
Red Team: Are We The Baddies?

BSides Basingstoke · 52:25 · 34 views · Published 2025-09
Tags: Team: Red · Style: Talk

Welcome to my team are the baddies. I'm Rebecca or Beex. My website is on there if you wish to see any of my other talks or send me. Um there's lots of other things on there. Go have fun. This talk does come with a warning. This talk has lots of critical thinking in it. Um and it will encourage you to critically think. Uh so it may make you uncomfortable if any of the things that I cover in this talk somehow pertain to you or your team or how you work. That is absolutely fine. Remember this is not a personal attack towards you or your team. It is an industrywide critique and please sit with your feelings. Have a

little think through maybe why we're feeling that way. Attend to the reaction that you're having. Like I said there will be questions at the end. So you may then bring up anything that is there. Um, if you still have questions afterwards or you have rage, I'll be around for a little while afterwards. So, please feel free to come find me after. Um, but again, it is an industrywide critique and it is going to encourage you to think critically. I know that may be difficult when we're in the height of an emotional state, but try. So, we're going to cover quite a few topics in this talk. We're going to start with security culture. We'll define what actually is cuz a lot of

people just use it as a buzz word these days which is very annoying. We're going to talk about ethics in relation to people and ethics in relation to computers and why we actually red tea. What is the purpose? What is the point? Why bother? We'll talk about full ninja. I like the phrase full ninja. Red teams do fall ninja a lot. We'll talk about why that's actuallyful. And we'll talk about causing harm. Uh these are not necessarily in order. These are just the main concepts. uh and talking about how we do better. I'm not going to just pull a hole in red teaming and then leave you with a hole. I will provide you with

solutions and different ways of thinking and developing scopes for red team by the end. At its very core, this is an ethics talk, a little bit of philosophy and a whole big piece of security culture in general. But what exactly is security culture? So security culture is how security is integrated within an organization and how it's integrated into the processes and procedures and policies within that organization. Security culture is all about the thoughts that people have about security in relation to their role and the company. It's in the behaviors they exhibit doing their day job. And it's in the feelings they have towards their behaviors and the feelings that they have towards security as a concept.

security as it is implemented right now. So people feel something about how multiffactor authentication slows them down. That is a piece of security culture. If they go, "Hey, I love your security training. It's super fun and exciting." That is one of their feelings about security and that will then lead to them doing their training more and hopefully actioning the things in their training which leads to the behavior. such the thoughts, feelings, behaviors roll up into how security is perceived, implemented, fits into a wider organization and the culture of its organization. Uh culture in a very strict military system will very different to a culture in a startup will be very different to a multi-,000 employee global system versus a small

local team. They all have their own cultures and each of them have their own individual security cultures. It is not a one-sizefits all, but it does always come back to people. There is no culture without people. I'm sure many of you have worked somewhere where you hated the toxic environment and you left for a different place with a much better, more friendly environment that fits you. And maybe you have friends that went to the place you used to work with and they loved it. You know, culture is very people dependent and it tends to collect and invite more people who are like that culture. And the behaviors can be molded over time. Behavior change takes a long

time. But behavior is very difficult to change. So if you make a bad choice, it will impact everybody and it'll be very hard to walk it back. You know, you see it a lot um with PR disasters with companies online. How quickly they are trying to fix something and how quickly people just immediately hate problem and they no longer purchase their products because they think they're horrible people. I will go cough Nestle. talk a little bit here about ethics. Ethics are the moral guidelines and rules and strictures that we put upon ourselves that again is decided by the people and the cultures around us. What we think is moral in one place may not be considered moral in a different

place. If you work in a global company, the morality and ethics may change depending on which country you're in. Somewhere in Asia may have different morality. somewhere in Southeast Asia versus Africa, North South Africa versus North South America versus East West Europe changes over time. What was considered moral and ethical 100 years ago, 500 years ago, 10 years ago is not considered moral and ethical now. It is an everchanging quagmire. However, most of us can come to a fairly good realistic consensus that causing harm is not moral or ethical. Those the guidelines that we live by and those the guidelines that we try and work with in security. It outlines the acceptable behavior that we as individuals. We as

security people can participate in our day-to-day lives. We know very quickly when someone has crossed moral or ethical boundary or guideline. It makes us go shouldn't have done that. That's not right. It's what sets us as security practitioners, particularly redeemers, apart from criminals. Because would a criminal do it? Yes. Is it ethical or moral? No. We do not do it because we're ethical and moral. Therefore, we are not criminals. However, I've just said that very gray area of what that line is. And the more you are exposed to a particular behavior or action being done that sits in that gray area that you are then perceiving as being moral and ethical, the more likely you are to see it as

moral and ethical. And everyone else may be seeing it as not moral or ethical at all. So that differentiation, that distinction between criminality and noncriminality, it's a little bit of a moving target if you don't sit there and actively think about it. Breaking into somebody's house, not ethical. Breaking into a building that someone's paid you to do, kind of ethical. What if someone paid you to break into someone's house? Because a lot of criminal gangs are on payroll. What's the difference? Right? Um so it's a really essential grounding therefore to really sit there and think what are the ethical moral considerations that we agree are acceptable for us that differentiate us from the criminal activity that we so

clearly state to everybody that we are not. And the foundation of ethics foundation of a good culture of trust and morality is trust. You know, someone says they'll do something. Trust that they won't. And they if they do it, you've broken that trust. You no longer believe what they're going to say. You no longer would say, "Hey, you can look after my kids." You said, "Can you look after my kids while I'm out of town?" You go, "Sure." And you realize that they never bothered to turn up your house. They left your kids alone or can you ever going to trust them not just to look after your kids with anything else in your life? Right? And if we pull this

back to security culture as a security team, if we say, "Hey, we're ethical. We're great. We're not criminals and we do something that undermines that, that trust once it's real hard to build back up. So, what's this got to do with pentesting? Mentioned it a couple of times. Also, this is one of my favorite um stock image sets. At no point in the set of images does this man hit anything. He's just in various positions about to hit, which is why it's here. So, little show of hands or yay or nays. Would it be ethical for us during a contest to take a list of social security numbers or national insurance numbers that we find in a system?

Ethical or not ethical? Hands up if you think is ethical. To take a list on your person, you you've taken a list of all social security numbers. Do you think that's okay? very important. >> Okay. What do you think? What if there are masks? >> Just want to prove that we must. >> So, you're going to take them all for yourself. >> Just a small sample. >> Just a small sample. Okay. Um if we we've managed to get into a system and we know that if we do this one next step, we're going to take the entire system that that company runs on, it's going to die, be completely taken down. Ethical or ethical to do that?

>> You're doing a business continually. >> Yes. But just for ships and >> no. We're very clear, right? Patching. Do we patch things when we find a vulnerability? Is it ethical to patch something that we know is broken if it's in our power to do so? >> Always. >> If it's alerted to our to us, it is patchable. It will not impact in a negative way. We're going to go it's moral to attach the system otherwise leaving ourselves vulnerable. Okay. Fishing people. I see many of you have seen my talks. Um the ethics of fishing. I have a whole talk on this. We won't go into it too much. But this comes down to a lot of

you have said it depends maybe depending on scope. This comes down to what is the purpose? Why are we doing this? If we are fishing somebody because we need to steal their stuff and we'd like money and it's quite easy to send like fish out to everyone, steal lots of money, get rich and famous in our criminal landscape. Everyone's going to say that's not cool. That's a crime, right? There's a distinction between the purpose of why we're fishing. There's many films like The Beekeeper, very good actually. The whole fishing scam thing. Are we fishing to train people? How is that training? You know, what are you doing? What is the purpose of the behavior that you are trying to train?

Um, and what are the pretexts that you're using? Is it okay to fish someone by saying that they've won a $1,000 gift card from their company for all of their hard work they've done this year and then tell them that, haha, jokes on you. No, you don't get anything. Anyone here think that's an ethical thing to do? No. Does anyone think that it's ethical to entract people in sting operations? No. Same concept. The pretext that you come up with impact the people that you are using them on. And this goes wider than fishing. The pretext that you use to get into buildings, the pretext that you use on the phone if you're phoning someone as part of your physical pen

test. The use cases of all of your pretext. You should think through them and think about the ethical implications. A friend of mine used to a very long time ago pentest banks but the online street versions of banks not the main head office and they knew that they had really really old point of sale. All their systems were absolutely ancient. It was a constant complaint. So he went in and said that he was there to assess and upgrade all of their equipment for them. Do we think that's an ethical pretext for people? >> Yes, people did get fired. >> Um, so he goes then tells them they're absolutely thrilled. Give them as much access as they like lots of coffee.

He leaves and he says, "Hey, this was a pentest." Cuz that's part of his job is to say, "Hey, it's been a pentest. There'll be a report. So if someone gets in contact with you, it'll be that." And they said, "So we will get the new upgraded system." He's like, "No." Um, some quit, some were fired, and everybody in that bank was scoring probably if they did say incredibly low. They've been lied to. They were very excited about something that been promised to them for a very long time. And then not only did they not get it, but they all got in trouble for engaging with this protester. It's not ethical. That causes long-term harm and it

undermines your overall security program. within your company. Those people are never going to report any security incident to you. They are not going to trust your security team. They are not going to forget that. It's going to impact how they behave with customers, how they behave with third party contractors and vendors going forwards. That is not a good place to be. You cannot patch people. You cannot revert to previous if you've made mess. You cannot reboot them. They forget it. it sits with them forever. You can cause very bad damage to people, not necessarily because what you did was particularly bad, but what you did reminded them of a very bad instance that's happened in their past. You know,

people carry trauma with them through their entire lives. You can't know what trauma people have gone through and how it impacts them. But it is your responsibility to not cause more drama to people simply so you can win a game, especially the way that a lot of pentests are being carried out. And again, this is an entry-wide critique. Not everybody in the red team does things unethically, but you can cause not only short-term harm, but long-term harm. There are instances where, you know, people use disabilities or medical conditions in order to get past something, which seems like a great idea at the beginning in your head because of course people are really nice. If you're in a wheelchair,

they're going to open all the doors for you. People are going to be kind to get you somewhere to sit if you are pregnant. Great easy way through. really simple, easy pretext to get you through a door, maybe in an area where you shouldn't have access to cuz people are at their most of them at their core very kind, generous, helpful people doesn't make okay because by the time that person then gets back to you that that was an end test and they failed because it's apparently something you can fail, you're now damaging a minority group that already struggles in life. Are they going to trust pregnant people that come into their building in the

future? Are they going to believe that every disabled person they meet is actually disabled? Or are they going to be sitting their head going, "They could be here to trick me. I'm going to be nice. I'm not going to hold it with them." You're causing harm to sways of people, you know, just for that one easy pretext for you to get in somewhere. You haven't thought through the ethics because no one has requested that you think through the ethics. Whenever universities and especially in psychology departments do big tests or people do their dissertations, there's this huge ethics piece they have to go through and if at any piece they don't think it's ethical, you can't do that

test. There are tests you could do 20 years ago on twins that you cannot even consider these days because they are considered unethical. The short-term harm can build into a long-term harm. Depending on what you've done to someone, that trauma can live with them for a very long time. And I know a lot of you here are sitting there going, "Ah, I don't know really." A lot of pentests happen across the world. A lot of those happen in America, which is obviously a slight different country to where we are right now. But many of the pretexts we use to get past security guards people use knowing that those security guards are likely third party and will get fired and that when they

get fired, that gets put on their record. And their record followed them from company placement to company placement. And if they get too many, they will lose their job and they will be unhirable. And I'm sure many of you know that the cost of living right now is not very good. And that should that person's livelihood be taken away from them, they will be poverty and they may lose their house. Their dependents may lose all of their stuff, security jobs are usually pretty well paid in America. They're pretty good. We have security jobs here, bounces and everything. Again, their record travels with them. you knowing there's an opportunity or potential that they could get fired

because what you have done. You have to be really careful because there are very few pieces in a pentest that can come back to your decision. A pretext you use against a security guard that causes them to get fired is on you. And I know it's not nice to think about, but there are ethical pretext you can use to get past them where you can say, "Hey, I did this. They let me through. I think they potentially just need a little bit better training. Do they even have training? Have they been trained on this? You know, when I'm doing a pen test, have I trained them on that? Why should I test them? You know, and you

have a a buildup of insider risk. Talking about that back example, you build the insider risk up there. Those people not necessarily going to be malicious insiders, but they're going to be insiders that don't care. They're not going to do anything to help you out. And the more you do that across a company, the more it spreads because culture is contagious. People talk, they probably talk to the other banks in their location, say, "Hey, this dude came in and he like did all this stuff and this guy got fired. This guy quit and we don't have a new system." And so they're all now anti the security. Why on earth would they do that? I thought

they were here to help us. You know, you do all this stuff now saying, "Oh, security's here to help." And then you go and do that to people and it spreads and it undermines the security of your entire organization bit by bit by bit. And as soon as people's behavior changes, it's really hard to change it back. So what exactly is the purpose then of our red teammate exercise? Why are we doing a physical penetration test? What are we not doing? We are not doing an egoosting back in my army days adrenaline rush j. We are not there to win a prize for getting as far in as we could, tricking as many people as we

could. That is not what a pen test is for. A pen test is to assess the security of a building, of a system, or of the behavior of people. It should have absolutely nothing to do with the ego of the person doing the test. It's to check if behaviors that have been trained on are actually happening. If you have not trained behavior, you cannot test it. You should not test it. It is not ethical to test someone on something they've not been trained for. If I handed out a university level maths exam you all right now and expected you to complete it and yelled at you if you failed it right now that is not okay.

None of you or some of you math is probably a bad choice. Most of you have probably not sat down in the last 3 months and revised for a university or math exam. Right? I can't come in and test you on that. You have not been trained. It has to have actionable feedback. As someone that trains all the people, I would like to know if I've trained people on these behaviors, if they see these behaviors, are they doing what I've asked them to do? If they see someone coming in and behaving suspiciously, are they reporting it to the people I've told them to report it to? Are they not? No. That's what I would like to test. If you

come in all super secret ninja, and we'll talk about that in a minute, you haven't really tested any of behaviors that I've trained them against. And also, if I've hired sort of nation state level people to come and sneak into my building, I don't expect anyone to defend against that. I can't train your average person to defend against an person or a CIA person. There's no way. There's no there's no need for me to train against that because if one of those people is coming for us, they're getting in like this. This >> the goal is to improve security, you know? It's not to get people fired. It's not to ruin people's lives. It's not to

cause long traumatic harm that sits with people for a really long time. Causing harm is a real active thing that does happen. Uh there are many cases and towards the end of this I'll give you a very nasty example. And it's not to fail people. We're not there to catch people out. We're not there to entrap them. We're not there go, "Haha, you suck. I got past you. You failed. I win. Woohoo. I'm the greatest panter in the world." We are not here to do super secret ninjas. You want to be a super secret ninja, go play esoft at the weekend, go play like scavenger hunts, do CTFs. People are real. They are not NPCs in a

game. They are not sort of disposable people. They exist after you interact with them and they continue existing after you have interacted with them. So it is incredibly important that we are not going full ninja as red teamers. Red teamers love going full ninja. They they really do. Um he mentioned earlier in his keynote speech how red teams don't like wearing buffs because it shows off that they you know do a penetration test and they look weird. But they'd very happily take some of the things that the bad guys do cuz it makes it easier for them, right? But they don't want anything that makes them stand out because that means it's harder to go

full ninja. They want to be as hard to spot and identify as possible so they can crash through all of the security giable valuous information to the people who are training the people and they're like, "Oh yeah, but look, I got your systems." It's really important here to differentiate between testing people, testing systems. Test systems, you can break them as much as you like within your scope. You can do all of this stuff. The scope is very clear. You cannot destroy information. You can't take say for example social security numbers for yourself to use and identity theft not okay. You can't download it onto your personal stuff. You only download it onto like your work things.

If you see something you can like image it. You can't touch it. You can't bring systems down. You can't put active malware into actual running production servers. the hoping on the people's side. People don't really think about that. They just say, "Hey, when you're doing your fishing pretext, if you want to use fishing attack to let someone potentially gain access, make sure it's an ethical pretext. Don't promise people money. Don't promise people promotions. Don't say that something terrible has happened and their family is in the hospital." Um, in South America, we see a lot of fishing pretexts, especially phone based ones, saying that members of their family being kidnapped, they have to pay a ransom or they have to give

them information. Not ethical. Please do not do that. Just because they do it in that country doesn't mean you can do it because you're targeting a place in that country. The information that a red team people based test gives should be actionable. That means that I as someone who's reading the report should say this behavior we've trained on. I've trained people if they see something like someone sitting lockpicking a door or bulk cutting a door or crowbaring a door that they report that to like facilities to security to reception to whomever it is that they should report it to that they report it. So if I've trained that and I want pen test to happen I'd like

you to test that behavior. I'd like you to go in super obvious. Go like you're or actually lockpick a door. See if anyone says anything. Walk in blatantly obviously like you shouldn't be there. If no one says anything, I need to know that because I've trained everyone at a very low level of you see someone weird and say it's a bank and everyone's dressed in smart suits and you rock up in tatty jeans, a hoodie, and you've got a massive duffel bag full of obviously bad stuff and no one says anything. you don't need to do anymore on the people's side. I've got it right. I can say cool, thanks very much. Come back in tomorrow and work on all the

systems, you know, because it's obvious that no one has pointed out there is obviously a burglar in the lobby and he has got his way through. I don't need to do anything more than that. If someone shouts out and go, "Oh, they shouldn't be here." They report it and you get picked up. You've you've done a good job. You've won. You've proved my security is good at that level. Come back tomorrow. Come back next week. be a little less obvious, right? Be a little bit less sort of not fitting in, but still wear the gloves, but the criminal is going to come and wear gloves. Bring your bag of stuff. They're going to come and bring your stuff. And at what point

are you getting more and more subtle every day or every other week do people stop identifying you as a potential threat and reporting you? I can then go back and assess that and say okay on my scale of nation state sas coming in to get us I can't protect people training them against that versus very clearly burglar coming into the house where on that line is it do I think I can train people to that level or actually is that as much as I can expect from your dayto-day person if it is then great job everyone's done fantastic brilliant fantastic and I'm happy it's below that I'm like okay cool we train a little bit

on that. Were there certain things that you did that maybe we we thought could have been picked up on, couldn't have been picked up on? That's useful. That's actionable. That is valued information. You be a super secret ninja gives me nothing because I do not expect people to be able to identify a super secret ninja. The clue is in the title. Super secret ninjas cause harm. um they the unethical pretext like I've I've mentioned but they also caused mistrust in the security team because people identify the fact that you sent a super secret ninja against them expected them to identify and then got crossed and they've given you training that you cannot action I'm sure a lot of you have

had training that you can't action it's really frustrating really pointless nothing you can do about it but also there's no trust there if I've trained you to be able to spot a burglar coming in and you've sent a ninja. Why didn't you trust that I could spot a burglar? Why didn't you try a burger and see if we could spot it? Why did you just assume that we couldn't and you just went on ninja? Pent tests for people, they tend to start at one extreme and then never bothered getting easier. Whereas we need to make it really easy people because the behavior we want is what we're testing, right? We're not testing how good you are at getting into

a building. Wouldn't have hired you. Why did they get into a building? Right? I'm hiding to see how good my people are at spotting you getting into a building. You know, how obvious is it? How obvious can I make it be for somebody to identify? And the increased risk here becomes very very important because the inside risk is in the people protecting your building. It's in your facility staff, your reception staff, the people at the point of contact. The people coming in then don't like you. They don't trust you. They don't trust any of your third party vendors. And like I've mentioned before, this undermines not only the security of that building, but the other

buildings that you have because those people will have group chats. All your receptionists for all your buildings, they chat each other. If you had a bad experience and they can track that back to security, they already don't like you. They're not going to like you anymore. If you're doing a series of pent tests across your building and they suddenly start clocking that you're not doing this once or twice but to everybody that's not ending well for anyone and it's a very easy thing to avoid. It's just effort. You just got to put more effort into your ethics into your scoping into considering is this pretext good? Is this pretext going to cause harm? Is this pretext going to cause people to

not like us and to report things less when the whole goal of security is to get people to report things more, to engage with us more, to want to work with us? Is this going to make everybody hate us or everyone go, "Oh, that was really good. I felt great. I spotted the thing that you sent and you said great job and they said great job and I I feel fantastic. You know, use that training and I thought I never have to use it. Oh, I feel fantastic." the risk benefit sudden becomes very unbalanced and the benefits not very high. If the pentest is going to cause more harm than good, why would we do it?

What's the purpose? If we haven't trained anyone, are you asking in your scoping, have you trained people on behaviors that they should be identifying and reporting during a physical pen test? If the answer to that is no, then you should put people out of scope. You know, you can't expect people to do anything if they haven't been trained. It's not fair. And there's the psychological safety aspect. People should be entitled to work in a safe space at work. They should not expect to be entrapped and belittled for something that's not their fault. um undermined psychological safe spaces leads to toxic work environments leads to people quitting and leaving and generally is not good for productivity

let alone internal security. This is what leads people to turn into malicious insiders where they're giving the stuff away whether that's information or whether it's passwords. If you have a lack of psychological safety, no one speaks up. No one speaks up even when they know they should and they want to. they just will not do it because they feel like they will get fired. And again, we see this a lot more in America where the firing is much easier than it is in the rest of the world. But it still applies. You can still fire people and you're setting people up for failure, which isn't fair for anybody. You know, if you aren't scoping in your

discussions what behaviors people have been trained on, what examples people have used so that you can incorporate that into your pen test. What are you testing? What is the purpose? Redefine those scopes. The bad guys do it. So why can't we remember we talked about ethics before? Bad guys do lots of things. And it's ethics that keeps us from being considered bad guys, from being considered criminals. If I think that your house could be burgled, does that give me the right to come and smash in your front door to prove the point that someone could smash in your front door and you could be burgled? It does not. It is not. If I say, "Hey, you're carrying a bag

really loosely. You could get mugged." Does that give me the right to come and steal your bag and punch you in the face and say, "Ha, see, you get mugged. I just proved it." Right? So, what gives us the right to do the same thing for people when we're doing physical pen tests? It does not. It makes it unethical. Okay? There's a lot more work to put in to come up with ethical scopes, to come up with ethical pretexts, to come up with an ethical stepbystep what behaviors we're going to exhibit to see if people will report it. And we've got to differentiate people from systems. You know, you can test all the systems you like. Really important we test them.

We do not need to combine a people and a system together. You know, we're testing getting part of the security guard, we can do that. We want to test if we can a badge and get through the badge. You can do that. You don't have to do them together. So, this brings us back to the main cause of why are we pentesting? We a lot of people in red team who come from an ex military background, which is great. They're very good at their jobs, but we kind of automatically go into that major adrenaline mission impossible kind of vibe. And that's not what we're doing when we're pentesting. We're testing to see if the security solutions we have in

place, the training for people, the security that we have in place, is it successful? Is it working or is it not working? What can we do to make it better? Where are the little holes? Are the holes the same everywhere? Is it the same hole every day, every time of year, every location? Is it different holes in different countries? You know, we've got to be very aware of the cultures and the ethics that change depending on which country we're in. What exactly are we testing? Are we testing how far we can get in a building? Are we testing how many people don't do a behavior? I really enjoy doing a challenge pentest, where you're

supposed to wear your badge in the office. So, if I'm not wearing my badge, how many people come up and say, "Hey, do you have a badge? Are you here visiting someone? Can I help you? Are you lost?" And every person who does that gets a little challenge coin to say, "Great job. You challenged me. You found me. Fantastic." Everyone loves it. Word gets out, and by the end of the day there's a lot of people looking for you, right? And you do it in a few different places over the course of the year, and everyone suddenly goes, it's quite hard to challenge someone, but last time I did it, it went really well. I practiced and I got something good out

of it. That's great. So, when they see something going forward, they're going to be like, okay, cool. "Hey, where's your badge? Are you lost? Do you want me to take you to reception? Are you here to visit?" And if that's an actual criminal, you've caught them. Great. It was a pentest. Fantastic. You've caught them. What we're not here to do is ruin people's lives and ruin that positive reinforcement. Unfortunately, quite a lot of pentesters use fake get-out-of-jail-free cards with fake numbers on. And it's like, at that point, why are you doing that? There is no ethical reason to do that. You can write in your report that, hey, I got caught.

Fantastic. They caught me. You go, "Oh, you caught me. I'm here doing a security test. Here's my get-out-of-jail-free card. Here are all the contacts, all the people that have approved. This is a company test. Well done for capturing me. Great job." Why would you then punish them by having them call a number? You know, they're in that moment of high stress. This might be the only time they've ever done it. They've done everything right. And you're now making them fail. You could write in your report that, hey, when I gave them my get-out-of-jail-free card, they used the number on the get-out-of-jail-free card instead of independently finding a number to call; other than that, they did

everything right. Other than that, they did a really good job. Can you confirm that this person's been trained on how to act in that particular scenario? What benefit to the pentest is you using a fake get-out-of-jail-free card? Nothing. It's pure ego. Pure ego. Just writing that would say, "Okay, cool. We just maybe need to do a little bit on the double-check verification piece." But they did everything right. That's actionable information. Someone handing me a report where they've used a get-out-of-jail-free card with fake information on, I am going to be so mad. You've just ruined all the hard work that I've put into training that person.

They did everything we could possibly expect from them, and you've now punished them. Right? The person at the end of that phone is being like, "Oh, yeah. Yeah, you shouldn't have stopped them. What are you doing? Let them get on with their job." That person now feels demoralized. They feel stupid. They thought they'd done everything right. It's not for you to ruin that for them. Like, challenging is so hard. The behavior is so hard to get in. We want to reinforce it. Every time someone finds you, every time someone spots you, you should be thrilled, because you've proven the security is good, the security works, the training works, the systems are good. It's not a

personal failing for you. It's a personal success. You know, a lot of humans have got that little switch around in their head: if they get caught, they've failed. They haven't. They've done a really good job. You know, they've assessed our security. Our security is good at that level. They come back next week, make it harder. Did you cause harm? This is really important. This comes into your scoping. Sometimes the scopes can be quite vague. They don't necessarily include everything, because, you know, morals, ethics, standards, guidelines. There are examples I know of pentesters going and pulling knives on people in the dark in parking lots, because it wasn't out of scope, because they couldn't get a badge any

other way. The people being pentested weren't massively happy, but they're right, it wasn't out of scope. But they've caused long-term harm. And that woman is likely never, ever going to go by herself to her car in her entire life. She's probably going to have therapy for the rest of her life. In the heat of the moment, people get very excited by what they can do, because criminals do it and it's not out of scope. It's not ethical. It shouldn't have to be out of scope for you to sit there and go, "Should I do that?" No, probably not. Should I, on Tinder or Hinge or Grindr, set up a date with someone I know works at that company in

order to get their ID card, clone it, and go into their office? Again, I know someone that's done that. No, it's not ethical. Shouldn't have to ask. Not okay. Just because people can do it doesn't mean we should. What sets us apart from criminals is our ethics, our morals, our guidelines. Don't go in so deep. Don't go so full ninja that you think the end is "I must get in as far as possible by any means necessary as long as it's not technically out of scope." Don't sit so heavily on the scope. Who is making those scopes, right? You have as much to do with the scoping as the person paying you for the test.

You influence the scope. You ask questions when you're setting your scope. Is this in scope? Is that in scope? How much would you like us to do? How long do we have? You know, just because you've got a vague scope or a super narrow, restricted scope doesn't mean you can sort of be like, oh, it wasn't out of scope. You know, they really wanted this testing. You know, if it gets to a point where actually you couldn't get someone's badge because they had really good badge hygiene, they go, "Okay, cool. Here's the badge information. Please see if you can copy it and see if you can use that to get in." Okay, separate but

together. You know, you're still testing the system. You're also proving the point that it's incredibly hard to get the badge in the first place. But should you manage that very difficult thing, you're now testing the system separately; still a very successful test. Make sure you're giving value to people like me who are training people, to the teams who are managing the systems. Have you got value? Is it actionable? Here's me saying, "Hey, I could throw a ballistic missile at your door and that would totally open it." Not even very actionable, right? And remove your ego. I know, I know, I know it's really hard. Um, but a lot of ego is in red team because it inherently pulls

those kinds of people in. People like breaking into places, but doing it legally because you've been paid to. Not to mention criminals get paid. That's the job. But remove your ego from it and consider the consequences. So many red teams these days are contracted. So if you come in, you leave. You don't necessarily think through the consequences of the actions and the behaviors and things that you have done, because you go in, you're gone. You don't see that place in six months' time. Maybe you go back the next year and think, what did I do last year that may have had an impact? You know, was it a good impact or a bad impact? Should I maybe think about my scoping?

Should I maybe discuss what ethical pretexts I should and should not be using? Does that change depending on the company, the country, the length of the engagement? And the number one thing is, please don't cause harm. Think through: could this cause harm? Could this cause harm not just to the individual person or that group of people, but could that cause harm to a wider group of people? I mentioned the disabilities, the pregnancy things. People use a lot of dodgy pretexts that impact other minority groups, and it is not okay, because that impacts the people and how they interact with those minority groups, and they're already having a difficult time. And it's just unacceptable in my eyes for

people to scope out engagements without considering the ethics, considering the harm, the short-term, the long-term harm, and considering how what you do could impact the security of the company. If you come in and do a pentest and the security is worse than when you went in, why are you doing it? Undermining security in the long term is incredibly difficult to fix, because it impacts that thing we talked about at the beginning: people's feelings, their thoughts, and their behaviors. And the more times you go in and do it, the harder it is to get those people back. So, just rethink how you're doing it. Rethink your scoping. Rethink the kind of questions you're asking, not only

yourself and your team, but the people defining the scope. Rethink the purpose. Say, are we going to write a list of all the people that we got past, or are we going to generalize and say, "Hey, we walked through an area with 20 people and nobody challenged me whilst I was carrying a ladder, an angle grinder, and, like, no badge, no escort. I'm not going to write their names down." You're going to say, "Hey, have these people tested things? Have they been trained on these things?" I'm going to test them, because that's not fair. Be ethical about your pretext. It takes a little bit more time and it's a little bit harder. Once you start building up a

bank of ethical pretexts, you're all good, you know, and you can just keep using it. And remember that red team behavior directly impacts the behavior, the feelings, and the actions of the individuals within that organization long after you've gone. And if you can understand the potential harm that you can cause people, you can reduce the harm that you cause people. You can identify in your report that you think potentially maybe the front-end security guards could maybe do a little bit more training, but that actually you thought they did a good job considering what pretext you used, because that could be what stops somebody from getting fired and having their life crash down in ruins around them. You

know, and I know it's not nice to have to do all the extra thinking about other people that aren't us and their lives and their jobs and their kids, but it is kind of on you, because you can very easily, with how you write your report, whether you are listing people or not, and the way in which you frame how your pretexts have or have not been successful, have a massive impact on those things. So, we're going into questions now, but a reminder: this talk is mostly critical thinking to get you thinking about the ethics of red teaming, and it's not a personal attack against anyone, but it is an industry critique. Um, if you are feeling uncomfortable at

this point, just have a little sit after the talk and think why you're feeling that way. Is it because you've done something that I've mentioned and discussed as being unethical? Is it that you've never thought about it before and you feel bad about it? It's fine. Just kind of digest those reactions and those feelings and kind of follow them through to their conclusion. And if you have a question we don't get to in our question session, come find me after and I'll answer it. But just sort of remember, it's not a personal attack. Um, and hopefully no one is too ragey, although you are allowed to rage. Someone did walk out in the question section out of

rage when I gave the talk at Layer 8, which was very good fun. Highly recommend, if anyone's in Boston in June, go to Layer 8; talk weird. So, questions. How many?

[Applause] We have many questions. Fantastic. We're going to start at the back. >> Um, it started as a question about what I do to people that, uh, click on phishing links, and I said I support them because they're a victim of a crime, because they are a victim of a crime, and he didn't like it. Um, and it kind of morphed into, well, what if they clicked on something and the entire systems went down? And I said that's an infrastructure problem, not an end user problem. Again, I still support them; victim of a crime. And then it turned into, well, what if it was a zero day? At which point no one can do anything; that's kind

of the point of a zero day. And everyone was grumbling in the audience and he left. Um, yeah, so it was quite good fun. It went on for, like, a solid 5 minutes, the discussion. Great had asthma rifles I think mentioned. Any other questions? >> Oh, >> so you talk about the distinction between testing systems and testing people. >> Yes. >> But I'd like to maybe challenge you that sometimes there are cases where we want to test, like, escalation mechanisms, hierarchy, the way the people interact with each other. So how do you think we should approach those kinds of scenarios? >> You again split them out into the systems and the people. Uh, so you determine which people you are testing and what escalations

you are testing. Have they been trained on those escalations? Do all the systems work? So you mess around with: if you do a certain behavior that should be identified and escalated, do it in front of whatever people have been trained on it and see what they do, and then repeat that for each level of escalation. Um, you may have to turn it into more of a tabletop red team scenario so that you have all the relevant people in the group, and you don't give them any prep. You just get a very senior person to say, here's 90 minutes where you have to be on this call, and then run them through the stuff, and you're not helping them.

It's a pure table talk, like war gaming. They call them tabletop. We love war imagery. It's a whole lot of talk. And see what happens, and see, potentially, depending on exactly what you want to test, whether you have everyone in one or you split into multiples with different sets of people, to see if it's an endemic system success or if it's siloed, or if there's a certain level at which it ceases to be escalated, if there's a particular individual or people who try and fix instead of escalate, because, I mean, they're trying their best. Often people forget, and you can mess around with when they had the training on the escalation processes and when you're testing. How

long does it remain in people's memory? Is it 2 months, 3 months, 6 months, a year? How frequently do they need refreshes on that? >> Thank you. >> Yes. What can we do to improve the culture of the companies? Because, like, for instance, people think, uh, that's just stupid from the company's perspective, because >> uh, instead you should keep the employee who kind of made a mistake but now has done something. >> Instead you get them and everything. >> It's very stupid with phishing, people who keep on phishing. Mhm. >> I don't know about other people, but the corporation I work for is constantly telling people to ignore you from a certain domain, different

training. So then we are starting at that moment. >> Yes. Uh, so you have to get to the people scoping out the red team exercise. You have to identify where they are in the chain. Who is ordering it? Sometimes it's not even the security team requesting a penetration test. It could be a finance team. It could be directly from a board. It could be as a requirement of insurance, so, like, the legal team is requesting it. Confirm with them in your scoping what's going to happen to anything that, uh, is classed as a failure or as a non-success. And ensure that if they are going to get rid of them, you refuse to test that or you

won't give them names. So, if you're going to run a phishing test, you're not going to give anyone's names for anyone who interacted with the phishing email, or you're not going to give any information about the security guards. A lot of the time the security guards might not even be employed by the company. They're employed by a third party, which makes it much easier to say to the security company, hey, your guard made us lose our phishing and penetration test, and they're just going to get rid of them. So, you can in your scoping just ensure: what are you going to do with this information we provide to you? Are you going to use it for additional

training, or are you going to use it to, you know, negatively impact people? And you can make your choice then. I mean, it's a bit of a discussion, but I think it's on red teamers to ask those things, because it's kind of part of the consequences of what you're doing. Okay, we've got time for one more question. Ah,

super long enough, you get to the point where you can always, you know, and you get to the point where when you're attacking an organization you more or less know you're going to get past an element. But at that point, we're not really testing the trained behavior; what they're up against is too hard to be able to stop. They're not sending passwords

much harder with that. How would you deal with that in terms of, yeah, just, like, trying to get value out of that block? We're going to get past it, and we know. >> Yeah. This comes back to the why and what's the value. So, for my entire program, I want to know if it's successful. I don't want you to go super, super awesome and get past them. I want to see at what point people stop identifying it. I want you to come in really obvious. That gives me value. In order for you to do the rest of the piece, you can just hypothetically assume that you got that information already and then go from there. You don't actually have to entrap

people. You can say, "We're going to assume that we were successful in this because we know this is a successful pretext that's used in the wild. We're going to assume it and we're going to go from there." You don't actually have to do it. Just because you can doesn't mean you should. >> ... services where once someone knows that is happening they basically start cheating. >> It's not cheating. >> It is cheating. The SOC team knows the name of the user, not being given the system. >> I would say that's cheating. I'd say that's poor opsec on the part of the people who are determining the pentest operations. Like, once the SOC

things might be >> Yeah, it's the same as knowing an audit's coming versus not knowing an audit's coming. You can't protect against it beyond having an offset around the fact that an audit is coming. >> The way I usually do it is >> If we just talk about the way that you usually do stuff, we can wait until after the talk, so that we don't take any more time from what I'm expecting to be a very interesting talk on, I think it's burnout now, which I'm psyched about. So we'll happily take this after. Awesome.