Breaking into Red Teaming: Phase 3
The key(s) to being a recognized and sought-after red team operator.
Overview
This is the fourth and last part in our four-part series: Breaking into Physical Red Teaming. If you haven’t read Phase 1, it contains a description of timelines, an overview of our approach, and details on how we are working to prepare the next generation of physical red teamers. You’re a red teamer so we know you like breaking the rules, but we suggest you start at the beginning for this one.
Phase 3: The Professional Red Teamer [This Article]
Timeline
This post focuses on the professional, employability, and soft skills you should have as a physical red teamer. Phase 3 (steps 8 - 12) should take two months for you to complete. If you finish early, then pause and practice the soft-skills that are your biggest gaps. Whether it’s public speaking, knowledge of Advanced Persistent Threats (APTs), or understanding industry frameworks, take the time to become a well-rounded red teamer with these skills.
Bored? Good. These are the least-exciting skills in the toolbox of a top-notch physical red teamer, and they’re also the most important. The fact that these are less exciting than breaking-and-entering skills is exactly what makes them rare among operators, and is what will set you apart from the rest of your peers. You have gotten good at hacking locks and badges; now focus on hacking the workplace by making yourself more employable as a red teamer.
Step 8: Red Teaming Ethics & Laws
Ethics: Your job is to now act unethically, ethically. In other words, how do you pretend to be someone acting unethically while still being ethical? They call red teamers “ethical hackers” for a reason. Same tactics, opposite motivation from the bad guys. Being creative, having strict ethics, and never losing sight of your ultimate goal are your best assets as you tackle the difficult task of being ethical adversaries. Here are some steps to take:
Watch “Red Team Ethics” by Roy Iversen and Tarah Wheeler.
Review HackTheBox’s Ethics in Ethical Hacking Explainer.
Take time to think about, research, and write out responses to each of the scenarios listed in this post. Don’t do more than one a day, to give yourself time to consider options. Ask friends, co-workers, and security professionals what their opinion is and spend time writing answers from various perspectives. For example, write how you would feel about a social engineering scenario as the red teamer, as the security leader, as the victim of social engineering, and as the company leader. There’s no right answer, but I’ll give you two hints: 1) You should always be asking the question “Is this worth it?”, and 2) Most ethical conundrums can be navigated or avoided by simply being creative. I suggest doing one or two of these per week, while also honing and improving your skills. The insight you gain from previous ethical questions, plus legal and ethical readings, in combination with your improving writing, will all result in significantly better responses as you progress. Not to worry, because the questions get harder as well. You can view the scenarios HERE.
Draft your own Code of Ethics as a red teamer. Google “cybersecurity code of ethics” and similar search terms to do research, and then draft your own list of principles, ethics, and values that you will live by as a red teamer.
Note: Moving forward you should have flexibility around this Code of Ethics. Not in whether you follow it; you should always adhere to the ethics and principles you lay out for yourself. You should have an open mind and willingness to update your personal Code of Ethics as you grow as a red teamer, as you change jobs, as the industry you work in changes, etc. A willingness to grow, learn, and adapt, combined with a strong Code of Ethics will take you very far as a red teamer.
Red Teams & Laws
This is an essential area for professional red teamers to be well-versed in. Spend time researching your local laws, learning about red teams gone wrong, and thinking through what steps you will take to stay on the right side of the law. Here is our recommended reading:
Watch the Coalfire Debrief with Brian Krebs after the Iowa arrests.
Review the Federal Lawsuit filed by the Coalfire testers against Dallas County. (Click the “Download PDF” button to view documents).
Review, in detail, this After-Action Report.
Bonus: There was a case where a pen tester was hiding in a parking garage somewhere in Europe, waiting to break into a building. A woman left the building and got very scared by the random tester hiding in the garage near her car. Although inadvertent, this is a notable case that caused both real-world harm to the company’s employee, and reputational damage to the company since it made the news. With that said, we can’t find the article we read about this event. If anyone finds it, please add the URL to this article in the comments and we will give you a shout-out in the next article we publish!
Step 9: Red Team Risk Management
Now that we have reviewed the worst-case scenarios, let’s talk about how to avoid them. There are risk-management steps to take during every phase of a red team engagement. From scoping to planning, surveillance to infiltration, here are some key steps to take at each phase. As a current or aspiring physical red teamer, you should familiarize yourself with each area below, and note that these are the bare minimum steps a professional red team should take prior to an engagement.
Scoping:
Ensure you identify the exact locations being tested, and the relationship between the organization hiring you, the building owner, building management, security providers, and more.
Obtain leases or other legal agreements that may shed light on the permissibility and constraints relating to what you can (and cannot) test.
The Proposal:
Whether you are an in-house red team or a consultant, you should be drafting a proposal or similar plan that outlines the specific goals, tactics, approach, threat model, communications plan, safety plan, and more. Take an hour (or more) to practice documenting the various safety measures for the below scenario.
You are a consultant hired to conduct a red team of an oil refinery. The client has asked you to conduct the test during the day, during operations, and during business hours. They encourage you to test their physical measures, technology, and personnel. You assemble a team of six experienced testers with a wide array of skills to complete the job. The Director of Corporate Security that oversees security for the offices and various refineries has hired you. They called the local security manager and let them know a test would occur in the next month. No one else on-site knows about the test.
Complete the following sections for this hypothetical proposal:
Letter of Authorization: Who drafts it, who signs it, whose contact information is included, and what letterhead is it on?
Notifications: Do you notify law enforcement (LE)? Do you need additional individuals on site to be informed of the test beforehand? Develop a notifications plan.
Communications: Develop a communications plan internally for the team, and externally for the client as the test progresses. How, where, and how often do you communicate with each party? Employ your best business continuity planning; develop plans B and C to ensure you have ways to reach all critical players.
STOPOP: What are the triggers for Stopping Operations (STOPOP)? Is it when goals are met, when law enforcement is called, when the first team member is identified by security, etc.?
Safety Plan: Develop a safety plan, including listing potential hazards/risks, and Risk Mitigation Measures for each of the areas (and any others you can think of):
Legal/Compliance Risks: Is there risk of running afoul of laws? If you are trying to lift (pickpocket) a badge off an unsuspecting employee, is there a chance that they view unwanted touch as assault? Are there any regulatory bodies or concerns relevant to this type of client that you need to adhere to? (Hint: there are.)
Privacy (Laws & Ethics) Risks: Will you be accessing sensitive information on individuals or corporations? How do you ensure you are on the right side of privacy laws, and beyond that, how do you ensure you are ethical about your approach to gathering and leveraging sensitive information as part of this operation?
Law Enforcement Risks: What is the likelihood that LE will become involved, and what is the plan to prevent this from happening, detect it in case someone does call, and react quickly to cancel or de-escalate any situation involving law enforcement?
Escalation Risks: In what ways could this scenario escalate? Could the refinery shut down operations (resulting in business loss), could their GSOC notify company leadership of an active emergency, or are there other notable ways the situation could escalate outside the control of the red team?
Weapons/Firearms Risks: Are there firearms or other weapons on-site? Could employees, bystanders, or security be carrying weapons? In what scenarios could they draw or use weapons, and how do we mitigate this risk?
Environmental Health & Safety (EHS): Are there chemicals on-site? Are there lasers, high-temperature processes, dangerous equipment, heights, or other EHS hazards to plan for?
Safety Brief: Prior to going into the field (even for surveillance), the entire field and oversight team should sit down and do a safety brief. The discussion should cover the operation’s goals, scope, communication, escalation procedures, key risks, risk mitigation measures, and when to STOPOP. Each member of the team should have an opportunity to ask questions, challenge any assumptions in the planning process, and voice concerns.
Prior to going out into the field, you should always do a safety brief with all involved parties to cover the ground rules, communication plan, and risk mitigation efforts. It may seem like overkill, but let me tell you from experience that every scenario I mentioned has come up more than once in real-world assessments that I have done or led. Having worked through the risk mitigation plans ahead of time makes it easy to be decisive, safe, and effective. It protects you in the field, in the boardroom, and in the courtroom. Taking the time to proactively identify risks showcases to clients and your team the professional rigor that you put into each assessment. Take the time to develop robust safety plans prior to entering the field. All in, this should be a two-to-five-page document, using tables and bullet points to organize data into easily digestible content. It can be internal to the team or shared with the client as an assumption check to ensure you proactively identified key risks.
Lessons Learned: Finally, all red teamers should keep their own Lessons Learned. Following an assessment, there should be a debrief to cover how the operation unfolded, and to discuss any lessons learned and areas where improvements can be made. By capturing these lessons learned, and reviewing them before the next assessment, you will continue to manage your risk, improve your capabilities, and hone your craft as a red team.
Step 10: Learning From the Real Baddies
Take one month to digest as many movies, news reports, YouTube videos, books, and other media about stories of heists, cybercrime, organized crime, espionage, and other crafty criminals as possible.
Resources:
Podcasts
Movies & Shows
Heat (Movie) - High-stakes heists.
The Americans (TV Series) - Espionage, deep cover, and operational security.
The Italian Job (Movie) - High-stakes complex heist.
Argo (Movie) - Disguises, espionage, and the psychology of pretending to be someone that you are not.
Articles, News, and More
Set Google Alerts for your topics of interest and read (at least) the headlines each day.
Set up Google Alerts relating to your industry to track attacks against similar companies.
Read Verizon’s Data Breach Investigations Report (DBIR).
Follow corporate reporting on Advanced Persistent Threats (APTs) and read the latest reports:
YouTube Videos: Find relevant topics and review videos and articles relating to various breaches and approaches. From urban explorers to protest groups to breaking into the power grid, spend some time on YouTube finding relevant heists, breaches, and content to learn from. These also come in handy when you are in a meeting and need a quick real-world example of a breach to demonstrate a point.
Write About the Following Topics: Take time to write a page or more of content, answering each of the following questions.
What is your favorite heist in history? Why?
What are your favorite examples of excellent OpSec? What are a few examples of horrible real-world OpSec that resulted in arrests or worse?
Which of the threat actors in the corporate threat reporting do you think have physical capabilities? How might they show up and use in-person attacks to aid in their mission?
What trends in recent news stories, breaches, and heists have you noticed? How will that information aid you as a red teamer?
Step 11: Security Frameworks, Standards, and Regulations
This one is admittedly the least sexy, but often one of the most important facets of security assessment programs. Ultimately, audit teams assess against some sort of standard, framework, regulation, or specific set of requirements, while red teams assess a program against its performance when faced with real-world adversarial tactics. In other words, every assessment needs something to be compared against in order to be useful; otherwise, you are simply making observations about a security measure.
For example, without anything to compare against, you may state “The security guard was standing in the corner of the lobby, looking at their phone”. Is this allowed or expected behavior, or does this violate a written policy, goal, or procedure of that guard? An auditor, who is assessing against the Federal Risk Management Process (RMP) may note that the security guard should be visible (check) and monitoring ingress/egress (unlikely to receive a ‘passing’ grade on this one). A red teamer will compare the expected performance of a security officer (they deter, detect, and prevent unauthorized entry) to the actual performance (they don’t notice the tailgating alarm as you tailgate into the building). All said, knowing what you are assessing against is a very powerful tool for any red teamer.
Additionally, the ability to show a client or internal team that they are not meeting a requirement laid out by an industry standard, framework, or regulation can be a powerful motivator to correct deficiencies. You may be asked “well why do we have to fix this, no one would break in the way you did!”. Instead of pointing to your theoretical threat model, you can point to standards put out by the federal government, industry groups, and other entities that establish an expectation of security working in a certain way. Once you establish the broader existing norms and best practices, you can then detail your threat model, and finally discuss the performance of each layer of security against the norms and against the threat scenarios you tested against. That sends a much more poignant - and targeted - message to the blue team responsible for managing the organization’s defenses.
For those interested in red teaming, we highly recommend familiarizing yourself with these frameworks. You don’t need to memorize them, or even read them fully. Instead, download and skim each one. Understand what information is available and store it in a library you can use on your next (or first) assessment. We also recommend picking a few controls and threats (e.g., “security officer in lobby”, “camera coverage”, and “location of door hinges”) and looking for any references to those controls within the standards. This familiarizes you with how to look for relevant material and the level of specificity each standard contains. Some will include specific details about the type and location of hinges, while others may simply state it must be difficult to remove the door from the outside. Understanding where and how to find this information is critical for a professional physical red teamer.
Standards to Review:
Federal Facility Security Levels: One, Two, Three, Four, and Five
There are many more. Use Google, ChatGPT, or your favorite research tools to find the relevant standards, guidelines, and regulations that cover your topic areas. A red teamer well-versed in what the industry norms are is a red teamer that can articulate the impact of their assessments, avoid missing common tests, and help their organization remain ahead of the competition.
Step 12: Report Writing and Impactful Communication
Most employers and clients will want both written final reports, and a presentation of findings. The best red teamers are able to take complex, convoluted, and contentious topics and present them clearly, concisely, and confidently. Whether you are linking a series of vulnerabilities together to make an impactful attack chain or presenting a critical finding to a high-ranking and non-technical executive, effective communication is essential for professional red teamers.
There are many ways to improve these skills, but nothing beats practice. Whether you’re new to red teaming, or aiming to level up your skillset, this is one of the most important focus areas. Take one final month of focused time to practice and improve your capabilities. Focus on being able to answer key questions for various audiences. Here is a copy of our red team writing practice sheet. Edit the questions and audiences as needed to meet your career goals or match your current position. Take a stab at answering these questions now. Ask for feedback from various parties and work to improve the answers.
As you work through the practice sheet, we recommend taking a few courses and watching a few of our favorite videos about writing impactful communications:
LinkedIn Learning (Use your local library card for free access!)
Ninja Writing - Excellent course that teaches you how to write with impact. Spend time on this and try all the practice modules.
Leading with Vision - The easiest way to motivate people to action is through a compelling vision of what the future could look like if they do (or don’t) act in a certain way. This course gets you excellent free online access.
Podcasts
Think Fast, Talk Smart - Apple, Spotify (Listen to at least 6 episodes)
Darknet Diaries - Listen to at least 4 episodes. Focus on how Jack tells stories and brings the listener along. Find episodes relevant to your line of work and physical red teaming.
Practice
Practice writing and presenting every single day. This may be as simple as asking ChatGPT to ask you two random questions relating to physical red teaming, and then responding verbally to one (3-5 minutes) and writing out the second. In this scenario, you should record your verbal response, watch it afterward, and write down how you’d like to improve for the following day.
Whatever you do to practice, just make sure you are consistent, repetitive, and creative, and give yourself an opportunity to learn and improve as you go. Try to explain red teaming concepts to non-technical friends or peers in 90 seconds or less. One of the hardest parts of red teaming is trimming down complex and detailed content to simple, compelling, and clear statements that meet your audience where they are.
Find a way to practice and let us know what worked (and didn’t work) for you!
Bonus Step 13: Lessons Learned
This is a red team special: take some time after you have completed all twelve steps to write about what lessons you learned. From how you learn best, to whether you trust strangers on the internet to lay out lesson plans for you, to which specific steps were most interesting, all the way to how you would improve this 12-step plan, take some time to capture the lessons you learned throughout this process. If you’re willing, send it to us when you’re done! We’re always trying to improve our material, help our community, and learn from our peers. That’s you now!
You’re Done!
Congratulations, you did it! If you went through each of these steps and followed our painstaking roadmap (or improved upon it), then please send us a message or make a comment below! The physical red team community is small, and we (and our peer companies) are often looking for physical red teamers to join as consultants or employees. Drop us a line, let us know how the process was, and we’ll make sure to add you to our red team Rolodex.