
All right, thank you very much. So I'm done from North Korean, I'm the company, it's a cyber security training and penetration testing company, and I've been doing this for about 12 years from the perspective of a pen tester and then running red team engagements. I'm going to stand here for the next 13 minutes and moan about red teaming, to be honest, because I don't always whinge about red teaming, but when I do, it's with a crowd of people who feel awkward about leaving.

So we're going to talk about the fact that there's uncertainty around what red teaming actually is. We've heard both Holly and Andy talk about some of the really interesting things they've done and some of the really foolish things that clients do, but quite frankly there is a huge amount of effort put, when people are talking about red teaming, into talking about really super elite kinds of hacking techniques that we all get to use and feel like great spies who are breaking into buildings and defeating blue teams and doing goodness knows what kind of really technical stuff. And for the most part it's incredibly unnecessary. We all feel great doing it, I'm not denying that at all, and it's a lot of fun to do it, but for the most part it's not giving people what they need. Anyone who did see Holly's talk earlier will know that the industry is not improving, and that's because we're trying to push this kind of talk of "well, we need to go more advanced, we need to go more in detail, we need to go more technical" as opposed to actually fixing the stuff that's wrong.

Think about security testing throughout the ages. Once upon a time there was just no security testing. We had computers, everything was isolated, everything was okay, no testing happened until people found that there was an issue and then we had to really try and think about how we improved security. So vulnerability scanning came up. We still do it, it's really effective. Its aim is breadth: its aim is being able to figure out where known misconfigurations are, where there is something that we can find, an ability to examine an environment and identify problems.

Next we've got pen testing. This is what I spend the vast majority of my time doing. It's a lot more fun than vulnerability scanning because you actually get to start properly attacking systems and taking advantage of it: dumping passwords, attacking users, all this good fun stuff that we all enjoy doing. And it's really useful to be able to find the fundamental flaws that exist in a machine and be able to actually prove that there's a problem and show why we need to care about what's going on.

When we think about red teaming, too often we're just thinking about an evolution of pen testing: red teaming is just super cool pen testing where you're not told "here's a web app, here's a computer, here's a network", you're told "here's a company" instead. Red teaming should be that kind of emulation of a real-world attack. It should be something that is actually going to be representative of what a company is going to be the victim of, and what the tactics, techniques and procedures of some form of threat actor are going to be, not just fantastic. So what is fantastic and what is red teaming, and what isn't red teaming? Ultimately, what we've got to think about is: anyone who's trying to do red teaming and say they can do it in days is just a charlatan who needs to be called out as a snake oil salesman. Anyone who's saying that red teaming is all about identifying and exploiting vulnerabilities is completely missing the point. The objective of a red team is to be able to hit those key areas that a company is concerned about: those key systems, that key data, some form of thing that will cause damage to a business if they are compromised. And ultimately the tactics differ; we're talking about threat emulation versus just being able to identify and demonstrate issues. This is what we have as a problem with an industry where things aren't improving, because we're just selling things that aren't red teaming as red teaming.

The common misconceptions that clients have are what cause this problem. Clients will think that red teaming is just the same as pen testing, they think it's a phishing campaign, they'll think it's a malicious insider assessment, but they won't think big picture. I had a client recently who was convinced that red teaming was the idea of me sat at a computer, on the phone to the blue team, saying "I've just failed to log into an account via the IDP ten times in the last one minute, has your SIEM alerted to that?" This is not red teaming. That was a billion-dollar company who were convinced that they were doing continuous red team testing because every month they would have someone turn around and go "well, yeah, we're testing whether or not the new rules are being triggered when someone does something". And you kind of turn up and have your mind blown: you've invested how much in your blue team, and you've got how many really smart professionals here, and you are all convinced that you're protected because your red team testing is continuously just turning around and running random automated scripts and saying "did you see that? did that alert?" This is not going to help anyone. And fundamentally, I mean, it didn't help them, because we then had a minor disagreement where I turned around and asked for a domain admin account to test something, got the age-old comment from the AD people, "if you're the hacker, you figure it out", and then had the upset phone call about two days later to turn around and say "have you created a domain admin account outside of the work in progress and outside of the processes in place to do this?" And I had to say, well, you do red team testing, you've got all this alerting, this is stuff you should be able to pick up. But they fundamentally weren't able to do that, because they're not doing red team testing and they're not checking that everything is actually going according to plan.

We've got to get the basics right. Fundamentally, if you can walk into a company and tailgate your way in, that's great, you'll have a fantastic war story about physical intrusion, physical penetration testing. If you can walk up to someone and convince them to give you a password, amazing, you get a great war story about social engineering. And if you can then absolutely destroy their network and get domain admin, then that's great, you've got a fantastic war story about how you've been able to just turn up to a business and absolutely decimate them and how you're really clever and they're not. And quite frankly there'll be a lot of people in this room who probably have a really good number of those war stories, and they're nothing short of, in fact, hysterical at the same time. But if we can get the basics right, if we can actually focus on talking to clients about what it is that they need and actually being able to turn around and think how we are going to protect businesses, then we can turn around and start thinking about what's being put out onto the internet. Is it actually secure? Have you got horribly configured firewalls that are just letting all traffic go through? There was a business that I worked with within the last three years that had a 2003 vulnerability on SMB that was facing the internet. That was a very awkward conversation, to turn around and be like, there is absolutely no way that you don't have to burn down your entire network, because you have no idea who's in your network, because you've got all this stuff on the internet and your firewalls are just shot: no one's managing them, no one's monitoring them, and people are opening whatever they want, and that just leaves a huge, huge point of entry to attack. Is red teaming going to find that? Yeah, it's probably going to find that, but quite frankly the basics of turning around and saying don't open RDP, don't open SMB, don't have FTP, all these really common things, don't put it on the internet and just let anyone access it, would have helped them.

Yeah, we all know that phishing's one of the main ways of getting into a network; it probably doesn't really need to be spoken about. But the fact that I'm quietly confident there will be at least a dozen of you in here who know of a company that's still using 2003 servers, 2008 servers, means that we've also got a problem of thinking, well, red teaming, you get great stories about absolutely decimating companies and getting domain admin, but if you get it on a 2003 server in 2023 it's not that clever. It kind of ruins the story a little bit when you turn around and go "oh yeah, no, it wasn't even EternalBlue, it was MS08-067 from way back in the day", that some of you probably don't even get the reference.

We then got to think about password security. The absolute worst I've ever seen is a domain admin who argued point blank that he was using the best password advice that you could get, of four random words, as his password. Those four random words were "we will rock you". It's not quite as random as he'd have hoped, it's not quite as long as he'd have hoped, it kind of defeats the purpose of it, and he was just absolutely livid when I rang him up and went "mate, come on, like, you're domain admin of a huge environment, for the love of God, we've talked about this". I mean, at that point you kind of think even "Password", I don't know, "27" would have been a little bit better, because we could think that he's at least incrementing stuff.

And then we've got the fact that so many of us have smart devices now that are on the network that we're connecting: we're either connecting to guest Wi-Fis and we're potentially having a point of entry through our equipment, we've got developers who do feel entitled to put things like wireless networks on networks so they can make things easier, and these again represent a potential breach to the company. If we can get users familiar with the fact that when they add stuff to the network it is a potential breach point, then we can try and solve this. Again, interesting kinds of things where we've seen this happening: people hooking up their phones to the Wi-Fi and not realising that that data is traversing over the corporate network. I once found out, to my horror, that up until around about 2017 Grindr didn't encrypt their data traffic at all, and so you could turn around and find out every user who has their mobile phone on the network, get an understanding of who they are, what their weekend plans are, what their user accounts are, and start sending targeted phishing campaigns specifically to them that you know they're going to follow, because you're building up a very specific idea of what this person does in their private life. So this is something where you think the company itself has no visibility of that, but as someone who is trying to attack you've got that ability to see that, and ultimately this is a risk that companies aren't really thinking about.

So if we can get the basics right, then, I'm not saying red teaming's not needed, but ultimately red teaming can focus on doing the really clever work that it needs to do, not having someone come in to do a red team and realise that actually you can get domain admin within 10 minutes and therefore barely any work really needed to be done.

So ultimately people listen to these talks to hear about red teaming jobs that have happened. There's a couple that I want to talk to you about: one a global pharmaceutical institution, one was a UK financial institution and one was a global infrastructure institution. I don't know why I picked the word institution, but let's talk about how these worked. That was a global pharmaceutical company that we worked with where we took the approach of running through OSINT, being able to identify where their attack surface was and chaining together some really interesting web zero-days and vulnerabilities to be able to get onto their network and be able to completely pwn it. Within about five weeks we had network access to four continents and we had access to everything. That was sold as a red team engagement. It's great, it was something really interesting, it took the perspective of being able to say what an external attacker is going to be.

Now, I'm okay with the fact that every red team has to have a slightly different methodology, but when you see the fact that there are such varieties in the different ways we worked with these industries, you'll see there's absolutely no consistency, and that is also one of the issues. Because for the UK banking institution we tried phishing, and it fundamentally failed. Nobody clicked the links, nobody did anything. I think we got one username and password, and we got one username with an expletive underneath it, so I can only assume that the person realised it was a phishing email. Shockingly, didn't report it to IT though. So when we went and dropped USB sticks on site, IT were none the wiser that there was potentially a malicious attack happening against them. But this was an interesting one where it shows really the importance of making sure that when you have a red team engagement you've got the right people with the right skill set, because they had an okay blue team. They escalated it up to the point of contact who actually understood that there was a red team happening, and he rang me up seven hours after a USB stick had been deployed to say "we've reverse engineered this and we've blacklisted all the AWS IP addresses you're using to attack the network". That's really good, great job, fantastic. Didn't feel like telling him that six and a half hours ago we pivoted around the network, got persistence and compromised a shitload of accounts. Thought we'd leave that for the report, to be like, congratulations, you were only six and a half hours too slow. And then we moved around the network and compromised it.

But the whole premise was completely different. With this one there was such a focus on being able to actually just get domain admin that, you think, the way we did this was not through any real emulation of a threat actor that's really realistic. This was: we dropped a USB stick on site and someone plugged it in. There are going to be people who do that, but quite frankly, realistically we could have provided the exact same value by turning up and plugging in a testing laptop and being like, okay, this is how someone's going to do it. The phishing didn't work, this is how someone's going to attack your network. The weeks and weeks of OSINT were absolutely useless, the phishing was useless, nothing really provided any value. This client fundamentally could have just done with a pen test, because once we had one compromised machine it was game over so fast, whereas at least with this one it took us weeks to get through their Active Directory; it was an actual challenge.

And then we had the infrastructure company. For this one we went for an assumed breach mentality. Assumed breach, for anyone who doesn't know, is where you turn up and you've already got a foothold in the network. And it was really good: we pivoted around the network, we had a look at what we could and couldn't gain access to, and eventually had to spend weeks bypassing their EDR solution. Again, really, really useful, because they had a blue team that could focus on this and they had a blue team that were constantly looking out for this kind of malicious activity. So the value to each of these was different, but they all had the capability to actually identify an attack, so we all had something that we were actually achieving. This is a red teaming engagement: it's not just "can we exploit machines", but it's "can you figure out this is happening, and if you do, can you block it?" The EDR one, this one, was particularly interesting because they did get alerts but they weren't sure what was happening for the first couple of days and thought it might have been just faulty alerting, and then it took a long, long time for people to be able to recode the custom implants that had been created. So it was really, really interesting how we tried to do this.

But again, the value of these kinds of red team engagements was that there was a blue team to try and defeat, to try and circumvent, whereas companies who are smaller than this, who hear the word red teaming, who hear the buzzwords, who think cyber security is just constantly changing the words for no reason, turn around and go "can I have a red team engagement?" Why? "Because I've been told I need one." If you've got no AV or EDR, who really cares? Your machines are already going to be compromised as soon as they're attacked. If you've got no segregation you're going to be ruined as soon as someone gets onto the network. If you've got no software control or patching policies you're going to have stuff on your network that's awful. And then if you've got absolutely no one looking at alerts or logging, or God forbid you've got grads doing it who have absolutely no idea what they're looking at, then you've got no protection in place and it's all just an illusion, that as soon as we peek behind the curtain we realise that you've spent a lot of money on an engagement that really didn't need to happen because it wasn't that complicated.

The common objections I hear when it comes to clients talking about red team engagements, the ones who can benefit from it, are that it costs too much, it's too hard to get approved, it doesn't give a consistent list of vulnerabilities to fix, and "no one would get onto our machines, so the assumed breach is pointless". That last one's my favourite, when a client says absolutely no one would get onto their machines so it's pointless, and you literally just spoke about people being able to get jobs and get machines anyway and be able to get into companies. But we've got to focus on the fact that for some of these companies these are really valid points. Companies that turn around and go "it doesn't give a conclusive list of vulnerabilities to fix" will know, but if that's what you're after, you're not after a red team; your maturity is so far below that that you don't really need a red team engagement, you need either a vulnerability assessment or a pen test or something to go on. Loads of these companies will focus on this kind of thing and they'll completely ignore the fact that actually their development lifecycle is shot, and every time they publish a new application, whether it's internal or externally facing, it is being built on sand and it is just waiting for someone to poke it with the same stick they poked the last one to get access to the database, again and again and again. And we've seen billion-dollar companies turn around and go "oh, we've got a framework of how we build our applications", and you talk to them and be like, okay, when was the last time anyone tested the framework that you're building on? "Oh, well, they do individual spot checks, they pen test some of the web applications", and then you turn around and identify that the framework's fundamentally flawed and every single application that you create, no matter what amount of effort you put into it, every single one of them is broken and you just are completely unaware. And then you think the cost of a red team is a great deal, but the cost of being able to find out that you need to fix the stuff you're building on is where the value is, and the ability to turn around and say "here's a list of issues" is just as valuable as a red team, depending on that kind of maturity level of a business. So it's all about trying to make sure that we can focus on where the company is in their journey through security, what they are actually trying to achieve, and then we can try and help them. The r