Red Red Whine by Dan Cannon

BSides Leeds, published 2023-07

Transcript (en)

All right, thank you very much. So I'm Dan from North Green, a cyber security training and penetration testing company, and I've been doing this for about 12 years, from the perspective of a pen tester and then running red team engagements. I'm going to stand here for the next 13 minutes and moan about red teaming, to be honest, because I don't always whinge about red teaming, but when I do it's with a crowd of people who feel awkward about leaving. So we're going to talk about the fact that there's uncertainty around what red teaming actually is. We've heard both Holly and Andy talk about some of the really interesting things they've done, some of the really foolish things that clients do, but quite frankly there is a huge amount of effort put in, when people are talking about red teaming, to talk about really super elite kind of hacking techniques that we all get to use and feel like great spies who are breaking into buildings and defeating blue teams and doing goodness knows what kind of really technical stuff, and for the most part it's incredibly unnecessary. We all feel great doing it, I'm not denying that at all, and it's a lot of fun to do, but for the most part it's not giving people what they need, and anyone who did see Holly's talk earlier will know that the industry is not improving, and that's because we're trying to push this kind of talk of "well, we need to go more advanced, we need to go more in detail, we need to go more technical" as opposed to actually fixing the stuff that's wrong.

Think about security testing throughout the ages. Once upon a time there was just no security testing: we had computers, everything was isolated, everything was okay, no testing happened until people found that there was an issue and then we had to really try and think about how we improved security. So vulnerability scanning came up. We still do it, it's really effective; its aim is breadth, its aim is being able to figure out where a known misconfiguration is, where there is something that we can find, an ability to examine an environment and identify problems. Next we've got pen testing. This is what I spend the vast majority of my time doing. It's a lot more fun than vulnerability scanning because you actually get to start properly attacking systems and taking advantage of it: dumping passwords, attacking users, all the good fun stuff that we all enjoy doing, and it's really useful to be able to find the fundamental flaws that exist in a machine and be able to actually prove that there's a problem and show why we need to care about what's going on.

When we think about red teaming, too often we're just thinking about an evolution of pen testing, as in "red teaming, it's just super cool pen testing where you're not told here's a web app, here's a computer, here's a network; you're told here's a company instead." Red teaming should be that kind of emulation of a real-world attack. It should be something that is actually going to be representative of what a company is going to be the victim of, and what the tactics, techniques and procedures of some form of threat actor are going to do, not just fantasy. So what is fantasy and what is red teaming? Well, what's not red teaming? Ultimately what we've got to think about is that anyone who's trying to do red teaming and say they can do it in days is just a charlatan who needs to be called out as a snake oil salesman. Anyone who's saying that red teaming is all about identifying and exploiting vulnerabilities is completely missing the point. The objective of a red team is to be able to hit those kind of key areas that a company is concerned about: those key systems, that key data, some form of thing that will cause damage to a business if they are compromised. And ultimately the tactics differ; we're talking about threat emulation versus just being able to identify and demonstrate issues. This is what we have as a problem with an industry where things aren't improving, because we're just selling things that aren't red teaming as red teaming.

The common misconceptions that clients have, and it is what causes this problem, are that clients will think that red teaming is just the same as pen testing, they'll think it's a phishing campaign, they'll think it's a malicious insider assessment, but they won't think big picture. I had a client recently who was convinced that red teaming was the idea of me sat at a computer, on the phone to the blue team SOC, saying "I've just failed to log into an account via IdP ten times in the last one minute, has your SIEM alerted to that?" This is not red teaming. That was a billion-dollar company who were convinced that they were doing continuous red team testing because every month they would have someone turn around and go "well, yeah, we're testing whether or not the new rules are being triggered when someone does something," and you kind of turn up and have your mind blown: you've invested how much in your blue team, and you've got how many really smart professionals here, and you are all convinced that you're protected because your red team testing is continuously just turning around and running random automated scripts and saying "did you see that, did that alert?" This is not going to help anyone, and fundamentally, I mean, it didn't help them, because we then had a minor disagreement where I turned around and asked for a domain admin account to test something, got the age-old comment from the AD people, "if you're the hacker, you figure it out," and then had the upset phone call about two days later to turn around and say "have you created a domain admin account outside of the work in progress and outside of the processes in place to do this?" And I had to say, "well, you do red team testing, you've got all this alerting, this is stuff you should be able to pick up," but they fundamentally weren't able to do that because they're not doing red team testing and they're not checking that everything is actually going according to plan.

We've got to get the basics right, fundamentally. If you can walk into a company and tailgate your way in, that's great, you'll have a fantastic war story about physical intrusion, physical penetration testing. If you can walk up to someone and convince them to give you a password, amazing, you get a great war story about social engineering. And if you can then absolutely destroy their network and get domain admin, then that's great, you've got a fantastic war story about how you've been able to just turn up to a business and absolutely decimate them, and how you're really clever and they're not. And quite frankly there'll be a lot of people in this room who probably have a really good number of those war stories, and they're nothing short of hysterical at the same time. But if we can get the basics right, if we can actually focus on talking to clients about what it is that they need, and actually being able to turn around and think how are we going to protect businesses, then we can turn around and start thinking about what's being put out onto the internet. Is it actually secure? Have you got horribly configured firewalls that are just letting all traffic go through? There was a business that I worked with within the last three years that had a 2003 vulnerability on the SMB protocol that was facing the internet. That was a very awkward conversation, to turn around and be like, "there is absolutely no way that you don't have to burn down your entire network, because you have no idea who's in your network, because you've got all this stuff on the internet and your firewalls are just shot, no one's managing them, no one's monitoring them, and people are opening whatever they want," and that just leaves a huge, huge point of entry to attackers. Red teaming, yeah, it's probably going to find that, but quite frankly the basics of turning around and saying "don't open RDP, don't open SMB, don't have FTP, all these really common things, don't put it on the internet and just let anyone access it" would have helped them.

Yeah, we all know that phishing's one of the main ways of getting into a network; it probably doesn't really need to be spoken about. But the fact that I'm quietly confident there will be at least a dozen of you in here who know of a company that's still using 2003 servers, 2008 servers, means that we've also got a problem of thinking "well, red teaming, you get great stories about absolutely decimating companies and getting domain admin," but if you get it on a 2003 server in 2023 it's not that clever. It kind of ruins the story a little bit when you turn around and go "oh yeah, no, it wasn't even EternalBlue, it was 08-067 from way back in the day," that some of you probably don't even get the reference.

We then got to think about password security. The absolute worst I've ever seen is a domain admin who argued point blank that he was using the best password advice that you could get, of four random words, as his password. Those four random words were "we will rock you". It's not quite as random as he'd have hoped, it's not quite as long as he'd have hoped, it kind of defeats the purpose of it, and he was just absolutely livid when I rang him up and went "mate, come on, you're the domain admin of a huge environment, for the love of God, we've talked about this." I mean, at that point you kind of think even "password", I don't know, "27" would have been a little bit better, because we could think that he's at least incrementing stuff.

And then we've got the fact that so many of us have smart devices now that are on the network that we're connecting; we're either connecting to guest Wi-Fis and we're potentially having a point of entry through our equipment, or we've got developers who do feel entitled to put things like wireless networks on networks so they can make things easier, and these again represent a potential breach to the company. And if we can get users familiar with the fact that when they add stuff to the network it is a potential breach point, then we can try and solve this. Again, interesting kind of things where we've seen this happening: people hooking up their phones to the Wi-Fi and not realising that that data is traversing over the corporate network. I once found out, to my horror, that up until around about 2017 Grindr didn't encrypt their data traffic at all, and so you could turn around and find out every user who has their mobile phone on the network, get an understanding of who they are, what their weekend plans are, what their user accounts are, and start sending targeted phishing campaigns specifically to them that you know they're going to follow, because you're building up a very specific idea of what this person does in their private life. So this is something where you think the company itself has no visibility of that, but as someone who is trying to attack, you've got that ability to see that, and ultimately this is a risk that companies aren't really thinking about. So if we can get the basics right, then I'm not saying red teaming's, you know, not needed, but ultimately red teaming can focus on doing the really clever work that it needs to do, not having someone come in to do a red team and realise that actually you can get domain admin within 10 minutes and therefore barely any work really needed to be done.

So ultimately people like listening to these talks to hear about red teaming jobs that have happened. There's a couple that I want to talk to you about: one was a global pharmaceutical institution, one was a UK financial institution and one was a global infrastructure institution. I don't know why I picked the word institution. But let's talk about how these worked. There was a global pharmaceutical company that we worked with where we took the approach of running through OSINT, being able to identify where their attack surface was and chaining together some really interesting web zero-days and vulnerabilities to be able to get onto their network and be able to completely pwn it, and within about five weeks we had network access to four continents and we had access to everything. That was sold as a red team engagement. It's great, it was something really interesting; it took the perspective of being able to say what is an external attacker going to be able to do. Now I'm okay with the fact that every red team has to have a slightly different methodology, but when you see the fact that there are such varieties in the different ways we worked with these industries, you'll see there's absolutely no consistency, and that is also one of the issues.

Because for the UK banking institution we tried phishing and it fundamentally failed. Nobody clicked the links, nobody did anything. I think we got one username and password, and we got one username with an expletive underneath it, so I can only assume that the person realised it was a phishing email. Shockingly, they didn't report it to IT though, so when we went and dropped USB sticks on site, IT were none the wiser that there was potentially a malicious attack happening against them. But this was an interesting one where it shows really the importance of making sure that when you have a red team engagement you've got the right people with the right skill set, because they had an okay blue team; they escalated it up to the point of contact who actually understood that there was a red team happening, and he rang me up seven hours after a USB stick had been deployed to say "we've reverse engineered this and we've blacklisted all the AWS IP addresses you're using to attack the network." That's really good, great job, fantastic. Didn't feel like telling him that six and a half hours ago we pivoted around the network, got persistence and compromised a shitload of accounts. Thought we'd leave that for the report, to be like "congratulations, you were only six and a half hours too slow." And then we moved around the network and compromised it, but the whole premise was completely different. With this one there was such a focus on being able to actually just get domain admin that you think the way we did this was not through any real emulation of a threat actor that's really realistic. This was: we dropped a USB stick on site and someone plugged it in. There are going to be people who do that, but quite frankly, realistically, we could have provided the exact same value by turning up and plugging in a testing laptop and being like "okay, this is how someone's going to do it: the phishing didn't work, this is how someone's going to attack your network." The weeks and weeks of OSINT were absolutely useless, the phishing was useless, nothing really provided any value, and this client fundamentally could have just done with a pen test, because once we had one compromised machine it was game over so fast. Whereas at least with the other one it took weeks to get through their Active Directory; it was an actual challenge. And then we had the pharma one, which was going to start and change tack, and then we had the infrastructure company.

For this one we went for an assume breach mentality; assume breach, for anyone who doesn't know, is where you turn up and you've already got a foothold in the network. And it was really good; we pivoted around the network, we had a look at what we could and couldn't gain access to, and eventually had to spend weeks bypassing their EDR solution. Again, really useful, because they had a blue team that could focus on this, and they had a blue team that were constantly looking out for this kind of malicious activity. So the value to each of these was different, but they all had the capability to actually identify an attack, so we all had something that we were actually achieving. This is a red teaming engagement: it's not just "can we exploit machines" but "can you figure out this is happening, and if you do, can you block it." The EDR one, this one, was particularly interesting because they did get alerts, but they weren't sure what was happening for the first couple of days and thought it might have been just faulty alerting, and then it took a long, long time for people to be able to recode the custom implants that had been created. So it was really interesting how we tried to do this, but again the value of these kind of red team engagements was that there was a blue team to try and defeat, to try and circumvent.

Whereas companies who are smaller than us, who hear the word red teaming, who hear the buzzwords, who think cyber security is just constantly changing the words for no reason, turn around and go "could I have a red team engagement?" Why? "Because I've been told I need one." If you've got no AV or EDR, who really cares? You know your machines are already going to be compromised as soon as you're attacked. If you've got no segregation you're going to be ruined as soon as someone gets onto the network. If you've got no software control or patching policies you're going to have stuff on your network that's awful. And then if you've got no one, absolutely no one, looking at alerts or logging, or God forbid you've got grads doing it who have absolutely no idea what they're looking at, then you've got no protection in place and it's all just an illusion, and as soon as we peek behind the curtain we realise that you've spent a lot of money on an engagement that really didn't need to happen because it wasn't that complicated.

The common objections I hear when it comes to clients talking about red team engagements, the ones who can benefit from it, are that it costs too much, it's too hard to get approved, it doesn't give a consistent list of vulnerabilities or defects, and "no one would get onto our machines so the assume breach is pointless." That last one's my favourite, when a client says absolutely no one would get onto their machines so it's pointless, and you've literally just spoken about people being able to get jobs and get machines anyway and be able to get into companies. But we've got to focus on the fact that for some of these companies these are really valid points. Companies that turn around and go "it doesn't give a conclusive list of vulnerabilities to fix"? Well, no, but if that's what you're after you're not after a red team; your maturity is so far below that that you don't really need a red team engagement, you need either a vulnerability assessment or a pen test or something to go on. Loads of these companies will focus on this kind of thing and they'll completely ignore the fact that actually their development life cycle is shot, and every time they publish a new application, whether it's internal or externally facing, it is being built on sand, and it is just waiting for someone to poke it with the same stick they poked the last one with to get access to the database, again and again and again. And we've seen billion-dollar companies turn around and go "oh, we've got a framework for how we build our applications," and you talk to them and be like "okay, when was the last time anyone tested the framework that you're building them on?" "Oh, well, they do individual spot checks, the pen test of some of the web applications," and then you turn around and identify that the framework's fundamentally flawed, and every single application that you create, no matter what amount of effort you put into it, every single one of them is broken, and you are just completely unaware. And then you think the cost of a red team is a great deal, but the cost of being able to find out that you need to fix the stuff you're building on is where the value is, and the ability to turn around and say "here's a list of issues" is just as valuable as a red team, depending on that kind of maturity level of a business. So it's all about trying to make sure that we can focus on where the company is in their journey through security, what are they actually trying to achieve, and then we can try and help them the right way.

The other issue is that all techies just want to be bad guys. Deep down, every single one of you does, and I know you do because I do as well. The idea of selling a job where you break into a building in the middle of the night and you plant a Raspberry Pi and you do this, that's literally what the vast majority of companies selling red team are doing. Unfortunately they're not replicating the TTPs of real-world attackers; they are turning around and going "go put this Raspberry Pi on that network, we've got remote access to it, it's our RAT, that's really advanced and really technical," and you look at it and go "it's a Pi with a 4G dongle." If you go and sit there on your laptop you're achieving the exact same. This is not red teaming. This is just an internal web app or an internal infrastructure assessment that you're doing via 4G for some reason. But the problem is everybody loves the idea of breaking into a building. Anybody who's done physical security or who is interested in it, give it a go, because it's terrifying and exciting at the same time. But too many of us are really focused on that kind of really exciting technical attack, really exciting stories that we're going to get after doing these kinds of jobs, and that kind of really good rush of endorphins when you turn around and be like "okay, not only did I break in, not only did I lie to that security guy's face and he let me through that security door, but I then plugged my stuff in and I've ruined this network and I'm the smartest one in this room and nobody even knows it, and any minute now I'm going to put the hoodie up, put the mask on and just sort of sit here and cackle like a madman," and then get kicked out because you've ruined it. But that's the problem that we've got, right? We all like those really exciting things, and we've got to really kind of temper that enthusiasm and make sure that we're working with clients directly, trying to improve security.

The point of red teaming is to give companies who are at that level good tests that will make sure they can understand how they are going to get attacked, how they are going to be compromised. Companies that don't need it shouldn't be paying for it and shouldn't be engaging in it; they should be focused on getting the basics right, getting their pen testing done, getting their patch management sorted, because it is still upsetting to the point that I swear when I see a 2008 machine on a network, and you just kind of look at people and go "really? For the love of God, can we please move on?" Luckily I haven't seen a 2003 for a while, but like I said, that one just a couple of years ago was 03-027, for anyone who remembers that from back in the day, the print spooler issue from Microsoft, over the internet: instant admin. On the phone within five minutes, turning around and going "so the Russians are in your network." "How do I know?" "Because why wouldn't they be? Honestly, why wouldn't they be? The Chinese are here as well, probably the Koreans. It took me all of five seconds. Like, oh my gosh, what are you doing?" I mean, luckily I haven't seen too many 2003s lately. I feel sorry for you if you have, because they must be awful arguments.

The problem we also have is when people go "that's mission critical so we can't ever patch it or update it." I genuinely think we'll hit a point where 32-bit operating systems become the most secure, because everybody will have just forgotten how to attack them, all the tools will have moved on, and we'll turn around and go "you know what, screw it, let's go Windows 98 on here, that'll be fine, nothing will work." But what's the big problem as well? The big problem is we have also not only the fact that we get really excited about selling work, not only do clients not understand what they're buying, but then you have charlatans, the snake oil assessment, who turn around and have a skills matrix like this, which I was provided at a previous role, from a company who wanted to have me pay for them to come and do pen testing. Now some of you might want to be optimistic and give them the benefit of the doubt and turn around and say it's probably a multi-skilled team, and those who are saying they can do red teaming but can't do anything else probably have some level of skill set somewhere in the bag, deep down, if you really reach, and that's what they're providing to that group. Unfortunately that was not the case. This was a legitimate skills matrix from a company that were trying to convince me I should hire them to do red teaming, and when I turned around, okay, big question though, I mean, why can only one person do purple teaming? Because if everyone can do red teaming, why can't anyone but one guy do red teaming with documentation, which is essentially what purple teaming is, right? Do you have people who are going to be on the phone to the blue team just screaming and crying while they're hacking a computer system because they can't communicate and actually work properly? But equally, how do we have this situation where companies who don't understand what's going on are being told "this guy can red team"? But let's look at, yeah, let's go number four: this guy can red team and purple team, but God help you, don't ask them to do web app, mobile, wireless, social engineering, firewalls; don't ask them, they can't do it, they don't know how, but they could definitely red team your company. And you kind of think, what on earth is that guy doing? This is the kind of thing that we do have to deal with, and you think if the basics are there we can turn around and go "you know what, anyone who can't do that one shouldn't be doing red teaming," but also any company who's thinking about red teaming should be in a position where they're turning around and saying "well, we've already looked at our infrastructure, we've already looked at our applications, we've already looked at all these different elements to try and protect it." And again, if anyone does want to give any one of these consultants the benefit of the doubt, unfortunately, as someone who met them, you're all far too optimistic; they were devastating people. But this is what we've got to deal with, this is the challenge.

So is it even worth it? Is red teaming even worth it? It absolutely is, if you're at the right maturity level, if the company is ready for it, if the consultants are skilled enough to do it, and if people are prepared to both understand that the goal of this is to replicate TTPs and that the testers are able to do that, and you can work together to really try and figure out what is the value you can provide to a company. And that's me. If there are any questions, yeah, feel free; I think we've got five more minutes. And feel free to connect on LinkedIn or Twitter or anything, and I'm happy to talk about red teaming wins and moan about everything that's wrong with the industry at any point. Any questions? Yep.

"...what's your opinion...?" Absolutely love it. I think we should be trying to automate absolutely everything we do. There's nothing worse than, I mean red team aside, there's nothing worse than going on a pen test and turning around and finding out you can get domain admin within 15 minutes because everything's bad. We should be automating as much as we can, with the simple checks, with all that, so that we can spend our time focusing on chaining together low-risk issues, focused on understanding how the small, minute misconfigurations then lead to an actual sophisticated attack. But yeah, if we can automate the hell out of all the boring work then that'll be great, and if we can turn around and provide people who have the knowledge and understanding with a huge dump of data to go "okay, here's everything you were going to do anyway, take it and figure out what your next steps are going to be," that is only going to make everything improve.

I mean, upsettingly, things exposed to the internet: your classic SQL injection is always a concern when it comes to your sort of gathering of data, cross-site scripting is still a really good way to be able to try and get people's session cookies and then be able to try to access admin areas, but there are still far too many services on the internet that shouldn't be, that are just vulnerable, so, you know, we still get a good amount of success with that. Yep.

"...relationship with your customers..." Yeah, yeah, yeah. I have an issue where it's kind of important; point-in-time assessment, yes; history and knowledge. I think the ones who want to engage like that are the ones who are at that level of maturity that they get it. The ones who turn around and be like "oh well, we'll see you next year" are the ones who are very much just being like "well, we've got accreditation to achieve" or "we've got some kind of regulation that we need to abide by" or a requirement for a pen test, and you turn up next year and go "okay, so I'm going to just cross out last year's date, I'm going to make sure that the one new patch that you haven't done is there, but all the old ones are still there as well, there you go, have it back," and that reporting day really wasn't needed. But the ones who, yeah, I think it's when you can get those companies to get it, no matter where they are, from the complexity of vulnerability scanning, pen testing, red team, because they all have their place and their value, the clients who are keen to work with you as kind of their long-term service provider in security, it's a much better approach, because with the point-in-time assessment we only get however long we get to understand what their network is, what their challenges are and what they're doing to try and fix it, and the longer we can work with them the more we're able to turn around and give them more contextual advice for them, as opposed to "okay, here's best practice," which they could also get from online. So yeah, long-term engagement is always going to be much better than...

But that's what I'm thinking deep down. The main way I try and do it is to turn around and try and discuss where they are at the minute. So they're trying to go "oh, we want a red team." Okay, great, when was the last vulnerability scanning that you had done? What tools are you using for that? Because that will help us understand what things you might be missing, what kind of severity you're doing, how you're managing to track that and what's going on. I start to ask about what their penetration testing program is, to get an understanding of whether or not they even have one and how seriously they take it, and then if they're turning around and going "we're going to have that," it just seeds that little bit of doubt in their mind to turn around and give you the opportunity to say "okay, well maybe, yeah, let's work toward a red team, but let's start this stuff at the beginning, because there's no point wasting your time and money on this when it's going to be easy." The one at the back, yeah.

So ultimately the way we gauge maturity level is very much based on whether or not people are doing vulnerability scanning, pen testing or red teaming, whether or not they've got the internal employees to actually understand their patching levels and understand whether or not their configurations are there. If someone's not doing device hardening and they don't have a gold build, they're not at any serious level of maturity because they haven't thought about it, so we understand what they are and aren't doing. I think that's what we've got time for, so thank you very much.