Modern red teaming: 21 resources for your security team

John P. Mello Jr., Freelance writer, Independent

The information security stakes for organizations have never been higher. Nation-states and cybercriminals are mounting attacks of increasing sophistication. Consumer awareness of information security continues to rise and, with it, expectations of those who protect their data.

Meanwhile, regulators have ratcheted up their scrutiny of data-handling practices, most notably in the European Union, where violations of the new General Data Protection Regulation (GDPR) can result in penalties of $23 million, or 4% of global revenue, whichever is higher.

Organizations are starting to recognize that traditional security measures, such as penetration testing and vulnerability scans, fall short in meeting their information protection demands. That's why red teaming is gaining popularity.

Red teaming can give an organization the kind of comprehensive testing needed to expose vulnerabilities at every attack level and allow it to better understand how to respond to cyberattacks. Red teaming goes beyond system-specific tests and focuses on an organization's assets—looking at, for example, the risk of intellectual property theft and the security of customer contact lists, personally identifiable information, and payment details.

When your organization embraces red teaming, you will need resources to get it right. Here are over 20 resources, from discussions to training to tools, to help do just that.


Pentester Academy

This monthly subscription service offers online video courses primarily about penetration testing, but also in the mix are courses about operating system forensics, social engineering tasks, and assembly language for information security. Other topics include exploiting buffer overflows, making hacker gadgets for demonstrations, and explaining security implications of actions.

Vincent Yiu

Yiu describes himself as an "offensive cybersecurity operator." His red team experience led him to create a Twitter feed where he posts insightful tips for red teamers. He has also rounded up many of his tips and posted them on his personal website.


Twitter #redteam resources

If you're looking for trending red team information, you can find it on Twitter with the #redteam and #redteaming hashtags. You can find guidance for topics including how to use group policy objects for persistence and lateral movement, places to find tools for red team activities, and alerts about interesting software, such as Photon, a fast web crawler that extracts URLs, files, intelligence, and endpoints from a target.

Daniel Miessler

Miessler's online musings are a grab bag of tech writing and free thinking. He produces a newsletter and podcast, maintains a website, and can jump from a topic such as DNS rebinding to "Anatomy of the American Death Spiral." His red team writing on his website includes "Purple Team Pentests Mean You're Failing at Red and Blue" and "When to Use Vulnerability Assessments, Pentesting, Red Teams, and Bug Bounties."

The Daily Swig

This is a news platform for web security, sponsored by PortSwigger Web Security. It's a good place to learn about red team-related developments—hacks, data breaches, exploits, web application vulnerabilities, and new security technologies. Recent pieces include "Major Jobs Website Left Sensitive Client Data Exposed for Months," "A New Tool Helps You Find Open Amazon S3 Buckets," and "Offensive Security Has a Crisis on Their Hands Right Now."

Florian Hansemann

Hansemann is an ethical hacker and penetration tester. His tweets and blog focus on tools and techniques of interest to red team members. For example, he covers Tokenvator—a tool to elevate privilege with Windows tokens—and how to write a payload for process injection in Windows.

MWR Labs

MWR publishes tools useful to red teams. Its Twitter feed offers advice for addressing problems faced by security testers, such as bypassing memory scanners and circumventing Windows NT LAN Manager authentication on a website.

Emad Shanab

Shanab is a lawyer and ethical hacker. His Twitter feed includes techniques useful to red teams, such as writing SQL injections and forging OAuth tokens.

RingZer0

This team of hackers operates a capture-the-flag website full of challenges designed to test and improve the kinds of programming skills needed by red team members. The group also has a Twitter feed, where it offers hacking tips and red team advice.

Bug reconnaissance

"How To Do Your Reconnaissance Properly Before Chasing A Bug Bounty" is an article by Hussnain Fareed, a web developer, machine learning enthusiast, and security researcher in Pakistan. The piece talks about where to test software for vulnerabilities, and tools that can be used to discover them. Despite its whimsical and informal presentation, the article can be a useful resource for red teams planning a reconnaissance strategy.

Mitre ATT&CK

Mitre's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated knowledge base about adversary behavior. It follows the phases of the lifecycle of threat actors and the platforms they're known to target. It was developed by Mitre red team leader Blake Strom, who set out to create a framework that detailed an attacker's behavior after compromising a network.

"There could be hundreds or thousands of variants of malware, including backdoors, Trojans, remote access tools, and so on, that adversaries use to get inside a network," Strom explained in October 2015. "But once they're inside, they exhibit a lot of common behaviors. They learn about their environment, gather credentials for legitimate users and accounts, and move to other systems in the network to steal information or set up some longer-term operation or effect."

ATT&CK is very useful for understanding the security risks of known adversary behavior, planning security improvements, and verifying that defenses are working as expected.

Will Schroeder

Schroeder is an offensive engineer at SpecterOps, which provides red team services to companies. His specialty is attacking Microsoft's PowerShell, which he frequently discusses in his Twitter feed and blog. His latest writing includes a guide to attacking domain trusts in Microsoft's Active Directory and a discussion of bypassing application whitelisting and executing arbitrary unsigned code via winrm.vbs.

The Hacker Playbook

Despite being distributed on anachronistic technology—paper—this handbook for hackers remains a popular source of information for red team practitioners. Topics covered in the book include recon tools and tactics, lateral movement tips and tricks, and password cracking. Author Peter Kim also has a Twitter feed where he offers hacking tips and mentions those of others.

Nettitude Labs

Nettitude supports a Twitter feed where it posts tips, tricks, tools, and tutorials of interest to red teamers. It also offers a number of free hacking tools at its website designed to do everything from cracking passwords, exploiting WordPress vulnerabilities, and harvesting reconnaissance information to creating a command-and-control system with PowerShell and designing XSS payloads.

Red Canary

This company offers cloud-based security services but has some free offerings worth a red teamer's attention. For example, it offers a buyer's guide to endpoint detection and response, as well as a number of tools useful to red teams using Mitre's ATT&CK framework. It also provides a blog and Twitter feed with tips and information of interest to red team members.

17 tips for a successful red team

This article, by tech freelancer Nasrumminallah Zeeshan, contains a tutorial on "color" teams, as well as tips specific to red teams. Another article by Zeeshan of interest to red team members explains how to build a list of log files that need to be inspected regularly for security reasons.

SANS Digital Forensics and Incident Response

The SANS Institute is a major provider of cybersecurity training. Its DFIR (digital forensics and incident response) Twitter feed contains the latest news about SANS courses and tips from expert practitioners. SANS DFIR also has a website with a number of hacker tools that red team members may find useful, such as attention-deficit-disorder, a program to pollute memory with fake artifacts; Folder Shield, which can be used to conceal folders on a system; and Timestomp, an app for altering NTFS time stamps.

Red Team Journal

Red teaming as a concept reaches beyond technology. It's a systematic way for an organization to incorporate critical and contrarian thinking. That's the idea behind Red Team Journal. It has technology-oriented articles, such as red teaming versus pen testing, but it also has think pieces, such as "The Red Teamer's Manifesto." RTJ also has a Twitter feed with many lively contributions about the larger aspects of red teaming.

PenTestIt

This website bills itself as "the source for all things information security" and has some interesting tidbits for red teamers. For example, it has a list of malware sources, including Trojans, remote-access Trojans, keyloggers, ransomware, bootkits, and exploit packs. It also has a Shodan query page. Shodan is a search engine often used to discover unprotected databases exposed to the Internet. In addition, there's a useful article on adversary emulation tools.

Awesome Red Teaming

This is a very detailed list of red team resources maintained on GitHub. It breaks down every technical aspect of red teaming, from initial access, execution, and persistence to lateral movement, collection, and exfiltration. It also covers gadgets, books, training, and certification.

Have we missed any of your favorites? Please let us know in the comments field below.