Read the book Tribe of Hackers Red Team - Marcus J. Carey - Page 15
9 Skip Duckwall
“Don’t break the law! It’s that easy.”
Twitter: @passingthehash
Alva “Skip” Duckwall started using Linux before there was a 1.0 kernel and has since moved into the information security arena, doing everything from computer/network auditing to vulnerability assessments and penetration testing. Skip spent three years on the U.S. Army red team, where he got to break into military bases and not get arrested for it. Skip’s current work is as an independent security consultant.
How did you get your start on a red team?
I spent nearly a decade as a Unix system administrator before transitioning into the burgeoning full-time computer security arena. Unix sysadmin work routinely involves modifying an access control list (ACL) somewhere, be it a firewall, a file share, or whatever, so the transition to a security-minded role wasn’t bad. I eventually transitioned into a position with the Defense Information Systems Agency (DISA), where I traveled to worldwide DoD sites and audited the sites versus the Security Technical Implementation Guides (STIGs). Having a deep background in day-to-day operations, along with a deep understanding of how various organizations attempted to keep their data secure in accordance with what are generally considered the top security standards, is what ultimately got me a job with the Army red team.
What is the best way to get a red team job?
A deep understanding of how the sausage gets made on a daily basis and how people involved with the process try to get their work done is key. Spending time as a help desk/sys admin really helps to provide the foundational knowledge about how security operates. If you understand how the processes work, from the human level to the computer level, then you can find ways to subvert them. One of my favorite quotes I think highlights the point I’m trying to make: Ronnie Coleman said, “Everybody wants to be a bodybuilder, but nobody wants to lift no heavy-ass weights.” In other words, you have to put in the time and effort to become proficient in the foundational levels before you can move on to the higher stuff.
How can someone gain red team skills without getting in trouble with the law?
Don’t break the law! It’s that easy. But seriously, who knows better how to subvert the functioning of the human body than a medical professional who has to stabilize or fix it daily? They understand that the wrong mix of chemicals/techniques could harm a human being. You have to understand how stuff is supposed to work and know how the whole Rube Goldberg contraption works front to back before you can routinely affect it in a desired manner. Vulnerability scanning, pentesting, red teaming, and so on all rely on target consent. If your target doesn’t give you formal consent, then it’s illegal, full stop. There are plenty of do-it-yourself labs and stuff online that you can use to break into stuff on your own network.
Why can’t we agree on what a red team is?
This link is from 1987:
It talks about how a team of Navy personnel examined the security of various bases and some of the issues that came up. It also talked about people getting sued because of differing opinions of what the rules of engagement (ROE) were. I bring this up because this particular article is the first one I remember reading about what a red team cell is.
I was a member (as a contractor) of a service red team (Army). We were tasked with acting as a bad guy during military exercises and demonstrating in the most visible way possible how security lapses can affect the overall operations of the good guys. There were some rules in place, but generally we were tasked with a particular objective and not really given too much guidance about how to achieve it. If we were arrested for activities directly related to attaining these goals, we had letters that would (eventually) get us out of jail. As you can imagine, this offers a lot of flexibility about how to solve the problems on the way to completing the objectives. If we were really sponsored by a hostile nation-state, money, manpower, equipment, and time would not really be constrained.
Unfortunately, now the term red team has been somewhat diluted to mean something more than an average pentest. This could mean a normal pentest plus some sort of physical security assessment, for example.
There are generally two camps that argue about what a red team is: the folks who were on a service red team (or similar real-world teams) and everybody else. If you have had a job where you got to break into a military base several times a year and do stuff that, if caught, would get you thrown in jail, you have a different take on it than the rest of the world.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?
A red team isn’t a bunch of folks running rampant like a pack of hungry hyenas on the network causing maximum damage. A good red team is like a ninja—it sneaks in, maybe causes diversions or something, but eventually takes care of the task and disappears.
When should you introduce a formal red team into an organization’s security program?
Ask the following multipart question: “Can you, within a 60-minute window, provide me with all of the following?”
A count of all your computing assets, their locations, and any other relevant information within a 5 percent margin of error
If provided a MAC address of a particular machine, its physical location
A complete list of all internet access points as well as a diagram for each one of what your security stack looks like
The last three days’ worth of log data from (random machine)
A written list of policies, procedures, runbooks, and so on for your SOC
An overall network map, dated within the past three months
Detailed policies, procedures, and results from the most recent security awareness testing
If the answer is no to any of these, then the organization’s benefit from a red team would probably be minimal and they need some other sort of assessment. If they answer yes and can back it up, they might be ready for a red team.
What is the least bang-for-your-buck security control that you see implemented?
Threat intel. IMHO, pure snake oil.
Have you ever recommended not doing a red team engagement?
Frequently. I constantly recommend a full-scope pentest (on-site, remote, phishing, physical, wireless) before jumping to a red team. They have to survive and/or do well in a full-scope test before I’d give the go-ahead for an actual red team.
What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?
Privilege separation. Understanding that the average office worker does not need admin access to their PC.
Why do you feel it is critical to stay within the rules of engagement?
The ROE are your boundary line between staying legal and opening up your liability for criminal and civil damages.
If you were ever busted on a penetration test or other engagement, how did you handle it?
Once on the Army red team, there was a group of us (5 to 10 people) in a conference room where we weren’t supposed to be when a soldier appeared at the door asking if we had the room booked and what we were doing there. I responded with something like “We’re here collecting metrics for the exercise. Ask Chief <deliberately messed up the name a couple of times, to which they corrected the name> about it. She said we’re good.”
The soldier seemed mollified and wandered off. Right after that, we packed up our stuff and walked out the door. While we were heading out to our cars in the parking lot, we were able to look in the window and see the soldier and some other folks wandering back to the conference room looking confused about where we had gone. In the after action, nobody asked us about it, so it must have been forgotten about.
The trick is to put on an air of confidence when challenged, have a story all ready to go, have names of people on staff, and so on, and then be willing to pull the plug if something doesn’t seem right.
What is the biggest ethical quandary you experienced while on an assigned objective?
The toughest part of the gig is when the client decides as a result of your activities that somebody on their side has to be fired/relieved of their duties. I always try to ensure that everything we do is as nonattributional as possible, because often the problem is systemic and doesn’t reflect the mistakes of one particular person. People can be retrained; at least the good ones can. If asked directly whose fault a particular situation is, I will always avoid using people’s names. It might piss off the client, but ultimately I try to explain that it is usually not any particular person’s fault and that it’s a systematic failure that led to our successes. Generally the client is understanding, although sometimes they are not and have made wholesale staff changes as a result of our success.
How does the red team work together to get the job done?
From a teamwork perspective, everybody brings a different focus, different background, and so on. I’ve had many sessions where we spitball ideas about how to accomplish goals based on what we have in front of us, what we know, what we don’t know, and so on. It’s all about different perspectives. Keeping centralized notes in a wiki or something like that, making sure we had a central pile of screenshots, and then writing up individual summaries of actions taken, objectives achieved, and so on all helped with writing the final report.
What is your approach to debriefing and supporting blue teams after an operation is completed?
On the Army red team, we would hold a Q&A with the blue team. The big thing is that we would kick management out of the room. We wanted the techs and hands-on guys to ask us questions without fear of looking bad in front of management. We were honest and forthright with our answers too. We were there to make them better.
If you were to switch to the blue team, what would be your first step to better defend against attacks?
Take away local admin rights from the 95 percent of people who don’t need them. The biggest reason it is in place is usually because there are not enough help-desk/support people to install software, and thus the populace gets to be local admins because they need to install software or do something that facilitates their work efforts.
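The answer above and the earlier one on privilege separation both come down to one control: knowing who actually holds local admin rights and taking them away from everyone who does not need them. The following PowerShell script is an added example, not code from the book or from Skip Duckwall; it audits the local Administrators group on a Windows machine against an approved list and, only when asked, removes the rest. The approved names are constructed placeholders, and the script assumes the built-in Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 or PowerShell 7 on Windows) is available.

```powershell
<#
  Added example (not from the book): audit local Administrators membership
  against an approved list and report, or optionally remove, anything else.
  Assumptions: Microsoft.PowerShell.LocalAccounts module present; run elevated.
  The -Approved defaults are constructed placeholder names, not real groups.
#>
param(
    # Short names (without MACHINE\ or DOMAIN\ prefix) allowed to stay admins. Placeholders.
    [string[]]$Approved = @('Administrator', 'Domain Admins', 'Workstation Admins'),
    # Report only by default; pass -Remediate to actually remove unexpected members.
    [switch]$Remediate
)

# Every principal currently in the local Administrators group (users and groups).
$members = Get-LocalGroupMember -Group 'Administrators'

# Keep only the members whose short name is not on the approved list.
$unexpected = foreach ($m in $members) {
    # Name is returned as MACHINE\user or DOMAIN\group; compare on the trailing part.
    $short = ($m.Name -split '\\')[-1]
    if ($Approved -notcontains $short) { $m }
}

if (-not $unexpected) {
    Write-Output "Administrators group contains only approved principals on $env:COMPUTERNAME."
    return
}

# Emit a table suitable for a report or a SIEM export.
$unexpected |
    Select-Object @{n='Computer'; e={ $env:COMPUTERNAME }},
                  Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

if ($Remediate) {
    foreach ($m in $unexpected) {
        # -Confirm prompts per member so an operator can skip a service account they forgot to list.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -Confirm
    }
} else {
    Write-Output "Report only. Re-run with -Remediate to remove the members listed above."
}
```

Run it without switches first across a sample of workstations to size the problem Skip describes (the 95 percent), then feed the approved list from your actual admin groups before using -Remediate. Because the default mode only reads group membership, it is safe to schedule as a recurring audit, and a non-empty result is itself a useful detection signal that someone has been added to local admins outside the help-desk process.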
What is some practical advice on writing a good report?
Understand that you aren’t getting paid to break into the place; you’re getting paid to write the report about how you broke in and what the client can do about it and what the implications are if an attacker did the same thing.
The report is not about how badass you are; it’s all about the client. Does your report have actionable information that helps the client to remediate issues? Does your report effectively communicate issues to the C levels? Also understand that in many organizations, the management won’t take their employees’ words at face value that something is wrong. They need an external third party to tell them it’s wrong. Understanding the customer’s motivations and then tweaking the report to help further their goals also leads to better report writing and ultimate client satisfaction.
How do you ensure your program results are valuable to people who need a full narrative and context?
Provide extensive documentation about how to fix the issue. Reporting is for the client and not for the tester. Imagine being on the other side and having this report landing on your desk. What information would you want in there to fix the issues?
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?
The ability to effectively communicate your thoughts in a coherent manner, be it out loud or on paper.
What differentiates good red teamers from the pack as far as approaching a problem differently?
The degree of caution displayed. In some environments, one bad packet can kill your access. Good folks will test in a lab/VM environment first before trying it live on the wire. ■