Red Team Gut Check

Tim MalcomVetter
Jan 31, 2018

Some Greek historical inspiration, followed by a Red Teamer’s scribbles-on-the-back-of-the-envelope metric for your security program. Where does your security program fit in the eyes of a Red Teamer who is also a fan of Heraclitus?

“Ah, but the one, one is a warrior, and he will bring the others back.” ~ Heraclitus

You’re one of the ten security programs that “shouldn’t even be here” if:

· Default settings on most, if not all, red team tools were used without detection.

· AV was bypassed with no effort at all (see above).

· You have multiple single-factor authentication endpoints facing the internet, and you don’t notice when a single IP address brute-forces them.

· You have passwords literally everywhere inside your network, and the only persistence technique the red team needs is to keep a copy of a few of them. Our primary “hacker tool” is reading your password spreadsheets in Excel or a browser (ahem, the credentials your browser saved for you).

· There is no egress friction at all, not even for connections straight to raw IP addresses on random ports.

· You installed a SIEM to make some compliance regulator happy, but nobody is watching it.

· The Red Team learns your environment, and where your sensitive data is, better than you do.

· Mean Time to Entire Environment Compromise can be measured in hours.

You’re one of the 80 security programs that are “just targets” if:

· The Red Team threw 8 payloads, 5 were blocked by AV, 3 executed, but nobody is watching the logs to even know, let alone respond.

· Your users still make passwords out of season + year (think “Winter2018!”) and you don’t know what a “password spray” is.

· You deployed two-factor authentication in a way that let the red team enroll their own second factor using nothing but a stolen password.

· The Red Team came in through your front doors (web portals, VPN, Remote/Virtual Desktop Infrastructure, etc.) from IP addresses in geographic locations that meet the definition of “impossible traveler” (e.g. within an hour Alice logged in from both San Francisco and São Paulo) and nobody noticed, even after other IOCs were tripped.

· Our malicious C2 egress traffic through your proxies over HTTPS sails straight through uncontested.

· The path to full environment compromise is textbook-predictable; permissions are lacking, credentials are not protected.

· The Red Team knows what alerts on your SIEM should have raised the fire alarm, because we logged into the SIEM and turned them off and you didn’t notice.

· Or you detected us, but had no idea how to contain and eradicate us because you never thought about what comes next.

· The Red Team finds sensitive data in a place you didn’t know existed.

· Mean Time to Entire Environment Compromise can be measured in a few days or less.
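As an added example (mine, not from the original post), here is the detection logic the two authentication failures above call for, run over a constructed sample of VPN-portal logs: a single IP brute-forcing one account, and a password spray that stays under lockout thresholds by trying one or two guesses against many accounts. The log format, IP addresses, user names and thresholds are all assumptions made for the example; adapt the regex to whatever your VPN or portal actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN-portal authentication events (not real logs), one per line:
# "<ISO timestamp> <endpoint> <SUCCESS|FAILED> user=<name> src=<ip>"
SAMPLE_LOG = """\
2018-01-29T02:14:07Z vpn.example.com FAILED user=alice src=203.0.113.7
2018-01-29T02:14:09Z vpn.example.com FAILED user=alice src=203.0.113.7
2018-01-29T02:14:12Z vpn.example.com FAILED user=alice src=203.0.113.7
2018-01-29T02:14:15Z vpn.example.com FAILED user=alice src=203.0.113.7
2018-01-29T02:14:18Z vpn.example.com FAILED user=alice src=203.0.113.7
2018-01-29T02:14:21Z vpn.example.com FAILED user=alice src=203.0.113.7
2018-01-29T03:00:01Z vpn.example.com FAILED user=bob src=198.51.100.22
2018-01-29T03:00:04Z vpn.example.com FAILED user=carol src=198.51.100.22
2018-01-29T03:00:07Z vpn.example.com FAILED user=dave src=198.51.100.22
2018-01-29T03:00:10Z vpn.example.com FAILED user=erin src=198.51.100.22
2018-01-29T03:00:13Z vpn.example.com SUCCESS user=frank src=198.51.100.22
2018-01-29T03:00:16Z vpn.example.com FAILED user=grace src=198.51.100.22
2018-01-29T08:30:00Z vpn.example.com FAILED user=heidi src=192.0.2.44
2018-01-29T08:30:20Z vpn.example.com SUCCESS user=heidi src=192.0.2.44
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<endpoint>\S+) (?P<result>SUCCESS|FAILED) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_events(text):
    """Parse log lines into dicts with a datetime `ts`; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def detect_brute_force(events, window=timedelta(minutes=10), threshold=5):
    """One source hammering one account: >= threshold failures inside a sliding window."""
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAILED":
            fails[(ev["src"], ev["user"])].append(ev["ts"])
    hits = []
    for (src, user), stamps in fails.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                hits.append({"type": "brute_force", "src": src, "user": user,
                             "failures": j - i + 1})
                break  # one alert per (src, user) is enough
    return hits


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """One source making one or two guesses against many accounts. A spray stays
    under per-account lockout thresholds, so count distinct users per source
    instead of failures per user. Any success from the same source is reported
    too: that is the account the spray just compromised."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = evs[0]["ts"]  # window anchored at the source's first event (kept simple)
        recent = [e for e in evs if e["ts"] - start <= window]
        per_user = defaultdict(int)
        for e in recent:
            if e["result"] == "FAILED":
                per_user[e["user"]] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            hits.append({"type": "password_spray", "src": src,
                         "users_tried": len(per_user),
                         "succeeded": sorted(e["user"] for e in recent
                                             if e["result"] == "SUCCESS")})
    return hits


# The "season + year" shape a spray list is built from; reject it at password-change time.
SEASON_YEAR_RE = re.compile(
    r"^(spring|summer|fall|autumn|winter)[ _-]?(19|20)\d{2}[!@#$%^&*.?]{0,2}$", re.I)


def is_season_year_password(candidate):
    return bool(SEASON_YEAR_RE.match(candidate))
```

The two detectors deliberately pivot on different keys: brute force is per (source, account), a spray is per source across accounts. A spray spread over many source IPs defeats the per-source version; the next step is the same distinct-user count over the whole endpoint in a time window, compared against the endpoint's normal failure baseline.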

You’re one of the 9 security programs that are “the real fighters” and you “do make the battle” if:

· You actually have a 24x7x365 SOC that has proper incentives, training, and most of the important logs — you know where your blind spots are.

· You notice when payloads are blocked by endpoint controls and start to take action.

· Default settings on adversary tools get blocked and caught.

· You have some substantial monitoring for signs of internal lateral movement that are tied to TTPs, not tools.

· You proactively monitor for signs of abuse on external authentication endpoints, most of which are two-factor enabled.

· When we do access your front doors from geographically improbable IP addresses, you take notice, start tracking, and squash the activity.

· We have to really customize the way our C2 egress traffic looks and find ways around your SSL-decrypting proxies.

· You detect us and block aspects of our attack, maybe not completely, but with decisive action and some pre-planned playbooks.

· Privilege escalation is hard and well-earned when achieved by the Red Team.
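The “impossible traveler” check mentioned above and in the “just targets” list is simple enough to show in full. This is an added example (mine, not the author’s): consecutive successful logins by the same user are paired, the great-circle distance between the source locations is computed, and the pair is flagged when the implied speed exceeds anything a commercial flight can manage. The GeoIP table, the login events and the 1000 km/h threshold are constructed for the example; a real pipeline would resolve source IPs with a GeoIP database.

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # faster than a commercial jet, so allows for no connection time

# Constructed GeoIP table (hypothetical; replace with a real GeoIP lookup).
GEO = {
    "203.0.113.7":   ("San Francisco", 37.7749, -122.4194),
    "198.51.100.22": ("Sao Paulo", -23.5505, -46.6333),
    "192.0.2.44":    ("Los Angeles", 34.0522, -118.2437),
}

# Constructed successful-login events: (user, ISO timestamp, source IP).
LOGINS = [
    ("alice", "2018-01-30T09:00:00Z", "203.0.113.7"),
    ("alice", "2018-01-30T09:45:00Z", "198.51.100.22"),
    ("bob",   "2018-01-30T08:00:00Z", "203.0.113.7"),
    ("bob",   "2018-01-30T16:00:00Z", "192.0.2.44"),
    ("carol", "2018-01-30T10:00:00Z", "203.0.113.7"),
    ("carol", "2018-01-30T10:05:00Z", "203.0.113.7"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def impossible_travel(logins, geo=GEO, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins by one user whose implied travel speed exceeds max_kmh.
    Logins from IPs missing in `geo` are skipped rather than guessed, so an
    incomplete GeoIP table produces no alerts instead of false ones."""
    by_user = defaultdict(list)
    for user, ts, ip in logins:
        if ip in geo:
            by_user[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            city1, lat1, lon1 = geo[ip1]
            city2, lat2, lon2 = geo[ip2]
            dist = haversine_km(lat1, lon1, lat2, lon2)
            if dist == 0:
                continue  # same location: nothing to travel
            hours = (t2 - t1).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"user": user, "from": city1, "to": city2,
                               "km": round(dist), "hours": round(hours, 2),
                               "kmh": round(speed)})
    return alerts
```

In the sample, alice’s San Francisco to São Paulo pair (roughly 10,400 km in 45 minutes) is flagged; bob’s San Francisco to Los Angeles pair eight hours later is not. VPN egress and mobile carrier NAT are the usual false-positive sources, which is why this is one signal to correlate with others rather than a standalone block rule.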

“Ah, but the one” security program that is both a challenge and a joy to spar with:

· Nothing default or textbook works for the adversary. You quarantine common tools even when most of their defaults have been changed, either immediately or within a few hours as your expert handlers piece the events together, well before objectives can be achieved. We must go 100% custom with our tooling.

· You have your own private detection mechanisms for common adversary TTPs that are tool agnostic and the Red Team won’t know them until it’s too late — better luck next time!

· You don’t take immediate, decisive response actions the moment you detect an adversary’s presence; instead you contain and observe to learn how deep our access is, who we are, and what our motivations and objectives likely are, all before you act. Then you act swiftly and in a coordinated fashion, cutting us off on multiple fronts at the same time, rather than signaling that you are on to us while leaving us a foothold. Patience is your virtue.

· You notice our external authentication abuse and quietly rotate credentials before we can use the credentials in our larger plan.

· We walk blindly into your canaries that quietly signal we are someplace you don’t want us to be.

· We loathe the required effort to get C2 traffic out of your egress points and spend a great deal of time brainstorming new ideas that may have a battlefield time-to-live of only a few hours.

· We have to spend weeks planning multiple redundant and isolated attacks and consider all details to avoid any potential cross-pollination, because if we don’t, you’ll see our mistakes and prevent our secondary or tertiary attacks before they begin.

· You make us better simulated adversaries.
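The egress friction this post keeps coming back to, from “not even to raw IPs on random ports” to C2 traffic that has to be re-engineered every few hours, starts with two checks on proxy and firewall logs. As an added example (mine, not the author’s), the code below runs both over a constructed egress log: first, connections made with no hostname at all, straight to an IP, with non-web ports called out; second, (source, destination) pairs whose connection intervals are metronome-regular, the signature of an un-jittered implant check-in. The log format, addresses and the 0.10 coefficient-of-variation threshold are assumptions for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress proxy/firewall records (not real logs), one per line:
# "<ISO timestamp> src=<ip> dst=<ip>:<port> host=<requested name, or - if none>"
SAMPLE_EGRESS = """\
2018-01-30T12:00:00Z src=10.0.0.5 dst=203.0.113.50:443 host=-
2018-01-30T12:01:00Z src=10.0.0.5 dst=203.0.113.50:443 host=-
2018-01-30T12:02:01Z src=10.0.0.5 dst=203.0.113.50:443 host=-
2018-01-30T12:03:00Z src=10.0.0.5 dst=203.0.113.50:443 host=-
2018-01-30T12:03:59Z src=10.0.0.5 dst=203.0.113.50:443 host=-
2018-01-30T12:05:00Z src=10.0.0.5 dst=203.0.113.50:443 host=-
2018-01-30T12:00:10Z src=10.0.0.9 dst=198.51.100.80:443 host=www.example.com
2018-01-30T12:00:12Z src=10.0.0.9 dst=198.51.100.80:443 host=www.example.com
2018-01-30T12:07:45Z src=10.0.0.9 dst=198.51.100.80:443 host=www.example.com
2018-01-30T12:31:02Z src=10.0.0.9 dst=198.51.100.80:443 host=www.example.com
2018-01-30T12:40:00Z src=10.0.0.9 dst=198.51.100.80:443 host=www.example.com
2018-01-30T12:41:00Z src=10.0.0.9 dst=198.51.100.80:443 host=www.example.com
2018-01-30T12:15:00Z src=10.0.0.7 dst=192.0.2.200:4444 host=-
"""
EGRESS_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+):(?P<port>\d+) "
                       r"host=(?P<host>\S+)$")
STANDARD_WEB_PORTS = {80, 443}


def parse_egress(text):
    """Parse egress records; `ts` becomes a datetime and `port` an int."""
    events = []
    for line in text.splitlines():
        m = EGRESS_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def direct_ip_egress(events):
    """Connections with no hostname: the client went straight to an IP address.
    Legitimate software almost always has a name to ask for; stagers often do not."""
    out = []
    for ev in events:
        if ev["host"] == "-":
            out.append({"src": ev["src"], "dst": "%s:%d" % (ev["dst"], ev["port"]),
                        "nonstandard_port": ev["port"] not in STANDARD_WEB_PORTS})
    return out


def detect_beacons(events, min_events=5, max_cv=0.10):
    """Flag (src, dst:port) pairs whose inter-connection gaps are suspiciously regular,
    i.e. coefficient of variation (stdev / mean) below max_cv. Human browsing is
    bursty; an implant with no jitter checks in on a fixed timer."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], "%s:%d" % (ev["dst"], ev["port"]))].append(ev["ts"])
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few samples to say anything about regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv < max_cv:
            beacons.append({"src": src, "dst": dst, "count": len(stamps),
                            "mean_s": round(mean, 1), "cv": round(cv, 3)})
    return beacons
```

In the sample, 10.0.0.5 checks in every 60 seconds give or take one, so it is flagged; the browsing from 10.0.0.9 has gaps ranging from 2 seconds to 23 minutes and is not. This is exactly the friction the post describes: the moment a defender looks at interval regularity, the red team has to add jitter, and the moment direct-to-IP egress is blocked, it needs a plausible hostname and a proxy-aware channel. Each of those costs the adversary planning time and gives the defender a new seam to watch.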

That’s what it takes to be “the one.” Aspire to be the one, or at least one of the nine. Leave the other 90 behind.