In This Article
Red teaming (sometimes abbreviated as just RT) can be described as executing an operation against a corporation or government entity to identify various gaps in their security policies. This could cover physical security, digital security, personnel/employee screening, and so on. The goal of a professional Red Team is to find as many shortcomings as possible so they can be brought to light and fixed before they can be exploited by a bad guy.
Taken down to the individual level, RT can also be used as a way to take an inward look into yourself to find a solution to an internal struggle you’re dealing with. Ultimately, anything and everything can be red teamed. It’s not all code, MultiCam, and tradecraft. It can be as simple as looking at an issue or situation and assessing it from various angles.
In this article, we focus on the mindset used by “red teamers.” When it comes to this way of thinking, it’s commonly referred to as the adversarial mindset — which is a fancy way of saying “think like a bad guy.” Now, why would the adversarial mindset be helpful to the average person? How can you filter this down to make it useful for the prepared citizen? If you approach your personal security (or PERSEC) not from your own perspective, but from the vantage point of a potential bad guy, you’ll be able to defend yourself, your family, and your property more effectively.
I’ll give you a simple example. Let’s say you’re thinking about installing a CCTV camera somewhere on your property. Where would you put it? Probably someplace that has the best view of the area you wish to monitor, right? But would you mount it at a height of 6 feet? No? Why not? Maybe because it would be easy for someone to reach and tamper with? That’s a good point. Congratulations, you just used the adversarial mindset. Now, how many other ways you can apply that same line of thinking to protect yourself either at home or in your workplace? The following are a couple of lessons that I’ve learned from red team assignments throughout my career. Hopefully they can provide a foundation for you to take a hard look at your routine and find some safety gaps to fill.
When I was asked to do this article, I was posed this initial question: “What are some of the lessons learned from your work on a red team?” My immediate response was “Lessons learned are simple; it’s really easy to park a car somewhere and blow it up. Everyone’s too busy looking at their phones to notice a guy park a Buick in the always-open handicapped spot and start walking across the street to another waiting car and take off.” Although accurate, this scenario was hypothetical. The rest of these events actually took place.
How often has a service provider or utility company employee knocked on your door unannounced to read a meter, check your internet cable, offer you a today-only discount on extermination services after a free on-the-spot assessment? How do you know they were actual employees with sincere intentions? Was it their attire? Or the plastic ID badge they had on? Was this enough for you to let them in your home? One of my favorite red team covers or MOs (modus operandi) is to pose as a utility worker. An MO is generally defined as “someone’s habits of working.”
What do you know about a utility worker’s MO? Probably not much, when you think about it. Just that they usually wear a hardhat and have a clipboard — both are cheap and very easy to obtain. Usually they have a shirt with “Electric Company” on it. Maybe a logo, which is also easily obtained off of the company’s website. With a quick trip to the local office supply store, I can print said logo onto transfer paper, and iron the name and logo onto a shirt. While working on an assignment, I was able to gain entry to the client’s office building while dressed as utility worker.
When I checked in with security, I provided a fake company ID and driver’s license. The guard attempted to scan the bar code on the back of the ID, which didn’t work. But I had already created a very convincing crack in the ID which explained the lack of scanning ability. I told him I had cracked it while attending a baseball game after sticking it into my pocket without a wallet. I also built in an ample amount of “aging” to my fake ID by lightly rubbing the freshly printed card on my blacktop driveway prior to deployment. The guard then entered my info manually, took my picture, and I was granted entry under the guise of “checking feeder line equipment.” Don’t know what that is? Neither did he.
The gist: Perception isn’t reality. As Ronald Reagan once said, “Trust, but verify.” If an unfamiliar or unannounced person comes to your home or place of business and wishes to be granted entry, you can be kind but cautious. Look at their attire and identification, then verify it. If you’re at your place of business, contact your security staff if you have one. Or, based on the person’s perceived business (utility worker, construction foreman, etc.), contact that specific department to see if they’re expecting anyone.
Ultimately, if a visitor is granted entry to your place of business, they should never be without an escort. If you’re at home, check their attire and identification (company issued and driver’s license). Make sure the names and pictures match and the license is local, then ask for their main office number so you can verify their identity. Before dialing the number, type it into Google to make sure it’s not a cell phone and that the number is prominently published on the company’s website. Never accept cell phones or unpublished numbers as a means of verification.
Above: Generic “Security” badges can be bought online. When paired with matching shirt and slacks, a false air of authority can ease most people’s suspicions. Don’t be afraid to question.
Don’t take the “that’s my supervisor’s cell phone” excuse. Once you’re able to verify the person’s intent and identity, it’s still up to you if wish to grant them entry. If you’re a stay-at-home mother with children running around or napping in the next room, schedule an appointment when your spouse is home. Especially when there are two or more people requesting to enter your home, don’t put yourself in a situation behind closed doors where you’re outnumbered. And above all, trust your intuition.
Even if everything checks out and you have that “bad feeling” or the hairs on the back of your neck start to stand up, listen and dismiss the unannounced visitor(s). Remember, most companies advertise that their personnel are “background checked,” but there are many different types of background checks and they aren’t all created equal. Every bad guy who has ever lived has had a clean background at one time or another. A clear background means the person doesn’t have a known history of criminal activity, nothing more.
Tip: Check to see if your locale has “solicitation licenses.” Many areas have started requiring these for door-to-door salesmen and the like. They usually require a background check prior to issuance. In many cases, just asking if they have a solicitor’s license will cause them to leave. If they do, ask to see it and then call your local police department’s non-emergency number and ask them to verify the license, then check with business that they’re supposedly representing to verify their identity (just as I described above). Also see if your area has a “no-knock list.” This is something else that many locales have started using to cut down on the number of people going door to door unannounced. If your area has one, take steps to get your address on it.
During a job, I was asked by the client to measure the risk of the “ex-employee route” to see if I could gain entry to their facility while having a moderate understanding of what the business’s culture was like — their internal system for identification, access control, etc. They wanted to know if I could circumvent their physical security using only internal information about day-to-day operations — the kind of information any current or former employee would know. After taking some time to understand how the business functioned, I noticed that in many cases, associates who predominantly worked from home, or worked closely with clients, weren’t normally issued access badges since they weren’t coming into the office on a regular basis. That meant there was a good possibility that the security guards had no idea what some of these people looked like.
On top of that, in many cases the company’s internal employee directory system provided no individual photos either. So, if you were a remote employee who knew specific internal information, you’d be granted entry. I then chose an employee who worked on the opposite side of the country who was a “remote employee” as my cover and fabricated the remainder of the MO. I created a fake driver’s license from my cover’s home state (harder to identify since it’s not local and unfamiliar), memorized his employee ID number, and created a backstory about why I needed to be there.
When I approached the receptionist, I explained who I was (the cover’s name, an active employee); gave her my (fake) license; provided the employee ID number; explained that I was on vacation, a deal with a client was going south, and that I needed to access the LAN (local area network) to assist my team. I then off-handedly complained about my hotel’s Wi-Fi. Because I had a driver’s license with the correct name, as well as an employee ID number that was valid and matched the name in the employee directory, I was eventually granted entry. There was no picture available to provide verification and no one called the employee’s supervisor to verify my identity. Just a backstory, a smile, and the fog of legitimacy. They even offered to create an access badge for me so I could access that building, or any of the client’s other sites, going forward.
The gist: If someone wishes to gain access to your place of business and they present themselves as a fellow employee, that doesn’t mean they aren’t a former employee who has knowledge of internal information. Take all appropriate steps to verify their identity — a name and an employee ID number aren’t enough. A picture should be included in the verification process (and if it isn’t, you should take steps to have your business leadership implement a system that includes pictures). If you’re provided an unfamiliar or out-of-state license, a quick Google search of that state’s name followed by “driver’s license” should bring you to that state’s DMV or similar department. Then verify that it’s a current license type.
Also, be sure to utilize internal assets to verify the employee’s perceived identity. In the scenario above, if the receptionist had placed a call to the supervisor of the individual of which I assumed his identity, my cover would have been completely blown. Also, if your business utilizes an internal messaging system, check to see if that person is logged in. Also check to see if the individual has an out-of-office message on their email or internal phone number. In many business and corporate settings, it’s considered bad form to go on vacation without setting an out-of-office message on your voicemail and email.
Let’s remove physical access from the picture altogether and focus on digital information security. Could you let someone in your home or workplace without even opening a door, or even giving them a key? Of course you can. Digital intrusion is the way of the future. If I can gain entry to your life without having to worry about creating an MO or spending large amounts of time on preplanning or reconnaissance, why wouldn’t I?
(Note: This isn’t my technique, I didn’t invent it, but I’ve used it and so have many others.) What if you found a memory card or USB stick laying on the ground in a public place or in the cafeteria in your office? Would you want to be the Good Samaritan and return it to the rightful owner? Would you maybe be curious about what’s on it? It’s the modern-day equivalent of finding a blank VHS tape. Let’s say curiosity, or your intentions of trying to find a “rightful owner,” get the best of you, and you insert the device into your computer. You know enough to know not to download or run any software or program files since that could install a virus.
When you open up the device on your computer, it only looks to be pictures and video files. You commence to opening the pictures and they open just fine. But you’re not installing anything, right? Wrong! The pictures had malicious code in them and they’re creating a “back door” for me to access your computer. Ah, but you have virus protection software and a whole gaggle of cyber-security software that’ll protect you. Maybe. Or maybe not, since there are plenty of ways to subvert these applications and malware designers are constantly evolving and updating their code. The news showcases examples of this on prime time what seems to be almost monthly. So, if I gain entry to your home or office computer, what do I have access to? Think about what’s stored on those computers and what could be done with that information. All because you looked at a picture.
The gist: Be just as suspect of things that you plug into a computer as you would of people who you grant entry into your home or place of business. No amount of curiosity should supersede your goals of maintaining your personal or professional INFOSEC (information security). If trusted friends or family give you a memory stick to copy family photos, then you’re most likely safe, just be sure your virus and digital security software are up to date. Beyond that, only use memory sticks that you’ve purchased yourself from a trusted source, and ensure they’re unopened and show no signs of tampering. Never use USB devices that are sent through the mail for promotional purposes. Promotional material is very easy to fake and doesn’t even have to be sent through the mail, it can be easily placed in your mailbox while you’re at work.
There are several examples of this being successfully executed across the globe. In 2017, a major U.S. insurance provider created the perfect opportunity for this attack to be launched on a large scale, but luckily no one, to my knowledge, exploited it. Someone thought it would be a good idea to provide USB devices in a mailer that would give you information on the services you could expect from their insurance company. Because of the sheer number of these that were mailed out and the very real danger that it posed, INFOSEC professionals and digitally savvy civilians alike took to the internet to scold this prominent insurance provider of their clear violation of what should be common sense protocols.
Perhaps the most famous use of the technique was discovered in 2010, allegedly part of a multinational cyber-warfare initiative. The Iranian nuclear program was disrupted after a sophisticated malware known as Stuxnet targeted its uranium enrichment centrifuges, causing them to fail to produce usable nuclear material. Analysts believe the malware was covertly introduced to those secure facilities on infected USB sticks.
If you didn’t buy it, it didn’t come from a trusted source, or has been exposed to the general public out of your control (left at a coffee shop or received in the mail from your new insurance provider) consider the device compromised and destroy it. It’s not worth the risk.
Utilizing the adversarial mindset in your everyday life comes down to applying a few different “lenses” to your outlook: observing what’s happening around you, thinking about how actions or decisions could be exploited by those with ill intent, being kind but cautious when dealing with people you don’t know, and the old adage of “trust but verify.” Every day, we go to work and are posed with problems that we are tasked with solving. The adversarial mindset allows you to be proactive, troubleshooting the problems before they arise so you, your family, and your workplace can be as safe as possible. Never forget to think like a bad guy.