
Thanks, Ruth, for the introduction. To be fair, I focused more on the backend side of malware development, so something like load balancing 100 back connects and keeping them operational over days, months, that was something I was focused on. They asked me in front of this presentation if my presentation will work and if I want to test it, and asked me a few times. You know you're in the lead role when you can just say with pretty much confidence: it'll work, it always works. So many, yeah, presentations, nothing techy, it's just a plain Windows and you have to just present, and that's something you have to do as a pentest lead. So today I'm going
to talk, well, red team lead. Today I'm going to talk about, yeah, the shift from becoming a technical good pentester or good technical red teamer into a lead position. In Germany at the moment we have all these senior pentesters, these senior red teamers, which are technically pretty, pretty awesome, but at some point a company says, "Hey, I need a red team lead." Red team is a new buzzword; with DORA and NIST everyone wants to do red teaming, and now we have these technical people who have the shift to become red team leads.

Just a slide to why I am telling you this. bej Traer. I've got about 10 years of experience in offensive
security. If you count my SubSeven times, that was a clickable Trojan from the old times where you could remotely open your CD drive, then I would say it's about 15 years of experience. I've served in the German military for 13 years. There I was trained in cyber operations, conducted them, led them, planned them on tactical and on strategic level. I also founded a company during my time in the military with two friends, laun security, and after my time there in the military I'm now a managing director at laun security. I still have sometimes the, yeah, pentest lead, the lead of red teams, but more of the times I would say I'm kind of the backseater of
our red team lead, and I'm kind of challenging them or giving them guidance. Also, I'm a trainer for red team operations and leading red team operations.

So just a few words about red teaming. Red teaming is a military term. I was once told it's even from the 18th century, something which we called war gaming, and it's not something technical, actually. It's just a concept that you try to target a plan and try to play against some kind of plan. That could be something technical, but it can also be processes, it can be organization, it can be, yeah, for example, password rules. A good definition is that you have to
provide this knowledge to an end user, and the end user is most of the times a commander, a leader or a manager. So you don't just write your pentest report, your red team report, but you have to present it to some kind of management, to some kind of not technical leader.

But why is red team leadership so important? Isn't it like, yeah, everything else, like a pentest, where I'm telling you do this, do that, let's try this? Well, it's a little bit different. Unlike traditional IT or blue teams, red teaming kind of focuses on a unique combination of being stealthy, tactical, but also technical, and you have to have communication skills because you have to
somehow communicate with a different branch in an organization. You have to explain your results and not only show that you're a technical mastermind. Many leaders in this space have technical backgrounds, so it's kind of usual to have a technical background and then at some point become a red team lead or a pentest lead. Also, it's the other way around: there are some leaders who don't have a technical background and try it into the red team lead. I can tell you, I had a lot of red team leads; the technical ones, well, most of the time the better ones, not the ones who focus just on leading.

So we're now going to focus
on what do we need for this transition. Like, at some point of your career someone will ask you, "Hey, you're good at what you're doing, do you want to become a, yeah, do you want to lead a team?" Most of the times there are no red teams in the company you're working for, so you're going to be the one who's even building it up out of nowhere somehow. So we're going to focus on leadership skills during this talk, building up red teams, like the recipe to have, from my perspective, a pretty good red team, and talk a little bit about innovation, because innovation is a good thing, but innovation can also lead to
yeah, loss of quality if we're just trying to innovate and always do something new.

So when you're good, it doesn't mean you're ready for leadership, and that's actually it: not everyone is built to be a leader. Most of the times people are not natural leaders; they can learn it. So if you want to train over time, if you want to become a leader, you actually have to do it. You have to get your own way. In the military they told us there is no right way. You either have to be yourself, don't try to pretend to be someone else. Don't try to be, when you're a technical leader, when you're
a red team lead and you've always been, yeah, friendly to your staff, don't try to change that and become someone else. That doesn't work.

So when you're a red team lead you need a little bit more than just technical skills. You need, for example, people management. That's a really, really important skill. Don't let HR manage your team; that will definitely go bad for you. You have to have some kind of strategic thinking, like, hey, we're planning some kind of actions. A pentest is pretty straightforward, but when we think about a red team, we have some, yeah, engagements which we have planned, we have some
simulations which we want to play together with the customers, and you have to have this strategic thinking, that at the end everything makes sense and that the customer can say, "Hey, I really trained for the worst case, I trained for, yeah, that it's happened," and that you know what you're doing. In Germany, probably many companies at the moment already have pentest teams, but just a few have a red team, maybe only one, so there's not really someone in the company most of the time that can help you. A really good thing is always, or which you will become, is IT support, IT red team support. I'm going to talk about it a slide later, but that's something
that's going to be your task. Probably no German company has a special IT operations branch to help you during your red team operations, like, for example, spinning up infrastructure or, yeah, getting licenses, for example. That's something that's going to be on your desk.

Also, the essential part is to develop these soft skills. You will have to talk with customers, no way around it. If you're a good pentester and you can't talk with customers, there's no way you're going to be a good red team lead. You also have to talk with your team. You also have to talk with your boss. For example, you have to ask your
boss for money, for example for Cobalt Strike, for some conferences, but you also have to make sure your team understands that there's maybe at this moment no money and that you can't get these cool tools, that someone can't go to a cool conference and so on. So those are all soft skills you have to focus on.

Also, from our perspective, it's still pretty important to have a deep technical knowledge in offensive security activities. So you don't have to be an expert on all the fields, but you have to understand how something works. You don't have to be the smartest person in the room, but you have to understand what
the smart person in the room is telling you and how you can actually use the smartest person to get your goal, for example to get into a company, to write phishing mails and so on.

Also, you really need some experience and some mindset in creating these creative attack scenarios. As I mentioned, red teaming is a lot more about these scenarios than just pentesting, and that's where your strategic mind has to, yeah, be fed, like, hey, how can I, yeah, roll out these TTPs? The MITRE ATT&CK wiki is a good place to start. There are some good tools out there which can help you to create these kind of scenarios, but these scenarios are probably most of the time created
on your desk. Your team will help you, but it'll happen on your desk. Also, a good thing is always to understand the defensive side and know, for example, security solutions, processes that are used in the market and so on. And a not so good thing, but something you also have to focus on, is all the compliance knowledge, because that's what probably the organization you're working for, or the ones who are paying you, are focused on. At least the management is probably not focusing on that you're doing cool technical stuff and finding security loopholes; they are just focusing on that they can bypass, or that they can pass, a compliance. So we kind of have to switch
from, yeah, this technical focus, where we just focus on a technical problem, to strategic thinking. You will be the bridge between the upper management in your company and the technical team. That's something you have to, like, probably you're the one who's always getting something on his head or who is getting called out, but you have to live with that. You also have to align your team efforts with your business objectives. There's no need to build some cool, yeah, advanced red team that can do fancy stuff if that's not the purpose and the customer is not paying for it or it doesn't help the company. So focus on the goals of the
company.

Something we see a lot is that especially young technical leaders start with micromanaging. So they tell their team, "Hey, please do that, please do this," and they show them how to do it, or not even show them; they don't give guidance, they just do it themselves, and the team actually is just watching how the team lead is working. I can guarantee you, you can do it for half a year; after that you will be burned out, probably. Yeah, the good thing: delegation versus doing. Probably every leader has to learn about it, every manager has to learn it at some point in his life. It's really something you have to learn. It's experience. No one can do
it from birth. It's something you learn, you develop. This is a skill; you develop it over time. You can experiment a little bit how much doing is still okay, but you are kind of the coach of the team. So your team performs and then it's good. You yourself, at least technically, don't have to perform. Also, what's really fundamental: believe in your team's ability to deliver. If you don't believe that the team can deliver, you have to change something. You have to give them more education, better tools, work with them, but you have to trust them. At some point you have to trust in them that they are good enough
to, yeah, stand up for the task.

Now we're going to look a little bit more in how to build a really good, strong red team. Please don't just get all the Active Directory experts and put them in one team. Have a wide variance of brilliant minds, minds that maybe aren't experts but are really, yeah, fast learning, and they have some kind of soft skills so they can talk with other people, they can write emails, because you don't want to be the only person in the team that writes emails to the customer. It gets annoying as hell. There's a good GitHub repository; you can look up some, yeah, red team interview questions there.
Those are technical questions with answers. Just keep in mind, if the interview process is long enough and you have enough people and they talk with each other, they probably will find out that you're using this repository. Also focus on team dynamics. If there are people who can't work with each other, it's not a good red team, and that's something you have to watch out for, because HR won't do it for you. They will just find the good IT guy who wrote his stuff to HR.

I already said we need a really good mix of skills: offensive security experts. I always like to have some kind of developer in my team, someone who can
write code pretty fast. We know we are pentesters, or we are kind of techy persons; everyone can write a little bit of code, but a real developer is still something different. He can think about his code before he writes it down and change the idea during his coding. Also, if you have the possibility, it's nice to have some analysts, just some guys who have experience, for example, in the compliance stuff, so you can actually not only focus on technical stuff during your red team engagements but also take it to another level and, for example, red team the processes, red team a compliance. Really big thing:
get yourself an infrastructure admin. That's something I can tell every one of you: get this one guy who does all your infrastructure, spins up the infrastructure, spins up the redirectors and so
on.

Yes, also you somehow have to educate your team. We thought a really good way to educate your team is to do CTFs. They are kind of not realistic, okay, I'm totally fine with it, but it's not about how realistic they are but how you work in a team together. So it's essential that when you attend a CTF, and even if it's on Friday evening or Saturday, you as a team lead also are there and you somehow engage with your team. You help them, and at some point you are the person who tells them: hey, you've been looking at this exercise, this challenge, for 3 hours, hey, you might need
to take a break, go take a walk, and afterward we're going to discuss your findings in the whole team and then we'll get onward. It's really a good process for building teams together. Also, it's always, and probably for every manager, good to lead by example. I want to be led by someone who I can admire, and same goes for the
team.

As a managing director, I can tell you I myself won't focus on everyone's education, so that's actually the part of the red team lead. No one will come to you and will say, "Hey, this guy needs this kind of course, this guy may go to Black Hat in Vegas." No, that's something you have to focus on, and if the team member goes to the managing director or to HR, probably it doesn't have the same level as if you're doing it at the beginning of the year or something. So just keep in mind that's something you have to master. Also, as I mentioned, let them go
for a walk. Try to focus on the work-life balance. It's kind of a buzzword, but burnouts are really a big thing at the moment in IT, especially when it comes to offensive security. Working through, yeah, countless hours during the night is not a good thing, so try to focus that your team really has a good work-life balance, that they will have fun at what they're doing. Even if they're completely stressed out and are, yeah, burnt out, they will still have fun, but you're the one who has to say, "Hey, now it's time to stop, focus on something else, and tomorrow we'll meet again."

And now a really important part: take your time on engagements. We
always use kind of modeling in front of it to practice the real hit. Before we drop an implant we try to model it. We have kind of a cyber range in AWS where we can, yeah, test our engagement, and this testing of the engagement somehow brings in innovation. It also brings quality, because you test it, everyone knows what they're doing, you see loopholes and so on. Try to never hinder creativity. I know it's really, really hard, even if they are really stupid ideas, but just try to say, "Sure, let's try it out," and if nothing breaks, if it doesn't cost a lot of money, it will cost a little bit of money most
of the times, but if it doesn't cost that lot of money, you can make this mistake together and then everyone can learn, and maybe it's not a mistake, maybe it's then innovation which goes into quality at some point. But always think about quality, because quality in red teaming is kind of attached to safe engagements. We are building bridges from our infrastructure to the customer's or to the organization's infrastructure. It's a two-way street, kind of. No one says that, if you're building these unsafe connections, that a third party could engage in these and try to hack or take over your roots. So always keep that in
mind that quality is really, really important, and don't just focus on innovation.

And the last thing: try to automate. Try to automate especially infrastructure rollouts. Try to automate as much as possible, try to automate everything that makes sense, I would say. Automating the spin-up of the infrastructure can definitely reduce errors. You can even include some kind of tests before the actual deployment. When we talk about malware, malware can also be tested before you actually deploy it on the customer's EDR system, so that's something you can test before. And always keep in mind: don't try to automate that much that you
hinder creativity. So let the people still work. Not everything, from an nmap scan till the complete drop of the malware till the phishing campaign, has to be automated. That doesn't make any sense. There you have to focus on the organization, and quality will definitely be accepted by the customer. Don't focus too much on innovations and new tools, because there will always be new tools. Try to get these new tools into your tool set and bring them in a real process. Nowadays, actually, in Germany you have to write down, or many companies want that you write down, which tools you use, to know: are these tools safe, especially when we talk about supply
chain attacks, even in hacking tools.

Establish long-term goals. Where do you see your team in the next one to three years? Focus first on your personal goals: where do you want to be? Then, where do you want your team to be? Again, you are the one who is shaping your team. No one else will come to you and will shape your team. It's all on you. But also keep in mind, what are the upper management goals? What do they expect from you in one, two or three years? And don't forget about the customer. They also have expectations. They're not just doing a red team once; they
actually want to do red teams over and over again, and therefore it's important.

And now to my closing thoughts. One thing I can always recommend to you guys: keep calm and wait, and that's something every young leader has to learn. Many things just sort themselves out, just over time. Always keep this in mind: when everything goes south, you are the one who has to keep calm, get the team back together, make new plans and, yeah, make sure that these plans get executed. One more thing I really want to point out: let people go. I see it a lot of times at the moment in security companies that with force they want to
hold the people, especially if the people are good. If you let someone go and you're not the reason why they're going, you will have probably friends for life. Many of my, yeah, good friends at the moment were the ones which I had in my red teams, and I still have contact with them today. And so much for the presentation, and now we can move onwards to the questions. I guess there are some. [Applause]