Adversary Mindset

TSS’ Inaugural Red Team Training

Tom
TSS - Trusted Security Services
4 min read · Aug 1, 2018


Armed and Ready | Typical load-out for a TSS physical Red Team

It’s a recurring theme in the InfoSec community for experienced practitioners to feel that they lack knowledge in their own field of expertise. For anyone who’s familiar with this so-called “imposter syndrome”, the notion of delivering a technical training course will likely seem daunting. Daunted is certainly how I’d describe the feeling of putting together a hands-on red team training course with the goal of opening it up for public consumption. Putting your knowledge on show requires overcoming the subconscious doubt that it isn’t advanced enough, or interesting enough, or useful enough to be presented in a public forum. In my experience, that voice should be prejudicially escorted to the bin. With my concerns put on ice, it turned out that the combination of my red teaming experience and the extensive, field-tested wisdom of Wayne Ronaldson would amount to an informative and engaging couple of days for twenty-something highly experienced aficionados, practitioners and miscreants of the trans-Tasman InfoSec community.

Our intention for this course was twofold (as you might have guessed from the title). Firstly, we wanted to walk participants through a number of techniques and approaches that have been successful for us and which we frequently employ on real red teams. These discussions were structured around social engineering, physical entry and digital exploitation. Secondly, we wanted to put red teaming in context with respect to certain types of actors. Rather than just compromising willing organisations and stating that “things are broken — fix them”, our approach centres on the tactics, techniques and procedures (TTPs) likely to be used by particular adversaries (be they criminal groups, unscrupulous competitors or state-backed actors), the adversary’s risk appetite and the information they would seek to target. As a class we discussed this at length, teasing out what an attack looks like when it’s performed by an intelligence service vs. a mercantile criminal organisation vs. an ideological group vs. a corporate competitor and so on.

Be Alert but not Alarmed | Excerpts from the instruction manual of the target building’s alarm system. Students would have the chance to intercept the alarm disarm signal using a HackRF and then replay the signal against the live system.
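The replay described in the caption only works when the disarm frame the fob transmits is the same every time; a receiver that authenticates a rolling counter rejects a captured frame the second time it is sent. The following is an added simulation written for this page, not code from the original post or from TSS, and it does not model the particular alarm used in the course: it constructs a fixed-code receiver and a rolling-code receiver (an HMAC over a counter, with a small acceptance window), captures one legitimate disarm from each, and replays it. The frame layout, shared key and window size are assumptions chosen for illustration.

```python
"""Constructed simulation of an RF disarm replay against two receiver designs.

Added example for this page (not code from the original post or from TSS).
The fixed-code receiver accepts the replayed capture; the rolling-code
receiver rejects it because the counter is no longer fresh. Frame format,
key and window size are assumptions for illustration only.
"""
import hashlib
import hmac
from typing import Tuple

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # assumed shared secret
WINDOW = 16  # counters accepted ahead of the last seen one (assumed)
TAG_LEN = 8  # truncated MAC length in bytes (assumed)


class FixedCodeReceiver:
    """Accepts any frame whose payload equals the configured disarm code."""

    def __init__(self, disarm_code: bytes) -> None:
        self.disarm_code = disarm_code
        self.armed = True

    def receive(self, frame: bytes) -> bool:
        if frame == self.disarm_code:
            self.armed = False
            return True
        return False


class RollingCodeReceiver:
    """Accepts a frame only if its MAC verifies and its counter is fresh."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0
        self.armed = True

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 4 + TAG_LEN:
            return False
        counter_bytes, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, counter_bytes, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        counter = int.from_bytes(counter_bytes, "big")
        # Freshness check: a replayed frame carries a counter already consumed.
        if counter <= self.last_counter or counter > self.last_counter + WINDOW:
            return False
        self.last_counter = counter
        self.armed = False
        return True


class RollingCodeFob:
    """Transmitter side: increments a counter and MACs it with the shared key."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def disarm_frame(self) -> bytes:
        self.counter += 1
        counter_bytes = self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, counter_bytes, hashlib.sha256).digest()[:TAG_LEN]
        return counter_bytes + tag


def replay_against_fixed_code() -> Tuple[bool, bool]:
    """Returns (legitimate disarm accepted, replayed capture accepted)."""
    code = b"\xa5\x5a\x3c\xc3"  # constructed fixed disarm code
    rx = FixedCodeReceiver(code)
    captured = code  # what a capture of the legitimate fob would yield
    legit = rx.receive(captured)
    rx.armed = True  # owner re-arms; attacker replays the capture later
    replayed = rx.receive(captured)
    return legit, replayed


def replay_against_rolling_code() -> Tuple[bool, bool]:
    """Returns (legitimate disarm accepted, replayed capture accepted)."""
    fob = RollingCodeFob(KEY)
    rx = RollingCodeReceiver(KEY)
    captured = fob.disarm_frame()
    legit = rx.receive(captured)
    rx.armed = True
    replayed = rx.receive(captured)
    return legit, replayed


if __name__ == "__main__":
    print("fixed code   (legit, replay):", replay_against_fixed_code())
    print("rolling code (legit, replay):", replay_against_rolling_code())
```

Before relying on a replay in the field, the check worth making is therefore whether two captures of the same button press are byte-identical; if they differ, the system is rolling its code and a straight replay will not disarm it.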

We ran this initial offering of the course over two days, which in hindsight was asking for a lot. Where I thought my content dealing with digital reconnaissance would take around an hour to deliver, it took over two. Not because the content was poorly timed, but because every module sparked more discussion. As a result, we didn’t quite get through our material, but I think the constant sharing of “in-the-field” experiences generated more value for the participants than we could have expected.

Throughout the course we regularly returned to the concept that attacks spanning digital, physical and social exploitation techniques are the cornerstone of effective red teaming. Unfortunately, practising such attacks legally is difficult outside of approved engagements. This makes it tempting to avoid leaving your operational comfort zone on the grounds that you want billable engagements to be a success, which reduces your appetite for risk when it comes to trialling new tactics. To help get people out of their comfort zone we organised a physical access challenge wherein groups of students would perform a covert break-in at a local office (rented by TSS). They’d need to enter the premises at night, bypass access controls and alarm systems, and perform a search without alerting employees of neighbouring businesses. The intention was to provide a safe environment in which people could perform a “my first break-in” training scenario. While the risk of detection was very low, the fact that the exercise was being performed “live”, so to speak, clearly took some people out of their comfort zone. My hope is that in future, anyone who attended the course will have a better understanding of their own mental and physiological reactions to covert access and that they’ll be able to use this experience as a basis for developing techniques and strategies that help them remain calm and focussed in the field.

Staging Ground | Teams worked from a hotel room to compromise the networks of a target company. Simultaneously, their colleagues were on the ground, breaking into the company’s warehouse.

This is really just the tip of the iceberg. We pushed almost 24 hours’ worth of class time into a two-day window (that’s red teaming for you!) and we’re already looking at a raft of improvements for the next training session. We plan to have a challenge network integrated with the course for students to step through the compromise and propagation of a real network. We’ll be setting up live interactions from “target” users for students to perform phishing and social media interactions. We’ll be tailing target individuals, cloning access cards and picking locks, cold booting laptops, hiding from AV and using covert channels to avoid network defenders. Our wish-list goes on. For now, we’re extremely grateful to have had the opportunity to work with such capable individuals, to OzSecCon for having us and to all the TSS staff who helped us toil in the shadows.

Until next time.

T.
