
Very much. Hey, all right. So before we start, shall we play a little game? We've got some different types of activities we could do in cyber here on the screen: we can start with vulnerability management, detection and incident response, GRC on the top, and we've got offensive security and an 8-bit game of global nuclear war on the bottom. Which one would you prefer to play? If you prefer to play the top, raise your hand now, something from the top, you know, like management, or would you rather play an offensive security game and some global nuclear war? I'm all about the last one. Yeah, if you go with that, that's why I created this talk. There are a lot of people in the security community that really love to break things and then see how they break and burn, and I suppose I do too from time to time, of course, and part of this talk is about that, and I called it "Your red team is missing the point".

So who am I? I sometimes refer to myself as the Forrest Gump of Scottish cyber, and it's kind of because of those pictures: I feel like I've been everywhere. I've been there when the first cyber security SOC was created for one of the major banks in the UK, that was down in Edinburgh, and two different cyber security companies have now spawned out of that work that we've done for that bank eleven or more years ago. Plenty of different stuff, plenty of different places. So you've got here on the screen some more recent things: when the pandemic started I worked as the head of information security for Heineken UK, and I've now transitioned to being a vCISO lead at Quorum Cyber. So that's me. Last year I haven't really done much certification, just SABSA, and then gained some weight, you know, that's what it's all about.

So, red teaming. We could say it's a specialised form of ethical hacking. Obviously I'm assuming that everybody in the audience will know what it is, but it's sometimes good to put the definition on so we know what we're talking about, and if you're putting the definition on we can put some more details about it as well. So obviously there is something called the ethical hacking maturity model, and they say that you start with vulnerability scanning for an organisation, then you do vulnerability assessment (how big a difference? probably a small difference), then you do some penetration testing, and then you go into that interesting stuff. It's got the red colour, it needs to be interesting, so it's red team. All right, so that's where you go right after pen testing. Fair enough.

So why am I here? As the head of information security for Heineken UK, but also in other roles, I sometimes got some reports, and saw behaviours, that were not really right, things that I didn't really think were right in the cyber security community. So that's part of it, and I started speaking about it to my fellow CISOs and heads of information security, and one of the guys was like, "Yes, yes, finally somebody talking about it. We've really had enough of their work," and actually their red team is one of the well-known brands, one of the most known brands for red teaming around, and "now we've just had enough. They're not professional, they're not delivering value, we just can't do with them, we're just going to hire robots, it's just going to be automated, everything."

So at this time, I know you've got good manners, but I would assume that somebody would try to boo me off the stage, because obviously red teaming is supposed to be that highly sophisticated engagement where you're putting threat intelligence and everything into place and only then you're trying to attack your target. So what is Zibi talking about, what does he know? It sounds like he was on the blue team for a long time and not much on the red team ever. What am I talking about? So obviously, check people's criteria for talking about things: I myself haven't done red teaming in my life, but I managed pen testing and red teaming engagements when I worked at KPMG, I've been on the receiving end of those engagements, and I'm not alone: I've got colleagues, I've got guys from other organisations that I know and trust, and before doing that talk I actually reached out to them and said, "OK, before I tell you how I see the world, can you tell me what you see when I give you that title? Can you tell me a little bit more about how you feel about some of the engagements?" So these are the three guys I reached out to, and they are at different stages of their careers doing different things: Aaron, a very young-looking guy but actually very skilled, progressing very fast through the environment; another great guy; and Conrad as well, now a director in Singapore for KPMG.

So, can robots replace red teamers, part one. Imagine you've got the task: you need to get the crown jewels and get out undetected. You're somewhere here outside the walls on that little boat, armed, ready to go in, get the crown jewels and get out. You've talked to the people inside the organisation, and they're like, "No, this is our staff, this guy, you're not going to get anywhere near our crown jewels before they find you." So you get some of the best guys in your team and they're like, "Yeah, hold my beer." You can't do it? I suppose now I should do the pizza and cake joke: their previous company was here, now we know it's for the cake. So it turns out it's an easy thing: you do some OSINT, you send just a few phishing emails, suddenly you've got initial access, you elevate access quite easily, you get domain admin within 20 minutes, and you're like, "OK, what are we going to do here?" So for the next two weeks you just spend time trying to attack this domain, sorry, attack Active Directory in different ways, and eventually you create the report full of highs and criticals, the ones that we never talk about, and you're like, "Yeah, they're going to cry when they see that report, we just demolished them." Things are all good, isn't it? And then you write a report, and your report for a pen test or red teaming exercise looks something like that. You remember we had a lovely castle and fortress at the top, but now you can't really tell the trees from the crown jewels over here, because the report doesn't actually... the pentesters and the red team, or the red team that pentests, the red teamers didn't take the time to understand what's important. You got domain admin: what is the domain, is it even important to them, are the crown jewels connected to the domain? Do you know that? So it seemed an easy scenario; the output wasn't perfect, but that's where you are.

So let's do part two: can robots replace red teamers, part two. A slightly harder scenario. You've got an 80k engagement to do a red team, and you spend over two weeks trying to get any form of initial access. You've been phishing them, you've been trying to drop USBs, everything, and you're just not getting it. You spend about 50k worth of effort just to get to the point where one person clicked on the link and you've got some initial access. So you're thinking, what are you going to do now? So you quickly go to the best coder you've got, they rewrite some Metasploit exploit so nothing can detect it, you drop it on the machine and it works. You're in, you elevate access, and you feel like Harry Potter when he first got the snitch, because you've got the golden ticket: you can now create any ticket within the environment. So you do the things that you want to do, you even take a dump of the full database, you just feel amazing, you're like the Avengers after the battle, you're ready for the debrief.

OK, so you're going in to speak to the CISO, and you actually think that's how the CISO will feel, that he will cry a little bit. You can't hear it, but you can search for that video on YouTube or try to find a link; it's just a sketch where you can see somebody phish them and the CISO gets very angry, as you can assume in this video, because we all see that video and that bit: they dropped Cobalt Strike and finally the CISO is not very happy with their crew here. So you're going in ready, like an Avenger after the battle, all shining, it doesn't matter that you've been fighting for a few days now, and you were expecting to be going to the normal place you've seen them, but actually you're led through some darker corridors and you're wondering what's going on, and you suddenly realise that you're being taken to the incident room underneath. OK, you go in, everybody looks a bit tired, and you slowly realise they didn't know that they had a red team. They thought it was for real. They've been there for two days trying to defend the walls of the castle without knowing. There are some Teams sessions in the corner and you recognise some faces from the vendor's side, they're just shaking their heads, looking at you, and they would want to swear at you but the only thing they say is, "It's not what a real adversary would do." And it dawns on you: the CISO never called a red team after the first hundred days in the office, they didn't know about it, it was obvious they didn't tell anybody. And you laugh it off anyway: you got it, you caught them, you got the flag, they should be prepared. You spend two weeks on a report, and again that's how your report comes in, again nobody can recognise the crown jewels for the trees. It's the same quality of report; it doesn't matter that it was a harder engagement. Oh, actually this time the CISO is a little bit grateful, because we managed to dump the database and their vendor told them that nobody could ever dump this database with their tool on, so they can now get their refund from the vendor. Fair enough, that's the only good thing that you've done for those guys. Some time later you see the name of the company in the news, and you're thinking, is that linked to the fact that I've done an AD sync for the domain and left the USB stick on a train? Nah, no way, no chance.

So that's how sometimes red teams are perceived from the perspective of an organisation: they are often highly disruptive, and often the value that you're getting at the back is some report that's got a little bit of a colour-blind paint-by-numbers kind of thing. So what can we do to assure the survival of the red team? Can we do something? I think you can.

First of all, verify the maturity of the blue team before you start red teaming: actually try and go in to speak to them. They don't need to know when you're going to attack them, but you go in and actually know where the company is at, what's the maturity of the organisation and the blue team there. Don't always insist on starting from scratch. There are so many engagements I've seen and heard of where you've got an 80k engagement, 80,000 pounds for an engagement, and you spend 50,000 pounds on it to get initial access. In some cases, just assume somebody somewhere will get initial access to your organisation: give a laptop to the red team and say, "OK, you can pretend you're in, let's start from there, where can you get to?" So you don't always have to start from scratch; you can sometimes assume that somebody clicked on the link, so basically give a link to an insider and say, "OK, on that day you're going to click that link and we're going to see what's going to happen there," or you can assume that you're already at some form of basic access where you've got an account, so start from there.

Play a realistic threat actor: find out what threat intelligence is given to the blue team, and then try to apply the adversary that actually could attack this type of environment. So don't put the best team that you've got on red against some other guys; you don't put the guys that could write Metasploit modules against the guys that need to Google what Metasploit does. Obviously those guys were very skilled and very direct, if you talk about Lapsus$: they actually didn't have limits in terms of calling them and using kind of safety triggers in security and everything else. But still, when you're doing a red team, don't put amazing coders against an organisation that is actually never going to have a dedicated attacker; instead they may have somebody who is going to use an opportunistic attack if they see their accounts.

So play fair, and never belittle the opponent, never belittle the blue teams. I think we now talk about it more than we used to: it used to be that everybody was in awe of the penetration testers and the red teamers, but actually it's often much harder to be a blue team, because you need to protect the castle 24/7, you need to do it day in and day out, whereas the attacker really needs to be lucky once or twice: lucky to get in and lucky to stay undetected. So don't belittle them. Then, if you're a red teamer or you're an offensive security person, go and try to do detection and response or risk as a company, and understand what's important to the organisation and how to write things that are important to them inside. And you can offer ride-alongs with red teamers so the blue team can see how it is from their side. Often review services: when you actually look at the use cases that they've got in their SIEM tools, it's like, "Yeah, you're missing that, that and that." You can help; you don't always have to go and attack. You can go in and just use your brain and use your perspective to have a chat with the blue team and say, "You know what, an attacker would probably bypass that going this way, do you have anything there?" No? And in that way you can together threat model the environment and find what controls are missing without even trying to test anything.

And never overblow findings, because I've heard it so many times from security companies: there is always an implied thing in the reports that if you don't do it the company will just diminish. It's not the case. Most companies with good cash flows will come back. Maersk spent 300 million to get their 4,000 servers, 45,000 PCs and two and a half thousand applications back up and running, but if you look at their share price since they've been hit by Petya in 2017, I think they're doing pretty well; they've more than made up for it now. So don't overblow the findings.

And when you're talking about findings, agree the findings with the blue team before the report goes anywhere else. If you don't agree, then the only thing you can do is take it higher up, and what the higher-up person will do is basically lose trust in both of you. There is no chance that they will be like, "Oh, I'm going to side with the blue team," or "I'm going to side with the red team." No, they're just going to lose trust in both teams. Go and agree your findings, talk like human beings, because you understand the technology, people higher up may not, so you need to agree what the finding is and when we talk about it.

Also, make sure that somebody in the blue team knows about the red team. I wasn't joking when I was talking about the scenario where people were in proper incident rooms for days not knowing it was a red teaming exercise, and they were close to calling NCC to help because they thought something really was happening.

And don't do a domain controller sync or take trophies. I've heard about guys that, if you ask them what's on their laptop, would proudly say, "I've got that domain, I've got all the tickets from that domain, I've got all the identities from that domain." It's like, why do you need it? The next engagement you've got, you can't use those trophies; they're just trophies. You're not allowed to reuse them for a red team because it doesn't make sense, it's not what you're asked to do. So just don't collect those things, and if you do collect them, securely delete them at the end of the engagement; actually you should have a process to make sure it happens.

Know the audience. If you're writing a report, you think you know the report, you're imagining the person that you're giving the report to. It's wrong, because every report that I've seen from a pen test or from a red team should actually go to three different audiences: the executive summary should be written in a language that goes to the proper execs in the environment, then the technical summary should go to somebody like the CISO, and all the technical details then go to the CISO's team and the IT. So actually a single report should be written with three different audiences in mind and not just one.

And finally, there is a time and place for a red team. If there is a security program or a CISO that is really too sure of themselves, that may be a good time for somebody from that organisation to call the red team and say, "I think they're bluffing, I don't think they're doing it right," or "the program is stuck and we just need to do something and show that," and do a bit of shaming. Fair enough, you can do it. But what I'm trying to say, and I think I'll eventually go and speak to the guys that wrote it, is that I don't believe that the red team should be the next thing in maturity after penetration testing. I believe that if an organisation is going through vulnerability scanning to penetration testing, the next thing you should be doing is something closer to purple team, and you should skip red teaming in here altogether; it doesn't make sense, from everything I've seen, to have a pure red team in here. So yeah, and I'm even joking here: for lower-maturity clients, the place for the red team is called the power button. But that's how I see it. The only exception, and that's where everything started, is probably there because banking regulations made it mandatory to run red teams for some organisations, and probably that's why people have put it there. But that's the only reason, so we can look at the definitions and things like that. So, long live the red team.

And how do we get hired into it? How are we for time? We're good for time. So I'm just going to run through some of the slides; we're recording that session as well. Looking at your faces, guys, you're probably all hired already within the industry, but I'll run through some slides because we all know that we're suffering from the fact that not that many people are going into cyber, and sometimes they are also pushed away, or feel like they're pushed away, from cyber. I personally was speaking to a guy that applied for a job working with me a year ago, and he only started his job today with another company. We didn't get him because we had a better candidate at the time, and he didn't get a job for the past year.

So how do we get hired? Can you hack a job interview? If you think you can hack computers, learn how to hack people, or be nice to people, because there are techniques to get you to the interview stage and through it, and also to pass the interview stage. There is, I think it was the CISO/Security Vendor Relationship Podcast, that often asks the question, "Would you hire a brilliant jerk?" And every week the guy has to choose: would you hire a brilliant jerk, or a team of something something, and the viewers and everybody are trying to find the other option that he will select over hiring a brilliant jerk, and every week the answer is, "No, I wouldn't hire a brilliant jerk, I would prefer the other solution," let's say one newbie that has never even seen cyber, because attitude is actually more important than knowledge. You can talk about knowledge, but if somebody in the team is not nice to others, is not playing right, then suddenly from that one person you've got ten people that are disgruntled and not having fun in the organisation. So make sure that, first of all, you are a nice person, and when you are in a hiring position, hire people that will work together and don't affect others.

An example: who I hired last year for my intern was Leo, and Leo wanted to do red teaming and pen testing. I didn't have that job for him; it was an internship and it was mainly GRC that I needed. I'm like, "Leo, if you come and work with me, I'll get you a good gig as well." So he was doing GRC for me over the summer, but he also had a master's in brewing and cyber, so I got him: "OK, go to our breweries and do Wi-Fi testing across the breweries." I love the images, but also what I got from him: he was really interested in the offensive, but at the end of the day he understood that it's not the only thing in the world, there are other important functions in cyber, and actually that's helped him grow his career from that internship onwards. So I'm very proud of what he's doing now as well. I think he's moved on already; he was a risk advisor for Deloitte in Switzerland and I think now he's helping a startup with something important, which is nice.

Grow yourself. No university, or any formal education, will grow you; it will grow your skills within a program of knowledge, but it won't necessarily grow you as a person or tell you exactly where you should be going. I really like reading the biography of Arnold Schwarzenegger: that young, skinny guy becoming Mr Universe just because he thought he could, he told himself "I can do it" and he did it, and then later he rediscovered himself: "I want to play in the movies," so he landed some of those movies and he moved to the US in order to become a movie star, and from there decided "I want to be a politician," got closer to the Kennedys, started being a politician, and now, from a guy that couldn't say "I'll be back" properly, he speaks very well and he's got a lot of good ideas, speaking and trying to speak to the Russians about what's going on in the world. It just amazes me how, by growing yourself and setting yourself targets, and the guy says it's just repetition, repetition, repetition: decide where you want to go, what's going to get you there, and repeat, train and repeat, and it just amazes me where he got to.

Some good books, I'm just going to put them on the screen here. These are not books about tricking people; if you read this one it will specifically tell you that you do it because you like people, you want to get to know people better because you like them, you want to understand them and help them, and help them have fun together with you in life. So these are all good books for learning about others. Don't just stay learning about technology, learn about others. Those books are this way, more about others; that one here is about if you want to learn about yourself, a great book, a long one, 28 hours of audiobook, but a good book.

Finally: be open-minded, respect others, experiment every day, fail when necessary, fail fast, explore, enjoy, and share that with me, Zibi. I will be very happy if you contact me through one of the networks. And yeah, all the best, thank you very much.