Tribe of Hackers Red Team 1.0

Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurity by Marcus J. Carey and Jennifer Jin (2019) belongs to the Tribe of Hackers cybersecurity book series. It was recently shared with me here at Fluid Attacks, and now I would like to share with you some of the highlights that I selected for this post. Maybe there’s something that will pique your curiosity.

Marcus J. Carey is an American hacker with more than 25 years of experience in cybersecurity. He’s someone who describes himself as an inquiring, curious person since he was a child. He never denied himself the possibility of generating and raising questions to expand his knowledge on various subjects. Hungry minds are what we usually count on, or rather, something that characterizes us as humans regardless of the information we pursue. That hungry mind of Marcus made it possible to give birth to this book that I currently hold in my hands.

Let's take a look at what we can learn from these almost 300 pages. In the beginning, Marcus says: "You probably picked up this book to learn from the best in red teams." Yeah, we're indeed interested in red teams. It is also true that, as in many branches of knowledge, the information shared by 'the best' is usually valuable. Here, the questions, formulated with the support of a cybersecurity community on Twitter, are addressed to hackers specialized in offensive security, aka red teaming. That sounds great!

At Fluid Attacks, we work purely as a red team, which means we are continually testing or attacking infrastructures, applications, and source code to find vulnerabilities that can pose risks for both owners and users of those systems. On the other hand, a blue team is responsible for defending the systems to ensure "that the confidentiality, integrity, and availability of all assets are not affected," Marcus says. In other words, the red team, with its cannon, verifies how effective the blue team’s work has been in establishing the wall. Then, when we refer to the combination of both sides, implemented in some organizations, we talk about a purple team.

Specifically, Marcus and Jennifer (his collaborator) asked the same 21 questions to 47 experts in red teaming to shape this book. Of course, the first to answer them is Marcus himself. We are going to focus on some of his opinions in this post; possibly the first one of a series focused on Tribe of Hackers Red Team.

According to Marcus, "it is uncommon for people to start directly into red team jobs." (Well, it’s noteworthy that most hackers at Fluid Attacks began working as red teamers and never were part of blue teams, as I was informed.) He says that the best way to get a red team job is to start working for a blue team and gain cybersecurity skills as a software engineer, systems administrator, or related roles. Once there, you can get more involved in cybersecurity events and networks, and also prepare and seek to obtain some certification from those related to red teaming. Besides, you can download virtual machines and web applications with vulnerabilities if you want to start practicing by yourself. Of course, to avoid problems with the law, keep in mind that it’s prudent to exploit only systems that are either your own or have explicit permission for this type of activity.

From an organization standpoint, one of Marcus’s phrase is quite remarkable: "I believe that everyone in information technology and software engineering should know how to build, secure and hack anything they are in charge of." Although it may certainly sound excessive, this comment reflects a suggestion of skills integration. And this is partly what many companies have achieved by allowing the formation of purple teams. However, on the other side are the companies that have opened their doors to pentesting only for compliance and have kept it quite limited. That should be concerning for them!

For one of the questions referring to the most important control to prevent a system from being compromised, Marcus chose "restricting administrative privileges for end users" as an answer. He mentions this as something easy to implement and scale in any organization. It is something simple but it yields significant results. This is also the case for "two-factor/two-step authentication, password length, and automatic updates." All this is linked to his other suggestion on the general defense of systems against attacks: put policies in place and follow them. By the way, have you heard about our Rules, Fluid Attacks' compilation of security requirements? Check them out to get an idea of how we do this!

Now, if you’re working as a red teamer, and you have to debrief and support an external or internal blue team after completing an operation, you should act as a professional. What does that mean? "Always let them know you are on the same team as far as the big mission goes," Marcus advises. At the same time, don’t get upset and help them if their plan to correct the issues you discovered doesn’t work or is not applied correctly. Besides, as a relevant recommendation for useful reports, don’t dismiss the idea of using CVSS, MITRE ATT&CK, or NIST as references. Use publicly shared knowledge, don’t try to reinvent what is already stated, and consequently gain ease of information transmission and credibility.

Marcus highlights how crucial empathy can be for a red teamer. He says: "Put yourself in the other person’s shoes and don’t be a jerk." Therefore, he proposes this human characteristic as one to consider when recruiting red team members. Nonetheless, I think it is necessary to clarify that empathy is common in people (leaving aside atypical cases), although its level of expression is variable. It is true that some of us show more empathy than others, but it’s also true that it is something we can improve.