Embed Size (px)
Citation preview
Cybersecurity Sampler
Featuring excerpts from...
Cybersecurity Essentialsby Charles J. Brooks, Christopher Grow, Philip Craig, and Donald Short
Hacking the Hackerby Roger A. Grimes
Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurityby Marcus J. Carey and Jennifer Jin
Beginner
Cybersecurity Essentialsby Charles J. Brooks, Christopher Grow, Philip Craig, and Donald Short
Chapter 1: Infrastructure Security in the Real World
CHAPTER 1
Infrastructure Security in the Real WorldThe following challenges will provide contextual reference points for the concepts you will learn in Part I. Because you have not yet read the chapters in Part I, the challenges in this chapter are designed to introduce you to the infrastructure security scenarios you’ll face in the real world. In this chapter, you’ll learn to:
▶ Understand the relevance of infrastructure security
▶ Describe the functions, categories, subcategories, and reference structure of the NIST Cybersecurity Framework
▶ Apply the NIST Framework references to specific cybersecurity scenarios
Security ChallengesThe NIST Cybersecurity Framework was developed by the U.S. National Institute of Standards and Technology (NIST) to provide a set of independent guidelines that organizations can use to implement or upgrade their cyber-security programs. Because the framework is a product-independent tool, it provides guidelines that any organization can tailor to meet its own cyberse-curity needs.
The frameworks are divided into five functions (Identify, Protect, Detect, Respond, and Recover) that provide a top-level description of the cyberse-curity development process. Each function is then divided into applicable categories that underpin the stated function. Each category is further divided into subcategories and implementation methodology. Finally, the
4 C h a p t e r 1 • I n f r a s t r u c t u r e S e c u r i t y i n t h e R e a l W o r l d
subcategories are supported by lists of reference documents that contain the nuts and bolt of building the cybersecurity program.
This chapter will kickstart your thought processes for what you are about to learn in Part I. It contains two specific cybersecurity scenarios to which you will be asked to apply the NIST Framework in order to produce a cybersecurity solution that meets the desired objectives. In each case, you will be provided with specific subcategories to research, along with some guidance to help you produce your solutions.
In this first pass through the scenarios, you are expected to generate and record general observations about securing the infrastructure described, as you have not yet been introduced to the supporting material. As mentioned earlier, this is activity is designed to get your cybersecurity thought processes started.
In Chapter 5, you will return to these scenarios and use what you have learned in Chapters 2, 3, and 4 to revise your initial assessments. You will also compare your observations to those of professional security specialists who have provided their observations and solutions for these scenarios.
Infrastructure Security Scenario 1You are in charge of planning and implementing a security system for a new electrical substation that will be built next to a new housing development. The substation is equipped with high-voltage electrical switching gear for the sur-rounding community. It is not manned on a full-time basis but does have a con-trol building that houses instrumentation and communication equipment, as shown in Figure 1.1.
F I G U R E 1 . 1 The Electrical Substation
The high-voltage switch gear accepts electrical power from different sources, which it then conditions and routes to the community users as needed.
S e c u r i t y C h a l l e n g e s 5
The energy arrives on a set of different high-voltage supply lines and leaves the facility via different sets of distribution lines.
The monitoring devices and control systems in the substation communicate with different parts of the utility’s transmission and distribution system to route electrical power where and when it is needed. These communication channels include wireless radio signals, signals transmitted across the power lines, and traditional network communications media.
Risk Assessment 1
From the information provided in this first scenario, consider the National Institute of Standards and Technology (NIST) functions detailed in this section and then record your observations as they relate to each category.
See Appendix C for the NIST Cyber Security Framework
A copy of the NIST Cyber Security Framework is available in Appendix C. These frameworks were developed by the U.S. National Institute of Standards and Technology to provide cybersecurity guidelines for Improving Critical Infrastructure Cybersecurity under executive order 13636. The ultimate goal of this initiative is to provide guidelines for the nation’s critical infrastructure in business, industry, and utility organizations to reduce their cybersecurity risks.
Identify
Create an inventory of physical assets (devices and systems) within the substa-tion (NIST ID.AM-1).
Understanding NIST References
NIST references include the function, the category, and the subcategory. In the example of ID.AM-1 mentioned earlier, the function is Identify (ID); the category is Asset Management (AM); and the subcategory is 1 (which is “physical devices and systems within the organization are inventoried”). To implement this portion of the Framework for the scenario presented, you may want to refer to an online copy of the designated Reference documents listed under this subcategory. The same is true of the following subcategories as well.
6 C h a p t e r 1 • I n f r a s t r u c t u r e S e c u r i t y i n t h e R e a l W o r l d
Protect
Describe in general how you might go about protecting the physical assets iden-tified in the previous point (NIST PR.AC-2).
Detect
How would you know if someone or something was attempting to access, dis-able, degrade, or destroy one or more of the devices and/or systems in the substation? How could you detect anomalies and events that might impact the operation of the substation (NIST DE.CM-2, 8)?
Respond
How would you need to respond to the anomalies and events you’ve identified through the devices, systems, and steps you would implement in the previous point (NIST RS.AN-1, 2, 3)?
Recover
Which steps could be put in place to recover from actions intended to access, disable, degrade, or destroy the assets you previously identified (NIST RC.RP-1)?
Infrastructure Security Scenario 2Your company is building a new corporate facility, as shown in Figure 1.2, to house its 5,000 headquarters employees. The facility will feature multiple floors. Some management personnel will use traditional offices with doors and win-dows, but the majority of the employees will work in open cubicles.
Each office and cubicle will be equipped with a telephone and network con-nection. In addition, many of the employees travel as part of their job roles and require portable computers. Other employees work with desktop personal computers.
The facility will house a cluster of computer servers and network devices that provide workflow and communications between all of the managers and employees. This architecture electronically manipulates, stores, and transmits all of the company’s important business information and data. This includes product descriptions, accounting information, legal records, customer records, employee records, and the company’s intellectual property.
S e c u r i t y C h a l l e n g e s 7
F I G U R E 1 . 2 Headquarters Facility Plans
Risk Assessment 2
From the information provided in the second scenario, consider the NIST func-tions detailed in this section and then write your observations as they relate to each category.
Identify
Create an inventory of physical assets (devices and systems) within the organiza-tion (NIST ID.AM-1).
Create an inventory of cyber assets (software platforms and applications) within the organization (NIST ID.AM-2).
Prioritize the organization’s assets based on their criticality or value to the business functions of the organization (NIST ID.BE-3).
8 C h a p t e r 1 • I n f r a s t r u c t u r e S e c u r i t y i n t h e R e a l W o r l d
Identify any assets that produce dependencies or provide critical functions for any of the organization’s critical services (NIST ID.BE-4).
Create a risk assessment of asset vulnerabilities identified (NIST ID.RA-1, 3).
Protect
Create a policy for managing access to authorized devices and resources based on the following items (NIST PR.AC-1).
Create a method for controlling physical access to secured assets (NIST PR.AC-2).
Create an action plan for informing and training general employees (NIST PR.AT-1).
Create a plan for helping privileged users understand their job roles and responsibilities (NIST PR.AT-2).
Detect
Which types of systems must be in place to identify occurrences of physical security breaches (NIST DE.CM-2)?
Which types of systems must be in place to monitor personnel activity to detect potential cybersecurity threats (NIST DE.CM-3)?
Respond
Which type of response plan might be necessary when general physical security is breached at the facility (NIST RS.AN-1, 2, 3)?
Considering the information kept on the company’s servers, which type of response plan might be necessary when physical security is breached in the server room (NIST RS.CO-4, 5)?
Recover
Which type of recovery plan might be needed for general physical security breaches that occur at one of the cubicles in the facility (NIST RC.RP-1)?
Which items might a recovery plan include if server security is breached at the facility (NIST RC.CO-1, 2)?
SummaryRecord your observations for the risk assessments presented in this chapter. In Chapter 5, you will compare these original thoughts and observations with those you will generate after reading Chapters 2, 3, and 4. You’ll also be able to com-pare your answers to those of professional security specialists.
Intermediate
Hacking the Hackerby Roger A. Grimes
Chapter 1: What Type of Hacker Are You?
Chapter 2: How Hackers Hack
1 What Type of Hacker Are You?
Many years ago, I moved into a house that had a wonderful attached garage. It was perfect for parking and protecting my boat and small
RV. It was solidly constructed, without a single knot in any of the lumber. The electrical work was professional and the windows were high-quality and rated for 150 mph winds. Much of the inside was lined with aromatic red cedar wood, the kind that a carpenter would use to line a clothing chest or closet to make it smell good. Even though I can’t hammer a nail straight, it was easy for me to see that the constructor knew what he was doing, cared about quality, and sweated the details.
A few weeks after I moved in, a city official came by and told me that the garage had been illegally constructed many years ago without a permit and I was going to have to tear it down or face stiff fines for each day of non-compliance. I called up the city to get a variance since it had been in existence for many years and was sold to me as part of my housing purchase. No dice. It had to be torn down immediately. A single day of fines was more than I could quickly make selling any of the scrap components if I took it down neatly. Financially speaking, the sooner I tore it down and had it hauled away, the better.
I got out a maul sledge hammer (essentially a thick iron ax built for demoli-tion work) and in a matter of a few hours had destroyed the whole structure into a heap of wood and other construction debris. It wasn’t lost on me in the moment that what had taken a quality craftsman probably weeks, if not months, to build, I had destroyed using my unskilled hands in far less time.
Contrary to popular belief, malicious hacking is more maul slinger than craftsman.
If you are lucky enough to consider a career as a computer hacker, you’ll have to decide if you’re going to aspire to safeguarding the common good or settle for pettier goals. Do you want to be a mischievous, criminal hacker or
Hacking the Hacker2
a righteous, powerful defender? This book is proof that the best and most intelligent hackers work for the good side. They get to exercise their minds, grow intellectually, and not have to worry about being arrested. They get to work on the forefront of computer security, gain the admiration of their peers, further human advancement in the name of all that is good, and get well paid for it. This book is about the sometimes unsung heroes who make our incred-ible digital lives possible.
NOTE Although the terms “hacker” or “hacking” can refer to someone or an activity with either good or bad intentions, the popular use is almost always with a negative connotation. I realize that hackers can be good or bad, but I may use the terms without further qualification in this book to imply either a negative or a positive connotation just to save space. Use the whole meaning of my sentences to judge the intent of the terms.
Most Hackers Aren’t GeniusesUnfortunately, nearly everyone who writes about criminal computer hackers without actual experience romanticizes them all as these uber-smart, god-like, mythical figures. They can guess any password in under a minute (especially if under threat of a gun, if you believe Hollywood), break into any system, and crack any encryption secret. They work mostly at night and drink copious amounts of energy drinks while littering their workspaces with remnants of potato chips and cupcakes. A school kid uses the teacher’s stolen password to change some grades, and the media is fawning on him like he’s the next Bill Gates or Mark Zuckerberg.
Hackers don’t have to be brilliant. I’m living proof of that. Even though I’ve broken into every single place where I’ve ever been hired to do so, I’ve never completely understood quantum physics or Einstein’s Theory of Relativity. I failed high school English twice, I never got higher than a C in math, and my grade point average of my first semester of college was 0.62. That was composed of five Fs and one A. The lone A was in a water safety class because I had already been an oceanfront lifeguard for five years. My bad grades were not only because I wasn’t trying. I just wasn’t that smart and I wasn’t trying. I later learned that studying and working hard is often more valuable than
What Type of Hacker Are You? 3
being born innately intelligent. I ended up finishing my university degree and excelling in the computer security world.
Still, even when writers aren’t calling bad-guy hackers super-smart, readers often assume they are because they appear to be practicing some advanced black magic that the rest of the world does not know. In the collective psyche of the world, it’s as if “malicious hacker” and “super intelligence” have to go together. It’s simply not true. A few are smart, most are average, and some aren’t very bright at all, just like the rest of the world. Hackers simply know some facts and processes that other people don’t, just like a carpenter, plumber, or electrician.
Defenders Are Hackers PlusIf we do an intellectual comparison alone, the defenders on average are smarter than the attackers. A defender has to know everything a malicious hacker does plus how to stop the attack. And that defense won’t work unless it has almost no end-user involvement, works silently behind the scenes, and works perfectly (or almost perfectly) all the time. Show me a malicious hacker with a particular technique, and I’ll show you more defenders that are smarter and better. It’s just that the attacker usually gets more press. This book is an argu-ment for equal time.
Hackers Are SpecialEven though I don’t classify all hackers as super-smart, good, or bad, they all share a few common traits. One trait they have in common is a broad intel-lectual curiosity and willingness to try things outside the given interface or boundary. They aren’t afraid to make their own way. Computer hackers are usually life hackers, hacking all sorts of things beyond computers. They are the type of people that when confronted with airport security are silently con-templating how they could sneak a weapon past the detectors even if they have no intention of actually doing so. They are figuring out whether the expensive printed concert tickets could be easily forged, even if they have no intention of attending for free. When they buy a television, they are wondering if they can access its operating system to gain some advantage. Show me a hacker, and I’ll show you someone that is questioning status quo and exploring at all times.
Hacking the Hacker4
NOTE At one point, my own hypothetical scheme for getting weapons past airport security involved using look-alike wheelchairs with weapons or explosives hidden inside the metal parts. The wheelchairs are often pushed past airport security without undergoing strong scrutiny.
Hackers Are PersistentAfter curiosity, a hacker’s most useful trait is persistence. Every hacker, good or bad, knows the agony of long hours trying and trying again to get some-thing to work. Malicious hackers look for defensive weaknesses. One mistake by the defender essentially renders the whole defense worthless. A defender must be perfect. Every computer and software program must be patched, every configuration appropriately secure, and every end-user perfectly trained. Or at least that is the goal. The defender knows that applied defenses may not always work or be applied as instructed, so they create “defense-in-depth” layers. Both malicious hackers and defenders are looking for weaknesses, just from opposite sides of the system. Both sides are participating in an ongoing war with many battles, wins, and losses. The most persistent side will win the war.
Hacker HatsI’ve been a hacker my whole life. I’ve gotten paid to break into places (which I had the legal authority to do). I’ve cracked passwords, broken into networks, and written malware. Never once did I break the law or cross an ethical bound-ary. This is not to say that I haven’t had people try to tempt me to do so. Over the years, I’ve had friends who asked me to break into their suspected cheat-ing spouse’s cellphone, bosses who asked me to retrieve their boss’s email, or people who asked to break into an evil hacker’s server (without a warrant) to try to stop them from committing further hacking. Early on you have to decide who you are and what your ethics are. I decided that I would be a good hacker (a “whitehat” hacker), and whitehat hackers don’t do illegal or unethical things.
Hackers who readily participate in illegal and unethical activities are called “blackhats.” Hackers who make a living as a whitehat but secretly dabble in blackhat activities are known as “grayhats.” My moral code is binary on this issue. Grayhats are blackhats. You either do illegal stuff or you don’t. Rob a bank and I’ll call you a bank robber no matter what you do with the money.
What Type of Hacker Are You? 5
This is not to say that blackhats can’t become whitehats. That happens all the time. The question for some of them is whether they will become a whitehat before having to spend a substantial amount of time in prison. Kevin Mitnick (https://en.wikipedia.org/wiki/Kevin_Mitnick), one of the most celebrated arrested hackers in history (and profiled in Chapter 5), has now lived a long life as a defender helping the common good. Robert T. Morris, the first guy to write and release a computer worm that took down the Internet (https://en.wikipedia.org/wiki/Morris_worm), eventually became an Association for Computing Machinery Fellow (http://awards.acm.org/award_winners /morris_4169967.cfm) “for contributions to computer networking, distributed systems, and operating systems.”
Early on the boundary between legal and illegal hacking wasn’t as clearly drawn as it is today. In fact, most early illegal hackers were given superhero cult status. Even I can’t help but be personally drawn to some of them. John Draper (a.k.a. “Captain Crunch”) used a toy whistle from a box of Cap’n Crunch cereal to generate a tone (2600 Hz) that could be used to steal free long-distance phone service. Many hackers who released private information for “the public good” have often been celebrated. But with a few exceptions, I’ve never taken the overly idealized view of malicious hackers. I’ve had a pretty clear vision that people doing unauthorized things to other people’s computers and data are committing criminal acts.
Years ago, when I was first getting interested in computers, I read a book called Hackers: Heroes of the Computer Revolution by Steven Levy. In the dawn-ing age of personal computers, Levy wrote an entertaining tale of hackers, good and mischievous, embodying the hacker ethos. Most of the book is dedicated to people who improved the world through the use of computers, but it also covered the type of hackers that would be arrested for their activities today. Some of these hackers believed the ends justified the means and followed a loose set of morals embodied by something Levy called “hacker ethics.” Chief among these beliefs were the philosophies that any computer could be accessed for any legitimate reason, that all information should be free, and to distrust authority. It was a romanticized view of hacking and hackers, although it didn’t hide the questionable ethical and legal issues. In fact, it centered around the newly pushed boundaries.
Steven Levy was the first author I ever sent a copy of his own book to and asked him to autograph my copy and send it back (something others have done to me a few times now that I’m the author of eight previous books). Levy has gone on to write or become the technical editor for several major
Hacking the Hacker6
magazines, including Newsweek, Wired, and Rolling Stone, and he has written six other books on computer security issues. Levy continues to be a relevant tech-nology writer to this day. His book, Hackers, introduced me to the wonderful world of hacking in general.
Later on, other books, like Ross Greenberg’s Flu-Shot (long out of print) and John McAfee’s Computer Viruses, Worms, Data Diddlers, Killer Programs, and Other Threats to Your System (https://www.amazon.com/Computer-viruses-diddlers-programs-threats/dp/031202889X) introduced me to fighting mali-cious hackers. I read these books and got excited enough to make a lifelong career out of combating the same threats.
Along the way, I’ve learned that the defenders are the smartest hackers. I don’t want to paint all malicious hackers with the same brush of mediocrity. Each year, a few rogue hackers discover something new. There are a few very smart hackers. But the vast majority of malevolent hackers are fairly average and are just repeating something that has worked for twenty years. To be blunt, the average malicious hacker doesn’t have enough programming talent to write a simple notepad application, much less discover on their own how to break into some place, crack encryption, or directly successfully guess at passwords—not without a lot of help from other hackers who previously did the real brain work years before.
The irony is that the uber-smart people I know about in the computer world aren’t the malicious hackers, but the defenders. They have to know everything the hacker does, guess at what they might do in the future, and build a user-friendly, low-effort defense against it all. The defender world is full of PhDs, master’s degree students, and successful entrepreneurs. Hackers rarely impress me. Defenders do all the time.
It is common for defenders to discover a new way of hacking something, only to remain publicly silent. It’s the job of defenders to defend, and giving malicious hackers new ways to hack something before the defenses are in place won’t make anyone else’s life easier. It’s a way of life for defenders to figure out a new hack and to help with closing the hole before it gets discovered by the outside world. That happens many more times than the other way around (such as the outside hacker discovering a new hole).
I’ve even seen defenders figure out a new hack, but for cost efficiency or tim-ing reasons, the hole didn’t get immediately fixed, and later on, some outside hacker gets credit as the “discoverer.” Unfortunately, defenders don’t always get immediate glory and gratification when they are doing their day jobs.
What Type of Hacker Are You? 7
After watching both malicious hackers and defenders for nearly three decades, it’s clear to me that the defenders are the more impressive of the two. It’s not even close. If you want to show everyone how good you are with computers, don’t show them a new hack. Show them a new, better defense. It doesn’t require intelligence to find a new way of hacking. It mostly just takes persistence. But it does take a special and smart person to build something that can withstand constant hacking over a long period of time.
If you want to impress the world, don’t tear down the garage. Instead, build code that can withstand the hacker’s mauling axe.
2 How Hackers Hack
The most enjoyable career activity I do is penetration testing (also known as pen testing). Pen testing is hacking in its truest sense. It’s a human
against a machine in a battle of wits. The human “attacker” can use their own ingenuity and new or existing tools as they probe for weaknesses, whether they be machine- or human-based. In all my years of pen testing, even though I am usually given weeks to conduct a test, I have successfully hacked my target the majority of the time in around one hour. The longest it has ever taken me is three hours. That includes every bank, government site, hospital, and corporate site that has ever hired me to do so.
I’m not even all that good as a pen tester. On a scale 1 to 10, with 10 being the best, I’m about a 6 or a 7. On the defender side, I feel like I’m the best person in the world. But as an attacker, I’m very average. I’ve been surrounded by awe-some pen testers—men and women who think nothing of writing their own testing tools or who don’t consider their testing a success unless they did not generate a single event in a log file that could have caused an alert. But even the people I consider to be 10s usually think of themselves as average and admire other pen testers that they think are tens. How good must those hackers be?
But you don’t have to be extremely good to be a very successful hacker. You don’t even have to actually break in for the customer that hired you (I’m assuming you’re being paid for a lawful assignment to pen test) to be happy with your work. In fact, the customer would absolutely be thrilled if you were not successful. They could brag that they hired some hackers and their network withstood the attack. It’s a win-win for everyone involved. You get paid the same and they get to brag that they are impenetrable. It’s the only job I know where you cannot have a bad outcome. Unfortunately, I know of no pen tester who has ever not successfully broken into all of their targets. I’m sure there must be hackers who fail, but the vast majority of pen testers “capture their prize.”
Hacking the Hacker10
NOTE If your pen testing doesn’t find any weaknesses and soon afterward your client is compromised by real attackers, you aren’t going to look good. If this happens several times, word will get around and you’ll probably be looking for a new career. The weaknesses are there. Find them.
Usually pen testers will do something extra to impress their target’s senior managers, such as taking a clandestine picture of the CEO at his desk using his own computer’s camera or embedding the domain administrator’s password in the picture of a pirate flag that shows up on the security administrator’s screensaver. A picture is worth a thousand words. Never underestimate how much one goofy picture can increase your customer’s satisfaction with your job. They’ll be talking about the picture (and bragging about you) years after you’ve finished the job. If you can, always finish with a flourish. I’m giving you “consultant gold” with this recommendation.
The Secret to HackingIf there is a secret to how hackers hack, it’s that there is no secret to how they hack. It’s a process of learning the right methods and using the right tools for the job, just like an electrician, plumber, or builder does. There isn’t even one way to do it. There is, however, a definitive set of steps that describe the larger, encompassing process, and that includes all the steps that a hacker could possibly have to perform. Not all hackers use all the steps. Some hackers only use one step. But in general, if you follow all the steps, you’re likely to be very successful at hacking. You can skip one or more of the steps and still be a successful hacker. Malware and other hacking tools often allow hackers to skip steps, but at least one of the steps, initial penetration foothold, is always required.
Regardless of whether you’re going to make a career out of being a (legal) hacker, if you’re going to fight malicious hackers, you have to understand the “hacking methodology” or whatever it is being called by the person or document describing it. The models can vary, including the number of steps involved, the names of the steps, and the specific details of each step, but they all contain the same basic components.
How Hackers Hack 11
The Hacking MethodologyThe hacking methodology contains the following progressive steps: 1. Information Gathering 2. Penetration 3. Optional: Guaranteeing Future Easier Access 4. Internal Reconnaissance 5. Optional: Movement 6. Intended Action Execution 7. Optional: Covering Tracks
Information GatheringUnless a hacker tool is helping the hacker to randomly access any possible vulnerable site, the hacker usually has a destination target in mind. If a hacker wants to penetrate a specific company, the first thing the hacker does is start researching everything they can about the company that might possibly help them break in. At the very least, this means accessible IP addresses, email addresses, and domain names. The hacker finds out how many potential sites and services they can access that are connected to the company. They use the news media and public financial reports to find out who the senior execu-tives are or to find other employee names for social engineering. The hacker looks up news stories to see what big software the target has bought recently, what mergers or divestitures are happening (these are always messy affairs often accompanied by relaxed or missed security), and even what partners they interact with. Many companies have been compromised through a much weaker partner.
Finding out what digital assets a company is connected to is the most important part of information gathering in most hacker attacks. Not only are the main (public) sites and services usually identified, but it’s usually more helpful to the attacker to find the less popular connected sites and services, like employee and partner portals. The less popular sites and servers are more likely to have a weakness compared to the main sites that everyone has already beat on for years.
Then any good hacker starts to gather all the software and services hosted on each of those sites, a process generally known as fingerprinting. It’s very
Hacking the Hacker12
important to learn what operating systems (OS) are used and what versions. OS versions can tell a hacker what patch levels and which bugs may or may not be present. For example, they might find Windows Server 2012 R2 and Linux Centos 7.3-1611. Then they look for software programs and versions of those software versions (for the same reason) running on each OS. If it’s a web server, they might find Internet Information Server 8.5 on the Windows server and Apache 2.4.25 on the Linux server. They do an inventory of each device, OS, application, and version running on each of their intended targets. It’s always best to do a complete inventory to get an inclusive picture of the target’s landscape, but other times a hacker may find a big vulnerability early on and just jump into the next step. Outside of such a quick exploit, usually the more information the hacker has about what is running, the better. Each additional software and version provides additional possible attack vectors.
NOTE Some hackers call the general, non-technical, information gathering footprinting and the OS and software mapping fingerprinting.
Sometimes when a hacker connects to the service or site it helpfully responds with very detailed version information so you don’t need any tools. When that isn’t the case, there are plenty of tools to help with OS and applica-tion fingerprinting. By far the number one used hacker fingerprinting tool is Nmap (https://nmap.org/). Nmap has been around since 1997. It comes in several versions including Windows and Linux and is a hacker’s Swiss Army knife tool. It can perform all sorts of host scanning and testing, and it is a very good OS fingerprinter and an okay application fingerprinter. There are better application fingerprinters, especially when they are focused on a particular type of application fingerprinting, such as web servers, databases, or email servers. For example, Nikto2 (https://cirt.net/Nikto2) not only fingerprints web servers better than Nmap, but also performs thousands of penetration tests and lets you know which vulnerabilities are present.
PenetrationThis is the step that puts the “hack” in “hacker”—gaining initial foothold access. The success of this step makes or breaks the entire cycle. If the hacker has done their homework in the fingerprinting stage, then this stage really isn’t all that hard. In fact, I’ve never not accomplished this stage. There is always old software being used, always something left unpatched, and almost always something misconfigured in the collection of identified software.
How Hackers Hack 13
NOTE One of my favorite tricks is attacking the very software and devices that the defenders use to defend their networks. Often these devices are appliances, which is simply another word for running a computer with harder-to-update software. Appliances are notorious for being years out of patch compliance.
If by chance all the software and devices are perfectly secured (and they never are), then you can attack the human element, which is always the weak-est part of the equation. But without the initial penetrating foothold, all is lost for the hacker. Fortunately for the hacker, there are lots of ways to penetrate a target. Here are the different techniques a hacker can use to break into a target:
■■ Zero-days■■ Unpatched software■■ Malware■■ Social engineering■■ Password issues■■ Eavesdropping/MitM■■ Data leaks■■ Misconfiguration■■ Denial of service■■ Insider/partner/consultant/vendor/third party■■ User error■■ Physical access■■ Privilege escalation
Zero-days Zero-day (or 0-day) exploits are rarer than every-day vulner-abilities, which vendors have usually long ago patched. A zero-day exploit is one for which the targeted software is not yet patched against and the public (and usually the vendor) isn’t aware of. Any computer system using software with a zero-day bug is essentially exploitable at-will, unless the potential victim uninstalls the software or has put in place some sort of other mitiga-tion (for example a firewall, an ACL list, VLAN segmentation, anti-buffer overflow software, and so on).
Zero-days are not as common as known exploits because they can’t be widely used by an attacker. If an attacker overused a zero-day, the coveted exploit hole would be discovered and patched by vendors and placed in anti-malware
Hacking the Hacker14
signatures. These days most vendors can patch new exploits within a few hours to a few days after discovery. When zero-days are used, they are either used very broadly against many targets all at once for maximum exploitation pos-sibility or used “low and slow,” which means sparingly, rarely, and only used when needed. The world’s best professional hackers usually have collections of zero-days that they use only when all else has failed and even then in such a way that they won’t be especially noticed. A zero-day might be used to gain an initial foothold in an especially resistant target, and then all traces of it will be removed and more traditional methods used from that point onward.
Unpatched Software Unpatched software is always among the top rea-sons why a computer or device is exploited. Each year there are thousands (usually between 5000 and 6000, or 15 per day) of new publicly announced vulnerabilities among all popularly used software. (Check out the stats reported in each issue of Microsoft’s Security Intelligence Report, http://microsoft.com /sir.) Vendors have generally gotten better at writing more secure code and finding their own bugs, but there are an ever-increasing number of programs and billions of lines of code, so the overall number of bugs has stayed relatively stable over the last two decades.
Most vendors do a fairly good job of patching their software in a timely man-ner, especially after a vulnerability becomes publicly known. Unfortunately, customers are notoriously slow in applying those patches, even often going so far as disabling the vendor’s own auto-patching routines. Some moderate percentage of users never patch their system. The user either ignores the multiple patch warnings and sees them as purely annoying or is completely unaware that a patch needs to be applied. (For example, many point-of-sale systems don’t notify cashiers that a patch needs to be applied.) Most software exploits happen to software that has not been patched in many, many years.
Even if a particular company or user patches critical vulnerabilities as quickly as they are announced, a persistent, patient hacker can just wait for a patch to be announced that is on their target’s fingerprint inventory list and launch the related attack before the defender has time to patch it. (It’s relatively easy for a hacker to reverse engineer patches and find out how to exploit a particular vulnerability.)
Both zero-days and regular software vulnerabilities come down to insecure software coding practices. Software vulnerabilities will be covered in Chapter 6.
Malware Malicious programs are known as malware, and the traditional types are known as viruses, Trojan horse programs, and worms, but today’s
How Hackers Hack 15
malware is often a hybrid mixture of multiple types. Malware allows a hacker to use an exploit method to more easily attack victims or to reach a greater number of victims more quickly. When a new exploit method is discovered, defenders know that malware writers will use automated malware to spread the exploit faster in a process known as “weaponization.” While any exploit is something to be avoided, it is often the weaponization of the exploit that creates the most risk to end-users and society. Without malware, an attacker is forced to implement an attack one victim at a time. With malware, millions of victims can be exploited in minutes. Malware will be covered in more detail in Chapter 9.
Social Engineering One of the most successful hacking strategies is social engineering. Social engineering, whether accomplished manually by a human adversary or done using automation, is any hacker trick that relies upon trick-ing an end-user into doing something detrimental to their own computer or security. It can be an email that tricks an end-user into clicking on a malicious web link or running a rogue file attachment. It can be something or someone tricking a user into revealing their private logon information (called phishing). Social engineering has long been in the quiver of attacks used by hackers. Long-time whitehat hacker, Kevin Mitnick, used to be one of best examples of malicious social engineers. Mitnick is profiled in Chapter 5, and social engineering is covered in more detail in Chapter 4.
Password Issues Passwords or their internally stored derivations can be guessed or stolen. For a long time, simple password guessing (or social engi-neering) was one of the most popular methods of gaining initial access to a computer system or network, and it still is. But credential theft and re-use (such as pass-the-hash attacks) has essentially taken over the field of password hacking in a big way over the past half decade. With credential theft attacks, an attacker usually gains administrative access to a computer or device and retrieves one or more logon credentials stored on the system (either in memory or on the hard drive). The stolen credentials are then used to access other systems that accept the same logon credentials. Almost every major corporate attack has involved credential theft attacks as a common exploit component, so much so that traditional password guessing isn’t as popular anymore. Password hacks are covered in Chapter 21.
Eavesdropping/MitM Eavesdropping and “man-in-the-middle” (MitM) attacks compromise a legitimate network connection to gain access to or
Hacking the Hacker16
maliciously participate in the communications. Most eavesdropping occurs due to flaws in network or application protocols, but it can also be accom-plished due to human error. These days the biggest eavesdropping attacks occur on wireless networks. Network attacks will be covered in Chapter 33, and wireless attacks will be covered in Chapter 23.
Data Leaks Leaks of private information can be an outcome from one of the other forms of hacking or can result from an unintentional (or inten-tional) human action. Most data leaks occur because of inadvertent (and under-protected) placement or because some hacker figured out a way to access otherwise private data. But insider attacks where an employee or contractor intentionally steals or uses private information are also a common form of hacking. Several of the chapters in this book apply to preventing data leakages.
Misconfiguration It is also common for computer users and administra-tors to (sometimes inadvertently) implement very weak security choices. I can’t tell you how many times I’ve gone to a public web site to find that its most critical files are somehow marked with Everyone or World permissions—and those permissions are exactly what they look like. And when you tell the entire world that they can access any file they like, your site or the files stored on it are not going to stay private for very long. Secure operating systems and configurations are covered in Chapter 30.
Denial of Service Even if no one made a single error or had a single piece of unpatched software, it’s still possible to take nearly any web site or computer off the Internet. Even if you are perfect, your computers rely on one or more services, not under your control, that are not perfect. Today, huge distributed denial of service (DDoS) attacks can take down or significantly impact nearly any web site or computer connected to the Internet. These attacks often contain billions of malicious packets per second, which overwhelms the targeted site (or its upstream or downstream neighbors). There are dozens of commercial (sometimes illegal) services that anyone can use to both cause and defend against huge DDoS attacks. DDoS attacks are covered in Chapter 28.
Insider/Partner/Consultant/Vendor/Third Party Even if your net-work and all its computers are perfect (which they aren’t), you can be compro-mised by a flaw in a connected partner’s computer or by insider employees. This category is fairly broad and crosses a range of other hacker methods.
User Error This penetration category also crosses a range of other hacker methods. For example, a user can accidentally send private data to an
How Hackers Hack 17
unauthorized user by putting a single mistyped character in an email address. The user can accidentally miss patching a critical server or can accidentally set the wrong permission. A frequent user error is when someone replies to an email thinking they are replying privately to one person or a smaller list of people but they accidentally are actually replying to the larger list or even to a person they are talking disparagingly about. I point out user error separately here only because sometimes mistakes happen and hackers are ready to take advantage of them.
Physical Access Conventional wisdom says that if an attacker has physical access to an asset, they can just steal the whole thing (poof, your cell phone is gone) and destroy it or eventually bypass all protections to access private data. And this perception has proven pretty accurate so far, even against defenses that are explicitly meant to protect against physical attacks. For example, many disk encryption programs can be defeated by the attacker using an electron microscope to identify the protected secret key by identifying the individual electrons that compose the key. Or RAM can be frozen by canned air to reveal the secret encryption key in plaintext because of a fault in the way memory physically stores data.
Privilege Escalation Each hacker uses one of the various penetration methods described in the previous sections to initially exploit a target system. The only question after gaining access is what type of security access they get. If they exploit a software program or service running in the user’s own security context, they initially only have the same access privileges and per-missions as the logged on user. Or they may get the Holy Grail on that system and get complete administrative system access. If the attacker only gets regu-lar, non-privileged access permissions, then they generally execute a second, privilege escalation attack to try and obtain higher privileged access. Privilege escalation attacks run the gamut, essentially duplicating the same approaches as for penetration, but they begin with the higher starting point of already having at least some access. Privilege escalation attacks are generally easier to perform than the initial exploits. And since the initial exploits are almost always guaranteed to succeed, the privilege escalation is just that much easier.
Guaranteeing Future Easier AccessAlthough it’s optional, once an attacker has obtained the initial foothold access, most hackers then work on implementing an additional method to ensure that they can more easily access the same asset or software faster the next time
Hacking the Hacker18
around. For many hackers, this means placing a “listening” backdoor program that they can directly connect to next time. Other times it means cracking passwords or creating new accounts. The attacker can always use the same exploits that worked successfully last time to gain the initial foothold, but usually they want some other method that will work even if the victim fixes the issue that worked the previous time.
Internal ReconnaissanceOnce most hackers have penetrated the system, they start executing multiple commands or programs to learn more about the target they have gained access to and what things are connected to it. Usually that means looking in memory, on the hard drive, for network connectivity, and enumerating users, shares, services, and programs. All this information is used to better understand the target and also as a launching point for the next attack.
MovementIt is the rare attacker or malware program that is content to break into one target. Nearly all hackers and malware programs want to spread their range of influence over more and more targets. Once they gain access to the initial target, spreading that influence within the same network or entity is pretty easy. The hacker penetration methods listed in this chapter summarize the various ways they can do it, but comparing it to the initial foothold efforts, the subsequent movement is easier. If the attacker moves to other similar targets with similar uses, it is called lateral movement. If the attacker moves from devices of one privilege to a higher or lower privilege, it’s called vertical movement.
Most attackers move from lower to high levels of privilege using vertical movement techniques (again, using the hacker penetration methods described in this chapter). For example, a very common hacker methodology is for the attacker to first compromise a single, regular end-user workstation. They use that initial foothold to search for and download local administrative account passwords. Then, if those local administrative credentials are shared among more machines (which they often are), they then move horizontally and repeat the process until they can capture very privileged account access. Sometimes this is done immediately during the first break-in because the logged on user or system already has very high privileges. They then move to the authentication server and capture every user’s logon credentials. This is the standard modus
How Hackers Hack 19
operandi for most hacker groups these days, and moving from the initial compromise to complete network ownership (or pwning in hacker terminol-ogy) can be less than an hour.
In my personal experience, and remember I’m just an average hacker, it usually takes me about one hour to gain the initial foothold and another hour to capture the centralized authentication database. So for me, an average hacker, it takes about two hours to completely own a company. The longest it has taken me is three hours.
Intended Action ExecutionAfter access is guaranteed and asset ownership is taken, hackers then accom-plish what they intended to do (unless the action of breaking in revealed something new to do). Every hacker has intent. A legitimate penetration tester has a contractual obligation to do one or more things. A malicious hacker might spread malware, read or steal confidential information, make a malicious modification, or cause damage. The whole reason for the hacker to compro-mise one or more systems is to do something. In the old days (two or three decades ago), simply showing off that they had hacked a system would have been enough for most hackers. Today, hacking is 99% criminally motivated, and the hacker is going to do something malicious to the target (even if the only damage they do is to remain silently infiltrated for some potential, future action). Unauthorized access without any direct damage is still damage.
Covering TracksSome hackers will try to cover their tracks. This used to be what almost all hackers did years ago, but these days computer systems are so complex and in such great numbers that most asset owners don’t check for hacker tracks. They don’t check the logs, they don’t check the firewall, and they don’t look for any signs of illegal hacking unless it hits them in the face. Each year, Verizon’s Data Breach Investigations Report (http://www.verizonenterprise .com/verizon-insights-lab/dbir/) reports that most attackers go unnoticed for months to years, and over 80% of the attacks would have been noticed had the defenders bothered to look. Because of these statistics, most hackers don’t bother to cover their tracks anymore.
Hackers need to cover their tracks even less these days because they are using methods that will never be detected using traditional hacker-event detec-tion. Or what the hacker uses is so common in the victim’s environment that it
Hacking the Hacker20
is nearly impossible to distinguish between legitimate and illegitimate activity. For example, after breaking in, a hacker usually performs actions in the secu-rity context of a legitimate user, often accessing the same servers and services as the legitimate user does. And they use the same tools (such as remote access software and scripting languages) that the admins do. Who can tell what is and isn’t malicious? The field of intrusion detection is covered in Chapter 14.
Hacking Is Boringly SuccessfulIf you want to know how hackers hack, there you go. It’s all summarized throughout this chapter. The only thing left to do is add tools, curiosity, and persistence. The hacking cycle works so well that many penetration testers, after getting over the initial excitement of being paid to be a professional hacker, get bored and move on to something else after a few years. Could there be a bigger testament to how well the cycle works? And it is within this framework and understanding that defenders need to fight against attackers.
Automated Malware as a Hacking ToolWhen malware is involved, the malware can accomplish one or more of the steps, automating everything, or hand over manual control once the target is acquired and pwned. Most hacking groups use a combination of social engineering, automated malware, and human attackers to accomplish their objectives. In larger groups, the individual hackers may have assigned roles and specialties. Malware may execute a single penetration step and be success-ful without ever trying any of the other steps. For example, the fastest mal-ware program in history, SQL Slammer, was just 376 bytes big. It executed its buffer-overflowing payload against SQL UDP port 1434 regardless of whether the target was running SQL. Since most computers aren’t running SQL, you might think it would be very inefficient. Nope, in 10 minutes it changed the world. No malware program has ever come close to infecting as many hosts in as short of a time.
NOTE If I’ve missed a step in the hacker methodology or missed a penetra-tion method, I apologize. Then again, I told you I was only an average hacker.
How Hackers Hack 21
Hacking EthicallyI would like to think that my readers are ethical hackers who make sure they have the legal right to conduct hacking on any target they have fixed their sights on. Hacking a site you do not have the predefined and expressed authority to hack is unethical and often illegal. It is even unethical (if not also illegal) to hack a site and let them know of a found vulnerability for no money. It is unethical and often illegal to find a vulnerability and then ask the site to hire you as a pen tester. This latter scenario happens all the time. I’m sorry, there is no way to tell someone that you have found a way to hack their sites or servers and ask for a job or money without it being seen as extortion. I can tell you that almost all sites receiving such an unsolicited request do not think you’re being helpful and do not want to hire you. They see you as the enemy, and lawyers are always immediately called.
The rest of this book is dedicated to describing specific types of hacking, particular penetration methods, how defenders fight those methods, and experts in their field at fighting hackers at their own game. If you want to hack for a living or fight hackers, you’ll need to understand the hacker methodology. The people profiled in this book are the giants in their field, and you can learn a lot from them. They led the way. A great place to start is with Bruce Schneier, who is profiled in Chapter 3 and is considered by many to be the father of modern computer cryptography.
Advanced
Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurityby Marcus J. Carey and Jennifer Jin
Chapter 3: Paul Brager
Chapter 4: Beau Bullock
10
3
“ As you can imagine, the best way to get a red team job is to first understand what it is that you want to do and then build a technical skill set and foundation to align with what that type of role would entail.”
Regarded as a thought leader and expert in the cybersecurity community for more than 25 years, Paul has deep expertise evaluating, securing, and defending critical infrastructure and manufacturing assets (ICS, IoT, and IIoT). An avid speaker and researcher, Paul seeks to move the conversation forward surrounding ICS cyber and managing the threat surface.
He has provided commentary on several security-related podcasts, publications, and webinars that provided guidance and insight into strategies for critical infrastructure and manufacturing cyber defense. Paul has a passion for mentoring and guiding people of color who are aspiring to contribute to the advancement of the industry and promoting diversity within the cyber community.
How did you get your start on a red team? My red team beginnings (much like most experiences in this space) came about from necessity. Company leadership fi red a “legacy” employee who was using a Windows 95 desktop with local accounts (yes, Windows 95). At the time, it wasn’t uncommon for workstations to not be part of a domain (Windows domains weren’t terribly common in the mid-’90s), but there also weren’t many methods of getting into a workstation if the password was lost. Novell was still king of the network operating systems, so you get the picture. Recovering a machine typically means re-installing over the top of it and hoping that you didn’t step on any of the critical documents/areas or getting into it with one of many “magic boot disks” that had started to appear at the time.
These were generally Slackware-based, but you needed some “skills” to be able to get them to work without destroying the master boot record (MBR) on the target. “Hacking” those disks with predictable results became more of an
Twitter: @ProfBrager
Paul Brager
Paul Brager • 11
art than a science, as you needed not only some Linux/BSD knowledge but also knowledge of how partitions worked within Windows. After spending countless hours building (and rebuilding) a Windows 95 test machine to get the parameters correct, I was able to successfully gain access to the Windows 95 workstation and recover valuable source code that would have cost the company months in development.
What is the best way to get a red team job?Well, it depends—red team job doing what? Pure penetration testing? Survivability testing? Penetration testing against certain classes of assets, in other words, ICS? As you can imagine, the best way to get a red team job is to first understand what it is that you want to do and then build a technical skill set and foundation to align with what that type of role would entail. Experience is generally key here but not always—sometimes raw knowledge and demonstrated know-how are enough. Much of how you are received as a legitimate red teamer is left to the devices of those interviewing, but those who can truly recognize talent may show interest. Networking, either in person or through social media (or both), remains one of the strongest ways to get insight into available red team roles, but you may also luck out and talk to someone in a position to make a hiring decision.
How can someone gain red team skills without getting in trouble with the law?Today, gaining red team skills without getting into legal trouble is easy. Many of the tools that one would need to practice are open source and easily downloaded; the same is true about access to many of the operating systems that would be potential targets. The world of virtualization has opened the door to the creation of virtual labs that can be destroyed and rebuilt with no impact to anyone—other than you, of course. Additionally, there are numerous hackable platforms available to test various skills and abilities (such as Hack The Box) to further hone red teaming skills. The more specialized type of practice—against ICS assets, for example—is a bit trickier, although some PLCs (the primary targets in an ICS) can be purchased on eBay. Likewise, IoT devices (such as Raspberry Pis) can be purchased inexpensively to develop skills against those.
Why can’t we agree on what a red team is?As with many things in cybersecurity, there is always an implied “it depends” when discussing what constitutes red teaming. Some believe that red teaming is just hacking; others believe that red teaming is far more robust and systematic than that. I believe that ultimately it depends on the perspective of the audience. For those in a purely corporate setting, red teaming gives a more elegant name to penetration testing with a nonmalicious purpose. It infers a sense of structure and methodology that leverages offensive security capabilities to uncover exploitable vulnerabilities. Among the hacker community, however, there may be a much looser definition being used.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?Being on a red team does not automatically make a person nefarious or malicious. Rather, what excites them within the realm of cybersecurity tends to be more the offensive capabilities. Researching and discovering exploitable vulnerabilities is both tedious and painstaking, and to be able to do so and articulate findings in a consumable manner is more an art than a science. While
12 • TriBe of Hackers red Team
their pedigree may be hacker-made, it does not define them but legitimizes their necessity within the cybersecurity ecosystem.
Perhaps the most toxic falsehood to date that I have heard is that cybersecurity professionals completely fit within one of three buckets: red team, blue team, and purple team. This gives the perception that cybersecurity professionals are single-threaded, which simply isn’t true at all. While each professional may have more of an affinity to one or the other depending on how they have matured within cybersecurity, it is functionally impossible to not consider the other buckets. Red teamers must understand how their penetration attempts could be thwarted or detected and come up with countermeasures to lessen the likelihood of that happening. Blue teamers must understand at some level the TTPs that adversaries are launching to better develop countermeasures to repel them. Most cybersecurity professional are a shade of purple, being more red or blue depending on affinity and maturity in the field.
When should you introduce a formal red team into an organization’s security program?A formal red team can be introduced into a security program at any point. The value and benefit of doing so largely depends on what is to be gained from the red team exercises. If the intent is to understand the threat surface and to what degree a program (or a part of the program) is vulnerable, then it is reasonable to engage red team services early in the program’s develop phase as a tool to better frame overall risks. Similarly, formal red team engagement can be part of the overall security strategy and lifecycle to reassess the robustness of controls and the organization’s ability to detect and respond.
How do you explain the value of red teaming to a reluctant or nontechnical client or organization?Lobbying for red teaming within one’s organization can be challenging, particularly if the organization’s security program has not matured beyond vulnerability assessment and/or vulnerability management. Additionally, if the organization has not sufficiently invested in or implemented controls or resources, red teaming may uncover vulnerabilities that have not been budgeted for and which there are insufficient resources to address, which exacerbates the problem. My approach has always been to frame the notion of red teaming as a function of risk management/mitigation. Red teaming allows for an organization to find potentially damaging or risky holes in their security posture before bad actors exploit them, minimizing the potential impact to company reputation, customers, and shareholders. Taking this approach makes the question of whether to use red teaming a business decision, as opposed to a technical one.
What is the least bang-for-your-buck security control that you see implemented?With the myriad of security products, services, and capabilities that are on the market, they all should be supporting two principal edicts: detect and respond. However, many security organizations are not staffed appropriately to consume and act on all the data that is available to them from these tools. Standalone threat intelligence tools, in my opinion, offer the least bang for the buck because they still require contextual correlation to the environment, which implicitly requires human cycles. Even with automation and orchestration between firewalls, SIEM, and IDS/IPS, correctly consuming threat intelligence requires resources—and burns cycles that may be better utilized elsewhere. The robustness of many of the more effective controls (firewalls, IDS/IPS, EPP) will generally give you the threat context that is necessary to detect and respond, without the overhead of another tool.
Paul Brager • 13
Have you ever recommended not doing a red team engagement?Typically, a customer or an organization can always benefit from some form of “red team” activity, even if it is just a light penetration test. In my consulting life, we generally would recommend against a full-blown red team exercise if there was significant immaturity evident within the organization’s security program or if the rules of engagement could not be settled upon to safely conduct the red team exercise. What has been recommended in the past is a more phased approach, going after a limited scope of targets and then gradually expanding as the organization’s security maturity increases.
What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?Security awareness training can be one of the easiest and most important controls that bolsters the overall security posture of an organization. User behavior can be the difference between a managed threat landscape and an unruly one, and in many instances, the end user will see incidents before security. Educate and empower users to practice good cyber hygiene. Beyond that, certain security controls that are cloud-based can be leveraged to offset the capital costs of infrastructure, if that is a barrier. This is particularly true in small to medium-sized businesses with limited staff and/or budgets.
Why do you feel it is critical to stay within the rules of engagement?Rules of engagement are established as the outer markers for any red team/pentesting exercise. They basically provide the top cover for activities that may cause harm or an outage, even if unintentional. Additionally, the rules of engagement can be your “get-out-of-jail-free” card should something truly go sideways, as they generally include a hold harmless clause. Deviating from the stated rules of engagement without expressed written consent of the client could open you up to legal liability issues and be devastating to your career.
If you were ever busted on a penetration test or other engagement, how did you handle it?I had an instance where a physical penetration test was being conducted for a client, and the sponsor had neglected to notify site security about my presence. After gaining access to the facility through a propped-open door in the back (repair personnel didn’t want to keep badging in), I was walking through the facility with a hard hat that I had “borrowed” from a table, and I was apprehended by site security and the local police. To make matters worse, my contact was unavailable when they called to confirm that I was authorized to conduct the penetration test. After two intense hours of calling everyone that I could to get this cleared up and the threat of charges being filed, the contact finally called back and I was released without being arrested.
What is the biggest ethical quandary you experienced while on an assigned objective?Without question, the biggest ethical quandary I’ve experienced is stumbling upon an account cache, financial records, or PII in a place where they shouldn’t be and being told by the sponsor not to disclose the details to the impacted individuals until the penetration testing exercise was complete, which may be over several days. For me, there are certain discoveries that take priority and need to be acted upon immediately, particularly when it is PII or financial information. In this case, the sponsor was attempting to prove a point to another member of management and had virtually no regard for what had been discovered.
14 • TriBe of Hackers red Team
How does the red team work together to get the job done?Red teaming, as the name implies, generally involves more than one person. The coordination that is needed to engage in a penetration test against multiple targets requires clear accountability as to what is expected of each team member. Additionally, there are generally members of the team who are better at certain tasks than others—those more suited to speaking with the customer do so, those more technical stick to those roles, and so on. It is always useful to have a team of red teamers comfortable speaking with customers, as each of them (particularly in large engagements) may have to report at different times to different audiences.
What is your approach to debriefing and supporting blue teams after an operation is completed?When I was consulting, there would be two report-outs. One would be for management and reported on the high-level activities that were conducted, what was found, and the risk concerns that had arisen from those findings. Any extraordinary findings would be enumerated within that conversation so that if any legal or other actions needed to get underway, the accountable parties could get started. The second report was the technical deep-dive; it was generally divided into finding areas, and individual small sessions were conducted with blue team designees to confirm what was in the report and walk through any questions. It was also during these sessions that follow-on remediation efforts and next steps would be discussed.
If you were to switch to the blue team, what would be your first step to better defend against attacks?Having lived on both sides of the fence, one of the things I am always amazed about is the lack of contextual visibility—not just logs and so on, but actual visibility with context into the associated assets. Additionally, there still seems to be considerable challenge in identifying assets within the ecosystem. The introduction of IoT (IIoT in the industrial world) has exacerbated this problem. Those two areas need to be addressed from a defense-in-depth approach because you simply cannot defend what you cannot see and identify. Effective cybersecurity defense is deployed in layers so that even if attackers get past one layer of defenses, it is increasingly difficult for them to get past subsequent layers. Lastly, I would spend more time and energy on security awareness training and arming the end user with the information needed to change behavior.
What is some practical advice on writing a good report?When writing a testing report, it is important to understand what the objective of the customer is and write the report to align with those objectives. At the end of the day, any remediation efforts are going to need to be funded, and the more the testing report can help build that case, the more likely the client is to reach back out to your entity (or you) for follow-up work. Consider what the customer would need to show management to compel them to act. Get feedback from the customer during the drafting process and incorporate it; certainly the style and tone of the report can be critical to the efforts of the security function within that organization. Seek to highlight areas where the security function performed well, followed by findings characterized by risks. Also keep in mind that the content will have to be defended, so make the language succinct and as unambiguous as possible.
Paul Brager • 15
How do you ensure your program results are valuable to people who need a full narrative and context?In my experience, how value is added to the red team program varies from organization to organization, but principally it should align with the overall security program and the risk posture of the organization. The program should strive to enumerate material and exploitable vulnerabilities within a given ecosystem, understanding that all findings may not be outside of the organization’s risk tolerance, whereas some may be nonnegotiable as a risk that absolutely has to be mitigated. In either case, the ability to link the red team program to some repeatable metric, such as the number of materials and exploitable vulnerabilities found, the number of successful versus unsuccessful attacks, or the number of false positives, can go a long way in legitimizing the value of the effort. Your skill set really doesn’t matter if the work you are doing doesn’t align with something of value to the business. Senior management isn’t interested in a report showcasing how skillful and smart you are—what they are interested in is their overall risk exposure given what you have discovered, so frame your activities in that light.
How do you recommend security improvements other than pointing out where it’s insufficient?In any red team exercise, it is important to highlight those areas where the customer/organization did things well. For instance, if the organization has a robust patching program and it led to a smaller attack surface for the red team, be certain to acknowledge that. Remember, part of the job of a red team is to legitimize not only its skill capability but its intrinsic value as part of the security program. If the red team cannot contribute to the success of the security program to get the funding it needs, then its value is severely diminished. Conversations with blue team members should be as informative as possible, and if both teams come from the same company, it may be useful for the red team members to assist the blue team in identifying countermeasures. Be a source of expertise that is not just for hacking into systems but also for securing them—help the blue team think like hackers (assuming they aren’t already).
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?The most important nontechnical skill any security professional can have is strong communication skills. When recruiting for red team members, there must be an air of trustworthiness and integrity within the candidate. Red teamers will have access to very sensitive knowledge about infrastructures, security controls, vulnerabilities, and so on, and that information will need to be held in the utmost of confidence. The ability to be not only technically astute but also able to explain those technical concepts to the layperson is invaluable in a red team asset.
What differentiates good red teamers from the pack as far as approaching a problem differently?Good red teamers are not only technical hacks but also have an innate understanding of what value their activities represent to their organizations (as an employee or consultant). Good red teamers are thorough and detail-oriented and comfortable with their own skill. Good red teamers are always looking to hone their abilities and figure out ways to exploit without detection. Problem-solving can be highly methodical, or it can be serial. Regardless of the approach, a good red teamer applies the proper approach when necessary and adjusts when that approach runs into a dead end. ■
16
4
“ I’m a firm believer that one should not jump directly into an offensive role without first getting a deep understanding of underlying protocols, including not only technical details but also business logic.”
Beau Bullock Twitter: @dafthack
Beau Bullock is a senior security analyst and penetration tester who has been with Black Hills Information Security since 2014. Beau has a multitude of security certifi cations and maintains his extensive skills by routinely taking training, learning as much as he can from his peers, and researching topics that he lacks knowledge in. He is constantly contributing to the InfoSec community by authoring open source tools, writing blogs, and frequently speaking at conferences and on webcasts.
How did you get your start on a red team? I meet a lot of people who are interested in pentesting or red teaming and want to jump straight into those roles. I did not start out my career in information security on the off ensive side. Being tasked with protecting a network, its users, and their data forced me to think like an attacker so I could be a better defender. I fi rst developed an interest in off ensive operations during an ethical hacking course I took while in college, but that interest did not develop into an off ensive role until years later.
Working on a blue team at a hospital and then at a bank, I would consider how an adversary would get around the controls we had in place. So naturally I began performing off ensive tests against our own controls to see where we were missing things. It was integral for me to learn as much as possible about every single layer of the organization. Everything from fi rewall rules to router confi gs to host-based protections to physical security to managing risk associated with one-off exceptions for C-suite members to protecting data to stopping people from getting phished—these were all opportunities for me to
Beau Bullock • 17
find where protections were lacking. Through all of this I learned what pitfalls many organizations and blue teams face day to day.
From an operational standpoint, understanding the struggles blue teams have to deal with, how networks function, and what defensive controls are possible provides a much clearer picture to the offensive operator. I pivoted to an offensive role in 2014 when I started working at Black Hills Information Security. Throughout the first few years of working there, I performed many penetration tests for various organizations. This gave me the opportunity to tune my capabilities and develop red team tactics. Within the last three years, I have been fortunate enough to be assigned formal red team engagements.
What is the best way to get a red team job?Being on a red team takes a unique and dedicated individual who has knowledge in vastly different areas. I’m a firm believer that one should not jump directly into an offensive role without first getting a deep understanding of underlying protocols, including not only technical details but also business logic. Do you know how the business you are targeting functions day to day? Can you determine what the organization values?
Many red teams consist of multiple individuals with skills in different areas. You might see team members who can perform architecture setup, payload delivery, and/or social engineering, act as internal network specialists, and more. Before you get a job on a red team, I would recommend first developing offensive skills in multiple areas on penetration tests. The key to being a good red teamer is having the knowledge to attack an organization from many angles and the discipline to use the one method that is necessary and won’t get you caught.
If you are already a pentester looking for a red team role, I would say networking is probably going to be your best bet. Go out and meet the people working on red teams and introduce yourself. Show them projects you’ve been working on. I see job openings posted by others on my Twitter timeline all the time.
If you are working for a company as an internal security analyst or the like and your company doesn’t have an internal red team, maybe it’s time to make a case for one. You might be able to build your own internal red team for your own organization and essentially create your own red team role.
How can someone gain red team skills without getting in trouble with the law?For building skills, I am a huge advocate of participating in capture-the-flag contests. Also, jumping in on bug bounties is a good way to build web application hacking skills. Building a home lab doesn’t have to be expensive and can provide you with a test platform for performing red team research without breaking laws.
Why can’t we agree on what a red team is?I think many have a hard time understanding where a pentest stops and a red team starts. There is definitely some overlap between the two that people get hung up on. Commonly people describe red team engagements as a penetration test without restrictions. But red team engagements do have
“The key to being a good red teamer is having the knowledge
to attack an organization from many angles and the discipline
to use the one method that is necessary and won’t get
you caught.”
18 • TriBe of Hackers red Team
restrictions. If they didn’t, then kidnapping, extortion, and blackmail would be in the rules of engagement. So since red teams are not truly unrestricted, I think people have a hard time grasping why it’s different from a pentest.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?For the majority, I think they still think red teams are trying to sling exploits with Metasploit. I haven’t had to use an actual software exploit in years. Configuration issues, bad passwords, and poor user awareness of phishing are typically how we get in. Once inside a network, it is 100 percent a game of credentials: pivot, dump creds, pivot, dump creds, rinse, and repeat.
I think the most toxic thing I’ve seen is how some blue teamers and red teamers treat each other. Many treat the other side as an adversary in a bad way. Our job as red teamers is to help the blue team get better. We should never gloat about our ops. The same goes for the blue team. I love purple team assessments where we can work collectively to make the organization better. Some of the coolest things I’ve found on engagements have been on purple team engagements.
When should you introduce a formal red team into an organization’s security program?Only after an organization has gone through multiple penetration tests and has done their due diligence in mitigating any of the vulnerabilities presented to them would I consider recommending a red team engagement. The most important thing to consider when deciding whether an organization is ready for a red team engagement is, can a red team get in using a vulnerability that shows up in a pentest? If so, the organization is not ready for a red team. The organization should already have an internal social engineering program to ensure its users don’t submit credentials to a malicious page the red team hosts. Solid alerting and hardening of infrastructure should be in place, and I damn well better not find an exposed portal that doesn’t have MFA.
How do you explain the value of red teaming to a reluctant or nontechnical client or organization?Explaining the fact that it is a true test of their defensive capabilities usually is effective for me. I like to describe a pentest to a customer by explaining that I am going to attempt to find as many vulnerabilities as I can but will likely be very noisy. I explain that on red team engagements I may find only a few vulnerabilities but will be much less noisy and those vulnerabilities will likely be much more valuable to them, as they probably allowed me to compromise the network.
What is the least bang-for-your-buck security control that you see implemented?For the most part, if you are paying for antivirus, it is the least bang-for-your-buck control. I say that because, honestly, the free Windows Defender that comes installed by default on Windows systems is actually pretty good for doing what antivirus is supposed to do.
Have you ever recommended not doing a red team engagement?Yes, during scoping calls, if I sense that the customer hasn’t done previous pentests or struggles to conceptualize what a red team is, then I might
Beau Bullock • 19
recommend something else. Definitions are huge in this industry. Without the proper definitions being agreed upon, it can be difficult to determine if by red team they actually mean pentest or even vulnerability scan. Laying out these definitions usually results in a customer realizing they meant a pentest instead of a red team.
What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?One of the easiest-to-implement controls that makes our lives hard as red teamers is Microsoft’s Local Administrator Password Solution (LAPS). Randomizing local administrator passwords on every system makes it so that the compromise of a single local admin credential doesn’t allow widespread access to every other asset in the network. Network segmentation between hosts, including client isolation so workstations can’t talk to other workstations is another great control to have in place. If I can’t pivot from one workstation to another, it’s going to be hard for me to escalate privileges in the domain.
Even though this question asked for only one control, I would say the following are the most important things to look at locking down to prevent full domain compromise: MFA everywhere you can implement it, VPN requiring MFA and client-side certs, strong password policy (15 characters or more), strong log consolidation and alerting, application whitelisting/behavioral analytics software, strong egress filtering (allow web ports out only through an authenticated proxy with filtering in place), and user awareness to social engineering. If the organization implements those things, I’m going to have a bad day as a red teamer.
Why do you feel it is critical to stay within the rules of engagement?Staying within the rules of engagement or not is like the difference between landing a shell on your target and landing a shell on the personal device of your target’s significant other. One of these things is a highly illegal thing to do, and you might not be able to unsee what you see there.
If you were ever busted on a penetration test or other engagement, how did you handle it?Busted? What’s that?
What is the biggest ethical quandary you experienced while on an assigned objective?One time I was tasked with performing a penetration test for a company and made my way to the CIO’s system, where I found some very questionable things. I had a Meterpreter shell on the guy’s system and noticed some KeePass processes running. I thought, “Cool, I’ll wait for him to leave, log in, and then see if he left KeePass unlocked.” Late at night after he left work for the day, I connected to his system using RDP. Sure enough, he had left KeePass open, so I now had access to a ton of creds, including some personal ones of his.
But I also noticed some other windows open on his system. First, he was using RDP to connect to another company’s server outside of the target network, where he appeared to be doing some sort of “system administration.” To make things stranger, he was also using RDP to connect to a personal system. This personal system had well-known tools on the desktop for performing mass spamming and other tools. At this point in the engagement, it became an ethical quandary, so I stopped the engagement. I ended up hearing from the customer later on that the CIO was let go.
20 • TriBe of Hackers red Team
How does the red team work together to get the job done?Collaborative infrastructure across the entire operation is necessary in my opinion. To be successful during the operation, we need to be able to share shells, data, and so on, easily. On the reporting side, it’s the same thing. We don’t want to be working in separate documents. This creates too much work later when we want to merge them. If we can collaborate on the same document platform, it creates a much smoother reporting process.
What is your approach to debriefing and supporting blue teams after an operation is completed?After an engagement, I like it when the organization can get all the entities involved in a meeting with me. I want the security team there as well as members of the SOC and maybe even other sysadmin-type employees. This way, those who typically don’t see pentest reports now have an awareness of what can happen on the network. In turn, this helps arm them with the knowledge that they need to be diligent in protecting their own systems. I typically walk through the entire operation, from reconnaissance to initial compromise to escalation and finally data compromise.
If you were to switch to the blue team, what would be your first step to better defend against attacks?Not switching back to the blue team. But if I did, I would first have a long discussion about budget. Knowing the budget can help you know how to best divvy it up to get the most out of it. You don’t want to go blow your whole budget on the latest blinky light system that likely requires another full-time employee to even manage. There are so many free and open source options out there for securing a network, but many of those require time and effort as well. So perhaps using your budget to hire another co-worker might be the best bet. Some things I would try as soon as possible if they weren’t already there would be to deploy Microsoft’s LAPS, up the password policy, and deploy MFA.
What is some practical advice on writing a good report?Take lots of notes while you are testing and essentially write the report as you move along. The worst thing you can do is fill up a notes document with screenshots but forget why you actually took them. Trust me, I know it is really hard to stop what you are doing and go write a couple sentences. Especially when you are faced with a new shell, it can be tempting to just start hacking away at it. But if you don’t document, you will be regretting it later.
How do you ensure your program results are valuable to people who need a full narrative and context?As much as possible, I try to explain what an attacker who was actually trying to do malicious things could have done. Most real attackers don’t have the same deadlines as red teamers, so they are not worried about being done within a few weeks’ time. They can take all the time they want. So for many organizations, being able to tie an actual threat actor’s potential actions to data you provide can result in great value for them, because they understand how bad things could really be.
An important part of my red team engagements is that I’m not placing domain admin access as a primary goal. In most cases, the data I want doesn’t require domain admin credentials to get it. I feel like the goal of the assessment
Beau Bullock • 21
needs to be something that the organization deems sensitive. If I can show that I’ve been able to compromise the CEO’s desktop or maybe a database containing credit card data or plans to build a battleship and then describe how these would be useful to an attacker, most organizations seem to find value in that.
How do you recommend security improvements other than pointing out where it’s insufficient?Oftentimes I’m providing positive findings to customers to let them know where I think their controls are working. Even though something might be preventing me as an attacker, there are cases where those could still be improved. For example, maybe the organization has an exposed Outlook Web Access portal. Maybe I wasn’t able to access it during the assessment, but I still might recommend that they move it to the internal network and protect it behind a VPN.
Additionally, constant testing of your controls is a must. Even though the red team engagement is over, learn and utilize some of the techniques that were used. The methodology of the tester should be outlined in the report and will typically include both successes and failures. While some of the tester’s techniques might have failed during your engagement, you might find that something gets changed on your network without you knowing and now those techniques are successful. Lastly, having management support behind security improvements is critical. Policy controls that executives need to address should be provided in the report.
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?The hacker mind-set and creativity are the most important nontechnical character traits for a red teamer. Frequently on red team engagements they will be faced with challenges they have never seen before. Having the hacker mind-set means they will not stop when they face the unknown, but instead they will question everything and find unique and new ways to face a problem. When facing highly secured environments that utilize defense-in-depth strategies along with quality alerting and response, creativity on the red team is a must.
What differentiates good red teamers from the pack as far as approaching a problem differently?Most of the really good red teamers I have met specialize in some area heavily. This enables them to develop a deep understanding of a certain technology or software. Becoming a master of infrastructure setup, coding, device hacking, lock picking, or any other area will help you develop a niche skill that is useful on red team engagements. Having the ability to approach unique problems with a creative mind-set can make the difference between a successful red teamer and one who fails. ■
“Having the hacker mind-set means they will not stop
when they face the unknown, but instead they will question
everything and find unique and new ways to face a problem.”
