
[red team] what preparations should be made to join the red team?

2022-06-26 05:14:00 Safety brother

What does a red team actually do?

On a red team, you emulate, simulate, or otherwise act as an intruder, a group of intruders, or a hypothetical adversary. This usually takes the form of individual exercises or campaigns whose aim is to train the blue team, the group or individuals responsible for the various defenses. The confrontation can happen at any level, from application security to active defense infrastructure, and so on.

Beyond that, how a red team is organized varies from company to company. In some companies, part of the red team's responsibility is working out "who is who"; they also take on other offensive security tasks such as penetration testing or vulnerability assessment. In other companies, the red team's members have a clear division of labor, each attending to their own duties, so that the team can concentrate on the detection and response of security incidents.

In any case, as long as the capabilities of the red team and the blue team are well matched, the form does not matter.

The lifecycle of a security attack

First, it is important to understand the attack lifecycle, also called the cyber kill chain, or kill chain for short. This outline defines all the steps an intruder must complete to carry out an attack. Most of the red team's work follows these steps, because they serve a specific objective, often referred to as "actions on objectives".

Image source: FireEye/Mandiant Consulting

Intruders are usually classified by their motives, for example intruders who steal payment data to make money. Because every step of the attack process revolves around that motive, knowing it helps the blue team organize its defenses.

To understand these steps in depth, also known as tactics, techniques, and procedures (TTPs), refer to the MITRE ATT&CK framework.

Which role should I choose?

Red teams usually have many skills, but there is no single right way to organize them into roles. However, it helps to logically divide the activities into two groups, engineering and operations. This is a common strategy used by technical teams of all kinds.

In short: engineers build tools, operators deploy and use them.

Many teams create a specific, usually temporary, operator role for a particular operation. For example, one member is responsible for sending the phishing emails, and another is responsible for acting on the incoming remote access once the red team's payload executes on the target.

How a red team distributes these skills across one or more members depends entirely on style, ability, training, and the availability of talent. Pick several of these roles to train in, so that you can be flexible when you join a small team.

What skills should I learn?

Simple! Pick the relevant skills you are interested in; this makes you a better technical communicator. Try many of them and see which suit you best...

Red team skills and their relevance to the roles

Offensive mindset

As the security industry has developed, "duct tape and bubble gum" is surfacing everywhere. Most systems are designed only to accomplish their assigned task. Your job will be to take these systems apart and investigate their sticky internals.

It is the skill that lets you get past any obstacle.

Example: you have to learn to open a lock with a pick rather than with the key.

Skills development: CTFs, wargames, or penetration testing are good ways to exercise an offensive mindset, for example PicoCTF and Hack The Box. Look for CTF groups that run live demonstrations at local meetups. The real key here is to always question assumptions.

Penetration testing

Under the banner of penetration testing there is much that could be classified as vulnerability assessment, but for the sake of this discussion let us describe it as the process of searching for known vulnerabilities on a network or host.

Although this is not the red team's responsibility, you still have to be sharp at it. Using known vulnerabilities to launch an attack during an engagement is a good way to train the blue team's incident response analysts.

Example: scan for unauthenticated MongoDB instances that expose valuable data.

Skills development: get familiar with existing automated vulnerability scanners such as Nessus or OpenVAS. As with the offensive mindset, CTFs, wargames, or penetration testing are also well suited to developing this skill.

Vulnerability research

There is no hard requirement, but as a red team member, the ability to find 0-day vulnerabilities is naturally excellent to have. This skill can be used to exploit unknown vulnerabilities in third-party or internally developed applications.

This overlaps heavily with penetration testing, but the key difference is that 0-day hunting is very time-consuming, and from the perspective of security incident detection and response it may not effectively improve the blue team's ability to cope.

Example: your team finds that an internal application carries a high risk of vulnerabilities. Through research, an exploitable vulnerability is found and a proof-of-concept tool is written, which your team can then use to carry out a code execution attack.

Skills development: there are many articles and books on application vulnerability exploitation, such as the Security Sift site at https://www.securitysift.com/windows-exploit-development-part-1-basics/, or The Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto (https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470).

Software development

If a red team wants to succeed, the key lies in its software development ability; this cannot be overemphasized. Top red teams are almost indistinguishable from standard application product teams: they use formal development methods, use version control and release software, set up roadmaps, use CI/CD, write test cases, and so on. If nobody told you, most red teams would look like development teams.

You will find that you need to write code in multiple languages, depending on the platforms and adversary techniques you intend to use, and you must also program collaboratively with others.

The most important thing here is to understand the minimum viable product (MVP) principle. Make the code work, and document it. If it later becomes an important tool, more time can be invested in improving it.

Example: your operator needs a way to search a host for sensitive files. To support this, you could write a Python script that lists all likely private keys and spreadsheets.

Skills development: ordinary programming books may need adapting for this purpose, but there are also many books focused on the offensive use of programming languages, for example Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz.

Infrastructure

For the red team to do its best work, it is best to leave the chores of building and maintaining C2 infrastructure to someone else.

For infrastructure, reliability and reproducibility are very important characteristics. Using infrastructure automation and configuration management tools not only allows fast iteration but also saves time spent at the terminal.

Infrastructure as code should be the red team's dream, so that you do not have to pull a small team away every day to manage the entire infrastructure.

Example: your reverse proxy should be configured to withstand curious analysts, and it should be deployed automatically from a repository or a container.

Skills development: try the AWS free tier and the corresponding automation tools, such as CloudFormation and OpsWorks, to build a cloud-based lab. Also recommended is the Red Team Infrastructure Wiki by @bluscreenofjeff, to learn the relevant red team processes.

Networks and systems

When designing and implementing infrastructure, be sure to find out every detail about the hosts and the network; reliability and security live in the details. This cannot be overemphasized.

These systems may be hosted in a public or private cloud, as virtual machines on ESXi, or on physical or virtual networks. They usually face all kinds of attacks from hackers, so we must make sure the red team can easily simulate how attackers work. At the same time, you also need to be very familiar with the command line.

Familiarity with these topics will also help you get things done in the target environment.

Example: after obtaining access to a target host, the first step is usually to list the running processes.

Skills development: these skills can be developed by conventional means, but they need more practice, such as setting up a reverse proxy, a firewall, authentication, and so on. You can also set up a post-exploitation framework such as Empire in the lab and explore its various functions.

Reverse engineering

Reverse engineering is the process of analyzing an object to figure out how it works.

Reverse engineering can be used to analyze adversary malware (often called malware analysis) to understand its functionality and how attackers use it. Malware samples for reverse engineering practice can be found in many places, but be careful.

We can also use reverse engineering to understand how a target application works, in order to develop the corresponding exploit code.

Example: suppose you want to execute code through an unusual COM object. You need to analyze Windows COM objects in bulk to find the one that contains the import function you need.

Skills development: read The IDA Pro Book by Chris Eagle to learn how to use IDA Pro, or read Reverse Engineering Malware 101 by @malwareunicorn.

Social engineering

When an intruder launches an attack, the first step is usually sending a phishing email, so it is very important to know where people are gullible.

Social engineering is widely used in attacks, for example USB devices dropped as if lost, watering hole attacks, and so on.

Applied social engineering is part of the red team's actual work, designed to deceive unsuspecting users. Of course, fooling people is only an optional step. You can also skip phishing and use existing access directly, or deliberately give team members remote access to a specific host, to reduce operation time.

This kind of testing is different from a phishing assessment, which measures and trains the security awareness of end users.

Example: a customer asks you to create a convincing whaling campaign to test their awareness.

Skills development: check your spam folder for phishing samples, and master the Social Engineer Toolkit by @HackingDave.

Physical security

Some red teams even work on physical security. The test can be very simple, for example sneaking into a location and leaving a drop box at a designated spot. Although this is an interesting topic, many companies do not pay it enough attention.

Example: the network jacks in the headquarters lobby are on the internal LAN, and you need to demonstrate an attack against them.

Skills development: lockpicking, security system bypass techniques, badge hacking, and confidence games are all good training.

Threat intelligence

The red team needs tactical intelligence from multiple threat intelligence sources to provide rich material for intruder emulation in its bucket of tactics. We can also add new functionality to tools and documentation so that information about specific intruders, such as blog posts, can be searched.

Threat intelligence can also identify an intruder's motives, and identify the attacker's behavior patterns in what is called threat actor tracking. The red team can use this information to design the scenario for an exercise.

Threat intelligence can also come from milder sources such as security researchers. Their work can not only predict the tactics of intruders, but even influence their behavior.

Example: you know that certain intruders use macro-enabled malicious Office files that set up WMI subscriptions to obtain persistent access, so you can design a POC to reproduce the behavior.

Skills development: read many articles and reports on malware analysis and intruder tracking techniques.
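The blue-team counterpart of reproducing that behavior is checking that the WMI subscription chain is detected. As an added example (not code from the original post), the script below correlates constructed Sysmon WMI events (ID 19 filter, 20 consumer, 21 binding) into complete persistence chains; the event fields follow Sysmon's layout, the names and the consumer payload are constructed placeholders.

```python
"""Correlate Sysmon WMI events (19 = WmiEventFilter, 20 = WmiEventConsumer,
21 = WmiEventConsumerToFilter binding) into WMI subscription persistence chains.
Added defender-side example; the events are constructed, not captured."""
import re

SAMPLE_EVENTS = [
    {"EventID": 19, "Operation": "Created", "Name": "UpdaterFilter",
     "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "Name": "UpdaterConsumer",
     "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -enc <placeholder>"},
    {"EventID": 21, "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="UpdaterConsumer"',
     "Filter": '__EventFilter.Name="UpdaterFilter"'},
    # A consumer that is never bound to a filter cannot fire: noted, not a chain.
    {"EventID": 20, "Operation": "Created", "Name": "AuditLogConsumer",
     "Type": "NT Event Log", "Destination": ""},
]

# Sysmon event 21 names its endpoints as <Class>.Name="<name>".
NAME_RE = re.compile(r'Name="([^"]+)"')
# Consumer classes that run attacker-supplied code when the filter fires.
CODE_EXEC_TYPES = {"Command Line", "Active Script"}


def _name(ref):
    m = NAME_RE.search(ref or "")
    return m.group(1) if m else None


def correlate(events):
    """Return one dict per binding (event 21), joined to its filter and consumer."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    chains = []
    for e in events:
        if e["EventID"] != 21:
            continue
        consumer = consumers.get(_name(e["Consumer"]))
        flt = filters.get(_name(e["Filter"]))
        if consumer is None or flt is None:
            # Binding to an object created before Sysmon was running: worth a
            # look, but the chain cannot be fully rebuilt from these logs alone.
            severity = "unknown"
        elif consumer["Type"] in CODE_EXEC_TYPES:
            severity = "high"
        else:
            severity = "low"
        chains.append({"binding": e, "filter": flt, "consumer": consumer,
                       "severity": severity})
    return chains


def persistence_chains(events):
    """Only the chains in which a filter fires a code-executing consumer."""
    return [c for c in correlate(events) if c["severity"] == "high"]


if __name__ == "__main__":
    for c in persistence_chains(SAMPLE_EVENTS):
        print("%s -> %s: %s" % (c["filter"]["Name"], c["consumer"]["Name"],
                                c["consumer"]["Destination"]))
```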

Security incident detection and response

The blue team will be your main customer and competitor. They are experts in security detection and response. The red team needs to be able to anticipate the blue team and make full use of that knowledge in its work.

Learning the company's defense mechanisms makes red team members more valuable than other offensive security practitioners.

Example: you know the blue team monitors PowerShell-related logs, so when designing a PowerShell-based exploitation tool, you can invoke PowerShell version 2 rather than the latest version.

Skills development: set up Security Onion on your lab network, along with host-based monitoring tools such as sysmon or auditd. Watch them closely while carrying out operations in the lab. You will find that you can also think from the blue team's point of view. Also, regularly read articles on how to effectively prevent and detect intrusion techniques.
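Seen from the blue team's side, the version 2 trick above leaves its own trace. As an added example (not code from the original post), the script below flags engine downgrades in constructed Windows PowerShell log records; the flattened key=value record format and the sample command lines are assumptions standing in for the real multi-line event details.

```python
"""Flag PowerShell engine downgrades (the "call version 2" trick above) in
Windows PowerShell log records. Added defender-side example, not the post's code."""
import re

# Constructed records approximating the "Windows PowerShell" log: Event ID 400
# ("Engine state is changed from None to Available") and 403 (engine stopped).
# The real events carry these fields in a multi-line Details block; the
# flattened key=value form here is a stand-in so the parser runs offline.
SAMPLE_EVENTS = [
    "EventID=400 HostVersion=5.1.19041.1 EngineVersion=5.1.19041.1 "
    "CommandLine=powershell.exe",
    "EventID=400 HostVersion=5.1.19041.1 EngineVersion=2.0 "
    "CommandLine=powershell.exe -version 2 -nop -w hidden -c IEX(...)",
    "EventID=403 HostVersion=5.1.19041.1 EngineVersion=2.0 "
    "CommandLine=powershell.exe -version 2 -nop -w hidden -c IEX(...)",
    "EventID=400 HostVersion=1.0.0.0 EngineVersion=5.1.19041.1 CommandLine=",
    "EventID=400 HostVersion=5.1.19041.1 EngineVersion=2.0 "
    "CommandLine=powershell.exe -v 2 -File C:\\legacy\\inventory.ps1",
]

# PowerShell accepts any unambiguous prefix of -Version, so match -v, -ver, -version.
V2_SWITCH = re.compile(r"(?i)(?:^|\s)-v[a-z]*\s+2(?:\.0)?(?=\s|$)")


def parse_event(line):
    """Split one flattened record into a dict; CommandLine keeps the rest of the line."""
    head, _, cmd = line.partition("CommandLine=")
    fields = dict(tok.split("=", 1) for tok in head.split())
    fields["CommandLine"] = cmd.strip()
    return fields


def check_event(ev):
    """Return the reasons a record looks like a downgrade (empty list means clean)."""
    reasons = []
    engine = ev.get("EngineVersion", "")
    if ev.get("EventID") in ("400", "403") and engine.startswith("2."):
        # Engine-state events are written by every engine version, 2.0 included,
        # so EngineVersion is the reliable signal even when script block logging
        # (a v5 feature) records nothing.
        reasons.append("engine %s started although host is %s"
                       % (engine, ev.get("HostVersion", "?")))
    if V2_SWITCH.search(ev.get("CommandLine", "")):
        reasons.append("command line requests -version 2")
    return reasons


def scan(lines):
    """Return [(record index, reasons)] for every record that trips a rule."""
    hits = []
    for i, line in enumerate(lines):
        reasons = check_event(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print("record %d: %s" % (idx, "; ".join(why)))
```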

Technical writing

Describing purely technical issues clearly while keeping a broad audience in mind is a challenge, but its importance cannot be underestimated. As a consultant, technical writing is crucial for delivering valuable reports.

Whatever the case, I hope you have as few reports to write as possible.

Equally important is documenting the tools and processes the red team uses. There is a lot of information here, and the only way to maintain situational awareness is to write detailed documentation and keep it updated.

During planning, most teams submit proposals specifying the risks and rewards of a particular red team activity for management approval.

Example: in your operation proposal you need to assure stakeholders that you can carry out the activity safely and responsibly, and give the specific expected results, in writing of course.

Skills development: developing this skill is very challenging; we recommend a formal course in technical writing, such as those offered on Coursera. You can also write about topics in your area of expertise and invite experienced acquaintances to review your work.

Training and reporting

All the skills above rest on the ability to achieve the red team's teaching objectives.

You should be able to give key blue team stakeholders a brief through the red team's report (debrief), noting the chain of events behind each finding. Doing this clearly, consistently, and without harsh judgment is not only the right way for the red team to show its value to the wider organization, but also the right posture for maintaining a positive relationship with the blue team.

You should also be able to organize the red team's body of knowledge and deliver it in individual or group training settings. That way you not only share your understanding of the relevant topics, but the audience can also ask questions in real time, rather than having to learn indirectly by observing your work.

Example: suppose the company's blue team runs into problems analyzing how Alternate Data Streams (ADS) on Windows are used. You can prepare a short brief on your understanding of ADS and the tactics intruders commonly use with them, and give it to the blue team analysts.

Skills development: look for opportunities to present topics you are familiar with to others, for example by writing blog posts or explaining them to friends interested in security. If you want to improve your public speaking, we recommend Toastmasters, or giving a talk at a small local meetup.

Should I join an internal red team?

It depends on what you want...

An external (consulting) red team gives you the opportunity to learn from many organizations. You will find that organizations differ in maturity, agility, and what they are willing to accept. This is a great opportunity to learn about the state of the industry.

On an external (consulting) red team, your work serves all of the customers. The feedback loop between you and the customer's defenders is usually very shallow; although you cannot understand the customer's internal workings, you also stay away from office politics and corporate infighting.

An internal (corporate) red team has the opposite characteristics. You pick one company at a specific level of maturity and have the opportunity to deeply understand its inner workings; however, you then cannot be a consultant.

You will experience all the complexity of being funded directly by a fully functioning business whose primary task is running the business, not information security. You will fight side by side with your defenders: incident responders, intelligence analysts, security engineers... Not only can you use their expertise to improve your skills as an attacker, but that knowledge can also help you build a better security organization in the future.

Therefore you may need to make many compromises. You will grow together with many others in your organization. You will have a visible, measurable, and accountable impact on the systems that protect critical information.

Conclusion

For you, the most important thing is to cultivate an interest in offensive security. All kinds of skills matter for effective red team collaboration, so whatever skills you bring to this field, there is no shortage of employment opportunities. It is also important to figure out how you want to influence an organization. Your biggest challenge is finding a company that has a red team, shares your values, and is willing to grow with you.

In fact, red teams usually hire based on prior offensive or (hopefully) defensive security experience. So how can you stand out? Understand what defenders need and what their daily work looks like.

The core of red teaming is challenging assumptions. It always looks critically at systems or people and politely asks: "Why does it work this way, and can we do better?"


Copyright notice
This article was written by [Safety brother]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/177/202206260506251336.html