How BlackHat influenced my interest in Red Teaming

Every year thousands of cybersecurity professionals and hackers gather together in one place, Las Vegas. The events in question are the BlackHat, BSidesLV and DEF CON conferences. If you haven’t been to a “hacker” conference, picture tens of thousands of hacking enthusiasts taking over the Las Vegas strip (and some of its computers!), talking about the latest hacks, security tools, and vulnerabilities found in some of our most popular software. For hackers around the world, this is a return to the mothership. I spent 8 days at BlackHat, where I attended security training, listened to briefings, discussed current industry events with security experts, and viewed demos of new security products. I had been to BlackHat before, but as a newbie (or what hackers call a “n00b”). I was fresh to the industry and barely knew anything. This time around, I’d come to the conference as an intermediate; I knew more about my industry and I’d made a few friends along the way.

One of the better trainings given at BlackHat this year was Adaptive Red Team Tactics. The main goal was to give students the opportunity to think like a Red Team member. The purpose of Red Team engagements is to covertly infiltrate a company’s network and test the response time of the organization’s security monitoring team. Throughout the training we were taught about stealthily pivoting through a network without being discovered by anti-virus or intrusion detection systems. Unlike other penetration testing classes, this class focused more on post-exploitation – the techniques that attackers follow once they have obtained a foothold in a network. The class showed many ways we could map a network from one compromised machine using domain controller queries. The training also showed that we could easily retrieve user passwords from the memory of a running application. I left with a newfound respect for post-exploitation and Red Team engagements. I also left with a wariness of Active Directory, having seen how easy it was to pivot through an Active Directory environment and obtain credentials in it.

Red Team engagements can last anywhere from 1 week to 6 months, depending on whether it is a one-off or a persistent engagement. There are many benefits to performing a Red Team test:

  1. Finding out the easiest ways into your network – was it a phishing attack, a vulnerability in your own software, or vulnerable third-party software?
  2. Finding out the misconfigurations in your network. Is a local admin also a Domain admin? Are password hashes or plaintext passwords left in files on one of the boxes in your network?
  3. Finding out the response time of your security monitoring team. Did they even discover the compromise? How long did it take them to discover it?

Red Team engagements are a vital part of a company’s threat assessment; surprisingly, however, many companies avoid having such tests performed. It could be that they are naïve enough to believe that they will never be compromised, or are just plain short-sighted, but nowadays, with new technologies that make it easier and faster for developers to deploy applications, this is not a chance they should be willing to take. We no longer live in an age where companies offer only one product or static, single-function websites (where the company’s attack surface was minimal). Organizations these days ship new software releases daily and run sophisticated websites that offer products that drive organizational revenue. Organizations today are also responsible for keeping their clients’ sensitive information, as well as their own, safe from the prying eyes of attackers. It’s time that companies shed their pre-existing notions and figure out how good their security really is.
