Today we will learn about Getting started in Red Teaming.
In this episode of Infosec’s Cyber Work podcast about cybersecurity, host Chris Sienko talks with Curtis Brazzell, managing security consultant at managed detection and response cybersecurity firm Pondurance. They discuss how Curtis got his start in security, the methodology of Red Team operations and the day-to-day operations of Red Team, and what the future of Red Teaming looks like.
Getting started in Red Teaming
If you’re looking for a solid introductory look at Red Teaming, look no further!
Tell us about the intrusion detection and response platform you’ve been building in your spare time.
Curtis created an intrusion detection and response platform that serves home consumers. It was essentially a remote security operations center (SOC) that offered network threat detection and response as well as malware removal and updating.
How did you get started in computers and security?
Curtis’ passion began in third grade when his elementary school received gifted Macintosh computers. He subsequently pushed it to the limit, causing his father to notice and buy Curtis his first personal computer – a Compaq Presario with Windows 95.
After starting out in web design and learning Visual Basic, he got into security around 1998 with a website called crashme.com. This website exploited a vulnerability in Windows 98 that would cause the system to crash if you visited the website. He reverse-engineered this vulnerability, which opened the floodgates to his security passion.
Can you explain what the Red Team is and how it relates to things like penetration testing?
Red Teaming refers to advanced, targeted cyber attacks as they happen in the real world. It’s like penetration testing, but it goes a step further: you don’t just identify vulnerabilities, you go in blind and carry the attack through. Red teams use stealthier operations and more advanced tactics than pentesting.
A big part of Red Teaming is the physical aspect of Red Team operations, such as going to a location, physically dropping a malicious USB, and more. Another big part of Red Teaming is phishing: 91% of breaches are the result of phishing.
What made you move your career further into Red Teaming?
Continuing into Red Teaming was a natural progression for Curtis, but the honorable mention definitely goes to the thrill of the break-in. Part of the excitement comes from solving problems and thinking quickly in the moment.
Curtis enjoys all aspects of security and saw Red Teaming as an opportunity to take security further and see how far he could push the boundaries. However, it should be noted that Red Teaming is not as “Hollywood” as you might think.
What makes a good red team member?
To be a good member of the red team, you need different skills. Most members of Curtis’ team have a variety of IT backgrounds – former admins, developers, security, and so on. Sometimes the natural progression within a red team is based on your background and the specific skills you have. For the most part, you’ll want to have a wide range of skills if you want to Red Team.
What experience, qualifications, and accomplishments should you strive for to become a desirable red team candidate?
The most important thing is to have a passion for Red Teaming. When Curtis is hiring for his team, he can tell if someone is passionate about security and has a desire to tinker at home. Being proactive in learning new skills is essential and makes a candidate more desirable.
How do Red Teams actually work?
Red Teaming works when the operation is as close to an actual attack as possible. This means simulating real-world attack conditions, such as operating outside business hours, using advanced tactics and employing zero-day techniques, to create an authentic cyber attack experience.
What are some of the common methodologies used by Red Teams?
Curtis says it can go whichever way you want it to, meaning it all depends on the Red Team tester. Some prefer physical entry in particular ways, such as simply following someone into a site or picking a lock. Some like to drop Rubber Duckies (USB attack devices) on site for a physical attack via USB to compromise the domain, and others choose to look for externally exposed VPNs and use phishing to steal credentials.
Another aspect is the fact that every project is really different, which requires a lot of creative thinking and trying different tactics.
What type of companies employ Red Teams (and can they benefit smaller organizations)?
All organizations should be Red Team ready, but for smaller ones it may be overkill. For those new to Red Teaming, start with a vulnerability scan and work your way up from there to eventually Red Team.
How often should a company test its security with the red team?
This depends on the organization, but generally speaking, once or twice a year.
What is “too far” when it comes to Red Team testing?
This is a very important question. It is important that Red Teams have this conversation with the client about the rules of engagement in Red Team operations. Red Teams won’t do anything illegal, but some organizations may be okay with things like lock picking and others may not, so it’s important to set those boundaries up front.
How long does it take to complete a full Red Team assessment?
This depends on the assessment, but generally two to three weeks of testing. Total turnaround varies, since the documentation can take as long as the testing itself.
How do you report your findings to the company so they can fix their security holes?
The report is delivered after testing is complete, unless there is a serious, glaring gap that requires immediate attention. An example of this is if anyone can remotely connect to the network from the public internet. If a gap like this is found, an organization’s IT department can expect the proverbial phone call in the middle of the night about the problem from their red team.
What do you think of Purple Teams?
Purple teams are great! Red teams try to bypass the blue team’s defenses, which lets them try different methods, and Blue Teams can use this experience to improve their own security. It’s definitely a win-win for both teams.
What is the future of Red Teaming?
Red Teaming is a game of cat and mouse, constantly trying to stay on top of new techniques and methods. This will likely never change, meaning that Red Teams will become more important and eventually more common over time.
On this episode of Infosec’s Cyber Work Podcast, Chris Sienko chats with Curtis Brazzell, lifelong IT enthusiast and managing security consultant at Pondurance Cyber Security. They delve into the high-level details of Red Teaming and answer the questions many people have when first learning about it.
Stay tuned for more interesting episodes of Cyber Work. If you’re interested, you can watch Curtis’ interview on the Cyber Work YouTube page.