22
Brent Kennedy

“The laws surrounding hacking are gray at best, but they will most likely not be in your favor.”


Twitter: @bk_up

Brent Kennedy is the red team director at Capital One Financial Corporation, where his team is responsible for conducting advanced, objective-based offensive operations that emulate threats faced by the organization and the financial industry as a whole. Formerly, Brent led the penetration testing team at the CERT Division of the Software Engineering Institute (SEI), where his team supported and assisted in the development of the Department of Homeland Security’s Risk and Vulnerability Assessment (RVA) and Red Team programs.

Brent is a graduate of Carnegie Mellon University (’10), where he received an MS in information security policy and management, and of Washington & Jefferson College (’08), where he received a BA in information technology and economics; he holds OSCP and GXPN certificates. Brent is also an adjunct professor at Carnegie Mellon University’s Heinz College and at Norwich University, teaching courses in ethical penetration testing and information security.

How did you get your start on a red team?

In a previous job, I worked for a Federally Funded Research and Development Center (FFRDC) that partnered with a federal agency to conduct penetration tests for other government organizations. Over time, some customers’ security posture greatly improved, which increased the need for stealthier tradecraft and the demand to test their monitoring and response capabilities. A red team capability was spun up with the more experienced testers on the team. This was an extremely valuable time in my career: I got to explore and improve my tradecraft and really see what did and did not work. Many lessons were learned!

What is the best way to get a red team job?

First, make sure red teaming is what you really want to do. It is different (not better or worse) than penetration testing, requiring a different set of skills and mind-set. Then, focus on learning about tactics, techniques, and procedures (TTP) and operations security (OpSec) at a deep level. Those core fundamentals will be essential in learning how to best execute because you may get only one shot. Finally, spend some time with the blue team. Having an understanding of how blue teams work to monitor, detect, and respond will go a long way to being a good red team operator as well as making your output relevant, whether you are successful or not.

How can someone gain red team skills without getting in trouble with the law?

As a professor who teaches an ethical penetration testing course, I always sternly caution my students to act within the law and always be cognizant of where they are operating. The laws surrounding hacking are gray at best, but they will most likely not be in your favor. That being said, there are a few platforms out there now that provide sandboxed testing environments that are an invaluable tool for testing skills and tools in a real networked environment.

Red teaming is also about having the right mind-set. You can gain great red team skills by spending time with defenders and reading about strategy. Many of the strategic techniques that are used in warfare are applicable to red team operations.

“Red teaming is also about having the right mind-set. You can gain great red team skills by spending time with defenders and reading about strategy.”

Why can’t we agree on what a red team is?

Often, the term red team is used to describe anything in the offensive security realm, especially as it’s become a buzzword in the tech industry. If you ask someone what the differences between application testing, penetration testing, and red teaming are, you start to get more consistent answers. I think the biggest disagreement on the term comes when red teaming is being defined as “advanced” pentesting. Red teaming has the connotation of being the next level up from penetration testing, when in reality the objectives of the two services have significant differences, and both are valuable.

In discussing red teaming with leads from other organizations, I’m always interested to see the different ways their red teams are organized and how they operate. On the surface, these can look like differences, but it’s really just each team applying the same core red teaming principles to best fit their organization and customers. Doing so is an important part of internal red teams.

What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?

Not many people understand the level of planning that goes into a red team operation from both a management and technical perspective. It is not as simple as getting an idea, opening up the computer, and starting to hack. A great deal of preparation goes into getting the necessary approvals, making sure the right people are “in the know,” and planning the actual execution. Also, setting up the proper infrastructure can take a large amount of time and resources.

A toxic falsehood is that red and blue cannot work together and naturally work against each other. Sure, blue is trying to detect and prevent red from being successful, but that is only one facet of the job. Behind the scenes and after the fact, the two teams can and should work closely together to fully understand what each party did and close any identified gaps. The success of a red team ultimately relies on having a great relationship with blue. At the end of the day, I believe that the red team is an extension of the blue team, not a completely separate entity.

“The success of a red team ultimately relies on having a great relationship with blue. At the end of the day, I believe that the red team is an extension of the blue team, not a completely separate entity.”

When should you introduce a formal red team into an organization’s security program?

An internal red team should be one of the final pieces of a security program. An organization wants to make sure they have mature processes in place to monitor, detect, and respond to intrusions before they have a red team potentially create events. A red team is valuable in helping to fine-tune an existing security program, not find holes that are already known.

How do you explain the value of red teaming to a reluctant or nontechnical client or organization?

When explaining what a red team does to a nontechnical audience, I always highlight the word real. I explain that a red team is emulating a real bad actor and using only the resources that a real bad actor has at their disposal. It is always important to be humble in these discussions to make your customer know you are not there just to make them look bad. It helps to explain that when a red team goes into an operation, they do not know if they are going to be successful, and that is the point. This helps create a partnership, as if it’s a puzzle that both of you are trying to find the answer to.

Have you ever recommended not doing a red team engagement?

Yes! Many times customers want a red team exercise because they assume that is the most advanced offensive service, and why not go with the best? In reality, though, the customer is looking for a more targeted assessment of their product or application that better fits in the application security or penetration testing realm. It is critical to figure out what the customer is really looking for in terms of output and what they really want evaluated. This will help drive selecting the right assessment type. Not one of these services is better than the other; they are simply oriented to different demands, and it’s important to help your customers identify which is the best fit.

What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?

Proper account configuration, namely, applying the principle of least privilege. Smaller businesses have the advantage of being just that—small. Before their environment grows too big, they can work to keep access tightened up and allow access only where needed on an individual basis. To a red teamer, an over-privileged account is gold because it can be used “as intended,” and this often does not get caught.

Why do you feel it is critical to stay within the rules of engagement?

It’s important because the rules of engagement (ROE) are, above everything else, an agreement of trust. No matter how much the customer welcomes and believes in red teaming, they want you to behave in a manner that is best for the organization. Going rogue and breaking that trust will lead to a bad relationship that could spread throughout the organization.

If you were ever busted on a penetration test or other engagement, how did you handle it?

Getting caught is not a bad thing! Being on a red team means being kept (somewhat) in the dark as to what new defensive measures are being rolled out. Getting caught can mean that those defenses are working, and every red teamer should expect and want to get caught…sometimes.

“Getting caught is not a bad thing!”

On one such occasion, I was working toward the objective of spreading malware when my mule host, which was hosting the malware payload, got discovered. This became a race against time with blue now being able to better track where I was. Ultimately, I was still partially successful but also burned. This created a great opportunity for red and blue to work closely together. We both did some things well and some things poorly, but it created a discussion on how to better stop an attack of that nature at the root level.

What is the biggest ethical quandary you experienced while on an assigned objective?

There have been some social engineering pretexts that made my stomach churn, such as leveraging a natural disaster or national tragedy. You just know you are pulling on people’s heartstrings and exploiting the good in human beings, so that makes it hard to pull the trigger. However, I have to remind myself that the real bad actors are using these techniques, so it is all for the greater good (I hope!).

How does the red team work together to get the job done?

The duration of an internal red team operation will differ from organization to organization, but there’s a good chance they are all shorter than the length of a real adversary’s campaign, so working as a team is the only way to accomplish everything on time.

During an operation, it is best to have well-documented processes and procedures that ensure that all team members are properly documenting their work and communicating it with the larger team. It is also good to ensure that the customer POCs are kept in the know based on our ROE with them. This is all managed by an operation lead who is responsible for ensuring that our procedures are followed and that any outstanding issues or impediments are properly communicated up the chain.

Afterward, I recommend a service that is centered around burning any TTP that was successful during the operation. This is accomplished by the red team and blue team working closely together to replay the TTP, determine what evidence is present, gain full awareness of all associated IOCs, and then put a plan in action to prevent and/or detect the activity. This teamwork between the groups has been amazing in gaining increased defensive measures in a short time.

What is your approach to debriefing and supporting blue teams after an operation is completed?

My belief is that the blue team should have full knowledge of an operation and the tactics that were used after an operation is complete. Simply put, if the red team can be successful, then so can the bad guy. Being able to burn TTPs and increase defenses as a result of a red team operation is why they are conducted in the first place.

It is sometimes not enough just to hand over a report. Ideally, red and blue should sit down and work through the attack path again so that everyone can see it working in real time. I have found that this allows for “light bulbs” to go off and for defenders to come up with innovative solutions.

If you were to switch to the blue team, what would be your first step to better defend against attacks?

I would focus on getting offensive training for all blue team members. Through teaching in the classroom and mentoring in the workplace, I have had the privilege to train many blue team folks on offensive techniques. These people are extremely skilled at their jobs but have never had the opportunity to experience an attack from the other side. Being able to understand how an attacker operates and thinks is extremely useful and creates “light bulb” moments that result in full situational awareness of the problem and creative solutions. I believe this allows defenders to triage events more quickly and come up with root-cause analysis rather than just fixing problems on the surface.

What is some practical advice on writing a good report?

Technical writing is an art, and doing it well comes with experience. A common misbelief is that a good report is long, but that is certainly not the case, and you’re just making more work for yourself. I encourage my team to focus on the facts and tell a good (and accurate) story. Be concise in your writing so that your reader doesn’t get lost in technical jargon but instead can follow along and understand what you, the attacker, did and why you did it.

“Technical writing is an art, and doing it well comes with experience.”

How do you ensure your program results are valuable to people who need a full narrative and context?

This speaks to the art of writing a good narrative. An operation’s story should include the weaknesses that were exploited, but it shouldn’t call them out in a way that makes the audience feel dumb. The report should speak in terms of what an “attacker did to our network” instead of what “I did to you.” Results should be presented in a manner where you are back on their side of the fence and discussing what improvements can be done together, for the better of the organization. State the facts of what happened and how the collective “we” are going to fix them.

How do you recommend security improvements other than pointing out where it’s insufficient?

It’s best to come prepared with real, plausible recommendations to the problems you are pointing out. It’s also imperative to be humble and admit what you do not know. As a red team, you exploited a weakness, and that’s a fact. Now present what you know in terms of how you could be stopped in the future, while welcoming additional input to the solution. It’s also important to recognize that the ideal fix may not be a reality. There are many forces at play (politics, prioritization, money, and more) that can prevent a defender from implementing a solution. In some cases, the problem may already be known, but a red team exploiting it may serve as the leverage needed for leadership to prioritize remediation.

What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?

Check your ego at the door. Internal red teams need to be able to work with each other and defenders to achieve the same common goal. Any bad attitude can kill the team dynamic, and an ego can ruin internal relationships. On the other side, someone who has a passion for tradecraft is a dream candidate. I want the person who is always willing to learn from others and spends time honing their skills because they know that job is never complete. They will become an excellent red teamer in no time and will never stop growing.

One of the best nontechnical skills is the ability to convey technical information at a high level. It’s not just about the words that you choose but also being able to read and understand your audience. You must have patience with a nontechnical audience, and explaining complex concepts in relatable terms can go a long way to connecting with all the other important teams within the organization. It’s imperative to remember that your organization is full of really smart people, but not everyone is specialized in every area. Teach others and let them teach you.

“It’s imperative to remember that your organization is full of really smart people, but not everyone is specialized in every area. Teach others and let them teach you.”

What differentiates good red teamers from the pack as far as approaching a problem differently?

Patience and creativity. On red team operations you sometimes get only one shot at exploiting a weakness, so you cannot be too eager to jump in. The red teamer who can take a step back, spend time assessing the situation, and come up with a cunning solution will not only be successful but also set a great example for the rest of the team.