Read the book Tribe of Hackers Red Team - Marcus J. Carey - Page 7
1 Marcus J. Carey
“Today, open source tools dominate the red team space, making it possible for more people to get familiar and practice.”
Twitter: @marcusjcarey • Website: https://www.linkedin.com/in/marcuscarey/
Marcus J. Carey is a cybersecurity community advocate and startup founder with more than 25 years of protecting government and commercial sensitive data. He started his cybersecurity career in U.S. Navy cryptology with further service in the National Security Agency (NSA).
How did you get your start on a red team?
The funny thing about my red team journey is I wasn’t technically a paid red teamer until I got fired from a job and had to make ends meet. I picked up work at an East Coast consultancy doing penetration testing and product development.
I was able to gain red team skills by working at the Defense Cyber Crime Center (DC3). There I did research, taught, and did course development. Amazingly, I had access to all the red team tools that you could imagine, plus every digital forensics tool on the planet. I also had the pleasure of working with a guy named Johnny Long who was quite the hacker and red teamer himself.
I’m extremely lucky to have been in those positions to prepare me for a red team role. Today, open source tools dominate the red team space, making it possible for more people to get familiar and practice.
They say luck is when preparation meets opportunity. It sucks that I was laid off, but it was a blessing to have red team skills to pay the bills.
What is the best way to get a red team job?
It is uncommon for people to start directly into red team jobs. The best way is to have or gain a skill such as internetworking, system administration, or software engineering and start out in a blue team role. Getting into a blue team role will allow you to gain cybersecurity experience and network with people in your dream role.
You can network internally and externally from your organization at local events and regional cybersecurity conferences. There are a couple of certifications tailored to red teaming that can get you noticed by red teams looking to add some human resources.
How can someone gain red team skills without getting in trouble with the law?
I recommend downloading virtual machines and web applications that have vulnerabilities on them when trying to learn at home. There are plenty out there; just be careful and don’t put them on the internet because they will be compromised in short order.
If you don’t have permission from the system owners to test or run tools, you are probably violating some law. If you are trying to get into red teaming, try to exploit only the systems that you own or systems that you have explicit written permission to exploit.
Why can’t we agree on what a red team is?
I think it’s human nature to want to differentiate from each other, especially in a competitive environment like the cybersecurity community. What I have learned is that there are only so many ways to solve problems. Many times we end up with the same solutions to the same problems we see. We end up having different names for the same thing. The old saying “There are no new ideas under the sun” is proven right every time I talk to people trying to solve the same issues.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?
There is a natural conflict between the red team and the blue team caused by a mixture of bad experiences and misunderstandings. I think the toxic bit sometimes comes from people making mistakes like taking down servers or leaving malware on endpoints. The problem is that everyone hears red team horror stories, and there isn’t a lot of data that backs anything up.
When should you introduce a formal red team into an organization’s security program?
I believe that everyone in information technology and software engineering should know how to build, secure, and hack anything they are in charge of. My crazy vision is everyone always threat modeling and red teaming everything they do. You don’t need to have red team as your title to utilize red team skills. I always say, “Hack more. Worry less.”
How do you explain the value of red teaming to a reluctant or nontechnical client or organization?
I believe the best way to do this is to explain that even though the red team has an adversarial role, internal and external red team goals are aligned in the sense that we all want to protect sensitive data and critical systems. To keep the trust over time, red teams should always avoid showing up blue teams and internal stakeholders. You can only do this by working closely as a team. It takes only one bad experience to potentially ruin these relationships.
What is the least bang-for-your-buck security control that you see implemented?
Antivirus.
Have you ever recommended not doing a red team engagement?
I certainly have. I recommend that the organization start with vulnerability management and getting policy and governance into play. I see too many organizations out there getting “penetration tested” for compliance. I put those words in quotes because organizations are typically getting a limited-scope vulnerability scan.
What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?
I’m going to go with restricting administrative privileges for end users. I’ve seen firsthand how this drastically reduces infections on a network. This simple control applies to organizations of any size. Restricting privileges is easy to implement and scale.
Why do you feel it is critical to stay within the rules of engagement?
The only difference between a good person and a bad person is that the good person follows the rules. Violating the rules of engagement breaks the trust between teams. If you violate the rules of engagement, you may be breaking the law as well.
If you were ever busted on a penetration test or other engagement, how did you handle it?
One of the most embarrassing things I ever did related to red teaming is owning a USB thumb drive with a volume name of Marcus Carey. I ended up using the thumb drive in a server, and the forensics software detected the device that had my name on it.
I’ll never make that mistake again. I’m sharing this story so it doesn’t happen to you. Sharing is caring!
What is the biggest ethical quandary you experienced while on an assigned objective?
The biggest ethical quandary is being intentionally deceptive in spear phishing and social engineering. This is primarily because you could cause actual harm to people and their livelihoods on the other side of the phish.
One of my mentors would always ask for a few executives to be in scope in every engagement so management couldn’t blame it on their staff. He wasn’t satisfied until an executive was compromised. Sometimes he’d conceal the identity of the person whom he compromised so they wouldn’t get in trouble.
How does the red team work together to get the job done?
If you are working with a team, communication is the most important element. Split up work and ensure you document everything that you do on an engagement. Trust is important as well, because I’ve seen situations where team members lose faith in their teammates.
I recommend using collaborative tools so everyone can see what their teammates are doing. Transparency always wins. One more thing: don’t be afraid to ask for help; that’s what teammates are for. If your teammate is an expert at a certain thing, simply ask for help.
What is your approach to debriefing and supporting blue teams after an operation is completed?
Professionalism is the key. Since we are all human, feelings can come into play when debriefing to internal and external blue teams. Always let them know you are on the same team as far as the big mission goes. If you do it right, they will have a detailed plan for how to correct any issues you discovered.
The hard part is when you help someone and then come back in the future and find that the same issues exist. Don’t get mad. Try not to get burnt out. Stay professional and try to help. You can lead a horse to water, but you can’t make it drink.
If you were to switch to blue team, what would be your first step to better defend against attacks?
I’m blue team for life, but I occasionally red team. The first step to being able to defend against attacks is putting policy in place and following it. I repeat, follow it.
People don’t implement policies because it feels cumbersome. Security policy should be looked at like a map. You may not be where the policy says you are, but if you don’t have a map, you’ll never reach your destination.
What is some practical advice on writing a good report?
My advice is to not reinvent the wheel—there are plenty of resources out there to describe vulnerabilities, exploitation, and risk scoring. Feel free to grab content from NIST, CVSS, or MITRE ATT&CK and cite them as references. Citing them as references actually boosts the credibility of your findings and report.
Use something like CVSS to help score the vulnerabilities that you find. MITRE ATT&CK is great for discussing exploitation techniques and suggested remediations. If you use those resources, the report will be easier to write for you and easier for the consumer to trust.
How do you ensure your program results are valuable to people who need a full narrative and context?
I think it’s important to use something that tells both sides of the story. I like things like the MITRE ATT&CK framework and the NIST Cybersecurity Framework because they both can be used to measure your actual capabilities and skill sets. It’s possible to be effective at cybersecurity without mastering all the skill sets. Pick three things and be the best at them.
The book From Good to Great talks about how great businesses understand what they are good at. We can apply the same thing to cybersecurity.
How do you recommend security improvements other than pointing out where it’s insufficient?
I always try to find some areas where organizations are doing some things right. So, low-hanging fruits for positive reinforcement are two-factor/two-step authentication, password length, and automatic updates.
Another way to help out as a red teamer is to understand ways to fix issues, whether on a system, on a network, or in code, that build camaraderie. I’ve sat side by side with Unix administrators helping them issue commands to harden systems. This is especially important if you are doing internal corporate red teams. At the end of the day, you are on the same mission.
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?
Empathy is a great skill to have when you are delivering bad news. As a red teamer, you are going to have to give some bad news every once in a while. Put yourself in the other person’s shoes and don’t be a jerk.
What differentiates good red teamers from the pack as far as approaching a problem differently?
I think good red teamers study and know how things work. I mentioned empathy before. A good red teamer can put themselves in the system administrator, network engineer, or software developer mind-set and solve the problems they are facing. A good red teamer is always hungry to improve their skills and help others do so as well. ■