Getting started in Red Teaming
In this episode of Infosec’s cybersecurity podcast series Cyber Work, host Chris Sienko talks with Curtis Brazzell, managing security consultant at Pondurance, a managed detection and response cybersecurity firm. They discuss how Curtis got his start in security, the methodologies and day-to-day work of Red Team operations, and what the future looks like for Red Teaming.
If you’re searching for a solid introductory view of Red Teaming, look no further!
Tell us about the intrusion detection and response platform you’ve been building in your spare time.
Curtis created an intrusion detection and response platform aimed at home consumers. It was essentially a remote security operations center (SOC) for the home: it detected and responded to threats on the home network and also handled malware removal and software updates.
How did you get started in computers and security?
Curtis’ passion began in third grade when his elementary school was gifted Macintosh computers. He subsequently pushed this to the limit, causing his dad to notice and prompting him to buy Curtis his first personal computer — a Compaq Presario with Windows 95.
After starting out with website design and learning Visual Basic, he got into security around 1998 through a website called crashme.com. The site exploited a Windows 98 vulnerability that would crash your system simply by visiting the page. Curtis reverse-engineered how it worked, and that was what opened the floodgates of his passion for security.
Can you explain what a Red Team is and how it relates to things like penetration testing?
Red Teaming refers to advanced, targeted attacks that simulate a real-world adversary. It is like penetration testing but goes a step further: instead of enumerating and reporting vulnerabilities, the team goes in blind, with a goal to reach, and attacks the organization the way a real intruder would. Red Teams operate more stealthily and use more advanced tactics than a typical penetration test does.
A big part of Red Teaming is the physical side of operations, such as going on site or dropping a malicious USB device. Another big part is phishing; Curtis cites the figure that 91% of breaches start with phishing.
What made you want to take your career further into Red Teaming?
Moving further into Red Teaming was a natural progression for Curtis, but the thrill of breaking in deserves an honorable mention. Part of the excitement comes from problem-solving and having to think fast in the moment.
Curtis likes all aspects of security and saw Red Teaming as an opportunity to take security further and to see how far he could push the envelope. However, it should be noted that Red Teaming is not as “Hollywood” as you may think.
What makes a good Red Team member?
A good Red Team member needs a variety of skills. Most members of Curtis’ team come from varied IT backgrounds: former administrators, developers, security practitioners and so on. Your path within a Red Team is often shaped by that background and the specific skills you bring, but for the most part you will want a broad skill set if you want to Red Team.
What experience, qualifications and accomplishments should you aim for to become a desirable Red Team candidate?
The most important thing is a genuine passion for Red Teaming. When Curtis hires for his team, he can tell whether someone is passionate about security and tinkers at home in their own time. Being proactive about learning new skills is essential and makes a candidate far more desirable.
How do Red Teams actually work?
Red Teaming works best when the operation is as close to a real-world attack as possible. That means simulating real attack conditions: not restricting activity to business hours, using advanced tactics, employing zero-day techniques and otherwise doing whatever it takes to give the organization an authentic cyberattack experience.
What are some of the common methodologies that Red Teams employ?
Curtis says this could go however you want it to go; it really comes down to the individual Red Team tester. Some prefer gaining physical entry, whether by simply tailgating someone into the site or by picking a lock. Some like leaving USB Rubber Duckies on site so that a physical USB attack can lead to compromise of the domain, while others look for an externally exposed VPN and use phishing to steal credentials for it.
Every engagement is also different, which calls for creative thinking and a willingness to try different tactics.
What type of companies employ Red Teams (and can they benefit smaller organizations)?
Any organization should be prepared for a Red Team, but a full Red Team engagement may be overkill for smaller ones. Organizations just starting out should begin with vulnerability scanning and build up from there, eventually bringing in a Red Team.
How often should a company test their security with a Red Team?
This depends on the organization, but generally speaking once or twice a year.
What is “too far” when it comes to Red Team testing?
This is a very important question. Red Teams need to have this conversation with the client up front, when agreeing the rules of engagement for the operation. Red Teams will not do anything illegal, but beyond that, clients differ: some organizations are fine with activities such as lock picking and others are not, so these boundaries must be established before the engagement begins.
How long does it take to complete a full Red Team assessment?
This depends on the assessment, but generally two to three weeks of testing. Overall turnaround time varies, because writing up the documentation can take as long as the testing itself.
How do you report your findings to the company so they can close their security gaps?
Reporting is saved for after testing is complete, unless a serious, glaring gap needs immediate attention. An example is finding that anyone on the public internet can remote into the network. If a gap like that turns up, the organization’s IT staff can expect the proverbial middle-of-the-night phone call from their Red Team.
What are your thoughts on Purple Teams?
Purple Teams are great! The Red Team gets to try to bypass the Blue Team’s defenses and experiment with different methods, and the Blue Team gets to use that experience to improve its own detection and defenses. It’s definitely a win-win for both teams.
What’s the future of Red Teaming?
Red Teaming is a game of cat and mouse, constantly trying to stay on top of new techniques and methods. That will probably never change, which means Red Teams will become more important, and ultimately more common, over time.
In this episode of Infosec’s Cyber Work Podcast, Chris Sienko chatted with Curtis Brazzell, lifelong IT aficionado and managing security consultant at cybersecurity firm Pondurance. They gave a high-level overview of Red Teaming that is sure to answer the questions many people have when first learning about the field.
Stay tuned for more insightful episodes of Cyber Work. If interested, you can watch Curtis’ interview on the Cyber Work YouTube page.