“Red teams are different because each organization has unique needs, which is why each job should be described in the scope of work.”
Twitter: @KevinFigueroa
Kevin Figueroa is a passionate hacker and cybersecurity researcher. As a seasoned practitioner with 10+ years and vast, broad knowledge in cybersecurity, he has consulted in government, private, and public sectors. He focuses his discipline on network and web application penetration testing and vulnerability and risk assessments. Kevin’s never-ending passion for learning different coding languages, threat research, lockpicking, and reverse engineering has led him to be a speaker at several conferences like DEF CON and InfoSec Connect; he is also a cofounder of the DCNYC Group, a monthly hacker meetup in New York City, and a cofounder of Unallocated Space, a hackerspace in Maryland.
How did you get your start on a red team?
I got started with red teaming several years ago, yet it feels so long ago. It took many years to acquire all the different skill sets needed to be a great red teamer. Over the years, acquiring skills in networking, firewalls, IDS, packet crafting, wireless, social engineering, lockpicking, mobile, and the intricacies of different operating systems has been fundamental to the red team. Of course, the major skill for red teaming is penetration testing, and I’ve conducted penetration testing for most of my cybersecurity career.
Being passionate about hacking and adopting more skills in addition to my three discipline strengths of networking, web application, and wireless penetration testing has given me the liberty to be a red teamer. Over many years of learning from different individuals and mentors, I have been able to grasp and learn other disciplines like lockpicking, mobile, and using neuro-linguistic programming (NLP), which to me is the highest form of social engineering. Indeed, these aren’t the only skills needed to be a red teamer, but they were the skills that got me started in red teaming engagements.
What is the best way to get a red team job?
Having a strong, diverse set of skills will make you a prime candidate to acquire a red teaming position. A major key skill set in red teaming is penetration testing, but penetration testing is not the only skill set that should be obtained. Two other skill sets that should be acquired and continually practiced are social engineering and lockpicking. These two skill sets sometimes are overlooked, but they could be extremely valuable when conducting a red team engagement. Lockpicking and social engineering must be practiced often. Attending lockpick villages at hacker conferences, using internet resources, gathering literature, and buying a lockpick set will get you started. Moreover, if you want to take your social engineering to the next level, continually practice NLP.
A couple of other useful skills are mobile, wireless, and radio frequency technologies. How useful could it be if you obtained an employee’s phone and cloned the SIM? Or what about cloning someone’s RFID badge to access a restricted area, maybe sniffing and finding a weakness in the Bluetooth protocol or in their wireless technology? These can all be entries into exploiting their security defense posture and also ways an organization could be compromised. So, as you can see, acquiring many different skill sets is essential to becoming a red teamer.
How can someone gain red team skills without getting in trouble with the law?
There are several ways red team skills can be acquired without getting in trouble with the law. Setting up a virtual lab environment with different vulnerable VM images is an extremely useful way to adopt the practice of penetration testing. One must continuously practice their penetration testing techniques due to the ever-changing technologies.
“Setting up a virtual lab environment with different vulnerable VM images is an extremely useful way to adopt the practice of penetration testing.”
For example, let’s take network and web application penetration testing. These are two completely different disciplines, yet web application testing relies on networking. Some may use a Linux/Unix environment, while others may use Microsoft Windows to host web applications. So, having a clear understanding of how networking works or how different web technologies integrate with one another will be highly necessary. Accurate knowledge is vital, whether networking or web application, and can consist of knowing several different web technologies and network appliances. The more exposure you have to what these types of vulnerabilities and weaknesses look like, the more you will be able to identify the weakness to exploit within an organization.
In the end, through many hours of practice, hard work, and continuous research, you acquire the tools to become a red teamer.
Why can’t we agree on what a red team is?
I believe it’s because there is no universal outline of what red teaming is. Red teams are different because each organization has unique needs, which is why each job should be described in the scope of work. Another reason is that organizations may have wanted a vulnerability assessment and called it a penetration test, or they may want a penetration test but are calling it a red team engagement. However, it is up to us, cybersecurity professionals, to understand a client’s needs and explain the differences between engagement types. But one thing is for sure: exploiting vulnerabilities to compromise an organization is the main premise.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?
Being disciplined in only one area of cybersecurity does not classify you as a red, blue, or purple team member. Being great at trolling doesn’t make you a great social engineer, and conducting a vulnerability assessment doesn’t make you a pentester. The fact that so many different buzzwords are being intertwined and used makes things within our industry so interchangeable; I believe that is causing all the toxic falsehoods.
“Being disciplined in only one area of cybersecurity does not classify you as a red, blue, or purple team member.”
When should you introduce a formal red team into an organization’s security program?
Security maturity varies from organization to organization, but an organization should consider adopting a formal red team exercise into their security posture early on, and it should be performed at least twice per year. Another factor an organization should always consider is physical access to an authorized place. Sometimes small or midsize organizations overlook this aspect, and they should not.
How do you explain the value of red teaming to a reluctant or nontechnical client or organization?
Use relatable words with the client, use a relatable parallel story to explain why it’s necessary, or even create a quantitative analysis to show the cost should a breach occur—all these should assist with understanding why red teaming is so important. In small to midsize companies, the security defense posture may be a second thought. However, showing the cost if the organization is compromised versus the cost of conducting a red team engagement may change how they approach security in their organization.
Have you ever recommended not doing a red team engagement?
Yes, however, that should be determined when engaging the client in the early stages. This will allow you to gauge the security defense posture of the organization. After explaining the reason why a red team engagement is not warranted, you should suggest an external penetration testing engagement instead.
What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?
Access control and enforcing password policy. The small and midsize organizations I have come across lack in those two areas. These two tasks could be easily implemented by their system administrator. Another task that should be considered is a monthly vulnerability assessment. This will assist the organization’s technology leaders in prioritizing the most critical vulnerabilities.
Why do you feel it is critical to stay within the rules of engagement?
This would be based on the scope of work and contractual agreement. It may be best to explain why one threat could lead to an exploit that compromises the organization and could possibly tarnish their brand. Also, let’s say you’re conducting a penetration test and run a SQL injection vulnerability program, and the scanner drops a table, and the company doesn’t conduct regularly scheduled backups of their database. The liability could fall on the red team for breaking the rules of engagement. Or what if the company has identified the vulnerability and has decided that the threat of the vulnerability is low enough for them to classify the threat as an acceptable risk and out of scope? This could make it appear as if the red team couldn’t care less about the organization’s rules of engagement, which may cause the organization to not award the contract to the red team for the next engagement.
If you were ever busted on a penetration test or other engagement, how did you handle it?
Yes, I was busted before on a red team engagement, and it was so bad, I was almost shot by an armed guard. This made me think twice about breaching a building with an armed guard again. Thank God, I had printed an email from the POC of the organization as proof, but they still needed to call the POC for verification. Long story short, you should always keep some type of written proof of sanction by the organization when attempting to breach an organization’s facility.
How does the red team work together to get the job done?
As I mentioned earlier, a red teamer should have a diverse set of skills. Working together shouldn’t be an issue because you could play on each other’s strengths. One thing is for sure: one teammate should always be selected to collect documentation from all other teammates and write the report along the way. This way, when the red team engagement has been completed, all team members sit together to discuss all the weaknesses in order for the organization to receive the best value from the results.
What is your approach to debriefing and supporting blue teams after an operation is completed?
The best approach in debriefing an organization or a supporting blue team is to be positive. The objective is to help improve the organization’s security defense posture, not explain how badly they are doing at implementing security defense. Identifying the weaknesses that could be exploited is one thing, but exploiting the weakness doesn’t mean anything if you’re not assisting them in understanding why the weakness was there in the first place. That may cause the organization to rethink how they are prioritizing the vulnerabilities or to even set new policies within the organization.
“The best approach in debriefing an organization or a supporting blue team is to be positive.”
If you were to switch to the blue team, what would be your first step to better defend against attacks?
Personally, I would rather stay on the offense side of cybersecurity. However, if I were to switch to be on a blue team, I would engulf myself in continuous research on the new attack vectors that threat actors are employing. To better the defenses, I would understand what type of log retention the organization has in place and become versed in the appliance or system that aggregates and correlates the organization’s logs. Logs and monitoring are essential to begin tracking suspicious traffic and lateral movement within the infrastructure of the organization.
What is some practical advice on writing a good report?
First, do not over-write the report, meaning do not write a lengthy report, because business individuals in the organization will review about the first 10 pages, if that. Second, attempt to use the fewest words to explain the vulnerability without losing the meaning behind why this vulnerability exists. Finally, use screenshots or maybe even videos to show how you exploited the weakness, but make sure the words are simple and to the point. Don’t just use buzzwords to put fear into the client.
How do you ensure your program results are valuable to people who need a full narrative and context?
To ensure the red team results are of value to the organization, a cost should be associated with each vulnerability discovered. Conduct a quantitative analysis that will support the vulnerability listed within your report while enhancing the client’s report. Being able to discover a vulnerability in an organization’s digital asset could be extremely important to the brand of the organization. Justifying the importance of the results and adding a dollar amount can drive the value as a necessary cause to the organization.
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?
Looking for a candidate who is passionate about hacking and wanting to be on a red team is extremely important. Being able to identify a candidate with skills versus a candidate who can B.S. his/her way just to obtain a red team position is also essential. Having a small mock-up testing environment is a great way to find candidates with real skills. Also, a diverse background in different cybersecurity disciplines is a good attribute to hunt for (and is slowly dying out).
“Writing great reports by giving great details of what, when, and how on an assessment could be the winning factor for the organization.”
As for nontechnical skills used for red teaming, that would have to be writing. Writing great reports by giving great details of what, when, and how on an assessment could be the winning factor for the organization. Remember, using the fewest words to best describe what was found, when it was found, and how it was exploited will make a big difference.
What differentiates good red teamers from the pack as far as approaching a problem differently?
Because red teamers have diverse skill sets, they think differently about the approach to mission problems. Having people exposed to different technologies, in conjunction with having teammates with experience in different methodologies, is a major win.