
This Anti-Cast was originally aired on February 19, 2025.
Many aspiring cybersecurity professionals dream of becoming a member of a Red Team one day, but it can be difficult to know exactly which skills, tools, and tactics to focus on to make that dream a reality. If only there were a resource that would help you focus your studies and training, steering you towards the elements a practicing Red Teamer uses every day! If only there were a current Red Teamer with the skills and knowledge willing to share their experience with you and answer your questions. Well, we’ve got some good news for you…that day has come.
Check out this webcast with Mike Saunders of Red Siege and Daniel Lowrie of Antisyphon Training where they discussed the skills most needed by Red Teamers to be effective.
Transcript
Mike Saunders
So top five skills for red teams. Like question, like, do we define what a red team is? Right. Like we could spend a whole lot of time here, because some people think pen testing is red teaming and then some people, it’s beyond.
I’m talking, I, think just for the sake of conversation, here we’re focused more on like what you might think of as red teaming being I’m starting as an attacker, part of a team from the outside, trying to gain initial access into an environment to meet specific goals, versus pen testing where the goal is to find vulnerabilities.
Red teaming is more about testing people, and usually starting with zero access or very little knowledge and trying to get an internal compromise.
So that’s kind of the direction. Although a lot of this also applies to people that are just doing pen testing.
Daniel Lowrie
Well, I think that’s a good distinction to make right out of the gate because like you say there is some conflation of the, of the idea of what red team is. We tend to use it in a general, a general sense to say, hey, anything that’s kind of on the offensive security side of things, I’m doing, maybe even as low as vulnerability scanning through pen testing, bug bounty, you name it.
As long as you’re kind of doing some attack type scenario, we tend to kind of encompass that in the pill that is Red Team. Go ahead Discord with your red pill gifs.
I know they’re coming. So it is good to go ahead from the outset to say, right, we are actually focusing on the idea of actual red team efforts right there where you are doing a red team thing, where it’s kind of an external black box, long form, lots of social engineering.
There’s a lot of things that are typically associated with a red team. Can you give us the highlights of, of what if I, if I were to join a red team today, what’s going to kind of be my daily job?
Like what are the things that I’m going to need to be able to do?
Mike Saunders
Oh man. yeah. So like there’s so many different ways to answer that question, because like what kind of red team is it?
You have like specialized red teams where each person just has like one job. Like if you think of kind of more like what might be happening at some of the three letter agencies, military type things where someone’s job is, is just initial access.
Their, their job is solely to get a payload in and execute and they hand it off to someone else that, that does that. In the consulting world, you might have someone that’s a physical entry and social engineering expert.
So their job is to get in, get an implant and then hand it off to an operator and then an operator is doing something. But now we need to, hand it off to someone else to do persistence, for instance.
So there’s a lot of different things, but like, what does a person do on a red team? There’s a lot of waiting; people always want to get a red team thinking it’s going to be super exciting and it starts out being really, really boring.
Because if we’re talking about a red team where we have no knowledge or very little knowledge and no initial access and we want to get, get access, there’s a whole lot of time that’s spent doing research, doing OSINT, so just trying to enumerate employees, trying to enumerate information about the target, reading up as much as we can, getting on LinkedIn, reading job profiles to understand what technologies they have, looking at jobs that they’re posting to find out what skills they want people to have.
And there’s a whole lot of time that’s spent there that’s not generally, really exciting unless you’re really into OSINT. It’s not usually terribly exciting.
And then you work on developing a payload and you get your payload developed and then you’re waiting for someone to click and you’re sitting there waiting for someone to click on that payload and bite.
So there is a lot of really, really, it’s a lot of really high excitement punctuated, that punctuates a lot of boredom, especially in the, the early phases of it.
But, once you’re in, then it’s a matter of like, it’s kind of a race. you’re in, you have objectives you need to meet and that normally means don’t get caught.
And so you’re trying to find things as fast as possible, but to do it as slowly as you can so that you’re not raising alarms and B, playing that balancing act between making progress and staying hidden.
Daniel Lowrie
Good to know. Yeah. Well, I mean, I, I, I love that you put it out there like, yeah, it’s probably going to be not as exciting as Hollywood makes it out to be.
So the fact that we are just kind of putting that out there for the people that may be new to or thinking about, maybe I want to go down that Red team path and eventually become that Red team operator.
All those words just sound super cool, Mike. And right. It, it kind of like gives you this sense of being like some spec ops super spy awesome stuff.
Not that you don’t do some really cool things, but it’s probably more on a, on a slow walk up to that really cool thing with a punctuated point of woohoo.
Right. There’s a reason we call it the root dance or the DA dance or whatever you want to say, is because a lot of time and effort is most likely going to go into getting into that particular spot where you do have all that access you’re looking for, you are able to kind of creep around, look around and continue to persist and start looking for those bells and whistles that might be going off alerting the blue team that you’re there.
Right. So really cool. Now that, that’s a good overview of what a red teamer is and I think that that really sets the stage for us to go to the next thing which is we got, we got some skills, some things that if you really hone it will make you a super effective red teamer.
Because these are the important parts of the job. Right?
Mike Saunders
Exactly, exactly. Let’s get into it, huh?
Daniel Lowrie
Let’s do it. Yeah, let’s jump into this thing.
Mike Saunders
All right. So what is probably one of the most important skills thinking about again, like this aspect of red teaming versus pen testing, is coding.
We need to write novel payloads that will execute on a system and allow us to perform those actions. So establish some type of command and control and then perform what we call post exploitation actions.
So everything that happens once we have some type of, of C2 breach within an environment and to get to that point we have to write tooling and the days when you can just run Metasploit, and spit out an executable or just go to the payloads menu in Cobalt Strike, generate Windows Exe and send it in.
That doesn’t work anymore. Those days sadly are gone. So we need to write these custom payloads and we also need to be able to modify existing tools.
You’re using a tool, you find out, hey, it’s got a bug, I need to be able to fix it so I can accomplish this task. And if you can’t code, you’re going to be having a bad time trying to find another tool that does the same thing and hopefully that works.
Now.
Daniel Lowrie
Hold on, Mike. I have been told by many a different person on the Internet that to be in cybersecurity, you don’t need to know anything about coding. That’s just a myth, an urban legend as it were. And here you are telling me that if I’m going to go down that red team road, I might need to pick some of those skills up.
So I think that there’s probably some truth to both of these things. And I think specifically within our context of red teaming, this is the most applicable of needing to know how to code.
Would you agree with me on that?
Mike Saunders
Yeah, 100%. Like when you need to be able to write custom tooling, modify existing tooling, take a payload that worked on Friday and Monday, it’s getting caught and you need, you need to get that sent off.
And so you’ve got to be able to adapt. you need to do coding for these kinds of things or someone on your team needs to be able to do coding to accomplish those goals.
Standard, network pen testing, probably not a whole lot of coding needed there most of the time. In my experience, web app testing scripting capabilities are maybe more important than straight up coding.
but you also go into like, that is like the dynamic part of web app testing. But what if you’re doing static code analysis? Need to be able to understand code to find out vulnerabilities in code.
But we, we also, say like, oh, you don’t need to know code to get into cybersecurity. Which is true because there are many aspects of cybersecurity that are not focused on code.
GRC is an important role. It’s not one that I want to do. I’ve lived kind of in that world. I don’t find it exciting, but some people really find it exciting and it’s an important role.
Don’t need to be able to code to do GRC; risk management stuff doesn’t really require it. A lot of blue team things, I spent a lot of time in blue team and system administration without knowing much coding.
Scripting, scripting skills definitely help. But. And I mentioned that like in a slide here, talking about scripting languages. But what I’m saying coding, I’m talking more about like compiled code that spits out some type of executable object versus a shell script, a Python script.
Those are also very important skills to have. But, I’m talking more about compiled, but you also need to know the scripting side of things. Like I have so many payload generators that I’ve written that are scripts that spit out some kind of template that I can then compile or it compiles it for me to build my payload that I’m using for initial access because otherwise I’m building that thing by hand every time.
Now I spit out a binary from Cobalt Strike or Brute Ratel or whatever it is, take my raw payload and that does all the processing for me and then hey, here’s a code template or a pre-compiled program or an Excel macro.
Whatever it is, it automates that workflow so it makes me more efficient. so yeah, there are so many roles that we don’t need coding for, but there are a lot of them that we do.
And I can say from experience I suffered at the beginning of kind of my red teaming career not knowing coding.
I was able to get like one working payload and Chris, Chris Truncer helped me out with that and I got like one working MSBuild payload and it was great right up until it wasn’t and started getting detected and now I was like well it’s getting detected.
I need to modify this code. But I don’t know what any of this code does. I just know where I paste in my shellcode,
Daniel Lowrie
Yeah, yeah, it’s, it’s definitely it can be a bit of a scary experience the first time someone goes hey, remember how you didn’t know, you didn’t need to how to code? That is gone. That is the, that’s the past, today’s the future and you need to get up on that and get those skills.
Now somebody very poignantly and forward lookingly asked the question, well what do you code in? Right, here we go. We got these things where we can do evasion. You’ve got things about fixing bugs, creating tools because a lot, a lot of stuff is already burned as you say.
Especially when it comes to publicly available code. If it hits the Internet it’s going to find its way to being signatured in about 12 seconds. So right. Being able to create these things is going to be super helpful in this role.
So now the question becomes, well what, what, what language is the best one to use? Which ones do you suggest? Mike?
Mike Saunders
Yeah, and that was a perfect question. Right to our next slide. So I do 90% of my development in .NET C#.
It just works, it’s easy to develop in and it, it runs pretty much everywhere. However, there are times for certain things, I use C or C++ because of the way the code works.
It’s easier to write in C or C++ than it is in C# for me. Some people like they may be, they’re, they’re just extremely gifted programmers and it’s no problem for them.
For me it’s a problem. So some things I have loaders that are written in C, C++. I have Python there because I have so many scripts that automate my job, automate parts of my job and I do a lot of that in Python.
Also do Bash, a lot of Bash or zsh or sh, whatever some type of shell scripting language to automate things. Go and Rust are two really popular languages for writing shellcode, writing shellcode loaders and writing tooling in.
And I find it to be a mixed bag with those.
I had some payloads that I had written in Rust or just like some simple test programs and by simply importing like the AES encryption crate with Rust on Windows for a hello world program I didn’t even do any actual programming with it.
I just imported this thing and Defender was signaturing it saying hey you’re using AES in Rust.
This is sus. I don’t like it. And so that does happen from time to time that Rust and Go get more scrutiny than other languages.
But it depends on the EDR you’re going against. some of them are more suspicious of those languages versus more of the more standard languages that have been around a long time.
.NET is great because it’s easier right? But it also has some downsides because it can be easily decompiled and inspected on the fly.
so like everything, every decision you make has a pro and a con and there’s sometimes it’s, sometimes it’s the right choice to use one language, sometimes it’s a better choice to use another language.
And this is all just assuming Windows like what are you doing if you’re having to write on Linux? What are you doing if you’re having to write payloads on Mac, which is something becoming a lot more prevalent. .NET languages work there if they’ve got the right environments involved.
But also now we’re talking like what is it Swift I think is the big. Or maybe that’s iOS1, I don’t know. I’m not huge on writing stuff on Mac so I can’t answer that.
Daniel Lowrie
But I’ve definitely been down the road of getting popped by AV and EDR going hey I noticed you wrote something in Google and that’s the devil.
So no, and it would just, I mean it would be like hello world. And it would just call it. Especially with like Nim. I was learning a bit about Nim and trying stuff with Nim and just for the very fact that it was a Nim program, because malware writers were kind of hot and bothered about Nim at that point in time.
Just their, their ex. Their, I guess answer to that problem was to just go, if it’s a Nim compiled binary, just call it the devil and burn it with fire.
So it can get a little, a little tricky to get these things beyond the the detection systems that are available. So I guess it might even be a good idea to have a few languages at your ready or at least be able to cross compile or do something to try to evade those things using the different languages.
Is that something that you do?
Mike Saunders
Yeah, 100%. Like being able to write some things in a couple of different languages. Whether that’s for EDR evasion, just, sometimes certain things are easier in one language than another.
It’s more simple, streamlined to write. But having multiple tools in your toolkit is important for everything. If your only way of interacting with Kerberos tickets is Rubeus, what are you going to do if Rubeus doesn’t work?
You need other tools. You need to have other things in your toolkit. and so the same with programming languages. Have a tool but also have backup tools.
I’m really curious about this other response, like what other languages people are writing.
Daniel Lowrie
Yeah, we’re looking at the poll. For those of you out there, we said, what programming languages do you utilize in engagements? We had C got 26%, C got 27%, Go got 12, Rust got nine and then other was 67.
I’m assuming that’s going to be the Python people of the world. Maybe some Bash, PowerShellers out there that would all probably fall underneath that.
So, yeah, that’s a good question, Mike. When it comes to language understanding PowerShell, how, how important is that one as far as this goes?
Mike Saunders
Man, I’m always torn when answering that question. I generally avoid using PowerShell, because it seems to be there’s a lot of instrumentation into what’s happening with PowerShell.
You’ve got AMSI, but not only that, you’ve got signatures that are present when you load the CLR inside another process.
So if you’re doing unmanaged PowerShell, there’s already signatures that are there and a lot of EDRs and blue teamers are tuned into that, but I also hear from other people that they’re running in PowerShell all the time with no problems.
And so I think it depends on where your, your clients are at. I’m privileged with Red Siege to work with clients that are pretty mature and invested in improving their security, posture and always moving forward.
And I think, Black Hills has that same type of client base and it just means that some of the things don’t work. You have to use different approaches. Where I hear from other people working with other companies that are getting, maybe companies that are working on their journey into becoming a more secure and hardened environment.
And PowerShell works a lot there. But there’s other languages too. Like you mentioned it, Nim, Boo, IronPython, there’s so many different languages.
And one of the nice things about the esoteric languages is that like PowerShell is heavily instrumented. Like if you’re doing something in PowerShell, pretty much every aspect of it can be inspected.
Doing things in some of these more obscure languages, there’s not as much instrumentation written into them. And so it’s hard to understand what’s going on. Like if you ever try to decompile like a Rust program or a Go program, you’re like, what in the fresh hell is this?
I don’t know what is going on. And so that makes blue teamers’ life harder. That makes EDR’s life harder trying to understand what’s going on there.
So learning other, other languages is definitely something I highly recommend.
Daniel Lowrie
Yeah, good, good call, good call. A couple of people were in the Q and A area of Zoom saying yeah, Python’s the third answer. Someone even said you needed to add a “This is a skill I need to develop” response for the poll.
That is kind of funny because honestly that’s one of the things. Unless you just come from a development environment and you’re, you’re going into red teaming, then it is probably a skill that you need to always be developing and working on because you don’t get to do it like that.
Like you would if you were some full stack dev that just lived, breathed, ate and slept code all day long. And now I was like, what, I think I’ll do the security thing. If you’re just like, I’m going to get into the security thing.
And now I got to bolt this, this specific skill set on it is always something that you’re kind of honing your craft on and trying to figure out better ways and new ways in which to.
And I. Mike, that’s probably how you came up with things like jigsaw and jargon, right? Is going, okay, this normally works, and now it doesn’t. How can I. How can I change the cookie dough here so it doesn’t get caught?
And. And to me, that’s just the. The examples of why you need to be able to do this as a skill for red team, for sure.
All right, Mike, let’s, let’s move on to number two. Man. We’ve camped out on coding. I think we. We all get the point. It’s something we need to get to. We need to learn on. You got number two here is the ability to learn fast.
All right, explain this to us.
Mike Saunders
Yeah, so one of the things that you need, as a red teamer, is being okay with being really uncomfortable and not knowing the answer, because you’re constantly being presented with things that you have never seen before.
You do not know the answer. You do not know how it works. However, it may be an avenue that you can use to get in or establish persistence or move laterally or maybe if you can figure out how the system works, you can extract the keys to the kingdom.
you need to be able to learn fast. And that’s a skill. Learning how to learn, whether that’s programming, like, if how to learn, you can start to teach yourself how to program.
But how do you do that? Good searching, like, understanding how to search and quickly sift out information, where to go look for things like MSDN, Slacks, and Discords.
Make use of your friend network. Ask questions. Like, some people are afraid to ask questions because they don’t want to look stupid. No problem here. I. I will proudly tell you I’m an idiot if getting that helps me with my job.
So, for sure, asking questions, knowing about things like the Wayback Machine, right? Like, you used to be able to get cached results on Google. I don’t think you can do that anymore.
But you can go to the Wayback Machine and you can see, like, this site is no longer available, but let’s go back and see what it looked like in the past. And, like, hey, there’s a treasure trove of information that’s there.
and then once you have all this information that you’ve been gathering, being able to sort through it quickly to find out what’s actionable and relevant, and then move on. And that kind of plays into the pre show banter that Chris Trainor was talking about is like, when is it time to move on, on a test?
You also need to know that during your research, like this rabbit hole, like for instance this, this past year I was working on a test where I was going up against an EDR and it was punching me in the face repeatedly, repeatedly, repeatedly.
I could not get past it and I knew that I could, but the amount of time that it was going to take was going to get here and I was like are there any other options that I could shortcut?
And I found something that got me here right, like, and I was able to go down a different path. That ended up being the answer because I knew that I could learn what I needed to learn to do this specific thing.
But it was going to take more time than I wanted to. A lot based on the engagement that I was on.
Daniel Lowrie
Mike, you got any, any secret like honey holes of information that you’re like, what you guys are sleeping on? Not a lot of people know about, but this blog or this website or this person, maybe it’s a researcher or something that has an X or Mastodon or Blue sky or whatever.
Like where’s a, where’s a good place for people to go and start really like getting some good information, maybe staying on top of what is trending or new techniques or tactics or something.
Whereas other than obviously just googling stuff and, and hitting the news. Do you have any of those hidden gems for us?
Mike Saunders
I am a huge fan of the BloodHound Gang Slack. So BloodHound Slack is a great place with a lot of different channels.
You want specific AD things, great AD people there, you want some Red Team questions and EDR evasion. Great things there. You need help with programming things.
Great channels there. There’s a lot of good channels. I really like the and I’m partial to it because it’s Red Siege, but the Red Siege Discord.
We are one of the official places for interacting with Fortra with regard to with regard to Cobalt Strike.
So if you have Cobalt Strike questions, we have Cobalt Strike developers in our Discord. so go there, ask questions, you get help.
but there are some people out there. there’s just so many great researchers out there. Like it’s hard to just start rattling off a list of people.
MSDN, like once you start programming in Windows, like get familiar with MSDN and understand MSDN and how to use it. I think that once I started learning how to read code, MSDN became like almost a daily thing.
Whenever I’m doing coding, just reading, how does this API work? how do I use it? What can I do with it? How can I abuse it?
Daniel Lowrie
So excellent stuff, man. I’m. I’m looking forward to checking out that Bloodhound Gang discord, channel, because it’s typically things like that that are just maybe flying under people’s radars for X, Y or Z reasons.
It’s just not seeing it on the normal avenues of information. And they go, what’s that side street over there? So I always like to ask people, hey, where’s your. Where’s your favorite little hidden gems that are out there in the wild?
One of mine is, honestly, is a Reddit thread for Red Team Security. I think it is slash R. Red Team Security. It has a lot of really good people ask good questions, and then, they give you, people will drop links to great resources and stuff like that.
So there’s, it’s stuff to be found. But, man, it’s really great when you can get a lot of people throwing their hat in the ring, as it were, as where you should go and something that you don’t see a lot of people, taking advantage of.
And now we can kind of get the word out. So that’s very cool. I’m looking forward to that BloodHound Gang, because, yeah, getting information can be one of the most difficult things to do, is getting your Google-fu just right, getting your, whatever, wherever you’re searching and trying to enumerate the things that you need to know about and learn for what you’re doing can be extremely difficult from time to time.
So having great resources and being able to utilize them is going to be a phenomenal skill. Anything you’d like to add to that, Mike?
Mike Saunders
Just don’t be afraid to ask questions, because, like, you can do a lot of research. But, like, for instance, for me, when I finally started really doing some coding, like, I need to write a shell code loader, so I need to understand these APIs.
But the problem is I don’t have the coding experience, so I can’t even ask intelligent questions. you need to instantiate the object. Like what?
Like, what does that mean if you’re not a developer, and, and all these things? Well, you can overload this function. What, what does that Mean like, you don’t know and so you don’t even have the basis of knowledge to start asking questions, to understand and just getting in forums and just being like, guys, look, I know nothing.
I need help. Here’s the problem I’m trying to solve and I know I’m not using the right words for it. Can someone please A, tell me what the right words to what I’m describing here and then B, like point me in the right direction.
Don’t be afraid to ask questions. because, man, it’s, I am here because so many other people help me.
Daniel Lowrie
Yeah, we, we got a question that’s in the zoom Q and A. And they’re asking how, how do we do this quickly? How, how do we learn coding? How do we get this skills quickly when it comes to coding, I, I definitely wanted to jump on that one because I feel like these two things kind of go together about being able to assimilate and learn very quickly and, and get that kind of a part of your skill set is projects.
Like, there’s nothing beats doing something with your hands. as far as an instructor goes, there’s no course on earth that’s going to make it, going to make it as usable.
Now they’ll be helpful to you. And I’m Mike, I totally want to get your take on this and what you think, but to be, to go find a project to build it, something is going to be, in my opinion, the fastest way of getting these skills underneath your fingertips.
Mike, what do you think is going to be the quickest way for someone to be able to learn fast?
Mike Saunders
So unfortunately, I don’t think there’s an easy answer to that because people learn differently.
Daniel Lowrie
that’s true.
Mike Saunders
I learn by pain, right? I learn things when I have a problem I need to solve and then I research and I solve it. But if I’m going to sit here and just be like, man, I really want to learn Rust.
Like, I really want to learn Rust. I’m not going to read a Rust book and figure it out. And I’m not going to just like sit down with a Rust tutorial and start writing code because it, I would rather punch myself in the face.
I can’t do that. But if I have a problem I need to solve, all of a sudden I’m invested in fixing it. Now some people are great about like grabbing a book, watching some tutorials and cranking that out.
For me, I’m like, project based. Either I have a problem I need to solve or I’m going to give myself a project that I’m interested in. And then once you start doing something, you type out why this is like if.
If the reference material you’re using hasn’t said why you use that function. Like, oh, use this function, do this, ask why am I using this function? So, like with Windows, stuff like go to msdn, what does this API call do?
Like, when I started, be like VirtualAlloc. What does VirtualAlloc do, and like reading up on what VirtualAlloc does and be like, okay, it allocates memory. Does it allocate memory on the stack?
Does it allocate on the heap? What do those words mean? Start, drawing. Start asking questions and drawing out a mental map of, how those are related so that you’re not just doing things by rote.
Oh, I write this to allocate memory. You understand how the memory is being allocated instead of just, I know to do this. That helps you ask better questions down the road.
I don’t know if I answered that because I don’t have a good answer about how to learn coding fast.
Daniel Lowrie
Yeah, I think that your answer is probably even better than mine, honestly, because everybody does learn differently. So maybe for you it’s a book. Maybe for you it’s a tutorial series.
Maybe for another person that’s going to be, watching YouTube videos and that kind of stuff. So you kind of, kind of know thyself is is going to be the number one thing to help you get to be able to do this, figure out how it is you learn and what helps you learn best.
And maybe it’s a. A variety of those different things kind of put together and maybe things have more priority than others. Again, you got to know who you are and how you learn. So figure that out and then everything else will fall into place.
So that’s where your heavy lifting is going to go, is figuring out yourself and how you learn best and then grabbing those resources that do it that way so that you can quickly spin up and get those skills.
All right, Mike, let’s move on to a topic that’s near and dear to every Red Teamer’s heart. So much so that our pre show banter was almost exclusively about this very topic.
And that is report writing. Again, a lot of people might not be like, yeah, they might not realize how important report writing is to the Red Teamer skill set.
And they might be thinking you just do cool hacky stuff all day, which is sometimes true. But a lot of times it’s, this is the money maker right here, right?
Mike Saunders
Yeah. If you want to just red team and not write reports: A, go find a malware gang and, like, get involved and commit crime and just look over your shoulder all the time.
Or maybe B, if you start getting into some of the three-letter agencies and the military-type red teams, I don’t know how much reporting is involved there compared; from what I’ve heard, not as much.
But if you are in the consulting world, you’ve got to be able to write reports, because that is the product. The test is not the product. The report is the product.
The test is how you manufacture the product. It’s the single most important thing you do. And when you write reports, you have to be able to write at different levels of technicality.
And people are throwing some links in about BB’s stuff. Yeah, absolutely. BB’s Hack for Show, Report for Dough. 100%. Like, that’s a bible. Like, every new tester: hire them, go watch this YouTube video and then watch it again.
And then if you have questions, watch it again, because it’s really that important. And you need to be able to speak to executives. Executives, high level, they don’t care about technical terms.
They don’t need technical details. They need to know what is the nature of the problem, how do I address that? And executives move quickly.
They have short attention spans because they have lots of things to do. So your executive summary: one page, two pages at most, but normally one page.
Daniel Lowrie
But Mike, how am I supposed to dazzle them with my security kung fu technical acumen if I don’t throw in a bunch of crazy industry jargon in the executive summary?
I need to wow these people.
Mike Saunders
Yeah, you wow the people by talking to them in business terms about risk to the business. So, if you’ve got some kind of vulnerability and you can express that in terms of the business. No one cares if you got domain admin.
Like, as far as executives care, most of them, 90% of them, do not understand what domain admin means. But if you say, I was able to go as Bob the janitor and steal all of the patient records, if it’s a healthcare business, or I was able to access our manufacturing details for the secret sauce, the thing that our company has a patent on and that makes us money,
and I was able to access that from an unprivileged user: speaking in those kinds of terms, that has impact. So speak to executives in terms of risk and business risk, applicable specifically to that business, if you can.
Wow.
Daniel Lowrie
Seems like we just uncovered point number 3.1, which is the ability to analyze your findings and distill them into those different silos in a way that they understand.
Because if you’re speaking their language, A, that’s impressive, in that you’re not an executive and here you are speaking their language. So that’s impressive to them on that front. And then to be able to take that information and give it to them in a way that makes them understand what the risk is for their organization, in a way that’s impactful to them, that to me is probably like the art to the science.
Would you agree?
Mike Saunders
Yeah, yeah, 100%. And I saw it scroll by in the Discord. Someone was talking about root cause, right? Like, let’s say during your internal network pen test you found four unpatched, exploitable vulnerabilities.
You had a problem. There were patches that weren’t applied. But that is not the root cause of the problem. The problem is that you might have an asset management gap, and so you didn’t know these devices were there that you needed to patch.
You might have a policies and procedures problem in your patching and vulnerability management program that allowed this to happen. But where is that? Like, what is the cause?
And being able to then articulate that to the executives. The technical teams need to know, like, hey, you need to go patch this stuff, apply these patches, press this button, uncheck this box.
You need to be able to express those kinds of things in technical terms to technical teams. But to management, what is the impact to the bottom line? What is the impact to the things that are important? Like, does it affect confidentiality, integrity and availability of the business?
Like, if you can articulate those things to the business and articulate the technical report to the technical people, you will go a long way.
And if you can’t, people aren’t going to come back. We’ve had customers come to us because, like, hey, the previous guys did a great test. They tore us up, and the report was absolute crap and unusable.
We don’t want that.
Daniel Lowrie
Yeah, I feel like that’s what you don’t want to happen, right? And I think we’ve probably all heard the horror stories about just super crap reports being turned in to managers,
and them just looking at it, going, how on God’s earth did you ever think that this was going to pass muster? Like, it’s the back of a Denny’s placemat, for the love of God, and you wrote it with a crayon.
And there’s 19 spelling mistakes out of 20 words. This is not how we do things around here. I know you get a lot of guff about being very, we’ll say, passionate about good testing reports and making sure that they go through peer review and get corrected.
Because, listen, we all like to think that everything we produce is just a pile of gold, but at the end of the day, that’s not going to be reality. So it’s great to be able to lean on other people and go, hey, take a look at this and make sure it makes sense to other people than just me.
And then we have a good product to give to our clients. Because without that, like you say, they’re not coming back for more of that.
Mike Saunders
100%. 100%. Agree.
Daniel Lowrie
All right, Mike, what do you think? Should we move on, or have we got any more to talk about when it comes to…
Mike Saunders
I mean, we could talk about reporting all day, but I think there’s enough resources out there for people to go take a look at. But, like, all right, well, if you come into this job and you’re like, I don’t want to write reports: go do a different job, because you’re gonna have a bad time and you’re going to do a disservice to your clients.
So.
Daniel Lowrie
Yeah. All right, well, we’ve hit that horse. It is gone. It’s fun. But now we need to talk a little bit. This was really a natural segue into our next point, because they kind of go hand in hand, which is communication.
Being able to effectively communicate the things that you have figured out and discovered, and have other people understand that. This is just kind of another form.
Is that what we’re looking at?
Mike Saunders
Yeah, yeah, because, like, you have the report, right? And the report is important because at the end of the engagement they have something tangible that they can refer to.
Be like, these were the problems, these were the causes, these are the solutions. But you also need to be able to… People are going to have questions about the report.
And so you’re going to get in that debrief call, and you might be in a debrief call with executives and heads of business units and middle managers as well as, like, technical people.
And you need to be able to answer questions for all of them, and they’re going to say, like, well, I don’t understand. Can you tell me how we arrived at this? Because, for example, I did this test where everyone in the company thought that they had fixed this trust issue, where they had a bunch of domains and all of the domains trusted each other, and it looked like a plate of spaghetti with the trusts.
And so I found that, like, everyone trusts everyone. So actually, with our pre-show banter, I found a pen test report and the hashes for everyone in one of the domains that were from a previous pen test, including ones they had cracked.
And I was enterprise admin, but now once I was there I was enterprise admin everywhere in all the domains, and they’re like, but this was fixed. And being able to just be like, well, I found it, it’s there, it’s on page 37.
But actually talk them through the technical piece in non-technical terms, these business people, and then say, I’m not privy to what happened before I got here, but I can tell you that as of this day, at this time, this was the state of affairs.
And then let them ask those questions internally. I get asked from executives, doing boardroom debriefs, kind of like, how do we compare in the industry to other things you’ve seen?
And being able to talk about, like, peer groups without talking about specific companies, and the kinds of vulnerabilities they have. Be like, well, we see ADCS vulnerabilities in a lot of environments.
What does that mean? We find that Windows services related to trusts and authentication are misconfigured in 90% of our environments.
However, it’s a straightforward fix, blah blah blah. And then talking to a developer, they’re like, hey man, you told us that we’ve got insecure direct object reference in this web app.
Like, how do we fix it? And being able to tell them, at a technical level, this is what this vulnerability is doing and this is how I would approach it.
Being able to do that for different groups in languages they understand, so they can be more effective at their jobs and do what they need to do.
I think communication is huge.
Daniel Lowrie
And when it comes to communication, correct me if I’m wrong, but you’re probably not… Just like, you’re going to sit down with a client, you’re going to scope out the engagement, you’re going to have all the contracts and everything signed. You’re going to do RoE, you’re going to do all the fun stuff that goes pre-engagement.
And then you’re not just going to go radio silence on them throughout the engagement, and then all of a sudden one day you’re like, okay, it’s time for everybody to meet together. We’re gonna hit you where it hurts.
It’s not gonna be a good time for you. There’s probably gonna be some communication in between those areas as well. How often do you typically communicate with a point of contact for our clients?
Mike Saunders
It varies wildly. We have some clients that are literally just like, tell us when the report’s ready. We don’t care. Unless you find that we’re actually on fire, we don’t care.
We don’t want any updates. Other people want daily updates, or twice a week, or just, hey, let us know if you find any highs and criticals, and others, they want more.
So we ask that as part of our kickoff call: how often do you want updates? And on a red team that’s an eight-week campaign, you probably don’t want daily updates.
You’re gonna get kind of annoyed. For two weeks, like, well, we’ve been doing OSINT and research and analyzing data, and then doing more OSINT based on the data that we analyzed and the conclusions that we came to.
And then we did some more analysis and we did some more OSINT. Like, that’s not helpful. But once we start getting into more the actionable phase, then we start giving more frequent updates about where we’re at.
But that’s entirely dictated by what the client wants. We will.
Daniel Lowrie
Do you try to steer them in any way, to say, hey, it’s going to be a six-week or an eight-week engagement, it’d probably be a good idea to have maybe just a weekly or every-two-weeks check-in with you, just to kind of let you know how it’s going?
Do you try to coach them into that being a good idea? Or are you like, hey, if that’s what you want, yeah, for sure. We’ll see you at the end.
Mike Saunders
I try to always just share my experience, what’s worked with other clients, and be like, we found this works really well. But if you need more frequent communication, we’re happy to do that. But we found that this works well.
Or sometimes telling clients, like, actually, I think we should meet more often, because there’s a lot of moving pieces here, especially when you have, like, a trusted insider that you’re working with and things, and making sure that everyone’s on the same page about what’s happening.
Because I have been in a test where someone’s like, hey man, we see what you’re doing. You’re doing this over there. I was like, I’m writing the report right now. I’m not hands-on keyboard testing at all.
And they’re like, you’re not doing this thing? Blah, blah, blah. And I was like, that is not me. And I was like, oh, there’s a live incident happening. But they came to me and were like, hey, are you doing this?
I’m like, that’s not me. Like, you should go put that fire out, because someone is definitely starting your house on fire.
Daniel Lowrie
That’s got to be a fun little scenario to go through.
Mike Saunders
Oh, yeah, yeah, 100%. Just be like, whoa, wait a second. Someone was doing password spraying from inside the organization. And I was like, that is not me. So that means you have someone that’s inside your organization right now doing password spraying.
You might want to figure that out.
Daniel Lowrie
Yeah. And then it makes you wonder, did they know we were testing and use it as, like, a cover? Could that possibly be occurring? And, I mean, that seems coincidental, that they would be getting popped at the same time you’re doing a Red Team assessment.
Mike Saunders
So, I mean, it does seem coincidental, but, like, I’m kind of an Occam’s Razor kind of guy. Like, the simplest is that they see attacks on a daily basis, and some succeed and some don’t.
And so I just happen to be there.
Daniel Lowrie
That’s funny.
Mike Saunders
But that does happen. That does happen.
Daniel Lowrie
Yeah. I feel like one of those old hillbilly boys. Like, you need to go take a look at your barn, because it is straight up on fire right now. That ain’t me. I didn’t start that fire. I’ve been over here starting other fires.
All right, let’s move on, because we’ve got one more. We’ve got about 10 minutes to go. And I think that’ll give us just enough time.
Mike Saunders
Sure.
Daniel Lowrie
To get through this one, because this one’s going to be really fun. I really look forward to this one, which is developing Red Team infrastructure. This is definitely a good skill to have if you want to be in that Red Team role, or, if you have gotten into that Red Team role, to hone that to a fine razor’s edge.
Explain this to us, Mike. What is this all about and why is it so important?
Mike Saunders
So there’s a lot of pieces. When you come to, like, a Red Team engagement versus a pen test: in a pen test you probably have, like, a drop box on the environment or a laptop, and that’s all you need. Maybe, if you need to pivot into the environment,
you’ve got some OpenVPN server or something sitting here and you tunnel through, and so you needed two boxes. Red Team, we’ve got a lot of different things. We need infrastructure to do our OSINT from that isn’t associated with any of the rest of our infrastructure.
So if that OSINT stuff is detected, like, sometimes you are doing some hands-on sending packets to the target, you don’t want that originating from the same space that you’re eventually going to be having your C2 communications to.
So you need infrastructure for OSINT, you need infrastructure for phishing, and when you do phishing you probably want some templates that are built already.
You need to be able to quickly stand up sending infrastructure. With both the phishing and the C2 operations, you want some aged domains that have good classification.
So you need those available, you need to know how to stand them up, make them actionable. And then you’ve got a phishing server. So you’ve got a server that you’re sending payloads from, and then people are going to be interacting with that.
Well, you don’t want the server you’re sending payloads from to also be the server that they’re going back to, to communicate for C2 stuff, because now it’s more attributable.
All this stuff is happening at this one IP; it’s bad. You want distributed infrastructure with multiple points, where you’ve got redundancy and abstraction, so it’s harder to tie things back to one action or one actor.
And then you want sock puppet accounts. Like, you need sock puppet accounts and sock puppet personalities, which ties into a bonus slide that we’re probably not going to get to.
But during this, like, as part of your phishing, you might need to interact with someone. So you need to be someone. Because I’m not.
Mike from Red Siege is not sending you a payload on this phishing engagement, because that’s a pretty clear way to get busted. So now I need to be someone. I need to be John Hancock from xyz.org, and I’m trying to get you to do this thing.
And so having some infrastructure, air-quoting infrastructure, but like having a LinkedIn account that has some connections on it and is backed by some amount of authenticity, will help with that if someone does decide to look at it.
But we’re spending… you have to deploy Red Team infrastructure, and it takes time, and being able to do it repeatedly so it works reliably is really important, because there’s nothing more frustrating than, like, sending your payload and then realizing your redirector isn’t working correctly.
So callbacks are just bouncing off the firewall, or they’re getting routed to the wrong place. You need to be able to stand it up quickly, repeatedly, reliably, and document it, document the hell out of it, and then use some skills that we learned in slide 1 about coding to write scripts to do this.
Whether you’re using Terraform or Ansible or whatever it is that you’re doing, some bunch of Python scripts and bash glue, being able to tie this together so that you can stand up your infrastructure quickly and know that it’s going to work,
I think is a huge piece. Like, without it, you’re just on the struggle bus and it just gets painful.
You’re spending more and more time just trying to get your stuff working instead of operating.
Daniel Lowrie
Yeah, I feel like the main ingredient in this little recipe of Red Team infrastructure is time, patience, having the ability. Because, like you said, things need to have a good reputation in the world.
Because I can stand up a phishing domain today with a Let’s Encrypt cert, and it’s going to be like, yeah, nah, that’s cool, we’re not doing that.
Mike Saunders
Right.
Daniel Lowrie
It’s gonna be a while for it to build a reputation that it is not a phishing domain, because it hasn’t been doing phishing for more than 12 seconds, you know what I mean? It’s like, you can’t just fire these things off into the world and expect them to start working.
We have security in place at this point, and I mean, this goes to show you that everything that we’ve done up until this point to increase the level of security is to some extent working, because you, as a red team, are having to go above and beyond what used to be just, oh, this job is so easy.
Now you have a lot of work to do to make sure that you are as effective with your ability to gain access to their systems and show them where the other weak spots are.
Because now we have all this new security that is more normal to be implemented that will pop this stuff. So it takes time. Some people did ask, like, do you have any good resources when it comes to things like sock puppets?
Like, how long does it take? And what are some good ways to get that kind of going and make them useful?
Mike Saunders
Yeah, so that is an interesting question. Like, stand up some email account that’s not associated with your company, so ProtonMail or whatever it is, and then get on LinkedIn, upload some kind of profile picture.
It doesn’t have to be… You could be something that you’ve gotten from a stock photo site. Although good OSINT people will be like, wait a second, that is a stock photo from here.
That’s clearly not that person. So, like, it’s tough. Who do you pick? But, like, have a photo, have some work history in there, and then start interacting with other people, send out some LinkedIn requests, try to connect with people.
People love to connect on LinkedIn. Maybe get active in some forums, ask some questions, participate in some things.
That all takes time, right? Like, so we all have some downtime during our development, operations. We’ve got a day that’s clear here and there.
Spend a little time caring and feeding for your infrastructure and caring and feeding for your sock puppets. Another thing, like you mentioned, talking about, like, phishing and aging domains and all that preparation:
Send emails from your phishing domain. Don’t just stand it up and let it age, because some places are actually looking and go, like, have we ever seen this domain communicate before?
So if your target’s in M365 and you’ve never sent an email into M365 from that domain, it’s going to be a little more suspicious. So start maybe sending innocuous emails to friends, to your own accounts hosted elsewhere.
Get some communication going back and forth so that hopefully you pass through multiple different providers. Like, it’s good to have friends in various places.
So I have friends that have Proofpoint. I have friends that have Microsoft 365. I have friends that have CrowdStrike. I have friends that have SentinelOne. Test things out, right? Like, get it seen, and with the email stuff, like, send email to different mail providers where people are going to be expecting it, not classifying it as spam.
Right, because that’s the opposite of helpful. And start doing that to build some provenance for your domain.
Daniel Lowrie
Mike, do you ever reuse these infrastructures, or do you have, like, a set amount of infrastructures that are kind of ready? They’re baked, they’re ready to work.
Maybe you’ve got a couple of others that are in the fire and are cooking but not quite ready for prime time. Is it a process that kind of works cyclically like that? Or do you just spin up some infrastructure and use it till it’s burned, and then lather, rinse, repeat?
What’s your process for this?
Mike Saunders
So for red team stuff, it’s pretty much always new. Build it from the ground up every time, because blue teams aren’t expecting it, they don’t know the test is going on. They’re inspecting things, maybe submitting things to VirusTotal, and then VirusTotal now sees it, or Joe Sandbox or whatever.
And now they’ve got this IP and this domain associated with malware activity, if they did actually detect it and detonate it in a sandbox. We’ve had people report our stuff to, like, some of the MX health record stuff, to be like, hey, this is a spammer or this is whatever.
So we use a lot of different infrastructure, and then we’re constantly standing up new stuff all the time, because if we get burned, that’s going to affect every engagement down the road from now on.
So we need those things to just kind of be unique, so that we don’t shoot ourselves in the foot and use a bad-classification domain from the start, or never get a chance to have our email delivered because they’re like, hey, this is a spamming domain.
Daniel Lowrie
Yeah, I bet it’s real fun when you have a domain, you have all this infrastructure built, and you’re working with it, and you’ve already started the engagement, and then all of a sudden… Have you ever had that happen, where it just becomes like, oh, we’ve been discovered, or it has been classified as a phishing domain or something like that?
Yeah, just totally cut you off at the knees.
Mike Saunders
Like, knowing how to protect your infrastructure. So, like, I’m blanking on his name. Curious Jack is his Twitter or GitHub type handle; works for TrustedSec.
He had built this list of basically, like, Apache… what is the host…
What is the file in Apache that, like, you can use for rules for how things are handled? I’m totally… the .htaccess. Yes, .htaccess rules.
Daniel Lowrie
Thank you.
Mike Saunders
Or doing it with, like, mod_rewrite, and having it set up to block the majority of, like, the various threat intelligence and virus scanning and those types of companies.
And Netcraft, because we had stood up one, we were doing a Microsoft 365 credential phish, and I had had an error. It was before I had automated building my mod_rewrite rule set to block everything that I didn’t want.
And Netcraft scans the Internet all the time on behalf of a bunch of companies. One of them is Microsoft, and they saw this Microsoft 365 fake login page and they’re like, hey, issued a domain takedown notice and, like, reported us immediately.
And so, like, I had to start from scratch. I had to go get a new domain. I had to stand up new infrastructure. The registrar was ready to, like, yank our account. We’re like, hey, this is part of an authorized red team. We have contracts, blah blah blah.
But I got burned by that before I ever got started. So protecting that as long as possible, like learning how to use mod_rewrite and redirectors and protect your infrastructure, because, man, that’s a bad…
Daniel Lowrie
Mike needed some burn cream for that sick burn. Yeah, 100%. Oh, that sucks. I’m sorry to hear that, Mike. But I guess it is just the cost of doing business from time to time when it comes to this whole red teaming thing.
This has been fun. I’ve enjoyed it. We’ve got our poll completed with “what C2 do you like, do you use?” It says, what C2 do you utilize on engagements?
And we’ve got over 100% of interaction with this, which is interesting to me, because 50 of people are… 48 now. 48 people said Cobalt Strike.
We got 7 with Brute Ratel, 6% with Nighthawk, and then 59 with other, which, yeah, I don’t know how that adds up to 100. But there are…
Mike Saunders
Well, probably because we use multiple. Like, if it allows you… Like, we use multiple on a thing. People in there are like, oh, Sliver is underrated, no, Empire.
Like, it depends on what your target’s using.
Daniel Lowrie
Right.
Mike Saunders
Havoc’s another great one that’s out there. And we try, in our OSINT, to understand what the target’s using.
And some work better than others. I love Cobalt Strike. However, a lot of EDRs have written signatures specifically for Cobalt Strike, not for the technique.
Right. So I take a shellcode loader and it blows it up and says, this is Cobalt Strike. I take the same exact shellcode loader, but I put Brute Ratel shellcode in.
And it works just fine, because they’re writing signatures specifically for Cobalt Strike’s. So I might use Brute Ratel. Nighthawk has advantages too, because it’s not used as much, not as well known, not as heavily signatured.
Same thing with things like Sliver or Havoc or men. Like, you can find 8,000 different C2s out there, and, oh, GitHub is…
Daniel Lowrie
Just chock full of C2 stuff.
Mike Saunders
Yeah.
Daniel Lowrie
I’ve been seeing Loki. Have you seen Loki?
Mike Saunders
I have not seen it yet. I’ve seen… You’re talking about Bobby Cooke’s project that he’s talking about.
Daniel Lowrie
It looks nice.
Mike Saunders
Yeah. Yeah, I don’t think he’s released it yet. I’m waiting.
Daniel Lowrie
No, he’s still cooking on it. Yes, but he’s been posting.
Mike Saunders
It’s pretty awesome. I can’t wait to see it. And there’s so many out there, and it goes back to having different tools in your toolkit, having different C2s. And sometimes you don’t need a full-fledged C2.
Sometimes you like a stage zero that just allows you to get in, enumerate a little bit of information to understand the environment, before you launch a full-fledged C2.
Like so many different ways to accomplish the task.