6
Stephanie Carruthers

“The best way to get a red team job is to network. The goal when networking with people is building relationships.”

Closeup image of the professional liar (performing social engineering as a service) "Stephanie Carruthers."

Twitter: @_sn0ww

Stephanie “Snow” Carruthers is a professional liar performing social engineering as a service for her clients. Stephanie specializes in using her social engineering skills to perform a variety of assessments, including OSINT, phishing, vishing, covert entry, and red team exercises. She works with clients of all sizes from startups to Fortune 100 companies in all industries, as well as government agencies. Since 2014, Stephanie has presented and taught at numerous security conferences and private events around the world. For fun, Stephanie has earned black badges for winning the Social Engineering Capture the Flag (SECTF) at DEF CON 22 and also The Vault, a physical security competition at SAINTCON 2017. Stephanie also enjoys traveling the world to see beautiful locations and meeting new people, like Larry, who just let her into your data center.

How did you get your start on a red team?

The short answer is slowly. I started my career by specializing in social engineering and physical security by working at different organizations, including an information security consultancy and government contractor, and I even started my own business. At each of these different types of organizations, I was able to grow and learn professionally in different ways. However, I still worked hard at developing and expanding my specific skill set.

In time and as a result of networking, a red team saw value in my specialized skill set and made me an offer. I brought a specific talent and value to the team. I think a common misconception about red teamers is that they must be jacks-of-all-trades, and that is not the case at all. Having a group of talented individuals in specific areas makes for a much more talented and capable team.

What is the best way to get a red team job?

I believe this answer is two-part. First, you need to develop a specialty. There is no doubt that solid, specific talent is a requirement. As Charley Bowdre once said, “You can’t be any geek off the street; gotta be handy with the steel if you know what I mean; earn your keep”!

The second part is the hard part. The best way to get a red team job is to network. The goal when networking with people is building relationships. As those relationships build, which is naturally a slow process, you must show that you can be trusted. The value of trust between red team members can’t be overstated.

How can someone gain red team skills without getting in trouble with the law?

I think this question is flawed. First and foremost, when people say “red team skills,” I feel like Inigo Montoya would say, “You keep using that word. I do not think it means what you think it means.” Red team skills aren’t anything more than working in a fast-paced team dynamic. The technical aspect of red teaming aside, you can get “red team skills” anywhere there is a fast-paced team dynamic, from McDonald’s to the military. Any time you’re required to work as a part instead of the whole, you’re working on red team skills. In fact, you’d have to go out of your way to gain these skills in an illegal manner with so many opportunities present. It’s just a matter of knowing where to look.

I’d be remiss if I didn’t talk about the technical aspect, though. This is where the trouble with the law caveat in the question comes from. Twenty years ago, in 1999, this would have been a real problem. However, it’s 2019. Access to labs, capture-the-flag (CTF) events, blogs, YouTube, a vibrant and social information security community, university degree programs, high school programs (CyberPatriot), college programs (Collegiate Penetration Testing Competition, National Collegiate Cyber Defense Competition, etc.), and even paid training programs exist. The resources are here in abundance. You can’t go 30 seconds on YouTube without a Udemy ad trying to teach you ethical hacking. Even with the physical security portion, at the SAINTCON conference in Utah, I proudly help run the The Vault, a physical security challenge that gives attendees an opportunity to practice attacks against physical security controls such as RFID cloning, lockpicking, request-to-exit bypasses, under- and over-the-door tools, alarm systems, biometrics, and so on. With all this information present, the bar to a technical skill set has been drastically lowered as compared to 20 years ago.

Why can’t we agree on what a red team is?

Spoiler alert: we can, and we have. However, there is a consumer education problem. Some in the information security industry want to do things “their way” or want to make new definitions for things to meet their abilities but add more markup to their services. This is unfortunate and contributes to the confusion of the consumer. Unfortunately, because the commercial sector doesn’t usually look to the government sector, many aren’t aware that the term red team has been defined for quite some time and is a very good definition.

In 2005 the Department of Defense released Manual 8570.01-M, which defines “red team” as

“An independent and focused threat based effort by a multi-disciplinary, opposing force using active and passive capabilities; based on formal; time bounded tasking to expose and exploit information operations vulnerabilities of friendly forces as a means to improve readiness of U.S. units, organizations, and facilities.”

In recent years, as this concept is expanded, I feel that this industry will naturally align with the 8570 definition much as PCI has helped drive the difference between vulnerability scan and penetration test.

What is one thing the rest of information security doesn’t understand about being on a red team?

Hot take: being on the offensive side doesn’t mean you’re on a red team. There is no red side. You’re confusing it with opposition forces (OPFOR). Stop saying you’re red or blue—this isn’t fucking gang territory, and you aren’t Bloods or Crips.

Many people think that a red team is a one-person show, which isn’t the case at all. A true red team has multiple team members and a lead. These team members work as a cohesive unit toward a common goal. There is no room to operate independently, which is difficult for many offensive testers as they are used to doing things their way at their pace.

“Many people think that a red team is a one-person show, which isn’t the case at all. A true red team has multiple team members and a lead.”

When should you introduce a formal red team into an organization’s security program?

While this is a gut feeling, it’s a pretty easy one to come by. Consider how a company isn’t going to get the right value they need out of a penetration test if they have never done a vulnerability assessment and also have no patch management process. An organization is ready for red team assessments once penetration tests have diminished in value.

How do you explain the value of red teaming to a reluctant or nontechnical client or organization?

I explain that the value from a red team comes from the team aspect. Typically, companies get penetration tests conducted by a single consultant who usually has a general skill set. A red team brings a group of individuals whose specific skill sets are aligned with the company’s infrastructure. The idea is that just because you’re on the team for this client doesn’t mean you will be on the team for the next. If your background is Linux penetration testing, there is no reason why you should be on the team against a target that is a full Windows shop. On the client side, having a penetration tester skilled in Linux is a waste of their money and will provide less value. Keep in mind, I’m not saying the Linux tester is not good and couldn’t learn, but we must remember that we are beholden to the client and not our pride.

Lastly, but equally important, red team engagements focus on targeted goals instead of a specific scope. Without a rigid scope, the red team can work naturally and pragmatically to attempt to achieve the goals in the best way they see fit, much as an actual attacker might.

Have you ever recommended not doing a red team engagement?

Absolutely. I’ve seen clients get sold on the buzzword red team and want one, but in reality, they still haven’t fixed their critical, high, or even medium findings from their last few penetration tests.

When a client requests a red team, I try to understand how they have been performing previous security assessments and how they are handling remediating the findings. If they are still doing vulnerability scans and haven’t moved to penetration testing, they aren’t ready for a red team. If they are doing penetration tests and not remediating findings, they aren’t ready for a red team.

What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?

This isn’t the answer you want but the answer you need: small and medium-sized businesses are typically solely focusing on building their business and scaling. As a result, their dollars are usually allocated to endeavors to facilitate this. The right answer is that you need a consultant. Just as most small and medium businesses outsource things such as accounting, human resources, and information technology, you need to outsource security as well. Hire a reputable consultant who can come in and look at your business holistically and consider all aspects of the business so that any recommendation keeps its impact to your business’s operations and tempo to a minimum, but also helps increase your security posture. Our industry often forgets that our goal isn’t to make an organization unhackable, but to help increase their security posture in a way that allows them to focus on the business’s mission and vision.

Why do you feel it is critical to stay within the rules of engagement?

Elementary, my dear Watson. You must always remember the three Ls: liability, liability, liability. Staying within the rules of engagement comes down to liability. If a client has specific requests (don’t target C levels, don’t touch these IPs, don’t go to this floor in our building, etc.), it is important to abide by those requests, no matter how irritating they may be. The last place you and your team want to be is at the receiving end of a lawsuit for breach of contract.

If you were ever busted on a penetration test or other engagement, how did you handle it?

This is a tricky one for me to answer because many times the client requests that I intentionally test until I get caught. What I mean by this is during physical security assessments, for example, I slowly escalate my methods and noise to determine at what point an employee stops to question me. These metrics have given my clients a huge understanding of how and when their employees respond. Yes, I can go in and try to be undetected (which is the goal while red teaming); however, while performing a physical assessment, why not test as much as possible? If you don’t, you’re doing a disservice to your client. Then, when I’m caught, my clients also get to see how their incident response process handles it. Why wouldn’t you want to test every employee’s detection and capabilities in a controlled manner?

However, I do have a time I was caught while not trying to be. A few years ago, I was performing a physical security assessment for a client. During the kickoff call and follow-up communication, they were acting slightly odd and continuously decreasing the scope, including shortening the assessment from three days to one. I’ve learned that these are usually warning signs of trouble afoot.

When I arrived on site, I was able to successfully gain access to one of their floors. I found their mailroom and proceeded to place a USB drive inside an employee’s mailbox. As soon as I was leaving the room, I was stopped by an employee who said, “Oh, I found you! We were told to be on the lookout all day for you and to turn you in right away.” After talking for a few minutes, I found out that the client had sent out an email to all employees saying that a female would be coming on site during the limited time window they gave me to test and to stop me immediately.

This client wanted good results and didn’t want me to succeed. To achieve that, they rigged the test. However, this left me in an ethically hard spot. How was I supposed to write my report? I decided to be truthful and document in my report that the employee who stopped me explained that they were notified ahead of time and tasked with attempting to find me. To this day, that engagement was the most expensive game of corporate hide-and-seek I’ve ever played.

What is the biggest ethical quandary you experienced while on an assigned objective?

I had a client ask me to leave out findings from a phishing assessment. A C-level employee provided their network credentials to my malicious website, and they didn’t want that information to be in the final report. On one hand, it would be an extremely easy piece of data to omit from the final report; no one would even know it was missing. On the other hand, I knew deep down that it was wrong. I ended up explaining to the client that I could not remove any findings and proceeded to deliver an honest final report.

How does the red team work together to get the job done?

My absolute favorite part of red teaming is the team aspect. I love the camaraderie that is developed during the engagement. We work together under a team lead who builds out a strict plan to execute, where everyone knows their role and target. The documentation and reporting are really just a matter of good record keeping. There isn’t a team member specifically tasked with the job of the scribe. However, working with the blue team is always a learning experience. It’s interesting when we do our debriefs, and they show us what they were able to catch and not catch and dive into the technical portions of some attacks. Both teams learn a lot, and it is one of the most critical elements of the engagement.

“My absolute favorite part of red teaming is the team aspect. I love the camaraderie that is developed during the engagement.”

What is your approach to debriefing and supporting blue teams after an operation is completed?

This is a question that we ask during kickoff calls with the client—to determine what they want. Some clients like to be very hands-on with daily calls, multiple after-engagement calls/demos with different departments, and so on, while other clients are just looking forward to the final report. It all comes down to delivering the value that the client needs from the engagement.

If you were to switch to the blue team, what would be your first step to better defend against attacks?

Don’t assume. One of the biggest benefits any new hire brings to an organization is a fresh set of eyes. However, you need to capitalize on this while they are still fresh. I would personally start at the beginning, going from policies and procedures to technologies and to roles and responsibilities. I would take stock of what was present in order to determine what was missing. Things are often put in place in the blue team to meet policy need but never touched or exercised. Additionally, over time complacency sets in and things move to the wayside that should still be actively monitored.

What is some practical advice on writing a good report?

I’ve written, reviewed, and read others’ reports, which means I’ve seen the good, the bad, and the ugly. I have some tips here.

Executive summary: This should be more than a single sentence (yes, I’ve seen that)! This section should include the high-level assessment details (who, what, when, where, and why). Additionally, this section is typically the only part of the report that is handed off to executives, so don’t get too technical here.
Findings: For every finding, you need to show the steps to re-create the finding and a risk rating to help the client prioritize the order of remediation.
Recommendations: Never provide findings without recommendations.
Review: Don’t forget to run spell-check. A client will start to question your work if they see grammar errors and misspellings in your report. Also, ensure your report is QA’d. Having a second set of eyes is always beneficial, no matter what. If your report comes back with red lines throughout, don’t take it personally. It’s not about you; it’s about the client.

What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?

Hands down, soft skills. I can teach you technical skills or send you to training, but I can’t teach you manners, how to be on time, how to talk to clients, how to respond to teammates, and so on. One of the most nontechnical skills used in red teaming is communication. You have to be able to communicate with both your teammates and the client to be successful.

“I can teach you technical skills or send you to training, but I can’t teach you manners, how to be on time, how to talk to clients, how to respond to teammates, and so on.”

What differentiates good red teamers from the pack as far as approaching a problem differently?

A good red teamer knows where they fit into a team and how they can provide value. They also need to be outside-the-box thinkers. Often during assessments things don’t always go to plan, so being able to throw out ideas with teammates to figure out the best next steps is valuable. ■