Twitter: @indi303
Chris Nickerson, CEO of Lares, has spent the last 20 years of his career leading, inspiring, and sometimes irritating the security industry. With Lares cofounder Eric M. Smith, he created the unique methodology used at Lares to assess, implement, and manage information security realistically and effectively. Collaborating with a group of other InfoSec researchers, he founded the Penetration Testing Execution Standard (PTES) and is working with the Red Team Alliance Training Collective to create a certification for red team testing. Chris is one of the founders of the Security BSides conferences, and he’s been a keynote, speaker, and/or trainer at more than 50 InfoSec conferences worldwide, including DEF CON, CyberWeek, and BlackHat. He’s a member and certification holder with ISACA, is on the board of CREST, and holds CISSP, CISA, BS7799, and NSA IAM certifications. His book Red Team Testing is upcoming from Elsevier/Syngress. Despite all that, he is perhaps best known for his appearance on the TV show Tiger Team on TruTV and his TED Talk Hackers are all about curiosity, and security is just a feeling.
How did you get your start on a red team?
In my early days at Sprint we had a task force put together to show the actual impact of vulnerabilities identified. Over time, the scope grew and began to include attacks from the physical, social, and electronic realms. Although this team was called a “tiger team,” it was really my first professional exposure to mixed-discipline attacking over multiple execution surfaces.
What is the best way to get a red team job?
Earn it. The main reason to have a red team is to be able to simulate a wide range of adversarial tactics over the entire attack surface. The operator needs to have a broad background in problem-solving and quick thinking. Knowledge of one discipline can be tactical but is not sufficient when tasked with simulating many different adversarial models. The operator must be able to mimic not only tactics but thought patterns. With that in mind, the best way to get a red team job is to practice everything besides red teaming.
How can someone gain red team skills without getting in trouble with the law?
Practice in a controlled environment. This may come in many forms, from picking your own padlocks to creating pentesting labs. The precursor to getting better at any craft is to understand it from as many viewpoints as possible. There are boatloads of classes at conferences and standalone. My advice would be to take a solid mix of classes in pentesting, social engineering, and physical security. Oh, and don’t forget to have mastery of your audience’s language. We can be the best red teamers in the world and will not get a single stitch of credit unless we can effectively and appropriately communicate our actions.
Why can’t we agree on what a red team is?
It is a fairly standard term in the military. Since the invention of the German 19th-century kriegspiel (wargame), it has had a few names, but the sentiment has remained the same. The Army said it well in TR71-20 TRADOC:
“A structured, iterative process executed by trained, educated and practiced team members that provides commanders an independent capability to continuously challenge plans, operations, concepts, organizations and capabilities in the context of the operational environment and from our partners’ and adversaries’ perspectives.”
So, from that standpoint, the world has had a great definition of it. Why can’t “we” agree? Well, we will have to ask who “we” is. If you mean “people in cybersecurity,” I would quickly point to the sales and marketing departments. Since such a small talent pool existed when the terms started to gain popularity, they wanted to cash in on the interest. Just like penetration testing, the term was watered down and manipulated to mean “whatever engineering talent I have to sell you.” Bruce Schneier (https://www.schneier.com/essays/archives/2007/04/how_security_compani.html) captured this so elegantly while comparing the information security market to American economist George Akerlof’s paper “The Market for ‘Lemons,’” which is a body of work that looks at markets where the seller knows a lot more about the product than the buyer. That’s partly the same issue we have in red team definitions. The customer doesn’t know what to expect, and the sales team makes up a slick sales sheet that says the words they are looking for and the buzzwords that make them “feel” like they are doing it right.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?
Red teamers, or the offense, think they are better than any other teams. Look, I am all for having confidence in yourself and even more so confidence in your team. But there is no place or need for some pseudo-hierarchy. Members of this team should be the most similar. They should all be committed, passionate, and mission-driven. They should be using their talents to drive progress. They should be the instrument of change no matter how hard it is or how long it takes. This isn’t a field for people who don’t want to make a difference. We’re all part of the same crayon box and, when used in concert, can create something much bigger than our individual contributions.
When should you introduce a formal red team into an organization’s security program?
Coach Bear Bryant said, “Offense wins games. Defense wins championships.” The key lesson here is that you need to have a defense to win. Having an active state red team requires an active state blue team. That’s not to say that one cannot get some value from “sparring” with the red side, but to realize the full potential of the organization’s ability to progress and improve through the challenge of red teaming, they must have a team dedicated to that constant improvement. This may be a “hunt team,” or it may be a group of dedicated defenders charged with the proactive improvement of the environment. Either way, the commitment to challenging the status quo is being able to act on it. The teams that are ready for a red team are the ones who are ready to put in the work to own the findings, measure the results, and drive the organization forward.
How do you explain the value of red teaming to a reluctant or nontechnical client or organization?
The sparring analogy is one that I usually find most people understand. Whether it’s the Mike Tyson–style “Everyone has a plan until they get punched in the face” or the idea that you join a fight club to see what it really feels like to be in a fight or something even deeper. The entire sentiment of red teaming is to challenge the status quo—not through some type of theoretical or mathematical model but to learn and evolve through experience. It makes me think of those silly T-shirts that say, “There’s no patch for human stupidity.” They are totally wrong! The patches that we get are called experience, and the more experience we get, the more prepared we are. This applies to the sparring partner analogy. If you are a beginner, you need to always be punching up above your skill level—not too far, because you need to build your confidence. Let’s face it, if you jumped in the ring day one with Iron Mike, you’d likely hang up the gloves forever. As you progress, you need to move from sparring in your class to the next level above it. Each time you turn the dial to make the sparring partner a bigger challenge, you will build confidence, experience, and skill. Eventually, when you get to the pro level, it’s no longer about fighting someone better; it’s about someone who has a different style than you. You may be the baddest thing to ever hit the ring, but the variables you experience in the challenger or adversary are the things that can catch you off guard. At this point in the game, you need a sparring partner who can act “just like your opponent.” It will prepare you for the inevitable fight ahead and give you trust in your skills. It will also point out opportunities in your game plan that may have never been tested. Not everyone is ready for a title fight, but the ones who are trained for it with every breath.
What is the least bang-for-your-buck security control that you see implemented?
To answer the reverse question, training. Investing in your people will always beat your tools. It is a common misconception that you can buy your way to being secure. As you can see from common statistics, that idea isn’t working so well. There is nothing on this planet that can beat a dedicated and educated member of the team. The thing that most people don’t consider is that security tools constantly have vulnerabilities just like everything else. So, at the end of the day, every time you buy a new tool, your attack surface increases, not decreases. There are more things to attack, more openings, more everything. Now, with a highly trained team, you would be able to know that and engineer around the blind spots created. Without that training and investment in your team, you are increasing the likelihood that the very thing you bought to protect you will be the thing that gets you owned.
Have you ever recommended not doing a red team engagement?
Most people are not ready for a red team engagement. It is an extremely deep look into an environment’s real-world effectiveness to defend itself in multiple different modalities. Oftentimes, the companies asking for exercises like this do not have the technology/staffing in place to even make progress on the findings. Back to the sparring analogy, they are amateurs trying to spar with Tyson in his prime. It’s counterproductive to the program, and we regularly guide companies to testing types that they are more prepared for. This may be pentesting or even a broader defensive controls analysis to determine what they are actually equipped to handle. It often doesn’t end well, and they go with another vendor willing to sell them the “term” they are requesting. I still feel firm in the decision to do what’s right for the client even if they don’t see it at the time. Now, have we ever done a red team job on someone who was woefully underprepared? Absolutely! How did it end? Just like we told them: a string of attacks that you aren’t staffed or engineered to deal with. Surprisingly enough, about 10 percent of them recover from the shock and awe and actually make a massive change. The others just don’t call back.
What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?
Two-factor everything. Passwords are the Achilles’ heel of modern access. It’s the most common way I see access and lateral movement happen. There are plenty of 2FA solutions out there that are free to low cost and provide a massive leap in security above the single-password solution.
Why do you feel it is critical to stay within the rules of engagement?
The rules of engagement aren’t just a contract; they are your word. The bond of trust that is required to allow a stranger to see the darkest secrets of your business is one that requires a far more emotional connection than words on paper. It requires honor, purpose, intent, and overall trust. The foundations of that trust are memorialized in the rules of engagement. It’s a catalog of your mission and your commitment to the progress of the organization.
If you were ever busted on a penetration test or other engagement, how did you handle it?
Oh boy, I have had some weird ones. One time I was working at this large healthcare facility. It was about 2 a.m., and we had made our way into the IT operations building through a chat with the cleaning staff. As time went on, the cleaning staff left, and we stayed on the network. After collecting the artifacts of access the client requested, we went exploring. We were looking for some final flags of raw patient information, data, persistent physical access, and additional bypasses. I found myself in the basement looking at a few boxes that looked just like a key box, I swear. Anyway, I picked the box open, and the alarm went raging. I knew right away that this was the alarm central unit and the tamper switch had been triggered. I heard a faint yell from my teammate upstairs, “Are you kidding me? Nickerson, what are you doing down there?” I ran up the stairs, beet red and totally embarrassed. We both convened at the alarm keypad to see if we could find a way to disarm it. We checked everything close to the panel and found nothing. As a last-ditch effort, we popped the external housing, and on the inside of the casing was the number 4757. Coincidentally that was also the number of the building we were in. We punched in the code, and the cacophony of sirens immediately stopped. “Whew! We’re good,” I laughed. I was met with the “I’m not impressed” look, and we started to collect our things.
Not more than three minutes later, the road up to the facility was drowning in blue and red. “Well, here we go,” I said, as I started to reluctantly unfold my engagement letter. We immediately went outside and waited for the police to show up. Like any pride-stung red teamer, I thought to myself, maybe if I go first, they will think I am supposed to be here. So, as soon as they were in the parking lot, I waved them to our side of the building. “Officer! I’m so sorry. I have been here all night working on this server being down, and the cleaning lady locked me in. I just came out here for a smoke, and the dang alarm started going off. I tried to turn it off, but the call already went out.” He let out a faint giggle and grabbed a flashlight to shine in my face. After a few minutes of questions, he actually bought the story. I helped him do a sweep of the area, looking for anything suspicious, and he reassured me that “this kind of thing happens all the time” since I was worried about having to pay a fine for the emergency response call. They eventually left, and we packed up and alarmed the building in good conscience that if anyone else broke in that night, they were surely going to jail.
What is the biggest ethical quandary you experienced while on an assigned objective?
Red teaming is a really strange duality. On one hand, you are being paid to conduct a test to find potential weaknesses and measure the success of a program. On the other hand, you are doing all the things your mom told you to never do, and you are doing it for money! It’s a really strange place to be in. Also, there is a palpable intensity to it. You are breaking into a building. You are doing this highly criminal thing, and no matter how you justify it, you feel those butterflies. But unlike with a criminal, the intensity doesn’t stop there. You see, when a criminal gets caught, they know that’s a potential result of the game they signed up for. When you, a red teamer, get caught, you no longer have the feeling of the criminal act or the intensity of going from hidden to exposed. You immediately switch to an entirely different fear. You go from “OMG, I don’t want to get caught” to “OMG, I’m getting caught. I’m a phony. I’m terrible at my job. Everyone is going to know. My career is over. My peers are going to ridicule me. The client is going to think I suck. And on and on….” It’s vicious. There are other ethical aspects of the job that we come in contact with that have some effect or give me pause, but there is nothing like listening to my mother’s voice in my head, telling me that the thing that I am in the process of doing is just wrong.
How does the red team work together to get the job done?
The team is everything. No one can do it on their own. Even if it is a one-person job, the entirety of my team is there to support the operator every step of the way. You need a pump-up? We got you. Need someone on the cameras at 4 a.m.? We will get on. Need someone in your ear to walk you through the office you should break into to try to get part of the safe codes? We will be there, digging through mailboxes and shared folders trying to help you narrow the 1,000 offices down to the ones that likely have the code. This doesn’t stop at the operation. Afterward, the same rules apply to our blue team counterparts. You need something? We are there. We are an extension of your team—there to make sure that when you tackle the next big issue, you know that we have your back. Findings, remediations, brainstorming sessions, or just a late-night call to vent. We are just as invested in the program growing as they are. Together we make it happen.
What is your approach to debriefing and supporting blue teams after an operation is completed?
We start the process as early as possible. If we are allowed, we let members of the blue team “ride along” with us to gain both sides of the experience. I can remember some pretty famous faces in the InfoSec industry coming on a gig with us as blue teamers. Some of them used it as inspiration to create revolutionary defense programs, and some of them used it as a launchpad to move the offensive industry further than we could have ever expected. The one thing that was the same in every engagement was that the more we engaged, the more we all learned.
If you were to switch to the blue team, what would be your first step to better defend against attacks?
Basic defensive inventory. Most companies have been bullied by compliance to buy tools and technologies they don’t even use. They have had Gartner in their ears for decades, telling them what to buy but not why. Situational awareness and home field advantage are the biggest assets of the defensive team. The best teams in the world use those two things to move mountains and respond to attacks in real time effectively.
What is some practical advice on writing a good report?
Collaboration. Work with your peers, work with your clients, and work with your team. Try a few different styles of reporting and see what resonates with the customer. Not everyone learns and communicates the same way. The more versatility you get in your reporting, the more likely the customer is to understand the intent of the attack path as well as the remediation. If our goal is to grow, let’s push it from every possible direction.
How do you ensure your program results are valuable to people who need a full narrative and context?
This is something that is crucial to the pre-engagement phase. Both sides need a road map. Both sides need to set clear expectations for what the exercise will cover and how it will be delivered. Don’t just spend time selling; spend time listening. Spend time learning about the business and the members of each team that is part of the test. Learn their differences and how they need communication to unfold. Define pathways to success and a picture of what success looks like. Throw out the work language for a little bit and just speak like humans—ones who are about to embark on a deeply emotional and distinct journey together—and make sure everyone is comfortable. That comfort and trust will be the foundation of the exercise and ultimately the thing that separates your success from your failure.
How do you recommend security improvements other than pointing out where it’s insufficient?
Metrics. This is no longer a binary game. There is a way to distribute the information in a testing engagement without the fear, uncertainty, and doubt. We must first understand that the discipline of security is a capability. It is something that can be measured on a standard capability maturity model integration (CMMI) scale. As testers, we rarely know the actual impact to the organization beyond our theoretical impact. “OMG, I got domain admin! You are hosed.” Well…maybe, but is that a fact? Not always. It does, however, drive fear. Fear is the last thing wanted as an outcome. Remember the Tyson scenario. We can’t break the will and confidence of the team; our job is to show the opportunity for improvement and track its progress. That said, we need to use metrics to enrich the data over time. We can’t just say “red team wins.” We need to measure the varying level of success of the program to protect and detect the threats we simulated. We then need to work together to improve our capability maturity tactic by tactic. You know what I think is insufficient? The graphs you see from every security tool tell you that it stopped “X number of threats or attacks.” You know what it doesn’t tell you? “Out of how many.” How many did it miss? How well is it really doing? The red team is there to fill out the rest of those metrics for the defense team. The red team is not there to decide for them or even suggest what products they need to stop the attack. The red team is there to provide the metadata needed to empower the blue team to make the best possible decisions.
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?
Drive. Pride. Honor. Respect. The technical skills can be taught to just about anyone. The aforementioned traits are things that are inside someone. The willingness to be behind the scenes, grinding, is the thing I see as the most valuable trait of a red teamer. Everyone is going to get pushed to give up, red or blue. The ones who can carry on in the face of adversity because of their dedication to the cause have the selfless nature that moves the needle. One breath at a time, one hack at a time, one collaboration at a time—they know that the mission is everything and will stop at nothing to get there.
What differentiates good red teamers from the pack as far as approaching a problem differently?
Being able to switch modalities. Removing the route to the issue allows you to see it from a different perspective. It may not be a shot you can take from the outside. It may not be a phish that lands. It may not be a cred you can find or a pivot you can make from the outside. It may not even be the guard you try to trick your way past. A good red teamer is ready to execute on any and every part of the battlefield. A great red teamer is one who knows how to spot the weakness and knows how to leverage the collective power of their team to get the job done.