Stealing, scamming, bluffing: El Reg rides along with pen-testing 'red team hackers'

Silver tongue

It is 8:30am the next day and I am back in Gatford's office. We peruse the access cards. He opens up the large text file dump of yesterday's haul and tells me what the data fields represent. "These are the building numbers; they cycle between one and 255, and these are the floor numbers," he says. There are blank fields and junk characters from erroneous scans. He works out which belong to Estate Brokers and writes them to blank cards. They work.

More reconnaissance. Estate Brokers has more buildings that Gatford will test after your reporter leaves. He fires up Apple Maps, and Google Maps Street View. With the eyes of a budding red teamer I am staggered by the level of detail it offers. Apple is great for external building architecture, like routing pathways across neighbouring rooftops, Gatford says, while Google lets you explore the front of buildings for cameras and possible sheltered access points. Some mapping services even let you go inside lobbies.

Today's mission is to get into the guards' office and record the security controls in place. If we can learn the name and version of the building management system, we've won. Anything more is a bonus for Gatford's subsequent report.

We take the Estate Brokers stationery haul along with our access cards and fake identity badges and head out to the firm's second site.

"Don't hesitate, be confident."

But first, coffee in the lobby. We chat about red teaming, about how humans are always the weakest link. We eat and are magnanimous with the waiting staff. Gatford gets talking to one lady and says how he has forgotten the building manager's name. "Jason sent us in," he says, truthfully. Jason is the guy who ordered the red team test, but we don't have anything else to help us. The rest is up to Gatford's skills.

It takes a few minutes for the waitress to come back. The person who she consulted is suspicious and asks a few challenging questions. Not to worry, we have identity cards and Gatford is an old hand. I quietly muse over how I would have clammed up and failed at this point, but I'm happily in the backseat, gazing at my phone.

We use the access cards skimmed the day earlier to take the lift up to an Estate Brokers level. It is a cold, white corridor, unkempt, and made for services, not customers. There's a security door, but no one responds to our knocks. There are CCTV cameras. We return down to the lobby.

Michael is the manager Gatford had asked about. He is standing at the lifts with another guy, and they greet us with brusque handshakes, Michael's barely concealed irritation threatening to boil over in response to our surprise audit. He rings Jason, but there's no answer. I watch Gatford weave around Michael's questions and witness the subtle diffusion. It's impressive stuff. Michael says the security room is on the basement level, so we head back into the lift and beep our way down with our cards.

This room is lined with dank, white concrete and dimly lit. We spy the security room beaming with CCTV. "Don't hesitate, be confident," Gatford tells me. We stride towards the door, knock, and Gatford talks through the glass slit to the guard inside.

Gatford tells him our story. He's a nice bloke, around 50 years old, with a broad smile. After some back-and-forth about how Jason screwed up and failed to tell anyone about the audit, he lets us in.

My pulse quickens as Gatford walks over to a terminal chatting away to the guard. There are banks of CCTV screens showing footage from around the building. A pile of access cards. Some software boxes.

I hear the guard telling Gatford how staff use remote desktop protocol to log in to the building management system, our mission objective.

"What version?" Gatford asks.

"Uh, 7.1. It crashes a lot."

Bingo.

I look down and there are logins scrawled on Post-it notes. Of course. I snap a few photos while their backs are turned.

Behind me is a small room with a server rack and an unlocked cabinet full of keys. I think Gatford should see it so I walk back out and think of a reason to chat to the guard. I don't want to talk technology because I'm worried my nerves will make me say something stupid. I see a motorbike helmet.

"What do you ride?" I ask. He tells me about his BMW 1200GS. Nice bike. I tell him I'm about ready to upgrade my Suzuki and share a story about a recent ride through some mountainous countryside.

Gatford, meanwhile, is out of sight, holed up in the server room snapping photos of the racks and keys. More gravy for the report.

We thank the guard and leave. I feel unshakably guilty.

From the red to the black

Gatford and I debrief over drinks, a beer for me, single-malt whiskey for him. We talk again about how the same courtesy and acquiescence to the customer that society demands creates avenues for manipulation.

It isn’t just red teamers who exploit this; their craft is essentially ancient grifts and cons that have ripped off countless gullible victims, won elections or made spear phishing a viable attack.

I ask Gatford why red teaming is needed when the typical enterprise fails security basics, leaving old application security vulnerabilities in place, forgetting to shut down disused domains and relying on known bad practice checkbox compliance-driven audits.

"You can't ignore one area of security just to focus on another," he says. "And you don't do red teaming in isolation."

Carew and McKinnon agree, adding that red teaming is distinct from penetration testing in that it is a deliberately hostile attack through the easiest path to the heart of organisations, while the former shakes out all electronic vulnerabilities.

"Penetration testing delivers an exhaustive battery of digital intrusion tests that find bugs from critical, all the way down to informational... and compliance problems and opportunities," they say in a client paper detailing aspects of red teaming [PDF]. "In contrast, red teaming aims to exploit the most effective vulnerabilities in order to capture a target, and is not a replacement for penetration testing as it provides nowhere near the same exhaustive review."

Red teaming, they say, helps organisations to better defend against competitors, organised crime, and even cops and spys in some countries.

Gatford sells red teaming as a package. Australia's boutique consultancies, and those across the ditch in New Zealand, pride themselves on close partnerships with their clients. They point out the holes, and then help to heal. They offer mitigation strategies, harass vendors for patches, and help businesses move bit by bit from exposed to secure.

For his part, Gatford is notably proud of his gamified social engineering training, which he says is designed to showcase the importance of defence against the human side of security, covering attacks like phishing and red teaming.

He's started training those keen on entering red teaming through a three-day practical course.

"Estate Brokers", like others signing up for this burgeoning area of security testing, will go through that training. Gatford will walk staff through how he exploited their kindness to breach the secure core of the organisation.

And how the next time, it could be real criminals who exploit their willingness to help. ®