2. $ whoami
Matt Howard
- Hacker turned professional sell out
- 20+ years of experience breaking into things with varying degrees of success
- ~10 years of experience doing so professionally
- Spent some time helping improve security products
- Currently: red team operator and R&D
X: @pasv0x7f matt[at sign]shell.fishing
3. What’s a red team?
- Test detection and response capabilities, not just controls
- Objective-based; the objective is never something generic like “finding vulnerabilities”
- Depth vs Breadth: Red teaming vs Pentesting
- 2-4 months
- Typically blackbox
- no info given or access provided*
- very limited number of staff aware of the ongoing mission
4. What’s a good objective?
- The “million/billion dollar problem” (scoping):
- What IT related function is most important to the company’s business?
- What’s valuable to their most likely adversaries? (threat modeling)
- How can we arm infosec department to get shit done?
- Many orgs already know their problems, but can’t prove it outright
- Red team can kick that door in and prove those fears are founded in reality
- What’s the biggest unknown unknown?
- Org thinks it’s mature and can no longer see its most gaping holes; pentests have diminishing returns
6. Examples of objectives:
- Ransomware (#1 today unfortunately, and tbh the most boring)
- Access to install and deploy
- Compromise backups
- Partially demonstrated
- Intellectual Property theft
- Millions of dollars of inhouse R&D? Sure, thanks
- Operational control
- A personal favorite :)
- Prove and demonstrate the ability to affect large scale systems
- Examples:
- Arbitrary SIM swapping without social engineering
- Affect routing for an ISP
- Money movement
7. How it starts: OSINT
- LinkedIn stalking
- Job posts
- Company news
- Googling (tons)
- SEC filings (M&A, subsidiaries, legal entities and brands)
- Public court documents
- Github
- DNS (registrations, passive records, guessing, cert transparency)
- 3rd party SaaS providers (Microsoft, Google, Slack, Atlassian, JAMF, etc)
- More social media stalking (leading up to the phish)
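The DNS and certificate-transparency bullets above are also where a defender should start: the same public data lets you inventory what your own org exposes before anyone else reads it. The example below is added here and is not code from the talk; it parses a constructed set of CT-log entries in the shape of crt.sh's JSON output (field names are an assumption), builds a host inventory for one apex domain, and diffs it against a hypothetical asset list to surface forgotten hosts such as an old VPN endpoint.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output (an assumption about
# the field names, not data from the talk). Domain is the reserved example.com.
SAMPLE_CT_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\ndev.example.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
    {"id": 103, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA 1",
     "common_name": "legacy-vpn.example.com",
     "name_value": "legacy-vpn.example.com",
     "not_before": "2019-06-15T00:00:00", "not_after": "2020-06-14T23:59:59"},
    {"id": 104, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "jira.example.com",
     "name_value": "jira.example.com\nJIRA.example.com",
     "not_before": "2024-03-03T00:00:00", "not_after": "2024-06-01T23:59:59"},
])

# Hypothetical asset inventory: what the org believes is exposed.
KNOWN_ASSETS = {"example.com", "www.example.com", "dev.example.com", "jira.example.com"}


def names_from_ct(ct_json: str, apex: str) -> dict:
    """Parse CT entries into a host inventory for one apex domain.

    Returns {"hosts": set, "wildcards": set, "first_seen": {host: date}}.
    Names are lower-cased and de-duplicated; wildcard names are kept apart
    because they cannot be enumerated, only noted.
    """
    hosts, wildcards, first_seen = set(), set(), {}
    for entry in json.loads(ct_json):
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not (name == apex or name.endswith("." + apex)):
                continue  # CT queries can return unrelated names; keep to our apex
            if name.startswith("*."):
                wildcards.add(name)
                continue
            hosts.add(name)
            issued = entry["not_before"][:10]
            if name not in first_seen or issued < first_seen[name]:
                first_seen[name] = issued
    return {"hosts": hosts, "wildcards": wildcards, "first_seen": first_seen}


def unknown_hosts(inventory: dict, known: set) -> set:
    """Hosts that appear in CT but not in the asset inventory."""
    return inventory["hosts"] - known


if __name__ == "__main__":
    inv = names_from_ct(SAMPLE_CT_JSON, "example.com")
    for host in sorted(unknown_hosts(inv, KNOWN_ASSETS)):
        print(f"not in inventory: {host} (first cert {inv['first_seen'][host]})")
```

Running the inventory on a schedule and alerting on new unknown names turns a reconnaissance source into a change-detection feed for the exposed surface.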
8. How we get in (Initial Access)
In order of frequency:
- Phishing
- Smishing
- External DMZ/Employee remote access solutions
- Vishing
- Physical access
- Chats
Because time is $$$ and IA is getting more time consuming:
- Assumed breach (more prevalent nowadays)
- “Simulated click”
- Procured VPN access
- Procured laptop (sometimes even joining the company as employee/contractor fully)
9. Phishing
- Worst part of the job
- Leverage social engineering:
- Customer to business, B2B, Vendor to business, internal
- Become a really terrible human being, for a short period of time
- Initial access payloads as an art form
- Substantially harder nowadays!
- Force multipliers:
- Leverage insider info from one hack into another
- Attacker in the Mailbox
- 0day exploits (rare and burnable): https://issues.chromium.org/issues/41492103 ;-)
10. Malware development
- Commercial offerings and OSS are used less often as EDRs get wise to them
- In-house red teams *must* develop their own capabilities
- The stronger the R&D, the stronger the team typically
- Maldev stages for red teams:
- stage 0: the method of executing code
- stage 1: minimal viable means of keeping access and loading additional components
- stage 2: Cobalt Strike, et al. - hands-on-keyboard; what you typically use to achieve objectives
11. Defensive Tech I’m Up Against Daily
- Email filters (Proofpoint)
- Sandboxes (Wildfire, Cuckoo)
- EDR (can’t say, because they’re often litigious)
- NGFW (Palo, Cisco) - Outbound and Inbound traffic
- MFA (RSA, Duo)
- PAM (Privilege Access Management)
12. Defensive Tech I’m Bypassing Daily
- Email filters (Proofpoint)
- Create high reputation senders
- Learn phish scoring metrics
- Sandboxes (Wildfire, Cuckoo)
- Create “puzzles” for sandboxes to solve - that they cannot
- Detect their presence in various ways - User input, VM detection, etc
- EDR (can’t say, because they’re often litigious)
- Know where they’re looking, don’t go there - Windows vs Mac/Linux EDR
- Know where baselines are, blend in - What makes a similar signal, how can I use it?
- Attempt to completely bypass by removing their ability to inspect - Unhook, compromise
- NGFW (Palo, Cisco) - Outbound and Inbound traffic inspection
- Blend with traffic - Where do their systems typically connect to, what kind of traffic?
- High reputation domains, categorized with real content. - Thank god for LLM
- MFA (RSA, Duo)*
- Session hijacking at the browser or app level
- MFA device enrollment
- Hack the MFA admin/console itself
13. “Adversarial onboarding”: what we do on the inside
- No port scanning or noisy tool usage
- Automated tools are for pentesters
- Reading, more reading, reading after that
- Weeks of studying existing documentation
- Essentially the same thing a new employee would do to learn the ropes
- Internal ticketing systems
- Internal asset management systems
- Stalking employees across various internal platforms:
- git, wikis, tickets, workstation, AD groups, chats
- “Know your opponent” - find their security stacks and capability levels
14. Lateral movement and privilege escalation
In order of frequency (at least for me):
- Information disclosures, credential theft (see: reading)
- Misconfigurations
- Excessive permissioning
- Exploits
- Misc
Total control (Enterprise/Domain Admin) is rarely wanted or needed
- Highly monitored
- Touch less things, intentionally
- Workstation admin is useful to hunt sysadmins for main objective
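Slide 13's "reading, more reading" and the "information disclosures, credential theft (see: reading)" bullet above describe the same thing from the attacker's side: wikis, tickets and repos full of live credentials. The defender's move is to run the same read before the adversary does. The scanner below is an added example, not code from the talk; it walks a constructed set of internal documents (every credential in it is made up, the AWS pair is Amazon's documented example key), flags credentials embedded in URLs, AWS access key IDs and secret-looking assignments, and uses a per-character entropy threshold so placeholders like `changeme` are not reported. Pattern names, thresholds and the sample paths are all assumptions.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample documents: the kind of text found in wikis, tickets and
# repos. Every credential below is made up (the AWS pair is Amazon's
# documented example key). Paths are hypothetical.
SAMPLE_DOCS = {
    "wiki/Runbook-DB-Failover.md":
        "Connect with: psql postgres://svc_reporting:Summ3rTime!2021@db01.corp.example/prod\n"
        "Then run the failover script as usual.",
    "tickets/INC-4411.txt":
        "User cannot log in to Jenkins. Workaround: use the shared admin token\n"
        "JENKINS_API_TOKEN=11a4d9e0b2c7f83e6a5d4c3b2a1f0e9d until SSO is fixed.",
    "git/deploy.sh":
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "aws s3 sync ./build s3://releases/",
    "wiki/Onboarding.md":
        "Welcome! Ask your manager for access to the asset inventory.\n"
        "Template: DB_PASSWORD=changeme (placeholder, replaced by the deploy job).",
}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    name: str     # account or variable name, "" when there is none
    masked: str   # first 4 characters of the secret, rest hidden


# Credentials embedded in a URL: scheme://user:secret@host
URL_CREDENTIAL = re.compile(r"[a-z][a-z0-9+.\-]*://([^:/\s]+):([^@\s]+)@")
# AWS access key IDs have a fixed, recognisable shape
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# NAME=value or NAME: value where NAME looks like a secret holder
SECRET_ASSIGNMENT = re.compile(
    r"\b([A-Za-z_]*(?:TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|ACCESS_KEY)[A-Za-z_]*)"
    r"\s*[=:]\s*['\"]?([^\s'\"]+)",
    re.IGNORECASE,
)
MIN_SECRET_LEN = 8
MIN_ENTROPY_BITS = 3.0   # per character; placeholders like "changeme" fall below this


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def mask(secret: str) -> str:
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def scan_text(path: str, text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()   # avoid reporting one value under two rules
        for m in URL_CREDENTIAL.finditer(line):
            user, secret = m.group(1), m.group(2)
            seen.add(secret)
            findings.append(Finding(path, line_no, "url-credential", user, mask(secret)))
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            seen.add(m.group(0))
            findings.append(Finding(path, line_no, "aws-access-key-id", "", mask(m.group(0))))
        for m in SECRET_ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if value in seen or len(value) < MIN_SECRET_LEN:
                continue
            if shannon_entropy(value) < MIN_ENTROPY_BITS:
                continue   # low-entropy placeholder, not a live secret
            findings.append(Finding(path, line_no, "secret-assignment", name, mask(value)))
    return findings


def scan_docs(docs: dict) -> list:
    out = []
    for path, text in docs.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_docs(SAMPLE_DOCS):
        print(f"{f.path}:{f.line_no} {f.kind} {f.name} {f.masked}")
```

Findings are masked on output so the report itself does not become another copy of the secret; the fix for each hit is rotation plus removal from the document, not just deletion of the line.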
15. Obtaining the objective
Methods vary widely
- Credential theft
- Sometimes mitigated by MFA, so..
- Session hijacking
- Cookies and tokens are the “single factor” in reality
- Apps can be coerced to share access (ssh)
- Mapping access patterns based off… reading documentation
- “Break glass access” == “backdoor access”
- Find systems that target systems rely on, use those in unexpected ways
Over simplifying:
- Find who has what you want (“I hunt SysAdmins”)
- Find a way to get where they are (workstation, server, git repo, docs/notes storage, etc)
- Follow their access in (if necessary)
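Slide 12's "session hijacking at the browser or app level" and the bullet above that cookies and tokens are the real single factor point at one detection: a session that keeps working after its client fingerprint changes. The example below is added here and is not code from the talk; it parses a constructed application access log (hypothetical line format), reconstructs each session from its first request, and alerts when a later request on the same session id arrives with a different user agent or moves from an assumed internal address range to an external one, while leaving an ordinary DHCP address change alone.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed application access log (hypothetical format: one request per line).
SAMPLE_LOG = """\
2024-05-01T09:00:00Z user=alice sid=8f3c1d2e ip=10.20.4.15 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124.0" GET /dashboard 200
2024-05-01T09:01:10Z user=alice sid=8f3c1d2e ip=10.20.4.15 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124.0" GET /reports 200
2024-05-01T09:03:42Z user=alice sid=8f3c1d2e ip=203.0.113.77 ua="python-requests/2.31" GET /admin/users 200
2024-05-01T09:03:50Z user=alice sid=8f3c1d2e ip=203.0.113.77 ua="python-requests/2.31" POST /admin/users/export 200
2024-05-01T09:05:00Z user=bob sid=5a7e9b10 ip=10.20.7.3 ua="Mozilla/5.0 (Macintosh) Safari/17.4" GET /dashboard 200
2024-05-01T09:06:30Z user=bob sid=5a7e9b10 ip=10.20.7.3 ua="Mozilla/5.0 (Macintosh) Safari/17.4" GET /tickets/4411 200
2024-05-01T09:07:00Z user=carol sid=c0ffee42 ip=10.20.9.8 ua="Mozilla/5.0 (X11; Linux) Firefox/125.0" GET /dashboard 200
2024-05-01T09:40:00Z user=carol sid=c0ffee42 ip=10.20.9.9 ua="Mozilla/5.0 (X11; Linux) Firefox/125.0" GET /dashboard 200
"""

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) '
    r'ua="(?P<ua>[^"]*)" (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$'
)

# Assumed internal address space for this org (RFC 1918); adjust to your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue   # unparsable lines are skipped, not fatal
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


@dataclass
class Alert:
    sid: str
    user: str
    reasons: list
    baseline: tuple   # (ip, ua) the session was established with
    observed: tuple   # (ip, ua) that triggered the alert
    seconds_since_baseline: float


def detect_session_reuse(events: list) -> list:
    """Flag sessions whose client fingerprint changes after establishment."""
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e)
    alerts = []
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["ts"])
        base = evs[0]   # first request on the session id sets the baseline
        for e in evs[1:]:
            reasons = []
            if e["ua"] != base["ua"]:
                reasons.append("user-agent changed")
            if e["ip"] != base["ip"] and is_internal(base["ip"]) and not is_internal(e["ip"]):
                reasons.append("address moved from internal to external")
            if reasons:
                alerts.append(Alert(sid, e["user"], reasons, (base["ip"], base["ua"]),
                                    (e["ip"], e["ua"]),
                                    (e["ts"] - base["ts"]).total_seconds()))
                break   # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_session_reuse(parse_log(SAMPLE_LOG)):
        print(f"{a.sid} ({a.user}): {', '.join(a.reasons)} after {a.seconds_since_baseline:.0f}s "
              f"{a.baseline} -> {a.observed}")
```

The detection is only a backstop; the mitigation is to make the token worth less, by binding sessions to client attributes server-side, keeping their lifetime short and re-prompting for MFA on the sensitive paths the alert above shows being hit.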
16. Tips for getting into red teaming
- Learn to code in multiple contexts (web, windows, linux, automation, database, common APIs)
- Learn from threat reports, incident responders, expert vendors
- Reverse engineer everything that interests you
- Most tools are “proof of concept” and not typically great for red teaming; they must be modified
- Eventually you will get ideas or features that are not available:
- Bad red team: “I wish this tool could do this or such a tool existed, oh well”
- Good red team: “I think I can make this happen, but need time”
- Best red team: “Our R&D already anticipated this and we have tools or scaffolding to do it with less time”
- Study network engineering/IT
- Study a bit of psychology/social psych. “wetware”