A red team is, like its name states, a team. This is a great thing since each member brings his or her own experiences into the mix. Each member of the team has a specific area that he or she is responsible for. These are usually based on the knowledge of that particular person and on his/her personality.

Yes, personality plays a huge role here. For example, not everyone is comfortable with physical security breaches, social engineering or writing attack code on the fly. A team member who is not an expert in coding the initial exploit will usually be the one calling the target and getting her to run it. Although we are masters of our specific sectors, we can do work in other areas as well. We all know how to code and also understand the basics of digital and physical security. However, some of us are experts in these areas, and we often take the lead when a related operation comes along.

Still, the success of a project or operation is a team effort, always. The team's combined knowledge and ridiculous thinking is key.

During one project, we had two guys in the field trying to assess the personal security of a large corporation’s C-level executives while they were abroad. They were working with limited equipment and relied on us, the guys back at HQ, to help them through the project. These were two of the most capable hackers and security experts I know. Although both had years of experience (one of them being a former SOF operator), they knew that they would need help from the team to successfully complete the op.

The executives stopped at a local cafe to have breakfast like they did every morning. One of the execs opened his laptop and began checking the news. When the guys from the team started scanning, as we usually do on public networks, they immediately noticed someone performing a vulnerability scan on the executive’s computer. This is easy to spot if you have a sniffer running on the network. Now, they could have assumed it was one of those ‘target of opportunity scans.’ Given who these executives were, the country they were in and based on past experience, the guys decided that this was likely a targeted attack. They called us back at HQ and requested that we begin coding a backdoor for the exec’s computer. They also sent us the results of their own vulnerability scan.

The project went from being an assessment of the execs' personal security to a digital VIP protection operation.

The idea was to breach the VIP’s computers ourselves. We would then install a backdoor and monitoring program before the attackers had a chance to infiltrate the system. This would allow us to detect the attacker’s identity. Hard to do, but sometimes it works.

Given that we didn’t want to alert our customer yet, “Y”, the master exploit coder, immediately started reviewing the scan. Meanwhile, I began to configure a computer so that it would have the same specs as the executive’s: same OS, same apps, etc. Once this was done, I wrote a program that would eventually be installed on the attacker’s computer if we could send them the code.

The program was complex. It was one that needed to crawl an unknown network, save the attacker’s data (such as IP, domain info, OS, etc.) and find a way out while extracting the data in a way that would not alert the attackers. Right… Hey, that’s what we do. We had about 7 hours to do this, taking into account the time difference between the exec’s location and HQ.

With “Y”’s code and mine tested in less than 6 hours, we sent the package to the guys deployed: an attack code that would exploit a vulnerability in the OS and install a backdoor. The backdoor would then download the counter-surveillance code onto the execs’ computer. I wrote it with the hope that if the attackers managed to breach the computer, we could then piggy-back onto the connection, leading us to the bad guys’ computers.

In the meantime, we called our client’s security department and updated them on the development. We wanted to make sure the execs didn’t have any sensitive data on their laptops. They corroborated that the two executives did not have any proprietary information (as per our advice to people traveling to this part of the world). They also gave us permission to install the backdoor on the execs’ computers. It was easier this way. We then forwarded this information to the guys on the ground.

The rest of us went to sleep while “D” stayed at HQ to monitor the situation.

70 minutes later, “D” came to wake me up – I was napping in a sleeping bag in my office. He said: “We have movement.”

It was on.

Continues with Part 2. Standby.

(Featured Image Courtesy: polycentric.csupomona.edu)