WEBVTT 1 00:00:00.080 --> 00:00:04.679 Ever wonder how prepared, like really prepared your organization is 2 00:00:04.799 --> 00:00:05.120 for a. 3 00:00:05.080 --> 00:00:08.039 Cyber attack, like not just checking the box, yes. 4 00:00:08.000 --> 00:00:09.919 Yeah, like actually facing down a real threat. 5 00:00:10.119 --> 00:00:10.439 Yeah. 6 00:00:10.480 --> 00:00:13.400 That's where red teaming comes in exactly. It's like ethical 7 00:00:13.439 --> 00:00:17.079 hacking on steroids. We're diving deep into the book Red 8 00:00:17.120 --> 00:00:19.039 Team Development and Operations. 9 00:00:19.559 --> 00:00:20.320 Great book. 10 00:00:20.480 --> 00:00:23.839 Think of it as our playbook for understanding this whole world. 11 00:00:24.039 --> 00:00:27.320 It's a fascinating world because red teaming goes way beyond 12 00:00:28.199 --> 00:00:31.480 just like finding a vulnerability, Okay, you know, it's about 13 00:00:31.559 --> 00:00:38.079 understanding how an attacker would actually exploit those weaknesses. Kind 14 00:00:38.159 --> 00:00:40.520 like a stress test for your security, but instead of 15 00:00:40.560 --> 00:00:44.159 just looking at technical specs, it simulates a real attack scenario. 16 00:00:44.320 --> 00:00:46.520 Okay, so let's say someone is listening and they're thinking, 17 00:00:46.600 --> 00:00:49.920 all right, but isn't that what penetration testing is for. 18 00:00:50.240 --> 00:00:52.880 Yeah, so pen testing is definitely a part of it, 19 00:00:53.240 --> 00:00:56.799 but red teaming takes a much broader view. Okay, Okay, 20 00:00:56.840 --> 00:00:59.799 imagine security is like a fortress. Okay, pen testing might 21 00:01:00.159 --> 00:01:02.759 if the walls are strong. Red teaming is trying to 22 00:01:02.799 --> 00:01:06.079 sneak in, maybe disguised as a delivery person, or even 23 00:01:06.120 --> 00:01:07.640 digging a tunnel underneath. 24 00:01:07.840 --> 00:01:08.319 Wow. 25 00:01:08.400 --> 00:01:12.439 It tests the people, processes, and technology all at once. 26 00:01:12.799 --> 00:01:14.760 That's a great analogy, and it reminds me of the 27 00:01:14.799 --> 00:01:17.560 story from the book about a company where the leadership 28 00:01:17.640 --> 00:01:19.959 just assumed that only five people had access to their 29 00:01:19.959 --> 00:01:23.439 accounting systems, but when the red team came in. 30 00:01:23.480 --> 00:01:26.280 Yeah, they found a bunch more people who actually had access, 31 00:01:26.799 --> 00:01:30.040 which obviously creates a much bigger security risk. It's a 32 00:01:30.079 --> 00:01:34.400 classic example of how red teaming challenges assumptions. It forces 33 00:01:34.400 --> 00:01:37.040 you to look beyond the obvious and consider all the 34 00:01:37.079 --> 00:01:38.359 potential attack vectors. 35 00:01:38.439 --> 00:01:40.239 So it's not about if you have a weaknesses, it's 36 00:01:40.280 --> 00:01:43.000 about how an attacker would actually exploit them and what 37 00:01:43.000 --> 00:01:45.400 would happen if they did exactly. 38 00:01:45.280 --> 00:01:47.799 And that brings us to a really helpful visual. The 39 00:01:47.840 --> 00:01:51.200 book uses the inverted triangle. It shows the relationship between 40 00:01:51.319 --> 00:01:56.480 vulnerability assessments, penetration testing, and red teaming. At the very top, 41 00:01:56.480 --> 00:02:00.040 you've got vulnerability assessments. Think of this is casting a 42 00:01:59.840 --> 00:02:03.680 wide net to find as many potential weak points as possible. 43 00:02:04.079 --> 00:02:06.480 It gives you a broad overview but doesn't go into 44 00:02:06.480 --> 00:02:07.120 a lot of depth. 45 00:02:07.400 --> 00:02:09.439 Okay, that makes sense. So it's like a basic scan 46 00:02:09.560 --> 00:02:11.439 to identify the low hanging fruit. 47 00:02:12.159 --> 00:02:16.080 Then what Then you move down the triangle to penetration testing. 48 00:02:16.639 --> 00:02:19.400 This is where you actually try to exploit those vulnerabilities. 49 00:02:19.400 --> 00:02:21.680 You poke and prod to see if you can actually 50 00:02:21.719 --> 00:02:25.039 get in. It's a deeper dive, but still primarily focused 51 00:02:25.080 --> 00:02:26.120 on technical weaknesses. 52 00:02:26.159 --> 00:02:28.080 And then at the very bottom of the triangle the 53 00:02:28.120 --> 00:02:30.360 tip yep, that's where red teaming comes in. 54 00:02:30.560 --> 00:02:33.439 Exactly. Red teaming encompasses all of it. You're looking at 55 00:02:33.439 --> 00:02:37.439 the vulnerability scans, the penetration test results, but you're also 56 00:02:37.479 --> 00:02:41.400 factoring in the human element. Okay, how do employees respond 57 00:02:41.479 --> 00:02:46.080 to phishing attempts? Are there gaps in security procedures? Could 58 00:02:46.080 --> 00:02:49.560 someone literally tailgate their way into a secure area? It's 59 00:02:49.599 --> 00:02:54.599 about seeing how the entire system, people, processes, and technology 60 00:02:54.879 --> 00:02:57.199 would hold up against a determined attacker. 61 00:02:57.360 --> 00:03:00.360 Okay, so it's like a full blown simulation of real 62 00:03:00.360 --> 00:03:04.159 world attack taking everything into account. That's pretty intense. But 63 00:03:05.319 --> 00:03:07.639 how do they even begin to plant something like that? 64 00:03:07.680 --> 00:03:10.280 Do they just pick a random attack scenario and go 65 00:03:10.400 --> 00:03:10.759 for it? 66 00:03:11.000 --> 00:03:14.599 Not at all. Red teams use threat intelligence and frameworks 67 00:03:14.639 --> 00:03:18.879 like mitre, ATT and CK to understand real world tactics 68 00:03:18.879 --> 00:03:22.280 and techniques. Basically, they create a profile of the threat 69 00:03:22.319 --> 00:03:25.080 they're simulating based on real world adversaries. 70 00:03:25.159 --> 00:03:26.919 So instead of just throwing spaghetti at the wall and 71 00:03:26.960 --> 00:03:29.719 seeing what sticks, they're actually studying the playbook of real 72 00:03:29.719 --> 00:03:33.680 attackers and saying, Okay, how would this group target our organization? 73 00:03:33.919 --> 00:03:35.840 You got it? And they don't try to simulate everything 74 00:03:35.879 --> 00:03:39.240 at once. The book calls it decomposing the threat. They 75 00:03:39.240 --> 00:03:42.199 break down a complex adversary into their core components. What 76 00:03:42.199 --> 00:03:45.039 are their goals, what tactics are they known for, what 77 00:03:45.120 --> 00:03:48.120 tools do they use? This helps them focus on what's 78 00:03:48.199 --> 00:03:50.759 feasible within the time and budget constraints of. 79 00:03:50.759 --> 00:03:54.800 The engagement, right because you can't simulate every single aspect 80 00:03:54.840 --> 00:03:57.960 of a sophisticated attack, but you can focus on the 81 00:03:58.039 --> 00:04:01.759 key elements that are most elevant to the organization you're testing. 82 00:04:02.639 --> 00:04:06.080 So let's say they've identified the threat they want to emulate. 83 00:04:06.560 --> 00:04:07.599 What happens next. 84 00:04:07.840 --> 00:04:10.840 This is where it gets really interesting. Red teams have 85 00:04:10.879 --> 00:04:13.360 to decide what type of engagement they're going to conduct. 86 00:04:14.360 --> 00:04:17.199 There are two main types, announced and unannounced. 87 00:04:17.480 --> 00:04:20.720 Wooh unannounced that sounds like it could get a little spicy. 88 00:04:20.920 --> 00:04:24.079 They can with an announced engagement, the organization knows the 89 00:04:24.120 --> 00:04:26.639 test is coming. They might be a little more prepared, 90 00:04:26.639 --> 00:04:29.759 maybe they've patched some known vulnerabilities where they're on high 91 00:04:29.800 --> 00:04:31.639 alert for phishing emails. 92 00:04:31.240 --> 00:04:33.639 So it's more of a controlled experiment exactly. 93 00:04:34.120 --> 00:04:36.759 But unannounced engagements, those are designed to be more like 94 00:04:36.800 --> 00:04:39.680 a real attack. Okay, the organization has no idea its coming, 95 00:04:39.680 --> 00:04:41.000 so they're caught completely off guard. 96 00:04:41.319 --> 00:04:43.360 Wow, that must be a real eye opener for them. 97 00:04:43.399 --> 00:04:46.160 You get to see their true reactions and how well 98 00:04:46.160 --> 00:04:50.160 they would actually respond to a real world attack exactly. 99 00:04:50.199 --> 00:04:52.480 And the book has this Red Team tip that I love. 100 00:04:53.000 --> 00:04:56.680 It says unannounced engagements are best for understanding overall security 101 00:04:56.720 --> 00:05:02.720 operations effectiveness, while announced engagements are better for testing specific capabilities. 102 00:05:04.480 --> 00:05:07.399 So if you want to see how your incident response 103 00:05:07.399 --> 00:05:10.759 team would handle a ransomware attack, an announced engagement might 104 00:05:10.800 --> 00:05:13.439 be a better fit. But if you want a truly 105 00:05:13.560 --> 00:05:18.199 realistic assessment of your overall security posture, unannounced is the 106 00:05:18.240 --> 00:05:18.639 way to go. 107 00:05:18.759 --> 00:05:20.560 It's like the difference between a fire drill and an 108 00:05:20.560 --> 00:05:23.199 actual fire. Right, one is a practice run, the other 109 00:05:23.279 --> 00:05:24.040 is the real deal. 110 00:05:24.240 --> 00:05:25.879 That's a great way to put it. And then there's 111 00:05:25.879 --> 00:05:29.800 another type of engagement that's worth mentioning. The assumed breach model. Okay, 112 00:05:29.879 --> 00:05:32.160 this is where the red team is given initial access 113 00:05:32.360 --> 00:05:35.040 to the system. They skip the getting in part and 114 00:05:35.079 --> 00:05:37.279 go straight to seeing what they can do once they're inside. 115 00:05:37.279 --> 00:05:39.600 Hold on. So it's like saying, Okay, we know someone 116 00:05:39.600 --> 00:05:42.000 could get in, so let's just focus on what happens next. 117 00:05:42.199 --> 00:05:43.240 Isn't that a bit risky? 118 00:05:43.639 --> 00:05:47.480 It can be, but it's also incredibly valuable for understanding 119 00:05:47.519 --> 00:05:51.600 an organization's ability to detect and respond to an active threat. 120 00:05:51.920 --> 00:05:54.480 It's like saying, Okay, the alarm bells are already ringing. 121 00:05:54.680 --> 00:05:57.279 Now let's see how quickly and effectively you can contain 122 00:05:57.319 --> 00:05:57.959 the damage. 123 00:05:58.040 --> 00:06:01.240 So it's about understanding how far an attacker could get 124 00:06:01.319 --> 00:06:04.399 once they're passed the initial defenses. That makes a lot 125 00:06:04.399 --> 00:06:06.920 of sense, but it does raise another question. If they're 126 00:06:06.920 --> 00:06:10.480 already inside, how do they actually operate without getting caught? 127 00:06:10.839 --> 00:06:10.959 Right? 128 00:06:11.079 --> 00:06:13.319 I mean, isn't there a ton of monitoring and security 129 00:06:13.360 --> 00:06:15.600 software that would pick up on unusual activity? 130 00:06:15.720 --> 00:06:19.879 Absolutely, that's where tradecraft comes in. The art of stealthy operations. 131 00:06:20.399 --> 00:06:23.600 Red teams are all about being as quiet and undetected 132 00:06:23.639 --> 00:06:27.160 as possible. I think ninja's of the cybersecurity world. They 133 00:06:27.240 --> 00:06:31.160 have to blend in, avoid detection and minimize their footprint. 134 00:06:31.279 --> 00:06:33.040 They don't want to tip anyone off that they're. 135 00:06:32.839 --> 00:06:34.839 There, so they're not just brute forcing their way in. 136 00:06:34.879 --> 00:06:37.360 They're being strategic and careful about every move. 137 00:06:37.199 --> 00:06:42.000 They make exactly. For example, they might minimize callback volume 138 00:06:42.319 --> 00:06:46.319 to avoid detection by network monitoring tools. Instead of constantly 139 00:06:46.360 --> 00:06:49.319 sending data back and forth, which could raise red flags, 140 00:06:49.560 --> 00:06:52.240 they'll try to limit their communication as much as possible. 141 00:06:52.360 --> 00:06:54.319 So it's not just about what they do, it's about 142 00:06:54.319 --> 00:06:57.759 how they do it. It's about being stealthy and understanding 143 00:06:57.839 --> 00:07:00.920 how to operate under the radar. If that raises the question, 144 00:07:01.000 --> 00:07:03.319 how do they actually get commands to their tools once 145 00:07:03.360 --> 00:07:04.120 they're inside. 146 00:07:04.279 --> 00:07:07.040 It's a great question, and it gets into some of 147 00:07:07.079 --> 00:07:10.439 the more advanced tactics that red teams use. Okay, we'll 148 00:07:10.439 --> 00:07:11.839 dig into that more in just a moment. 149 00:07:12.279 --> 00:07:14.079 Okay, so we've covered a lot of ground here. We've 150 00:07:14.120 --> 00:07:17.319 talked about what red teaming is, the different types of engagements, 151 00:07:17.319 --> 00:07:20.319 and even a bit about the tradecraft involved. But before 152 00:07:20.319 --> 00:07:22.639 we go, let me ask you this, why should someone 153 00:07:22.680 --> 00:07:24.759 listening care about all of this? I mean, if you're 154 00:07:24.800 --> 00:07:26.759 not a security professional, doesn't really matter. 155 00:07:27.079 --> 00:07:31.680 It absolutely matters, because here's the thing. Red teaming isn't 156 00:07:31.720 --> 00:07:36.199 just about protecting organizations. It's about protecting you. Think about 157 00:07:36.240 --> 00:07:39.199 all the data you have stored online. Your bank accounts, 158 00:07:39.279 --> 00:07:42.480 your social media profiles, your medical records, all of that 159 00:07:43.040 --> 00:07:44.920 is potentially vulnerable. 160 00:07:44.399 --> 00:07:46.879 To attack, right, And even if you're not a target yourself, 161 00:07:46.879 --> 00:07:49.839 you could be collateral damage in a larger attack, right, 162 00:07:50.079 --> 00:07:52.480 Like if a company you do business with gets hacked, 163 00:07:52.800 --> 00:07:55.160 your data could be compromised exactly. 164 00:07:55.360 --> 00:07:58.560 So understanding how red teaming works gives you a better 165 00:07:58.639 --> 00:08:01.519 understanding of the threats you face and how to protect yourself. 166 00:08:01.879 --> 00:08:04.720 It's about being aware of the risks and taking steps 167 00:08:04.759 --> 00:08:05.519 to mitigate them. 168 00:08:05.680 --> 00:08:08.040 So it's not just about technology, it's about awareness and 169 00:08:08.160 --> 00:08:12.079 education and maybe a little bit of healthy paranoia. We'll 170 00:08:12.079 --> 00:08:14.199 be back in just a moment to continue our deep 171 00:08:14.279 --> 00:08:17.079 dive into red teaming. Don't go anywhere. 172 00:08:16.800 --> 00:08:19.079 Looking forward to it. So before the break, we were 173 00:08:19.079 --> 00:08:22.079 talking about how red teams stay stealthy once they're inside 174 00:08:22.120 --> 00:08:24.839 a system, right, right, And it reminded me of this 175 00:08:24.879 --> 00:08:26.839 passage in the book that talks about how even a 176 00:08:26.920 --> 00:08:30.040 simple command can be a giveaway if you're not cures. 177 00:08:30.040 --> 00:08:32.200 Wait, really, like, what kind of command are we talking. 178 00:08:32.399 --> 00:08:35.919 It's a great example because it shows just how detail 179 00:08:35.960 --> 00:08:39.440 oriented red teams have to be. Okay, the book mentions 180 00:08:39.480 --> 00:08:43.200 the netstack command, which is used to display network connections. Okay, 181 00:08:43.320 --> 00:08:46.120 it seems pretty basically yeah, yeah, but the thing is 182 00:08:46.440 --> 00:08:48.799 it behaves differently on Windows and Linux systems. 183 00:08:48.960 --> 00:08:49.279 Uh huh. 184 00:08:49.480 --> 00:08:51.799 So if a red teamer is operating on a Windows 185 00:08:51.799 --> 00:08:55.919 system but accidentally uses the Linux version of the command, oh, 186 00:08:56.000 --> 00:08:59.120 I see, they've blown their cover. It's a dead giveaway 187 00:08:59.240 --> 00:09:02.919 that something's not right. Wow, and that's just one tiny example. Yeah. 188 00:09:03.000 --> 00:09:05.840 Red teamers need to be incredibly meticulous and have a 189 00:09:05.879 --> 00:09:08.639 deep understanding of the tools and systems they're working with. 190 00:09:08.799 --> 00:09:11.600 It's like they have to be fluent in multiple computer languages, 191 00:09:12.159 --> 00:09:15.519 but instead of speaking, they're typing exactly, and any little 192 00:09:15.519 --> 00:09:17.879 grammatical error, yes, could get them caught. 193 00:09:18.279 --> 00:09:21.279 That's a fantastic analogy, and it brings us back to 194 00:09:21.320 --> 00:09:25.480 that idea of threat planning and using frameworks like miterre 195 00:09:26.360 --> 00:09:27.399 att and CK. 196 00:09:27.840 --> 00:09:28.080 Right. 197 00:09:28.200 --> 00:09:31.759 Remember, it's like a giant catalog of tactics and techniques 198 00:09:32.159 --> 00:09:33.840 that real world attackers use. 199 00:09:34.240 --> 00:09:36.840 Right, So instead of reinventing the wheel, red teams can 200 00:09:36.919 --> 00:09:40.799 draw on this knowledge base of proven tactics, right, but 201 00:09:40.879 --> 00:09:42.759 how does that actually work in practice. 202 00:09:43.000 --> 00:09:46.000 Let's say the red team is emulating a group known 203 00:09:46.039 --> 00:09:49.879 for using spearfishing to deliver malware. Okay, they'd start by 204 00:09:49.879 --> 00:09:53.600 looking at the att and CK matrix for techniques related 205 00:09:53.600 --> 00:09:58.000 to fishing, like spearfishing attachment or spearfishing link. 206 00:09:58.279 --> 00:10:01.720 So they're looking for specific technique that match the adversary 207 00:10:01.759 --> 00:10:03.480 they're trying to emulate exactly. 208 00:10:03.480 --> 00:10:06.440 And they wouldn't just copy a technique blindly. They would 209 00:10:06.480 --> 00:10:10.200 research those techniques in detail, okay, to understand how they work, 210 00:10:10.399 --> 00:10:12.639 what kinds of lures are effective, and what tools and 211 00:10:12.720 --> 00:10:14.200 infrastructure are typically used. 212 00:10:14.840 --> 00:10:17.000 So if I'm picturing this correctly, they're going through this 213 00:10:17.240 --> 00:10:21.559 massive database of attack techniques, reading about how real attackers 214 00:10:21.559 --> 00:10:23.679 have used them in the past, and then figuring out 215 00:10:23.720 --> 00:10:27.840 how to adapt those techniques to the specific organization they're targeting. 216 00:10:27.919 --> 00:10:31.600 You're getting it. It's about replicating the specific tactics and 217 00:10:31.720 --> 00:10:36.360 techniques of a real adversary, not just finding generic vulnerabilities. 218 00:10:36.799 --> 00:10:39.960 And that level of detail is what makes red teaming 219 00:10:40.039 --> 00:10:40.720 so effective. 220 00:10:40.919 --> 00:10:46.679 It's like they're writing a screenplay for a cyber attack. Yes, 221 00:10:46.759 --> 00:10:50.440 based on a true story, but instead of actors, they're 222 00:10:50.519 --> 00:10:52.480 using malware and exploits. 223 00:10:52.720 --> 00:10:56.240 I love that You've got it exactly Now. Once they've 224 00:10:56.320 --> 00:10:59.240 chosen their techniques, it's time to start thinking about how 225 00:10:59.279 --> 00:11:03.759 to actually tells the organization's defenses. Okay, remember those three 226 00:11:03.799 --> 00:11:07.039 main phases we discussed earlier, Get in, stay in, and. 227 00:11:06.960 --> 00:11:09.960 Act right like a cyberheist movie. Yes, first you got 228 00:11:10.000 --> 00:11:12.399 to get inside the vault. Then you have to stay 229 00:11:12.480 --> 00:11:15.600 hidden long enough to crack the safe, and then you 230 00:11:15.679 --> 00:11:16.279 make your move. 231 00:11:16.480 --> 00:11:18.320 That's a great way to think about it. Uh huh, 232 00:11:18.360 --> 00:11:20.960 So let's break down each phase. Okay, get in is 233 00:11:21.120 --> 00:11:24.200 pretty straightforward. That's the initial point of entry. This is 234 00:11:24.200 --> 00:11:27.039 often where social engineering techniques like phishing come into play. 235 00:11:27.759 --> 00:11:31.080 The red team might send a carefully crafted email designed 236 00:11:31.120 --> 00:11:34.320 to trick an employee into clicking a malicious link or 237 00:11:34.399 --> 00:11:36.000 opening an infected attachment. 238 00:11:36.200 --> 00:11:38.480 And we all know how easy it is to fall 239 00:11:38.559 --> 00:11:41.879 for a well crafted phishing email. I mean, I've even 240 00:11:41.879 --> 00:11:44.960 seen security professionals get fooled by some of these things. 241 00:11:45.000 --> 00:11:47.200 It happens to the best of us, right. Humans are 242 00:11:47.200 --> 00:11:49.919 often the weakest link in the security chain, and attackers 243 00:11:50.000 --> 00:11:55.480 know that red teaming helps organizations understand how susceptible their 244 00:11:55.519 --> 00:11:58.639 employees are to social engineering, and how to train them 245 00:11:58.679 --> 00:11:59.559 to be more vigilant. 246 00:12:00.000 --> 00:12:03.919 It's not just looking for technical vulnerabilities and systems. They're 247 00:12:03.960 --> 00:12:06.519 looking for vulnerabilities and human behavior as well. 248 00:12:06.639 --> 00:12:10.120 Exactly. It's about understanding how people react under pressure and 249 00:12:10.159 --> 00:12:13.480 how to build a security culture that encourages vigilance and awareness. 250 00:12:13.639 --> 00:12:17.480 Okay, so let's say the Red team successfully gains access 251 00:12:17.519 --> 00:12:20.480 through a phishing attack. Okay, what happens next? That's the 252 00:12:20.519 --> 00:12:21.799 stay in phase, right right. 253 00:12:21.840 --> 00:12:25.320 Once they have a foothold, they need to maintain their 254 00:12:25.360 --> 00:12:29.399 access and avoid detection. Okay, this is where persistence comes in. 255 00:12:29.840 --> 00:12:34.360 They're essentially setting up shophand finding ways to stay embedded 256 00:12:34.360 --> 00:12:36.120 in the system without raising any alarms. 257 00:12:36.360 --> 00:12:38.799 I can only imagine how nerve racking that must be. 258 00:12:38.919 --> 00:12:42.919 They're like a secret agent operating behind enemy lines, trying 259 00:12:42.960 --> 00:12:47.159 to blend in and avoid detection. But what specific tactics 260 00:12:47.200 --> 00:12:48.480 do they use to stay hidden. 261 00:12:49.000 --> 00:12:53.120 They might install back doors, create rogue user accounts, or 262 00:12:53.159 --> 00:12:57.799 even hijack legitimate processes to blend in with normal system activity. 263 00:12:58.440 --> 00:13:02.360 So they're basically camouflaging themselves within the system exactly. But 264 00:13:02.519 --> 00:13:04.799 all of that must take a lot of technical skill 265 00:13:04.840 --> 00:13:05.399 and knowledge. 266 00:13:05.440 --> 00:13:08.279 It does, and it's a reminder that security is not 267 00:13:08.360 --> 00:13:11.279 a one time fix. It's an ongoing battle. 268 00:13:11.480 --> 00:13:11.879 Yeah. 269 00:13:12.000 --> 00:13:16.200 Organizations need to be constantly monitoring their systems for suspicious 270 00:13:16.240 --> 00:13:18.679 activity and looking for signs of compromise. 271 00:13:19.000 --> 00:13:21.960 Right, because once an attacker is inside, they can potentially 272 00:13:22.000 --> 00:13:25.399 lie dormant for months or even years before they actually 273 00:13:25.480 --> 00:13:26.200 make their move. 274 00:13:26.080 --> 00:13:29.159 That's right, And that brings us to the final phase act. Okay, 275 00:13:29.399 --> 00:13:32.200 this is where the red team actually carries out their objective, 276 00:13:32.919 --> 00:13:36.480 which could be anything from stealing sensitive data to disrupting 277 00:13:36.519 --> 00:13:39.799 operations to demonstrating that they were able to achieve a 278 00:13:39.840 --> 00:13:40.639 specific goal. 279 00:13:40.799 --> 00:13:41.480 It's showtime. 280 00:13:41.720 --> 00:13:42.639 Yeah, but it's not. 281 00:13:42.720 --> 00:13:45.480 Just about proving that they can get in. No, it's 282 00:13:45.519 --> 00:13:48.200 about showing what they can do once they're inside and 283 00:13:48.200 --> 00:13:51.399 what the real world consequences could be exactly. 284 00:13:51.440 --> 00:13:53.639 And that brings us to one of the most fascinating 285 00:13:53.679 --> 00:13:57.960 aspects of red teaming operational impacts. Okay, this is where 286 00:13:58.000 --> 00:14:01.519 things can get really interesting and potentially a little uncomfortable 287 00:14:01.519 --> 00:14:02.279 for the organization. 288 00:14:02.440 --> 00:14:05.919 Okay, so we're talking about actually simulating the effects of 289 00:14:05.960 --> 00:14:08.440 a real world attack, right, what kind of things are 290 00:14:08.440 --> 00:14:09.240 we talking about here. 291 00:14:09.440 --> 00:14:14.240 It could be anything from simulating a denial of service attack, 292 00:14:14.399 --> 00:14:20.799 to disrupting critical business processes to even manipulating industrial control systems. 293 00:14:20.879 --> 00:14:23.399 Wow, that's pretty intense, but I can see how it 294 00:14:23.440 --> 00:14:26.120 would be a powerful way to get the organization's attention 295 00:14:26.200 --> 00:14:27.639 and make the risks feel real. 296 00:14:27.879 --> 00:14:28.200 Yeah. 297 00:14:28.240 --> 00:14:30.320 It's like, look, we're not just playing games here. This 298 00:14:30.399 --> 00:14:32.840 is what could happen if you don't take security seriously. 299 00:14:33.600 --> 00:14:35.679 That's exactly the point. It's one thing to read a 300 00:14:35.720 --> 00:14:41.240 report about a vulnerability. It's another thing entirely to experience 301 00:14:41.279 --> 00:14:43.360 the impact of that vulnerability firsthand. 302 00:14:43.679 --> 00:14:46.399 Right. It's like the difference between reading about a fire 303 00:14:46.440 --> 00:14:49.799 and actually feeling the heat exactly. It makes it much 304 00:14:49.879 --> 00:14:52.159 more real and immediate, exactly. 305 00:14:52.279 --> 00:14:55.000 And that's why operational impacts can be so effective in 306 00:14:55.080 --> 00:14:55.879 driving change. 307 00:14:56.120 --> 00:14:56.559 Yeah. 308 00:14:56.639 --> 00:14:59.879 They help organizations move beyond the theoretical realm of risk 309 00:15:00.279 --> 00:15:02.720 and into the realm of tangible consequences. 310 00:15:02.879 --> 00:15:05.320 It's like a wake up call, yes, but instead of 311 00:15:05.360 --> 00:15:07.840 a loud noise, it's a simulated cyber attack. 312 00:15:08.120 --> 00:15:11.000 I like that. And it's important to remember that the 313 00:15:11.039 --> 00:15:14.840 Red Team isn't doing this to punish the organization, right, 314 00:15:15.039 --> 00:15:18.080 They're doing it to help them improve their security posture. 315 00:15:18.200 --> 00:15:21.000 So it's not about scaring people, it's about motivating them 316 00:15:21.000 --> 00:15:23.840 to take action and improve their security precisely. 317 00:15:23.879 --> 00:15:25.799 And that's why it's so important for the red team 318 00:15:25.840 --> 00:15:29.559 and the organization to work closely together throughout the engagement. Okay, 319 00:15:29.600 --> 00:15:34.000 they need to understand the organization's business goals, risk tolerance, 320 00:15:34.240 --> 00:15:39.399 and operational constraints in order to design meaningful operational impacts. 321 00:15:39.720 --> 00:15:42.000 It makes sense that you wouldn't want to simulate an 322 00:15:42.000 --> 00:15:45.919 attack that would cripple the organization or put their operations 323 00:15:45.960 --> 00:15:50.480 at risk. You need to find that balance between demonstrating 324 00:15:50.519 --> 00:15:54.039 the impact and avoiding any real world damage exactly. 325 00:15:54.080 --> 00:15:56.399 And that's where the planning phase of a red team 326 00:15:56.440 --> 00:16:00.240 engagement is so critical. Okay, it's not just about using 327 00:16:00.279 --> 00:16:03.759 the right tools and techniques. It's about understanding the target 328 00:16:03.879 --> 00:16:08.879 organization and tailoring the engagement to their specific needs and objectives. 329 00:16:09.000 --> 00:16:12.600 So it's really a customized approach, almost like a tailored suit. Yeah, 330 00:16:12.759 --> 00:16:16.440 you're taking into account all the unique factors of that organization, 331 00:16:16.919 --> 00:16:20.480 their size, their industry, their risk profile, and designing an 332 00:16:20.480 --> 00:16:23.360 engagement that will be both effective and meaningful for them. 333 00:16:23.679 --> 00:16:27.120 Absolutely, and that brings us back to the importance of reporting. Okay, 334 00:16:27.240 --> 00:16:29.879 the Red Team report isn't just a list of vulnerabilities. 335 00:16:30.279 --> 00:16:33.279 It's a roadmap for improvement. It should tell the story 336 00:16:33.279 --> 00:16:38.159 of the attack, highlight key observations, and provide actionable recommendations 337 00:16:38.440 --> 00:16:39.960 for strengthening defenses. 338 00:16:40.080 --> 00:16:42.519 So it's almost like a consulting engagement, with the Red 339 00:16:42.519 --> 00:16:46.159 Team acting as trusted advisors to help the organization improve 340 00:16:46.200 --> 00:16:49.559 their security posture. But I'm curious how do they actually 341 00:16:49.600 --> 00:16:51.799 go about writing a report like that. I mean, it 342 00:16:51.840 --> 00:16:53.919 can't be as simple as just saying, hey, you guys 343 00:16:53.919 --> 00:16:55.879 have some vulnerabilities, you should fix them, right. 344 00:16:55.879 --> 00:16:58.799 It needs to be much more detailed and insightful than that. Okay, 345 00:16:59.519 --> 00:17:00.919 one of the things that stood up to me in 346 00:17:00.960 --> 00:17:03.159 the book is that they talk about using attack flow 347 00:17:03.240 --> 00:17:08.160 diagrams to visually represent the steps taken by the Red Team. 348 00:17:08.960 --> 00:17:11.640 I think that would be incredibly helpful for organizations to 349 00:17:11.680 --> 00:17:15.200 see exactly how the attack unfolded and what areas need 350 00:17:15.200 --> 00:17:15.880 the most attention. 351 00:17:16.000 --> 00:17:17.920 It's like giving them a blueprint of the attack, so 352 00:17:17.960 --> 00:17:20.240 they can see exactly where the weak points are and 353 00:17:20.240 --> 00:17:24.119 how to fortify them. But what about risk ratings? Do 354 00:17:24.240 --> 00:17:28.720 Red Team reports use the traditional high, medium, low scale. 355 00:17:28.440 --> 00:17:32.119 They can, but the book actually proposes an alternative approach 356 00:17:32.160 --> 00:17:33.480 that I find much more compelling. 357 00:17:33.680 --> 00:17:33.960 Okay. 358 00:17:34.119 --> 00:17:38.000 Instead of relying on a subjective risk matrix, right, they 359 00:17:38.000 --> 00:17:40.759 suggest using metrics based on the red team's goals. 360 00:17:40.880 --> 00:17:41.519 Oh interesting. 361 00:17:41.640 --> 00:17:45.039 Instead of saying this vulnerability has a high likelihood of 362 00:17:45.319 --> 00:17:48.799 being exploited, they might say we were able to achieve 363 00:17:48.799 --> 00:17:51.599 our goal of stealing sensitive data within twenty four hours. 364 00:17:51.920 --> 00:17:56.880 Oh wow. And this approach provides much more actionable information 365 00:17:57.039 --> 00:18:00.759 for the organization. It's not just about the euoretical risk 366 00:18:00.799 --> 00:18:04.880 of a vulnerability, it's about the demonstrable impact of a 367 00:18:04.920 --> 00:18:08.839 successful attack, and it really brings the risks to life. 368 00:18:08.880 --> 00:18:11.319 That's a great point. This all makes perfect sense, but 369 00:18:11.400 --> 00:18:15.000 it does raise another question. We've talked a lot about 370 00:18:15.039 --> 00:18:18.079 the technical aspects of red teaming, right, but what about 371 00:18:18.079 --> 00:18:20.240 the human element? I mean, how do they account for 372 00:18:20.279 --> 00:18:23.480 the fact that people are often the weakest link in 373 00:18:23.519 --> 00:18:24.440 the security chain. 374 00:18:25.000 --> 00:18:26.920 That's a great question, and it's something that RID teams 375 00:18:26.920 --> 00:18:29.640 are very aware of. Remember those social engineering techniques we 376 00:18:29.680 --> 00:18:33.200 talked about earlier, Yes, things like phishing, pre texting, and baiting. 377 00:18:34.039 --> 00:18:38.240 Red teams use those techniques to test an organization's human defenses. 378 00:18:38.559 --> 00:18:40.519 So they might send a phishing email that looks like 379 00:18:40.519 --> 00:18:44.599 it's from the IT department, asking employees to reset their passwords. 380 00:18:44.119 --> 00:18:46.640 Exactly, and they'll track how many employees click on the link, 381 00:18:46.799 --> 00:18:49.559 how many enter their credentials, and how far they get 382 00:18:49.640 --> 00:18:52.799 before they realize it's a scam. They might also conduct 383 00:18:52.880 --> 00:18:56.119 physical security tests, like seeing if they can gain access 384 00:18:56.160 --> 00:19:01.160 to secure areas by tailgating employees or maintenance workers. 385 00:19:01.240 --> 00:19:03.799 It sounds like they're really thinking outside the box, looking 386 00:19:03.799 --> 00:19:07.480 for any potential weak points in the organization's security. Yeah, 387 00:19:07.480 --> 00:19:09.640 and that brings up another question. How do they ensure 388 00:19:09.680 --> 00:19:12.440 they don't cause unintended damage? Right? I mean, some of 389 00:19:12.480 --> 00:19:15.400 these operational impacts could have serious consequences if they're not 390 00:19:15.440 --> 00:19:16.440 carefully controlled. 391 00:19:16.920 --> 00:19:20.000 That's where the concept of deconfliction comes in. It's all 392 00:19:20.039 --> 00:19:23.920 about making sure that the Red Team's activities are clearly 393 00:19:23.960 --> 00:19:27.440 distinguishable from real world attacks and that everyone is on 394 00:19:27.480 --> 00:19:28.119 the same page. 395 00:19:28.240 --> 00:19:28.480 Right. 396 00:19:28.960 --> 00:19:31.759 We'll be back after the break to discuss that and more. 397 00:19:32.559 --> 00:19:34.319 Okay, so we've covered a lot of ground here, but 398 00:19:34.359 --> 00:19:38.920 it sounds like we're just getting started. Stay tuned, Welcome 399 00:19:38.960 --> 00:19:42.319 back to the deep dive. We're wrapping up our exploration 400 00:19:42.559 --> 00:19:46.400 of red teaming, and honestly, my mind is still buzzing 401 00:19:46.400 --> 00:19:48.680