- Cybersecurity Attacks:Red Team Strategies
- Johann Rehberger
- 2024-12-21 01:41:35
Growing as a team
If the program drives home some early success stories, it is typical that management would like more coverage and better operations. This is great news! Especially since, when you first start out, it might be a one-person show.
You must also think about growing backups and replacements, since there will be attrition for various reasons over time. It's important to think early on about who can back up each individual.
If your team grows beyond five individuals, it will become apparent that there are different subfunctions that team members fulfill. Some will be more interested in coding and automating things, while others will want to be more hands-on with finding new stuff, doing research, and building new exploits and ways to pivot through the environment while challenging the blue team's detection capabilities.
This could be the time to align resources further and split out an offensive tooling team and an offensive operations team. Another option is to rotate functions over time – this really depends on the team but can be worth a try.
Throughout my career, I have observed that the most effective operations are achieved while working closely together as a team, sharing state and progress daily toward achieving the goal. It should always be considered good practice to have at least two pen testers working on a given target. When the team grows, it's important to keep the coherence of the team intact and to encourage communication and collaboration, though naturally some friction will arise.
If your efforts are successful and the team grows, it is likely that you will also need to get someone on board who can help with managing logistics.
Enabling new hires quickly
As I mentioned briefly earlier, let the pen testers loose and have them go find the problems and issues. When onboarding software developers, it's common for companies to take the new hire through the complete sequence of performing a check-in under the guidance of a senior engineer on the first day. This is super empowering. Imagine you get the computer, set up your email, enlist in code, perform a minor bug fix, go through code review, and test and deploy the change – all under senior guidance, and all on the first day. That gives a new hire insight, confidence, an early sense of accomplishment, and an immediate mentorship relationship with the senior engineer who helped.
In the security world, I have experienced struggles with onboarding, both when onboarding vendors and when onboarding full-time employees. Most likely that is because it's a more niche and ad hoc field compared to general software development. It's common that the software specific to security testing is not available, since there are no isolated environments in which to set up attack machines.
Ideally, you have a mini security assessment on an internal website ready for the new hire to look at during the first week. They feel engaged quickly and have something to work with while they are going through the dry business onboarding training and so forth.
So, make sure that your new pen tester, especially if it's a seasoned pen tester, has all the software and hardware needed to get going quickly and can be let loose!
We've briefly touched on training, which is also part of ensuring the team is ready.
Excellence in everything
If you want to read a great book, I'd suggest Peopleware by Tom DeMarco and Timothy Lister. I have a signed copy! The book describes Teamicide. In fact, it's an entire chapter, and it lists sure-fire strategies that inhibit the formation of an effective team. Among my favorite ones are the following:
- Defensive management
- Bureaucracy
- Quality reduction of the product
Nothing can be more demotivating for a team than being asked by leadership to rush something and deliver mediocre results. That is a sure way to lose talent, and it results in cynicism.
Always work toward excellence in everything you do and in everything you ask the team to do. Push back on leadership decisions that would lead to a bad product or an insecure system for your customers. Keep pushing for excellence and encourage the team to deliver excellent results. Be excellent yourself. Have excellence in planning, excellence in execution, and excellence in remediation and education.
This implies holding yourself accountable, admitting mistakes, and encouraging others to do the same; a mistake is the way to learn and improve over time and nothing is cheaper than learning from the mistakes of others. Lead by example, lead with excellence.
Offensive security test readiness
Being prepared and ready to engage in offensive security testing with the highest possible professionals, expertise, and dedication is critical for success. It's the red team manager's responsibility to ensure that everyone on the team has everything they need to be successful. This includes basics, such as the right hardware and office space, as well as resources to simulate and practice attack scenarios safely. This is to ensure that the individuals have what they need to be able to perform their duties efficiently and successfully.
Building an attack lab
Go and get decent hardware for your team. In today's age, you need a budget to get resources in the cloud for various tasks such as port scanning and so forth. Pen testers need to be able to run at least two to three VMs with various operating systems. Running both Linux and Windows is usually a must to get the best tooling to test things.
Speaking of testing, having a budget to build a minimum pen test lab for exploring and testing new attack vectors should also be considered part of test readiness. The lab might mimic the corporate environment and production elements. For instance, having a Windows Active Directory domain in which to test out new tools, tactics, and techniques is very helpful, because it avoids doing research on the corporate environment itself.
The lab can also be used to set up detection technologies in order to understand how an adversary might bypass or manipulate detection agents, anti-virus technologies, or log forwarding.
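The two properties the lab paragraphs above ask for, isolation from the corporate network and detection coverage on the Windows hosts, are easy to lose track of as a lab grows. The following is an added example, not code from the book or its author, of a small manifest checker that enforces them. The manifest format, the host names and all address ranges are constructed for illustration; a real lab would carry its own inventory.

```python
"""Check a lab inventory for network isolation and detection coverage.

Added example with constructed data; the manifest schema is an assumption,
not a format the book describes.
"""
import ipaddress
import json

# Constructed sample manifest: a Linux attacker box, an AD domain controller,
# a domain-joined workstation, and a log collector, all on one lab subnet.
SAMPLE_MANIFEST = json.dumps({
    "lab_networks": ["10.66.0.0/24"],
    "corporate_networks": ["10.0.0.0/16", "192.168.1.0/24"],
    "hosts": [
        {"name": "kali-01", "os": "linux", "role": "attacker", "ip": "10.66.0.10"},
        {"name": "dc-01", "os": "windows", "role": "domain-controller",
         "ip": "10.66.0.20", "agents": ["sysmon", "edr"], "forwards_logs_to": "siem-01"},
        {"name": "ws-01", "os": "windows", "role": "workstation",
         "ip": "10.66.0.30", "agents": ["sysmon"], "forwards_logs_to": "siem-01"},
        {"name": "siem-01", "os": "linux", "role": "log-collector", "ip": "10.66.0.40"},
    ],
})

# Constructed negative case: the workstation sits on a corporate address,
# has no detection agent, and forwards logs to a host that is not a collector.
BROKEN_MANIFEST = json.dumps({
    "lab_networks": ["10.66.0.0/24"],
    "corporate_networks": ["10.0.0.0/16"],
    "hosts": [
        {"name": "kali-01", "os": "linux", "role": "attacker", "ip": "10.66.0.10"},
        {"name": "dc-01", "os": "windows", "role": "domain-controller",
         "ip": "10.66.0.20", "agents": ["sysmon"], "forwards_logs_to": "siem-01"},
        {"name": "ws-01", "os": "windows", "role": "workstation",
         "ip": "10.0.0.5", "forwards_logs_to": "kali-01"},
        {"name": "siem-01", "os": "linux", "role": "log-collector", "ip": "10.66.0.40"},
    ],
})

# The minimum the text calls for: an attacker box, a Windows AD domain,
# and somewhere for detection telemetry to land.
REQUIRED_ROLES = {"attacker", "domain-controller", "log-collector"}
REQUIRED_OS = {"linux", "windows"}


def check_manifest(text):
    """Return a list of findings; an empty list means the lab passes."""
    manifest = json.loads(text)
    findings = []
    lab_nets = [ipaddress.ip_network(n) for n in manifest["lab_networks"]]
    corp_nets = [ipaddress.ip_network(n) for n in manifest["corporate_networks"]]

    # 1. The lab address space must be disjoint from corporate ranges, so a
    #    mistyped target can never land on a production host.
    for lab in lab_nets:
        for corp in corp_nets:
            if lab.overlaps(corp):
                findings.append(f"lab network {lab} overlaps corporate network {corp}")

    hosts = manifest["hosts"]
    by_name = {h["name"]: h for h in hosts}
    roles = {h["role"] for h in hosts}
    oses = {h["os"] for h in hosts}
    for role in sorted(REQUIRED_ROLES - roles):
        findings.append(f"missing host with role {role}")
    for os_name in sorted(REQUIRED_OS - oses):
        findings.append(f"no {os_name} host in lab")

    for host in hosts:
        addr = ipaddress.ip_address(host["ip"])
        # 2. Every lab host must actually live inside the lab networks.
        if not any(addr in lab for lab in lab_nets):
            findings.append(f"{host['name']} address {addr} is outside the lab networks")
        # 3. Windows hosts are where detection is exercised: each needs an
        #    agent and must forward logs to a real collector.
        if host["os"] == "windows":
            if not host.get("agents"):
                findings.append(f"{host['name']} has no detection agent")
            target = host.get("forwards_logs_to")
            if target is None:
                findings.append(f"{host['name']} does not forward logs")
            elif by_name.get(target, {}).get("role") != "log-collector":
                findings.append(f"{host['name']} forwards logs to {target}, "
                                f"which is not a log collector")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("broken", BROKEN_MANIFEST)):
        print(label, check_manifest(text) or ["ok"])
```

Run the script as-is to see the clean manifest pass and the broken one produce one finding per violated rule. The overlap check uses `ipaddress.ip_network.overlaps`, so a lab carved out of a corporate supernet is caught even when no host address collides yet.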