You’re Probably Not Red Teaming (And Usually I’m Not, Either) Webcast by Deviant Ollam
Key Takeaways
The video discusses the nuances of red teaming in cybersecurity, highlighting its differences from penetration testing and the importance of understanding client needs and simulating real-world attacks to test defenses. Tools and techniques such as lock-picking, social engineering, and bypassing door sensors are demonstrated.
Full Transcript
hello everyone and welcome to today's sands webcast you're probably not red teaming and usually I'm not either my name is karol off of the SANS Institute today's featured speaker is Stevie and olam security auditor and penetration testing consultant with the core group if during the webcast you have any questions for our presenter please enter them into the questions window located on the go-to webinar interface at any time please note that this webcast is being recorded and a copy of the slides and recording of this webcast will be available for viewing later today it can be found on the sans registration page and with that my ten the webcast over to Demian all right how is everybody doing thank you again for tuning in I always enjoy both being at sands events in person and reaching out to you here online so this is a new one for me this is not a new one in the sense that I'm about to be critical of some maybe some sacred cows or just some received wisdom that everyone thinks is well of course it's that way I'm good at being critical about things what I'm not always good at is being critical of either myself or of trying to take myself down a peg and I as as much as many other people in this industry have used the term red teaming or the title red teamer in a way that I think is a little too broad in the past I think it's a trend that still goes on and hopefully if we tease apart some details talk about where the industry gets it right or where the industry gets it wrong we can we can all come away a little bit wiser and a little bit better positioned to serve the needs of others so yeah I mean it's it's no joke if anyone knows me and many of you do and you come up to me and say hey all the time it my job is fun right I am for those who don't know me I am the physical penetration and covert entry person in sans land and and elsewhere my team and I well we break into buildings more and more you start to see physical penetrations offered as part of the lineup of services that certain firms can conduct these days but getting inside not just your social engineering but getting inspired through physical compromise of locks and doors and alarm systems and access controls it's fun and you'll see some videos along with the images as we go I do know that the webinar can make some videos a little choppy but even if it's choppy playback you can tell I mean this is a lock door this is actually a municipal water pumping station and that door just sprung open with the use of a little hook this is me being filmed by another company trying to make of some production about oh what's this covert entry thing talked to me and Here I am down below a door using what's called an under door attack and actually opened it so quickly that the hosts look at this cameraman he said did you get that the cameraman said I don't know can you do it again a little more slowly and by now if anyone hasn't seen good lord this infamous video of me showcasing a bank that was locked at night my wife happened to have her phone out recording me and I just kind of blow a mouth full of whiskey right through the crack in this door triggering a motion sensor on the inside which pops the door lock these and many other eclipses and photos of me online have definitely an effect on people saying oh man that job is so fun I I wish my company offered services like that I would love to get to do what you did it must be so cool to be a be a Red Team person like that so let's let's talk about that I bet a lot of people believe what you just saw in those clips our examples of the skills of quote red teaming I'm gonna say it's not I'm gonna say there's more to it than this and the definition has a little bit more nuance so let's let's get into this now by no means am I the first person to try to bring some rigor and some discipline to these kind of topics the idea of what is or is not a Red Team engagement has been talked about at length by Chris Nickerson his buddy Chris Gates those two did talk about adversarial simulation at brew con Wild West had confessed you know the inestimable Dave Kennedy right Dave Kennedy was one of the first people I ever heard talking about a concept of a purple team Carlos Perez also had a talk called thinking purple at Derby con Chris gates again he gave a talk with Hayden Johnson called purple teaming the cyber kill chain he did that at sektor and toronto so what is purple teaming right I mean we think we know if the red team is we we think we know what the blue team is and all of a sudden people are saying purple well it's not just kind of mashing the two teams together is that all it means this doesn't mean you take people with red team skills and blue team skills and hire them to work together on on what on engagement so I'm consulting I think my favorite quote of the people you just saw in that slide was was definitely gates Chris Gates said oh yeah I heard of that purple teaming right that's when you put a red teamer in the sock with the blue team and then you just charge the client double for some reason because it's new well okay I guess that's a workable definition for some but before we tease out purple and red let's let's go back to blue let's go back to the defensive side there are three core elements to security any security model should be thought of in three facets right and they're all represented here of course they you got your padlock you got your ones and zeros and you got your guy in a suit and if you think I'm joking just search stock image sites they literally all have the padlock the ones and zeros and someone in a suit because of course you have to protect yourself from the person who's not in a suit but as much as we like to joke about bad stock image I mean that this really does those three elements are sort of correlated to the way we should be thinking about the layers or the surfaces of our security your padlock is your physical security your ones and zeros what's that well that's your network security and I realized many times these are related digital network security physical security tied together by who who's your trustworthy person hopefully well that's your you know the human side of your security but that crossover is really where you get it that's what's where you get these interesting attack models and the Kotak surfaces so what about an electronic access control system is that well is that an electronic security is that is that physical security it's sort of both well who's responsible for it who has ownership of it in the domain this is something Chris Nickerson a friend of ours has talked about many times the the convergence of different surfaces are where you start to see really interesting attack options so is this what red teaming is what's that that red starburst right in the middle the convergence of all three areas is that where the red teaming like lives it sure is red well let's think about this a little more let's think about attacking on these different vectors the physical vector the the lock-picking and you know covert methods of entry what I'm very well known for many of you may have played with these sort of tools and tactics at least as a hobby if not perhaps on a job so sure enough you know lock-picking opening a lock even a terrible little lock like this a little wafer lock why would I show wafer lock well because it's the lock that holds you know everything else in the building your key cabinets your alarm panels they're all behind terrible wafer locks well that's one sort of a single surface attack and it could be even more low-tech here we see a door bypass and in fact I'm just using a piece of garbage a little piece of plastic to pop into a server room that's an obvious attack that people understand they understand one method of attack against one surface the physical surface what about the digital surface well plenty people understand this kind of attack on the side of it to the attacker it's not nearly as cool to show obviously on a screen look Metasploit happening but many of you have these skills many of you understand if you're on the digital defensive side well you have to patch and harden your systems segment your network many of you understand on the attack side yes a digital attack means while I can get root on a box okay there we go cool meterpreter session opened I love the crossover idea though right I love the idea of here we have a badge system here we see literally a physical access control but it's electronic and what's happening if you've never taken one of our classes or seen other talks that we've given it sands here we have a sniffer tool a covert interception tool that's actually going to be punched down on the bus wires the actual Wiegand bus behind this badge reader which will give my team and I full credential logs of everyone using this door it'll give us the ability to replay these credentials to get in later we can sniff these credentials over the air and then turn them into a valid badge but even this normally kind of the realm of attack that you wouldn't talk about outside of Governments a few years ago even this is understood now oh okay yes so this is a blended attack maybe on a couple surfaces but I get it sure this sure is an attack I understand that and how many of you have taken you know lance and other people have done securing the human right attacking via the human vector social engineering bluffing look just look like you belong there right we talked about this plenty of times and for those who think this could never work I mean good heavens this was a famous photo we've showed a few times this was in Oklahoma a man dressed up like an armored car driver and walked out of a Walmart with $75,000 he just said oh I'm here for the you know here for the daily pickup if you think that keep your head down and look like you belong there it is invalid how about this guy this is a famous video of a man who stole a bunch of beer one weekend in Alabama he doesn't work for the grocery store he's just a guy with sort of an outfit on taking a big cart of cases of beer out the door he did it to multiple grocery stores so quote look like you belong there absolutely a valid attack vector I'm here to fix the phones so we understand these independent vectors but again is this red teaming all of these videos show people my team and I breaking into building as you see the badge reader let's let's actually share a couple of brief stories together and when we're done I want you to tell me we'll talk about what is or isn't red teaming when everyone likes my story so here we go story number one the elevator repair technician so right off the hop elevator technicians a great cover story if you have to do physical on-site work number one elevator technicians don't show up too often there may be there on a semi-annual unless something's really wrong so people in the building don't know their elevator guy quite as well as they might know their FedEx person number two anyone can kind of look like an elevator technician I mean Here I am with a badge that says Otis but I don't think Otis field technicians even wear badges let alone ones that look like this I just made one and number three anybody can be an elevator tech performing an emergency phone test now I don't think anyone's gonna get in real trouble for this if you ever want to use it on a job I don't believe it contravenes any local laws or ordinances anybody can perform an e phone test if you are in a building you don't know what to do just get in an elevator if you've got your metal clipboard you look at your contractor kneel down go ahead and press the call button on that emergency telephone wanna know what an e phone test is like there are three steps first and foremost whenever anyone picks it up sometimes it's a machine and automated service but many times you'll reach a human it might be someone on-site a security desk it might be someone at a remote service it might even be the police it doesn't matter who you reach as long as you start off by saying mmm this is a test of an emergency phone I'm a technician performing a test let them know right off the bat to test even if the phone dials 911 it's probably not a big problem step two you ask the other party can you hear me can you hear me clearly right now and you can drag that out of it you can you know how can you tell one two three one two three can you hear me okay very good ma'am and step three the one that really really is a curveball you ask them can you identify the location from which I am calling and this one sometimes if it's a guard we we've reached actual guards on-site in the building as we did in this story that I'm about to tell you and that really flummoxed them they had I don't know where you're calling from and I you know we just drag that out a little bit longer put them back on their heels a bit so again anyone can look like a contractor that metal contractor clipboard which I always use to hide a bunch of other bypass tools and things so I'm in this building and I understand okay I'm gonna do an e phone test and I'm talk you know we reached a guard the guard you know didn't know where I was calling from and I said oh that's okay we're just we're just testing the elevator sir now what happened on this job though the teammate I was with they had to go back to the hotel they've forgotten you know a remote drop box kind of device they were tasked with installing on the network and I said no problem I'll just sit in this elevator my teammate said are you just gonna what do you what are you gonna sit how long can you I know you can make any phone test lasts a while but you can't make it last an hour I said no provident took out my keys if anyone has seen my elevator hacking talk just disable the elevator from the key the key switch I said in there just read Twitter and it turns out I'm glad that I had time to just read because the the teammate of the hotel things were going slowly I won't get into exactly what went wrong but it had to do with a faulty USB keyboard and this poor soul was using on-screen keyboard with his in-room TV and an HDMI cable trying to set up his scripts but I didn't mind I was in an elevator the elevator was disabled because I had turned it off I just had it had it no one's gonna bother me I'm hiding in this elevator then I nearly had a heart attack because somebody I thought was pounding pounding their hands on the outside of the the hoistway doors and ice calm down calm down deve all right look this clearly it's a look at my watch it's 5:15 it must be the cleaners they must be wind Xing fingerprints off the doors turns out it was it turns out it was in fact a security guard now they weren't trying to get in the elevator but I figured out what happened when my teammate came back from the from the hotel eyes he radioed me okay I'll come let you in I reenable the elevator turned it back on as I exited the elevator to let him in the lobby I looked and there was a sign taped on the door literally I had been in the elevator so long that they thought it was out of order they said please use the elevators on the north bank you know the other side of the building so we had a chuckle at that but sure enough now it's after 5:00 now no one's in the building who comes around the corner security guard now fortunately for me I've got what I've got my metal clipboard of my Otis badge first words out of his mouth like wow you guys got here fast we said oh yeah you know you're paying for the enhanced care so let's see if we can get this elevator running again and you know I did some things with keys that looked like I knew what I was doing and of course the elevators running again I had already turned it back on I performed an e phone test right in front of it oh yeah I heard there was some testing going on earlier says the guard apparently during shift change they communicated oh yeah well you know we're here for those elevators you've had some kind of problems where the newsflash every building has elevator problems at least people think so if you say oh the elevators are running slow though oh yeah we've had that problem so what happened then well we had the guard take us around we had the guard so can we check your elevator controller logs maybe there's some some entries on that database that will explain the error fault codes we should check that guard let us in everywhere escorted us around my buddy dropped the pone plug in the server room success because who doesn't want to keep their elevators running of course you want to you want to trust your happy otis technicians so that's one story for you we're gonna ask in a minute if you think that's red teaming how about here story number two the cable technicians i cannot stress how much a little bit of recon can really be a payoff if you want to look like you belong somewhere if you find out who somebody's integrator is who somebody's utility company is any sort of a firm that's a badge or a name that recognized on sight you can turn that into a slightly convincing ID if you have a badge printer I encourage a lot of people that if you do physical work get a badge printers are out in the field with you you're making badges at your hotel room or your Airbnb get yourself some polo shirts that have the logo on them so you look like you belong there this was a job where Babak and I we're just walking around the building we haven't even gotten in yet we're just casing the whole place we say okay so what you see a building though right there's a possible door on this side of the building and and as we're talking it's late at night bobak kind of said hey who's who's that way over there we look way across this dark parking lot and we see a white truck and of course sure enough that's a security guard dude we don't see the guard yet we're looking again it's very dark way across the park in another building we see somebody walking around kind of checking doors like oh that's that's definitely a security guard now he hasn't seen us and something we ask all of our students whenever we talk about social engineering we say all right you haven't been spotted you know the guard is there they haven't spotted you what do you do and a lot of times students will say things like we'll definitely you know get back in your car get out of there we had one students say look for the best Bush you can hide in I said all right I admire your your your at your ingenuity of trying to find how to you know conceal yourself but every so often we'll get what we think is the right answer and some students will say go up and approach make a new friend which is what we did we waved at him from across the parking lot flashed our flashlights call the guy over and we started having a conversation we just did send a look we're here from Verizon have you seen a big bucket truck it's supposed to be coming out here tonight we were just pulled off of another job this is building 12 isn't it yeah that's building 12 we'll say look well obviously we can't you can't let us in we don't want you to do that sir and the guard says no I couldn't do that we said yeah but look we're looking for Phil Mickelson he's the allegedly the manager of this building he's supposed to let us in that you know you haven't seen any is this a 9:00 to 5:00 is anyone here at night we've knocked all the doors and the guard starts leaking some information know that I've never seen anyone out here past 5:00 5:30 I come around every couple of hours you know we don't usually have anyone out here we said oh man all right well we're gonna try to figure out what went wrong all right thanks a lot you know is there a place to get a cup of coffee we'll get out of your hair we left but now we've got some information we know the buildings probably vacant we know the guard only comes around every few hours and more than that he knows us now do you think he verified anything we told him do you think he could what was he gonna do is he gonna radio dispatch and say yeah so there's some people out of the parking lot they didn't ask me for anything they didn't ask to be let in and they left that's an odd thing for a guard to call in we weren't really trying to get in the building yet we were just trying to find Phil so we don't think and even if he could what who's he gonna verify this with dispatch are they gonna know that Verizon was working in the area probably not so we waited half an hour came back we did get in the building how did we get in latch slipping again these little latch hook tools if you've never used one if you've never tried one ask me in the questions about where we find them ask me about how many doors these work on simple tools that reached in grab a latch pull it away when a door is not fit properly absolutely a killer so that's what got us in this building so now we're in the office we're moving around we're popping computers going into drawers that are unlocked we found a server room I'm trying to under door tool on this server room right eventually I get in there sure enough this is fantastic but at one point as I'm walking down the hall bobak comes up to me hey hey dude you got put that stuff away put your bags down come I think I hear someone so we walk around it around a corner sure enough there's the guard the guard we made friends with in the parking lot first words out of his mouth were not hey what are you doing in the server room they were not hey are you sure you're supposed to be in this part of the building because to him oh we're those nice helpful polite people first words out of his mouth work hey did you guys find Phil we said of course we did Phil let us in we're all good but it hasn't been two hours so now we're a little curious we say hey huh I thought you only came around every couple of hours it's only been you know 45 minutes or so what's uh what's going on well it turns out he had been dispatched over and over to a door that we kept opening we were opening a door and we didn't see normally we bypass all the door sensors but there was one door we didn't catch a door sensor and it kept alerting a silent alarm he kept being dispatched clearing it being dispatched clearing it and five and we told the client this we said look you know we had we had an interaction with your guard in the in the building they said no that could never have happened we said no pull your tickets and they did they pulled the dispatch tickets and sure you know door 21 Jay George George wondered you can't find any signs of forced entry Verizon is working in the building and made a prop door open instructed field technicians to keep doors closed after 30 seconds they will alert so that level of interaction with the guard of course you know look look what look like you belong there who wouldn't trust us so that was another big win that was a great job and it was very valuable for the client they didn't fire anybody thankfully they did some education that was that was a really positive experience again was this red teaming well let's talk about it after the last story the last and final story I'll give you is the armed guard story now most of the time our jobs don't involve regular jobs it'll regular guards not armed guards right so most of the time regular guards are not very well trained this was a guard desk in a building where literally the guard is just not there and there are this all these log books of packages received in the building keys and the building key cards I just sat there in the guards chair with all the key cards just kind of spinning around in the chair waiting to see if somebody would come along again late at night I don't know where this person is they never came back I got bored and eventually walked away but that's an average guard armed guards tend to be a little more on the ball now have we done armed guard jobs yes we have have we ever been worried not really armed guards aren't going to engage with lethal force unless you're doing something very egregious but they are a little more sharp they're a little more frosty so we said all right let's see how this how this job's gonna go we wanted to grab some electronic credentials to get into a more secure part of a building if anyone has never seen any of our electronic has control presentations or again taking any of our classroom time we talked about weaponizing long range hid kind of badge readers long range RFID credential readers a battery pack a little boost converter the big coil allows you to put this in a bag or backpack and if you just get next to somebody this video here this is a badge grab right out of the you know the other guy's pocket about a foot away there's our friend Dennis getting successful credential grab off somebody and he never had to touch them never had to reach into their pocket so we said alright let's do this we know these guards all have badges we're gonna put a you know a badge Reed or a big long-range weaponized badge reader in our laptop bag send somebody in try to get close to them try to get a badge read so who we gonna send in well these are armed guards right what most armed guards aspire to be many of them are trying to career track one day to be a cop we said alright well one of the guys done our team used to be on the force send it a cop Rob get in there just cop it up man talk about police things so Rob goes in bobak is out in a car so Rob drove this is late at night you know it's 10:00 10:00 11:00 at night middle of a winter parking lots cold the cars cold you can't leave a car running that just looks weird Rob pulls up with this car walk to the front door and Babak is in the backseat under a couple of coats and he's remotely connected to the badge reader trying to see if we're getting results from that from that Hunt pad he will send a message to Robert saying all right we got a badge get out of there Robert had to walk so far to the vestibule that he lost signal with Bob at almost immediately so now babak's completely blind but just in the back seat shivering Robert keeps trying to get close to these guards and he must have spent almost an hour in this Lobby because the guards being armed it's a natural part of their training their inclination is to blade off they go strong side back and if you get near one they'll start still just blade their body away so every time Robert tried to walk near somebody they would subconsciously without even room they just kind of take one step back and Roberts you know he puts his bag on a counter and it holds up his phone today wearing these restaurants good and hoping they'd leaned over the counter with their badge nothing happened nothing working but persistence is key right finally start saying goodbye start shaking alright well fellas I'll see you later the last card says goodbye to Robert goes for broke he says alright this is gonna either be it or not swings his laptop bag in front of him just gives the guy a surprise hug and kind of I think he tells the story he held on to it a good second or two made a little weird says alright fellas see you later I'll leave gets back out to the car where babak's still freezing says what took you so long in there Robert said I think I think I got a read I think you're gonna read they just went immediately they pulled over on the side of the road popped out the SD card Roberts you know Bobby's talking to the Badger II look oh my gosh all right we got one good credential but whose credential did we have we had guard permissions the next day they were on a new shift everyone comes back with copies of the guard badge we bluffed our way past when the you know people in plain clothes are badging into the building and the terminal that the Security's looking at says guard guard it says what are this what's this is oh these are VIP badges they expire at midnight we just came in from the you know California office okay says the guard because the badge works right two beeps it's green we got into an elevator overrode some elevator restrictions to get to a lockdown floor they made it to the server room Bob it picks the lock on the server room door gets in there right up to the network rack now we weren't actually allowed to connect to their network but we physically demonstrated we could we could we could touch the infrastructure complete win a complete win across the board now the big question which one of these scenarios counts as red teaming you heard three stories which one was the red team engagement how do you judge we've talked about this a little bit earlier is it the all surfaces litmus test do you have to attack successfully on the physical the electronic and the human side let's see which which story did that how about the first story the elevator repair story well we walked into a building I hid in an elevator for a while I encountered a guard I kind of bluff my way through in interacting with that guard by showing some Oh look I'm here from Otis and then the guard escorted us everywhere was that red teaming I would really just call that social engineering we really didn't touch a lot other than the human surface in terms of leveraging our access so is this a red team engagement no no I would not say so but a lot of people would think it is oh I did that red teaming thing I bluffed my way into that building how about this time how about the cable technician story you heard right we're here from Verizon so we walked around a building we interacted in social engineered a guard pretty effectively we were able to physically get through a lock door a couple of locked doors in fact using bypassing and picking that's a blended attack but it's a blended attack on only two of the three surfaces is that red teaming was this a red team engagement I'm gonna say no it does not qualify in my mind well then process of elimination right we must be talking about the third story what happened there well we had this hunt pad we had prepared we established some rapport so a little little human sector we grabbed that RFID credential on the digital vector okay we made a new digital badge we got past some more guards elevator systems I would call this digital oh then we picked those locks and bypassed our way in okay physical we've got every of the three you know the three surfaces now we only famed the network attack but we could have absolutely done that we're allowed to connect to we demonstrated full impact across everything was this a red team engagement maybe this must be the one right you know what for me it's not I'm not gonna call any of these three stories fun as they were none of these three in my opinion qualify as true red teaming how come that last one a lot of you might have thought oh this must be it I mean they they hit all the surfaces they did all the things some people are gonna get hung up on the fact that well we weren't allowed to touch the network right because the network wasn't in scope oh do you have full scope no scope is that what makes something a red teaming engagement how much scope a lot of people a lot of people hang their hat on this argument and see people even friends of mine talk about this their red teamers can't have a limited scope right adversaries don't have scope therefore a red team can i disagree i think adversarial testing to be valuable for defenses you shouldn't have artificially ridiculous scope but there are certain things that can be in or out of scope here's the example I like to make let's say you are charged with testing the efficacy of bulletproof vests body armor you might have someone on your team how many people know the red teamer like this there's oh we're testing the the soft body armor we're gonna test our bulletproof vests well let me let me go ahead and get my artillery cannon my light weapon here are you gonna point this to this bulletproof vest let's see how that goes Wow then they look at you that huh bulletproof vest pull my leg this was a terrible - like I blew it right away well if the client wasn't testing whether their bulletproof vests could face a cannon then you just wasted everyone's time if cannons are not in scope that makes sense and you don't do that that's that's you I'm sorry this is just where I start to write I we know people like this we know people who think they are the king of all kings and look at how badass they are stop thinking you know more than the client a lot of red teaming has its best value when you are modeling the correct threat when you do actual adversarial modeling you sit down on your kickoff calls you really do the research and engage with the client to figure out what their threat is and you model the relevant threat because what declines ultimately care about most of the time and I'm gonna borrow from my buddy Chris again on this one he says a client only cares if a vulnerability is going to cost them money or make them look bad that's it if you can't demonstrate that something you did would cost them money or make them look bad many times the two are related you're not doing a really good job red teaming so what is the actual job of a red teamer well we've talked about thinking unconventionally you have to be able to think away an attacker would think not the way it invention offender would think and make your attack across all surfaces yes however you have to model the relevant threat if okay if you're testing bulletproof your body armor it's not supposed to face off against a cannon if you're testing how strong a lock or access control system is on a front door it's not school hope to face off against a wrecking ball so model the relevant threat yes you should demonstrate real impact being theoretical is fine on a tabletop exercise but as people like to say well someone in there reports well what we could have done we could have gotten your badge and cloned it and they say well did you do it no well no but if theoretically it's no well did you do it is the question that people like to ask a true Red Team engagement demonstrates actual impact but all these these points while they're valid were missing something there's a fifth point there's a key key element that none of my stories actually showed you what was missing you've seen it in all the pictures I was showing you the blue team where is the blue team in all of this that's what red teaming is red teaming is not the same thing as pen testing pen testing you show up you break into a lot of stuff and you leave red teaming by its very nature you can't have one without the other the red team has to interface with the blue team to provide that's what a red team's value is a famous analogy that has been used and I love it is the idea of sparring you are an adversary who is there specifically to make the blue team better to work and play up their strengths to build their talents how many people think this is red teaming the idea of one person is way more powerful completely outclassed as the defender and absolutely wrecks them just smashes them beyond all belief boom and then what happens will you come back six months later the red team the the penetration tester if you will is just as strong as they were the blue team is just as defenseless as they were and you get the same result six months later is that valuable to the client no not at all what you want to see is engaging with the defenders after your after your attack you want to see the defenders getting stronger you want to build this into your jobs if you can please I beg of you when you start thinking about your gig if you're just a pen tester that's fine most pen testing jobs are just alright we plan we knock things down we write a report or frankly in most of our lives because jobs are scheduled to close together you're bouncing from one job to the next so quickly that you're writing the report on the plane I mean I've known companies that do this in my world though that's that's just pen testing if you're a blue team er please build into your job schedule some time on site wit I'm sorry your red team or please build time with the blue team and let's let's look at some examples right I have I have some good pointers for you here some fun things this was after the conclusion of a successful intrusion of a data center now what are we what is the footage here I know that the footage may be a little choppy I'll show you an image in a second we're using the mirror and a flashlight up near the top of a door what are we looking for in this door I referenced it earlier that's a door sensor that's a door contact sensor right why are we showing that why Mike's talking with us well we literally walked around this whole data center with the blue team we took them out of the sock we said look here's what we did to get in this door here's the we slipped a magnet up in the doorframe we showed them the magnet sensor sensitivity we showed them we said alright well how can we make your did your sensor logs show anything all right let's tune the sensitivity oh you got an alert but you didn't get alert that was a forced door condition here you and I'll get told again here stand on this stand on this ladder you get up there check the door sensor and the blue team actually getting to pretend they were the adversary that to me is red teaming not sticking a red teamer in the sock getting the blue team out of the sock and walking around with you showing examples of exactly the tactics you used and then they can fine-tune their defenses bobak actually spent time in one of the IDF closets looking at their door controller all of these inputs for various sensors around their door stones should be supervised din puts meaning if there's any disruption if they say that if the signal goes high or low it should alert a lot of them weren't configured right and he's there on the radio with a blue Timur and he's just unplugging door sensors okay trying door 12 did you get it no you didn't get no alarms all right mark that down trying door 10 the alarm goes all right door 10 is configured right that was an alarm let's try door 8 so going around and showing people things we found this is a medical facility where we actually showed look all right you've got these nice keypads but you have all of these extra switch boxes has anyone ever looked at what they are and the whole blue team said no and we never really use those I think there's some sort of emergency something or other they were in fact they were an emergency override that would unlock the doors in the event of system failure well what do we see on the back here we see a tail cam of a key switch we see a momentary button that would yes indeed unlock the door but does anyone see this little red button up here what's that that's a tamper sensor that's a tamper switch if you take this freaks plate off that should set off an alarm I realize this is a photo not a video if it were a video you would not be hearing any alarms these were not configured correctly on half the doors we checked and again the blue team had no idea because no one had actually walked them through this kind of an attack before once they knew what it was they knew how to guard against it the next time we came back everything was much tighter they had all these switches working my favorite job ever that we actually really saw a good traction with a blue team getting better was a biometric reader once big data hall on a data center had a biometric reader I won't get into the nitty-gritty you can ask me in the QA essentially we leverage the fact that we and in weig and out we just kind of bridged our connections and took the biometric reader out of the loop we were actually able to do a pass-through attack and show them look when this biometric reader is off the wall the way you have the system set up it's you shouldn't be wiring it this way it's easy to bypass the client was so impressed the next day they had technicians out there changing the configuration making it harder to make this feasible so by all means that was some of the best value ever even though it'll make our job harder as attackers interfacing with the blue team so that they get better after you've come around and knocked everything down that's what your job as a red teamer should be now I don't just want a finger wag and be very prescriptive here so I'm gonna give you an extra little gift as I oh and like to do I don't think in any of my previous sands talks I've given a huge rundown of key to like systems in terms of my current allotment of keys that I like to carry what do I mean by this what I mean by keyed alike systems well lots of entry systems in fact telephony access control systems are some of the bigness biggest offenders on the front of doors lots of entry systems come from the factory keyed alike and their keys are all well known and easy to purchase this is a linear system if you're curious in this photograph right here all the linear systems use this little key right here what can you do if you get inside of these panels with a key - like system well inside you have a nice momentary switch that will allow you just to fire up whatever door relay is inside the cabinet Here I am getting into a gated facility without even getting out of my car reaching in there's my key reach inside here little momentary switch that I'm just gonna press with my finger beep and now I don't have a badge for this building I don't have a pin code for this gate but sure enough the gate is open outstanding right so yes the idea of using a key if you have the right key to get into a lot of these boxes absolutely very nice to have here's another brand door King you may have seen me talk about door King in the past because boy do they have some market penetration door king systems the door King 16 120 key you better believe I carry that with me all the time - why because if you're inside that cabinet you can absolutely trigger door releases an example of this here so we have a locked gate for this building here we have a door King system now there's a lot going on here and we could talk about the electronic attack surface we can talk about pretending you belong there like a delivery person using the delivery access lock but what am I going to do I'm just gonna reach in behind this panel press a momentary switch and away we go because the door kings are all keyed alike and that door is open there are a number of key to like systems and I love to provide people with my list of favorite key to like keys if you do any physical jobs many of you follow me on twitter the CH 751 oh my goodness the CH 7 v 1 is sort of America's primary baloney key any rinky-dink little wafer lock this is a generator that somebody opened up this is a shed outside of some building that has some wiring in it that opened up medical facility had their panels with ch 751 hazardous storage in this building CH 751 this is all the same key these are not a bunch of different keys that have the same name literally all these keys are operating all these locks and they're all the same key this is not the storage cabinet that you just saw by the way what's this well somebody tweeted at me this is the snowcat the keys to their snow cat or a CH 7-5 one in the security world absolutely you will see access control systems and alarm systems where the panel is a CH 751 that t box I showed you earlier that key box was a CH 75 one giving me access to the whole building extra hilarious is the fact that this this entire offices key collection has within it no less than three additional CH seven five one keys so if you want to buy yourself a CH seven five one keep it on your key ring you'll never be you'll never be alone in places would want to use it if there's a lot of places you'll find it works a little bit less of an application but also worthwhile depending on if you want to get into key to like systems as the 1284 X it is not the only vehicle key that's universal out there but it's one of the biggest 1284 x's ford motor company's primary fleet key which means that there are a significantly nonzero number of police cruisers out there in the country that operate on their doors on their trunks on their glove boxes and yes even on their ignitions with the same key the 1284 x key not a chipped key it's not electronic but sure enough it'll start up a car there away you go so I like I like talking about key to like systems because they really blow people's mind the idea that how are all these things keyed the same my favorite one for those of you who do network pen tests as well who's seen this lock before a lot of you have maybe you've seen it in this situation yeah it looks familiar to you this is a lock made by the emka company the emka company is an industrial cabinetry firm they make tons of hardware that is popular in server environments on network racks the entire emka product line is effectively three keys and of those the middle one there the ek 333 is I'm going to say like 90% of the locks from m'k I've ever found so what do I carry with me all the time this is the little gift I'll give you this is my everyday carry set and if we want to talk about true red teaming let's think about the three surfaces that you can attack on physical digital and human right well we didn't mention this tubular key this is an Fe okay one if you've seen my elevator hacking talk that was a previous webcast Fe okay one's a very popular elevator key it's the one I use to demonstrate to that guard look I'm here working on the elevators you can do some social engineering with that that EK three three three key the emka server rack and server cabinet key well that allows you physical access to digital resources see four one five a and the two two two three four threes at the bottom the two two two three four three well that's the linear key C four one five a and the CH seven five one those are just two very common physical keys that open a lot of cabinets and you know file drawers desk drawers what's this the sixteen 120 that was your door King again another blended surface physical but electronic access control system I personally keep a couple jigglers on my everyday set just so I have them and I round it out with that 1280 for X key if I want to I don't know I've never never pretend to be an officer but it sure is funny if you show people who are officers hey look I can open your doors that's that's never really been done on a job but it's definitely been a source of mirth at times this whole set fits folds up nicely in my pocket by the way what's what's dangling on the end here what's this well that's a wire loop inside of many of these boxes and again we get more deeply into this during our network access controls and our electronic access controls class here we have a door king system that I'm going to use what key and use that 16 120 key to open the door King box and inside even though there's no override switch hooked up I can still just take my wire loop bridge those two contacts on the panel and boom that fires the door relay and that's gonna let me in so if you want to carry a red teamer key ring or a pen tester keyring or sometimes called deviance devious keyring this is absolutely the way we do it we fold it on up it's in all of our pockets it's in all of our job bags so that's my little extra bonus gift to you I don't want to just you know you know be angry at people who use terms wrong I want people to use terms right and use keys right so how would we conclude all this and then we'll jump to your questions well a lot of this talk was not just about skill building but untangling terminology and one of my favorite friends in the industry his name is Patrick he wrote a whole blog post called on pentesting professionalism and chill and in this blog post he you know he talks about how if you understand if you have a really good kickoff call with the client if you understand what people really want it's the first step in a really successful engagement because using the incorrect terms telling the client you're delivering something that they weren't thinking they needed you can sort all that out if we're all on the same page when we start and that's better value for us it's better value for them so I'm really happy that he wrote that up I encourage everyone to check it out I encourage everyone if these are topics that you like to hear give SANS your feedback stay connected with the SANS community because any one person can say boy I sure feel better now that I know that red teaming means this and not that well if you're not sharing with others if you're not communicating this fact to others you're just one person with a definite and the rest of the industry is going another direction so by all means follow up at future sands events stay online stay connected come out to the next sands ICS the oil and gas summit is coming up in general though whether you think you're on the blue sea the blue side or the red side of the house working together is how we become better together I love the sparring analogy I love the idea that no one should go away from a job feeling like they were the King Victor and everyone else was just left smoldering in the ashes yes it's fun getting in getting caught is the goal so that's what I hope for everyone else I hope whether you do the network side the human side the physical side or a combination thereof that you understand that we should all be working together to make things better together so let's keep making things better together and that's my that's my take on red teaming and where I define it how other people define it and how hopefully we can all move the ball a little further down the field and let's see let's see about questions here now I'm trying to expand my questions window fantastic webcast yes thank you very much but I cannot or is it just Steve didn't actually have a full question so Steve just said fantastic webcast thank you well thank you Steve out of a hundred and some-odd people who are participating in our webcast today you're the only one who's spoken up not a question but that's I'll take it you're very welcome ah so I'm trying to scroll through a number we do have some questions here let's see ah the questions window is just monstrously small and doesn't seem to have any possible way of expanding itself oh so deviant I would suggest you click on to the right of the word questions there's like a square with an arrow that'll unlock if you hover over it that's the way to unlock it from the control panel to the right of the word questions is a box that just says ask her if it's still locked in the control panel correct it is in the control panel yes okay so if you're on the tab that says questions just move your cursor to the right still in that gray bar and hover over it you can unlock it from the control panel or I'd be happy to read them for you because there are quite a few let's have you read them off because this is I'm not seeing what you're seeing unfortunately but I'm I'm not onyx guy I'm a hardware guy it's ok where do you find the latch tools is the first question oh sure sure so latch tools that you saw in the slides and videos sometimes they're called Shrum tools sometimes they're called traveler hooks sometimes they're called loitering tools the the actual source where we order them is in the garment and textile industry they are a textile tool I don't recommend you have to go through that kind of industry if you want there's the Red Team tools comm website to be a little self-serving that is where all of our students after we issue them to every student in our sans classes and elsewhere but if anyone wants more of them and follow up I want one for my other tool kit Red Team tools comm is where you can get yourself set up there hey thanks someone says I clearly followed the wrong career path how do I start a career with the Red Team Alliance all right very cool there so this is a bit of a development now that I and a number of people across other parts of this industry have pushed for the notion of red teaming doesn't really have a standards body the way I mean obviously sans has the jack on the electronic side especially offensive security and others they have actual you know OSCE osep the red team's certification group and with it the red team Alliance is a body that's been put together by a number of us trying to bring some demonstrated competencies to the industry so actual lock picking lock opening door opening demonstrated competencies to gain a cert that can be backed up so if you wanted to follow up with us follow up with us at the red team Alliance that is possibly what we might say is a good foot in the door option for some people having a real cert that says not well I've read some some of this online I I watched a YouTube video once that's half the people out there that say they do physical penetration following up with us attending some of our sans courses I don't like to sound like I'm selling you hard here but definitely getting a cert that has real competency and meaning behind it you know that's that's that's paired with an exam is at least a foot in the door speaking of courses which course do you teach so at the sands The Sands event so the next one coming up is sands network security in Vegas in about a month so you'll find a lot of our content we are not full-time Sands instructors because this is a it's a niche topic it's kind of if you've seen but what Jason and all of his team have - they have these crates of Pelican you know gear they already carry enough stuff to the Sands conferences they don't need to be hauling boxes of locks and lock tools and access control devices like we do so we are what's called a hosted course if you look at any of the sands programs at the very bottom of the list usually are the hosted courses and I believe I just talked to Susie the other day I think we still have some room for the sands network security class that's coming up there's still some seats left in that one otherwise you know catch us at Orlando catch us at Austin I believe we're gonna be on the docket there or reach out to us on Twitter and you can always ask us hey where were you guys gonna be next alright thanks you have a lot of feedback fantastic webcast thank you exceptional great as always great presentation and now and now we'll move on to the next question let's see let's see I think you covered people are people are asking about good resources to learn well this one specific Jimmy good resources to learn lock-picking wow that's that's also Slyke a t-top self-serving answer I guess because I wrote a book years ago that is still in print because oh and I think someone in my house is handing it to me right now in fact Thank You dearest Wow it's like the Magic Man show right here so practical lock-picking and keys to the kingdom where two books that I wrote man I I am not good at sales I'm super uncommon I'm gonna put these away that's makes me makes me nervous hold enough stuff that I've written like that but yes I mean I've I've written a couple books honestly as much as a references they can be there's almost no substitute for really hands-on hands-on type courses so if you don't go through us there are great courses taught down in Kentucky if you wanted to go down to the Locke masters security Institute they're a little bit more focused on people in the professional trade of locksmithing than they are on entry technician work and I'm not gonna lie as far as covert entry technician work covert methods of entry you're either gonna you know go through us or you'll get trained by other people who we trained and that's kind of always a fun thing when someone says oh we have that you know great pentesting job our company's got a great crop of people and we find out who works at that company like Trane 90 percent of you good good good candidates there so yeah our class most of our classes all start with a foundation and basic mechanical manipulation and bypassing and then we have other modules the electronic access controls the safe manipulation courses you name it we move without a hand in it all right well specifically some people are wondering um how to check lock-picking laws where to get sets of common keys and then you know regarding state to state laws like how do you get sure of course though registered in your state a lot of people are possibly asking this because many of them may have just attended DEFCON and at Las Vegas where the reception was not as warm and fuzzy at the Caesars as it has been in the past if any of you are familiar with tool tool with 3 OS t ooo L so tool the open organization of lock Pickers I'm on the board of that tool is a nonprofit that does outreach and education on a very basic level about locks and lock systems there is a map on the tool website a tool with three o's tool us is where you can see the map the the chapters meetings page has a link to this big colored map where we show all the nation's laws concerning locks and locked pick tools lockpicks are usually defined at his burglary tools but many things are defined here let me be reached on cross my desk here oh look I have burglary tools right here oh my god my going to jail no well because most common Hardware implements can be defined as burglary tools if there is demonstrable criminal intent and that's the big key as long as you're not doing something that demonstrates you have criminal intent you're usually fine now so usually there are a handful of states for real states of four or five states of concern where the law is a little bit hazy and one of those states is Nevada this year at the Las Vegas events and the trade shows and at the Caesars property in particular there was more friction than in the past because of misunderstanding about the nuances relating to Nevada law I am NOT a lawyer I am NOT your lawyer I have paid lawyers though and my lawyers assure me that no it is not a go directly to jail do not pass go problem with lockpicks even in Nevada I would encourage people to research it a little more on their own if you want you can start again with the tool website we have links to and citations of every criminal statute from all 50 states and the District so do I think it's a big problem No do I ship and sell lockpicks everywhere yes I mean like the firm that I mentioned does the firm red team tools.com that is that is where all of our students students go to get more tools we issue them in the class if they break them or want more they want to give them as gifts well yeah sure the same one I gave you in class you can have that same pick set you know just buy it online and that has never really been a major problem for anyone I know as long as they're not being dumb as long as there's no demonstration of criminal intent okay thanks don't you get past the metal plates on the outside two doors to protect the latches so guard plates or shielding plates that are over top of the latch work on a door a couple of ways one here let me reach into a bag over here so what I have in my field kit don't they know one can see that that's piano wire so absolutely a valid vector of reaching down behind a door plate fishing piano wire in and trying to snap the door latch if the latch is not fit properly that's worked on a number of occasions for us other times though if the plate is up there over the panel and over the latch many times the best vector is under the door let's throw that under door attack reaching up on the inside grabbing pulling down on the interior door handle that will usually release the door or we have a different tool that's very similar that works against crash bars doing something to release the door mechanical mechanism that way doesn't matter what the pleats doing because now the entire latch has actually been retracted by the door handle or the bulwark is there a guard that goes under a door yes the ASSA ABLOY company makes something called the pemko 5:30 p.m. KO pemko 530 model i believe it is which is a popular retracting door bottom that when the door shuts it drops down locks into the ground prevents under door incursions all right thanks I think time for one last question how often do you come do you come across secured access doors with badge readers next to them but the door hinges are on the wrong side where the pins can be simply punched out and the door removed a significantly nonzero number of times this has happened many many many exterior doors are designed by its conventional construction is in swing style doors so we we will see that you know the hinges are not as visible there but out swing doors do happen especially in office environments if you have you know here's a server room and it's in a hallway sure enough that door might swing outward in which case the hinges are facing you now there are better designs of hinges there are what are called security hinges where they actually have a peg sticking through when the hinge closes this little peg actually pops into the place and now even if you've not got the hinge pins out you can't wrench this hinge apart from the outside that's a nice option to use in such an environment but I will not lie that it's dumb as it sounds I have absolutely pop hinge pins out and just walked a door away from the wall and slipped in the other side just as easy as that sometimes going over the drop ceiling or yeah that you're the question asker they're there they're right on the money in terms of dumb vectors that often work despite the Faculty of this beautiful electronic you know multi-factor keypad a badge reader thing so does it happen yes not often but it does happen is it is it by passable yes is it fixable yes and that's um that's I think kind of summarizes our whole industry right that's a good ending question because sometimes the silliest vectors are easy to fix but they're still very prevalent and very exploited on jobs and then you have the satisfaction of both getting in and showing the client how simple it is to repair their problem any other questions I you can always find me on Twitter I think my last slide there had my my various guises of information you can catch me on the Twitter you can catch me at a bar at a conference but this is always this is always fun I'm really glad to be here and yeah thank you all so very much all right I'll get Network security so I look forward to meeting you there okay thank you so much for your great presentation which helps bring this content to the sands community to our audience we greatly appreciate you listening in for a schedule of all upcoming and archived sands webcasts including this one please visit sans dot org forward slash webcasts until next time take care and we hope to have you back again for the next Stan's webcast
Original Description
In a world where it seems everyone and their dog is doing penetration testing nowadays, many individuals have started attempting to distinguish themselves by referring to their work as red teaming. Heck, that’s wound up in some bios which have been written for me in the past. However, this term is over-used and often misapplied. In this talk, Deviant offers up a straightforward metric for untangling these terms, and then share tips, stories, and advice on tools that can help you in future Pen Tests or (if you’re truly performing them) Red Team Engagements. Follow @SANSICS for more content.
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from SANS Institute · SANS Institute · 48 of 60
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
▶
49
50
51
52
53
54
55
56
57
58
59
60
SANS FOR610: Reverse Engineering Malware: Malware Analysis Tools & Techniques
SANS Institute
SANS Institute Cybersecurity Training Customer Stories
SANS Institute
SANS Institute UK Cyber Academy
SANS Institute
SANS Institute UK Cyber Academy
SANS Institute
CISSP® Prep Exam, MGT414, by SANS Institute
SANS Institute
SANS Institute's Rob Lee Discusses The OPM.GOV Hack on CNN
SANS Institute
Information Security Training from SANS Institute - Student Testimonials
SANS Institute
SANS NetWars
SANS Institute
SANS DFIR NetWars
SANS Institute
Hack The Drone - SANS Cyber Academy UK
SANS Institute
SANS VetSuccess Immersion Academy
SANS Institute
SANS Cybersecurity Training, Certifications & Placement for Veterans
SANS Institute
The 2015 SANS Holiday Hack Challenge
SANS Institute
SANS VetSuccess Academy: Hands-on Skills
SANS Institute
SANS VetSuccess Academy Overview
SANS Institute
SANS ICS Security Summit & Training 2017
SANS Institute
Exploring the Unknown Industrial Control System Threat Landscape – SANS ICS Security Summit 2017
SANS Institute
WannaCry recap, patches, and analysis
SANS Institute
If We’re Doing So Well at Cyber Security, Why Are We Still Doing So Poorly?
SANS Institute
Graduation Day - SANS HM Gov Cyber Retraining Academy
SANS Institute
Incentivizing ICS Security: The Case for Cyber Insurance – SANS ICS Security Summit 2017
SANS Institute
SANS Data Breach Summit & Training 2017
SANS Institute
SANS Secure DevOps Summit & Training 2017
SANS Institute
How Threats Are Slipping In the Back Door - SANS ICS Security Summit 2017
SANS Institute
SANS Webcast – Continuous Opportunity: DevOps & Security
SANS Institute
SANS Cybersecurity Programs for the Department of Defense
SANS Institute
SANS Pen Test HackFest Summit & Training 2017
SANS Institute
SANS SIEM & Tactical Analytics Summit & Training
SANS Institute
If We’re Doing So Well, Why Are We Still Doing So Poorly? – SANS ICS Security Summit 2017
SANS Institute
SANS Institute
SANS Institute
ICS515: ICS Active Defense and Incident Response
SANS Institute
SANS Institute
SANS Institute
Introducing the NEW SANS Pen Test Poster
SANS Institute
SANS Institute - An Inside Look at the Newly Updated ICS515 Course
SANS Institute
SANS ICS Security Training, Munich, Germany
SANS Institute
SANS Automotive Summit Webcast
SANS Institute
Privesc Playground - SANS Pen Test HackFest Summit 2017
SANS Institute
Introduction to Reverse Engineering for Penetration Testers – SANS Pen Test HackFest Summit 2017
SANS Institute
Honey, Please Don’t Burn Down Your Office: Fun with Smart Home Automation
SANS Institute
SANS Security Operations Summit & Training 2018
SANS Institute
Sh*t Happens! (But You Still Need to Drink the Water) – SANS ICS Summit 2018
SANS Institute
ICS Threat Intelligence: Moving from the Unknowns to a Defended Landscape – SANS ICS Summit 2018
SANS Institute
You’re Probably Not Red Teaming (And Usually I’m Not, Either) – SANS ICS Summit 2018
SANS Institute
A Sneak Peak at the New ICS410
SANS Institute
Jumping Air Gaps – SANS ICS Summit 2018
SANS Institute
Introduction to Linux
SANS Institute
Introduction to Malware Analysis
SANS Institute
You’re Probably Not Red Teaming (And Usually I’m Not, Either) Webcast by Deviant Ollam
SANS Institute
Hacking your SOEL: SOC Automation and Orchestration – SANS Security Operations Summit 2018
SANS Institute
Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework
SANS Institute
Apples and Oranges?: A CompariSIEM – SANS Security Operations Summit 2018
SANS Institute
SANS Webcast - Perimeter Security and Why it is Obsolete
SANS Institute
SANS Webcast - Trust No One: Introducing SEC530: Defensible Security Architecture
SANS Institute
The Science of Security: The Psychological Impacts of Security Awareness Programs
SANS Institute
How I Pulled Off an Edgy Security Campaign – SANS Security Awareness Summit 2018
SANS Institute
Practical Advice for Submitting to Speak at a Cybersecurity Conference
SANS Institute
SANS Webcast - Consuming OSINT: Watching You Eat, Drink, and Sleep
SANS Institute
SANS Webcast - Zero Trust Architecture
SANS Institute
SANS STX Cyber Range
SANS Institute
Part 1 – SANS Institute and Tenable talk about cloud security
SANS Institute
More on: AI Security
View skill →Related Reads
🎓
Tutor Explanation
DeepCamp AI