What's it like to be a high-end Red Team member?

Chris Sienko: Hello and welcome to another episode of Cyber Speak with InfoSec Institute. Today's guest is David ‘Moose’ Wolpoff, co founder and CTO of Randori, a nation-state caliber attack platform. We're going to be talking about red team operations and also about the Randori platform. Moose is a recognized hacker and expert in digital forensics, vulnerability research, embedded electronic design, and most interestingly red team operations. Prior to founding Randori, Moose has held executive positions at [Kyrus Tech 00:00:36], a leading defense contractor, and ManTech where he oversaw teams conducting vulnerability research, forensics, and offensive security efforts on behalf of government and commercial clients. Moose holds a bachelor of science and master of science degree in electrical engineering from the University of Colorado. Moose, thank you for being here today.

David ‘Moose’ Wolpoff: My pleasure.

Chris: Let's start out. Obviously, you've had a very interesting career so far. How did you get started in computers and security? Was security always an interest or did you move down that avenue later in life?

Moose: No, it was completely accidental. I think people often forget how young the career field is. It's not like you can get a degree in cyber security or study it in school when I went to school. I started out doing electronics design, embedded systems design, then embedded systems reversed engineering becoming a forensics expert doing harbor forensics, harbor reverse engineering. That led to mobile device exploitation for forensic purposes. Then, mobile device exploitation for offensive computing. Then, hacking everything else. The rest is really history. That last decade, I've been running teams doing offensive security, high end red teaming.

Chris: What was the bite with these more high intensity programs like white hat hacking and red teaming? Was there something about the thrill of the hunt that brought you to that direction?

Moose: Well, people who are good at the hackings or good at the red team stuff tend to have a little bit of an addictive personality for the types of puzzles and problems that you hit. Definitely, there's a bit of an itch that you got to scratch and I get antsy if I haven't done a little bit of breaking into something or solving some sort of good puzzle. I was really opportunistic. I was working at Kyrus. We had a service called [inaudible 00:02:19], which is a high end red team. We just recognized that the incentive alignment for a lot of the pen test was really upside down, so we changed out we did that. Motivated us to become high end attackers and it worked really well.

Chris: Speaking of that, I wanted to speak to you specifically about red teaming, which is a big exciting topic right now. We're hearing a lot more about it in the news, but not really with any real depth. I wanted to talk to someone who's been involved to get their perspective. For those just coming to the topic, what is a red team? What is its primary purpose and how do we differentiate it from say white hat hackers, penetration testers, or vulnerability researchers, and so forth?

Moose: For sure. I wish that I could say there was a consistent definition that was equally applied. I'm aware of a number of internal red teams with corporate institutions, so if you're a large tech firm, you probably have a red team of some sort. It's really meant to be an aggressor and adversary working a little tiger team style against internal defenses or defenders. In the context I was working, the red teams I've always been with are high end external actors, so we play bad guy, pretend to be the APT, and we really bring knowledgeable and dedicated attacks against the targets we're working against as opposed to a pen test, vulnerability scan, a vulnerability researcher where you might be looking at the security of a particular application, trying to prove that there's a weakness in an application, or scanning for known vulnerabilities or known issues in a scoped or bounded way. We've always worked with the gloves off, goal oriented, motivated, determined adversary attack of trying to be [inaudible 00:03:59], but then of course working with the blue teams after the fact to help them learn from the experience.

Chris: Right. It also seems like it's more of an overall attack rather than penetration test where like you said you're focusing on one specific breach area. Here, you're amassing an army and hitting the company from all sides simultaneously. Is that right?

Moose: Yes. All the engagements that I've been involved in were black box, so we're starting with very limited information, very limited perspective on what makes up the organization. We're doing the full kill chain. From discovery, numeration, reconnaissance, through exploitation, pivoting everything that's involved inside of a network all the way out to data exfiltration. As you said, working without a bound, so not limited in scope to a particular asset or a particular subset of assets, but really going after the whole organization trying to achieve some particular objective.

Chris: Because red teaming as a process is by its nature pretty secretive, let's start at the beginning, what makes a good member of a red team? What backgrounds do red team members generally have?

Moose: On my team over the last several years, it's mostly been good programmers, reverse engineers, systems people, folks with a deep [low 00:05:17] level understanding. Years ago, I was tasked with explaining to somebody in a corporate management what the difference between a hacker and a high end developer was otherwise. Really, you're pulling threads from all kinds of levels of a tech stack trying to achieve some series of events or effects that seems like a miracle to a domain expert. Really, it's people who are really good at problem solving, decomposing how pieces of systems work, how systems of systems work, and then learning new information really quickly. When we've exploited perimeter systems, typically we're working with technologies that we've never seen before that we don't know how to debug, we don't know how to reverse engineer, and we have to quickly dissect those things, figure out what the ramifications of actions that we're going to take might be, bound the risk, and then be able to move forward. It's a pretty high bar to do it really effectively. Depending on the context that you're in, maybe you have more time to reverse engineer or figure stuff out. Core skills are just deep understanding of how all of the technology works in a love of learning how the stuff you don't know works.

Chris: Is time of the essence? Do these tend to be timed attacks? Obviously, it sounds like you are best served by having problem solving under fast notice, but is there a stop watch on you?

Moose: Well, there's two stop watches that happen for a red teamer. The most obvious is tie is money. At the end of the day even for very large engagement, I would typically do six month engagements or longer, you're still time boxed to some extent. If you're waiting for an opportunistic event or for defender to mess up and give you an opportunity, you're eating through your time window. There's that piece. That's the one minor artifice that a real hacker might not have. They might not have that same degree of time pressure. The other time piece is I don't want to get caught. If I'm breaking into an organization and I have some objective that I want to achieve, I'm trying to get a mission done. I'm not here to hack this perimeter system for the sake of hacking a perimeter system, I'm trying to steal your code sign keys, steal your source code, or whatever it is that I'm going after. As soon as I do something that might alert a defender of my presence, that makes my risk go up as a bad guy. Once you start taking actions against an organization, in some sense the clock is ticking. Now, a defender might be on … so I'm always trying to move as quickly as I can so that I'm limiting my risk.

Chris: One of our listeners of the show, if you wanted to get into this line of work, what experiences, qualifications, accomplishments should you be able to point to that would make you desirable to other members of a red team?

Moose: I think the biggest thing for me is you have to understand how all the tools work and how to build tools. It's foundational knowledge, knowing how to use utilities. If you're good with an exploit kit, [inaudible 00:08:21], or post exploitation tooling, those are useful skills, but if you don't know how those things work under the hood, it's going to be really hard to take that next step.

Chris: Okay. We know that red teams are differentiated from penetration testers and white hat hackers by the way they approach vulnerabilities, but in a day to day sense, how does a red team actually work? When you arrive on the assignment, where do you start is the question?

Moose: Yes. Engagements that we've always done, as I said, were very long. I think six month plus. It would be typical for us to spend the first 14 to 30 days or so just doing reconnaissance and surveillance, so getting an idea of, what is the lifecycle? What does the pattern of life look like for the organization that we're working against? Things like discovery of all the assets reconnaissance discovery of all the people. Then, observation of, are there things coming up and down? What's the rate of change? Can I measure things like, how long is a patch cycle? If patch Tuesday would come along or something and you can observe a change to the perimeter system like an IS server, you could try to measure those things. Early stage, we start very hands off. Then, once we start doing that, we basically stack rank all of the assets that we can find on a client's perimeter. That would be both technical infrastructure and people. What is an attack that I think in this organization is likely to be successful? What do I want to go after first? Where do I start doing research or what do I start poking at?

Obviously, if I already have exploit for a vulnerability that's on the perimeter and I can just go after that, I might just try it. See what works. A lot of times on the red team side, we look at individual vulnerabilities for weaknesses as a nugget that might provide us useful information. We might do a spear fishing campaign very early in engagement solely for the purpose of collecting information about the target, but without any real malicious payloads involved. Just get whatever information we can get. Then, we go low and slow. Just take our time until we see something that looks good. As soon as we get any sort of foothold inside the organization, the whole case shifts, and we go from low and slow to move as quick as we can.

Chris: I'm assuming every case is different, but do you have a universal methodology or toolkit that you break out with each? Do you really build your attack differently with each new assignment?

Moose: We have a number of things in query that we always go to. We over the years have built lots of tools around automating reconnaissance and monitoring assets and people. Those are attacks that we've principally pulled into this new company we've got going. In addition to that, we have a lot of post exploitation tools or pivoting other utilities that we have that are our custom stuff. Of course, we're going to leverage Metasploit, [inaudible 00:11:20], Cobalt Strike if it works, but we also have custom [inaudible 00:11:22] kits that we've written that are purpose built for the types of missions that we go after. Depending on what's going on in the engagement, we might deploy something commodity, we might use something very custom. It's really all about ... any time I type the same command twice, I'm going to type it a thousand times. We spend a lot of time in automation and making sure that we don't have to repeat things.

Chris: I think one of the things that caught people's imaginations about red teaming versus what seemed like cooler things like penetration testing or what have you is the physical brute force aspect of it that you're looking at the physical facility itself, you're trying to get your way in physically, or look at the patterns of people coming and going from the building and things like that. Speak a little bit about the physical aspect of it in addition to the automation and the technology.

Moose: Yes. Well, the teams that I've been part of haven't been heavy into physical penetration testing or physical red team break in just because our objectives have always been able to be fulfilled through some other mechanism. Breaking into a building is higher risk for me than doing something remote. Obviously, it's a method of last resort. We've tended towards things that were more hybrid. Shipping somebody a piece of hardware that I can get them to plug in where we've implanted the hardware, built a thing that helps us pivot into an environment. Ultimately, we do what works. If I need to jump over the ceiling tiles to get passed the glass door, motions sensors, so we can get in and go plug it into a building, totally do that. We've definitely walked into buildings, pretended to be an employee, and been given a desk or two to sit at and do our job because somebody thought we were working there. Whatever works, same thing real hackers do. Do what you got to do.

Chris: Yes. What kind of companies employ red teams to try and attack their defenses? Obviously, we're talking corporations that have probably ... they feel like they have a pretty strong defense mechanism in place whereas one might do a pen test because I just want to find out if this one thing is okay. What level of security should your company already have in place before deciding to bring out the big guns of red teaming?

Moose: I would certainly never advocate it for an organization that doesn't have dedicated security personnel. I think that many folks would be surprised how big companies get before they actually have dedicated full time security folks. One of the big values that I always felt I brought to the table as a red teamer was the opportunity for the defenders to learn from their attacker. It's not often that you get hacked and then get to ask the hacker what happened. That's not super useful just to IT practitioners. If you're really interested in finding things that need to be patched today, red team's not going to be comprehensive in that kind of manner. If you're interested in stressing your response and saying, do my defenders pick up on what's going on? Can I see a real actor? In the event of a breach, do I know how to respond in a reasonable way? Those things are more suited I think to the red team. Typically, we see very large organization that have some hybrid of internal thread actors who'd be like an inside red team. Then, some outside red team doing the goal oriented attacks.

Chris: It seems like with red teaming, there's an understanding that you're going to get in, it's just a matter of how you get in, and that's what they want to know.

Moose: Yes. There's some of that for sure. I think at the high end, it's less important how you're going to get in and it's more important what happens after you do. I really strongly believe that success in cyber is all about detecting quickly, responding reasonably, and keeping the lights on. Keep the business running while you're doing a workup. You don't keep hackers out of your network, you kick them out quickly, you move on with your life. If we're dropping [inaudible 00:15:18] in order to breach a company, that's really good. You've one it right if I have to drop [inaudible 00:15:23] to get into your network. Once I'm in, you need to know that I'm there and kick me out quick. We try to do a ton of coaching around those types of things.

Chris: What are some no nos in red teaming? I think this is probably one of those things that goes into the realms of tabloids, but you hear stories about red teams kidnapping the CEO or involving crazy things like that. How far is too far to get in? Is there even such a thing as too far?

Moose: One, I would never go beyond the bounds of authority. Make sure that ... willing consent. I need to know that what I'm doing is within the bounds. Typically when I engage, we'll have some party in the company that we're working against that acts as a white cell or a referee. We'll be in constant communication with them about all the actions that we're doing so that there's no surprises at that level and they always have an opportunity to mitigate risk internally. You don't want to break the business by trying to help them fix the business. It's a little contextual, but broad strokes. I don't do anything that's irreparable harm. I try not to be destructive. We try not to go after anything that's outside the bounds of what our objectives are. If I'm going after proving that I can get access to PII, I will take enough screen shots to prove that I had access to sensitive stuff, but I don't need to exfiltrate it because I don't want to be responsible for tracking the data. In general, I am happy to exfiltrate stuff that is useful for pressing the attack within the context of what I'm trying to achieve and I just stick to that.

Obviously, we've had a lot of clients over the years where we've happened across stuff that looks out of place. A lot of times, I'll just pick up the phone and call the [inaudible 00:17:12] or call our contact and say we saw this weird thing in this weird spot. We're hands off until you thumbs up, thumbs down, tell us what to do.

Chris: Once you've broken the defenses, whether physically, technologically, or through some combination, how do you report your findings to the company? Do you write a report? Do you offer prescriptive solutions that would prevent you getting in a second time?

Moose: A lot of times, we will offer particular medicine for particular problems. More often it's coaching around systemic or institutional issues that need to be addressed. We always give a report to our clients because we always want them to have that documented record of what we did, where we did it, what was going on. Most of the time, the two things that I find most valuable are close contact with [inaudible 00:17:57] or with an agent inside the organization. Weekly or ad hoc calls with whoever's the stakeholder that's really owning the engagement just to make sure everybody knows what's going on. Then, the other piece is always doing a debrief or some sort of coaching session with the people who did the workup. After I've turned up the volume high enough that the defenders know that we're there and they start doing an incident response, they have an opportunity to interrogate us after the fact. We always try to give folks this good chance to have that learning opportunity so take the folks who thought it was a real exercise or thought it was a real hack, do their full workup, and then get told this was friendly. Set up that debrief and have what is usually a fairly warm discussion around, how did this thing play out? What did you miss? What did we miss? Make sure we have the opportunity for folks to learn from the engagement.

Chris: After they've taken a few breaths. Why do you think that red teaming at this moment is receiving such a boost in interest? Is this reflecting a growing unease about the major prevalence of major hacks in the news? Is it something else?

Moose: I think there's certainly the hacking zeitgeist. Every breach in the news every week. I think there's also a pretty broad sense that the general approaches taken to security testing aren't serving the real purposes. If you're doing pen testing because you have a compliance requirement, you probably box it in that compliance bucket. There's a lot of folks who look at the program overall and say I know how all these individual pieces fit into my security program, but I don't know how to test the whole program. We get a lot of querying around folks who are very interesting in that kind of holistic assessment as opposed to piecemeal or more targeted testing.

Chris: I see. As we start to wrap up here a little bit, tell me about the Randori platform. We mentioned it at the beginning of the show and you described it as a nation-state caliber attack platform, which is a great term. What does that mean? How does a platform of this size allow its users to approach attacks and vulnerability tests on a larger scale?

Moose: Sure. I mentioned earlier briefly that we've built a lot of tooling over the years to help us do red teaming engagements and automate those pieces. We've taken that mind share and we've automated a platform around it. We are building a nation-state caliber attack platform, that means we're building the attack platform that we all expect that real adversaries have and are using to breach us, but we're turning that around and letting our customers see it. Starting from zero knowledge, totally black box. Plug in an email address, receive a dossier, and continue a monitoring of that dossier, all of the assets that make up a corporation or an institution. Then, the opportunity to attack assets based on how interesting those things are to a hacker. We have this concept of target temptation where we flavor all of the things that make up the perimeter of a company. Then, let a [inaudible 00:20:52] or the operator inside a business press button, receive attack, see the ramifications of the attack, and then repeat that if they need to or press the attack further into their environment. We're trying to make it very easy for a mid to large size org to get that red team experience and that learnable moment from the red team engagement, but without having to have a costly red team actually show up and do a services engagement.

Chris: This is something that you're marketing to the organization that they would use rather than you're using on them.

Moose: Yes, I think we anticipate that there will be some very natural segues for red teamers to leverage a platform either internally or externally to a client. If the folks we're working with today are of actual victims themselves who are using it to beat up on themselves and see how they do. It's been fun.

Chris: Interesting. Along with Randori, what do you think the future of red teaming is going to be? What will red teams and the companies that hire them have to do to keep steps ahead of hackers and other interlopers? Where's it going from here?

Moose: I think it's going to be more driven towards the goal oriented attack, more driven towards business based risk management. I mentioned before I'm a strong believer that winning in cyber security is just detecting early, responding reasonably, and keeping the business going. The only way that you can really stress your defenders and then learn from that experience is to have somebody come in, play bad guy, and bring you that experience. Whether that's an automated platform that's doing it or a group of dedicated hackers coming in beating up on your defenders, I think that's a really valuable exercise for organization to go through.

Chris: That's great, Moose. Thank you for joining us today. I think we all learned a lot, especially considering how murky this topic has been to people, so I appreciate you breaking it down for us.

Moose: Sure, my pleasure. Thanks very much.

Chris: Thank you all for listening and watching. If you enjoyed today's video, you can find many more of them on our YouTube page. Just go to YouTube and type in Infosec Institute, I-N-F-O-S-E, to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your work day, all of our videos are available also as audio podcasts including this one very soon. Please, visit infosecinstitute.com/cyberspeak for the full list of episodes. If you'd like to qualify for a free pair of headphones with a class sign up, podcast listeners and go to InfoSecInstitute.com/podcast to learn more. If you'd like to try our free security IQ package, which includes phishing simulators you can use to fake phish and then educate your friends and colleagues in the ways of security awareness, visit InfoSecInstitute.com/securityIQ. Thanks once again to Moose Wolpoff and thank you all again for watching and listening. We will speak to you next week.