Red team testing: hacking and lying your way to data.

Written by Tom Wyatt on 30/11/2018

What is red teaming?

We at Bulletproof provide a range of different cyber security services, including penetration tests, managed SIEM, and compliance consultancy. Undoubtedly the most interesting (and cool) service we offer, though, is our red team assessment.

So, what is a red team test? Put simply, a red team test is where security experts compromise a company’s cyber and physical security through a mix of penetration testing, social engineering and deceit. A red team aims to get hold of data remotely or through direct contact with an organisation's on-premises machines, preferably without getting caught in the process. Once done, the team can report back to the company with what they did, how they did it (with evidence), and most importantly, how the business can stop it from happening again.

Typically, only one or two people at the organisation being red teamed will know about it – the majority of staff will be completely unaware of what’s going on. It’s like Ocean’s Eleven, only with significantly less George Clooney and more time spent on research. In fact, research is the most important element.

[Image: red team security guards. "Do these uniforms not make us stand out a bit?" "Yeah, but we look awesome, so cross your arms and look menacing." Caption: Red teaming can provide an awareness as to just how susceptible a business is to social engineering.]

Got milk?

It’s through a red team test that we discovered we could compromise a business using a few pints of milk (and no, we don’t mean pouring it over the servers). Red team assessments take a multi-layered approach that seeks to test every aspect of a company’s security. They test the technical, the physical, the management elements and even the people. We try to compromise a business by any means (bar violence of course). Red team tests are many things, but most importantly...


Red team tests are fun

To best explain what a red team test consists of, I’ll run through an example. Yes, the one involving milk.

We were once asked to assess an office and their systems. All we were given was the company name and their website address. We started, as we do in most engagements, by scouring the Internet for any information that could be of use.

Straight away we found:

  • Photographs of staff members posted on Twitter, each wearing their office ID badge with the printed side facing the camera (modern smartphone cameras produce images of such high quality that a badge photographed this way can be replicated later on)
  • Floor plans of the office from the estate management company
  • Google Street View and satellite photos which suggested there was a back door into the office
  • Staff members’ personal Twitter accounts showing photos that included desk phones and colleagues wearing casual clothes in the background

So, from just under an hour of sifting through public sources, we knew:

  • Dress code on Fridays (casual)
  • Office ID badge layout and text
  • Roughly where things would be in the office
  • Entrances to the building
[Image: red team social engineering. Caption: Being secure doesn’t just stop at locking the door.]

It’s all about planning

We discovered some interesting digital things too. Their website was running a vulnerable version of WordPress and, whilst we weren’t able to fully compromise the server itself (it had been well hardened), we were able to create new pages and sites on it.

Based on this we decided on a two-pronged attack:

  1. We’d create a phishing portal on the compromised WordPress server designed to look like their Outlook Web App login page.
  2. We’d visit the site with a photoshopped ID badge based on the one we found on Twitter, wander into the office and try to attach malicious hardware to the network or to any machine we could get close to.

Our phishing portal was very hard to spot because it was on their server, on their domain and served with the site’s own valid SSL/TLS certificate: none of the usual tells (a lookalike domain, a certificate warning) applied. Several people were caught out by it, giving us access to their accounts. The client didn’t expose any remote desktop or Citrix-based services for us to use, so we hung onto these stolen credentials for later.
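A phishing page hosted on your own domain defeats the checks users are taught to make, so the detection has to happen on the server side instead. The script below is an added example (not Bulletproof’s code, and not the portal they built): it walks HTML with the standard library’s html.parser, finds every form that contains a password field, and flags those whose action is not on an allow-list of known login endpoints. The domain names, the allow-list and the two sample pages are constructed for the example; run it over a crawl of your own site, or over the files in a WordPress uploads directory, to find pages like the one described above.

```python
"""Flag credential-harvesting forms served from your own web site.

Added example, not the original page's code. Parses HTML with the
standard library, collects every <form> containing <input type="password">
and reports those posting somewhere other than an approved login endpoint.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed allow-list: the only endpoints a form on this site should ever
# post a password to. Adjust for your environment.
ALLOWED_LOGIN_ACTIONS = {
    "https://www.example.com/wp-login.php",
    "https://mail.example.com/owa/auth.owa",
}


class CredentialFormFinder(HTMLParser):
    """Collect {action, has_password} for each form on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # completed forms
        self._current = None     # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Resolve relative actions against the page URL; a missing
            # action means "post back to this page".
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_credential_forms(html, page_url):
    """Return every form on the page that asks for a password."""
    p = CredentialFormFinder(page_url)
    p.feed(html)
    p.close()
    return [f for f in p.forms if f["has_password"]]


def suspicious_forms(html, page_url, allowed=ALLOWED_LOGIN_ACTIONS):
    """Password forms whose action is not an approved login endpoint."""
    out = []
    for f in find_credential_forms(html, page_url):
        if f["action"] not in allowed:
            out.append({**f, "host": urlparse(f["action"]).netloc})
    return out


# Constructed sample: a cloned webmail login dropped into the uploads
# directory of a WordPress site. Not a real page.
CLONED_OWA_PAGE = """
<html><head><title>Outlook Web App</title></head><body>
<form method="post" action="login.php">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="sign in">
</form>
<form action="/newsletter"><input type="email" name="e"></form>
</body></html>
"""
CLONED_OWA_URL = "https://www.example.com/wp-content/uploads/owa/index.html"

# Constructed sample: the site's genuine WordPress login.
LEGIT_LOGIN_PAGE = """
<form action="https://www.example.com/wp-login.php" method="post">
  <input type="text" name="log"><input type="password" name="pwd">
</form>
"""
LEGIT_LOGIN_URL = "https://www.example.com/wp-login.php"

if __name__ == "__main__":
    for url, page in ((CLONED_OWA_URL, CLONED_OWA_PAGE),
                      (LEGIT_LOGIN_URL, LEGIT_LOGIN_PAGE)):
        for f in suspicious_forms(page, url):
            print(f"SUSPICIOUS {url} posts password to {f['action']}")
```

The cloned page is caught because its form posts to a `login.php` under the uploads directory, which is not an approved login endpoint, even though host and certificate are the site’s own; the newsletter form is ignored because it never asks for a password. The same allow-list check works on any CMS, and pairs naturally with an alert on new files appearing under upload or theme directories.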

[Image: Bulletproof web app. Caption: Outlook Web App? or Bulletproof Web App?]

Our badges looked legitimate enough at first glance, but of course they would not work on the door system, as we had no idea what kind of technology was in place. We had created several kinds of card based on known RFID badge types. None of them opened the door, but one that used the same technology as the real badges made the reader sound a telling warning beep, which became important later. A beeping card reader adds a sense of authenticity.

A quick look round the general area confirmed that there was indeed a back door. However, it was a fire exit adorned with a sign that read ‘this door is alarmed’. As we were trying to be as inconspicuous as possible, I decided to go through the front (non-alarmed) door.


Go bold or go home

This was a bold move, as it meant marching right into the line of sight of a security guard, who would no doubt have all manner of questions I was unprepared for. Now this truly separates red team testers from mere penetration testers. I strolled in, carrying several bottles of milk purchased previously. I nodded to the security guard and gestured to the milk in my hands: “Milk run”. Next, I swiped my card, triggering warning beeps. I repeated the process, pretending to get more annoyed, until the security guard came over.

‘This thing hasn’t worked properly since I put it through the wash,’ I said. With a pleasant chuckle, the security guard swiped me through and even pressed the call button on the lift for me. From here, blagging my way into the office itself was easy, and I dropped off the milk into the tea area – I’m nice like that.

[Image: red team milk. Caption: The milk is in the lift... no, it's not code.]

Once in, I took out my laptop (complete with large Wi-Fi antennas) and strolled around with an intense look of concentration. Fortunately, if you look like you work in IT, people are reluctant to speak to you unless they absolutely have to. I found a partially empty office and plugged a disguised USB ethernet adaptor into an unattended desk PC.

Our USB ethernet adaptor actually contained a small Linux machine that would connect out to our own servers and allow us to tunnel into the target network. However, it seemed the internal network had some form of network access control in place that blocked unrecognised devices, which would have stopped us getting anything out of our milky exploits. Game over? Not yet – remember, we were also armed with several users’ credentials. After logging into the computer with one of them, we were working from a machine the network already trusted, so the filtering no longer stood in our way and we gained access to their servers.
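Device filtering stopped the implant here, but it would not have stopped the same traffic coming from the logged-in PC, and a company that lacks such filtering has only its egress logs to go on. Either way, a call-back like this looks the same from the firewall: one workstation talking to one external host on a timer. The script below is an added example (not Bulletproof’s code): it groups constructed firewall log lines by source, destination and port and flags flows whose inter-connection gaps are nearly constant. The log format, the addresses and the timestamps are all assumptions made for the example.

```python
"""Find implant-style call-backs (beaconing) in outbound firewall logs.

Added example, not the original page's code. A reverse tunnel re-dials
its server on a fixed timer, so the gaps between its connection attempts
have very low variance; a person browsing produces bursts and pauses.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real data). Assumed format:
# timestamp src_ip dst_ip dst_port action
# 10.20.1.57 re-dials 203.0.113.10 every ~60 s (blocked at first, then
# allowed once the user is logged in); its visits to 93.184.216.34 are
# ordinary browsing; 10.20.1.88 connects to the same server just once.
SAMPLE_LOG = """\
2018-11-29T09:00:00 10.20.1.57 203.0.113.10 443 DENY
2018-11-29T09:00:05 10.20.1.57 93.184.216.34 443 ALLOW
2018-11-29T09:00:12 10.20.1.57 93.184.216.34 443 ALLOW
2018-11-29T09:01:00 10.20.1.57 203.0.113.10 443 DENY
2018-11-29T09:02:01 10.20.1.57 203.0.113.10 443 DENY
2018-11-29T09:02:15 10.20.1.88 203.0.113.10 443 ALLOW
2018-11-29T09:03:00 10.20.1.57 203.0.113.10 443 DENY
2018-11-29T09:03:40 10.20.1.57 93.184.216.34 443 ALLOW
2018-11-29T09:04:00 10.20.1.57 203.0.113.10 443 ALLOW
2018-11-29T09:04:59 10.20.1.57 203.0.113.10 443 ALLOW
2018-11-29T09:15:02 10.20.1.57 93.184.216.34 443 ALLOW
2018-11-29T09:15:03 10.20.1.57 93.184.216.34 443 ALLOW
"""


def parse_log(text):
    """Parse the assumed 'timestamp src dst port action' line format."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "port": int(port), "action": action})
    return records


def find_beacons(records, min_hits=4, max_cv=0.2):
    """Return flows whose connection attempts recur at a near-constant gap.

    cv = stdev / mean of the gaps between attempts. Denied attempts count
    too: a blocked implant that keeps re-dialling is still worth a look.
    """
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["port"])].append(r)

    hits = []
    for (src, dst, port), rs in flows.items():
        if len(rs) < min_hits:
            continue                      # too few samples to judge
        times = sorted(r["ts"] for r in rs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue                      # identical timestamps; skip
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "hits": len(rs), "interval_s": round(avg, 1),
                         "cv": round(cv, 3),
                         "denied": sum(r["action"] == "DENY" for r in rs)})
    return hits


if __name__ == "__main__":
    for h in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"BEACON {h['src']} -> {h['dst']}:{h['port']} every "
              f"{h['interval_s']}s ({h['hits']} hits, {h['denied']} denied)")
```

The implant flow is the only one flagged: six attempts roughly a minute apart, four of them denied before the user logged in. Tune `min_hits` and `max_cv` to your environment; implants that add random jitter raise the cv, so on real logs it is worth looking at the flows just above the threshold as well.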

From here on in, the rest is mostly the same as any internal penetration test. We found things that were broken, abused them, stole passwords, spread further and kept on going and gathering evidence until there was nowhere else to go or until we were caught.

We were not caught on this occasion. Instead, we provided our client with a lengthy report and helped them tighten their processes and improve their security. We showed them the extent a malicious actor was willing to go. It’s not always someone at a laptop on the other side of the world. Sometimes, it’s a man with some milk.


You are a target

As you can see, a red team test is very involved. You might think that your company is too small to attract this level of attention, and to some extent you might be right. We’re not likely to try to sneak into a five-person team claiming to be the new intern, but we will try every other trick in the book. We adapt our tactics to the situation. Smaller companies tend to have less sophisticated technology or be laxer in their processes. Hackers often take the path of least resistance, which keeps smaller companies firmly in their crosshairs.

Of course, not every company would benefit from a red team test, but if you’re storing large quantities of sensitive data that would be valuable to an attacker, it’s good to make sure every aspect of your security is as strong as it could be, because hackers will try to get at it one way or another.

