Red Teamer, Ethical Hacker, Researcher
“Matt! You’re with the red team. Move it!” yelled the drill instructor. Matt took the red helmet off the table and ran to join his crew.
They were sent into the forest with only one job: find a way to attack the fortified position. Nothing is out of the picture. Get as creative as possible. After all, won’t the enemy use everything they can?
Matt and the red team huddle up and discuss tactics. A frontal assault would be suicide. But maybe that’s what they are counting on? The blue helmets, that is, the blue team. Their job is to defend the camp, drawing up their own maps and marking possible attack positions. What could the red squad do?
They account for every situation, watch out for the flanks. Always guard your back and don’t get caught slacking. But Matt and his team of crimson helmets have a plan. Start a frontal assault, make them think there’s more of you there. Quickly circle around the back, while the frontal assault moves to the left flank. And leave your helmets in the trees.
The red team put their hands in the middle of the huddle, give it a good oorah and move out.
Now what if all this moved to a different front? What if the camp becomes your network, and the main tent your Domain Controller?
First of all, tell me a bit about yourself. What do you do for a living?
I’m Matt! I’m a cybersecurity practitioner with 10-plus years of experience. I have a strong affinity for offensive security work. I also write content, make training, sometimes record a meme YouTube video, and generally just try to be an approachable, contributing member of our community. I’m the creator of Practical Malware Analysis & Triage, which is available on TCM Security Academy. In my day job, I’m a red team engineer for a large cybersecurity firm.
How did you get to where you are now?
I served in the US Marine Corps for 5 years as an intelligence analyst and system/network administrator. My military job school taught me everything from processor architecture to logic gates to networking protocols to Linux and Windows administration. Cybersecurity wasn’t part of the curriculum, but I also took certification programs to meet the requirements to handle classified information systems.
When I left military service, I finished my undergraduate studies at Northeastern University and took a job at the Massachusetts Institute of Technology Lincoln Laboratory as a cybersecurity analyst.
To better round out my cyber defense skills, I took the different offensive security training programs like OSCP, eCPPT, CRTO, and eCPTX. I loved the offensive side so much I never went back! I then took a job playing the opposing force for cybersecurity training programs and eventually made it onto the internal red team in that same organization. Today, my official title is Principal Security Research Engineer & Red Team Engineer.
So what was training like with the US Marines? And how do you go about becoming an intelligence analyst there?
US Marine Corps boot camp is a lot like what you see in the movies. Lots of yelling, drill, the rifle range, and uniform maintenance. Combat training was basically just living in a hole in the ground for a month and playing war in the woods.
My actual job school taught Information Technology and I was assigned as a system administrator for a stealth fighter jet squadron after graduating. Once I was at my first unit, my officer in charge asked me if I wanted to be cross-trained as an Intelligence Analyst and perform both roles. So, they sent me to Intelligence Analyst school to fill an additional billet.
Most of the time, you’ll sign an enlistment contract to be an Intelligence Analyst at the beginning. I was a bit of a special case.
When you do red team engagements, what is the time frame of your engagement?
I’ve been on internal red teams that did long term engagements, which were about 4 months. I’ve seen, though not been on, consultant red teams that have a much smaller engagement timeline. Consultant engagements are usually a few weeks, not months.
These days, I’m in a bit of a unique environment. I’m on a red team that operates in simulated networks for our clients. Imagine several thousand Virtual Machines that are built specifically to look like the client’s production network. We design attack emulation campaigns inside of this range and launch them from emulated Internet addresses, so my attack might look like it’s coming from Germany or Russia or even the US!
We bring the client’s defense team into the range and put them into a 24–48-hour event where we attack them with about three years’ worth of threat presentations and score them on their detection and remediation capabilities. It’s extremely intense for attackers and defenders, but it’s always fun to see how the defense team is trying to pick up on your attacks.
What changes when planning for the big virtual tests, versus a regular external/internal red team?
I usually never have to worry about initial access because we will know the layout of the range ahead of time. We place vulnerable VMs on the network perimeter for some low tier threats that are meant to exploit public facing applications.
I also craft phishing payloads and set up transparent proxies for credential capture, but it’s usually part of the simulation to make sure that a user falls for the phish. Sometimes I even go onto that workstation and play the role of the user and click on something I shouldn’t.
The remainder of the emulation is usually rehearsed ahead of time as well. I’ll know the layout of the network and perform some discovery to generate artifacts, then identify my objectives and go after them quickly. It’s understood that the threats presented during this engagement condense threat activity you’d usually see in six months down to 48 hours, so we tend to move fast.
The simulation also removes certain initial access vectors because of the medium. I can’t really do real life social engineering for initial access. I also can’t really drop a physical device, though I have emulated a dropped device by adding a Raspberry Pi VM to the simulated range and, unbeknownst to the blue team, started my attack by SSH’ing into it. That one was fun, and they never saw it coming.
What is in scope for these big simulations? I imagine the point is to simulate a Nation State attack or something akin to that?
Yes, we’ll stratify our threats into tiers — low, medium, and high. Each stratum of threat has different objectives, motivations, tradecraft, and sophistication levels.
Low threats are usually assigned with opportunistic exfiltration, “smash-and-grab” style tactics, and simple objectives. Low threats also represent other kinds of nuisances, so I’ve built and deployed things like simulated crypto miners and BitTorrent service emulators as payloads to fit that profile.
On the other end, high tiered threats represent APT, Nation State actors, and other highly capable criminals. High tiered threats are usually built to emulate a specific profile based on a real-life breach or emerging threat-actor playbook. I’ve built playbooks that emulate FIN7, APTs 28 and 29, OILRIG, and others. I also tend to write custom tools for those engagements or heavily modify open-source tools based on the open-source reports on those threats.
When you’re emulating an APT, how much research do you have to do before hand? And how do you go about it? Sounds a bit like Threat Hunting in a sense.
Tons! I lean heavily on the technical reports that cover the specific threats. So, for something like FIN7, I’ll Google for the technical papers that cover their specific TTPs. So, something like this is very handy: https://mandiant.com/resources/blog/evolution-of-fin7…
It’s like threat hunting but instead of trying to come up with the details to search for in an environment, I’m researching to build the details that someone will search for.
Do you do both internal and external red teams? How do they differ?
I’ve done both external and internal red teaming on live production environments in the past. These days, my engagements are emulated external engagements. One of the biggest differences between the two is the scope of engagement and what you need to focus on.
For external engagements, the name of the game is usually phishing, public facing service exploitation, tons of Open-Source Intelligence (OSINT) gathering, and/or other types of social engineering. I’ve drafted playbooks for social engineering routines that involved dropping devices, calling up users and masquerading as a help desk employee, all manner of phishing pretexts, and other kinds of authorized shenanigans.
Internal engagements for red teams are usually scoped to focus on what happens after initial access is gained. They usually call this “assumed breach.” Sometimes, if the red team hasn’t progressed towards their objectives for an external engagement, the leadership may allow the team to continue the engagement as if it were assumed breach. For internal engagements, thorough enumeration of the environment is key.
A lot of the time, the objectives can be met by using low level user credentials that are over-privileged. Maybe a low privileged user has access to an internal SharePoint site that is chock full of sensitive data! If the red team can stay in a low profile and siphon data out to meet objectives, they usually never worry about Domain Administrator access or moving laterally as it’s too risky to the operation. We do make use of administrator credentials if we absolutely need to, but it’s usually treated as a last resort. We don’t hang out in the context of the DA for very long!
When you do internal red teams, how often do clients monitor their network? And how do you have to factor that in?
This depends on the level of sophistication of the environment, the maturity of the defense program, and the capabilities of the team. Some defense technologies for network monitoring are extremely robust. Darktrace comes to mind!
I also always groan a bit as a red teamer if I see Palo Alto firewalls on a network. In terms of detection and prevention, PA firewalls are vicious. I would say that broadly speaking, host-based monitoring is the thing that catches red teams the most during internal engagements.
If you set up your C2 well enough, it can be extremely difficult for the defense team to identify egressing C2 traffic. But if the endpoints have robust detection solutions on them, one false move and it could be over. All of this is contingent on the defense team paying attention to the alerts, however, and that’s the same for network monitoring and host-based monitoring.
You also mentioned Active Directory credentials. Most people in the know have probably heard about Bloodhound and the like. Is this usually too noisy? Do you use other tools or methods?
I love Bloodhound! It’s a masterfully built tool. If I’m not emulating a specific threat and I have a choice of how to deploy Bloodhound, I’ll try to stay off the endpoint and won’t use the SharpHound.exe collector or the PowerShell script.
There’s a Python script by Fox-IT that collects the same LDAP information but can do so remotely. So, if I’m not doing a specific threat emulation that calls for running SharpHound on the endpoint or as a reflective assembly, I’ll open a SOCKS proxy on the host and do a Stay-Off-the-Land style attack by running that bloodhound.py script through the proxy. That way I don’t have to drop SharpHound to disk or run it reflectively, which are both risky.
Now if we come back to host detection. I imagine it’s common for AV software to be present on host machines. What kind of steps do you have to take to avoid it? Or is it not actually that common?
AntiVirus is common across the industry, but the solutions vary in terms of how they detect malware and what they do when they detect it.
There are also the more sophisticated Endpoint Detection & Response (EDR) platforms, and those vary in the same way. CrowdStrike Falcon is the one everyone usually knows. AV/EDR evasion is a game of constant evolution.
For AV, let’s take Defender as an example. Defender has very robust signature detection capabilities and may even do some sandboxing (I’m not sure because Microsoft keeps that part under close guard), so one of the best ways to defeat Defender is to use custom tools or modify the open-source ones that you want to use. When you think you have modified it enough, try running ThreatCheck against it and see if it flags your payload as malicious. It usually doesn’t take much alteration to defeat signature detection. But that’s still only part of the puzzle.
Custom tooling is also effective against the big-name brand EDRs… for a little while. One of the constant pains of red teaming is that you may get no detections for a payload today but then tomorrow, Falcon will catch on to your payload because it submitted it to the mothership CrowdStrike analysis servers which determined it was malicious. There are more technical solutions for EDR and AV evasion that I won’t get into here for brevity’s sake.
But I will leave you with my one-stop, bona fide, certified, 100% effective OR YOUR MONEY BACK, favorite EDR/AV evasion trick of all time. The trick is called “Finding Endpoints Where EDR/AV Is Not Installed Or Was Installed But Misconfigured And Living There.” When I deploy this technique, I have a 100% success rate.
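The coverage gaps Matt describes (no sensor at all, or a sensor that is installed but stale or not blocking) are something a defender can hunt for routinely. The following is an added example, not code from the interview or from any vendor: it reconciles a constructed Active Directory computer list against a constructed EDR console export, and the hostnames, field names and sensor modes are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data for this example (not from any real environment):
# computer accounts as exported from Active Directory (note the trailing '$')
# and an EDR console's sensor export keyed by FQDN. Field names are assumed.
AD_COMPUTERS = ["WS01$", "WS02$", "SRV-FILE01$", "SRV-DB01$", "DC01$"]
EDR_SENSORS = {
    "ws01.corp.example":       {"last_seen": "2024-05-10T08:00:00Z", "mode": "block"},
    "srv-file01.corp.example": {"last_seen": "2024-04-01T08:00:00Z", "mode": "block"},
    "srv-db01.corp.example":   {"last_seen": "2024-05-10T07:30:00Z", "mode": "detect_only"},
    "dc01.corp.example":       {"last_seen": "2024-05-10T07:45:00Z", "mode": "block"},
}
NOW = datetime(2024, 5, 10, 9, 0, tzinfo=timezone.utc)


def normalize(name: str) -> str:
    """Reduce 'WS01$' and 'ws01.corp.example' to the same join key, 'ws01'."""
    return name.rstrip("$").split(".")[0].lower()


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def coverage_gaps(ad_computers, edr_sensors, now, stale_after=timedelta(days=7)):
    """Classify every AD computer as missing a sensor, reporting a stale sensor,
    or running a sensor that is not in blocking mode. A host can be both stale
    and not blocking; a missing host is reported once."""
    sensors = {normalize(host): rec for host, rec in edr_sensors.items()}
    gaps = {"missing": [], "stale": [], "not_blocking": []}
    for host in sorted(normalize(c) for c in ad_computers):
        rec = sensors.get(host)
        if rec is None:
            gaps["missing"].append(host)
            continue
        if now - parse_ts(rec["last_seen"]) > stale_after:
            gaps["stale"].append(host)
        if rec["mode"] != "block":
            gaps["not_blocking"].append(host)
    return gaps


if __name__ == "__main__":
    for kind, hosts in coverage_gaps(AD_COMPUTERS, EDR_SENSORS, NOW).items():
        print(f"{kind}: {', '.join(hosts) or '-'}")
```

Hosts that appear in the EDR export but not in AD are a separate question (unmanaged or rogue machines) and are deliberately not covered here.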
Do you practice your skills in your downtime? What do you do to keep up with the infosec space? And how do you avoid burning out?
I’m usually always writing content, building things in my home lab, and trying out new attack methods in my off time.
I used to spend multiple hours outside of my normal job researching, writing open-source code, and doing certificate training programs. I’ve toned that down a bit recently and am trying to focus more on sustaining a healthy lifestyle to facilitate my professional interests, not the other way around!
That’s how I address the specter of burnout; I realign my perspective so I’m focusing on keeping my mental health as sound as possible and trusting that the productivity will come from that effort. I think my mental health is currently the best it’s ever been, but there was a time in recent history where I was in a rough spot. I learned the lessons on how to prevent it from happening and stay vigilant.
I also keep a consistent physical exercise regimen and never go more than 3 days at a time without vigorous physical activity, at the absolute least.
I like to say that burnouts are like concussions. Every subsequent one does more damage than the one before it. I stay extremely attentive and make sure I have enough rest and off time to avoid burning out.
What are some tips you would give to a first time red teamer? For an internal and then an external test?
I won’t throw technical tips into the hat for new red teamers. The technical skills will come to you in time.
In general, I’d say “focus on responsibility”, “don’t be afraid to create and invent”, and “take care of your own mental health, success follows shortly after”. Lots of people can learn the technical details of red teaming. It’s not common in the field right now to find red teamers who go out of their way to act responsibly. Start there.
Continually ask yourself “is what I’m doing right now legal? Is it ethical? How can I do it responsibly?” I have a full course coming out on this soon at the time of writing this which will be available for free at the Taggart Institute! https://taggartinstitute.org
Create and invent. Try to learn languages that allow for custom tool creation. In robust environments, it might be the only choice you have!
And take care of your mental health. Red teaming is extremely intense sometimes. Make sure you get enough time away from the field of cyber strife.
And to wrap up: if you could give advice to your younger self, what would you say?
Take care of yourself and keep up with the healthy routine.
Technical mastery will come in time as long as you keep showing up. It’s the “keep showing up” part that you have to watch out for.
Be kinder. Nope, even kinder than that. You act like you have something to prove a lot, try to not do that ;) You have nothing to prove to anyone.
Take the opportunities as they arrive but remember to weigh the opportunity costs.
Go to Lake Tahoe in early 2022, it’s a blast.
Love doesn’t cost you anything so give it away without hesitation.
Give the imposter in your head a seat at the table but don’t let him run the show.
Enjoy it all, time is moving faster than you think it is.
It really is incredible how diverse the careers in cybersecurity are, the stories people can tell and the knowledge they have.
It never would have occurred to me that companies also run big APT-like simulations on virtual networks. Amazing! Feels like a new point on the bucket list.
If there is something you should remember from this interview, think of Matt’s advice to his younger self.