Jayson E. Street

“If you want to get a really good red team job and be effective as a red teamer, understand all the details of how the blue team functions, and that will make you a way better adversary.”

Twitter: @jaysonstreet

Jayson E. Street is a co-author of the Dissecting the Hack series. He is also the DEF CON Groups Global Ambassador and the VP of InfoSec for SphereNY. Jayson has spoken on a variety of information security subjects, including events at DEF CON, DerbyCon, GrrCon, and several other cons and colleges.

How did you get your start on a red team?

I believe I’ve always had that red team mentality, even when I was in physical security, patrolling a new building or starting at a new site. I would always look at the defenses and check to see whether the camera placements were correct to make sure that the perimeter was secured. I made sure that the doors were locked and there was no way to circumvent the door, so I was always thinking with that mentality—how I would break in and be the bad guy. I didn’t actually start doing the official red team role until probably midway through my career. When I started looking at the physical aspects, partly being inspired by watching some other red teamers give talks at conferences, I realized, “Wow, that’s a whole other avenue I could start looking at,” so I started doing red teaming in my organization. They were very supportive and let me do these kinds of things, which helped perfect my skill and got me more confidence to actually start going after it—it was a great fit. Their support benefited them, and then it benefited me in the long run.

What is the best way to get a red team job?

I think the best way to get a red team job is to start off with the blue team. I always recommend to people that red team jobs are fun, and for some reason we make them all seem like they’re sexy people like, “Oh, look at these guys breaking in and stealing stuff. They’re breaking into the network and downloading all the crown jewels.” That’s cool and everything, but I don’t think you can be a really good red teamer unless you understand what the defenses are, how the defender thinks, and how the defenses are made, built, and monitored. I’m sure everyone has been talking about different ways to go about getting the job and places to interview, but forget about that part if you want to be a good red teamer. If you want to be someone who is really good at their job, start off at the blue team doing the defender’s job. Learn their processes, learn how they escalate issues, and learn what they’re monitoring for so you can circumvent them. If you want to get a really good red team job and be effective as a red teamer, understand all the details of how the blue team functions, and that will make you a way better adversary. At the same time, you being a better adversary will bring value to your clients because the role of the red team is to actually assess and help the blue team.

How can someone gain red team skills without getting in trouble with the law?

I’ve always said the main difference between a hacker and a criminal is permission. The key way to do that is if you’re in a blue team position right now, contact your upper management, get involved with them, tell them that you would like to do a red team exercise and that you would like to approach it from the adversarial position. See if you can get upper management to buy in to that process and explain to them this is a free assessment. Give them some good arguments that make them take that chance and actually grant you permission to go in and do it.

Why can’t we agree on what a red team is?

I have no earthly idea. I think because everybody has an ideal of what the red team is supposed to be. I’ve already described red team, and I’ll say it again—I think that the red team is not just a physical aspect of the job of penetration; I think it is also network based. I believe that red teaming is different from penetration testing or vulnerability assessments or things like an audit. It’s an adversarial way of thinking. You still have to stay within the scope of the defined agreements that you’ve made with your client, but it is a more adversarial role in which you are trying to think outside the box by channeling what an actual attacker would do and breaking into the network. It’s not just firing up Nmap and scanning to see whether they’ve exposed ports or running a Nessus scan. It’s literally going in and looking for a way to create a payload to send in an infected PDF or to leave a USB drive in the parking lot. You have to think like an adversary, and when you give them that report, the blue team will benefit from that information.

What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?

I think one of the main things the red team forgets about is that they exist only to benefit, help, and improve the blue team, period. There is no other part of it. The only function a red team has is to make the blue team better. I’m going to say that just one more time for the people in the back—red teamers are only there for the blue team; they’re not separate, and they don’t exist in a separate field to audit or just to show where everything is broken. Their job is to facilitate making the whole company more secure, instructing the blue team by giving them information on where their flaws and gaps are, and showing them how to shore those up and fix those.

I think the most toxic falsehood is that there’s much of a difference when it comes to red, blue, or purple teams. At the end of the day, we should all be on the same team—the team of trying to make things better and more secure. We’re doing different functions, but we are all on the same team. We all win at the end of the day when the company is more secure than before we started.

When should you introduce a formal red team into an organization’s security program?

One of your biggest indicators that you’re ready to do a red team assessment is that you know where all your computers are. Have a full asset management program. Know when a new machine pops up on your network, especially one that’s not supposed to be there, and report on it and investigate it. How is an organization going to detect when someone else gets in, puts a new machine on the network, and starts doing callbacks if they don’t even have that part managed? They have bigger issues to address first.

Second, if you don’t have proper patch management systems implemented to make sure that machines are patched and you want red teamers coming in and doing damage to your network, that’s not right. You need to have a totally incorporated, working network department, IT support line, and information security department. You have to be communicating together, be well organized together, know how to work together, and share information and alerts from different devices you own. You need to be able to detect all those things and be able to report on them in a way that makes it more effective for defense. Because if you can’t get that part down, which is mostly policy, procedures, understanding, and discovery, then you’re not ready for a red team.

How do you explain the value of red teaming to a reluctant or nontechnical client or organization?

I think the best way to explain the value of a red teaming engagement to a reluctant or nontechnical client is simple. We need to stop building defenses as if we are expecting to be attacked by honest criminals and then inspect them as if we would expect it to be done. A lot of defenders build and a lot of programmers program things for honest people. Locks keep honest people out; they don’t keep criminals out. I’ve seen a lot of networks that were really great until someone who was “thinking bad” was able to find a vulnerability because they were thinking like a criminal—they were thinking like an adversary.

What is the least bang-for-your-buck security control that you see implemented?

Any device that you have on your network. Be it an IDS, IPS, firewall, WAF, or whatever it is, if you have that device on your network and you haven’t taken the time to understand what the signature baseline is for your environment or how to configure it specifically tailored to your network, then that is one of the worst things to have, and that’s a waste of money. That is throwing money out the door. I’ve seen so many people put in an IDS system, but they don’t properly tune it; therefore, everybody is ignoring any kind of legitimate signature because they consider it just another false positive. You have to configure these devices so that when someone sees an alert, they take it seriously.

Have you ever recommended not doing a red team engagement?

I actually have a story where on the first day of my red team engagement, I went to the CEO of the company by the middle of the day to tell him that I couldn’t continue. I started by doing a preliminary look at what was going on, and this was before the engagement actually even started. I told him that I could not in good conscience actually do a red team on him and that he needed to take the money that he was going to pay me and hire a network consultant or a new network administrator. Their current network administrator had put everything on a 10.0.0.X network, and there was no DMZ. It was a totally flat network. The mail server and the web server were reachable by anyone on the network! Everybody was on the same network, including the guest Wi-Fi.

What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?

I know this is a broken record, and I know there are also some people who like to debate about it, but if you have a small or medium business and you have a small budget and a small staff, then the least you can do is to patch.

Why do you feel it is critical to stay within the rules of engagement?

Because I don’t like going to jail! If you do an engagement and go off script, you could actually be responsible for damages and for information that you weren’t supposed to gather. You may have compromised something that you weren’t supposed to. You could be scanning or going into another network. I’ve had friends who have said that they’ve been on jobs where they actually broke in and they found themselves on a network. Then after further recon, it turns out it wasn’t the network they were supposed to be on; they got the IP address wrong, and they actually compromised another company. You have to make sure that you stay within the rules of engagement. Understand what your scope is, and even if it’s a narrow scope, you have to stay within the confines that your client has set because that gives you a shield from any kind of liability. If you stay within the parameters of the engagement, you’re going to be okay.

If you were ever busted on a penetration test or other engagement, how did you handle it?

Actually, on all my engagements I try to get caught at least once if not more times. I always handle it as a learning experience. It is a great thing to happen, and it’s even better when you weren’t expecting it to happen. That’s a cause for celebration. You should be happy for them because they’re doing what they’re supposed to be doing. They did everything right, and that’s what you want. You’re not supposed to just be trying to find their flaws; you’re supposed to see what they’re excelling at, what they’re doing right, and making sure you document that as well. Celebrate those victories because they did a good job. So, you have to make sure that attitude is transferred when you do get caught. You shouldn’t be resentful like, “Oh, crap, you got me on this one, but I got you over here.” No, it should be, “Good job. Well done. Can I have your name so I can give you the recognition?” In a lot of these reports, there are so many people and so many instances where they have to look down upon what people did wrong. Make sure you give them something to look up to, and make sure you give them someone to look up to. That helps the medicine go down, so to speak.

What is the biggest ethical quandary you experienced while on an assigned objective?

I think the biggest ethical quandary I have is hurting people’s feelings. It’s difficult for me, and it gets me because I’m lying. I’m lying to people, telling them I’m here to help their network run faster, or I’m there to give them new equipment. I mean, I literally told one manager at this bank that I was going to re-outfit his whole entire branch and give them all new equipment, and when I had to tell him at the end of the engagement that I was lying, I felt like I’d kicked a puppy. I mean, this guy thought it was Christmas, and I’m telling them there’s no Santa Claus because I shot him, which was horrible. I still feel really bad about that.

How does the red team work together to get the job done?

Usually the people doing networking (or several people all doing network-based or physical-based attacks) are the red team. For me, red teaming is working with the blue team. It’s the collaboration. A company does not hire a red team to break in and cause damage or show where all the damage can be caused, not even to show where all the holes are. That’s not really what the client is paying you for—they are paying you for the report and the collaboration that you have with them after the incident is over. You’re showing them where they need to do better, where they are doing well, and how to fix it and make it better. That’s what they’re paying you for. You’re not being paid to break it; you earn your paycheck by showing them how to fix it.

What is your approach to debriefing and supporting blue teams after an operation is completed?

The best way that I approach debriefing and supporting blue teams is quite simple. I let them know at the beginning, before I start, that I am not an adversary. I’m an advocate, there to help them be more secure. I’m giving them assurances that when I’m done, they are going to be better for it. They’re going to get the ear of management to find out where they need more support and more funding to get things fixed, to get things done the way they should be done. And they probably have been saying this for years, and no one has listened to them. I’m their advocate in that regard, and I make sure they understand that before I even start. So when we’re debriefing and supporting the blue team or the operation, they understand already that there are no hard feelings. There are some instances where people still get a little upset when they find out how easy it was to get in. But at the end of the day, they still understand you’re there to help them, and you always approach it that way.

If you were to switch to blue team, what would be your first step to better defend against attacks?

In my case it would be, “What would I do if I switched back to the blue team? Because I started out on the blue team.” And I think the first thing I would do, again to reiterate an important point, is make an assessment of all the devices on our network. I’d check our current patch status. I would do a complete inventory and create an open dialogue between all the major groups that are, in some way or another, partly responsible for information security. Then I would get the users on board to let them understand that they’re part of information security too! I would also create a comprehensive security awareness team, because I also think that is very important.

What is some practical advice on writing a good report?

I do believe I am an expert on how not to write reports! I’m not very good at them, but I think it’s the most important part of a red team engagement. The only difference between the people you hire and all the other people currently attacking your network is you’re getting a report from the ones you hired. You’re paying for the report. So, it had better be a good one and worth all the money you’re putting into it. If you give me a report that just shows me what you broke, how you broke it, all the details on the CVE, or all the different ways that you broke it, and how you circumvented the control, well, then you wasted my time and money. You have to be able to show the client the ways to make it better, the ways to fix it. It’s not about the breaking; they’re paying for how to fix the flaws you found.

How do you ensure your program results are valuable to people who need a full narrative and context?

Always when I do an engagement (again, I do security awareness engagements) my goal is not just to break in and find an exploit or a vulnerability; my job is to teach the people while I’m there what happened and why it’s bad, so my value is not so much in the report but in the education piece I bring to it. Once I’ve broken into a place, I will then leave for two minutes. I come back after that two minutes with an employee of the company who’s trusted, and I explain to each person I compromised what I did that was bad. For example, if they let me in, I explain why that was a bad thing and how they can be more emboldened and encouraged to not let that happen again. I’m the inoculation. I make sure that they understand right then and there how to be more security conscious. That makes it valuable to them because they learned that lesson instead of just waiting until three months later, when the memo goes out to employees telling them, “Hey, something bad happened three months ago. This is what you all did wrong.” I show them right then and there what the problem is.

How do you recommend security improvements other than pointing out where it’s insufficient?

I think you showcase the security improvements. You do it by saying, “Here are the things that you are doing well, and here’s what you can augment. Also, if you add these other components, it would be even better.” It’s about showing where you can actually advocate for them to do what’s good, recognizing what they were doing well, and building on that to make it better. If you show that you’re trying to build on something that they were already doing, even if not 100 percent correctly or effectively, you’re not just kicking them when they’re down.

What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?

Communication, communication, communication, and I don’t mean between one technical person and another technical person. You need to find people who know how to communicate to executives, to regular users, to anyone. They need to know how to convey what they did and how they broke into something, and they need to be able to communicate that to people who don’t have a clue what Nmap is, what Nessus is, or what a zero-day is. They need to be able to communicate how to resolve that issue in terms that everyone understands, because that is where the true value lies. I don’t care how great you are at breaking something if you can’t reliably communicate to your client how something was broken, why it needs to be fixed, and how to fix it. Otherwise, you’re wasting the client’s time. You have to provide that kind of value.

What differentiates good red teamers from the pack as far as approaching a problem differently?

Understanding what each client is looking for and giving them what they need, not what they just expected based on faulty expectations. You have to be able to understand what your client is requesting and what their needs are versus what they’re expecting. You need to also make sure that they understand the difference. Give them value by giving them actionable information and actionable intelligence on how to remediate and mitigate potential threats. I think that’s one of the biggest things that a good red team does. They manage the expectations of their clients, and they help them understand what their real-world adversaries are like. Most importantly, they help the client understand what they are trying to protect. You have to understand what makes them money and how to protect that. ■