“It has been said that the red team is the unwanted party guest that trashes the hotel, doesn’t clean up, and blames everyone else.”
Twitter: @asw_sec
Adam Willard, at a young age, found out his passion was in computers. It started with building computers, graphic design, and digital photography. He spent the majority of his career writing software based on business requirements for customers, which led to many bruises from hitting his head on the keyboard. It was time to start something new, so he took an opportunity for a high-profile system as an application security analyst. Adam is now a senior penetration tester on multiple projects and is involved in several bug bounty programs. He is captivated by the industry and looks forward to growing with the next generation of security professionals.
How did you get your start on a red team?
It was a long road to where I am today. The start of my career was in software development, moving on to code reviews, to penetration tester, and today to working with a great team on the blue and red sides.
I was fortunate during my early days, between code review and penetration testing, to sit in the SOC, access all of their tools, and switch hats when needed. During the transition to penetration tester, I was allowed full access to the SIEM, Splunk, web application firewalls, and a few other items that let me see what was going on. This allowed me to ensure that my traffic was not obvious and was hard to track down.
That was the beginning of the red and blue teams as best defined where I am employed. I won’t say we function at top capacity as red and blue teams; however, we have come a long way.
What is the best way to get a red team job?
Ask. We have had great success with all sorts of backgrounds on our team. Some have come, made their mark, and moved on, and some are still with us making a difference for our teams every day. We even steal them from our blue team.
How can someone gain red team skills without getting in trouble with the law?
There are programs out there that let you test your penetration testing skills, such as capture-the-flag events or bug bounty programs. You can utilize bug bounty programs to ensure you are providing the best reports you can for the teams that may either mitigate or remediate your findings. There are other offerings by industry names that provide friendly competitions for teams to compete.
Why can’t we agree on what a red team is?
I understand that it makes things easier to break into teams; you do this, and they do that. One of the pitfalls is that it makes us fail by putting each other into silos. One of the things that is the responsibility of our team members is to provide a solution if possible. While certain assets have specific protections in place, other systems may have a different set. Mitigation techniques, monitoring, and patches/fixes are items we can recommend to assist not only the defenders but the ones having to do the heavy lifting to fix the issues.
When it is a vendor that must provide a solution, we need to work with the teams to assist in mitigation. This may require reviewing their approach and retesting solutions until fixes can be deployed.
Because our work is to test the systems and protections other teams implement, being a red team is more than a penetration test. Our work on a red team doesn’t stop after a report is submitted.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?
It has been said the red team is the unwanted party guest that trashes the hotel, doesn’t clean up, and blames everyone else. However, we are all on the same team working on a common goal. We are here to test what is in play. Occasionally we knock over a few lamps and leave doors unlocked; however, we are documenting our findings. Sometimes applications process our payloads in ways we did not expect, and we have no clue where things end up. It is important we document those issues when they occur.
What is the least bang-for-your-buck security control that you see implemented?
Automated scanners. I say this because no matter what the report states, it takes two teams at a minimum to implement the results: one to review the issues and then the staff to implement the fixes. If you just fire off a scanner and never do anything with the results, it is a complete waste of time and money.
Reliance on automated scanners. While, yes, it baselines your scanning activities, it also causes unnecessary events in your blue team’s tools. It takes time to weed those activities out and get rid of false positives. Automated scanners attack based on the known. As a red team, you aren’t necessarily using known vulnerabilities.
Why do you feel it is critical to stay within the rules of engagement?
We all like to push our boundaries and break the rules, but that could cause many issues during an engagement. Many times, the component may be off limits due to who owns the software and the terms of service that the customer has signed. Even though we may see something that is exploitable, we don’t have permission to attack. You can always write up in the report why something out of scope is a real issue.
How does the red team work together to get the job done?
The team I am so fortunate to work with has a broad range of talents and diverse work history. We all may be off hitting the systems, trying to find the next vulnerability to exploit, but when we reach a roadblock, we are all ready to jump in to help.
We are responsible for writing up our findings, but processes have come into place where we can utilize/reuse certain aspects of the issues. The team utilizes step-by-step procedures and videos, with audio as needed. Our lead views our reports, sends them back, or asks for clarifications, and then they are compiled for the business owner.
In regard to the blue team, part of our team has been on that side of the fence. We utilize communication streams so that we are in contact throughout the day.
If you were to switch to the blue team, what would be your first step to better defend against attacks?
Shut down the datacenter and walk out the door.
At a point in my career I had access to the same tools the SOC used. While I was testing, I would monitor myself to make sure I wasn’t being seen. Doing things like this allowed us to suggest other methods and indicators that would increase their chances of discovery.
One of the things I would suggest is for the blue team members to sit with the red team and discuss why and how they are going about certain activities. Just monitoring traffic doesn’t allow the analyst insight as to why a technique may be used.
What is some practical advice on writing a good report?
A lot of work has been completed by the community at large. There are frameworks that assist with consistency and reusability. You can join the bug bounty communities and practice finding bugs and writing reports. You need to submit quality reports if your bug is going to be accepted. Certain programs don’t necessarily give the money to the person who first finds the bug but instead reward the person with the best report for the bug.
I’ve noticed we get lazy with our reports when we use videos. Our videos show the step-by-step process, the annotation of why we did what we did, and more; however, that doesn’t translate into the written report. When it comes time to retest, some of the critical components are missing in the text of the report, and it takes more time and effort to complete the task. Before turning in your report, ask yourself: if you had never seen the finding, could you repeat it, and does it make sense?
How do you ensure your program results are valuable to people who need a full narrative and context?
We have a competent team lead that keeps us in check. Our lead works tirelessly with our team and the business owners. Our basic report findings have a set of well-defined common classifications and standard verbiage. We then specify at a high level why it is an issue for a particular issue. Then we walk step-by-step through their vulnerability.
How do you recommend security improvements other than pointing out where it’s insufficient?
Staying up to date on current attack vectors. Whether these are human or cyber, knowing what is going on can improve security posture.
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?
Attention to detail and the ability to communicate clearly. Communication, whether it is step-by-step instructions on how to exploit a vulnerability or just in a day-to-day conversation, allows each of us to learn about each other. Being able to adjust to a conversation and understand the other team members is critical. As a red team, we get to plunder and have a great time while the blue team is trying to figure out what we are doing. Communicating clearly after the fact or even during an engagement benefits everyone.