AusCERT 2017 – Red teaming to make your security response stronger

Red teaming is a well-known tool for improving your resilience to a cyber-attack. The idea is you have a team of people, either internal experts or internal people learning the craft with the support of external partners such as penetration testers, who play the part of hackers trying to infiltrate your organisation and execute a cyber-attack.

A blue team fights back, trying to counter the attack. While the results of the exercise might be measured in terms of the blue team’s response, the real benefits only come if the red team do a great job.

During the 2017 AusCERT conference, experienced security tester Wayne Ronaldson walked through a red team attack to illustrate security from an adversary’s perspective as a way of educating the audience into how prepare and protect against both simple and sophisticated threats.

Ronaldson’s simulated attack involved playing the part of a state-based threat actor. His attack aimed to breach the business by attacking the company on several coordinated fronts.

Th key point, Rondalson said, is that smart attackers take time to understand the culture of their targets. They can leverage this in ways many don’t expect.

It gives attackers an entry point through social, physical and digital channels. This is critical. Very few successful attacks rely on just a single attack vector. The most sophisticated attacks against seemingly impregnable targets use multiple channels. Even the first known state-sponsored cyber-attack, Stuxnet, took advantage of multiple attack channels through USB thumb drives and the exploitation of four different zero-day vulnerabilities.

It’s also important to understand company supply chains said Ronaldson. While you might feel your boundaries are well protected, the same might not be said for your supply chain and other partners. Smart hackers and red team members will exploit the trust you have with your supply chain to execute an attack.

While there have been plenty of headlines about the skills shortage in information security, Ronaldson said there is one quality that the best hackers and penetration testers possess that won’t appear on a university degree: persistence.

In order for a red team to succeed, and therefore teach your business what it really needs to know about its security posture, they need to persist. And this is crux of the cybersecurity challenge facing businesses today.

Companies have thousands of assets they need to protect, stored a massive array of devices that are used by people with a vast continuum of security awareness. One the other hand, red team members have a single goal.

This is why persistence is key says Ronaldson. Many security experts point to the asymmetry faced by infosec professionals. But that asymmetry is only possible through the persistence of threat actors. And this is why it is important for red teams to not only be highly skilled in several disciplines, such as social engineering, networking and software development, but to also be resourceful and prepared to try a number of different tools, over a period of time.