
Hey everyone, thanks for joining my presentation, Red Teaming Without Red Teaming. I appreciate everyone giving me the opportunity. First and foremost, I'm Nick Regelman. I'm a senior information security analyst. I wear many hats, even though I am not wearing a hat currently and I'm not wearing a hat in the picture. Some of those hats are incident response, vulnerability management, security awareness, and I think I rulez, with a z. It's always with a z, and I put that anywhere I can, whether that's a printer, whether that's a server in the data center. Really, I just put Nick Rulez on everything I can, because my name actually autocorrects to Beef Woman.

So with that said, I want to make something very clear before we start: I am not a red teamer. I'm not going to sit up here and try to pretend that I'm a red teamer. Sorry, nothing against that. I support the red team in their efforts. I think, working closely in vulnerability management, a red team really helps to emphasize that not all of your vulnerabilities have a CVSS score. When starting a red team, people like to reference that pyramid of pain, which is very valid, right? But how do you even get the building permit to build that pyramid of pain? How do you create the foundation to build the pyramid on? This presentation is really about advocating for the existence of offensive security programs, whether that's basic phishing, pen test, red team, whatever. And it's not even limited to just security; you can use this just about anywhere. So sit back and enjoy it.

What this presentation is not: it is not about uber elite hacks, and it's not even technical in nature. What this presentation is, though, is how to talk to people and form those meaningful relationships. The idea for this talk actually came up a few years ago at DEF CON, as most of these talks usually do. I was talking with some people, and we were of course afraid to discuss where we worked, but over maybe some drinks and some time we were talking about what we did for work and the challenges that we faced at the places we work. Some of the people we talked to had ideas to implement bug bounty programs, others wanted to do red team, and there were actually a few, which kind of surprised me, who really just wanted to do simple vulnerability scanning. They were all told no, for whatever reason: oh, so-and-so won't let me do this. And I wanted to understand why. In these cases it really wasn't what they were asking but how they were asking for it. I'm going to try to keep this high level and give you the pieces to put together yourself, but if you need help with something that applies to you specifically in your organization, feel free to reach out, and I'll have contact info later on.

Every organization is different, right? We all know that. For that reason, we have a number of different frameworks available. It's not necessarily that one is better than the other; it's that one may cater to a particular organization better than the other, based on industry, what your current security posture is, or really any other types of needs that are unique to your business. We already know that. That's nothing new, and I'm not here to talk about that. I'm here to talk about where you begin. No one really talks about where you actually start. Most of the guides you see online on how to build out offensive security programs cater to how you set your team up, and again, nothing wrong with that. This is very important, and like really any plan, you need to take those into consideration when you build the team. However, that takes into account that you already know how to walk, that your organization already supports the concept. How do we crawl first?

Well, in most organizations you simply have to ask for permission. Being a cowboy is really fun, but when you accidentally shoot the sheriff, the town can get upset. So based on many different conversations that I've had, when you get an opportunity to ask for something, a lot of the DEF CON conversations seem to have gone like this: "Hey, I want to do this thing that we've never done, and I could potentially break something, but I'm pretty sure I won't." Because you're responsible, right? You're a responsible person, and honestly you probably won't even break anything. There's a good chance that you won't; you're confident that you can do this safely. But think about your executive. You just really made them confused. You actually got the time with them, and now they are very confused at you. You see the confusion in their face, so you try to respond dynamically, you try to give them some more context, so you say something like, "Well, it's pretty cool though, because I'm gonna hack something." I'm gonna hack something. Now, what is the average person's idea of hacking? I know that this is changing, thank god, but what do people normally think when they think about hacking? CSI, two people typing on the same keyboard. Certainly not Mr. Robot. So it's pretty much what they see in the movies, right? That's normally what they think hacking is. So you hurry up and add in, "but it's not like how they do it in the movies." So: "Hey, I want to do this thing that we've never done and could potentially break something, but I'm pretty sure I won't, but it's also pretty cool because I'm going to hack something, but it's not like how they do it in the movies." Well, congrats, you now made them scared and confused, so you got the double whammy. Come back next year, if you're lucky.

So all joking aside, where do you actually begin? You want to get that time, so that when you have an ask they actually do something. Well, it really comes down to one thing, and it's hard to get in a lot of cases and it's exceptionally easy to lose. If I was in a room with people, which I can't be for some weird reason, I don't know why, I'd ask: anyone want to guess what that would be? And this is when someone goes: trust. Right. Trust. That's the basis, that is the foundation for everything, no matter what it is you want to do, whether that's red team, offensive security, even if you just want to do something for the business that has nothing to do with IT. It's all based on trust.

So how do you build that trust? Well, you don't light a turtle on fire, if that's what you're thinking. That's not how you build the trust. I really use that image because: has anyone ever been... are you familiar with the term slow burn? If people are avid readers, you may be familiar with that term. It's really something in storytelling. It's a story that doesn't try to rush itself, it doesn't try to escalate for no reason just to make it within the 90 minutes or however many pages. It takes its time getting to the end. It's not really in a rush, and it's intriguing to be set up. It has some good characters, there's some drama along the way. I'm not here to sell you on a slow burn, I'm just saying that's what a slow burn is. People get invested in that story.

So who are the characters in the slow burn that is the business? Well, depending on your organization there really can be many different characters here, and their styles can vary a lot. Remember, they're characters, so no two are exactly the same. However, there could be some similarities, and usually the ones that are decision makers operate in a very common way. So let's think of your executive. For most people they think of a person, right, and they're behind a desk. Picture a person behind a desk; I think I did an accurate representation of the image here. And picture a bunch of levers all around them, and each one of those levers does something, and yes, one of them can launch you out of your chair, through the roof, out of the building. Now why do they have all these levers? And by the way, those are levers, those are not bongs. I have very poor art skills. If you have an executive who sits in their office surrounded by a bunch of bongs, odds are you don't even need to get to this point, because they probably thought what you said about hacking earlier was wicked sick. So I just wanted to throw that out there. Anyway, the levers are there to prevent micromanaging. Each one of these levers does something, and when they're presented with a problem they really just want to know which lever they have to pull to fix it. In very simplified terms, that's how a lot of organizations operate, and it works.

So now that we know how they generally operate, we can begin building that trust. Are there things that could happen that could change them from a person behind a desk to a person in an orange jumpsuit? Oh, I can help that not happen. I can help you not go to prison; this is the lever you have to pull. You need to start thinking in these types of terms. What is it that's important to them? Obviously, not going to jail is pretty important, and I'm not telling you to go into your executive's office and threaten them with jail time. "You're going to jail" is probably not going to end very well for you. Bad idea, don't do that. Think of opportunities, though, where you're able to interact with a person who's a decision maker. Maybe they're not even an executive, maybe they're a mid-level manager. It doesn't matter; you need to begin building this trust at different levels. So if you're not even that person who gets to talk to them, find out who that person is, talk to them, gather data for whatever problem it is that you're trying to solve, and start small with that. Oh, do you do phishing campaigns? If not, you really should, because if you don't know your company's click-through percentage, I'm willing to bet that there's someone else out there who does.

What's that? How are you supposed to know what problems they want to solve or what they're concerned with, aside from going to jail? We're all hackers here, right, at least at heart. You should know the answer to this. What do they read? What are they reading? Wall Street Journal, Business Insider, Forbes; they have a list. I don't know anything about it. I'm not advocating for whether any of these businesses or publications write good articles about infosec, or even how accurate they are. All I'm saying is whatever these types of publications are talking about is really what these executives are reading, so that's what's on their minds, that's what they're concerned with. You want to start a phishing campaign? Find an article from something that you know they're reading and share it with them via email. Add some context: "Interesting article about phishing. Have we thought about conducting a campaign to see where we are at?" Don't just share that with them, because that's weird; there are a couple of managers in between. What you're going to want to do is share that with your team as well. The more people you make aware, the more informed they are, and you're going to be creating those dialogues. I'm not saying spam them with articles every day or every week, just when there's something that can kind of get those juices flowing, send it over. Remember, it's the slow burn. It's not something that happens overnight. You're establishing that dialogue and you're establishing that credibility. Start letting them know: oh, Nick reads the same stuff that I read. I like him. I'm gonna listen to his crazy idea. Like, that happens, so use that to your advantage.

With that, it kind of brings you into one of my favorites, and this is what I call the illusion of choice. You can use this in so many different ways, and odds are you probably do it now to some degree. When I started my career I worked in the IT help desk for a few different companies, and if you're starting out in the industry, if you want to get into security, offensive security, anything like that, it's very broad, I still think that's a good way to get your foot in the door at some organizations. More importantly, you're able to get insight into not only how processes work within the business but where those processes fail, and then you have opportunities to fix them. Seriously, if you work in security and you're not talking with your help desk, you're missing out on so many good resources for information, and probably actually a decent talent pool in many cases.

Anyway, working help desk, I'm sure that there's at least a couple of people who can relate. You're going to encounter, in a help desk position, many different people, and some of them are going to get hostile. I understand why there's some frustration there; it doesn't make it right. I'm really big on treating people with respect, and berating people over the phone just isn't the proper way to do it, but anyway, it happens, and it happened to me rather quickly, and anywhere you go. So I created what I can really only describe as a coping mechanism that I call the illusion of choice. Really, what this is, is when you present someone with multiple options. Now, if you're good at this, you present the options in a way that makes it very obvious what the correct choice is, and the second-best choice should also lead you to the same outcome as the first choice. However, just be prepared to implement any choice that you offer them, so be careful. Don't make it a choice of putting a clear dome over a city; probably not a good option.

So how does this work? Here's an example. This is Bob. Now, Bob has a problem with his email client, so he calls the help desk and he gets me, or you, whoever you're envisioning in this scenario. So me or you answers the call, and after a minute or two of him describing his problem, you figure out that, based on what he's talking about, it really just sounds like the Outlook database is corrupted, and you really just recreate the profile and download everything, and it's done. Now, Bob doesn't like to be told what to do. For whatever reason, it doesn't even matter why, he doesn't like to be told what to do. He just doesn't; doesn't matter why. So how do you actually do this? Well, this is how I would respond, because this is someone who... I ain't doing that. "Hey Bob, checking into this, we have a few different options here. The first is I can just connect in and recreate your email profile. Really, that should be pretty quick. You won't even have to reboot or save anything; you won't lose any data. The other option is I could recreate your entire Windows profile. You're going to lose some settings, it could take a little bit, but I think it'll take care of it also. The third option, I suppose we could re-image your machine. That might take a week or so, and there's probably gonna be some approvals and hoops to jump through, so I don't recommend going that route unless we have to."

By doing this you're giving Bob a couple of different options, and Bob feels in control. However, you stacked the deck in your favor. Bob is likely going to choose the first option; if not, he's going to be inconvenienced, because he has to reboot and save his work, and no one likes to reboot. We all have solid state drives now and we can reboot in like 35 seconds in most corporate images, but we still don't want to reboot. Anyway, he's inconvenienced if he doesn't choose option one. Also, pay attention to some of the words that I used there: I added some doubt with that second option, "I think it will take care of it." It doesn't matter what he chooses, because if he chooses one of those three options, I win. Seriously, look at it. Option one: I get the call done, I fix his stuff, and he's happy. He writes a good review, because we don't count metrics on problem solved or anything like that, we do it on how many stars you get or something. Option two takes a little bit longer, because I had to recreate his profile, and ultimately I just did that so I could recreate his Outlook database. It still gets fixed, the guy's happy, I get a good review, or he just doesn't send one. Option three, right, this is the wild one. I fought for him, right? Wasn't approved. Obviously, why would that be approved? Of course it's not going to be approved. It gets denied because the mean supervisor won't approve the rebuild request, because we didn't try option one or option two, so of course they're gonna shoot that back down. So the caller is not gonna be happy with the supervisor, but they're happy with me because I tried, right? "Oh man, that supervisor, they're mean, I don't like them. You, you're cool, I like you, I want to talk to you next time I have a problem." Great, right? So it's important that when you offer an option that's backwards, you give yourself an out.

Really, the bonus to the illusion of choice is people love it. They love it when they feel like they're getting something special. If you can use something like "oh, we don't normally do this," or convey things a little bit differently so they feel like they're getting something special, even if it's a penny, it's still a shiny penny, and they got it and the other person who called in didn't. They feel special. So this is gonna be a little story here. I used to sell shoes at a department store way back when. I was the Al Bundy. It was an experience, and that's a different talk for a different time. But one of the things that the managers did in this department store was they gave us the authority to discount 10 off of the price. This was really if there was a scuff or something cosmetic with the shoe. I used that discount for people somewhat often; I would actually say frequently. Obviously, if there's a mark or something on the shoe, yeah, here's 10. But if someone was genuinely nice to deal with, or they were buying multiple shoes, something like that, I'd just be like, "Hey, you've been pretty cool and you're buying a couple of pairs of shoes. You know what, I'm gonna knock an extra 10 off your price." And they're like, "Does that include the sale price?" or "Can I still use my coupon?" That's usually their main concern, and if you can say "well, of course, man," they are happy. They are so happy. Do you know how many of those customer service awards I got as a result of doing that?

So obviously we are not shoe salespeople here. We don't sell shoes. I would imagine most of us work in security or some sort of a technical role, or at least are trying to attain that type of job. So how do you do something special in your organization? Really, what I started to do is I had something that I like to call the rounds, and this was pre-COVID, obviously. Friday afternoon, no one wants to start anything new on a Friday, right? How many people are starting something new? Unless there's an incident, after like two o'clock Friday I'm not starting anything new. I'm working on email cleanup, documentation, that type of stuff. But anyway, Friday afternoons I would walk around the campus and I would visit different teams that I work with, people who I'm asking to do work, I'm asking them to do something, and I would really just be like, "Hey, what's going on?" Because at first they would see me come and they would kind of scatter. The only way I can describe it is like lifting up a big rock and seeing all the bugs scatter: oh no, it's the sun. That's what it was like. Oh, we better scram, Regelman's here. But after a while they found out that I wasn't showing up to try to give them work; I was just showing up to talk to them. Hey, what's going on? Just to BS with them a little bit. And you might be like, "You walked around and BS'd with different teams instead of doing work?" Yeah. You'd be surprised how much work I get done. We would end up having these impromptu meetings. I would just be like, "Oh wow, what are you guys working on?" or "What's a problem you guys have?" and we would just talk about different things that they're thinking about, and we would end up bolting security on really early in their processes and actually improving our overall posture just by walking around on a Friday afternoon talking to different teams.

People liked this because they didn't associate me with work as a result. Remember, you come home, you have a dog, and your dog's real excited to see you when you come home, probably because you're a good person. He's probably going to be let out and maybe they're going to get fed, so they're very excited to see you when you come home. They associate you with happiness, right? The same thing happens at work. If you are just hammering people with work, making their life difficult, people aren't going to like you, and you're going to have a hard time winning them over. So if all you do is create work for other teams, it's important, very important, that you do something to keep the relationship in a good balance. Do you know how many pizzas I've bought in the past two years that weren't for me? It'd be a lot more if they were for me, because I really like pizza. It's my password. But if your team is doing a bunch of pen test remediation work, here are some pizzas, thanks for your work, because then they're not going to associate you with work, they associate you with something positive, like pizza.

This extends even past the Friday walk-around. One of the things that I would do is we would have a gym, and if you have a gym, when you're able to go back into the office I encourage you to join that gym at work, because it really helps with stress, and more importantly, if you start taking some of these classes you can meet people in the business, and after a couple of weeks of sweating it out and just suffering with these people, you're equals. It doesn't matter what your job role is, it doesn't matter what you do, you lay on the floor and you sweat and cry at the end of that P90X class just like everybody else, so they can relate to you. So when you're actually interacting with those different members of the business, that's very important. Take advantage of those types of opportunities. A little bonus right there.

So when you put this all together, look at the slow burn. Trust is the fundamental driver of everything. It's a slow burn because it must be genuine to be effective. You're not going to build trust overnight. There are different things that you can do, and understanding the concerns and creating those dialogues are really an excellent starting point to start to engage the decision makers without it being forced, without them feeling like you're just coming to them because you want something. If you can build a genuine relationship with these individuals, and you can do this at any level, it's so rewarding, and you're going to accomplish so much in your organization. You also increase the trust that you have by increasing the circle of influence. Remember, the illusion of choice works well when you need to get someone to do something, and they love special things as a result of doing something: pizza, whatever. These people need to be an extension of your team, so it's vital that you go and build out those spheres of influence. That way, they may not be the managers of those teams, but those are the teams that are saying, "Oh yeah, this guy, I really like him, I trust him," and you're going to find that it's a lot easier to get things done or get things accomplished.

Once you start to gain that trust, you're going to want to start small. You're not going to get a little bit of trust and be like, "Hey man, we're doing red team exercises. It's gonna be brutal, hold on now." That's probably a bad idea. You're gonna want to start really small. Phishing is so good to start off with, especially if you don't have a security program. If you do phishing already, then you're probably further along, and they may have some general security acceptance, your executives, so why not do a password audit at that point?

Excuse me. The other thing is, words matter, especially now. Red team might be a bad word where you work. At your organization there may be negative associations with the term red team. Should there be? No, there shouldn't, but some people think of that as an attack team, which, I mean, by definition it is. So if you can't use red team, or it makes people feel uneasy because it's really conservative, why not call it something else? Can't use red team? Controlled attack program, right? It's controlled because it's in the name; I wouldn't put it in the name if it wasn't controlled. So you're telling them at that point: oh yeah, that's not a red team, that's CAP, that's a controlled attack. Everything is controlled, nothing's going to break, because that's their fear, breaking the business.

The other thing with words: they matter so much more now that we're remote, and it's important that when you're talking to these people you're speaking to them, not typing to them. If you have an opportunity to do voice chat or even video, if you can do video, please just do video. It works so much better. You can talk with your hands and you can convey certain things, and if you're on camera you can have things that you can use as an icebreaker, like this stupid microphone right here. Since we've started going remote, I've started to call this the legitimacy maker. This right here just adds legitimacy to whatever I say, because people are just like, "What, are you DJing a radio station?" You're like, "Yeah, I am," and they're like, "Oh, okay." It's like a blue check mark on Twitter. People are gonna pay attention to more of what you're saying if you have little trinkets, and I don't mean little blinky things behind you, but just little things like that that you can use as an icebreaker. When I meet people in meetings, that's one of the first things that they bring up: "Oh, look at that microphone," and I joke around about it. Things like that are stupid cheap and they're a really good icebreaker. Right now, if you can't do those face-to-face interactions, it's best to try to do video to video wherever possible. I know that people hate being on camera, and I'll be honest, I do too, because I can't pick my nose or do whatever it is that I'm gonna do when the camera isn't off. But it's really worth it, especially if you can't have that human interaction, that face to face. I can't emphasize that enough. That's actually one of the things that I took on and learned during quarantine: how do I still effectively communicate? Just having the webcam and the backgrounds; a lot of people comment on, like, Mortal Kombat in the background, something like that. Just good icebreakers to start conversations with people.

If you're looking for some helpful resources, and I am not trying to shill anything here, take it or leave it, these are things that have actually helped me a lot in my professional development. If you think you can talk to people and you're good at presenting, seriously, take up one of these classes. You're gonna get better. You're never going to be as good as you can be; you can always do better. Gaining that trust and expanding my professional network, both of these books really helped to do that. It might be kind of a bad example because we're sort of in a pandemic, but the Win Friends and Influence People class, right there you were giving presentations on just about anything multiple times, like twice a week. And then The 21 Irrefutable Laws of Leadership with John Maxwell, those are things that you can take with you and use no matter what it is that you want to do. I cannot emphasize those two resources enough. They're tremendous.

So with that, I just really laid out some of the fundamentals for you to put things together for what fits best in your organization. If you want to talk about what fits right for you, send me an email or send me a message on Discord. I play a lot of games; let's play some games and talk about security. I want to help you get better, I want to help you build out your program. Everyone's going to be different, everyone's going to face different issues, there might be some similarities, and if I can help in any way, seriously, reach out to me. That's my Discord; the #1337 was auto-assigned, I definitely didn't pay money to get that by any means. So with that, thank you everyone for taking the time to listen to me ramble, and I look forward to hearing from you.