
I would love to introduce to you Alex Alex with a quotes uh Alex will explain how that came about um and today they're talking about testing whether your security actually works with red teaming so I'll pass it on there thank [Music] you

hey hey hi everyone hear me okay yeah yeah okay thank you so my name is Alex as you may have just heard with double quotes I hear some of you wondering why the double quotes it's very simple when I wrote one of my first blog posts a bunch of journalists referred to me as a hacker going by the name Alex in double quotes which which is also my real name so I knew that it
was at that moment that I had to make my hacker name also be you know Alex in double quotes I once also in 2020 found former Australian Prime Minister Tony Abbott's passport number and phone number online and when I did all this oh and I told him about it and I didn't get arrested and when I did all this uh some journalists had the audacity to call me a hacker in double quotes whatever that is I also help organize a conference just like this one called Purplecon and it's a conference that instead of looking like this I don't know if you've ever been to a conference that looks like this maybe you have uh it looks
like this and uh one fun fact about it is actually happening in a few in like a month in Sydney I don't know I guess you could come to it if you want whatever I I don't care um but enough about me um professionally I've worked professionally I've worked doing red team at many tech companies such as Atlassian and now I'm doing something completely different uh now I have a completely different gig where I am unemployed which is really good this is what it looks like if you haven't done it but enough about my job let's talk about your job you know how at work like this and this or some sort of thing that's
like an antivirus thing why do you have those things is to detect if something bad happens yeah and you know how at work you also have is this microphone like cutting out I hope it's okay you know how at work you also have like this you have like Splunk or all of your logs going into something and then you make like automatic alerts on those logs to try and detect hackers and stuff why do you have those things or it's a detector something that yeah okay okay but how do you know if that thing works like how do you know if it actually works it's kind of like a smoke alarm if you've ever seen one looks like this and the point
of a smoke alarm is it's meant to be you know when fire goes in it like beeps and you know that there's fire it's meant to detect something but if you're just looking at a smoke alarm there's probably one in this room somewhere how do you know that it will beep when fire goes into it like you could go up to it and press the button to test it but that that just tests whether you press the button right and so like for all you know the smoke alarm when fire happens it'll just be like yep that's cool no worries like how do you actually know whether it works and like there isn't a way to know whether a smoke alarm works
except for trying to make puppet Arms by yourself uh for the first time and uh it's also not just your like security software or whatever that you can test it's also your plans so like for example what if your plan is oh if we get hacked then we'll call this team or whatever whoever they are that's that's a that's a very reasonable plan that people have and but if you actually got hacked would that actually happen what if the person who made that plan was on leave or what if their phone number changes or what if everyone just forgets through the plan like do you know that's actually what would happen uh to speak in formal language do you
know that your policy or procedure would actually get followed I mean maybe you do but do you basically what I'm saying in a much more roundabout way is sometimes you think your security looks like this and you're like hell yeah what a good gate that I have I love that but then you look at how it gets used in context and it's actually like this and if you haven't seen the picture before I love this picture it like warms my heart um also similarly similarly you might be thinking like maybe your security plan is like oh we'll put one of these like combination locks on every door and like we'll give them all code and we'll only
tell the code to people who need it and then you can only open the door if you know the code and like that sounds pretty good like that sounds pretty secure to me but like then when you actually try it for real and see how it's used in context you get like this and like I don't know the combination to this lock right like I can't I don't know what it is I haven't done this but in a way I do know in a way we all know you know and that's why it's important to look at it in context and so how do you fix this problem I mean I'm kind of giving it
away but like you could just test it so introducing the idea of testing whether your security works my take is that it's good to do this uh and one way that people do this is through this thing called red teaming and all of these cool people at these cool big kid places do it so maybe you should also do it okay so let's talk about what do I actually mean by red teaming there's a lot to unpack here firstly I'm so sorry that it's called this red team is like originally a code name from the military code name names traditionally are what you use when you don't want people to know what you're talking about not when
you do want people to know what you're talking about so whoops we've done that but uh I think they called it red because red team was meant to be the attack team and or maybe it was meant to be the Soviets I hope it wasn't I hope it was like red with attack um and then a blue team was the defense team and that's how they did it in their like training exercises like all these people would be on the same army or whatever they'd all be on the same side but someone would play the role of attack someone would play the role of defense and I know what some of you are thinking you're like oh maybe if you do both of
them or if they work together you could call it like the purple team or something or maybe purple team is when you've worked on both teams I don't know and then maybe like the people who are overseeing or the software developers could be like the Green Team and we could have more colors for it but no you cannot do this you cannot live like this otherwise people will do this kind of thing this is this is not a joke this is real this is like this is like people go up on stage and they start talking in front of this and like lock in please like I can't believe you live like anyway I'm sorry I'm fine I just think
maybe as an industry we can move on from the infosec color wheel thank thank you for your time uh so I kind of skipped over it before but what actually is red teaming like I said red team is the attack team and I don't know let's let's look it up let's Google it and if you look it up you get this website which is like okay Red Team Tools which is for covert entry agents so and they seem to have a lot of lockpicks and stuff so maybe red team is maybe red teaming is covert entry so it's quiz time what what is red teaming is it doing physical offensive security is it anything offensive security is red team or is it
doing adversary emulation where you like pretend to be a particular threat actor I think if if I ask someone which one one of these like everyone everyone in this room would be like yeah I know what red teaming is but do you all agree with each other like the correct answer to this question is yes it is those things but which which definition are we all using def the definition I'm using today is the third one the adversary emulation one so my example of what red teaming is is if you work on a red team you hack whatever it is at the place of red teaming that a real attacker would you like research what real attackers do and
you do what they would do and then you share how you did it with whoever it is that you're hacking because real hackers don't tell you what you missed and then what real hackers do is they sell the data on the dark web for big money so you have to do it too no no not really don't do that F you can you can stop there you don't have to be that real and why do we do red teaming what are we trying to avoid I think lots of people do it for different reasons but for the purposes of this talk uh the thing I'm saying we're all trying to avoid is like this like you get hacked and then you're
in the news for being hacked and everyone who uses your thing is like oh no or my data has been hacked or whatever it is so for the purposes of this the thing we're trying to avoid is not that compliance thing or whatever the thing we're trying to avoid is actually getting hacked and actually getting in the news for it or even not getting use for trying thing we're trying to avoid is getting hacked and so a lot of uh places organizations have this sort of implic implicit hypothesis to sound like a scientist which is that it's okay our security is fine that's not going to happen to us the the hypothesis is everything's okay and so some people you
can talk about red teaming as instead as hypothesis testing right because then your experiment is well let's try and disprove the hypothesis and if it works we'll know it's not true and if it doesn't we'll know it is or it's evidence for it at least and so you could just try and hack yourself you could whatever it is that you're afraid of you could try and do that to yourself and then see if it works or not and like I know it sounds scary but like I don't know think about it if if it works then at least now you know like it's better than being like yeah everything's fine my security is great like at least you
know that it's not uh and nobody got hurt for real because you're not actually getting hacked you're just doing it for yourself and it's also not someone's like subjective opinion it's not just like well this guy seems pretty confident that our security is bad so maybe it is but like it's actually evidence and also you can fix it now because you know about it and if you if if you try and hack yourself and it doesn't work then you're like okay good that's some evidence that our security actually works we love that so maybe we should do that now like what should we hack we can now now now we're just meant to hack the place that we work so what
what should we hack I know we could do anything should we like break into the office or should we hack the CEO's email because that would be funny it might it might be funny or maybe we should just put malware on every computer and believe and maybe you should do the things but probably you should do whatever it is the real attackers are doing whatever it is you're actually worried about and statistically speaking that's probably ransomware for most of you unless you work at the government in which case I don't know no comment I don't know what's going on with the government and what do I mean by real attackers there are many different kinds
and threat intelligence is actually a really hard part of this but broadly speaking some categories are sort of in increasing order of hacking resources there's like hacktivists by which I mean like teenagers on Discord and like that's like that's a real like threat group that you have to worry about some people yeah it looks like this if if you if you've ever been to a hacktivism Discord it looks like that um no comment where I got this there's also cybercriminals like organized crime yeah isn't this isn't this such a good picture like please everyone steal this picture and use it in whatever recreational use you want uh and what those people typically want is they want you to pay the 5
million Bitcoin ransom to the Telegram address that they send you which is usually ransomware either the kind that encrypts stuff or like the extortion kind um I'm massively generalizing there's like a whole industry of different things here but these are some of the most common things and then there's also APTs or nation states and what they want is um intelligence so we have to think about uh who would attack you who would attack your organization or whatever thing you're red teaming what who's most likely to do that and like that's actually really really hard and you probably don't know for sure that there's a lot of public threat intelligence there's a lot of like
there's also whole threat intelligence companies you might have a threat intelligence team at your company or at your organization so I mean I'm not I'm not talking about it but this is the part this is the part you have to do first before you red team up you have to figure out what threat do you think is most statistically likely and then are you prepared for it and if you're not do that thing to yourself that's what is red teaming how do you actually do red teaming uh here's here's a way that you could do red teaming allegedly you could have two laptops you could have your regular work laptop for the purposes of this I'm talking about being on inter on
an internal red team your regular work laptop which has access to all of your work stuff you probably already have this laptop this is the easy part and then you can also get a second unmarked untraceable blank laptop that is not enrolled in whatever corporate thing you have it's just like you walk into the Apple Store and you buy one like that kind of laptop and you can do all your crimes on that one and that's a good idea because then it's completely separate so on the on the second laptop you don't use your work email you don't use a completely different account different email addresses different names like nothing can overlap between them because well a real hacker can't
use all your work stuff so if you're going to pretend to be one you can't use all the work stuff you already have uh you also have to use a completely different network you can't use the same Wi-Fi you can't you have to use some dodgy VPN to seem like you're coming from somewhere different nothing can be the same as your work thing and complet like all different cloud infrastructure as well you can hopefully you can swindle your work to pay for the infrastructure somehow but like you has to be completely separate because well that's what a real attacker would do and ideally you make these things look exactly like what the real attackers is
doing according to the threat intelligence you have if you have that and so instead of calling them experiment instead of calling them experiments you call them operations and I don't know maybe you could name something cool like operation like actual crimes that would be fun wouldn't it and maybe if you work somewhere that did this you could make cool fun logos for every time you do a red team operation that could looks like this and like I mean allegedly uh and I imagine I imagine if you're looking at those logos you're thinking wow there must be a lot of like stories behind those they all look kind of detailed and like each one of them
seems like there's a lot going on there like what actually happened in those operations and I cannot tell you that for legal reasons but what I guess we could do like if you want to is we could about like a hypothetical operation that happened didn't happen but it's like hypothetical like I don't know you could name it anything it doesn't really matter what you name it I suppose and like for the purposes for the purposes of this operation like this is everything I'm about to say is not real and did not happen it's stuff that I am like making up maybe some of it is real maybe some of it it's not I'm not saying
what but you know it's not like totally made up so for the purposes of this uh let's say that I work on a red team or you work on a red team whatever at a hypothetical company that's not real and it's called like uh like like blat Lan or something I don't know that I don't care like and like let's say they make like a product and that product is called like blond fluence or something which like I guess it kind of looks like the Atlassian product Confluence but that's that's crazy how that happens H um so the first part of your red team operation is you have to like what scenario are you testing what what bad
thing that you don't want to happen are you trying to test if it can happen and so there's a lot of parts to this but like here is one that I made up it's also not that good because it's made up whoops for the purposes of this which attacker are you is you're just some cyber crime group so you're like they're like kind of good at computers but they're not like government level good at computers and the goal of this particular attacker this particular time is they've decided to Target your company and they want to steal the production uh blond fluence database and they want to do that because they want to look for passwords in that text and
they're going to use those passwords for whatever else for find getting into other companies I don't know uh and this this part is like kind of the hard part is deciding what who is your attacker and what do they want and is that actually a real thing that you're worried about or is that like Theory crafting that you're doing but for the purposes of this hypothetical operation this is what this is real I don't think this is like that common for like a real attacker to do which is great because this is hypothetical anyway so for the purpose when you actually start doing your crimes first thing you want to do is close that work laptop you don't need
it where we're going it's all about this laptop now this is where we live so what you would I think what you would do on a red team is the same as what a real hacker would do really is you have to do a lot of recon figure out like what is this company or what is this thing that I'm targeting like who works there what do they do what are their roles who has access to the production database what does this company do what they have all the stuff that you would would have heard of for like it's kind of similar to pentesting recon honestly and I hear many of you thinking wait but but don't
you already know that stuff if you work there cuz you know you know that you work there for example right and like yeah first of all no you don't know everything about it but there's a whole bunch of stuff you don't know but yeah there is some stuff you do know but a real attacker doesn't know that stuff so you can't just use that information because that's not realistic a real hacker couldn't do that if you do want to use some information that you know you have to find some way you have to show that oh well a real attacker could learn this information by going to this publicly available thing or whatever and
then you actually have to do that thing so there's a trace of you doing there like a trail of you actually doing that as the attacker but if you can do all that then yes you can use the information that you have but otherwise it ruins the experiment right because a real attacker can't do it anyway next step is to come up with a plan for how you're going to do it and like typically lot there's a couple of different plans but a lot of the time it ends up looking like this you have your crime laptop and you going to remote control some target employee's laptop with like malware and then somehow that employee's laptop is
going to get you access to the production database maybe maybe directly or maybe that laptop's going to have access to something else and you're going to get into that thing and then that thing will eventually have access to the production database somehow but you don't know in advance unless your recon is really good but you probably don't know in advance you're just kind of going to get on this laptop and believe and hope something happens so how about getting onto that laptop there uh there are many ways but there's like one main way I think you know what it is the main way is that you decide to recreationally email somebody for example you could send them this email
you could be like hey what's up it's me Slack and oh we're so excited to give you the beta version of Slack would you like the beta version of Slack yeah you would and I bet some of you are thinking that when you click this link it like downloads something but one way you could do it is instead of doing that like this just this page just says sign up for the beta version and when you click it it really does sign them up for the beta version it just records the email address of whoever clicks it and like that's it there's no there's no malware but then later just the people who clicked on this link you send them
this email and then they're like hey remember before when you signed up for that beta program and they're like yeah I remember now it's time for you to actually download it and that's good cuz it like kind of filters out people who are suspicious of your email and it only gets to people who like are expecting it like you know they often say uh don't click on unexpected emails this is expected now because you signed up for the beta version anyway when you click this button uh then then well you do you you do get an app you get Slack.app and it you know that Slack.app that you get when you download it it it it
installs Slack.app which is what what you asked for but it also it also you could also make it install malware couldn't you and so that's a good way you could get your malware installed and uh you might be wondering which malware there's lots of different types of malware it doesn't really matter but for the purposes of this maybe this like cyber crime group isn't that sophisticated that have they're not writing their own custom malware they're just like doing some random off-the-shelf thing because it's easy and cheap and fast and they're there to make money so maybe they just use whatever is on GitHub maybe they use the same thing people have been using in
the CTF today and so they use one some public open sourcing and they just use that uh for the purposes of this op you're like that might make sense depending on what your threat intel is uh but when you're using malware you got to make sure not to get caught by the antivirus right or a or whatever it is and so I wanted to share a tip that I've learned for mostly I've been targeting macOS and I wanted to share a tip that I've learned for how to like dodge like whatever antivirus thing is going on Mac with and that tip is don't worry about it it probably doesn't detect much at all hypothetically anyway now that you've
done that you've got your remote control of this person's laptop this target's laptop uh but this diagram is kind of misleading it doesn't look exactly like this your laptop doesn't directly connect to there it's usually done by like a C2 server or malware server that you then SSH into and then that server controls the target laptop and when you're doing that it's really important to make sure you have some sort of not traceable back to you IP address or domain name or certificates and everything on that server because that's the server that's going to get investigated a lot by the blue team or whoever it is because that's the server that the the compromised laptop is going
to be talking to and so you would not want to accidentally put something that attributes you as the red team there you would want that to be unmarked untraceable could be anybody anyway now that you're actually on this laptop like once you actually get on the laptop what do you do what's the first thing you do I mean there's lots of things you can do but typically what people do is they're like well what are in what's in these files what's in the .bashrc what's in bash history are there credentials is there like AWS keys here are there SSH keys and like sometimes there are sometimes there aren't but if you look around there sometimes you're like hey look we
got an SSH key or we got an AWS key which is like even better because you can use it like you know where to use that you can use it on AWS if it's an SSH key it's like well where do I use it maybe you can get there maybe you can't uh that's one thing you might want to do another thing you might want to do is steal the Chrome or whatever browser's cookies and stealing cookies is like really popular and really good for attackers because like you when you steal the cookies you're just already logged in to what everything they're logged into like yeah you have to wait yeah they have to already be logged into
it fair but you're already there that you don't like by you don't know the password it like bypasses the two-factor or and all that stuff and two-factor so it's great when cookies just do that for free I think that's why attackers are so into them uh one way you could do that there are many ways to steal Chrome cookies but I guess you could still use a technique that someone published in 2019 that still works to this day hypothetically anyway once you've done that uh another thing you might want to do is proxy through the laptop because sometimes there's secret important stuff that you want to hack into that's only on the internal network or internal VPN
or whatever so you probably want to get your laptop to like SOCKS proxy through their laptop so then you can access like you can access the internet or the internal network via their laptop and that's like a really common thing people want to do but it's also really hard and really fiddly and really annoying because like you maybe maybe it's not a direct connection like that maybe you're actually connecting to that laptop via your C2 server which is via some other redirector which is via somewhere else so you're doing like five network hops to get there and it's pretty slow when you proxy over that many network hops and also what if this laptop just goes
to sleep then it's all over like you don't have any shell you don't have anything and your whole proxy goes down so you have to like figure out this person's working hours and make sure they're only there when the laptop's awake it's like hard right anyway after you've done those things what would happen next typically what happens is being confused being like what is all this stuff that I'm finding what does all this mean cuz you're kind of getting information overload cuz you're downloading all this data about this company you don't know anything about and like for example maybe you're like looking through some file somewhere and you're like yes I'm hacking I found an
API key this is good because AP let you log into stuff but then the more you look at it you're like wait what's what's blog Monon what does that do is that good is that what I want is that does that have the data that I'm looking for or is that just some random metric thing that doesn't do anything and like you don't know you have to find out and also even if you did know where do you put the API key like where's the actual API like I know that's not a secret but like you know I know it's not a secret but you do need to know where it goes and maybe you don't know and you have to
find that out as well and then when you look at it more you're like well is this a production API key or is this like some random develop not actually that I want and does it not actually have the data that I want and even then when you're using it you're like who wait is this expired or does it actually still working you don't know the answers to any of these things when you just find it and I'm not saying it's impossible but these are all things you have to worry about before you actually use it typically what happens then is you make a plan again given what all that information of whatever you discovered
on this laptop or whatever you've discovered in recon and you put it all together and be like what do I do and I don't know there's lots of things you could do but a common one is you say let's try let's try stealing the Chrome cookies and let's like let's say for the sake of this there were some AWS cookies in there so you're like cool let's steal those and let's log into the AWS console maybe there's something good in there maybe there's databases there so you wait for the person to actually log into the AWS console maybe they already are and then you steal the cookies and you put the cookies into your browser maybe
and then you go to the AWS website and you're like nice I did it I'm logged in to someone else's AWS account I'm hacking we're doing it but then like maybe you look around a bit closer and you're like oh wait is this some random empty boring developer account that would be kind of a shame to have done all that effort and to just be logged into some random test account that's that's kind of sad hypothetically of course and then like when you were logging into that account even the boring developer one you have to ask yourself did you remember to use the SOCKS proxy or did you just log into that account from like whatever VPN
address your like crime laptop is on which is some like extremely shady like data center IP address that a real person logging into the AWS console would never ever do and is like or and have you triggered some AWS GuardDuty alert and is the entire incident response team like coming to knock down your door and like break into your house because of that one mistake you've made hypothetically that could happen anyway and then somehow you take a you do some more steps to do some stuff and you steal the production database and you're like yeah we did it that was that wasn't so bad but it's not over yet that's it's not just because of that like just 'cause
you've got the objective that doesn't mean it's over cuz what about the actual incident like if no one if you just get in and steal the database and get out that no one knows that a red team has occurred you're just kind of doing crime like you have to tell them about it at some point so your goal so then you have to I mean you could just tell them about it another thing you could do is try and get caught realistically like uh assuming you didn't get caught after this spot you could try and do something that's plausible that that attacker would do and hope that and hope that you get caught out of that and keep doing
that LGH and lat until you do get caught and that's good cuz then you let get to let the people practice incident response and like it's really I mean maybe they get enough practice already but it's nice to it's nice to practice incident response where there's someone who afterwards can show you everything that you missed everything that you got give you both sides of the story which you don't really get normally when that kind of thing happens you really don't want to let the incident response people call the FBI because like they call up and be like yeah we're being hacked and then they call up again being like Oh actually it was us hacking us don't
worry about it and like that's really embarrassing if that happens hypothetically of course uh after all of that you then write a very very detailed confession letter which is explaining exactly what you did why you did it not really why you did it just exactly what you did uh and in like uh I think it's good to write it in like a I think it's good to write too you can write like one technical debrief for all the technical people and you can also write like a more generally accessible one and share it with everybody because it's actually really good when everybody at the organization or whatever can read the write up because when they firstly they
go what is this hacking whoa there's hacking going on at my organization but then when they actually read it they learn the most incredible things like they learn oh we have a security team that's amazing and like I don't know it's hard to it's hard to get that culture change right if you want you have and all that stuff it's hard to it's hard to do that and one way that's good be having these things be accessible to everybody they also learn stuff like oh this is why SEC is important this is what all the security people always talking about they're like this is the stuff okay makes sense I kind of get that I don't know that's what I
think okay part three did you really believe it before when I said and then somehow we steal the production database come on I kind of totally skipped over that I bet you're all wondering like okay but how do you actually do that I bet you're wondering how do you actually do that how do you actually steal the production database had skipped over it before thank you very [Applause] much

thank you so much Alex we really appreciate that we do have time for a couple of questions anyone has some specific questions I'm sure there's some things you can't answer but okay yes up there if you can call it out I'll repeat it so that we get it on the chat

um he
mentioned also the like antivirus part I'm just wondering Mac is pretty strong like you open up it verifies

so just for the recording macOS is super tough to do stuff in how do you get around it

yeah is this can we hear me yeah um that specific thing with yeah when you if you make a Mac app it has to be signed and there's like Gatekeeper which wants you to only have like a macOS developer certificate which you need like a credit card to do and stuff and it's really annoying to do uh some people just don't use apps as a delivery meth method because of that they use like something else they ask the person to like run this Bash script or whatever but if you do use an app I think the common way people do that from
outway is they just they do what real software does which is it include instructions being like hey when you open this app now your computer's going to tell you to go to security preferences here's how you do that click here then click here and click there and people just do it because that's the state-of-the-art way to install software on macOS right now

we have one more one more time for question anybody got something no oh yes okay one here

uh so if you worked at a large organization which hypothetically employed about 15,000 people um it's pretty likely that someone's going to fall for a phishing link so it seems like a waste of time to have to like phish
people every time that you want to set set up an operation is there something you could perhaps do about that

I can't can't really imagine what it would be like to work at somewhere of that scale but I guess if I were to sort of get creative uh if you were to get like bored of phishing people or if you were to like realize that phishing people takes a long time like it takes months to like do all the phishing and all that and doesn't always work then you can you could just ask somebody who works there being like hey would you like to volunteer to get phished so where like you don't actually phish them but you say
at this date and time I will send you this link which you'll then click on or will send you this code to then download run on your laptop and then later when the incident response people ask you about it here was a script for you to follow or or TR L there's no script just tell them it was me or whatever it is you can arrange that sort of assumed compromise type thing if you want to skip the phishing phase because it's been done enough before and you're like do we really need to test if we can get phished maybe you don't need to test it anymore is what I would guess but I don't
know

thank you so much another round of applause for Alex thank you [Music]