The Hunt for the Red Team

Ross Hosman
7 min read · May 23, 2022

Header image caption: Used this image for our company all hands

Red teaming is an important part of any security program because it gives you a real world exercise to test your security posture. You may have the latest and greatest security kit that the sales person swore up and down would have stopped <insert latest major breach> (hint: It doesn’t) but have you actually tested it against a determined adversary? If you haven’t read my previous red team engagement post, I suggest you check it out here.

Since that post I’ve joined Drata — a security and compliance automation platform that is building trust across the internet. At Drata we believe in leading by example when it comes to our own security and compliance journey, so we are going to talk about our red team exercise in-depth and hope that others do the same.

The Setup

We run a blind red team engagement, meaning that no one in the company except the coordinator knows about the attacks that are happening. We don't know the who, what, where, when or how, which makes it more realistic. We typically have our compliance leader act as the coordinator.

Everyone in the company is a target, no exceptions. That includes myself, every executive team member and the security team. The only rule we have is no going after outside board members. The red team may engage however it sees fit: email, text, phone calls, social media, etc. Real attackers don't have limits, so why should your red team?

Flags are set by the security team during the initial scoping call, before we disengage. In this exercise we set the following flags:

  • Get into our financials/bank
    - If you can get access to a company’s financials you can potentially transfer large amounts of cash out of their accounts and compromise their ability to operate
  • Compromise an employee device for persistent access
    - If you can gain persistent access to an employee device you can act as that employee across everything they have access to
  • Download a copy of our source code
    - Our source code is our IP and is incredibly valuable to us
  • Obtain access to the production databases
    - This is where we keep our customers' data and is the most important thing for us to protect
  • Access to other production applications
    - Other applications can be used for attackers to pivot and gain even more privilege

We believe these flags represent the biggest risks to our business, and to most businesses, in a compromise.

The Attacks

Our third party had no restrictions on the types of attacks they could launch, and they weren't time-boxed, so their possibilities were pretty open. We saw a smattering of phishing, spear phishing and vishing used against our employee base.

Generic Phishing Attack

Screenshot: generic phishing email around employee appreciation

This one caught us a bit by surprise because it really shouldn't have gotten through, but it did, and the team responded quickly. Most employees simply reported the phish, though one employee did click on the link. That employee's accounts were suspended while we investigated and ensured their device was not compromised.

Spear Phishing Attack

Screenshot: spear phishing email

A spear phishing attack was also launched which should have been blocked: the sending domain was only a few days old and an obvious lookalike of GitHub. However, our software engineers did a great job of reporting it, with no clicks!

Social Engineering Against Support

Screenshot: social engineering attempt in the support chat

The red team gets points for creativity here, but they were still unable to get a foothold. The attackers reached out to support through our chat pretending to be a customer whose logo is on our website, and they registered a domain similar to that customer's to engage even further with us. They attempted to get the support agent to install some software to help them troubleshoot a supposed Drata agent issue. The support agent immediately let the security team know.

Social Engineering Attack Thwarted Before It Began

Screenshot: notification from the Okta security team (thanks, Okta security team)

This attack was stopped before it began as the Okta security team had reached out to our team (kudos!). We already had some block rules in place due to the previous attacks so this was a non-issue but it was great to see a vendor be extremely proactive.

Vishing Attack on Employees

Eventually the attackers started calling individual employees, impersonating executives in the company (including myself) to get them to perform certain actions. This was reported quickly by an employee, and the other employees never engaged with the attacker.

These attacks were carried out over more than a month, during which we never knew whether this was a red team exercise or a real threat actor. The list above isn't every attack that was attempted, but it is a good portion of them, and I'm happy to say the red team never gained a foothold, which is nearly unheard of.

The Defense

We operate with a defense-in-depth security posture so that no single control failing leaves us exposed. With this layered approach, an attack has to bypass multiple controls to be successful.

Security training, realistic phishing and a security culture

We ensure employees receive solid security training when they onboard and annually thereafter through our partners at Curricula. We also use the platform to send realistic phishing emails to our employees purporting to be from companies we have relationships with. Lastly, we have a security culture that comes from the top down; the entire executive team reinforces that culture routinely with staff.

Monitor all the things

We use our friends at Obsidian Security to provide real time monitoring across our SaaS estate and help us identify potential threats. We also take all the logs from the different services we use and dump them into a Snowflake security warehouse and analyze them with Sigma Computing (more on this in the future).

Cloudflare Zero Trust

Diagram caption: defense-in-depth

As a remote-first company, many of our security tools also have to support employees on the go. We have been rolling out solutions like Cloudflare Zero Trust for DNS/web threat filtering and privileged access. We also assess the endpoints connecting to make sure they are Drata-managed. Combined with the other endpoint protections we have in place from partners like CrowdStrike and Kandji, this gives you a strong multi-layer endpoint security posture. (Look for a more detailed defense-in-depth post in the future.)

Lessons Learned

Red team engagements are a learning exercise in themselves, and although we were successful in repelling the attacks, we still learned plenty.

What we did really well:

  • Our security training, routine realistic phishing and our culture allowed employees to quickly spot and report attacks.
  • Security and IT teams had practiced our incident response (IR) plan and procedures, so we were able to respond quickly and efficiently.
  • Defense-in-depth worked well, and we were able to detect and repel attacks in multiple different ways.

Our opportunities include:

  • We need to continue to build a culture where employees feel they can report security incidents, or mistakes they have made, without fear.
  • Move entirely to WebAuthn for authentication.
  • Move to blocking newly seen domains in email and web traffic.
  • We need remedial security training for employees who continue to have security issues.
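Two of the attacks above leaned on domains that a simple mail-flow check would have caught: the GitHub lookalike registered only days earlier, and the customer lookalike used against support. The block below is an added example of that check, written for this post and not Drata's tooling, that triages mail-log records by two signals: the sender domain was registered recently, or its registrable label is a close or confusable-character match for a protected domain (our own, a partner employees expect mail from, or a customer whose logo we display). The mail log, the registration-date table (a stand-in for an RDAP/WHOIS lookup) and the customer domain "example-customer.com" are all constructed.

```python
"""Sender-domain triage: flag mail from newly registered or lookalike domains.

Added example, not Drata's tooling. The mail log and the registration-date
table below are constructed; in production the dates would come from an
RDAP/WHOIS lookup and registrable labels from a public suffix list.
"""
from __future__ import annotations

import datetime as dt
import unicodedata
from email.utils import parseaddr

# Domains worth protecting against impersonation: our own, partners whose mail
# employees expect, and customers whose logos appear on the site.
# "example-customer.com" is a constructed stand-in for such a customer.
PROTECTED_DOMAINS = {"drata.com", "github.com", "example-customer.com"}

# Constructed stand-in for an RDAP/WHOIS registration-date lookup.
REGISTRATION_DATES = {
    "drata.com": dt.date(2020, 1, 1),
    "github.com": dt.date(2007, 10, 9),
    "gitlab.com": dt.date(2012, 1, 1),
    "example-customer.com": dt.date(2015, 6, 1),
    "drata-appreciation.com": dt.date(2022, 4, 20),
    "githuib.com": dt.date(2022, 4, 28),
    "example-custorner.com": dt.date(2022, 5, 1),
}

# Constructed mail-log records modelled on the attacks described in the post.
SAMPLE_MAIL_LOG = [
    {"id": 1, "from": "HR <hr@drata.com>", "subject": "Employee appreciation week"},
    {"id": 2, "from": "rewards@drata-appreciation.com", "subject": "You have been recognized!"},
    {"id": 3, "from": "security@githuib.com", "subject": "Verify your SSH key"},
    {"id": 4, "from": "noreply@github.com", "subject": "A new public key was added"},
    {"id": 5, "from": "support@example-custorner.com", "subject": "Agent issue, please install tool"},
    {"id": 6, "from": "bot@gitlab.com", "subject": "Pipeline failed"},
]

# Visually confusable sequences, applied after Unicode NFKC folding. "rn" -> "m"
# must run first. This also folds legitimate "rn" (modern -> modem), which is
# acceptable for a triage signal but not for a hard block on its own.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"), ("3", "e"), ("5", "s")]


def sender_domain(from_header: str) -> str:
    """Lowercase domain from a From: header, bare address or 'Name <user@host>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def registrable_label(domain: str) -> str:
    """Second-level label, assuming a two-label registrable domain (use a PSL in production)."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Fold Unicode and ASCII look-alikes so 'custorner' compares equal to 'customer'."""
    out = unicodedata.normalize("NFKC", label).lower()
    for src, dst in CONFUSABLES:
        out = out.replace(src, dst)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; labels are short, so the O(len(a)*len(b)) cost is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, protected: set[str] = PROTECTED_DOMAINS) -> str | None:
    """Protected domain this one imitates, or None (the genuine domain is not a lookalike)."""
    if domain in protected:
        return None
    label = normalize(registrable_label(domain))
    for p in sorted(protected):  # sorted for deterministic results
        plabel = normalize(registrable_label(p))
        # Edit distance 2 is too loose for short brands: it would pair gitlab with github.
        max_dist = 1 if len(plabel) < 8 else 2
        if plabel in label.split("-") or plabel in label or levenshtein(label, plabel) <= max_dist:
            return p
    return None


def triage(record: dict, today: dt.date, max_age_days: int = 30) -> list[str]:
    """Reasons to hold this message; an empty list means no domain-based concern."""
    reasons: list[str] = []
    domain = sender_domain(record["from"])
    registered = REGISTRATION_DATES.get(domain)
    if registered is None:
        reasons.append("no-registration-data")  # a failed lookup is itself worth a look
    elif (today - registered).days < max_age_days:
        reasons.append(f"newly-registered:{(today - registered).days}d")
    target = lookalike_of(domain)
    if target:
        reasons.append(f"lookalike:{target}")
    return reasons


def run(log=SAMPLE_MAIL_LOG, today: dt.date = dt.date(2022, 5, 10)) -> dict[int, list[str]]:
    """Triage every record; the result maps message id to its hold reasons."""
    return {rec["id"]: triage(rec, today) for rec in log}


if __name__ == "__main__":
    for msg_id, reasons in run().items():
        print(msg_id, "HOLD" if reasons else "pass", ", ".join(reasons))
```

Run as written, messages 2, 3 and 5 are held (each is both newly registered and a lookalike of a protected domain) while the genuine drata.com, github.com and gitlab.com senders pass. The gitlab.com case is the reason the edit-distance threshold scales with label length: at distance 2, gitlab and github would be treated as lookalikes of each other, which is the kind of false positive that makes people turn a control off. Either signal on its own is a reason to quarantine and notify rather than to silently drop; the age check in particular is what "blocking newly seen domains" amounts to, and the same logic applies to DNS and web egress.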

We shared these lessons learned with our entire company and have come up with action plans on our opportunities.

Conclusion

Once you have completed your red team engagement, please make sure you share the results with all of your employees and, if you can, give them an executive summary of the actual report. Most employees are genuinely interested in these exercises, and sharing with them lets them know they are an essential part of your company's security.
