Hey everyone, and welcome to this deep dive where we're going to be taking a close look at red teaming.
Yeah, red teaming.
So you've you've probably heard the term before, but what does it really mean?
Right?
What does it mean in the in the context of professional cybersecurity?
Yeah?
So, and what we're going to do today is we're going to go way beyond kind of the how to hack and really get into some of the strategic thinking and challenges that these experts face.
Yeah. And it's it's not just the how to, it's the why, right, the what, the strategic element of it.
And we've had some really fascinating source material today that's going to help us kind of unpack all of this.
Yeah, for sure.
One of the things I thought was really interesting was that getting caught isn't always a failure.
Oh, absolutely, the red team getting caught can be the point sometimes, right, And even if it's not the point, Yeah, Like if you're truly trying to be stealthy and you get caught, yeah, that's still a learning experience.
Yes, what did we do wrong? What can we improve? How can we be more stealthy next time?
Yeah? And there's this, you know, there's all this buzz around like AI and automation and cybersecurity. But our sources really make this this compelling argument for why human hackers
are still essential totally. Like I was reading about this one scenario where this red teamer used basically a shortcut command this alias, and through a series of like I don't even know if it was mistakes on the organization's part or just like oversights, oversights, they ended up gaining access to their entire AWS cloud infrastructure.
It can be really really simple oversights too, you know, like a lot of times, like.
A little thread that you pull on and that unravels the whole thing.
Exactly, yeah, exactly.
And our sources also this was really interesting kind of challenging this idea of checkless security security.
Like you know, you check all the boxes and you think you're good, but right, and.
You're missing you're missing the point. You know, you're missing the bigger picture.
So red teaming forces you to think outside the box. You got it, Okay, So let's break down what red teaming actually is. Okay, Like, how would you explain this to someone who maybe isn't a cybersecurity expert.
So I like to think of penetration testing which everyone's heard of. Right. Penetration testing is kind of like we're going to check this bridge for structural weaknesses, okay. Red teaming is we're going to simulate a massive earthquake okay, and see if the whole thing falls down. Got it. So it's much broader.
So pen testing is more focused like.
Looking for specific vulnerability.
Specific vulnerabilities, but red teaming.
Is broader, bigger pictures like the.
Whole, the whole, the whole, enchilada exactly.
Yeah, it's how it's like, how would the organization prevent, detect, and respond to a real atta. You know. That's kind of the goal of red teaming.
And the book Professional Red Teaming actually goes into different types of red teaming engagements.
Yes, So there's we've got the holistic compromise, We've got specific compromise okay, and we've got assumed compromise.
Okay. So holistic is like we're going to try and like fully compromise your system.
Yeah, like take over everything.
Okay.
You know, I think like the bank robbery example, we're going to rob the whole bank. Specific is like maybe we just want to get access to customer data something very specific, got it? And then assumed compromise is interesting, Yeah, because you're starting from the point of you that the attackers are already inside, okay, you know, so you're not worried about how they got in. You're worried about what they can do once they're there.
So you're starting like midway through the movies exactly, and you're and you're seeing what damage.
They can do exact.
I mean that's kind of a sobering thought, right.
It is. Yeah, it is, and it's becoming more and more relevant, you know. I mean, it's kind of an evitability at this point. Yeah, some attacker is going to get in somewhere.
It's not if it's when exactly.
Yeah, So how do we respond?
Okay, so we've established what red teaming is, we've talked about the different types of engagements, but let's get into like why humans are still so crucial for cybersecurity.
So academics are looking at ways to automate red teaming, which is really interesting, and they've kind of broken it down into these three categories, non pivot, non exploit okay, non pivot, exploit, and exploit pivot Okay, So those are the three things.
So they're trying to mimic the steps that a human hacker would take exactly, but they're falling short in a lot of key areas.
They are.
And it's interesting the book talks about these different scenarios where like human ingenuity was.
Just and it's something you can't really program, you know, that intuition. You can't really automate that yet.
So this one scenario I was reading about this where the Red Teamer found this alias. It was like a simple command alias, and it kind of dug a little deeper and it turned out that alias actually revealed the location. Oh wow, helped their AWS jump box. So this is like a server that they use to access their cloud infrastructure and for whatever reason, the way they have this set up, the Red Teamer was able to use that jump box to basically take over our entire AWS cloud infrastructure.
That's a huge that's a huge oversight.
Like I can't imagine automated tool figuring that out.
No, because it's not it's not a technical vulnerability. It's a human error. It's an oversight, it's a misconfiguration.
And this other one, I thought this was really interesting too. They found this splunk forwarder service listening.
On a local port Oh interesting.
Right, and this is something that again, like an automated scan, it probably wouldn't have picked up, right.
It's not inherently a vulnerability, it's how it's configured and how it's used.
Right, And they were able to use that to.
Gain basically elevated privileges and then kind of pivot from.
There take over the whole network.
Yeah, take over the whole network exactly.
So it really shows you that you can't just rely on.
These automated tools. Yeah. Humans are still very much needed in this space.
So it's more of a partnership I guess it is, Yeah, between humans and machines exactly.
You use the machines to automate the boring stuff, right, and then you use humans to do the thinking.
To do the creative problem solving exactly.
Yeah.
Okay, so let's let's talk about some of the challenges of red teaming, because it's not all like smooth sailing, right, absolutely. Like one of the biggest I think is just that inherent like adversarial totally nature.
Of it, right, Like Red teamers are coming in, they're trying to break stuff.
They're trying to break stuff.
No, and that could rub people the wrong way. I bet Yeah, especially internal security teams. You know, like, hey, we're doing our job.
Right, We're trying to protect this, Why are you trying.
To break it? Yea, So there could be some friction.
There, Yeah, I would see that.
Yeah. So communication is super important absolutely, you know, having a good relationship right with.
The blue team, making sure everybody's on the same page exactly.
Yeah.
Another challenge I was reading about this is how do you scope an engagement in right? Right, because there are all these like real world constraints.
You got time constraints, you got budget constraints, right, you got risk tolerance, risk tolerance, you know, the organization might say, hey you can't do this, you can't touch that, so you be really careful yeah about how you scope the engagement.
So there's a lot of like upfront.
A lot of planning, planning, yeah, a lot of talking, you know, getting everyone on the same page. Yeah.
And this kind of gets into the legal and ethical stuff too, right, yes, absolutely, Like there are certain things that you know, maybe you can't do, you know, if there's sensitive and like iPath. Yeah, yeah, you know, all these regulations you got to be aware.
Of, and that's where those rules of engagement come in right, Yes, absolutely, So this is like a document that outlines very specifically.
Yeah, it's a contract.
What the Red team can and can't.
Do, what you can do, what you can't do.
They're allowed to access, they're allowed to touch what systems?
Yeah, when you can do it, when they can do it. You know, it's very very specific and they have.
To stick to that absolutely. Okay. So we've talked about some of the challenges. Yeah, and you know, the adversarial nature of red teaming.
But our sources also talk about this thing called purple teaming.
Yes, purple teaming.
And this is where things start to get really interesting.
So purple teaming is all about collaboration, okay. You know, it's about breaking down those silos between the Red team and the Blue team.
So instead of being adversaries, yeah, they're like allies.
They're working together, working together. You're sharing knowledge to.
Achieve a common goal exactly, which is better security, better security for everyone. So how does that actually work in practice?
So there's a bunch of different ways you can do purple teaming. Okay. One is reciprocal awareness. Okay, so both teams know what the other team is doing, okay, and they're kind of working together like in a sparring match. Okay, you know they're learning from each other, got it. Then you get the unwitting host. Okay, so the Blue team doesn't even know they're being tested. Okay, so this is a good way to see how they would respond to a real attack, right because they're not expecting it.
Yeah, like a surprise fire drill exactly, yeah, exactly. And then you have the unwitting attacker.
Yes, so the Red team doesn't know they're being watched. Okay, so the Blue team can kind of see, observe their tax observe their tactics. You see what they're doing, how they're doing it.
Interesting.
We've also got red handed testing okay, where the Red team intentionally gets caught, okay, to see how the Blue team responds. Oh interesting, like what's their incident response process? Testing their incident response exactly okay. And then finally you got catch and release.
Catch and release.
So the blue team catches the Red team, the Red team steps up their.
Game, Okay, they try again, They try again.
Blue team catches them again, okay, and so on and so forth.
So it's like this iterative process exactly where they're both learning and improving.
Both sides are getting better.
Yeah, okay, Now, one last thing before we wrap up this part of the Deep Dive, I want to talk about this concept called cappy t teaming, dag teaming, yeah, counter apt red teaming.
It's it's when the stakes are really high.
Okay.
You know we're talking about critical infrastructure like the Crown Jewels exactly. Yeah, the Crown Jewels, the things that if they got compromised, yeah, it would be a really really bad day.
Okay. And so what are like the key principles of this.
So the key principles are one, we assume breach. Okay, We're not worried about how the attackers got in, right, We're worried about what they can do once they're there. Okay. Two we focus on lead full compromise items okay, so those are the things that if they got compromised, yeah, it would be a really, really bad day.
Okay.
And three we use something called reverse pivot chaining, just basically using local intelligence gathering to figure out how the attackers got in and where they're going.
So you're like working backwards exactly from the crime scene.
From the crime scene trying to figure out what happens.
So this is like a very specific and targeted approach.
Very targeted, very high stakes.
Okay, well, I think that's a great place.
To pause for now, take a break.
We've covered a lot of ground in this first part of our deep dive. We have Yeah, we've defined red teaming, talked about why humans are still so important, talked about the different challenges, different approaches, the different approaches, and introduce these concepts of purple teaming and cap ptr teaming.
And in the next part, yes, we're going to get even deeper into the weeds.
We're going to get into the nitty gritty, nitty gritty of how these engagements are actually conducted.
The tools, the technique, the tools, the techniques, the trade craft.
That's right craft. All right, So stay tuned.
Stay with us, Welcome back to our deep dive on red teaming. Last time, we got a good overview of what red teaming is and why it's so important.
Yeah, and why humans are still so crucial in this field.
Yeah, absolutely So.
Now I think it'd be really cool to kind of get into the weeds a little bit and really see how these engagements.
Yeah, let's get into the nitty gritty, Yeah.
Let's get into the nitty gritty.
The nuts and bolts of it all, like.
What actually happens when a red team?
Yeah, how do they actually do this stuff?
So once they've kind of got the scope and the rules of engagement set, like where do they start? What are the first steps?
So the first thing you gotta do is reconnaissance. Okay, you've got to figure out what you're dealing with. Okay, you know who's the target? What are their systems? Yeah, what are their weaknesses? This involves things like open source intelligence gathering, vulnerability scanning, maybe even some social engineering to try to get some credentials.
So you're building a profile.
You're building a profile, yeah the target. You got to know your enemy.
And professional red teaming actually talks about this. They call it the shaping phase, the shaping phase, right, and it's all about involving the right people totally in the process, Like not just the technical folks, but yeah.
You need the technical people, need the operational people. You might even need legal legal Yeah, depending on what.
You're doing, because you've got to make sure that like this, it's tailored.
To the organization. Yeah, you know, it's not just a generic.
Attack, right, it's not off the shelf.
No, it's got to be very specific, tailored to their environment. There risks, risks.
And their yeah, their business. Yeah, and this intelligence gathering.
Phase can be Oh, it could be very creative.
I was reading about some of the techniques like website scraping, social media analysis.
Oh yeah, you can find a lot of information on social.
Media, and even physical penetration testing.
Oh yeah, physical pen testing is fun. What is that? So basically you're trying to get physical access to the target. Okay, so this might involve things like, yeah, trying to tailgate employees, you know, sneak in behind them. Yeah, or maybe trying to pick locks or you know, test their security cameras.
So you're actually like on site.
Yeah, you're on site. You're in the building, Okay, trying to see what you can get away with.
So you're really you're really thinking outside the box.
You got to think like an attacker.
Okay. So once they've kind of done their homework, they've gathered all this.
Intel, they've built their profile.
What happens next?
So then it's time to actually attack.
Okay, this is where it gets real.
Yeah, this is where the rubber meets the road.
So this is where like all.
The technical skills come in.
Yeah, the technical skills.
You know, exploiting vulnerabilities.
By passing security control.
Yeah, all that good stuff.
And I know the book talks about all.
Sorts of Oh yeah, there's a whole.
Range different types of attacks.
External attacks, internal attacks, wireless attacks, WI lists, social engineering.
Social engineering. So it's not just like hacking into a computer.
No, it's much broader than that. Yes, it's about exploiting any.
Weakness, any weakness you can.
Find, any weakness, whether it's a technical weakness, yeah, a human weakness, a process weakness, whatever.
So let's say the Red team they managed to get access to a system.
Okay, what happens then, So then it's all about maintaining persistence.
Okay.
You know, you don't want to just get in and then get.
Kicked out, right, You want to stay in. You want to stay in, establish a foothold.
Establish a foothold exactly.
Okay.
So this might involve things like installing back doors, creating rogue user accounts, hijacking legitimate processes.
So you're basically blending in, blending in with the normal network activity. You want to be a ghost, okay, And this is where operational security.
Oh PSC super important.
Oh PSCC, yeah, that's what they call it.
Yeah, you got to be very careful.
You've got to cover your tracks.
Cover your tracks, don't leave any traces.
Because if you make one mistake.
Yeah, one mistake and you're busted.
Game over.
Yeah.
And so now I gotta ask ye, like, where does the Blue team fit into all of this?
So the Blue team is the defenders? Okay, their job is to try to stop the Red team.
Okay, so it's like this, it's.
A cat and mouse game.
Cat and mouse game, yeah, back and forth. Okay.
Red team tries to attack, Blue team tries to defend.
But it's a collaborative effort.
It's a collaborative effort. Yeah. Ultimately, even though it's adversarial, the goal is to improve security.
So they're both working towards the same goal.
Yeah, they're on the same team, ok just different sides of the coin.
And one thing the sources emphasize a lot was documentation.
Oh yeah, documentation is super important.
Why is that?
So you got to document everything you do, every vulnerability you find, every exploit you use, because that's how you learn. Okay, you know, you got to be able to go back and see what worked, Okay, what didn't work, how you can improve.
It's like a record, it's a record of the engagement of everything that happens. Okay. Now let's get into some of the tools of the trade.
The tools.
What are so? Red teamers use a variety of tools, both open source and commercial. Okay, So some of the common categories are network scanners, vulnerability scanners, exploitation frameworks, password cracking tools, got it, and social engineering tool pits.
So give me some examples.
So for network scanners, you've got things like end map, which allows you to map out the target network. Okay, see what systems are there?
Got it?
For vulnerability scanners, yeah, you got nessus qualities Okay, those are popular ones in the basics scan for known vulnerabilities and software and systems.
What about those exploitation frameworks.
Yeah, so those are things like metasploit, which is a collection of pre built exploits okay, that you can use to attack systems.
So it's not all manual hacking.
No, you can automate a lot of this stuff.
Okay, freeze up your time to focus on the more interesting things.
More strategic stuff exactly.
Okay.
And then password cracking, password cracking, Yeah, what kind of tools.
So you got tools like hashcat, John the Ripper. These are brute force tools they can try to guess passwords. And then social engineering toolkits.
Yeah, what are those like?
So those are things that can help you craft phishing emails, spoof websites, impersonate people.
You're basically trying to trick people, trick people into giving you information exactly. Yeah, okay, so we've talked about the tools. Yeah, let's move on to the reporting phase.
Reporting.
Yeah, on the So once the attack is done.
Simulated attack is done, the red team's got to, like you got to write a report, Yeah, write a report.
You've got to summarize your findings, make recommendations, okay, and basically help the organization improve their security.
So it's not just about like, no, it's not just about pointing fingers.
Yeah, finding vulnerabilities and saying you suck, you suck.
No, it's about helping them get better.
It's about providing value. Providing value exactly, and professional red teaming talks about this concept of like an out briefing session, the out brief where they actually sit down with the organization.
Yeah, you sit down with the stakeholders.
And they walk them through the finding, You walk them through the reportation.
Answer any questions they have.
So it's like this face to face.
Yeah, face to face interaction is important.
Yeah, to make sure that everybody's on the same page, on the same.
Page, and that they understand the importance of the findings.
Okay, And one last thing I wanted to touch on before we wrap up this part, Okay, is this concept of threat hunting.
It's read hunting.
Yeah, I've I've heard that term.
It's a hot topic these days.
But I'm not really sure what it means.
So threat hunting is basically proactively looking for threats in your environment. So it's not just about waiting for alerts to go on, right, It's about actively searching for evidence of malicious activity.
So you're like a detective.
You're a detective, Yeah, looking for clues, looking for clues, looking for patterns that might indicate that something bad is happening.
So it's it's a very proactive approach to.
Security, okay, rather than reactive.
And this is super important, especially these days with attackers getting more sophisticated.
Yeah, attackers are getting really good at hiding their tracks, right, So you've got to be proactive to find them.
But is this is this a replacement for red teaming.
No, No, it's not a replacement. It's a compliment. It's another tool in your toolbox.
So it's about having like this layer layered defense.
So you're doing proactive stuff like threat hunting. Yeah, you're doing reactive stuff like incident response, right, and then you're also doing red teaming to kind of test everything. Yeah, make sure it all works.
Okay, So we've covered a lot of ground in this part.
We have.
Yeah, we've talked about this step by step process of a red team engagement from reconnaissance to reports, from reconnaissance to reporting. Talked about the tools.
And technique, the importance of documentation.
The importance of documentation, and threat hunting threat hunting. Yeah, And in the final part of our deep dive. Yeah, in the next part, we're going to talk about the ethical considerations.
Yeah, the ethical landscape, the red teaming, the future of red teaming.
The future of red teaming, what it all means for you the stay tuned. All right, welcome back to the final part of our red teaming deep dive. We've talked about the strategies, the tools, why human hackers are still so important and all this great stuff. But one thing that's been kind of on my mind, Yeah, throughout this whole discussion is the ethics of it all, right, because
we're talking about intentionally breaking into systems, exploiting vulnerabilities. I mean that seems like it could have real world consequences.
Yeah, absolutely, things go wrong. So ethical Red teamers, yeah take this very seriously, okay, And there are a lot of safeguards in place to make sure these engagements are conducted responsibly.
Yeah. The sources we've looking at really emphasize those rules of engagement.
Oh yeah, super important.
Can you talk a little bit more about what those are and why they matter so much?
Yeah, So, rules of engagement are basically like a contract between the Red Team and the organization that outlines what the Red Team is allowed to do, what they're not allowed to do, what systems they can touch, what data they can access, and when they can do it.
So it's very specific, very specific, okay, And the goal is to i mean, obviously to prevent the Red Team from doing anything illegal or unethical, but it's also.
About protecting the organization.
Yeah, protecting the organization. Like I was reading about Red teamers having to consider data privacy regulation.
Oh yeah, k ipa GDPR.
You don't want to accidentally cause a data breach exactly while you're trying to improve security, right, that would be bad. So it's not just about like being a skilled hacker. You got to have like that ethical mindset as well.
You got to understand the risks, yeah, and the consequence.
Okay, So we've we've talked a lot about communication and collaboration and especially that relationship between the Red team and the Blue team. Why is that so important for this to actually work, Because.
Like we talked about before, red teaming can be adversarial.
Yeah. Right, it's like you're coming in and saying, hey, your security sucks.
I found all these holes.
Yeah, you know, you're not doing a good job.
And nobody likes to hear that.
Yea. So it's really important to to build that trust, build trust, establish good communications.
Yeah, make sure everybody's on the same page.
And I know, you know we talked about this before, but involving like both the technical folks and the operational folks, operational, legal, legal, everybody, Like in those early stages from the beginning, to make sure everybody understands.
Yeah, what are we trying to achieve here?
What are trying to achieve?
What are the goals? What are the risks?
Right?
How are we going to do this safely and responsibly, So it's not like a surprise, No surprises. Everybody knows what's going on.
And then throughout the engagement, like keep those lines of communication open.
Keep the communication flowing.
Yeah, like provide updates, let.
Them know, Hey, we found this vulnerability. Yeah, what you're finding. We're exploiting this.
This is what we're seeing, so that everybody can.
Learn and adapt, learn and adapt in real time.
Okay, Now let's talk about the future of red teaming. Okay, because this field is constantly evolved, constant it's never boring.
Yeah, no, it's not like I'm curious. How do you see red teaming adapting to all these new threats?
The threat landscape is changing so rapidly all the time. Yeah, you know, we're dealing with like nation state actors, organized.
Crimes, sophisticated attackers.
Yeah, how do you It's a challenge, how do you keep up?
So one of the big things is AI. Attackers are using AI to enhance their capabilities.
So they're using AI to to attack.
Yeah, okay, so we got to use AI to defend. So red teamers are starting to incorporate AI and machine learning into their tools and techniques.
So it's like this AI arms race it is, yeah, okay. And we talked about KPTR teaming, which is specifically designed.
To address high impact scenarios.
Yeah, those really high stakes tax when the stakes are high, and purple teaming as well. That collaborative collaboration is key approach.
Yeah, you got to work together.
So it's it's not enough to just.
Like rely on old methods, Yeah, rely on.
Like the traditional security approaches.
You got to be proactive. Yeah, you got to be adaptive.
Okay. So red teaming is not just like a it's.
Not a one time thing, one thing. It's an ongoing process.
Yeah okay. So we're we're at the end of our deep dive here. If there's like one thing our listeners should take away from this, what would it be.
Cybersecurity is everyone's responsibility.
Okay.
It's not just the IT department's problem.
It's not just the security team.
It's everybody's product.
It's everybody's problem.
We all have a role to play in protecting our data.
In our systems, and it's not a set it and forget it thing.
No, security is a journey, not a destination.
It's a journey and not a destiny.
It's an ongoing process.
Yeah, okay, So what's the most important thing for people to remember about red teaming.
Red teaming is about making organizations more secure. It's not about finding faults or embarrassing people. It's about helping them understand their risks and improve their defenses.
So it's ultimately a force for good, a force for good, absolutely, Okay. Any final thoughts for our listeners.
Yeah, stay curious, stay informed, and don't be afraid to ask questions. The more you know about cybersecurity. Yeah, the better prepared you'll be.
All right. Well, that wraps up our red teaming deep dive.
It does.
We hope you found it informative and insightful.
We hope you learned something and until next time, stay secure.