A candid chat with our red team penetration testers
Watch the video or read the article
Bulletproof sat down with Jordan and Gillian, two of our red team penetration testers to find out more about what they do, what a business gets out of it, and what their best stories are. If you’d like to watch rather than read, here’s the video:
What’s the difference between red and black teaming?
Essentially at Bulletproof we like to distinguish the difference. So, for a Black Team we focus on physical assessment. We're not hacking a network or a system; we are hacking a site or a physical building. And it's not just a building that's in scope, so we also include staff. On the contrary, a Red Team would focus on the networks and the actual systems that they have in scope. (Jordan)
Simulated attacks involve both Red and Black teams
You can also blend them together with a 'simulated attack' where you have components from a Black Team and a Red Team in scope. As an example, you could use a Red Team to gain access to an organization's networks and potentially modify security camera footage or open doors for the Black Team to then go into the building. (Jordan)
Open-Source Intelligence (OSINT) can help Black Teams
We have OSINT as well, so 'open-source intelligence' stages, where we look at information that's available online through public repositories and websites. That helps us with the research for a lot of these engagements, especially with the Black Team side of things: because the staff are also in scope, we need to understand our targets. (Jordan)
Black teaming at work
Recently, in a Black Team engagement we incorporated some phishing elements. We found that having access to staff's phone numbers and being able to send phishing emails at the same time allowed us to reproduce a convincing requirement for us to be on site. If it was a random case of somebody wanting to remotely access your laptop to ensure that it was compliant, and they were from the IT team, you'd be suspicious. But because we'd already figured out a way to enter the site, being able to phone up employees and say, 'I'm on site on this day, can I come to your desk and we can do this?' implies a 'higher level' of trust; they assume that you're meant to be there. If you're able to walk to the desk, the likelihood is that they're going to give you the laptop.
That's ultimately how Black Team, Red Team, OSINT and phishing can all work together in a simulated attack. (Jordan)
When to use Red/Black teams?
Black Team: Customers want to focus on their physical buildings. We will also use some OSINT.
Red Team: Customers want to focus on intrusion detection systems (IDS), SOC capabilities and external security.
What’s the difference between red teaming and penetration testing?
Pen tests are just more narrowly defined. Usually with a pen test you're only attacking a web application, or an internal infrastructure. With a Red Team it's almost all bets off. While you can't impersonate a police officer, you can phone people up, send them a phishing email, try to break in, plug into the network. So, it's much broader, and usually when we get Red Teams signed it's for people that say, 'Do whatever you want, I just want to see how far you can get, and what information you can get from it'. (Gillian)
What do you enjoy most, red teaming or black teaming?
Personally, I quite like phishing just because you're a bit farther removed. You just send that email, and you see credentials coming in. (Gillian)
I love the initial step of getting access into the building. Sometimes it's difficult and we get a little bit stumped, sometimes it's super easy. But I like the idea of creating the illusion or bypassing reception, tailgating, and basically gaining the initial foothold.
Gillian prefers working her way around once we're in the building, so usually we do assessments together and we make a pretty good team on that front. (Jordan)
Social engineering at work
Sometimes businesses have good protection systems against phishing and people will be quite well trained. You phone them up and they're immediately suspicious, but then you can just walk in! Sometimes it's the other way around; a phishing email goes through, you ring someone up, they're happy to meet you, give you their password etc., but walking in will be difficult. (Gillian)
I think having that fake level of confidence is hard because when we're planning an assessment, we create stories that we're going to use on the day to get past reception, to get through doors or to tell security guards.
One thing that's difficult is to think, 'Okay, but if they come back with this question, what are we going to say? What's believable? What do we have on us that could help with that illusion of trust?' (Jordan)
Fake it ‘til you make it
If you get to reception and you look nervous like you're not supposed to be there, people notice straight away. If you have that 'fake level' of confidence people don't tend to question you as much. But I guess another one of the hardest things is, if you gain entry to the building, looking like you know where you're going, because you need to get to point B and you don't know where point B is! (Jordan)
If you're able to do it, it works even if you're wrong! We had an assessment where I walked into the building and went into a meeting room to try and see if I could plug in (because usually that has ethernet ports), and someone came in and said, 'Where are you from?' I just gave a name and apparently this wasn't even the office we were supposed to go to, and the name I gave made no sense to the people I said it to, but they were like, 'Oh, okay,' and everybody just left and let me be on my way. (Gillian)
Mapping the surroundings
On the last assessment we did, as soon as you walked in there was a massive touchscreen with every floor, and it had a floor plan of where each room was. That was perfect because Gillian went in first and took pictures of each floor, and I hadn't been in yet so I could study each one. So, even though I hadn't been in the building, when I went to each floor I'd memorized the floor plans, so I knew where I was going, and because I knew where I was going, I didn't look suspicious. (Jordan)
On scoping calls, I often get people saying, 'Why do we need to do internal tests? Someone would need to break into our building, and who's going to do that?' But you can prove to people that it is possible to do and that it is needed. (Gillian)
What do you think companies get out of Red Teaming?
Testing the security setup
We have some examples where we managed to get in, tried to plug in and nothing happened. And that is something that companies can get out of it.
We also take a holistic view. We don't just say, 'Oh, you need to fix just one thing.' We go at it in layers, find out if people are being educated and if they have an extra layer of security if someone breaks in. Taking a holistic view can pinpoint issues that need to be addressed as well. (Gillian)
Alerting to internal issues
Sometimes it's better to work backwards. If you do an internal infrastructure test and you say, 'These are all the things that are wrong in the network,' then when we do a Black Team assessment we can say, 'Here's how easy it would be for an attacker to break in.' What we do is basically provide a bridge. It can also help a CISO (Chief Information Security Officer) to say how easy or hard it would be for an attacker.
I've worked in some large banks, and what they do when we raise a lot of issues is they will often reduce the severity of anything that isn't available externally. Say we find SQL injection, which is a big issue if it is unauthenticated. They reduce the 'risk rating' quite significantly if it is only available internally. Us being able to do a Black Team assessment and bridge that gap to say, 'You know, this is how easy it would be to break in,' gives everything more context. (Jordan)
Testing the SOC
On the technical side, organizations don't really get a chance to properly test their SOCs or their Intrusion Detection Systems (IDS) against being targeted by trained professionals. Quite often, random attacks on the internet are loud scans that are easy to detect. Red Team scans are slightly harder, so it's good for a company to know, if a hack team were to target them, would they pick that up. (Jordan)
Is that when Purple Teaming can come into play?
Yes, if they want to have that collaboration; it very much depends how companies want to approach it. On one of the tests, they wanted to have their blue team (their defensive team) be aware of what we were doing only after they realized we were doing something. So, we just did it in stages. At first, we tried to be quiet, then upped it a little bit, and then at one point we threw a lot at the network. Then it became a Purple Teaming collaboration where we would say, 'Okay, we've done this, did you pick it up? We've done that, did you pick it up?' (Gillian)
So, when would you advise a business to start Red Teaming or Black Teaming?
Don't use Black Teaming when… you have an organization that's very remote, has very few sites, and the sites they do have aren't really connected to their internal network (it's literally just like a shared office with access to Wi-Fi). Then there's not much value in a Black Team assessment because most of the company resources are not on site.
Do use Black Teaming when… your organization has at least one site where there's a lot of potentially sensitive data, either on the network or stored in files, or there are server rooms. That's when Black Teams can become beneficial. If you have a lot of sites, then obviously it's going to be more beneficial, because the physical attack surface is much bigger. (Jordan)
Sample testing sites
Because some organisations use similar security controls across multiple sites, companies may choose a select approach, for example testing one or two out of five possible customer support centres, and the recommendations that we raise can be applied to all the sites in scope. (Jordan)
When to use a Red Team?
Where a Red Team differs from a standard pen test is when you have security controls in place, like a mature SOC, and you want to understand the full attack path. As pen tests have a narrow scope that focuses on one thing, if you want to test something like whether an attacker would be able to get from outside the company (for example, on the internet) to three or four internal networks in, a Red Team is going to give you that knowledge. (Jordan)
What's the coolest thing you've done as part of a Red or Black Team exercise?
Empty parcel delivery
The first one that we did together I think was cool just because it looked a bit hopeless from the start. It's one where we were there the day before and there were turnstiles everywhere and guards. We went around the back looking for a side entrance, and immediately someone walked up to us and asked what we were doing there. So, I thought, 'This isn't going to work.' Then we went to a parcel shop, got a little parcel ticket made, tried to get in that way; they stopped me and took my parcel. So, someone got an empty parcel that day. (Gillian)
We saw there was a box filled with lanyards and with key cards on top of the reception desk. Jordan had the idea to pretend to be drunk, knock it over and then I pick one up, which we didn't go for, but that would have been funny! What we did instead was Jordan went in pretending to be an IT engineer and, the moment the receptionist looked away, he grabbed a pass, came back outside, and gave it to me. I went in, tried to beep it but it didn't work, so I went to reception and said, 'Hey, you just gave me a pass that's not working.' And they said, 'Oh, so sorry,' and gave me a new one! That's how we got in. (Gillian)
There was quite a lot of like moving parts to that one. When we stole a badge from the box it wasn't simple, because there were so many cameras and security guards all looking at this box. How do you steal something in plain sight? (Jordan)
Fake badge swap
When I went in the following day, I wore a fake badge that Gilly had made. My plan was to take my badge and put it in the box, pretend that I forgot something, run in, and when I went to get my badge, take a different one. It ended up being much better because when I put my badge in the box, the receptionist for whatever reason turned around to sort some paperwork, the security guard was behind me and my body was blocking the box, so I just swapped it instead. (Jordan)
Police got involved!
The police got called because the fake badge used my real name to match the name on the car. After I swapped it in the box, they realised when they emptied the badges at the end of the day that my badge was wrong, and they phoned the police, but we managed to catch it before they came. (Jordan)