
Tribe of Hackers Red Team 4.0
47 is the number of red teaming experts we can find in the book Tribe of Hackers Red Team, written by Carey and Jin (2019). And so far we have only published three entries about it, each one dedicated to an expert, in the following order: (1.0) Carey, (2.0) Donnelly, and (3.0) Weidman. So, why not make room for a fourth entry? Or is this starting to look like The Fast and the Furious? I’m just kidding!
Figure 1. Image taken from here.
Here I want to show you another standpoint on red teaming (another expert answering the same questions), with the corresponding recommendations for any of you; that’s all. The previous post displayed what we could consider, to some people’s astonishment, a ‘strange’ case. I mean, I presented one woman’s ideas and advice related to ethical hacking, and that’s rare because, unfortunately, at present it’s not common to see many girls practicing this profession.
Now, it would be interesting to read (and why not learn from) the opinions and recommendations of another ‘curious’ case. On this occasion, a person who does not appear in the referred book under his ‘real’ name. And, contrary to most of the experts interviewed, a person who does not display a picture in his section. Yes, apparently it’s a man, and he uses the alias “Tinker Secor.”
Let’s see what we can get from this guy who served in the US Marine Corps, has worked as an intrusion detection analyst, and now is a “full-scope penetration tester with experience in testing and bypassing the security of logical, physical, and social environments.”
For those hoping to be eager beavers on red teams
Tinker was recruited and trained to become a red team analyst after gaining some blue team experience and some reputation, especially by giving talks concerning defense operations in the US Marine Corps. But we already know that it’s unnecessary to have gone through a blue team to belong to a red one. Indeed, as Tinker accurately says —when asked about the best way to get a red team job—, it is “just like getting any job, you split your time between building up the skill sets required and networking.” There you are!
So, what does Tinker recommend for building up your skill sets? First, “study the following: systems, networks, virtual environments and cloud, [thick/web/mobile] applications, scripting, physical environments, social exchanges, [and] basic attacks [and] defenses.” A lot of things to absorb, huh? Well, here’s what he puts forward about practicing: “participate in scripting challenges, build a virtual lab inside your cheap laptop and install systems and connect them together through networking, and do capture-the-flag exercises online or at conferences.”
Conferences and meetups: those are the kinds of events Tinker suggests attending to build your network and go “hunting for a job” (beyond the typical, but not negligible, online application). He even recommends volunteering at such events and, if possible, organizing some of them. Of course, don’t forget to “join some reputable online groups”!
Figure 2. A quote from Tinker Secor.
For those already sweating blood on red teams
Tinker boils “red teaming down to quality assurance.” As simple as that. Therefore, when you intend to offer your services to reluctant or nontechnical clients (who see no need for security), use an assessment as a demo and prove to them that red teaming is really necessary nowadays if they want to guarantee quality in their systems, not only for themselves but also for their customers or users.
A well-established red team should possess a crystal-clear understanding of each of its members’ particular skills. As Tinker says, it is common to see, in these groups, people who “can do a little bit of everything.” However, mainly in large projects, the leaders could delegate tasks according to the team members’ special abilities and bring them together at certain times to discuss their evaluation and reporting activities.
Regarding what the client has to know after the red team obtains results in an assessment program, Tinker says the following: “The biggest thing is to go through the attack methodology and show what worked […] and what did not work in the attack.” The idea is to let the client know the details of the path followed by each analyst, together with the procedures carried out. Furthermore, apart from reporting vulnerabilities, Tinker recommends delivering information related to positive findings: “Positive findings will include the security apparatus that prevented specific attacks as well as times where the blue team detected, responded to, and contained the attacks.”
For firms that aspire to be on the ball in security
“Security quality assurance assessments and penetration tests can and should be conducted at all stages of a security maturity model.” That’s the answer Tinker gives to the question of when to introduce a red team into an organization’s security program, for you to keep in mind. (You should not forget the term DevSecOps.) After that, if it’s possible for your company, following Tinker’s advice, it’d be excellent to have a dedicated person or a team that continuously conducts ethical hacking on your systems. (Have you heard about our main service of Continuous Hacking?)

In addition, Tinker believes that, for the sake of your firm, you should not employ only vulnerability scanners. It is better to combine them with penetration tests. As he says, the two “cover different areas and have different strengths and applications, and companies should employ both.” According to him, it’s typical to see firms implementing vulnerability scanners from top providers and using them to detect security issues, only to remediate, after several months, some of them, usually ignoring medium and low severity findings. No program is created for managing and remediating vulnerabilities, and subsequent analyses produce even longer vulnerability lists, on which, again, no proper action is taken. (Now, I repeat the question for those companies that have fallen into that error but recognize it as such: Have you heard about our main service of Continuous Hacking?)
That’s all, folks!
Of course, you can access the complete interview in Carey and Jin’s book. Here I have just shared some highlights of the answers given by Tinker Secor, one of the 47 red teaming experts you can find there. On the other hand, if you want to be part of the Fluid Attacks team, you can check out our Careers page, and if you require information about our services and solutions for your company, please click here to contact us.
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/tribe-of-hackers-4/