
Ethical Crime: Tales From the Red Team

March 16

On this episode, Will sits down to speak with James Webb, the Director of Cybersecurity and Technology at Vala Secure. Vala evaluates security layers from an adversarial party approach, simulating full-spectrum cyber-attack tests to breach the environment, access data and compromise accounts. Red Team exercises expose risks by acting just like a criminal, doing whatever it takes to get into your network. James has been in IT over 20 years, and has seen it all. Listen to his Red Team tales in the latest episode of Technology Simplified!


Will Slappey: Welcome and thank you for listening to Technology Simplified-Tech Talk Everyone Can Understand. I am your host Will Slappey, and today I am joined by our special guest, James Webb. James is the Director of Cybersecurity and Technology at Vala Secure. He has been in IT for over 20 years and holds a master's in cybersecurity from the University of South.

As a business owner myself, I know cybersecurity is always a top concern; from phishing attacks to social engineering, there's a lot to be worried about. There are just so many different methods cyber criminals use to get access to your secure information, and James has seen it all. So, to get us started here today, James, what are some of the craziest things you have seen and done in your career?

James Webb: To start this out, the best part of my job is the Red Team events. During the Red Teams, that's when we actually get to be criminals. And I know when you say Red Team, people think, oh, it's guys sitting in a closet or sitting in a basement, and all they're doing is they're trying to hack your information.

And that's not true. We're out there trying to get information from your people. We're trying to steal your equipment. Depending on how far you want us to go we'll break a door. If we want the information, we're gonna get it. A criminal's a criminal, right? That's how you have to look at hackers or any other type of information stealers that are out there.

If they want their stuff, they want your information, they're gonna get it. They're, there's nothing you can do to stop 'em.

Will Slappey: So, James, client comes to you. On Red Team, just so our listeners understand what that means. So a client comes to you at Vala Secure and says, Hey James, I want you to do a Red Team event, and so that means that they've hired you to be an ethical criminal, right? You're there on their behalf pretending to be a criminal, and then now you are literally, like you said, potentially knocking doors down to see if their security holds up or not.

Is that it, am I saying that right?

James Webb: Right. That's a hundred percent correct. Yes. If I can steal a badge from one of your employees, I will steal a badge from one of your employees. Like I said we have everything laid out, so you understand, we're not gonna do anything crazy and not cause bodily harm and things like that.

But we will go to, we will do the best we can to social engineer your personnel and get their information by stealing their RFID tags, using technology and equipment against them that we can, like I said, steal RFID information with.

Will Slappey: So, have you ever stolen someone's badge and broken in?

James Webb: So there was an event going on where it was badged entry, so you had to have a badge to get in. There was no if, ands, or buts about it. And only one area made the badges and you had to be pretty much on the list to, to get the badge. So, it's actually really easy. You just follow these guys or girls around to restaurants and so on and so forth. A lot of people don't think about it, and they leave the badge hanging somewhere on their body. Bump into 'em, just take the badge. I've seen people leave badges with their phones sitting on a table when they get up to throw their trash away.

People don't think that someone's gonna be after a badge or any type of equipment that's gonna be laying around like that. So, you just follow, start a conversation with them too, as well. Anything you do to get their mind off of concentrating on where their equipment is or their badge is, it's the best way to do it.

You can just sometimes just do it right in front of 'em. They won't even know.

Will Slappey: So after you stole the badge, then what was next?

James Webb: So after I took the badge we had to go back and do some manipulation to get, our face on there. Which isn't as hard as you think it would be because most people, you just show the badge and they let you in.

So, if you can get a picture over the top of their picture and maybe some laminate to make it smooth. They usually don't touch the badge or rub the badge and you show them the badge. They just look at your picture and they let you right through.

Will Slappey: Gotcha. So y'all manipulated the badge, got your picture on there. Sounds like you got in past security.

James Webb: Yes. Got in past security and actually dropped off an evil twin. I was actually able to go in and it's a wireless router. So, you find out, cause you can pretty much get a Wi-Fi signal from right outside the area, a gate, wherever you can pull up the Wi-Fi, especially if you have a directional antenna, so you get the name, or even if it's just a hidden SSID, you can still find the information you need.

So we created an evil twin. We went in and it was actually really easy. No one paid attention to me. I just walked over and plugged it in and set it on a desk next to the coffee pot. And then we went through their router and we used a Wi-Fi Pineapple. We kicked everybody off of their Wi-Fi and shut it down.

And they all had to reauthenticate to the evil twin. So then we were just capturing data left and right. We did get, yeah, we did get bank information and things like that. You'd be amazed at what people look at. We're not gonna use that against you. We just wanted to prove the point that, hey but we did get a lot of business information, actually some intellectual property.

Will Slappey: What's another? Have you ever stolen anything? You mentioned a criminal case before. Have you ever stolen anything in a Red Team event?

James Webb: Oh, yeah. So we actually had a client that we showed up, we told them that we were from Dell. They let us right into their server room. And there were some computers in there. We actually picked up a computer and just walked right out and told 'em, “Hey, we're gonna take this and we'll be right back”. Took it, put it in our car, and went right back in and started doing more. Wow. Very easy. Then we used that we used that same equipment after we copied the hard drive to get into another building. We said we had equipment to deliver, and it was already marked with their stuff, so they let us right in.

Will Slappey: Yeah. What's the purpose of this? Why would a business want to have a Red Team event?

James Webb: Everybody gets their technology tested? Technology's great, everybody knows that. But who's actually testing your policies and procedures? What happens after an event? Are you testing your IT people to say, yeah, we are going in and we're cleaning this up. Do they know what they're doing?

Because, if you can get in and you can drop some malware or anything in there and they don't clean that up properly, or disconnect the system, then you just have a constant in, so your organization's wide open.

Will Slappey: Yeah. Everybody thinks about the inbound type of stuff. People think of you're a firewall and whatnot, and not necessarily thinking that the guy in the uniform that's coming in might be might not supposed to be there. Exactly. And just for our listeners, just so everybody knows, what James and his team does is a hundred percent legal.

They have the full consent of the business. They're getting paid to do this work. It is all up and up. But they're trying to replicate and simulate what a criminal would do to test and see whether or not it would be successful. So just so everybody's aware out there.

James, let me turn the conversation here a little bit. What are the sort of trends that you've seen lately that we should be aware of? Anything on the horizon, cybercrime wise, things changing that you would want our listeners to be aware of?

James Webb: Yeah, I think the initial one that everybody thinks about is social engineering. And when you say social engineering, a lot of people go straight to email. I'm getting these spam emails. No, that includes it. But social engineering is just a whole gamut of trying to get in or get information from anybody. You'd be amazed at what people will tell you. People think that other people are inherently good, right? Everybody's, oh, he is probably just asking questions. He's curious. But really, I'm trying to get information out of you. And that's one of the big things you gotta watch out for. And that also leads to third party.

Nowadays you got a lot of organizations that are hiring contractors and things and letting them use their own equipment, so on and so forth. Or they've got another organization that does stuff for them that may not be as secure. So if I'm able to break into we'll just say Bill's computer and Bill works for some little company and his computer is connected into where he can get into your stuff and he's got account credentials and all that. I steal his information and I just use his box and I pivot, and I can get into the larger organization's information technology and steal all their stuff.

Will Slappey: Yep. So what is practically speaking, if I'm a, an average employee, what can I do to help prevent myself from being socially engineered?

James Webb: I'd be cognizant. It's you. You can't trust everyone. Don't click on the links. Don't just don't sit down and have a conversation about what you do in an organization with someone you just met. Even if you've known 'em for a little bit, they could still be trying to work their way in. Just be cautious on what you tell 'em. A lot of people use passwords and usernames with pets. Animals, kids, things of that nature. And once you get that information, hey, oh, you've got three kids, or what are their names?

That's potentially, you're using all three kids' names, you're throwing some special characters in there, but you can run that against the rainbow table, which everybody needs to understand. Rainbow tables are up to about 20 to 25 characters now. So a rainbow table is used for brute force attacks; even if your password is very long, it can still be, if it's got the time, it can still be busted.

So just be cautious on who you're telling your information to, is what I’d say.

Will Slappey: And on choosing your passwords, right? On the other side. Oh yeah. Don't use the, don't use what city you live in. Don't use your kids' names, don't use your birthday, don't use your phone number, somebody else's phone number or whatever, as a part of a password, because somebody could find that information about you online or whatnot, and then all of a sudden you, even if you have, like you said, a 16, 20 character password, but if they narrow it down to a group of seven words and add special characters in there. And no one would ever use an exclamation point in a password, that's probably never, very uncomfortable, or an at symbol. Those really throw people off, right? It's good to keep that top of mind.

James Webb: I wanted to bring out, be really cautious on social media, cause you can post a lot of things on there that can give me ideas on what your passwords are. I could find out where you work. You can get a lot of information just off social media and then I can start trying to phish you by using that.

Will Slappey: Or like I heard the other day, phishing other people, like if they find out that you're at a conference or something, and then now they are reaching out to a coworker and say, “Hey, I'm at such and such conference, and can you help me and buy, can you go buy some gift cards or something like that for me?” They use that information about what you're doing with somebody other than you, but they assume “Oh. That's them.” Like they put it in the context, right?

So, is there any area of an organization that you see as more vulnerable than others? Something to watch, from a business perspective?

James Webb: I would always say the people. Your people are gonna be your weakest link. That, and any type of misconfiguration, people aren't perfect, so there are gonna be misconfigurations. So, I would say check your equipment, make sure all your configurations are right and train your people, get your people to know what's out there and what can happen and always stay up on your policies and procedures and get those checked by a third party. That way they can read through and make sure that, everything in there is correct and it's keeping you safe as an organization.

Will Slappey: What percentage of compromises use a person as a part of their strategy, do you think?

James Webb: Actually, I just heard today that 96% of the new emerging threats are coming through with social engineering. So, people, as I said. The technology has gotten very advanced.

Will Slappey: Wow, that's a critical target point of “Hey, if I can trick somebody into giving me information or getting into their account, or information about the business”, whatever it is. It seems like obviously it's the number one target area. Good to know.

So, if a business owner wanted to, really prioritize security, maybe they're already hearing something here. Already having that on the list, what advice would you give them about how to best go about, prioritizing security for their organization?

James Webb: First you have to identify all your critical assets. But a lot of people, and I, some people might say this is number two, but I'm gonna put this right there with number one. You have to have your management buy-in on what you're doing. If your management doesn't support the fact that you're trying to create a safe cybersecurity environment, lower your attack surface, then you're not gonna get very far.

So once you've got that buy-in, start going through all the assets and find what's critical to your organization, what you need to keep safe. And then from there, I guess you could just go through your risk management steps and make sure that all your risks are either transferred or mitigated at some point to help protect yourself.

Will Slappey: I think you are dead on, James, too, because, you know, I've heard plenty of people talk about the two-factor authentication takes longer. It's a pain in the butt. I don't like the longer password, et cetera, et cetera. And you really have to have that buy-in. Because otherwise, you won't do the things that you need to do, and you gotta get over that hump to realize, hey, it's worth taking the extra 10 seconds on two factor than it is the hours and potential money loss if you get compromised.

So James, last question here for you, go back to where we started. I know you're always upping your game, taking it to the next level. So what is the next intense Red Team type of test that you've got in your sights, that you want to do, that you want to try next to push the envelope, but maybe you haven't gotten the chance to do yet?

James Webb: I think it would be a real good Red Team event. We've done a couple here so far and they've been great. But I really, you learn a lot as you do 'em and I'm just aching to do another one to really test the policies and procedures and the IT staff of an organization and of course the people.

It's always good to, to have someone say you can't come in or even better if they let you in.

Will Slappey: So, what would be like that next thing? You've stolen a computer so far; you faked a badge. What's the thing you haven't done yet that you want to do on that next Red Team event?

James Webb: I would like to turn a server off. Either physically or, virtually or, through the network, just turn it off, just something a little important. Maybe an email server. Just make 'em think, something we could turn right back on, but that'd definitely wake you up.

Will Slappey: Have you seen that reaction? What has been the reaction? After you do a Red Team event and you come back and show 'em the findings, are they surprised? Is it expected? What's the average sort of response after a Red Team event from those business decision makers?

James Webb: I actually got a response during the Red Team, when they actually figured out it was towards the end that we had breached their information. I was told by the person that had hired us, she didn't tell her IT team, that if she wouldn't have known we were doing this, she'd be throwing up.

So, I thought that was pretty impressive for someone to say it makes you sick to your stomach when you realize someone's been in your system and who knows what they have.

Will Slappey: Yeah. Just glad that it was you guys and, not somebody with some ill intent. Hey, that's a great note to end on. Thank you, James, for joining us today. I learned a lot and I know our listeners did too. Hopefully you were able to ease some anxiety by giving the listeners some tools to help fight cybercrime and by sharing what to be on the lookout for. If you have any questions for our listeners out there about the discussion, please reach out to us.

We'd love to talk to you more about it. And as always, please follow Technology Simplified-Tech Talk Everyone Can Understand to stay up to date on all the latest news, free of jargon and undefined acronyms. Have a great day everyone.