Ashish Rajan: Hello, and welcome to another episode of Virtual Coffee with Ashish. If you’re here for the first time, we’re talking about red team in cloud, and I have an awesome guest to talk about this as well, but before we get into this, this is a live stream so it’s online every week, every Sunday morning at 8:00 AM.
And the audio becomes available on the podcast website. But we’re also on all podcast platforms as well. Apple, Spotify, you name it. We would be there. It’s called Cloud Security Podcast. Right. Now, since you’re here, we’re going to talk about red team.
And what do these red team folks do online? Or on the internet, in the cloud, everywhere. And to demystify this for me, I have a really good friend of mine, Brianna, but before I can bring her on, it’s starting to become a tradition in the Virtual Coffee with Ashish. I want to start with that.
Brianna Malcolmson: I’m good. Thanks. How are you today?
Ashish Rajan: Good. Good. Thank you for coming online with us and helping us demystify what red team. What does it really do? Now I’m going to start with something, I [00:01:00] guess, for people who may not know Brianna, how did you get into security?
Brianna Malcolmson: Oh yes. So I have been in cyber security, I guess, as a career for over 10 years now, but I got my start. Kind of when, you know, when you started going on the computer, like around age 10 or something like that. And then growing up in the days of like online chat rooms and using computers at school.
I always liked to go home and play Neopets and, you know, Neopets has a lot of hacks in it. I was just always very interested in the computer, and my parents tried to keep me off the computer, which was a good call on their part. And then after I finished high school, I went to college and ended up going to college in the United States at Penn State.
I was actually on an athletic scholarship golf when I didn’t know what I wanted to study, but they had a degree that was called security and risk analysis with a focus in [00:02:00] cybersecurity, which was really focusing on hacking. And ever since I was a little kid, I’d been fascinated with the idea of computer hacking.
It’s pretty cool. Right? And all of a sudden I was presented with this idea that I could do computer hacking as a career. And they said it was like a pretty good career. So fall semester I took a class and not, and I was like, yes, sign me up. So I studied information security and so that’s not just hacking, that’s like all the theoreticals of security and also risk analysis.
Which has always been quite interesting to me as well. Not a lot of people are also interested in the statistical side of risks. So it was kind of nice for me. I like that. And then, yeah, after I finished my degree I got hired as an information security analyst. And so for a couple of years, yeah, I was doing that.
And from there I’ve had a bunch of different jobs. I’ve worked in incident response. And after that being a defender, I decided I wanted to switch [00:03:00] over to the attacking side and trained in red teaming and penetration testing which I did then for five years. And yeah, after that, I’ve actually just made a recent switch back to corporate security.
So I’m enjoying doing that now.
Ashish Rajan: Wow. So quite a varied set of skill sets you’ve gone through as well, incident response. And I think it almost feels like a natural transition from that into red teaming, pen testing, and now into corporate security. I guess for people who may not even know what red team does, and before we get into that kind of side, I’m curious to know, and this is a question that we ask everyone as well.
Like, what does cloud security mean for you?
Brianna Malcolmson: Yeah, so cloud security is interesting for me because back in my first job, I remember I was at a company that ran a web application. And there was a lot of discussion about whether we should move out of our data center and into the public cloud or create our own private cloud.
And they’ll just talk about cloud and let’s kind of like, well, what is the cloud back then? And now we have a kind of a different idea of what the cloud is, but for me, I think cloud kind of really signifies a [00:04:00] difference between having your own data center and having to manage the hardware there and the infrastructure and the networking, as opposed to
outsourcing that to a cloud provider like AWS or Azure, and having that lay on managed. And then you have to focus on still all the things you had to focus on back then, but not so much managing the hardware or connecting the network cables. And that, and that sort of thing.
Ashish Rajan: Yeah. And I think the fact that you’ve mentioned the responsibility part as well, because a lot of people talk about cloud security from a technical standpoint and people kind of tend to forget that.
Oh yeah. We’ve kind of given some of that to the cloud host, part of what we still have. Some is in our court as well. So that’s pretty good. I’m going to ask this question. What is red team? Blue team? Purple team?
Like every time I go on the internet seems to be like everywhere. I want to be red team. I want to be blue team. I want to be like, what are these teams all about?
Brianna Malcolmson: Yeah, we have so many colours. It doesn’t really describe what we do at all. And generally, like, I would usually be very opposed to that. [00:05:00] I generally stick by words have meanings and definitions and you should make the definition
describe what it is, which are red, red, blue, white. It doesn’t, it doesn’t do it at all. But the red team is, you can think about it as attackers. We try to pretend to be attackers and try to hack into companies to reveal flaws in their systems or vulnerabilities. And then we present that information back to them so that they can implement the necessary changes and try to fix them.
That’s kind of like the really simple, high-level view of what a red team is, but in a broader sense, I would also say the red team is the kind of mindset of being able to think through a problem and kind of see any gaps or flaws and try and recognize patterns at every layer all the way from hardware to like interacting with people and be able to point out those problems and find them when other people don’t typically see [00:06:00] them.
So that’s the red team. And then the opposite of that would be blue team. So if the red team are the attackers, the blue team are the defensive team, so that’s practically every team in cybersecurity that isn’t specifically the hackers. And yeah, then you have purple team and that’s kind of like a cool word for when you want to like, kind of, I wouldn’t even say it’s a level up.
You want to move away from the basic of one team attacks, one team defends and you want to kind of bring those together in some way where you can benefit both teams simultaneously without having a huge division.
Ashish Rajan: So red team is basically attackers blue team defenders and purple team is a mush of two together.
Like, I mean, in a good way, not in a bad way, in a good way, but the thing.
Brianna Malcolmson: For many years, I was like anti purple team because it really like, if not a descriptor, it can be so many different things, but also red teaming can be so many different things. So can blue teaming. So it’s [00:07:00] really hard to just say, like, define it. But as an example of what I would call a purple team exercise is something like
having, when you might even call it like a white box, I’m going to bring another color. Yeah. No,
the defensive team knows what’s happening. And then maybe even sitting in the same room as the attacking team and they’re attacking, you might tell them what hacks or attacks they’re doing on the network while the blue team sits and tries to look at it in real time. And so you can have this kind of mesh where both teams are working together and it kind of lowers the tensions between both teams.
Whereas usually you would have the red team do an attack, finish it, the blue team, maybe catch them, we’ll find out about it and have to run an incident. And then you meet up afterwards. This is more like you could do it at the same time.
Ashish Rajan: So would that be like a real-world capture the flag kind of scenario?
I’ve got Kevin here, Kevin’s a regular as well on this podcast. If you want an InfoSec color wheel, there’s actually a color wheel for this. Thanks for sharing that colour wheel. I had no idea.
So there’s [00:08:00] green, yellow, orange, and white. Just to confuse things even more. So this is amazing. So I didn’t really realize there could be so many colors and I think it’s well put together, the definition between red team, blue team and purple team. Cause that’s kind of where it is, that’s also the place where people talk about the whole thing, like think like an attacker, attacker-led mentality.
Brianna Malcolmson: You able to think like an attacker?
I think it comes with experience and I’ll probably talk about this a bit later. The longer you’ve been delving in the world of sysadmining or defending, or just experience, you, you see attacks, you see attacks against technologies, you see vulnerabilities. And eventually you’re able to think like, Oh, I know what an attacker would do in this situation.
Ashish Rajan: Right. So it sounds like red teaming, is that the same as pen testing or threat hunting then?
Brianna Malcolmson: No, they’re very, they are different. You could definitely have, during a red team exercise, we tend to call them when we do our red team work, we tend to call them red team exercises or red team operations or [00:09:00] red team tests.
And you could have a red team exercise that looks exactly like a penetration test. The difference would be that it doesn’t always, it may not even necessarily be anything like a penetration test either. So when you’re doing your red team, you’ve got to take into consideration many things like what is the company that you’re working for?
What is their industry, what is their high value information that they really care about? And what attackers would try and steal from them. And then you typically base your exercise around those, whereas for the penetration tests, typically they’re saying, Hey, we’ve got this application.
We want you to try and hack in from the outside.
Ashish Rajan: Oh, yeah. I’ll give you two days for this. So find what you can. This is the budget we have. That’s usually pentest conversations, I guess. I totally feel bad for companies where they just want to give two days, it probably is not fair.
So what does red team do? I mean, if you were to kind of define it, cause it sounds like there could be a red team exercise which may have multiple elements that could be pen testing. [00:10:00] That could be something else. Like I’m, I’m even considering there might be social engineering as well, to some extent.
So what could be a typical red team exercise? What would they do?
Brianna Malcolmson: I think it is really important to consider like a lot of factors, but it can run all the way from hardware hacking or firmware reverse engineering up to the network level, up to the application level, up to the human level and human psychology and social engineering.
And then even physical on top of that. You end up doing like a wide variety of work really based on the industry. For example, if you’re working at an electric car company, cause I know electric or self-driving car companies, they have
red teams, they might really care about the fact of, Oh, we’ve got a computer on board our car. If someone can meddle with it, they might be able to crash a car and people might die. So we’re really interested in hiring people who are experts in this sort of software or hardware to make sure that there aren’t any flaws in it.
And so you could have [00:11:00] red teams focused exclusively on that kind of car hardware and software, or you could have something like a cloud company where they’re really interested in making sure that their database that lives in the cloud is secured. And so they’ll hire red teamers who have skills in network penetration testing or application penetration testing to design exercises like that.
Ashish Rajan: Worthwhile calling out cause red team could be internal and could be someone brought in from the outside as well.
Right. It doesn’t really have to be always an internal team. Is that right?
Brianna Malcolmson: I tend to think of red team, like when I’m speaking of it, I tend to think of internal red teams. Cause that’s been my experience. However, you can also hire firms that do forms of penetration tests and they also offer red team services, which are kind of like usually scaled-up penetration tests.
They might go for longer, or they might focus in different areas. All of my red team tests have, I’ve done a lot of research on the business. And you know, there’s a difference between like working as a red teamer on an engagement [00:12:00] and also, or, designing a red team program for a business.
There are a lot of different skills and things you have to think about in those two things as well.
Ashish Rajan: Oh, that’s interesting because do you mean when you were in your red team space as well? Cause it’s, it’s technically like a program. It could be like an AppSec program.
How often this is going to go on for, whatever, what are the objectives? And to your point about what are the crown jewels for the company as well, that need to be accounted for. I feel like today we should do some exercise. What do you think?
Brianna Malcolmson: Yeah, it is. You really have to kind of think about what the company’s objectives are and how long your exercise is going to last and what the value you’re going to be bringing to that company is, as opposed to just being like we’re going to hack you.
Ashish Rajan: Yep. We’ve got a few people who have just started in the cybersecurity space and certainly cloud security space as well. So some of the questions that came through from confused audience members were like, what’s a cyber kill chain from a red team perspective or your perspective?
Brianna Malcolmson: Yeah, definitely. So cyber kill chain or the kill chain is generally just the steps that you take in order [00:13:00] to complete your objective as the red team. So for example, I’m on the red team. I’ve decided that I’m targeting a company. My objective would be, I’m going to steal the social security numbers from this product’s database.
Your kill chain would then be all the steps that you take to get there. So it might be you do some external recon where you look up people on LinkedIn, or you send emails inbound to see who reads them. That’d be step one and step two might be sending a phishing email that someone clicks on and puts their credentials in.
So it’s like a chain that you build up. Step three, install malware, step four, pivot into production. Step five, link the database. That’s the kill chain. And
Ashish Rajan: you just put yourself on the internet as I have a database that I have to sell, I guess, for lack of a better word. I was gonna ask, in terms of the whole cyber kill chain, is there like a publicly known example that you know of which you can share with the audience from a [00:14:00] cloud perspective, I guess.
Is there a cyber kill chain example that you would have from a cloud perspective that you found interesting or you’ve heard of?
Brianna Malcolmson: Yeah, so I kind of think of like maybe not cyber kill chain, but like recent attacks that have happened and you can probably work out the kill chain yourself.
Some that have happened in the cloud are like Uber with their open S3 buckets, misconfigured S3 buckets. That might be as simple as you do recon of brute forcing different S3 bucket names. You find one and then you download it all. So it’s a very short kill chain in that instance.
Yeah, something like that.
Third-party supply chain attacks, where they compromised a build system and then compromised downstream customers.
Something that you can’t really do very well as a red team because you can’t get permission technically usually to hack a third party supplier, to target your company that you’re trying to red team.
Ashish Rajan: to your point about the kill chain and [00:15:00] the way you would think about it from a red team perspective and how you can apply that, when I talk about red team and, and talk to red team people, there’s always this conversation about threat actors.
TTPs. For people who don’t even know what TTPs or threat actors are, how do you define it?
Brianna Malcolmson: Yeah. So as a red team, like there is a lot of time spent thinking about what real attackers and that would be the threat actor saying the same thing would accompany. So we spend a lot of time researching.
Or what companies look like else and what companies have had recent attacks that are publicly known, and the TTPs are the techniques, tools, and procedures that actors used in order to do that breach. In some ways I’ve emphasized, it’s like, cause it’s hard. Cause in some ways you really want to mimic things that actually happened and people know that actually happened, but at the same time, you’ll see attackers doing things that they really haven’t done before. Like, I think, or so brazenly, like in SolarWinds. And so just because an [00:16:00] attacker has never done it before, if it’s possible, it doesn’t mean that they haven’t done it.
And you don’t know about it. Or that it can’t be done. So it’s kind of a balance between doing realistic exercises that we know are likely to happen to an organization and then being really novel and coming up with new things.
Ashish Rajan: This reminds me of a couple of organizations before, where you almost know the people who were clicking on a phishing email.
If, when you’ve spoken to them and you let you try and give them those just hints by giving them security awareness training, like you should do this, to just saying, I’m sure you would have your own stories, which we can probably get into offline, but for the moment, anyone who’s listening probably doesn’t have a red team in the company.
Can they do red team activities themselves as a small project, or you need to have like an internal red team to even even start doing this?
Brianna Malcolmson: No, I, so one of the things I’ve been focusing on a lot more in the last couple of years is doing smaller engagements that are less of an upfront cost and not as [00:17:00] dangerous, because there are a lot of dangers and risks in running red team exercises when you’re hacking into systems that you’re really not supposed to.
So if I was saying, if you just wanted to start off small team red teaming and you don’t have experience with that what I really like to do is tabletop exercises. And this can really be done by anyone. So, and I run this program myself, I call it red team camp. And what I do is I pick a scenario that might be an attack that recently happened or an attack that I think could work at the company.
And I contact the team that are responsible for that area or that product. You set up a meeting with them. And you kind of all sit down at the table and walk through. Okay. So I just got here and I did this, and maybe you have someone from the security, defensive team there as well. And I say, well, if I got a shell on your laptop, would you be able to see that?
And like, would you be able to detect that? And how would you detect it? Oh, well, what if it wasn’t this type of application, [00:18:00] what if it was a script? And so then you kind of talk through the different steps that you might take as an attacker. And if they say, well, that was blocked. And then you say, well, no, I tried this, and you kind of like have this back and forth tabletop to see whether you can find any holes in the process or the systems or the detections.
And that’s kind of like something that anyone could do to get started in, like, red team, like thinking like an attacker, that isn’t gonna put you at any risk.
Ashish Rajan: Oh, that’s an interesting one. So anyone listening to this can basically start red teaming. To your point, first step, identify the crown jewel, identify a potential public attack that has happened before or just recently.
And then I guess it’s probably a, how long is the thread kind of question? It could be as long or as short as they want it to be. Right.
Brianna Malcolmson: Yeah I typically do it for like a couple of hours, but it all depends on like the level of effort and the level of people you’ve got.
You can do it in under an hour too. The main goal is to find something that no one knew about or that, you [00:19:00] know, usually what I find when you do this is that there are some maybe SREs or ops people or a developer, who’s like, Oh, I know the flaw in that. You know, you can get you into this system that nobody else knows about.
Like, you write it down. Okay. Let’s fix it. And the developers and operations people, they know so much. And they definitely know about security flaws. You don’t need a security person to point that out, but this gives them a really good platform to raise those issues in front of people and to get them fixed.
Ashish Rajan: That’s actually really true. And I love the fact that you’re able to kind of tap into that almost like you don’t really need to be a security person to do this as well. This is something that I promote in the podcast quite often that although some of us may have security titles, but doesn’t really mean we know all the answers.
We actually need a lot of help from the other side, from ops people, from developers to even make our jobs as successful as well.
Brianna Malcolmson: Yeah, definitely. I’m always amazed. I think that in the last like 10 years, things have changed a lot into improving [00:20:00] relationships between security and developers.
And I love to see that it’s a good collaboration.
Ashish Rajan: Oh, and I’ve got a question from Vineet. Do you need a jailbreak pass before conducting any new exercises?
Brianna Malcolmson: Yeah, absolutely. You’re agreeing to do any sort of, here’s where I draw the line, like sitting in a room, talking to people, fine, doing anything that is written in your company handbook that you’re not allowed to do.
You need, you need approval, and you need typically not just approval from your manager, but probably like whoever’s in charge of the area that you’re operating in. So, I’m never going to tell anyone to go and do a red team without making sure that you’ve got lots of approval first.
So stick to things that aren’t hacking until you’re on a red team.
Ashish Rajan: Oh, actually that’s an interesting point, because to your point about a cloud environment, it is generally not just one server or just one application or just one microservice, there are so many interconnected dependencies as well. So like, for lack of whatever, shit can go really wrong [00:21:00] very quickly.
Brianna Malcolmson: Yeah, exactly. The difference between traditional red teaming, maybe in a, you, you run your own data center environment, versus a cloud. There is the possibility that, like, it is a shared tenancy. You can escape from the VM or from the sandbox and jump onto the management plane in theory, and then have access to other customers as well.
So you have to really carefully define the scope of what you’re doing and stick to those rules. And have a get out of jail free card.
Ashish Rajan: I’ve got a question from Josh as well. How does the red team activity help identify the risk of threat related to security of the cloud? Any thoughts on this question?
Brianna Malcolmson: It’s a very broad question.
Ashish Rajan: I think maybe if you take it from more like a, I guess from an organization perspective
Brianna Malcolmson: Yeah. So how we help is that typically an organization knows the sorts of. So they have, when you’re designing a system, like, I always say it’s like [00:22:00] everyone designs a system to be as secure as they think they can make it. No engineer or developer or anyone is sitting around going like, I’m purposely, like I’m gonna make this old, like, version of this run on the public-facing cloud.
Right. So, you know, you can look at it and say, okay, when you get to a point where you said, okay, we think we’ve done all we can to secure our public-facing cloud. And you’ll say, good. Now I want someone to prove that I’m wrong. I want to hire a red team and I’m going to say red team can try and break my defenses.
And if the red team can, then that’s how they help to identify the risks or threats.
Ashish Rajan: Yep. Oh, would you replace this with a threat modeling exercise cause it sounds like this, there could be a good overlap between them, would you say a red team can get involved in that phase as well?
Because I guess as a team, there’s only a certain number of threat actors they may think of, but a red team could bring additional perspective from what’s happening [00:23:00] out in the wild, I guess.
Brianna Malcolmson: Yeah, I think any security professional can do threat modeling, red teams included.
Ashish Rajan: Interesting comment from Kevin as well too, talking about not breaching AWS or I guess cloud terms of services as well.
That’s the other handbook you should be careful about. One is your company handbook and the other is the cloud providers handbook, I guess.
Brianna Malcolmson: Break any laws, ever? That’s
Ashish Rajan: I agree. Cause I think the jail sentence seems to be like really intense, 25 years, 30 years for breaking into a computer, like what is going on here. It’s just a computer, but anyway, I’m not going to get into that. So as Brianna mentioned, do not break any laws, any law anywhere, that’s it, just be good citizens of the world.
All right. I’ve got a comment from Paul as well. I see smaller organizations are adopting purple teams for the wrong reason. They like the idea of a smaller, cheaper team of Jack of all trades rather than specialists. Do you see this as well, Brianna?
Brianna Malcolmson: Yeah, I think it’s hard. I think I used to have said the [00:24:00] same thing, that it’s the wrong reason.
I think I take a much more balanced approach these days, in that it’s not always possible to hire a team of like three to five people with a high salary who’ve got lots of experience in hacking to do this kind of exercise, but at the same time it’s also really hard to take someone who hasn’t been trained in penetration testing or red teaming and expect them to all of a sudden
know what to do. So it’s like anything, it is a specialist activity, all the people can do it.
Ashish Rajan: But then again,
Brianna Malcolmson: maybe all you can afford right now and that’s okay. You’re, you’re trying to do something.
Ashish Rajan: Oh, it reminds me of all the DIY projects that I have started thinking I would finish this, but totally screwing them up later.
Like I should’ve just called in a professional. It’s one of those ones I feel.
Brianna Malcolmson: Yeah, exactly. And it can also be really hard because if you don’t have the experience, and this is in every industry and every kind of specialty, to know like intuitively, in this situation, this is okay to do, in your [00:25:00] situation
this is not okay to do. It can be really hard to make the right judgment call. And when you’re doing red team exercises, the stakes are very high. So I typically wouldn’t want inexperienced people trying to hack in and just hoping that they make the right judgment call without any experience.
Ashish Rajan: Oh, that’s an interesting one then.
So if someone wants to get into this kind of space of red teaming, what would your advice be for them? And I think we kind of spoke about the TTPs and stuff as well, but if someone’s getting pumped by this, Oh my God, Brianna you’ve sold me the career of becoming a red team person what’s the pathway for it?
Brianna Malcolmson: Yeah, there’s a lot of different pathways to it. I’ve seen people who have spent their entire career doing penetration testing.
I’ve seen people who have started in defensive security and moved forward. I think that I would definitely advise kind of going back and forth throughout your career. I wouldn’t advise like staying in penetration testing and like continuing that forever on, or staying in defensive and never having a go at the offensive.
I definitely think that [00:26:00] having defensive security experience is really important to being an effective red teamer, or offensive security person, because you really need to have some understanding of what sort of attacks happen, what flaws are in different systems, what flaws are in different architectures, and you kind of gain that over the years by like seeing it happen.
And until you have that kind of pattern recognition in your mind, you may just get stuck. Someone say, like, I’ve seen this happen with really junior people that like, okay, now go and enumerate like the services of this company. And they’ll be like, I don’t know how to, or what to do. And that’s a learning process and you can learn that doing it, or you might break into the edge, you suddenly have access to a system.
And you’re like, okay, well, what do I do now? I have no idea, but if you’ve seen like attackers and how they move through networks and the different sorts of things, they try, you can like have a better idea of what you might want to do.
Ashish Rajan: That’s a great, interesting perspective, because this is what I [00:27:00] feel like a lot of people miss out on, to your point about the experience and pattern recognition.
That’s where the experience comes, really plays a part, right? Because you can learn a lot of stuff and you learn an ideal way of doing something, but experience kind of gives you, I think, something even asking, plus your point, doing an nmap scan or whatever. And suddenly you’re like, well, I’ve got all these IPs.
I found one IP which has these open ports, now what do I do? Like, it’s funny. I think people should just go on Reddit at some time. And it’s a great, interesting perspective that sometimes some of those basic things that also people like just need to go out and explore more and stuff. So a great point.
I must say Brianna, I think it’s great advice for people, so I’m sure it will be a good step forward, just to be able to emulate a few people as a starting point document emulating. There is something called attack framework as well, which kind of is, could be, I guess, a point of start, but have you used it?
What are your thoughts on it?
Brianna Malcolmson: The MITRE ATT&CK framework.
Ashish Rajan: Yes. MITRE ATT&CK framework.
Brianna Malcolmson: I don’t really use it like personally for red [00:28:00] teaming. I don’t think it really fits well with my way of how I think about kind of getting into an organization. Like I never really sit down and be like, here’s all the possible techniques I can use and then just go through them one by one.
It’s more of like a dynamic process when you’re in that. I think the MITRE ATT&CK framework is really helpful for defensive and kind of shoring up to make sure that they’ve covered all their bases of well-known attack paths that attackers use.
Ashish Rajan: All right. To your point earlier, and circling back to what you were talking about, a smaller project, sometimes in a defensive team, they could use the MITRE ATT&CK framework to kind of find out what are the possible recon methods into a cloud environment and kind of move from there.
Is that right?
Brianna Malcolmson: Yeah, definitely. I would definitely advise, like, using that to kind of see, do you have detections for everything listed on there and what gaps do you have and can you implement something new for those different techniques? And I guess I even thought like, Oh, if I was really stuck on a red team, I could go on and see like, Oh, have I tried every single thing here?
Ashish Rajan: [00:29:00] So that’s a good point. Yeah. I mean, there’s always more to do, right? I think there’s, and to your point, it’s not always that the attackers would use the same attack as well. You, you may be able to craft something unique for your own environment just because you know the environment as well. So that’s a great point.
Switching gears to a bit more like, I think cause we have a few folks who are in leadership roles as well, and I’m pretty sure you’ve run a team for yourself as well. What do you think are some of the challenges of running a red team challenge in the company?
Brianna Malcolmson: Yeah. The major challenge with Red Team is communication.
You have to have good communication skills. You have to be very comfortable with going to senior leadership and presenting them with what you’re going to do and getting buy-in from them is of supreme importance. You will not succeed at running or building a red team unless you know how to get buy-in for the operations that you’re going to do, because if you don’t, you’re going to make people very upset.
You will hack into something and be like, well, I was hired to hack in and you go take it to [00:30:00] the head of the product and the head of the product can react in two ways. They can be like, Whoa, no, like what did you do? I’m gonna fire the person who made that mistake or they can be like that’s not that bad.
Like who cares? You know, like you don’t want either of those extremes. You want them to be like, thank you for doing this. I wanted you to do this. Like I said earlier, you want it to kind of be like, Oh, I know I’m ready. I know I’m secure. Can you please have a go and try and break in? If you find anything I’m ready to give you the resources or the team the resources to fix it.
Ashish Rajan: I think it reminded me of a conversation that I had and I guess a lot of pentesters have it as well. The, sometimes the initiative is hard to explain why something could be important, but then there’s sometimes things on our side as well. Like sometimes to your point earlier, we may lack experience because it’s my personal embarrassing story though, where I think, I can’t remember exactly what the thing was, this was ages ago.
And I think it was, I was like, Oh my God, this needs to be fixed right away. But the person was like, this is a low risk. You do know this, right? I don’t know why you’re pushing for this. I think to your point, does that [00:31:00] play a part in this as well?
Brianna Malcolmson: Yeah. So also things to consider when you’re like, that’s a really good point, when you’re organizing a red team or starting a red team, is I always like to look at it from an enterprise risk perspective, and that’s gonna sound like boring to people who just want to hack things, but you also don’t want to take your pitch to whoever’s in charge and having them say, Hey, this has nothing to do with what we care about.
Or what’s valuable to us, and you’re not thinking about it from a business perspective. So you, you really want to have an understanding of the business and the risks that they care about before you formulate what you’re going to do because, or else you’re not providing anything useful.
Like you’re finding like low severity, like you said.
Ashish Rajan: Yeah. And too, but how do you get a buy in though? I imagine that’s probably a hard part as well. Right? Because you’re almost to your point a skillset, you communicate. Yep. Great. You’ve communicated. This is a problem we should solve it. And then we spoke about the risk as well, but then there are these higher levels you kind of have to get to where it’s more of a business conversation.
How do you show value [00:32:00] for a red team from that perspective?
Brianna Malcolmson: So this can come into a lot of like choosing what you’re going to do and where you’re going to do it. A red team can like work effectively at different levels of operation, from breaching the perimeter, stealing the crown jewels and then closing the incident, all the way down to doing a red team exercise, a tabletop exercise where everyone’s talking about it.
And you want to pick what you’re doing for the place you’re at. You also want to, if you’re starting a red team you want to go in with executive support already. Like you want the people who are in charge to understand why they’re hiring you, what they want to get out of this so that you’re not left trying to do your job without anyone understanding what it is.
And then as far as providing value, I really want to like, challenge more red teams out there to think about the ways that we measure how, what we do and how we show that back to the [00:33:00] business. Because it’s, it’s difficult. It’s always difficult in security. We don’t have really simple metrics, like how many users or monthly active users that we can measure.
So I think that it hasn’t been well fleshed out and it’s something that I worked on a lot in the last few years when I was red teaming, of trying to come up with new methodologies for measuring value, but that’s a challenge I issue to every red team out there.
Ashish Rajan: It’s a good one as well. And to your point, there’s no real framework for users to show value to the business of why security should be important.
And especially in an organization, they’re probably, security is just a, I guess, a supporting body as well, even though it’s supporting the whole organization, but I think security is also one of those teams where when everything’s working fine, no one thinks about them, but then basically you get breached, you are like, Oh my God, in security and get them on board, blah, blah, blah.
You just like get to the choppers. It’s like one of those scenarios at that point, you’re going okay. I was already here, but sure. It’s a good segue into one of the questions that’s come through, pretty broad question, [00:34:00] but how long does a typical red team exercise take?
Do you have a goal in mind, when starting a red team exercise or is it an ongoing process?
Brianna Malcolmson: Yeah, so I would say I always have a goal in mind when I start a red team exercise. And it’s usually based on broad scope starting from the outside of a company, trying to breach the perimeter and move towards the objective. And then we’ll usually take three to four months to do that. I don’t really do that anymore. And I don’t know whether that’s really necessary. I think you’ve got to adapt based on the company’s willingness and these days.
I think I’m seeing a lot more companies who are willing to admit that security isn’t as great as, as people used to think it was, like the chance of a breach is going to happen. So you don’t even have to break in from external. Like there’s no point phishing someone. If everyone agrees that someone can get phished, you can just say, I’ll start with access to a system right here.
And I’ll go from there, cut down your time from four months to like one month and do that. You can really change the amount of time you spend on doing these exercises and still [00:35:00] get the same amount of value without wasting all the time.
Ashish Rajan: Oh, that’s interesting one. And I’ve got to think I’ve got another question, which is probably another addition to what we were talking about earlier from Josh again.
Hello again, do you think the mindset of organizations is changing when you present the vulnerabilities? There are always people who say we have been doing this way since the beginning.
Brianna Malcolmson: Yeah, I do think it’s changing. I think it really depends on the organization. I know I say that a lot. It’s another call out. If someone’s been there for 10 years and they have been doing it that way the whole time. Yeah. If you’ve got like new people or a new company, and they’ve only been in there updating technologies rapidly.
They might be less of us to change. It all depends on who you’re dealing with and what their tolerance for change is.
Ashish Rajan: Yep. And I think that’s a good point to mention the fact that it’s different for different organizations as well. Right? Because I think some people come from a, I guess, a FinTech background or a compliance background, they’re very switched on about security.
They’re always like, Oh yes, we should definitely do this. Whereas you [00:36:00] may have people who have never seen security before. It’s only like, wait, why do we pay you money again? And this kind of like becomes one of those questions again. It’s hard to explain that. Why does your job exist? So it’s like calling out.
I think I’m supportive of your idea, Brianna, that it is, unfortunately, depending on the organization kind of answers where it’s depends who you’re talking to and the person already has. I think one of the examples that someone told me once before, I think it was talking to someone in the UK and they said like after a security incident, the whole organization’s mindset of what security is changed. And they wanted to be much more proactive about security. Like not that I wish this on anyone to have a data breach or any of that, but just saying that could trigger a reaction as well, where suddenly people realize, and that’s where you hear the stories of people showing to the executives that, Hey, this is how easy it is for me as an outsider to attack your system. Do you think this is valuable for us to fix it? So now maybe not that extreme, does that really work?
Brianna Malcolmson: Absolutely. Yeah. That it is kind of a cycle and I’ve, I’ve been like playing with mental models of different red team kind of [00:37:00] concepts over in like in the last year I’ve been thinking about it.
And one of them really is that cycle of a breach happens, then people care about security, we fix the holes. No breach happens for a long time, then a breach happens. Hopefully that cycle kind of moves down through time, your vulnerabilities and your exposures get worse. And you’re able to, and the things you implement are less patches and one-time fixes and more systemic problem solving like architectural flaw remediation so that you thought to eliminate like entire classes of vulnerabilities, as opposed to just fixing the one that was found.
Ashish Rajan: I’ve got an interesting question here. I love this question. What’s the difference between the red team and the AppSec team?
Brianna Malcolmson: Yeah, totally. So application security team typically focuses on working with, Oh, this is what I think they do, not working with, working on the software development life cycle, working on maybe tools and [00:38:00] code to prevent vulnerabilities coming into the products, ways to scan the code, scan third party libraries, make sure they’re up to date, ways to build the CI/CD pipeline so that it’s done in a secure manner. Application security focuses on, you can be an application security pen tester, like you can do part of our red team exercise that involves something to do with application security, like maybe exploiting a cross-site scripting vulnerability, or maybe doing command execution through URL parameters. Hopefully that makes sense to you. It’s only a small part of what you would do. So say you, maybe you only do that for like 10% of your time and the rest is focused on the overall goal.
Ashish Rajan: That’s an interesting point. And just to add on to that, would you say red team exercise is almost like a validation as well for like apps that could be involved in a product or a project in the [00:39:00] beginning? Whereas red team is usually like almost you’re validating. Hey. I’ll be like, I think we’re talking current exposure versus AppSec is an ongoing exercise as well.
Like where you go, okay, if you have a new product, new release, let’s do some threat modeling. Let’s see what we can do from a SAST or to your point, is that a cross site scripting or static code analysis? Like all that kind of goes into that building process and red team is also supporting in that, Oh, you’ve built something, but this is how we can ongoingly keep it secure.
Or this is a thing which is a blind side. Is that another way of defining it?
Brianna Malcolmson: Yeah. So I would say there’s a couple of more differences. There’s a, it’s a very, very different job. But overall, say, think about it like this. If you’re on the AppSec team, you might say, like, I know what I need to do.
I need to systemically remove command injection from our entire code base. So you set up a project to do that, and you know, you do your research that you do X, Y, Z, you eventually finish it. The red team says like my goal is to steal some data from the [00:40:00] database that that application is connected to.
And I’m going to try all these different attacks. Hopefully one of them will work. I have no idea if any of them will work. I don’t know how long it’s going to take. Maybe I have to go a completely different way. I have to attack that completely different application or someone to get there. So it’s a really, like if you’re doing application security, you’re working on the defensive side where you’re actively trying to secure something for the long term.
And if you’re doing red teaming, You’re working on an operation by operation basis, trying to achieve a goal.
Ashish Rajan: That’s a good definition. And sounds like it’s a very sexy field. As I say it, I was going to say with all the conversations about how do we attack this and how do we take over this?
And that he was definitely one of those sexy fields within information security. Is it all fun always though.
Brianna Malcolmson: Yeah, so definitely not. And this is like a lot of people will come up to me. It’s like they’re in college or whatever. And they say, I want to be a red teamer. Like, that’s the only thing I want to do.
Like how do I become a red teamer now? [00:41:00] And because it’s hackers, right? It’s like the movie, that’s the thing. Because what we do is when we present our results of our exercises back to the organization, you know, all you see is we phished this person and then we pivoted over here and then we privilege escalated and then we hack the Gibson and it looks like it’s all fun all the time, but it really isn’t like what you don’t see is a lot of the boring work.
Like sometimes you end up scanning like, Oh, God, sometimes it’s the entire internet, but like an entire set of IPs or domain names. And then looking at all the results for like six hours, just reading it line by line. Or sometimes you write a report detailing all the things you did in excruciating detail, because they’re looking at this from a forensic side of attack and they want to make sure that their timestamps line up with what you did and reporting can take you weeks to just write up a report.
And, and then to where you just can’t, you just can’t get into a system and you might have spent like a [00:42:00] week trying to and you can’t. It can have a lot of like really boring, tedious downsides as well.
Ashish Rajan: I feel like that’s the reality of all jobs as well as sounds because it’s not exciting enough to say that you’re looking through logs or looking through IPs for six hours, because salts is always on a fast forward more in any movie as well.
Like five minutes later. Oh, I have I’m into the Pentagon and you’re like, ah, this is a lot longer than that, but sure. Five minutes later and I think I’ve like there’s definitely a lot of misinformation about the, some thanks for clarifying this. I do want to ask in terms of, I guess, the changes you’re seeing after being in the space and I guess talking to some of your colleagues as well, do you feel that the red team is kind of changing with the whole COVID and I think now everyone’s remote.
Now everyone’s basically primarily working from home. Do you see things changing in the red team space because of the whole, I guess primarily working remote, like exercise have increased or I don’t know what else you might be noticing on [00:43:00] your end.
Brianna Malcolmson: Yeah, I find it really difficult to red team remotely. That being said, I’ve done it.
Like I’ve run a remote red team. It’s the sort of creative, it’s a creative endeavor when you get down to it. So it works a lot better when you have people sitting next to you in the room and you can talk at length about what you’re doing and what you’re trying to do and your thought process in real time.
It’s like, there are periods of close. We have to go heads down and like research, but when you’re actually. In the middle of an operation, it functions like a thousand times better. If you’ve got the people that you’re working with in the room with you. That being said, like everything’s adaptable and you can always adapt and make it look better.
Like have a discord where you’re chatting with people in real time or a video call or something like that in order to get that same talking experience. But
Ashish Rajan: remotely. That’s a , great answer.
Thank you so much for this. For people who want to reach out and have maybe follow up questions on the whole red teaming and what’s [00:44:00] involved in ways, where can they find you online? What are your, what are your good places to hang out with you? Yeah,
Brianna Malcolmson: hit me up on LinkedIn. Brianna and Joann and LinkedIn and yeah.
That’s that’s about it.
Ashish Rajan: Cool. Well, I just wanted to say thank you so much for taking the time out. This has been really informative and looking at the questions over here. Definitely sounds like a lot of people got value from it as well. So I do appreciate you taking the time out and I guess I thank you for celebrating well pre-Australia Day celebrations with me, I guess.
Brianna Malcolmson: Yeah. Thank you so much for having me on this has been really fun and yeah, I enjoyed it.
Ashish Rajan: Thank you so much. All right. I’ll I’ll I’m looking forward bringing you back again, but I’ll see everyone else in my next episode and I’ll see you soon as well, Brianna.