random internal LAN address, or if they do get the external, it's going to be going through at least a VPN service provider.

Camille: Jeremy, another question that came through on the chat here, so this person would like to know the best way to get a red team job. Do they need to learn pen testing, do they need to learn social engineering, or can you just kind of specialize right away into that red team space?

Jeremy: That is a very good question. You need to find an organization that has a red team. Then to be quite honest, use them as your first target. Try to identify the weaknesses that they're trying to overcome, and then focus on those. I do know pen testing is a huge start for it. Social engineering's a huge start for it. It depends on what their needs are, and absolutely focus on learning what their needs are. With that said, it is a good idea to know a little bit more than just one specialization, but yeah, find out what their weakness is and try to exploit them.

Camille: It looks like we've got time for just a one or two more questions here. Another question is many users feel that IT security is a nuisance. How do you deal with that mindset? That's a question that we deal with a lot here at InfoSec Institute is helping people care about IT and security, but Jeremy, do you have any tips on that?

Jeremy: That's where if you find a pain point, which could be management, so sometimes that's a top down approach. If you can get management to care about it because it became personal to them or focused on something that was interesting to them, then they're more likely to support it. Then that basically trickles down, but sometimes it does come to be where you have to find personal information based off the users. I know a lot of companies may not care as much about their employee data as their customer data because customer data can sue more than employees care lose their job, but yeah, if you make it personal then it usually has a little bit bigger of an emotional connection.

Camille: Sure. We're about to run out of time here, so last question that we'll go for came through on the chat and it says, "I have an IT career but I don't have offensive experience. How do I transition?"

Jeremy: Well, there's a couple ways you can do that. You can find a security team that does risk assessment and then you can go that route. Another route would be, to be quite honest, build your own lab. You can build your own lab with virtualization, VMware, VirtualBox, KVM or [inaudible 00:33:49] on Linux, and then just start attacking those systems, try to get it consistent. That's from the cyber side, at least. Read as much as you can, study up, and then basically try to build a value for the organization. I know some people are able to talk their management into building certain capabilities within an organization, but if you're trying to get within another organization, absolutely. IT definitely helps, but trying to get some of the other knowledge is invaluable. Labs are great.

Camille: Thanks again for joining us today, Jeremy. Just a lot of great information and can really help those people that are interested in the red team side of things.

Chris: This concludes today's episode of CyberSpeak with InfoSec Institute. Thank you all for listening. Remember, if you enjoyed today's episode, you can find many more including webinars, tutorials and interviews with security thought leaders by visiting InfoSecInstitute.com/CyberSpeak for the full list of episodes. Also, if you'd like to try our free SecurityIQ package, which includes phishing simulators you can use to fake phish and then educate your colleagues and friends in the ways of security awareness, visit InfoSecInstitute.com/SecurityIQ. Thanks once again to our guest, Jeremy Martin, and thank you all again for listening. We'll speak to you next week.