Red Team: The hackers on your side

Deep within the halls of an intelligence agency, an old dance song is playing. “Never gonna give you up, never gonna let you down, never gonna run around and desert you”. The comforting voice of Rick Astley echoed throughout the office. The staff, startled by the sudden intrusion of the iconic music video on their computer screens, watched in confusion. As the video came to an end, a message appeared on their screens: “You were just owned by Red Team”. The staff looked on in shock, realizing they had been hacked and humiliated by the agency’s infamous Red Team.

As the day wore on, it became clear that the hack was more than just a simple joke. The Red Team had not only managed to take control of the staff’s computers, but had also accessed tons of sensitive information that should have been off limits to them.

As if things couldn’t get any worse, agents received a notification that Mr. Mittens, a suspected ISIS leader, was up to no good at an animal hospital in Wisconsin. It turns out that the agency’s own Red Team had exploited a data ingestion pipeline used by the office to detect imminent terrorist activity. The team had subtly modified the photographic inputs to the machine learning models in a way that no human would notice, swapping a pixel here and a pixel there. This caused pictures of harmless kittens to be mistakenly labeled as dangerous terrorists.

In the basement of this same intelligence agency’s headquarters, the Red Team operates in a world of its own. Comprised of a group of rebellious misfits, they flout the rules at every turn. The air in their aptly named “war room” is thick with the smell of tobacco, a clear violation of OSHA regulations. Profanity-laden gangster rap is the background noise as they work.

The suits in charge of the agency turn a blind eye to their questionable antics. After all, the Red Team’s job is to be misfits - to hack into the agency’s own systems and test their security in the same way that real adversaries would. And though they may not always follow the rules, there’s no denying that they are incredibly skilled at what they do.

Red teams are not always welcomed with open arms by the organizations they are attacking. Their role as “fake” adversaries can often put them at odds with the rest of the organization, who may see their actions as disruptive at best or malicious at worst. However, the valuable insights and recommendations provided by red teams can ultimately help organizations become stronger and more resilient to real attacks.

How to start a Red Team

The team

When staffing a red team, it’s important to look for individuals who are not only skilled in their areas of expertise, but who also have the ability to think creatively and challenge the status quo. This is a team where you want the rabble rousers and the misfits.

Further, as you identify potential team members, be sure to consider diversity in terms of skills, expertise, and backgrounds. A diverse team will bring a range of perspectives and approaches to the table, which can help your red team be more effective in identifying and addressing vulnerabilities and weaknesses.

You’ll want to look for individuals with strong backgrounds in cybersecurity, network engineering, and other related fields. These individuals should have experience with a variety of tools and techniques for finding and exploiting vulnerabilities in systems and networks. This will form the core staff of your organization.

But an effective red team needs many other skills as well. For example, if you want your red team to be able to attack artificial intelligence models, you’ll want to look for individuals who have a strong background in machine learning and data science. These people should have experience building and training models, as well as experience finding and exploiting vulnerabilities in existing models. This may include skills such as adversarial machine learning, which involves intentionally introducing small perturbations to a model’s inputs in order to cause the model to make mistakes.
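The kitten-to-terrorist story above and the adversarial machine learning skill described here both come down to one measurable property: how far a prediction moves when each input feature is nudged by a small amount. The following is an added example (not code from the original post) of the check a red team’s ML specialist, or the defending data scientists, would run before trusting a model: it measures clean accuracy, accuracy under a worst-case sign-step perturbation (the FGSM idea), and the fraction of points whose margin certifies them as robust. The two-feature data set and the two linear models are constructed for illustration; the “fragile” model stands in for one that learned to lean on a low-amplitude feature, and the “robust” model for one restricted to the stable feature. It uses pure Python so it runs anywhere.

```python
"""Worst-case (L-infinity) robustness check for a linear classifier.

Added example, not from the original post. Pure Python, no numpy.
Data set and model weights are constructed for illustration:
  * feature x1 is "robust": strongly tied to the label but noisy
  * feature x2 is "fragile": almost perfectly tied to the label but with a
    tiny scale, so a small per-feature change swamps it
"""
import random


def make_dataset(n=400, seed=7):
    """Constructed sample: labels y in {-1, +1}, two features per point."""
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        y = rng.choice((-1, 1))
        x1 = rng.gauss(1.5 * y, 1.0)    # robust but noisy feature
        x2 = rng.gauss(0.2 * y, 0.05)   # fragile, low-amplitude feature
        data.append(((x1, x2), y))
    return data


def score(w, b, x):
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def sign(v):
    return 1 if v >= 0 else -1


def accuracy(w, b, data):
    return sum(sign(score(w, b, x)) == y for x, y in data) / len(data)


def fgsm_point(w, b, x, y, eps):
    """Move every feature by eps in the direction that hurts the true label.
    For a linear model the gradient of the loss w.r.t. x is proportional to
    -y * w, so the sign step is exactly -y * sign(w_i) per feature."""
    return tuple(xi - eps * y * sign(wi) for xi, wi in zip(x, w))


def adversarial_accuracy(w, b, data, eps):
    """Accuracy after every point has been pushed by its own sign step."""
    return sum(sign(score(w, b, fgsm_point(w, b, x, y, eps))) == y
               for x, y in data) / len(data)


def certified_fraction(w, b, data, eps):
    """Exact worst case for a linear model under an L-inf budget eps: the
    prediction survives every perturbation iff the signed margin exceeds
    eps * ||w||_1. For linear models this equals the FGSM accuracy, which
    makes it a useful self-check on the perturbation code."""
    l1 = sum(abs(wi) for wi in w)
    return sum(y * score(w, b, x) - eps * l1 > 0 for x, y in data) / len(data)


# Constructed stand-ins for two trained models (hypothetical weights, bias).
FRAGILE_MODEL = ((0.5, 10.0), 0.0)   # leans on the low-amplitude feature x2
ROBUST_MODEL = ((2.0, 0.0), 0.0)     # uses only the noisy-but-stable feature x1
EPS = 0.3                            # per-feature perturbation budget


def evaluate(eps=EPS):
    data = make_dataset()
    report = {}
    for name, (w, b) in (("fragile", FRAGILE_MODEL), ("robust", ROBUST_MODEL)):
        report[name] = {
            "clean": accuracy(w, b, data),
            "fgsm": adversarial_accuracy(w, b, data, eps),
            "certified": certified_fraction(w, b, data, eps),
        }
    return report


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:8s} clean={r['clean']:.2f} "
              f"fgsm={r['fgsm']:.2f} certified={r['certified']:.2f}")
```

The fragile model scores near-perfectly on clean data and collapses under a budget of 0.3 per feature, while the robust model gives up a few points of clean accuracy and keeps most of it under attack; that gap, not the clean number, is what a red team report on a model should lead with.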

Speciality                                        | Description
--------------------------------------------------+------------------------------------------------------------------------------
Cybersecurity                                     | Focuses on identifying and exploiting vulnerabilities in computer systems and networks.
Social engineering                                | Focuses on manipulating and tricking individuals into divulging sensitive information or access to systems.
Adversarial machine learning                      | Focuses on finding and exploiting vulnerabilities in artificial intelligence models by introducing perturbations to cause them to make mistakes.
SCADA (Supervisory Control and Data Acquisition)  | Focuses on identifying and exploiting vulnerabilities in control systems and infrastructure (e.g. HVAC systems, power systems, industrial machinery).
Physical security                                 | Focuses on identifying and exploiting vulnerabilities in physical security systems, such as locks, access cards and cameras.
Intelligence analysis                             | Focuses on collecting and analyzing information from exploitation sources in order to understand the target and drive the operation.

In addition to their technical skills, it’s also important to look for team members who have strong communication skills. Red teams often operate in high-risk and high-pressure situations and may be working with individuals from different parts of the organization, so the ability to effectively communicate and work with others is key.

The Standard Operating Procedure (SOP)

The Standard Operating Procedure (SOP) is a crucial part of any red team’s operations. It’s essentially a handbook that outlines the rules and guidelines that all team members must follow when conducting operations. The SOP should include information on the right way to access and manipulate systems, ethical guidelines for behavior, and a deconfliction process to ensure that the red team doesn’t inadvertently interfere with the organization’s incident response efforts.

It’s important to establish clear guidelines in the SOP to help ensure that the red team is able to operate effectively and efficiently, without causing harm to the organization. The specific content of the SOP will vary depending on the nature of the team and the activities it is responsible for, but it should generally cover things like acceptable behaviors and procedures for conducting operations. For example, the SOP might specify that it’s okay to play a video on a victim’s computer, as long as the source is clearly identified as the red team, but that it’s never okay to delete files or cause damage to the organization’s systems.

One key aspect of the SOP is the deconfliction process, which helps to ensure that the red team doesn’t interfere with the organization’s incident response efforts. When an incident response team is investigating an intrusion, it’s important that they can distinguish between a red team operation and a real attack. To do this, they must be notified when the red team is conducting an operation, and often only certain individuals within the incident response team are made aware of the red team’s activities to avoid interference.
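The deconfliction process described above is easiest to apply consistently when the cleared responders have a registry to check an alert against. The following is an added example (not from the original post) of that lookup: a constructed registry entry records an operation’s time window, the attacker infrastructure the red team registered, the systems in scope and a contact, and a triage function maps a SIEM-style alert line onto a decision. The registry fields, the alert format and every address and hostname are constructed placeholders; the IP ranges are the RFC 5737 documentation ranges.

```python
"""Deconfliction lookup: is this alert explained by a registered red team op?

Added example, not from the original post. Registry format, fields and the
sample entry are constructed for illustration; a real team keeps this in a
ticketing system restricted to the cleared incident responders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RedTeamOperation:
    op_id: str
    start: datetime
    end: datetime
    source_ranges: tuple    # attacker infrastructure the team registered
    targets: tuple          # hostnames/systems approved in the SOP scope
    contact: str            # whom a responder calls to confirm


# Constructed registry entry (placeholder values).
REGISTRY = [
    RedTeamOperation(
        op_id="RT-EXAMPLE-0001",
        start=datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
        end=datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc),
        source_ranges=(ip_network("203.0.113.0/24"),),  # TEST-NET-3
        targets=("hr-portal.example.internal", "fileshare-02.example.internal"),
        contact="red-team-duty@example.internal",
    ),
]


def parse_alert(line):
    """Constructed alert format: ISO-8601 UTC time, source IP, target host, rule."""
    ts, src, host, rule = (field.strip() for field in line.split(","))
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, src, host, rule


def matching_operations(alert_time, source_ip, target_host, registry=REGISTRY):
    """Operations whose window, source ranges AND scope all cover the alert.

    All three must hold: red team infrastructure touching a host outside the
    approved scope, or outside the window, is by definition not covered by the
    SOP and gets handled as a real intrusion until proven otherwise."""
    ip = ip_address(source_ip)
    hits = []
    for op in registry:
        in_window = op.start <= alert_time <= op.end
        from_team_infra = any(ip in net for net in op.source_ranges)
        in_scope = target_host in op.targets
        if in_window and from_team_infra and in_scope:
            hits.append(op)
    return hits


def triage(alert_time, source_ip, target_host, registry=REGISTRY):
    """A match is a candidate for deconfliction, not proof: the responder
    still confirms with the listed contact before standing down."""
    hits = matching_operations(alert_time, source_ip, target_host, registry)
    if hits:
        return "confirm-with-red-team", [(op.op_id, op.contact) for op in hits]
    return "treat-as-real-intrusion", []


def triage_line(line, registry=REGISTRY):
    when, src, host, _rule = parse_alert(line)
    return triage(when, src, host, registry)


if __name__ == "__main__":
    # Constructed alert lines, not real telemetry.
    for line in (
        "2024-03-05T10:15:00Z,203.0.113.17,hr-portal.example.internal,credential-spraying",
        "2024-03-05T10:15:00Z,203.0.113.17,payroll-db.example.internal,credential-spraying",
        "2024-03-12T10:15:00Z,203.0.113.17,hr-portal.example.internal,credential-spraying",
        "2024-03-05T10:15:00Z,198.51.100.9,hr-portal.example.internal,credential-spraying",
    ):
        print(triage_line(line), "<-", line)
```

Only the first alert (inside the window, from registered infrastructure, against an in-scope host) is routed to the red team contact; the out-of-scope host, the out-of-window time and the unregistered source each fall through to normal incident response, which is the behaviour a deconfliction process needs so that a real attacker cannot hide behind an exercise.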

Before any team member is allowed to operate within the red team, they must fully understand the SOP. This usually involves passing a written and verbal test on SOP knowledge before being certified to operate. By ensuring that all team members are well-versed in the SOP, you can help ensure that the red team is able to carry out its activities without causing harm.

Tools

Red teams rely on a variety of specialized tools to help them carry out their operations effectively. These tools are designed to help red teams identify and exploit vulnerabilities, gather and analyze information, and develop strategies for improving an organization’s defenses.

Some of the most common types of tools used by red teams include:

  • Exploit tools: These are tools that are specifically designed to help red teams identify and exploit vulnerabilities in systems and networks. These tools might include exploits for specific vulnerabilities, as well as frameworks for exploiting these vulnerabilities and gaining access.
  • Network analysis tools: Red teams often need to analyze network traffic in order to identify patterns, track communications, and gather intelligence on potential adversaries. These tools might include packet sniffers and traffic analyzers that allow red teams to monitor and analyze network activity.
  • Reverse engineering tools: These tools are used to disassemble and analyze compiled code in order to understand how it works and identify vulnerabilities. Red teams use these tools to reverse engineer executables, libraries, firmware images, and other types of compiled code.
  • Password cracking tools: Red teams use these tools to try to crack passwords and other types of authentication credentials in order to gain access to protected systems. These tools might use dictionaries, brute force, or intelligent techniques for guessing or generating passwords.
  • Adversarial machine learning tools: As machine learning models become more prevalent in computer systems, red teams will need to be able to break and exploit these models. These tools include techniques for generating adversarial examples, poisoning models, or bypassing machine learning-based defenses.
Tool                                  | Use
--------------------------------------+----------------------------------------------------------------
Metasploit                            | Exploiting vulnerabilities in systems and networks
Adversarial Robustness Toolbox (ART)  | Creating adversarial attacks against machine learning models
Kali Linux                            | Operating system with a collection of tools for red teaming
Ghidra                                | Reverse engineering software to find vulnerabilities
Nmap                                  | Scanning networks and identifying open ports and services
sqlmap                                | Finding and exploiting vulnerabilities in databases
Wireshark                             | Analyzing network traffic and identifying patterns and anomalies
Burp Suite                            | Finding and exploiting vulnerabilities in web applications
John the Ripper                       | Cracking passwords
Maltego                               | Identifying relationships and patterns in exfiltrated data
Aircrack-ng                           | Cracking wireless network passwords and analyzing wireless traffic

Professional Development

Red teams are an integral part of an organization’s security posture, responsible for testing an organization’s defenses against a constantly changing threat landscape. As such, it’s crucial that red team members are well-trained and constantly up-to-date on the latest techniques and technologies. This requires a significant investment in professional development and training.

Red teams should allocate at least eight hours per week to training activities such as paper discussions and lectures. Hands-on exercises should be scheduled as well. This time is in addition to the extensive training that new team members often undergo during their first few months on the job. It’s also important for red teams to attend offsite trainings and conferences on a regular basis in order to stay current on the latest developments in the field.

Investing in your red team’s training and professional development is not just a job perk, it is crucial to their success. The landscape of cyber threats is constantly evolving, and it’s essential that red teams stay ahead of the curve in order to effectively test and improve an organization’s defenses. So don’t skimp on training and development - it’s an essential part of any successful red team.

Conclusion

In conclusion, red teams play a crucial role in an organization’s security strategy. They are responsible for simulating external adversaries in order to test an organization’s defenses, hopefully leading to improvements. To carry out their operations effectively, red teams rely on a wide range of skills, including expertise in hacking and exploiting vulnerabilities, analyzing network traffic, adversarial artificial intelligence, SCADA, and sometimes even developing custom exploit tools.

Red teams also require constant training and professional development in order to stay up-to-date with the latest techniques being used by real-world adversaries. This includes not only in-house training, but also attendance at conferences and offsite trainings throughout the year. Red team members will also individually specialize in certain fields, like exploiting machine learning models or SCADA systems.

Finally, it’s important for red teams to operate under clear guidelines, as outlined in a Standard Operating Procedure (SOP). This helps ensure that the team is able to carry out its operations effectively, without inadvertently doing harm to the organization.

Don’t let your organization get hacked. Use the skills of a red team to stay ahead of your adversaries.