Red Teaming... THE FEAR IS ******* REAL!! - James Mason

BSides Cheltenham, published 2024-07 (25:47)

Transcript (English)

Hello, good afternoon. Thank you for joining me for the last talk. I realise I'm competing with the free bar, so thank you for joining me, and thank you to BSides Cheltenham for putting me on. This talk is a bit different to some of the usual ones I've done, which tend to contain a lot of war stories and things, which are my favourite parts and good fun to talk about. But this talk, "Red Teaming: The Fear Is Very Real", is a little bit different. It's been born out of frustration, and I must caveat at this point that although these slides are branded QinetiQ, which is the company I work for, these views are very much my own, just in case: sue me.

So my name's James Mason. As I mentioned, I work for a company called QinetiQ. We're a defence company, and with that we help to protect national security. We were fully deployed throughout COVID; our testers were on site as and where needed, and even so, though we were closely working with our customers, we've got a handful that stopped red teaming during the pandemic and haven't felt the need to pick it back up again, which are quite worrying conversations.

So I've been physical pentesting, social engineering, red teaming, whatever it's called this week, for just over a decade. I've got a proud never-been-caught record, and I've managed to social engineer my way into some of the most sensitive environments that you can think of. I spoke at BSides Cheltenham last year, and it was a talk titled "From Salesperson to Social Engineer", which is my own sort of journey of how I ended up, somebody non-technical, delivering in a supremely technical industry. And then late last year I became CSFL pentester qualified with The Cyber Scheme, and in brackets I've put "only just" and "at Foundation level", so I still regard myself as a noob when it comes to technical skills.

So a little bit about QinetiQ. I've mentioned already, a lot of people don't realise QinetiQ are actually the oldest dedicated pentest team on the planet, back when we were the MoD and you couldn't talk about offensive security. So it dates back then. We actually for the CHECK scheme and then handed it back over to CESG so it could retain its independence, and we were founding members of CREST. So I'm sure that all of you in the room are familiar with these types of schemes. And just to show you, there's our guys doing some of it; it proves how old we really are.

So yeah, my personal journey, as I say: I got a job with QinetiQ back in 2013, had no idea that pentesting and ethical hacking was a thing. I got my role as a salesperson, and on my second day with the company a couple of pentesters took me in a windowless room. They showed me how to pick locks, how to open a padlock with a can of Coke, and then they showed me hacking a laptop that wasn't even turned on. That was my second day with the company, and since that day I think I found my calling.

So as I mentioned, my last talk contained a lot of war stories, stuff like this, which are always the fun bits. But importantly, they each contained a lesson learned, and this one in particular was: the company had spent time, money, investment on their perimeter security, and once we got inside, the entire company was on a flat network. So just like an outdated cyber security model, all the effort was on the perimeter. The reason I mention this is, as I say, red teaming's getting a little bit of a pasting post-COVID, and I've seen a lot of talks that have some really epic war stories, really cool gigs, but they're missing the lessons learned bit, and I think that's harming the industry. The talks are coming across that we're laughing at the customers about how easy these things are, which, to be fair, are very often very easy, but I think talking like this could potentially damage the industry that we care about. So I think it's our responsibility to use platforms such as this to try and educate. Would those people talk like that if all of you were CISOs? I don't think they would. So yeah, I've posted on LinkedIn about it, a bit of a rant: please don't forget the lessons learned.

So, the fear is real. As I say, post-COVID, even though we were working with our customers and we were fully deployed, obviously physical pentesting dropped off a cliff while the world was in lockdown, and we've got a handful of customers where their official reasoning for this is: we saved all that budget for three years and we haven't been owned, so why should we? And I always say to them: during physical pentests, there was one we were on, and within 20 minutes we found evidence of a real physical breach that they were completely unaware of. So how do they know they're not being owned if they're not testing? These kinds of conversations I was having 10 years ago; it got to the stage where I thought, right, everyone's understanding this, and then COVID happened and it's like we've gone backwards again.

I think a lot of businesses saved a lot of cost during COVID. I remember thinking during the pandemic that up until now, business sort of demonstrated growth by opening new offices and new locations, and I remember thinking, they're going to realise they're saving multi-millions of pounds; are we going to see companies kind of shrink because they're making more money? And unfortunately we've seen that. We've seen redundancies in this sector, which before COVID they were quoting a 25e skills gap. And with that, businesses, if they haven't got to spend it, they really don't want to, like never before.

So CISOs that I talk to are really dishevelled. A lot of them have had a reduction in security budget; if they're lucky they might have the same security budget, even though threats are rising year on year. They're being asked, how can you make us more secure, but for no more money? And that's the challenge these people are having.

So events, conferences, social media: I've seen just myths about red teaming that are simply untrue, which has really rattled me. I'll go into more detail, because I've only got 20 minutes, but I don't think it's helpful, and when you've got a room full of CISOs nodding their heads in agreement with these things that are just plain not right, I think again, for the sector, that's really quite damaging. As I've just said, the message that always gets forgotten is that the whole aim of a reputable red team exercise is to make the organisation, IT staff and especially the blue team stronger. But it's just not painted like this; I don't know if you find the same.

So I speak to a lot of CISOs every week, and I understand the stress that they're under when they're considering a red team exercise. Things like: will the red team get in? At QinetiQ, our red team, we've been red teaming for about 24 years, and on physical pentests we've never shown unwillingly our get-out-of-jail-free card. So the answer is highly likely yes, we will. But it is a concern for them, because it's their kingdom and they're employing world-class specialists to come and break into it. And I see a lot of resistance has crept back in, when it seemed to be pre-COVID everyone was getting that red teaming is a good thing to do, and the benefits from it.

What about the victims? People are being referred to as victims now that fall for an email, and how can we stop this, and should we make red teaming more like a weekly fire alarm? Because yeah, that's how you're going to get attacked, isn't it: at 10:00 on a Wednesday morning every week. But these are the types of things being pushed out there. We are simulating attacks, how you would likely be attacked. And the prime example that gets pushed out at a load of events is the West Midlands Rail phishing example, which you probably all know, but if not, it was a phishing exercise where West Midlands Rail emailed their staff and said, because you drove your trains throughout the pandemic, here's a nice bonus for you. And of course the success rate was sky high; the email was legitimate because it was really from their company. It got plastered all over the press on how not to phish, and obviously you've got ethical choices there, and they shouldn't do it like that. And then on the other hand, would that be an impossible method for an attacker to take? Not really. But yeah, it's being portrayed as victims and trying to water red teams down.

And I make a comparison: QinetiQ are a defence company, our biggest customer is the Ministry of Defence, and the MoD, the Armed Forces, when we're not at war, what do they do? They spend all their time exercising, preparing for war. And I think it's important that, you know, the MoD trains like it fights. Let's exercise like we operate. And I've got a load of war stories of when we've caught companies cheating their red teams, which again is another dangerous game.

Will they access our business-critical systems, crown jewels? Almost surely, yep. But these are all the fears going through a CISO's head when procuring a red team exercise.

Will I need to include physical? I get this question so often, and as I said earlier, during a red team we come across evidence of real breaches, and you could say that exercise has immediately paid for itself, because that company didn't know it was happening. And the point I always make is, once our specialists are inside, we're simulating an insider threat, which is a top risk item, so look at it that way. But I get that question all the time.

Will my role be impacted if the red team is successful? I've actually seen the opposite. When we red team we have a small key stakeholder group, ideally, that knows the exercise is going on; the rest of the business shouldn't know. But we've also accessed emails and found all-staff emails saying "we're having a red team next week". But these people, we work closely with them, we keep them informed of each phase, and by the end of the exercise they actually feel like the red team has been collaborative. And it's certainly not painted as that: it's offence versus defence, you against us. But by the end of the exercise they can see the value of it. It takes that one exercise sometimes. And if you're a CISO and you've run a red team and you've increased your resilience, you're going to end up more confident and more safe in your own job role, because we all know CISOs tend to have... I mean, it's shockingly gone down to like 12 to 18 months job expectancy, or something silly like that. So if I was a CISO I would want to know where my holes are, but a lot of them, well, some, are burying their heads in the sand, which again, you're waiting for something to happen.

Will I lose face to my seniors? Again, when we red team we often present to a C-suite, but what we do, we assist with the findings, they remediate, and when we present to the board we show them what we did: worryingly, you were here, but your team have fixed A and C and now you're up here. And it's a lot more positive. They end up getting security budget exactly where they need it. When you've gamed a red team, tipped off your entire organisation, and the red team doesn't go, you might look good, but you're certainly not going to attract any further budget. So that's what I mean, that it's dangerous to game one. And we've seen members of blue teams gain a promotion after a single exercise, because of how well they performed and the presentation has been delivered directly at senior management. We've seen people get promoted, which is awesome. All these positives, which none of the industry is talking about.

Will I feel a failure if the red team achieve their objectives? Again, hopefully with some of those examples, at this point the CISO is working with us; they can see that a red team is for good and not to be feared.

Will my security budget be impacted? Very often they get more budget, surprisingly, because an independent company has come in and showed you exactly where your holes are. So if anything, all these CISOs at the moment that are crying out for investment actually get it off the back of a single exercise.

And it's a bit of a tough sale, especially post-COVID, because we all know with pentesting you've got CHECK, CREST, you're mandated to an annual pentest. Red teaming is a little more Wild West: you've got things like CBEST and things like that, but it's kind of a nice-to-have. It's expensive, because you're hiring world-class operatives; it's for mature companies who care about their security. But again, without the mandation, we're in the year 2024 and this stuff's not mandated yet. If a company can save money, that's seemingly the choice they're making post-COVID. They're losing the fact that a single breach could end an entire organisation. And yeah, just mentioning how collaborative a red team exercise ends up being, and again it's not painted like this.

So yeah, realising I'm short on time, I would like a call to arms with all you security professionals. Red teaming is getting a right hammering: press, events. Some of the security influencers on LinkedIn are peddling questionable quotes and then everybody's agreeing with them, apart from me. But I'm asking you, red team, let's use our powers for good and start spreading these messages wherever you can, whether that be with your own customers who are literally doing the bare minimum, an annual pentest, or posting about it online. Please. It's like a Comic Relief appeal or something like this, isn't it? Yeah, please, a company's just been owned. No, but in all seriousness, wherever possible, please talk about red teaming.

I've got a couple of minutes left. Again, thank you very much for your time. If there's any questions: slightly different talk to my usual one, but thank you for your time and thank you BSides for putting me on. [Applause]

[Audience question, not captured in the transcript]

I actually do both. So the last engagement, I sold it to them and then I delivered it, which was the last thing they were expecting, which is pretty cool. But yeah, my aspiration is to move across 100% full-time to physical pentesting, and that's why I'm passionate that people are not understanding the value of red teaming. Even though we have a large customer base, and as I say we worked with them throughout COVID, some of the thought processes have just gone back 10 years, to "it hasn't happened to us yet". It's like burglar alarm syndrome: your house gets burgled and then you put the alarm up. It's just that. Cheers.

[Audience question, not captured in the transcript]

Yeah, I mean, I always... I see companies operating physical and information security separately, siloed, with a massive gap in the middle, and as I say, once we're inside, it's then a cyber security problem. It's frustrating, and I see this as well with businesses that share an office block: there's a third-party security company and there's 12 businesses in there, but has anybody tested your physical security? No, we just pay them a monthly fee and that's it. And not one of those businesses will take accountability to test that third party. But information sharing, there's been a number of things in the past where they've tried to make people more open and things, and I think they start off with a flourish and then sort of die down. But with physical, we're seeing news headlines now that this isn't just a cyber risk or information security risk; there's physical stuff going on, which is personal harm, and the kind of times we're in at the moment, that's kind of increasing. So physical security should be a top board-level priority, and it should be a cultural thing, and the staff should be educated about it. Thank you.


[Audience question, not captured in the transcript]

Yeah, definitely, that's interesting. A couple of points regarding that. So when we're red teaming, and say it's a full-spectrum red team, black box, including recon and physical: if we achieve any objectives in the time frame sooner than we expect, we are straight in contact with our key point of contact and we bring the next phase forward, so we give maximum value. We don't just go "oh, we've done that" and sit there for four days burning your budget. So that's something we do do. With some companies it is a real close relationship during the exercise; we might do breach acceptance somewhere and work on what their bad day really looks like. Again, it gives value for money.

Second point is, we've just partnered with a company called Inspire. They're another defence company, they provide training, and the aim is to provide a more continuous service. The idea is Inspire pick up some of the stuff that the expensive red team guys don't need to do, which then brings the overall cost down and you could do things more regularly. So if you run a red team exercise now, like a 60-day engagement, you might see that customer this time next year, and then in the 11 months in between nothing happens. With this model you run an engagement, the red team's only deployed on the offensive parts and the O, obviously, then Inspire, judging by the outcomes, may provide training, then there might be an exercise two, which might be a shortened version, but has the remediation or the training been effective? And you've got this more continual model, rather than a project-led delivery of "oh, we've delivered this, they've got the report, see you again in 12 months". We've only just announced it at CYBERUK, but I think it's a good way forward for more regular involvement while you haven't got bottomless pockets, while keeping costs under control.

[Audience question, not captured in the transcript]

Yeah, and a lot of our red team guys end up good pals with blue teams on that very basis; it's a very sort of pick-up-the-phone kind of relationship. We're vendor agnostic, we don't sell certain products or anything like that, but we get a lot of blue teams ringing us up saying "we're thinking of installing this, what do you think?", and we're kind of like "that does give us some [unclear] on red team engagements, go for it", or "have you thought of these instead? They're pretty good". So we keep that kind of independent, impartial relationship with our customers, because we're not signed up to sell product or tin or any silver bullets. Oh, sorry. [Music]

[Audience question, not captured in the transcript]

Yeah, and that's where the critical gap is. Those teams should ideally work closely together, because as I say, once you've physically breached premises it turns into a cyber security problem, and we see them operating completely siloed, no communication. If you breach one, you're straight into the other. So that is, in the year 2024, very much still happening. There's just a guy there.

[Audience question, not captured in the transcript]

Yeah, so reporting physical breaches to the company: again, it's educational and improving the culture. Nowhere's 100% secure, that's just the way it is, but our culture at QinetiQ is, if we see our CEO, for instance, and we know he's our CEO but he's not wearing his pass, I will go up to him and say "where's your pass?" And it's that kind of mindset you need, to make your staff responsible enough to challenge people, challenge culture, because most of the places I get into is just by really kind people who shouldn't be letting me in. Exactly, exactly. And that's the point where I get serious guilt, when... please stop helping me. But I overcome that by thinking at least it's me getting in and not somebody for real, so that's how I quickly get over it. But yeah, it's improving the culture of all the employees, making them feel responsible, because it is their responsibility. [Music] Perfect.

[Audience question, not captured in the transcript]

Yeah, and again, slightly on a tangent: COVID changing the world and hybrid working now, people working from home. Security is a given at work, but how many companies are sending out instructions to change the default password on your router? Is your printer patched up? Are you shredding any documents that you print? There's not many companies that are joining the dots, and it's still the same risks, if not more, because you're in your home environment. That's good to hear, that's good to hear. But yeah, thank you, I'm going to let you go and enjoy some fine beer. All right.