How can companies know if their security investments are actually working? Getting attacked is the ultimate test, but hiring a red team is a less disruptive way to find out. These guys rely on technical chops, acting skills and pure creativity to engage in an all-out attack on a company’s defenses.
Tom Van de Wiele, Principal Security Consultant at F-Secure, stops by for Episode 12 of Cyber Security Sauna to talk about why companies hire red teams, plus he shares his tricks for hustling his way into a company. Be warned, though: After listening to this episode, you’ll never look at strangers around your office the same way again.
Janne: Tom, what is red teaming and what isn’t it?
Tom: Red teaming consists of being able to test the company in every single way, in a way that we perform the worst case scenarios to be able to ensure that the company made the right investments when it comes to security. They’re trying to protect their data, they’re trying to protect their people. They’ve made certain investments in resources, be it technology, be it people, and we’re trying to make sure that those investments actually make sense and are aligned with the things they’re trying to protect, which is of course always a moving target. And that’s where we come in. We try to make sure that we emulate or mimic the attacks of criminals and we see how the organization reacts to those.
What then are some misconceptions about red teaming?
Well, the definition of red teaming could be that the attackers choose the attacks. Because more than often companies want to have security testing done, but then kind of either suffer from tunnel vision, where the scope becomes too small, where the results cannot really be applied to the organization as a whole. We want to get away from that, where we are a group of attackers that don’t have to deal with what department a certain person is under, or where a certain piece of technology is under. So we have free rein, so to speak. Of course, we have to keep it legal, and within good taste. And that’s how we test the companies for these kinds of scenarios that they’re the most worried about.
An example of that could be, we depend on our customer database. We want to protect customers. Which is of course a primary concern for a lot of companies. But also the fact that certain companies are sitting on certain assets – my bank account, your bank account, those are zeros and ones on computers, mainframes usually. They want to see what it would take for a group of attackers to be able to get to that target, what it would cost, and if they were able to respond to that.
Let us piggyback you for a day in your work. So what do you do?
First of all, there’s an enormous amount of information we have to gather about our targets. There’s ways of automating some of that. But that could be people who work there, the department names, telephone numbers being used, domain names, websites being used, public presence, brand presence, social media. Any information that we can use against employees, because we have obtained certain knowledge and thus we’re trying to gain their trust. Or information that we can just use to what we call pretexting, which is to make plausible scenarios in which someone would give us a little bit of information, and in that way we’re able to not only gain more information but also have certain actions done on their behalf.
So for example if we have to spearphish certain individuals, we will try and get into their lives up to the point where that of course is legal. We don’t want to be stalkers or appear creepy in any way. There are certain laws to abide. But we try to see what makes someone tick, what drives someone when it comes to business interests, but also personal interests. And in that way we can create scenarios that give us a little bit more information, a bit more information, and in that way you get this snowball effect where we have enough information to actually perform the actual attack. So that’s the information gathering part.
But basically what you’re saying is, yes you have to respect the law, yes there are some contractual things from the customer, but other than that you are doing what a real attacker would do, you’re as close to that world as possible?
Correct. And of course it’s a matter of budgets, because real criminals have budgets and managers too. So we try to see what kind of budget it would take for someone to be able to perform these actions, and if some actions can be detected by the company, others cannot because they’re basically passive information gathering techniques.
So to give you an example, we for example have to target top management of a company, because usually they have the strategic overview, they see what products and services are in the pipeline, and it’s a huge competitive advantage to have information like that. We found out that for example one of the managers was very interested in Egyptian culture. We found this out through his social media interests, through his Facebook, through news groups and stuff like that where he’s been posting for quite a while, kind of like an aficionado when it comes to Egyptian culture and old religions.
So how is that a way in?
Well that’s a way in in the sense that if we know that that triggers that person, if we know he has an interest for that, then we have a higher chance that if we present some kind of Egyptian-related content to this person, we would be able to entice him to perform certain things. That could be clicking on a link, that could be providing us some information.
So what we did – and this is kind of where the creative part comes in – is that we created a completely fake museum, with a fake exhibit, fake brochures, we sent him real tickets, the whole nine yards, and then of course he had to confirm the receipt of these tickets, and of course he was expecting an email to be sent to him, he was expecting an action to be performed, being clicking on the link to confirm the tickets. Obviously the tickets already ran out, that was a fake error message, exactly, ’cause you always have to make a clean getaway, but that way we could make him go to a certain website. And of course that website was riddled with all kinds of attack code that would infect his machine, and with that see if we could make him perform certain actions on his behalf.
So it really depends on how creative you can be when it comes to profiling certain people, but that’s not to say that the more generic attacks, they still work. Everyone is usually on LinkedIn, we send fake LinkedIn updates to people. So you get an email from us saying “Hello, this is LinkedIn, and there’s been an abuse complaint about you, and for that reason you are no longer allowed access to the (name of company) group.”
My company’s group.
Exactly. So “You have 24 hours to refute the complaint. Please click here to see the actual complaint.”
Oh, heck yes.
I mean, I think we have a click rate of more than 70 to 80 percent for these kinds of links. Even though for certain companies or for certain people, their company email address isn’t even used for LinkedIn. But it provokes an emotional response.
It does, yeah. We’re talking about tricks that actual attackers would do. How do you know what actual attackers would do?
Well as said, we do a lot of incident response, so we see what criminals try.
So these are actual, like real life things.
Actual attacks that we have to kind of handle for companies, or assist, or if they had an attack we perform what’s called a postmortem analysis to see how the company could have done better. And of course, our own techniques, our own ways of getting into technology, because we test software, hardware, services every day, we know where the vulnerabilities or weaknesses lie, and we kind of map those onto whatever the customer is using at that given time. And that way we know for example that an administrator has to be able to log on to a website and with that, administrate the website. If we can give him some kind of doubt that something is wrong with his website, we can make him log into it and that way perform certain actions.
I know enough of you guys to know that you’re a creative and, dare I say, devious bunch. So you come up with your own tricks as well.
We prefer the term creative. Subvertive computing, we call it.
So what do customers usually expect from a red team assignment?
Well, I would suppose that somewhere they hope that we’re not going to get in. And they hope that their investments have been made in a way that they are able to respond to these things. But we also hope that they’re aware of the fact that a targeted attack, with enough time and with enough resources, someone will get in eventually. So in that sense they are expecting an overview of what worked, and how we potentially got in, and what didn’t work, and what slowed us down so to speak. So they will map this onto their investments, they will map this onto their compliance framework, or the security policy they have internally, and to see where they have to make adjustments.
Do you ever get used as sort of leverage inside the company, so the CISO knows that the company has certain vulnerabilities and he just wants you external people to come in and highlight that?
People say that consultancy is someone who tells you the time using your watch. So, yes sometimes that happens. Sometimes there’s a situation of lack of trust in the sense that we have CISOs or IT managers that come to us and say “The (name an application, SAP or whatever it is) – the team says they are doing great, but from other teams I hear different stories. And I have no real way of finding out if I have everything in check to be able to protect the data that we’re sitting on. Perform this test, tell me what the real situation is from the perspective of an external attacker.” And that’s great value for money.
Now, let’s get back to your day. You’ve collected all this information, you’ve created your pretext, like this is my story, these are my targets, this is what I know about them, this is how I’m going to get them, what’s next?
Next would be to see kind of what the company operates on technically, because in the end the information is going to be stored on computers for 99% of the cases. So we need to find out what they’re using to be able get to that data and to interact with that data. So if we know they are using a certain software product, then we’re going to try to find out where that software product is located. We’re going to try and see if we can make a copy of it, a fake copy, to see if we can get them to provide their login and password to us.
So like a fake login page for example.
A fake login page, exactly, yeah. So we did a gig not too long ago where a technology company that provides IT services for companies that want to outsource their IT services, proudly announced that they have a new bank under their wings. So we registered a domain name called “first company’s name dash second company’s name.com.” We then mailed some of the IT people (we found out their names through LinkedIn), we said “Look, apparently you guys are handling our IT now, and for the life of me, I cannot log on to this website, can you guys give it a try?” And of course, they knew about this announcement that was made, they logged onto that website, we gave them fake error messages, and those error messages actually contained real system names of other systems they have internally, because –
How convincing is that?!
We found on the Google groups and other forums that some of the IT people actually were looking for certain error messages, and how to resolve them. So we just took those out, put them into the phishing websites, and that way it looked realistic. And because it looked realistic, as a result of that we got even more passwords, because what do you do when your first password doesn’t work? You try your second password, and your third password. So now we had all the passwords that we needed to be able to log onto the real website, and with that jump over to the next network to be able to get to the information that we were supposed to steal.
Yeah, and you’re targeting IT admins here. While it’s great to get the credentials of the lady who works in marketing, this is the real gold mine here.
Correct, I mean it’s not just about breaching the shell, so to speak or breaching one computer. We want to get an initial foothold in the network, and that could be anyone. If we want to target IT that’s fine, but we’ll probably do it through the marketing or sales department, or the PR department. And then from there, jump over to whatever we need to jump over to, to be able to get to that information.
But the end game surely is the domain admin creds?
Usually it’s domain administrator, because most machines are integrated with Active Directory, but there are companies that explicitly do not do this for this very reason, that if the Active Directory is compromised then you’ll be able to access those systems as well, but yeah, if you obtain domain administrator it’s basically game over. But sometimes we don’t even have to go that far. Because if you’re sitting on certain access towards a certain service that gives me what I want – social security numbers, medical data, whatever it is – then that’s really all I need. But from a long term perspective, as an investment, as an attacker, again, attackers have budgets and managers too, you want to have some kind of persistence on the network. So to be able to guarantee your investment, attackers will always make sure they have multiple footholds in the network so they can come back for even more data.
So now you’ve got the credentials to access, you’ve got the goods that you came for. Is that the end of the assignment or is data exfiltration even something that needs to be tested?
Well, you hit the nail on the head there. Now you have to get the data out. Now as an attacker you have to make the choice between am I going to sort through the data on the company network at the risk of getting caught, or will I just take all the data home and sort through it at home, so to speak? And it kind of depends on what data you’re trying to steal.
Usually getting the data out isn’t a really big problem because most companies will allow certain encrypted services, something as simple as just emailing it to your own Hotmail address, just to give you a random example, is still very effective. There’s only very few people, or very few companies rather, that have some kind of filters in place to stop that, because most of the stuff on the internet uses that. There’s also the, you know, what we call sneakernet, which is just putting it on a USB stick and walking out with the data. All these techniques can be used depending on what kind of information you are supposed to steal. If that means a huge customer database we will try to exfiltrate all of it, but usually we don’t have to. We can just prove to the company that we got maybe half of it or whatever and we can stop there, because in the end we really don’t want to be sitting on a copy of the customer’s database because now we have to protect that too.
So we prove the point, we show what the impact could be, and with that the customer has what they want, and we have what we need to be able to show value to the customer, in that, was this possible? Were we slowed down? Did anyone see it? And if so, can we help them improve their detection and response capabilities?
So, you’re super successful in this, you get the goods you came for, what’s the human fallout in the company? Are people happy or sad about that?
People will feel uneasy about the results, usually. I mean, we’ve had people throw the report at us, we’ve had people leave the room, we’ve had people cry, we’ve had people scream at us. Because you’re messing with their idea, basically the idea that whatever they are doing was correct, that they are actually protecting the organization. And you might argue that, okay, if you haven’t tested these kinds of things then how can you make these statements about this is secure, this is what it’s supposed to be? And the answer is you can up to a certain point, I mean there’s certain audits you can do internally, there’s certain things you can do as part of normal information security hygiene, if you will, but you still need to do a test that targets all of these processes at the same time. And that’s where a red team test comes in.
Do people ever get fired when you present your report?
It happens. Usually when we report our results we have to be very careful because we don’t want to corner certain people. Because we are there to address the processes, not the people. So we report on the country level, maybe if it’s possible on the department level, if we say the IT department or the PR department or whatever it is. But yeah, sometimes it does happen where people are forced to switch positions let’s say, because there were certain overlapses in the way they were doing things.
You’re trying very hard not to say that those people had it coming.
Well, you could say that, but again it kind of depends on what the cards were that they were dealt in the company. You know, if that person has been screaming for resources for five years, it’s an easy way of getting a scapegoat to leave the organization and with that kind of reset the counter. So that happens too. We see a lot of these things. But sometimes it can be that for example, a vendor doesn’t get to use their products at that corporation anymore because they weren’t doing their job, they weren’t doing what they promised they would do. In that way there are certain changes to be made.
At the very least we hope that certain changes get made as the result of our red team testing, because that’s in the end what we want to achieve, is that they change the right processes for the better, so that next time we’ll have a harder time getting in.
Do you have a favorite red teaming war story?
Usually red teaming or security testing in general has this Hollywood image around it. So when you tell people you’re doing these things, then you might actually get the wrong response. There was one company we had to target, where we were having a hard time getting into the building. We waited for a certain event to happen there, which would give us more access to some of the internals of the company, and we saw they were having a press conference about real estate. Updates and real estate numbers or rates. So one of our consultants dressed up as a journalist, went there with a fake press badge, sat through two hours of mind-numbingly boring real estate numbers, and after that excused himself and asked to go to visit the men’s room. He then stayed in the men’s room for 45 minutes, which is a long time to be in the men’s room, and after that he basically had free rein, because his escort didn’t want to wait for him to be done with his business.
So our consultant was able to run around in the building, put in his rogue network devices on the network, and on his way out actually met his escort again. Having attained our objective of getting access to the internal network, as per our normal procedure, at the end of a red team we try to get caught, which is surprisingly hard at times. Because again, we are there to test the processes, so we need to see what people will say. So in this particular case, our consultant said, “Hi, I’m a consultant for a security company. It was my job to get into the company.” And the response of the escort, of the host, was, “That sounds really really cool. Have a great day.”
No ID, nothing.
No ID, no nothing. And he just left. So again, it was that person’s job to actually escort the would-be journalist out of the building. So is that that person’s fault? Well not really, because that person should have been trained better by certain people from the security department saying “These are the rules when it comes to escorting people through the building. Don’t leave them alone because they might not be who they say they are.”
So the solution to this situation would be to have these kinds of meetings in meeting rooms that are not in the same building as the organization’s internal network, where all the important information is. Or to have it somewhere public in a public meeting center or whatnot, away from the internal organization so you don’t have to actually invite wolves in sheep’s clothing, so to speak, to come into your organization trying to plug in things on your network and with that trying to get certain things done as an attacker.
So what happens when you do get caught? Like, if that guy had done his job properly, what happens to you? Do you wrestle with the security guard, or…?
So we use this letter that says look, don’t call the police. We’re the good guys. Please call up this number and this person will vouch for who we are. As said, we try to actually have some interactions with the security company or with the security guards to see how they would react, what kind of questions they ask us. And based on that we can make a report as part of a journal that we also provide to our customer saying look, we had several interactions with the guards, we think they might be well trained, not well trained, not following procedure.
So we don’t have to deal with law enforcement because it never really gets to that point. Also we try to have some contingencies in place so that we ask our customer “Has anyone that we’re going to interact with ever had any kind of traumatizing experiences, either on the job or stuff that you know of?” because we do not want to cause any long term damage, to people, but also not physical damage. These things will change the results. And we don’t want that because again, that results in less value, and that means maybe next time we’re not invited to test that company again, which is something that we would like to do, so that after two or three red team tests the customer or the organization is so accustomed to having these tests, to be on their toes, that’s what makes your security maturity go up – not buying box number 123 or having a certain service, these things are not made of magic. You need to be able to know where they overlap, where there’s gaps and to be able to handle those gaps.
Basically just to know that the money my company has been spending on security is going in the right places, not to sort of put my head in the sand and close my eyes from the ugly truth. A red teaming exercise is something that would be helpful to any organization, you’re saying.
Absolutely. This might sound pretty Mission Impossible, Ocean’s 11, but it really isn’t. A targeted attack is a probability. But someone leaving their phone or their laptop in a taxi or on the train, that’s a certainty. And that could really be a bad day for you if you don’t know how to handle those. The simplest test that we do as part of a red team test is just to steal a laptop. I mean, usually the customer themselves takes the laptop away from someone, or just says look, we consider this laptop stolen. See what you can do with it. That has tremendous value for a company. Because again, these things happen every day, every week that phones get lost, laptops get lost.
What is the impact to the organization, can someone piggyback onto the communication, can someone steal the information from those laptops? And to know what’s at stake, having that certainty and being able to sleep on both ears so to speak, to say “I know exactly what was on that laptop, it’s been wiped, it’s not a concern, it’s encrypted,” that is what gives you security maturity. That’s where companies should find their bedrock when it comes to building up maturity for other processes, let’s say more, not exotic, but the scenarios where if someone does try to target you with a budget, and that could be for example a disgruntled employee.
There’s nothing as damaging as an employee that used to care, because employees have access to everything. That’s usually the situation where a lot of damage is caused. Not necessarily by an external attacker, because that demands interest, that demands having something that that attacker wants and being pinpointed or targeted at a particular time.
You’re putting on the cloak of invisibility, the high-vis vest, how easy is that?
Depending on what part of red teaming you want to focus on, let’s focus on the part of just walking into a building. You have to get comfortable with the fact that you don’t belong there. I could kind of compare it to going into a shop, not buying anything and having this feeling of guilt when you walk out because people will think that you’ve shoplifted or something like that. It’s that feeling times 1,000. You don’t belong there, you have to walk with purpose, you have to name drop certain things in a way that it seems like you’re not trying too hard, and sometimes that takes two or three context switches, of switching from being an external worker guy, who’s just cleaning the windows, getting into the building, going to the bathroom, changing clothes, now pretending to be an employee, having a laptop under your arm, holding an apple, going to the next department, saying, “I have my hands full. Can you use your access card in the elevator to get to the trading floor where I’m supposed to be?” Then changing again to maybe a manager, screaming in your phone against an employee while someone holds open the door.
So you have to be able to make sure that you’re very light on your feet, that you can improvise, and always, always have a clean getaway. Because if you start to panic, if you say “Look, I’m not this person,” now you’re really going to stir things up. And again, don’t get me wrong, we’re there to test the process, but that will kind of muddy the waters for all the other tests that you had planned in your schedule, because now people are on edge. Now people know that you’ve gotten into the building, now anything can happen, which kind of instills this feeling of paranoia within the organization. And that’s something that we want to avoid at all costs. Because yes security testing is required, but it does not mean that we should all be running around in our offices being paranoid, questioning every email that we get.
Shouldn’t we though?
Well, common sense should prevail, hopefully. But being able to train for these things is something that’s really up to yourself. So we coach junior consultants into getting better at this. So I usually give the example of dial a random number in your country, and I do mean random. And having someone on the line, try to keep that person on the line, on the phone as long as possible. Whatever they throw at you, you have an answer for them. And that feeling, of constantly getting weird questions thrown at you, that is something that you need to learn how to master.
Same thing with being able to tailgate. Someone opens the door, and you want to tailgate in. If you run towards the door, they’re gonna see you because obviously you’re trying to get in. Unless of course you’re holding 25 coffees and you say, “Hey I’m holding all these coffees, could you please open the door?” So we usually go to McDonald’s, get empty coffee cups and these coffee cup holders to make sure that we have our hands full. Finding out those scenarios, practicing tailgating, I mean, every mall has a door obviously. That door will open and close. Someone will go into the mall. Try and measure your pacing so it seems natural that you can get to the door without seeming too desperate. And that way you’ll be able to practice yourself. And you’ll be doing this in a very natural way, you’ll start to believe yourself that you are part of the organization.
So when you get into a company, when I say walk with purpose, what does that mean? That means that every single time you need to be on the lookout for a coffee machine or a toilet. Because those are your pit stops. You go to the coffee machine, you get to relax, you get to do something with your hands, you make a coffee, you sip your coffee, you look around, what’s the next location I’m gonna get to? There’s toilets over there, if people do notice me that I’m kind of on edge or looking around, you escape to the toilet, you wait for people to leave hopefully, then you kind of reset, you go back, you check your options, and you go back. You couldn’t get into a certain department, you have to come back? You get back to the coffee machine. Learning that, knowing how to do that – that’s something that takes practice, and that you can only do by giving yourself these little assignments, by finding out people’s names in coffee shops. We have these little competitions at work where we have to find out the first names and the profession of certain random people in a coffee shop.
Somebody points out, that guy. And that’s your target now.
Well you could say, look, this is a coffee shop. You have the entire day to give me five names of people and what they do. And how you do it, that’s completely up to you. But you have to get the results in a way that doesn’t look suspicious. So that means that someone calls up “Coffee for Janne,” and I will steam towards your coffee and take your cup.
And someone goes, “Oh! Was that for you? I’m sorry. Are you also called Janne? Or is it –”
“No, actually my middle name is.”
“Oh really? Your middle name is? My nephew has the same name.”
“Well, you know, as long as you don’t arrest me, because you have this blue shirt on. Oh, you’re not a police officer. What do you do?”
So you try to push yourself into the conversation and you try to find a natural hook into talking to people. That is key, and that you can practice yourself.
How much of this is cultural? Some cultures are very good at small talk, some cultures don’t do any small talk at all.
That’s true, but again, we’re gonna be the first ones to abuse that. Because if I know that you’re not gonna mind my business and you’re just gonna look at your own shoes, I might be running around in the building with a badge, an access card that says Mickey Mouse on it. If you say that, look, this is not part of my job, I’m not gonna talk to you, and you’re not gonna be confrontational, then I’m gonna abuse that and walk past you.
How far into the terrain of fake moustache and weird accents do you usually go?
We usually dress up either as someone who is part of the event team, if a company is somewhere at an event, a worker, a window cleaner, a handyman. We have a collection of smoke detectors that we stick into an open bag, and then we pretend that we have to check the smoke detectors. Or we have electronics with us and we pretend that we need to check phones, and why do we need to check phones? Because we know that phones are in meeting rooms, and our job was to actually install something in a meeting room to see if we can have access from that meeting room to a certain location.
So again, it’s a function of what we’re trying to do. But usually we are just able to dress up normally as employees or pretend to be a customer. That also means that if there’s really no way of getting into a company, we have some CVs that will knock your socks off. Which means that the moment they have an open position for any kind of job, we’re gonna apply for that job.
So your way in is a job interview.
Exactly. So we have CVs that almost cannot be denied, and they will invite us, we will be in the building. And then it’s a matter of skill and improvisation to say, “You have to excuse me, but my wife is pregnant, and it’s the doctor on the line. Is there a meeting room somewhere where I can take this call?” And they will leave you alone, because, you know, there’s the sanctity of doctor and all that. So people will leave you alone. There’s only very few cases we’ve heard where someone says, “No, don’t take the call.”
So you’re not gonna get the job, but you’re going to get fifteen minutes in their meeting room.
Exactly. And that’s all we need. That’s all we need.
So red team testing is about pretending you’re the attacker to help companies defend against real attackers. By making your life harder, they’re going to make the attacker’s life harder. So what are some concrete suggestions companies can do to make your and attackers’ lives harder?
Well, in the industry we say that companies that are good or resilient against targeted attacks are the ones where you can get in, but it’s really hard to get out, or rather to get the information out. But as a general recommendation, I would say to companies that want to have more resilience against an eventual targeted attack is to have visibility. To have visibility over what are the third party vendors doing? If you want to go and outsource things to the cloud that’s fantastic, you’re gonna save a lot of money, but it comes at a cost. And that cost is the loss of visibility.
You need the data, you need to know what is going on in your company across departments. And if you can find a way where you can differentiate the noise from the signal – and that’s kind of the tradeoff or the battle that a lot of companies are handling, they have all this data coming in and they have to kind of sort through it. Someone who has the visibility about the attacks that are going on right now and is able to detect those, that is going to make our life really hard as a red team, and it’s gonna make the life of criminals really hard, so that hopefully, they will go to the next organization and not target you and leave you alone.
Thank you very much for coming on the show.