Read the book Tribe of Hackers Red Team - Marcus J. Carey - Page 10

4 Beau Bullock


“I’m a firm believer that one should not jump directly into an offensive role without first getting a deep understanding of underlying protocols, including not only technical details but also business logic.”


Twitter: @dafthack

Beau Bullock is a senior security analyst and penetration tester who has been with Black Hills Information Security since 2014. Beau has a multitude of security certifications and maintains his extensive skills by routinely taking training, learning as much as he can from his peers, and researching topics that he lacks knowledge in. He is constantly contributing to the InfoSec community by authoring open source tools, writing blogs, and frequently speaking at conferences and on webcasts.

How did you get your start on a red team?

I meet a lot of people who are interested in pentesting or red teaming and want to jump straight into those roles. I did not start out my career in information security on the offensive side. Being tasked with protecting a network, its users, and their data forced me to think like an attacker so I could be a better defender. I first developed an interest in offensive operations during an ethical hacking course I took while in college, but that interest did not develop into an offensive role until years later.

Working on a blue team at a hospital and then at a bank, I would consider how an adversary would get around the controls we had in place. So naturally I began performing offensive tests against our own controls to see where we were missing things. It was integral for me to learn as much as possible about every single layer of the organization. Everything from firewall rules to router configs to host-based protections to physical security to managing risk associated with one-off exceptions for C-suite members to protecting data to stopping people from getting phished—these were all opportunities for me to find where protections were lacking. Through all of this I learned what pitfalls many organizations and blue teams face day to day.

From an operational standpoint, understanding the struggles blue teams have to deal with, how networks function, and what defensive controls are possible provides a much clearer picture to the offensive operator. I pivoted to an offensive role in 2014 when I started working at Black Hills Information Security. Throughout the first few years of working there, I performed many penetration tests for various organizations. This gave me the opportunity to tune my capabilities and develop red team tactics. Within the last three years, I have been fortunate enough to be assigned formal red team engagements.

What is the best way to get a red team job?

Being on a red team takes a unique and dedicated individual who has knowledge in vastly different areas. I’m a firm believer that one should not jump directly into an offensive role without first getting a deep understanding of underlying protocols, including not only technical details but also business logic. Do you know how the business you are targeting functions day to day? Can you determine what the organization values?

Many red teams consist of multiple individuals with skills in different areas. You might see team members who can perform architecture setup, payload delivery, and/or social engineering, act as internal network specialists, and more. Before you get a job on a red team, I would recommend first developing offensive skills in multiple areas on penetration tests. The key to being a good red teamer is having the knowledge to attack an organization from many angles and the discipline to use the one method that is necessary and won’t get you caught.

“The key to being a good red teamer is having the knowledge to attack an organization from many angles and the discipline to use the one method that is necessary and won’t get you caught.”

If you are already a pentester looking for a red team role, I would say networking is probably going to be your best bet. Go out and meet the people working on red teams and introduce yourself. Show them projects you’ve been working on. I see job openings posted by others on my Twitter timeline all the time.

If you are working for a company as an internal security analyst or the like and your company doesn’t have an internal red team, maybe it’s time to make a case for one. You might be able to build your own internal red team for your own organization and essentially create your own red team role.

How can someone gain red team skills without getting in trouble with the law?

For building skills, I am a huge advocate of participating in capture-the-flag contests. Also, jumping in on bug bounties is a good way to build web application hacking skills. Building a home lab doesn’t have to be expensive and can provide you with a test platform for performing red team research without breaking laws.

Why can’t we agree on what a red team is?

I think many have a hard time understanding where a pentest stops and a red team starts. There is definitely some overlap between the two that people get hung up on. Commonly people describe red team engagements as a penetration test without restrictions. But red team engagements do have restrictions. If they didn’t, then kidnapping, extortion, and blackmail would be in the rules of engagement. So since red teams are not truly unrestricted, I think people have a hard time grasping why it’s different from a pentest.

What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?

For the majority, I think they still think red teams are trying to sling exploits with Metasploit. I haven’t had to use an actual software exploit in years. Configuration issues, bad passwords, and poor user awareness of phishing are typically how we get in. Once inside a network, it is 100 percent a game of credentials: pivot, dump creds, pivot, dump creds, rinse, and repeat.

I think the most toxic thing I’ve seen is how some blue teamers and red teamers treat each other. Many treat the other side as an adversary in a bad way. Our job as red teamers is to help the blue team get better. We should never gloat about our ops. The same goes for the blue team. I love purple team assessments where we can work collectively to make the organization better. Some of the coolest things I’ve found on engagements have been on purple team engagements.

When should you introduce a formal red team into an organization’s security program?

Only after an organization has gone through multiple penetration tests and has done their due diligence in mitigating any of the vulnerabilities presented to them would I consider recommending a red team engagement. The most important thing to consider when deciding whether an organization is ready for a red team engagement is, can a red team get in using a vulnerability that shows up in a pentest? If so, the organization is not ready for a red team. The organization should already have an internal social engineering program to ensure its users don’t submit credentials to a malicious page the red team hosts. Solid alerting and hardening of infrastructure should be in place, and I damn well better not find an exposed portal that doesn’t have MFA.

How do you explain the value of red teaming to a reluctant or nontechnical client or organization?

Explaining the fact that it is a true test of their defensive capabilities usually is effective for me. I like to describe a pentest to a customer by explaining that I am going to attempt to find as many vulnerabilities as I can but will likely be very noisy. I explain that on red team engagements I may find only a few vulnerabilities but will be much less noisy and those vulnerabilities will likely be much more valuable to them, as they probably allowed me to compromise the network.

What is the least bang-for-your-buck security control that you see implemented?

For the most part, if you are paying for antivirus, it is the least bang-for-your-buck control. I say that because, honestly, the free Windows Defender that comes installed by default on Windows systems is actually pretty good for doing what antivirus is supposed to do.

Have you ever recommended not doing a red team engagement?

Yes, during scoping calls, if I sense that the customer hasn’t done previous pentests or struggles to conceptualize what a red team is, then I might recommend something else. Definitions are huge in this industry. Without the proper definitions being agreed upon, it can be difficult to determine if by red team they actually mean pentest or even vulnerability scan. Laying out these definitions usually results in a customer realizing they meant a pentest instead of a red team.

What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?

One of the easiest-to-implement controls that makes our lives hard as red teamers is Microsoft’s Local Administrator Password Solution (LAPS). Randomizing local administrator passwords on every system makes it so that the compromise of a single local admin credential doesn’t allow widespread access to every other asset in the network. Network segmentation between hosts, including client isolation so workstations can’t talk to other workstations, is another great control to have in place. If I can’t pivot from one workstation to another, it’s going to be hard for me to escalate privileges in the domain.

Even though this question asked for only one control, I would say the following are the most important things to look at locking down to prevent full domain compromise: MFA everywhere you can implement it, VPN requiring MFA and client-side certs, strong password policy (15 characters or more), strong log consolidation and alerting, application whitelisting/behavioral analytics software, strong egress filtering (allow web ports out only through an authenticated proxy with filtering in place), and user awareness to social engineering. If the organization implements those things, I’m going to have a bad day as a red teamer.
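Two of the controls listed in this answer, a 15-plus character password policy and LAPS on every host, can be checked directly in Active Directory rather than assumed to be in place. The script below is an added editor's example, not code from the interview, from Beau Bullock, or from Black Hills Information Security. It assumes a domain-joined administrative workstation with the RSAT ActiveDirectory module and read access to computer objects; the attribute names it queries (ms-Mcs-AdmPwdExpirationTime for legacy LAPS, msLAPS-PasswordExpirationTime for Windows LAPS) are the documented ones, and it only queries whichever of them exists in the forest schema.

```powershell
# Added example (editor's, not from the interview): audit password length and LAPS coverage.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# --- 1. Password length: the default domain policy plus any fine-grained policies ---
$default = Get-ADDefaultDomainPasswordPolicy
$verdict = if ($default.MinPasswordLength -ge 15) { 'OK' } else { 'WEAK, raise to 15 or more' }
'Default domain policy: MinPasswordLength={0} ({1})' -f $default.MinPasswordLength, $verdict

# A fine-grained policy with a lower minimum silently overrides the default for its members.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo |
    Format-Table -AutoSize

# --- 2. LAPS coverage ---
# Legacy LAPS stamps ms-Mcs-AdmPwdExpirationTime on each managed computer object; Windows LAPS
# stamps msLAPS-PasswordExpirationTime. Only ask for attributes present in this forest's schema,
# because Get-ADComputer rejects a -Properties list containing an unknown attribute.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$lapsAttrs = foreach ($attr in 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime') {
    if (Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$attr'") { $attr }
}
if (-not $lapsAttrs) {
    Write-Warning 'Neither LAPS schema extension is present: LAPS has not been deployed at all.'
    return
}

$computers = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Windows*"' `
    -Properties (@('OperatingSystem') + $lapsAttrs)

# A host with no expiry stamp from either product is still running whatever local admin
# password it was built with, i.e. the shared credential that lets one compromise become many.
$withoutLaps = $computers | Where-Object {
    $c = $_
    -not ($lapsAttrs | Where-Object { $c.$_ })
}
'Enabled Windows hosts: {0}; without a LAPS password stamp: {1}' -f @($computers).Count, @($withoutLaps).Count
$withoutLaps | Sort-Object Name | Select-Object Name, OperatingSystem, DistinguishedName

# --- 3. Stale stamps: an expiry date in the past means rotation has stopped working on that host ---
$nowUtc = (Get-Date).ToUniversalTime()
$stale = $computers | Where-Object {
    $c = $_
    $lapsAttrs | Where-Object {
        $c.$_ -and [DateTime]::FromFileTimeUtc([int64]$c.$_) -lt $nowUtc
    }
}
'Hosts whose LAPS password is past its expiry date: {0}' -f @($stale).Count
$stale | Sort-Object Name | Select-Object Name, OperatingSystem
```

Run it from an account that can read computer objects; reading the password attribute itself is deliberately not attempted, since only the expiry stamp is needed to tell whether a host is managed, and a listing of who can read ms-Mcs-AdmPwd or msLAPS-Password is a separate ACL review.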

Why do you feel it is critical to stay within the rules of engagement?

Staying within the rules of engagement or not is like the difference between landing a shell on your target and landing a shell on the personal device of your target’s significant other. One of these things is a highly illegal thing to do, and you might not be able to unsee what you see there.

If you were ever busted on a penetration test or other engagement, how did you handle it?

Busted? What’s that?

What is the biggest ethical quandary you experienced while on an assigned objective?

One time I was tasked with performing a penetration test for a company and made my way to the CIO’s system, where I found some very questionable things. I had a Meterpreter shell on the guy’s system and noticed some KeePass processes running. I thought, “Cool, I’ll wait for him to leave, log in, and then see if he left KeePass unlocked.” Late at night after he left work for the day, I connected to his system using RDP. Sure enough, he had left KeePass open, so I now had access to a ton of creds, including some personal ones of his.

But I also noticed some other windows open on his system. First, he was using RDP to connect to another company’s server outside of the target network, where he appeared to be doing some sort of “system administration.” To make things stranger, he was also using RDP to connect to a personal system. This personal system had well-known tools on the desktop for performing mass spamming and other tools. At this point in the engagement, it became an ethical quandary, so I stopped the engagement. I ended up hearing from the customer later on that the CIO was let go.

How does the red team work together to get the job done?

Collaborative infrastructure across the entire operation is necessary in my opinion. To be successful during the operation, we need to be able to share shells, data, and so on, easily. On the reporting side, it’s the same thing. We don’t want to be working in separate documents. This creates too much work later when we want to merge them. If we can collaborate on the same document platform, it creates a much smoother reporting process.

What is your approach to debriefing and supporting blue teams after an operation is completed?

After an engagement, I like it when the organization can get all the entities involved in a meeting with me. I want the security team there as well as members of the SOC and maybe even other sysadmin-type employees. This way, those who typically don’t see pentest reports now have an awareness of what can happen on the network. In turn, this helps arm them with the knowledge that they need to be diligent in protecting their own systems. I typically walk through the entire operation, from reconnaissance to initial compromise to escalation and finally data compromise.

If you were to switch to the blue team, what would be your first step to better defend against attacks?

Not switching back to the blue team. But if I did, I would first have a long discussion about budget. Knowing the budget can help you know how to best divvy it up to get the most out of it. You don’t want to go blow your whole budget on the latest blinky light system that likely requires another full-time employee to even manage. There are so many free and open source options out there for securing a network, but many of those require time and effort as well. So perhaps using your budget to hire another co-worker might be the best bet. Some things I would try as soon as possible if they weren’t already there would be to deploy Microsoft’s LAPS, up the password policy, and deploy MFA.

What is some practical advice on writing a good report?

Take lots of notes while you are testing and essentially write the report as you move along. The worst thing you can do is fill up a notes document with screenshots but forget why you actually took them. Trust me, I know it is really hard to stop what you are doing and go write a couple sentences. Especially when you are faced with a new shell, it can be tempting to just start hacking away at it. But if you don’t document, you will be regretting it later.

How do you ensure your program results are valuable to people who need a full narrative and context?

As much as possible, I try to explain what an attacker who was actually trying to do malicious things could have done. Most real attackers don’t have the same deadlines as red teamers, so they are not worried about being done within a few weeks’ time. They can take all the time they want. So for many organizations, being able to tie an actual threat actor’s potential actions to data you provide can result in great value for them, because they understand how bad things could really be.

An important part of my red team engagements is that I’m not placing domain admin access as a primary goal. In most cases, the data I want doesn’t require domain admin credentials to get it. I feel like the goal of the assessment needs to be something that the organization deems sensitive. If I can show that I’ve been able to compromise the CEO’s desktop or maybe a database containing credit card data or plans to build a battleship and then describe how these would be useful to an attacker, most organizations seem to find value in that.

How do you recommend security improvements other than pointing out where it’s insufficient?

Oftentimes I’m providing positive findings to customers to let them know where I think their controls are working. Even though something might be preventing me as an attacker, there are cases where those could still be improved. For example, maybe the organization has an exposed Outlook Web Access portal. Maybe I wasn’t able to access it during the assessment, but I still might recommend that they move it to the internal network and protect it behind a VPN.

Additionally, constant testing of your controls is a must. Even though the red team engagement is over, learn and utilize some of the techniques that were used. The methodology of the tester should be outlined in the report and will typically include both successes and failures. While some of the tester’s techniques might have failed during your engagement, you might find that something gets changed on your network without you knowing and now those techniques are successful. Lastly, having management support behind security improvements is critical. Policy controls that executives need to address should be provided in the report.

What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?

The hacker mind-set and creativity are the most important nontechnical character traits for a red teamer. Frequently on red team engagements they will be faced with challenges they have never seen before. Having the hacker mind-set means they will not stop when they face the unknown, but instead they will question everything and find unique and new ways to face a problem. When facing highly secured environments that utilize defense-in-depth strategies along with quality alerting and response, creativity on the red team is a must.

“Having the hacker mind-set means they will not stop when they face the unknown, but instead they will question everything and find unique and new ways to face a problem.”

What differentiates good red teamers from the pack as far as approaching a problem differently?

Most of the really good red teamers I have met specialize in some area heavily. This enables them to develop a deep understanding of a certain technology or software. Becoming a master of infrastructure setup, coding, device hacking, lock picking, or any other area will help you develop a niche skill that is useful on red team engagements. Having the ability to approach unique problems with a creative mind-set can make the difference between a successful red teamer and one who fails. ■

