Sunday, 12 May 2013

Welcome to the red team!

You may not know that ‘red teaming’ refers to the practice of “viewing a problem from an adversary or competitor’s perspective. The goal of most red teams is to enhance decision making, either by specifying the adversary’s preferences and strategies or by simply acting as a devil’s advocate. Red teaming may be more or less structured, and a wide range of approaches exists. In the past several years, red teaming has been applied increasingly to issues of security, although the practice is potentially much broader. Business strategists, for example, can benefit from weighing possible courses of action from a competitor’s point of view.” That definition comes from the Red Team Journal at

One thing that red teams are increasingly asked to do these days is test IT security. The red team tries to infiltrate a company’s IT systems in order to identify previously unknown vulnerabilities. One of the most reliable ways into a system is to be the first to find a new vulnerability in the software that no-one else, including the vendor, has spotted. Such a ‘zero day’ vulnerability, for which no patch yet exists, can be used to get malware of some kind into an organization, and, from then on, the red team owns the IT system. And that’s why it’s a good idea to pay a team of experts to find these weaknesses first, rather than wake up one day and find the bad guys have found their way into your IT infrastructure.

Basically, that small piece of malware gives the red team a foothold on the network. From there they can move on to any documents or databases and download whatever information they want. If your company is a bank, they could find a way to steal money. And a lot of the time, no-one would know it was happening until it’s too late.

Internet Explorer has been in the press over the years for the number of vulnerabilities that it once had, but nowadays Java is a prime target for red teams because, as Oracle’s own slogan puts it, Java runs on 3 billion devices, providing what’s called a large ‘attack surface’. A particular weak spot has been the way the Java sandbox checks permissions. When untrusted code (an applet, say) asks to do something sensitive, the Java runtime walks the call stack and checks that every frame on it is allowed to perform that action; that is what’s referred to as ‘stack walking’ (or stack inspection). Any bug that lets untrusted code get a trusted frame onto that stack, or have the check skipped altogether, lets the code out of the sandbox, which is why this mechanism has made such an attractive target.

Attacking the software is getting harder these days, but there’s one component of an organization’s computer system that is always potentially vulnerable, and that’s the people who use the computers. In the past there were stories of dumpster diving, where people would look through dumpsters and rubbish bins for information on paper that had been thrown away. Nowadays, most companies collect and shred paper, so that route is much less productive. Even so, a visitor walking around a building can still find passwords on Post-It notes stuck to screens. There’s also a technique called spearphishing. Here, a seemingly legitimate e-mail, addressed to a specific person and tailored to their job, contains a malicious link or attachment. Once that person clicks on the link or opens the attachment, the malware is on the system. Another technique is to send infected memory sticks to staff, who often plug them in to see what’s on them, and, again, the malware strikes!

Red team members can now use social media to find the names of staff, as well as details of their roles and experience, so that e-mails and phone calls from the red team sound quite legitimate. Part of the answer is a SIEM (Security Information and Event Management) solution. A SIEM collects the logs and alerts generated by network hardware, servers and applications into one place and analyses them in near real time, so that events that look innocent on their own (an e-mail attachment opened, a memory stick inserted, a logon from an unusual workstation) can be correlated into something worth investigating. SIEM solutions come as software, appliances, or managed services, and are also used to store security data and generate reports for compliance purposes.
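As an added example (not code from the original post), here is a toy correlation rule of the kind a SIEM runs over its collected logs. It reads a handful of constructed log lines from a mail gateway, an endpoint agent, a web proxy and the mainframe’s security server, and ties an opened e-mail attachment or a mounted memory stick to a process starting on the same workstation shortly afterwards, and then to a mainframe logon from that workstation within a few hours. The log format, field names, hostnames, user IDs and time windows are all assumptions made for the example; the point is that none of the individual lines is alarming, but the chain is.

```python
"""Toy SIEM-style correlation over constructed log lines (added example, not
code from the original post). Log format, hosts, users and windows are assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample logs: "<ISO timestamp> <source> key=value key="quoted value" ..."
SAMPLE_LOGS = """\
2013-05-12T09:01:10 mailgw user=jsmith event=mail_delivered subject="Invoice attached" attachment=invoice.doc
2013-05-12T09:03:42 endpoint host=WS-0142 user=jsmith event=file_open path=Downloads/invoice.doc
2013-05-12T09:03:45 endpoint host=WS-0142 user=jsmith event=process_start parent=WINWORD.EXE child=cmd.exe
2013-05-12T09:04:01 proxy host=WS-0142 user=jsmith event=http_connect dest=203.0.113.7:443 bytes_out=52331
2013-05-12T09:21:17 endpoint host=WS-0311 user=agarcia event=usb_mount device="Kingston DataTraveler"
2013-05-12T09:21:30 endpoint host=WS-0311 user=agarcia event=process_start parent=explorer.exe child=photos.exe
2013-05-12T11:47:05 racf host=WS-0311 user=AGARCIA event=logon system=SYSA result=success
2013-05-12T14:02:00 endpoint host=WS-0500 user=bwong event=usb_mount device="Corporate badge reader"
2013-05-12T16:00:00 racf host=WS-0500 user=BWONG event=logon system=SYSA result=success
"""

MAIL_WINDOW = timedelta(hours=24)     # attachment opened within a day of delivery
EXEC_WINDOW = timedelta(minutes=5)    # process start soon after the open / mount
LATERAL_WINDOW = timedelta(hours=4)   # mainframe logon from that host afterwards

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict


@dataclass
class Alert:
    host: str
    user: str
    vector: str       # "phishing_attachment" or "usb"
    severity: str     # "suspicious_execution" or "mainframe_access_after_compromise"
    evidence: list = field(default_factory=list)


def parse_line(line: str) -> Event:
    """Split one log line into timestamp, source and a dict of key=value fields."""
    ts_str, source, rest = line.split(" ", 2)
    fields = {k: (quoted if quoted else bare) for k, quoted, bare in KV_RE.findall(rest)}
    return Event(datetime.fromisoformat(ts_str), source, fields)


def parse_logs(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate(events: list[Event]) -> list[Alert]:
    """Chain initial access -> execution on the same host -> mainframe logon from that host.

    Correlation is keyed on the workstation, not the user name, because the
    mainframe (RACF) user ID usually differs from the Windows logon name.
    """
    events = sorted(events, key=lambda e: e.ts)
    delivered: dict[tuple[str, str], datetime] = {}   # (user, attachment) -> delivery time
    alerts: list[Alert] = []
    for i, ev in enumerate(events):
        f = ev.fields
        if ev.source == "mailgw" and f.get("event") == "mail_delivered":
            delivered[(f["user"], f["attachment"])] = ev.ts
            continue
        # Stage 1: an initial-access indicator on a workstation.
        vector = None
        if f.get("event") == "usb_mount":
            vector = "usb"
        elif f.get("event") == "file_open":
            name = f["path"].rsplit("/", 1)[-1]
            key = (f["user"], name)
            if key in delivered and ev.ts - delivered[key] <= MAIL_WINDOW:
                vector = "phishing_attachment"
        if vector is None:
            continue
        host = f["host"]
        # Stage 2: a new process on the same host within EXEC_WINDOW; no process, no alert.
        execution = next((e for e in events[i + 1:]
                          if e.fields.get("host") == host
                          and e.fields.get("event") == "process_start"
                          and e.ts - ev.ts <= EXEC_WINDOW), None)
        if execution is None:
            continue
        alert = Alert(host, f["user"], vector, "suspicious_execution", [ev, execution])
        # Stage 3: a successful mainframe logon from that host escalates the alert.
        logon = next((e for e in events[i + 1:]
                      if e.source == "racf" and e.fields.get("host") == host
                      and e.fields.get("event") == "logon"
                      and e.fields.get("result") == "success"
                      and execution.ts <= e.ts <= execution.ts + LATERAL_WINDOW), None)
        if logon is not None:
            alert.severity = "mainframe_access_after_compromise"
            alert.evidence.append(logon)
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_logs(SAMPLE_LOGS)):
        print(f"{a.severity}: {a.user} on {a.host} via {a.vector} ({len(a.evidence)} events)")
```

Run as a script it reports two alerts: the opened invoice on WS-0142 that spawned a shell, and the memory stick on WS-0311 that was followed by a logon to the mainframe from that workstation. The memory stick on WS-0500 produces nothing, because nothing executed from it; the later logon from that workstation is only interesting in combination with an earlier indicator, which is exactly the judgement a SIEM rule encodes.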

The other part of the solution is educating staff so that they don’t insert memory sticks or click on attachments from unknown sources. But often the easiest way to get access to corporate data is to find a disgruntled employee. So maybe another part of the solution is to ensure that staff are happy, with terms and conditions that avoid people feeling disgruntled in the first place. And if they are disgruntled, then policies and procedures must be in place to manage that situation. And that’s not so easy in a large organization.

Mainframes are mostly used by large organizations, which obviously puts them at risk from unhappy employees. The risk is increased because most mainframe sites also use other platforms, PCs etc., that connect to the mainframe. And there is a new and large security risk with BYOD (Bring Your Own Device). The red team could, perhaps, get a piece of malware onto someone’s tablet, which then gets connected to the corporate network, and from there the attacker works through one security door after another all the way to the mainframe.

You may feel your data isn’t important enough to warrant employing a red team to test whatever exposure to vulnerabilities you might have. But most organizations can learn from the types of vulnerability red teams exploit, and take steps to ensure that they are not at risk from them.
