14
Marco Figueroa

“From my perspective, skill trumps everything; over the years, I’ve aligned myself with way smarter people than me who have helped me grow into the security professional I am today.”

[Photo: Marco Figueroa, senior security researcher at a Fortune 50 company]

Twitter: @MarcoFigueroa

Marco Figueroa is a senior security researcher at a Fortune 50 company whose technical expertise includes reverse engineering, bug hunting, incident handling, and APT group tracking. He has a deep understanding of threat intelligence tradecraft across different market verticals and organizations to identify attack vectors, trends, and nation-state actors, and he utilizes the latest techniques from nation-state actor reports, enhancing his offensive security skills.

How did you get your start on a red team?

My first red team engagement was when I was a security analyst at a Fortune 50 company in 2006 and one of my co-workers cofounded a consulting company in India that had more than 100 employees. For about a week this co-worker, whom we will call Randy, was asking me security questions about specific network hacking techniques; at first, I thought he was interested in security because he was an Oracle DB developer, but then I finally asked him why he wanted to know all of these different techniques. He informed me that the company was being attacked every day and was playing whack-a-mole with the attackers. The questions he was asking me were to see if I was the right person for the job. He asked if I was interested in doing a pentest and wanted me to figure out how these intruders were gaining access. So, Randy gave me the scope of the engagement. The following Monday, we had a contract signed with the terms. To make a long story short, the perimeter was weak with default credentials on the router, and internally the switches had default credentials as well. The internal infrastructure needed to be hardened by the administrators. The lesson I learned from this back then was that it doesn’t matter how big or small the company is; the red teamer should inform the stakeholder immediately about every critical-impact vulnerability to the organization.

What is the best way to get a red team job?

From my perspective, skill trumps everything; over the years, I’ve aligned myself with way smarter people than me who have helped me grow into the security professional I am today. What happens when you begin to align yourself with like-minded individuals is it enables you to elevate your skills to a new level.

Here are my recommendations for how to do this and land the red teaming job that you want:

How can someone gain red team skills without getting in trouble with the law?

This question is a no-brainer for me. Join the bug bounty programs and start hacking away. These companies are providing an incentive for bug hunters to find bugs, so they offer you training on their websites to get you started. HackerOne and Bugcrowd are just two of the companies, but this space I believe will be crowded in the next few years. The company that wins this race will be the company that provides the most value to its community by going above and beyond for them. They can be providing you with every tool and training there is, but you must put the work in and type away on your keyboard to develop those skills to earn the bounties.

Some of the people and sites that have provided immense value to me these last few months are @jhaddix, @stokfredrik, @nnwakelam, @NahamSec, the HackerOne website, Bugcrowd website, PentesterLab website, and Offensive Security Training.

What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?

The value that the red team adds to an organization is invaluable. There was a team filled with top-notch skills, and they all left as a unit, one after the other, and went to another company. What does that say about the organization? I always inform upper management of the value of red teams. If you were on the front page of the WSJ in a negative way, what would be the price of that in dollars? If an adversary pops one of the company’s servers and steals customers’ data, then how does that company deal with the fallout if that data is sold on the black market or just dumped? Now, what if your organization had a red team continually working on looking for low-hanging fruit or reverse engineering binaries for bugs? People might say that’s not red teaming, and my answer is the same thing every time: acting like the adversary is red teaming.

When should you introduce a formal red team into an organization’s security program?

It varies tremendously between companies. I believe that a company should have a quarterly assessment regardless of its size. How I measure companies is that if your crown jewels are your IP or customer data, then you need to have a full-time staff red teaming. Companies think that being hacked won’t happen to them, but if you look on HackerOne’s Hacktivity, you will be amazed at the innovative ways that companies can be compromised. From private keys leaked to RCE, it’s an amazing time to be alive.

How do you explain the value of red teaming to a reluctant or nontechnical client or organization?

Luckily, all the companies that I’ve worked for have understood the value of having a red team, but one company that sells soft drinks found out the hard way about the importance of having a red team. This company had an incident that stopped the conveyor belt from pouring drinks. This incident cost them more than $100,000 an hour, and they learned a valuable lesson back then. The following month the company organized a security summit, and my manager at the time tasked me with bringing a “hacker” to talk about the importance of security back in the late 2000s (by the way, @at1as, you still owe me a drink for that one). This company eventually established a red team, and I want to believe it was that summit gathering that did it!

What is the least bang-for-your-buck security control that you see implemented?

To answer the reverse question of what gets you the most bang for your buck: an endpoint detection and response (EDR) product that allows you to deploy YARA rules.

Have you ever recommended not doing a red team engagement?

Yes. Instead I have recommended limiting access rights to users and training every employee on not being fooled by phishing emails.

What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?

Make everyone in your organization part of the security awareness program. The adversary understands that employees will always fall victim to a well-crafted phishing email. For example, I ordered a package, and it was being shipped via UPS. That week I received an email that looked like a legitimate email from UPS, and it was perfectly crafted (kudos to that threat actor). It was 2010, and I remember it vividly because I spoke to my manager at the time, and the following week he received a similar email.

Why do you feel it is critical to stay within the rules of engagement?

One time I was on an engagement and a team member was out of scope and knocked over a critical server, and the server was down for a couple of hours. Besides the embarrassment of the call that we had with the manager, the engagement was immediately halted. What red teamers do not understand is that sometimes it’s completely fine if you do not find anything; it’s not the end of the world. You tip your hat and try harder on the next engagement. Not all engagements are made equal!

If you were ever busted on a penetration test or other engagement, how did you handle it?

I will give you the flipside version of this. I was contacted to investigate suspicious activity on a system. I received a binary and began to reverse engineer the binary. I said to myself that the binary I was analyzing was impressive. I reached out to the red team lead at the time and asked him if his team was performing any suspicious activities that I analyzed in the binary; the red team lead informed me that it wasn’t the red team.

I immediately recognized that this was probably a sophisticated actor; I really admire cool binaries that I analyze. I give a lot of respect to the adversary for crafting sophisticated techniques. After investigating the binary further, I determined that it was a specific APT group and created some YARA rules to see how deeply they infected the network. It was the only box that was compromised, but I then had to investigate to see if they pivoted, and they didn’t. We investigated the system, and we determined that the actor didn’t compromise any other systems. Sometimes on operations the adversaries need to have operators on standby to pivot at a moment’s notice. I know of adversaries who can run through networks within 30 minutes—those I consider supra actors. I love offense, but defense is where you learn bleeding-edge techniques from nation-states that you can use on the offensive side. I always read APT reports to learn the latest techniques that adversaries use. Playing both sides is crucial for your development as a red teamer!

What is the biggest ethical quandary you experienced while on an assigned objective?

When reverse engineering and hunting for bugs in software, you will always read a disclaimer informing you that you should not reverse engineer the software. When doing this, you have to know that if you find a bug, you should immediately report it.

How does the red team work together to get the job done?

If you’re collaborating, then the communication between the team members is essential. I’d suggest having morning and evening stand-ups (10-minute meetings). Doing this will help the team figure out what the team is working on and their daily findings.

What is your approach to debriefing and supporting blue teams after an operation is completed?

I’ve always suggested to management that the red team members should write rules for the way they compromise systems. Many red teams do not want to do this because it hinders them in their next engagement. Many teams try to advise on specific ways to harden the system that was compromised during the engagement, but people usually do not want to write the detection rules. It’s more work, but it will pay off in the long run.

If you were to switch to the blue team, what would be your first step to better defend against attacks?

I’ve played both sides over my career, and I find both sides fascinating. On the red team side, you’re looking at things from a fresh perspective. My favorite is looking at new technology and trying to find ways to exploit it, and on the blue team side, it reminds me of the popular TV show The First 48. When something is detected, you must figure out what priority level the compromise is and then become a detective to figure out how to stop the bleeding. My reverse engineering skills allow me to work both sides as if I am ambidextrous; there have been times when I’m assisting the blue team side that I’ve had to pull in a red teamer to collaborate on an incident. I believe that red and blue teams are siblings, and they need to be aligned to work together for the common good.

What is some practical advice on writing a good report?

The thing that I will say about this is to figure out what the most important things are to the stakeholders in charge of the engagement. I do not believe a 500-page report is helpful. But they must be aware of all issues, that’s for sure. Understanding what the stakeholders care about is so important, and providing value should be your number-one priority. Many pentesters in my experience hate writing reports, but if you learn how to embrace the task and provide an actionable report with clear steps on tackling the issues discovered during the engagement, then the organization and you win.

How do you recommend security improvements other than pointing out where it’s insufficient?

I would point out the obvious things, but let’s say the organization has an admin or engineer who doesn’t know the why behind something that was compromised. I always believe in training the individual in depth on the techniques and mitigations, and I always recommend offensive training for defensive analysts. An example would be training on how Mimikatz is used. If an admin or analyst understands how it is used, then they will have the knowledge to write detections for it.

What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?

Positive attitudes, people who love to learn, and those who do not stay in their comfort zone. I had a friend who was an expert in skill Y. He knew the ins and outs of a specific skill set, and I asked him why he didn’t learn another skill. He replied, “I’m the king of this sandbox, and I want to stay the king.” That is an example of a teammate who would be hard to work with in different situations. A person with that mentality will not elevate team members. He won’t let people get better than him in his sandbox. He will resent people on the team who can start playing better than him in that same sandbox. I think this would be a bad hire. You can sniff that out during the interview process; one question you could ask would be, “How would you learn new things that you’ve never learned before? Can you take me through that process?”

What differentiates good red teamers from the pack as far as approaching a problem differently?

I would say when a person loves the craft, that person will stand out immediately. I know a person who would absolutely be a first hire if I moved companies and built out a red team. I wouldn’t take no for an answer when someone is creative and uses techniques to find ways to get the job done. I would consider them a person I can trust to do their best during an engagement.