You're reading from Cybersecurity Attacks – Red Team Strategies

Product typeBook
Published inMar 2020
PublisherPackt
ISBN-139781838828868
Edition1st Edition
Author (1)
Johann Rehberger

Johann Rehberger has over fifteen years of experience in threat analysis, threat modeling, risk management, penetration testing, and red teaming. As part of his many years at Microsoft, Johann established a penetration test team in Azure Data and led the program as Principal Security Engineering Manager. Recently, he built out a red team at Uber and currently works as an independent security and software engineer. Johann is well versed in analysis, design, implementation, and testing of software systems. Additionally, he enjoys providing training and was an instructor for ethical hacking at the University of Washington. Johann contributed to the MITRE ATT&CK framework and holds a master's in computer security from the University of Liverpool.

Chapter 2: Managing an Offensive Security Team

When it comes to managing an offensive security team, the primary goal is to build upon the foundation that was established in the previous part of this book. The next step directs all resources on the team toward the common goal of your offensive security mission.

Managing means getting roadblocks out of the team's way and enabling them to do their best work. It also means reviewing and observing the team's work so that adjustments and improvements can be made over time.

In this chapter, we will be covering the following topics:

  • Understanding the importance of creating a business rhythm for the team, including planning cycles and time for reflection
  • Managing and assessing the team
  • For best results – let them loose!
  • Growing the team
  • Red team management styles and strategies
  • Lessons for managing logistics, meetings, and how to stay on track
  • Leading and inspiring the team
  • ...

Understanding the rhythm of the business and planning Red Team operations

When I first became a manager and led an offensive security team, I was extremely lucky to have an experienced, yet humble, partner at the company to be my manager and mentor. In the past, he had managed a large test organization that shipped a flagship product of our organization with consistently outstanding quality, and he was directly responsible for the quality of what eventually became an 8+ billion-dollar business.

Besides countless stories and analogies he shared with me about people management and software testing, he also helped me understand what it means to run an offensive security team through the angle of running a business.

I'm certain most of you have not looked at it that way, but, as a manager, it's critical to think about managing a budget, demonstrating impact, and justifying the existence of the team and program. If you have a team with a handful of offensive security engineers...

Managing and assessing the team

As a manager, you must assess performance and provide critical feedback to individuals in the team. This feedback should not only highlight what the individuals do well, but also their areas for improvement. If there are problems, make sure you have the hard discussions early, rather than letting issues pile up or avoiding talking about problems.

Regular 1:1s

Recurring 1:1s are a great way to establish a connection between employee and manager, to share common goals, and to set deliverables against which progress and outcomes can be measured. It's advisable to split 1:1s into two separate categories: ones that focus on tactical day-to-day status and tasks, and less frequent ones that discuss long-term career growth. The more frequent ones should probably occur once a week, but it depends on each individual. Some people need more management advice and guidance than others.

A critical part for the individual pen...

Management by walking around

I am a big believer in management by walking around. If individuals only come to you when there are issues or feedback, then insights are limited. It's better that the manager actively seeks dialogue at times. One way to achieve that is by wandering around the organization and chatting with people. A good place could be the kitchen area; be involved, learn from others, discuss and brainstorm ideas, and, most importantly, actively listen. These conversations can include individuals from other teams, not just your own group. This is an effective long-term investment for building and leading an effective offensive program. You will hardly encounter anyone who does not have an interest in security. The individuals you will encounter can share pain points first-hand and highlight problems, such as security processes that are being put in place that reduce their productivity. Some individuals will also have great attack ideas or share some vulnerabilities...

Managing your leadership team

One aspect that is often forgotten is how critical it is to provide constant feedback to management and leadership about the state, problems, progress, and issues.

Change can only be achieved by reporting status and, in the next chapter, we will discuss multiple ways to stay visible and ensure leadership does not forget why they wanted an offensive security program in the first place.

Managing yourself

Among all the topics we've discussed, it's critical not to forget to manage yourself to avoid burnout and frustration. The important step is to set a clear vision and operational mission for the program and the team. It should be straightforward for everyone on the team to decide when to take on certain tasks or move forward with certain operational steps without having to consult someone at each stage.

The goals for each team member should naturally roll up toward your own goals so that the entire team moves in one common, clear direction. This also frees up the manager's cycles to think about strategy and the long-term evolution of the program and team, rather than being stuck in day-to-day operations.

Take time off. If you built the team well, they will be fully able to operate without your presence. That's why it's important to focus on principles and build a framework early on.

Also, block time off...

Handling logistics, meetings, and staying on track

An approach that has worked well in my career for project and operational planning is to keep it lightweight and focus on the people, rather than implementing a detailed task tracking system. Tracking the high-level deliverables via a simple tracking solution that lets you highlight the start and end dates of tasks should probably suffice.

The detailed tracking and progress of a project can be tracked within the attack plan (maybe in encrypted OneNote files), which goes beyond the project management aspects and already merges a lot of the logistical with the technical details. This is the place where the team tracks details of tasks, draft findings, the results of scans, and so forth. Such a shared document allows the team and authorized individuals to get insights into day-to-day detailed progress and work. It's a complete logbook in many ways.

When it comes to planning, the best approach...

Growing as a team

If the program drives home some early success stories, it is typical that management would like more coverage and better operations. This is great news! Especially since, when you first start out, it might be a one-person show.

You must also think of growing backups and replacements since there will be attrition for various reasons over time. It's important to think early on about backups for individuals.

If your team grows beyond five individuals, it will become apparent that there are different subfunctions that team members fulfill. Some will be more interested in coding and automating things, while others will want to be more hands-on with finding new stuff, doing research, and building new exploits and ways to pivot through the environment while challenging the blue team's detection capabilities.

This could be the time to align resources further to split out an offensive tooling team and an offensive operations team. Another option is to attempt...

Leading and inspiring the team

If you followed the path in this book, you are on a good trajectory to successfully create a working offensive security program. You established a vision, did some paperwork to have the basics covered, and modeled the path for success. Now it's time to actively walk the way and inspire the team. This also means to take ownership of the program and be accountable and responsible for its outcome. If the team fails with an objective under your leadership, it's your fault. Don't come up with excuses about why someone on the team did not deliver something on time. If an operation fails, it's the leader's fault. You are there to inspire and enable everyone to do their best.

For the best results – let them loose!

A mistake of offensive security engineering leaders (who are or were pen testers themselves) is to quickly call out issues and try to micromanage pen tests. This is especially difficult for someone with a strong technical background and understanding of offensive techniques.

For me, this was also a difficult task. At times, it feels difficult to let go and trust someone else, but if you hire the right people, there is no reason to worry.

Attempt to see the big picture and focus on what you do not know, rather than on the things you know well. Focus on the territory that needs exploration, focus on strategy, and talk with stakeholders you have not met before to understand their needs and where your offensive team can help them improve or highlight deficiencies.

Protecting the team from unwanted external influences, such as possible reorganizations, unnecessary paperwork, or committing to work that is not in favor of the mission of...

Leveraging homefield advantage

The concept that the home team, playing on its own ground and among its supporters, has an advantage over the away team is familiar from sports. Let's look at how this applies to red teaming.

"Whoever is first in the field and awaits the coming enemy, will be fresh for the fight; whoever is second in the field and has to hasten to battle, will arrive exhausted."

– The Art of War, Sun Tzu

Finding a common goal between red, blue, and engineering teams

The biggest advantage an in-house offensive security team has, compared to a real-world adversary, is homefield advantage. Unfortunately, many organizations are not exploiting this advantage. In fact, in some organizations, offensive and defensive teams operate in complete silos rather than learning from each other:

Figure 2.2: Ineffective communication prohibits the implementation of effective mitigations and defenses

Attackers...

Disrupting the purple team

The danger of prolonged, exclusive, purple teaming is real. If an organization solely depends on purple teaming internally, it is strongly advised to have an external red team assess the progress and work of the purple team on a regular basis.

Regardless, the offensive security team should periodically run covert red team operations to reevaluate, end to end, whether the improvements made during purple team operations are effectively in place. Look through Chapter 4, Progressive Red Teaming Operations, for ideas on how things can be mixed up to challenge stakeholders, and think about new or modified objectives that an adversary might have.

Summary

In this chapter, we covered the importance of creating a regular rhythm for the team, including operational syncs, planning cycles, and time for reflection.

We covered management aspects of assessing the performance of the team and individuals, and discussed how the manager is responsible for enabling the team. This includes ensuring the team has what it needs to be successful.

Afterward, we covered different ways to plan for future operations and what strategies can be leveraged to get a wide range of potential offensive operations into the planning cycle.

Leveraging the homefield advantage of the internal security teams is something we discussed thoroughly. This can help break down organizational barriers and encourage close collaboration between stakeholders, including but not limited to red and blue teams. Purple teaming can ensure that effective mitigations and improvements are implemented quickly throughout the organization. It also raises security...

Questions

  1. What is meant by leveraging homefield advantage in this book?
  2. What does STRIDE refer to?
  3. What does normalization of deviance mean? Are you observing it in your organization?
  4. State two management behaviors that fundamentally inhibit the formation of an effective team.