Penetration Testing
A Day in the Life of a Cybersecurity Red Team
When well-protected companies want to thoroughly test their security, they hire a red team: a crack team of experts who take the role of would-be attackers. Lucy Ingham hears about the heist-like reality of the sought-after job from Tom Van de Wiele, principal security consultant at F-Secure
For adventurous cybersecurity professionals, red teaming may be the dream job. With work lives that more closely resemble a heist movie than a conventional office role, red team professionals are paid to infiltrate high-end corporate systems and find weak points in their security.
They use the same methods as hackers – but without the same risk of a prison sentence – and are hired by companies that already have a high level of security, including banks and top-tier enterprises, and that often assume their systems are near unhackable. They are wrong.
“My job is to break into companies and steal their secrets,” says Tom Van de Wiele, principal security consultant at F-Secure, where he leads red team operations for the financial, gaming and service industries.
“That means that if you click on my phishing email then I'm going to finish my coffee, get in my car and drive to your building, break into the building and steal information that way. Because the ultimate cyber weapon is still a ladder.”
While cyberattacks are generally seen as being solely enacted from behind a keyboard, much of the red team’s efforts involve on-location work.
“Some of these are embarrassingly low-tech others are more high-tech, but what is certain is that they work and that is why we're here,” he says.
Assembling a crack team
The typical red teamer is enthusiastic about security to the point of obsession.
“It's the thing that we luckily get paid for because we would be doing this stuff anyway: it's kind of our hobby/passion/mild obsession. And this stuff does not stop at five o'clock,” says Van de Wiele.
However, that does not mean that every member of a red team is the same: quite the opposite. Each team is assembled for a specific target, much like a heist, to cover a diverse range of skills.
“We have to be able to test different companies and organisations and different business sectors and for that reason we have a very, very specialised team,” he explains.
“That means we have people specialising in social engineering. We have – my favourite term – amateur locksmiths who have taught themselves how to open locks. We have people who do window security and access control security, embedded systems – you name it.
“Luckily we get paid for it because we would be doing this stuff anyway.”
“Any kind of profile that we can use to put together a crack team to be able to help companies to protect themselves against organised crime, against the opportunistic attacker, anyone who wants to perform any of the worst-case scenarios for our customers.”
These teams will work together to find any security loopholes they can within a company, from a lack of inter-departmental communication to overlooked ways of accessing a building. And they do so while remaining on the right side of the law and with the permission of the company.
A typical red team operation: infiltrating a bank
To illustrate how F-Secure’s red team works, Van de Wiele gives the example of what he calls “Operation Money Grab”, a fictional operation that is an amalgamation of several of his real past projects.
“It is an international manufacturer of electronic goods that we have to get into. Their physical location is in three buildings on a campus of some sort and they use a certain application, they told us, [but] I cannot tell you the application because that would give away the customer,” he says.
As with a heist, the team has multiple steps it must achieve in order to complete its goal.
“We have to gain access to the building physically. We have get access to the right department: to the financial department. We have to access that application and we have to transfer money,” he explains.
“The customer says: 'Can you please transfer €5,001 from account X to Y?'. And we are like: ' Yeah, that's fine, but why €5,001? Why not €5,000?' and the customer just smiles, which is fine. Creepy, but fine.”
Intelligence gathering
The first step is to gain as much intelligence on the company’s campus as possible, in order to identify potential security weak points.
“It's three buildings and one campus, so we have to figure out what access control system they are using. When do the guards come? What are they using for garbage disposal? Stuff like that,” he says.
This will often involve what Van de Wiele describes as “open-source intelligence gathering”, where they will purchase blueprints of the buildings from government departments, an option that is available in most European cities.
“For a few euros they will give you the architectural maps and that will show us the entrances, exits, stuff like that, via a courtyard or garden, because maybe it's not apparent from the outside; not even Google Maps has that information.”
Information can also be gleaned through the social media accounts of the company’s employees.
“This guy takes this screenshot of his new work station that's fantastic, but now you're showing me all the applications that you use the most, which allows me to target you. So watch what you put on social media,” he warns.
Where there's muck there's brass
They will also will look for information from what the company throws away.
“We're going to steal the garbage, which is usually what the juniors get, that's how you start on our team. And anything that is not purple yoghurt or hairy bananas is going to be of use to us. Gossip, mail headers, signatures, stuff like that,” he says. This can prove a surprisingly effective way of getting access.
“[We might come] across an email that says 'hah, after seven months of having this service ticket open we've finally got it through, congratulations to all of you' and then we just call up that person,” explains Van de Wiele. “'Hello, I'm the database administrator, yeah that one transaction of type 123 that didn't go through'. And the person just starts dying on the other end of the line like: 'You have no idea how long we've been working on this thing'.
“'I know, I know, but it's not going through. It's some kind of four-eyes principle, because it's been lasting for so long. So I just need to verify that your password starts with a P...it does not start with a P? Can you just give me your password so that we can get this sorted'.
“And often they give me the password, and we're done. Stupid? Yes. Does it work? Oh yes.”
“Anything that is not purple yoghurt or hairy bananas is going to be of use to us.”
Alternatively, information found in the rubbish might tell them what kind of printer the company uses, in which case they will phone up pretending to be from the company in question.
“We ask one of our colleagues with a nice warm female voice to call up the IT manager to say 'yeah there's been this security fix for Canon printers. It happened in the factory so it's on us. When can we send a guy?' and the next day one of our colleagues shows up saying 'Hello I'm here for the printer' and they leave you alone.”
Hire me, don’t hire me
If F-Secure’s red team gets nothing from the garbage, they may try a different approach: applying for a job.
“We have some CVs that will knock your socks off,” he says.
The goal here is not to get the job; in fact the team member in question will work quite hard not to get it once they are inside the building. Instead they are trying to get an interview.
“You're inside the building and you say: 'Look my wife is pregnant, it's the doctor, do you mind if I just stay in the meeting room for five minutes?' And they'll leave you,” he says.
“You log in with the computer that you've brought and then you call your colleagues saying: 'Did you get in?' and they say: 'Yep we have persistent access', because that little boxy thingy connects out to the network and then climbs back in and we're in.”
Phishing emails you can’t help but click on
The team may also resort to a more classic method of gaining network access: the phishing email.
“You will click on my phishing email. Why? Because maybe I determine that you're running Outlook. Maybe I know that you have one of these pop-up notifications on, I know when you're sitting in a meeting, you're presenting your new stuff to your colleagues,” he says.
“You see the pop up coming up saying: 'Thank you so much for subscribing to the adult content newsletter, if you did not sign up for this please click this link', which doesn't go there obviously it goes to my server with a really nasty captcha to start off and you're not gonna get it and by the time you've solved the third attempt at my captcha, my code has finished running and we're done.”
“You've never seen someone in a corporate banking environment click an unsubscribe link that fast.”
This works because it removes people from a headspace where security is at the top of their minds.
“This hits people emotionally. You've never seen someone in a corporate banking environment click an unsubscribe link that fast.”
And this is just one of a host of phishing emails the team uses to illicit such a reaction.
“LinkedIn updates: ‘Sorry to inform you, you've been removed from the company name group following a complaint. You have 24 hours to rebut the complaint through the link here’. Everyone clicks the link. Even though their LinkedIn may not be associated with the company email address, which it shouldn't. People click: it's emotion.”
Attacks from the street
Thanks to the widespread use of wireless technologies such as WiFi and Bluetooth, the team also can get into the target network in several ways simply by being in close proximity to the office in question.
Certain widely used wireless keyboards and mice, for example, have a security vulnerability that makes it very simple for a well-equipped attacker to take control of them while standing nearby.
Van de Wiele has a pocket computer for this purpose, which is set up to detect the presence of devices with this vulnerability and take control of them. And once he has control, he can input whatever he likes to the computer they are connected to without even being in the same room.
“I can make it type a small program, and if I can type a small program I can also run that program, for example, as a backdoor,” he says.
And if the company doesn’t have devices with this vulnerability, it’s easy for the team to introduce some.
“You might say, 'Tom we have pretty good control over this because we know exactly what keyboard and mice we're using'. Well guess what? We're going to send you some,” he says. “We once sent a backdoored keyboard to an IT department and the IT department could not agree on who should have the keyboard so they all had it everyday. We heard everything: they changed the keyboard, so we backdoored the whole IT department.”
“We once sent a backdoored keyboard to an IT department and the IT department could not agree on who should have the keyboard so they all had it everyday.”
Then there is the manipulation of WiFi networks. One widely known approach is to create a duplicate of an open WiFi network, such as those found in cafes, and use it to insert malware onto the phones of those that connect to it.
However, the red team takes this a step further by cloning local networks that require a password. This is possible as apps are available that provide users with the WiFi passwords of local businesses, although Van de Wiele does warn that these are generally “complete spyware”.
With this information they will set up a clone of a local network – such of that of a popular local lunch spot – in a battery powered WiFi access point that they leave in the pannier of a bicycle chained up next to the office.
The phones of employees who have previously accessed the network will re-join it, allowing the clone network to insert malicious code into any unencrypted apps they have installed.
Then the phone’s owner will be presented with a false password prompt for any services the red team knows the company uses. And if they are fooled by it and enter their details – which they almost certainly will be – the team will have access to some very sensitive corporate data.
“I'm going to get your passwords and I'm going be able to do some pretty dangerous and nice things with it. For example, accessing your iCloud backups,” he says.
Breaching the building
For all the ways in which the red team can get into the corporate network, for this operation they need to get physical access to a specific computer, which means getting into a well-guarded office after hours.
In some rare cases they do this by physically breaking a window, with permission from the company. But in most situations, access is far more straight-forward.
“We get into most buildings using a can of compressed air,” he says.
“Most buildings have motion sensors, which means that if you come from the outside and you want to walk in there's no motion sensor, or it won't trigger, but if you walk for the inside out towards the parking lot the motion sensor sees you and opens the doors.”
So how does the team kid the door into thinking they are on the other side?
“It helps to be tall. You stick a little straw through the window for the thing in the door and you spray the motion sensor and the door opens for you. That's it. These are the embarrassingly low-tech attacks.”
In some cases, a company will instead use a button to open the door. But if there is an unobstructed line of sight to the button, this can easily be circumvented too.
“If the button is right there then I'm going to bring my BB gun. I can shoot the button, which we've done as well, and the door opens.”
“We get into most buildings using a can of compressed air.”
In Operation Money Grab, however, the company is using a keycard.
But while it may seem more challenging, it simply requires making use of an easily obtainable device to clone a keycard from a distance. And given how many people wear their keycard on a lanyard round their neck while on their commute, this isn’t hard to pull off.
“If it is inside your pocket you have less chance of losing it and you have less chance of a guy like me trying to clone it,” he says.
Of course, some companies instead use a pin, but there is a tool for this too: a small sensor-like camera that when attached to a phone shows the user heat signatures. Point this at a recently used keypad and you can easily figure out the pin number.
It also helps differentiate fake CCTV cameras from real ones, although Van de Wiele is dismissive of these.
“I don't think you have to be a mastermind to figure out how to disable those,” he says. “This is compliance for you, this is not security and that's kind of why companies like to cut corners.”
Getting into the target computer
Once they’ve got in and found the target computer, they may wish to take it with them. However, if it’s a laptop, it may be tethered to the desk with a security cable.
“How do we get past this? Other than bringing huge bolt cutters? The ultimate of ultimate cyber weapons: a toilet roll,” he says.
“If you look on YouTube, you cut them in half, you roll it up, you stick it in and you turn, and most of them will open.”
Now in possession of the computer, the red team has to actually access it, which is challenging because it is locked.
“Well, your computer has ports, right? Several of them. You might even have one of these PCI express ports still exposed. You might have other things exposed,” he says.
“If you do we can put in a slot that is connected to a different computer and because the actual interface has what's called DMA, direct memory access. Using an interface, using my attack computer, I can write whatever I want in memory.
“I could write to the one condition that says 'computer is locked' and I change that, I press enter, and I don't need your password. I just change the actual value in the memory saying 'you're not locked anymore, it's fine'.”
“The ultimate of ultimate cyber weapons: a toilet roll.”
If the company has been smart enough to lock down these ports, the team can also take measures to override this.
“We go to Ebay, we find a docking station for that laptop and – wahey! – the ports are back,” he says.
If all else fails, they can gain access through the computer’s hardware, by swapping out the module that allows the WiFi chip to interface with the rest of the computer.
“We take it out, we put ours in and now again we're in the memory, where we can write and read and the software won't even see it most of the time.”
Outwitting fingerprint scanners
The final goal in Operation Money Grab is to transfer €5,001, and it turns out there is a reason the customer was smiling when they gave the team that amount.
“We need to provide a fingerprint for transactions above $5,000. That's why the customer was smiling,” he says.
For this the customer uses a fingerprint scanner, which should in theory be impossible to replicate. However, in reality, most of the tools to do so are present in the customer’s own office.
“People don't always wash their hands and there's residue of oil and fat on your fingers and with that we can lift the print off that. From your mouse, from your keyboard, from a glass. Glass is the easiest,” he says.
“We lift a print, we invert it, we print it out on paper with a normal inkjet printer.”
Lifting the print is done using a toy detective set, the dust from a printer cartridge and scotch tape.
“Usually it's pretty easy to get off. We lift a print, we invert it, we print it out on paper with a normal inkjet printer,” he explains.
“And we're verified. So we beat this with a piece of paper.
“Now you might say: 'Not my fingerprint readers at work'. Really? Are you sure about that? And can we please see the report where you last tested that? This is usually where we get the awkward pause.”
Lessons from a red team expert
With the fingerprint bypassed and the money transferred, Operation Money Grab is completed. But that may not be the end of their job with the company.
“We are successful, we're in, the customer is happy. They fix all the stuff, and we come back with even worse attacks until they can actually detect real attacks themselves,” says Van de Wiele.
“Sometimes during the job they call us saying: 'Hah, you attacked us! We saw that' and we're like 'Yeah that's not us', which means it works, right? It means we're teaching them where to look. And that's important.”
Of course, even if a company isn’t at the level of hiring a red team to test their security, there are basic actions they can do to minimise their risk.
“Try to minimise your digital footprint. That means, do you really need to have all your job vacancies on your website indexable by Google? Because that's the first thing that we go for when we want to find out what technology the company is using,” he says.
“You have to be willing to work. Try to keep that at bay.”
“Do you really want to share your birthday and all kinds of other stuff on LinkedIn? On your company pages? You want to make a big thing about the CEO's birthday today? That's great, thank you so much, because now we have his birthday.
“You have to be willing to work. Try to keep that at bay. When it comes to wireless emissions make sure we know exactly what hardware you have. When it comes to physical security it doesn't mean you have to remove all those systems, but are those systems protecting what they are supposed to protect?”
Most of all, act on the security knowledge that you have.
“You have the data but you're not acting upon it, and we want to help companies to act upon that data so they make the right decisions.”
PR nightmares: Ten of the worst corporate data breaches
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea im retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
Swift, 2016
Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea im retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
Swift, 2016
Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang