Red teaming starts with research. So does social engineering. Red teaming is the practice of thinking and acting like an attacker to test an organization’s defenses, according to security consultant and penetration tester Justin White.
White recently spoke with Joe Carrigan for the CyberWire’s Hacking Humans podcast, where he explained the type of work he does as a professional red teamer. White defines red teaming as an “object-driven security assessment penetration test that's very broadly scoped,” which typically involves physically breaking into a facility and using social engineering tactics to manipulate employees.
The first step in this process is open-source intelligence gathering, where White and his team will scour the Internet, particularly social media, for information about the company and its employees. White will then use this information to ingratiate himself with the company’s employees and win their trust:
“I'm always just trying to get little bits of information from different individuals that I can take and pivot to other individuals or other places. And I can use that to my advantage to sound more convincing that I am who I say I am or I'm here to do what I said to do because, you know, I know this name. I know about this thing that's going on at the company. Did you see what happened at the holiday party? That was crazy. You know, I've got little anecdotes like that to tell to make myself just sound more legitimate.”
White says that, in most cases, the most difficult obstacles he encounters while red teaming are organizations with sound security policies and employees who follow those policies:
“Usually it comes down to they're just following the rules. I'm sorry, sir. I really want to help you, but our policy is this and this. And, you know, that's a good thing and a bad thing. It's a good thing for the company. It's a bad thing for me. But also, that - what it tells me is that companies really need to be sure that their policies are sensible because the employees for the most part will follow policies. However, sometimes we find that their policies have gaps in them. And it's possible just following the policies that exist that you can exploit information from them. So you have to have good policies.”
When asked for his advice on how to avoid falling victim to social engineering, White replied that the best practice is to be diligent and stay aware of what is going on around you. When company policy is unclear, employees should follow up on the situation and make sure others are informed, rather than letting someone into the office on trust alone. “That's why this whole social engineering works in the first place,” he explains. “It's human nature to want to help people.” One of the best ways to keep employees on their toes is new-school security awareness training that lets them face social engineering tactics in a safe environment before they encounter them in the real world.
Hacking Humans has the story: https://thecyberwire.com/podcasts/cw-podcasts-hh-2018-08-30.html