Site icon The Security Student Podcast

Show Notes: An Introduction to Physical Red Teaming with Shawn Abelson | Episode #32

Overview

In this next episode, I was joined by Shawn Abelson, physical red teamer, business owner, and graduate faculty member with the University of Minnesota’s Security Technology Program. Shawn’s led and developed Red Team programs and he has a ton of great insights for those interested in the red team philosophy and how to develop red teaming skills. His experience spans diverse roles in the public and private sectors. Shawn has earned his Master of Science in Security Technologies from the University of Minnesota and now instructs in that same program.

Today’s conversation focused on what red teaming is, what a typical client engagement looks like, how an aspiring professional could get into physical red teaming, and much more.


Highlights from This Episode

  1. Creativity in Red Teaming: The importance of creativity in designing tests that do not create unnecessary risk.
  2. Blue Team Collaboration: Red teaming should serve the blue team, helping improve security rather than just pointing out flaws.
  3. Empathy for Security Staff: Understanding the conditions and constraints of security staff, encouraging an empathetic approach to red team assessments.
  4. Diverse Training: Suggesting prospective red teamers seek diverse training sources to gain a well-rounded perspective.
  5. Building a Public Profile: The value of contributing to the community and building a public profile as a way to advance in the field.
  6. Utility to the Organization: Red teaming should be seen as a service to the organization, emphasizing its utility in enhancing security.
  7. Use of Technology: The role of technical skills like using Proxmark for cloning badges or understanding RFID systems.
  8. Career Paths in Red Teaming: Discussing multiple paths into red teaming, including consulting or specializing in a niche aspect of security.
  9. Continuous Learning and Sharing: The importance of continuous learning and sharing knowledge within the community to foster growth and collaboration.

Memorable Quotes:

RESOURCES MENTIONED


Use CONTROL + F to search the transcript below if you want to learn more!


Transcript from this episode

*Note: this transcript was generated using automated software, and may not be a perfect transcription. But I hope you find it useful.

Travis  0:00  
...

So I think one really good place to start for listeners would be Could you share a bit about the work that you're doing today? Yeah, of course, today, I have got a partner at a small firm that focuses on testing and validating security systems. So security programs, not just systems. So we we typically brought on by chief security officer on the physical side or the InfoSec. Cyber side. And our goal is to assess all of the security programs that are in place on the physical, technical, and kind of human protocol side. And so there's a lot of assumptions in security, we implement things and we don't really know if they work until an adversary shows up in tests that are until until you know, something hits the fan and, and you rely on it. And so our goal is to kind of be the and the fake adversary, the sparring partner early on to identify if there's any assumptions that need to be corrected, we stress test programs, and then we help companies and kind of security managers mitigate gaps that they didn't know they had before a real adversary is able to show up and test them. And so it's been a lot of fun. I've been on the blue team side, implementing different security measures for a long time, and consulting as well. And now I get to test and actually go out and see what, what truly works, what, what works the way we think it does and how to improve. So that is what I've focused my time on recently. And it's been kind of the most interesting and fun part of my career so far. Yeah. For me, it just says that type of work sounds so fascinating, because it seems like there'd be a big role in applying creativity and how you're going to craft these different types of approaches to testing the security measures of all these different companies. So for me, that seems like a really fascinating aspect to Yeah, creativity is my favorite kind of personal favorite part of being able to show up and think think like an adversary be creative about what what someone might do.

Shawn 4:30
We can always plan for what we know will happen again and again. But we never want to be the case study where something happens. And so being creative to make sure we can test as many ways as possible and give clients and users the information they need. So yeah, that personally that's that's the most exciting part, outside of actually getting to, to work with the, you know, the blue team, the folks that hire us to build and fix the programs, spending

A lot, a lot of fun being creative on both sides, the adversary side and the other side. Because in order to combat the creativity from an adversary, you have to be creative in terms of how you're detecting, deterring, preventing, responding and all that. And so, yeah, I think that has been one of my favorite parts, I ended up, I was always interested in creative things. And I ended up in a field where I was worried, and we didn't get to bring that to the table. And now it's a core part of what I do so fully agree there. Yeah, that's awesome. And I have about 10,000 More questions along those lines. But I'll move the discussion along, but I think I'll have a lot more questions as as we work our way through.

Travis 5:42
And so Shawn, I was curious, what initially got you down the path to working in security, generally, even before you got into Red Team? Was there anything that inspired you?

Shawn 5:53
Yeah. So through, you know, school early on in college, I was planning to be a doctor, I think there's a lot of people that I can say that. And I started working as a EMT, and working in EMS, and then emergency management as part of that. And I loved it and kind of continued that for a while. But it was exciting and interesting. And kind of I was hands on able to help people and plan, you know, an emergency management side was really interesting. But also, everything was a little felt a little dark, like you're always planning for the worst. And I guess on the security side, you still are, but I had an itch to be more proactive. And so I loved that part of what I do, I think the business continuity, emergency management is interesting. And I still try to do as much of it as possible. But it's what introduced me to the security world. And then I ended up going through a master's program at the University of Minnesota and security technologies, which, which kind of opened me up to the wider world of security, counterterrorism, counter Intel, espionage, like all of the kind of exciting parts of this. And so it was a kind of a arc in terms of going from reactive emergency management, and being proactive on it as much as possible to being purely proactive on the security side of the house. So that is that is how I ended up in the field. And from there, I had a internship with the craziest interview process I ever had, it was for a small red teaming company. And the interview was trying to break into a building that was a client of theirs. And I was somehow successful, I still think about that. I had about 10 minutes to prep, which today like it's a red team, I spent a lot of time preparing. And I can't believe with a 10 minute prep time, I was able to, to do what I was able to do at the time. But it was I was hooked at that point. And so I started working there. And kind of the rest is history.

Travis 8:14
Yeah, that's pretty impressive to have 10 minutes of prep time. And that's also a really interesting hiring process, generally. But Shawn, I want to ask you a little bit about the master's program that you did. So doing a security technology Master's. And maybe we're a little biased, because I know you're also one of the faculty and we have like several mutual friends who are involved in that program. But when you were doing the program, like what were some of the, I don't know, some of the core skills or some of the core competencies that you felt you you were really able to take away from there and go apply in your work. Are there any that stand out to you the most are things that you found to be the most useful when you moved on to working in corporate and then supporting other types of clients?

Shawn 9:07
Yeah, the the two most useful things that I took away was perspective and a huge tool belt. So from a perspective standpoint, just kind of understanding the motivation behind different security practices and threat actors understanding, thinking of security from a systems perspective from interdependency and how when one domino falls on a cyber attack side, physical has major knock on effects and so perspective just there wasn't a specific skill. I walked away with that. Out shined how important that perspective was in my career. So that's a big one and then tools the program was Physical, somewhat, there's a little bit of physical, it was a lot of infrastructure, Homeland Security, cybersecurity, and InfoSec, and even public health. So really anything across the spectrum of ways to keep people safe, and understanding a couple of the best tools from each of those tool belts not being an expert at them. But definitely knowing how they work. And being able to have run through a few trials with them, was really helpful, because I was able to show up to, like lead small groups or show up to a meeting at a big company and be able to say, we're trying to solve a problem in a certain way, there's a couple other ways in a in a adjacent sister profession that we work in, we should talk to them because they've dealt with this before and, and being able to kind of build those bridges and knowing that those tools exist. And so it was really the exposure to the perspectives and the tools, more so than other academic programs, where maybe you walk away as an absolute expert in JavaScript or standing up firewalls, or whatever it is, it was kind of a broad, more security leadership, focused program. But I think those are the the biggest positive takeaways that have benefited me. But yes, you're also right. I'm biased as I as I have come full circle. And now I get to kind of teach and help improve, it's been a lot of fun.

Travis 11:37
One, so just thinking about the curriculum, I think it's so useful to be able to, like, for some people, they might just be out there doing some type of self study if it's, if it's the type of security work that they're not actively involved in. But being able to get a feel for the, like the theoretical stuff, but then also have teachers who have been involved in it, who are bringing in people that are doing that work day to day, being able to ask those kinds of questions, stuff like that is so critical, rather than just buying a stack of books from asis and trying to learn theory from that from there, so I could see, I could see people getting a ton out of that. And then also, I'm really envious of you like being part of the grad program and being able to teach some of those younger professionals. That seems like it could be a ton of fun, and then also super rewarding as well.

Shawn 12:31
Yeah, I wouldn't be too jealous, you're doing the same on a public scale at the podcast. I mean, I've learned a ton from different perspectives and tools and people that I know follow on LinkedIn and get to read from from the podcast. So you know, same same approach to kind of helping the the security field from different, different angles, but it's, uh, yeah, they're both definitely rewarding. It's a lot of fun. Yeah, of course.

Travis 12:58
Okay, so we talked a little bit about how you got into security. And then when does your career start directing you towards red teaming? How's that happen?

Shawn 13:11
So, so I've come full circle, I started working for a consultancy, that does red teaming, and also as a student in the security tech program. And now well, over a decade later, I'm partly teaching the program that I was in, and I run my own consultancy, that that does that. And so I started and then in the middle of my career, I had some time where I was working for a bank doing financial investigations relating to counterterrorism and fraud. And then for law enforcement, not doing red teaming, but doing a lot of investigative work that helped build some of the red teaming skills in terms of Osen and finding information that's hard to find. And then eventually, I ended up at Facebook. They I lucked out, it was a dream job, just kind of full, full transparency I, I saw them I was looking at other jobs as well. And I saw them post a head of physical security red team. And then I went went all in on that and talk to as many people as I could to get get my name on that list and eventually got picked up there. And so I led the red team for four years. That face Facebook, physical security red team, and then started started doing it myself. And so it's been a really interesting I have kind of moved when I was consulting. Originally, it was purely on the physical side, and obviously meta or Facebook. There's huge tech company with a ton of infrastructure and so I moved much more into the information security side of it. Under there's incredible InfoSec Red Team cyber red teams there that I learned from. But there's also an assumption challenging side there's there's a lot of safeguards that exist in processes and onboarding new vendors or something where there's, there's no one really testing it to see if it's secure. And so we weren't just running around breaking into buildings, it really expanded my perspective of red teaming from just breaking into buildings to testing a wide array of kind of processes and controls that are in place.

Travis 15:38
And that's really fascinating, especially for a company like that, that has, you know, a giant global footprint, tons of resources. Yeah, that just seems like, it'd be one of the more fascinating places to work. And also, it is kind of funny, just how coincidence and circumstance and luck put us in some of these positions to because sometimes we're just in the right place at the right time when they're doing hiring. Because I mean, there could be someone graduating right now, it's like, not not an awesome job market. So yet it is funny, just how like luck plays like a small role in really everyone's career, because no one's career is just like, completely linear.

Shawn 16:18
Yeah, I don't. Yeah, I absolutely lucked out. I think that there's not many people who have gotten to go out and actually physical, like, do physical red teaming. And so I was lucky that I had the one of the few candidates that the years of experience actually in the field doing that, and that you're able to lead teams a lot safer and a lot better if you have that experience. So totally, it was a great time I got to build the I think it's the largest, red physical red team in Silicon Valley, which was awesome to build and see what they're, they were able to do so. Yeah, I definitely. Definitely was a career highlight being able to do that.

Travis 17:00
Yeah. And in getting to do some of those projects, were there any big lessons learned that you are? I imagine there's tons. But are there any that? Are there any big lessons learned that you could share with us that you've learned doing some of those red teams, whether it has to do in, you know, being someone who's leading people, or whether it's something more tactical? Or are there any lessons that come to mind to you that would be interesting to share with the group listening?

Shawn 17:30
Yeah, of course. I mean, we had our own lessons learned register. So I mean, as we went, like, we ended with hundreds and hundreds over time, but I think with any, I can pick a few really useful ones. One is really that. There's security, I mean, security is really hard. There's a million, like I just said, there's hundreds of lessons learned, there's a million ways places to focus attention, there's dozens, if not hundreds of vulnerabilities that a red team will uncover. And so one of the main lessons is helping on the risk management side. So you uncover let's say, a couple of dozen vulnerabilities. Having a process in place to prioritize mitigating those, whether whether you identify them from a red team, or if you identify them from a real world incident, having some type of improvement. I'm not a huge fan of committees, but if it's necessary, or at least some level of accountability where where things get fixed, but we stood up an entire risk management team that helped fix the vulnerabilities the red team identified, it takes a lot of work, it's it takes one operation to uncover dozens of vulnerabilities. And then it takes people tons of time and resources, money and effort to to actually take broad kind of broad improvements across an organization. And so as a red team, it's important to understand just how heavy the lift is for the folks that are expected to fix it, and then putting everything in place that they need to be effective. And so that was one of them. Another would be kind of helping with the root cause. And so it's easy to social engineer your way into a building. And in the report, you can write security guards were vulnerable to social engineering. But again, that that doesn't get to the root cause that doesn't provide quite as useful as of information. And so after a red team assessment, we'd often go just walk around and I mean, if we tricked people, I always, always, always want people to walk away feeling good. And so going to the security guard and be like, Hey, here's The deal, here's what happened. Don't worry about it like you did, you did what you did. Now, if it's good, we always ask like, can we put your name in the report is a commendable element. If they didn't do something perfect were like names, your name is not going on the report, we talked broadly about what happened. So don't worry. But can you talk me through your thought process, and sometimes there'll be like, well, we have 300, separate SOPs, operating procedures, I read about 15 of them. And I can't, in any given moment, when I'm stressed out, and you're trying to get into the building, like I can't remember all of them. And so suddenly, we can show up and start talking to our blue team partners about being concise with the SOP is about having very specific memorable rules. And we, by doing more of a root cause analysis, we can be a lot more useful to our partners. I guess the last one top of mind, is just assumptions like, and I fell victim to this before. I mean, we implement security, we implement security measures as security professionals and we assume a vendor product is going to work, we assume that our system is going to act in or like our, our seven layers, we're doing a Swiss cheese model all of our layers of security or something's going to catch the bad thing. But without testing it, it's it's hard to tell. And so if we would just kind of end up in the position of assumption hunters where we're listening and planning meetings. And we're saying, well, we just heard you say you assume that the doors will lock when you press the panic button. But has anyone actually gone out, press the panic button to see if these ballistic doors truly lock and keep people safe. Whereas the three quarters of a million dollars, we just spent remote kind of hinging and all of the impact, hinging on that assumption. And so I mean, I use that as an example, because we actually showed up and someone said that the doors act a certain way, we're like, cool, let's test it, like it can't hurt, call the G sock and tell them the buttons gonna get pressed. And lo and behold, the doors didn't lock. And so in the worst worst case of a some type of violent incident, having someone that goes out and tests things to make sure they work the same. And it doesn't need to be a red team. I just I think red teamers are often the ones that feel empowered to actually pull on doors and press buttons. And it ideally there's a QA team, or the installers are doing that. But I think that's one of the biggest some of the biggest takeaways I've had. Just from from a broad perspective.

Travis 22:53
Yeah, and that's something I've seen, too. It's It's not until a security assessment gets done when people start questioning, or yellow. And really, people have an excuse to test some of these things in their environment. Like, I could think of one organization that I went to, and I asked someone in their back office, hey, there's a blue button over here on the wall, what happens if you press it, and one person says, Oh, if you press that the police are gonna come. And then another person says, if you press that, it means there's severe weather or it's for a hurricane response. It's like, and then he press it, and nothing happens. So it's like, a lot of organizations, really, you just need someone who's going to give you a good excuse to test all of these protocol where someone got trained on it 10 years ago, but no one's actually ever tested is just a good excuse, like you said, to go back and test all these different assumptions, and just ensure everything's going to respond the way that we assume and the way that we like it to respond. And then you also mentioned, risk management too. And I think that's so critical, too, because I could see it being really easy just to create a giant snowball of all these vulnerabilities that you've collected after days and days, or maybe a full week long red team. But yeah, having to go back and see each of those through to their conclusion. What action did we take on it? Did we decide, oh, you know, this is this is actually very low risk, we're willing to take the risk, or hey, this is this is actually critical. We need to solve this this week, if possible, something like that. So I think that's such an interesting approach. Yeah,

Shawn 24:30
I mean, that to me, that's another big takeaway, like a red team will find, let's say 50 vulnerabilities. You can probably focus on six, seven of them and get most the most bang for your buck. But there's going to be 20 that are that are almost just informational like or every organization has a risk appetite where they're like, cool, we know this, but it's not worth spending the money on it. And I think as red teamers, we should always kind of give that choice we should never say like, you're putting all of your people at risk by having a door that after an hour and a half of me trying to pick the lock I was able to get there. I mean, ultimately, certain things are are noteworthy that sure it takes it takes someone unfamiliar an hour to get into your building, but in real life, that is not a realistic scenario for an adversary. So I think like, ultimately, like we are part of the business, like any any security organization, blue or red team is part of a bigger business. And that business, usually the goal is to make money and so finding the specific vulnerabilities that you can actually spend money on and get good risk reduction for each dollar spent. But also giving the option not to like there's there's plenty of vulnerabilities that are like, maybe don't order this door next time and find a different manufacturer or work with the manufacturer to improve it. But don't spend any more time or money on fixing it. Because no one's going to do what we did, we kind of went above and beyond. And so I think risk acceptance is is a big thing that I encouraged. Not have everything but but having the option to do so because ultimately, that's what companies do, I'd rather have them do it, knowing what it means to acknowledge and accept the risk versus just getting a report and leaving it on a shelf. So I'm a big fan of adding risk management like to security programs, so you can document what your decisions are. And if you have more money, or if someone asks why we didn't manage a specific risk, if something happens, you can point to the fact that the risk was lower, and we'd spend your budget on things that are more likely or more impactful. So sorry, I'm a big risk management nerd. I could talk all day about this. But But I think the marrying of the risk management and security helps make our lives a lot easier. And also kind of our decisions more thought out and more defensible. When when people come asking.

Travis 27:13
Yeah, that's a very good point. Because on the flip side, it's going to be the company gets Yeah, 60 page report. And they don't they just don't address many of the items. Or maybe they have started dressing items. And it's not even in any type of logical, prioritized fashion. So I could definitely see that being critical. And I think I might have jumped ahead a little too far. If I could take the conversation just back a little bit. I should probably ask you to describe to people what Red Teaming is. And if possible, if you could just give I guess, maybe like an example of like what a fictitious red team engagement might look like or like a typical type of ask in product for a client. Yeah.

Shawn 28:03
Great Call. So I'm

Travis 28:05
the same way. as well. Of course, I know a read to me is, of course everyone sees

Shawn 28:10
that is that is an assumption. I should have checked. That. That's it. I'm glad you did. Thank you. So So ultimately, Red Teaming is testing a system with the intention to improve it. So typically, there I divided up into kind of analytical and systems. So analytical Red Teaming is testing assumptions. There's two great books. Bryce Hoffman and Micah Zenko. Both wrote books on red teaming, I recommend them to anyone interested in it. It's it's not about there's a chapter and I think Michaels book about physical red teaming. But ultimately, it's about perspective. And like for any person interested in red teaming, I always recommend like perspective is the beginning place, but I'm overcomplicating it. Red Teaming. On the physical side is testing security to see if it works. So you put the hat on of a bad person of an adversary of however you want to kind of approach it. And then you go out and you actually go hands on and test the system. So you if there's an anticline fence, you see if you can climb it, if there's cameras, you see if you can, if you see if you can walk in because often they may not be monitored, but if there's alarms, you go out and see if you can get the door open. And then with the people they often have 15 to 300 SOPs and then you go out and you see if they're actually doing what their they say they're doing and so there's a spectrum of kind of quality assurance on one end and red teaming on another. Red Teaming is fully you you kind of are a red cell so you fully approach it as an adversary. You don't have any insight information. And so typically the group that brings us on, let's say, it's a head of security for kind of big retail organization that sells electronics, and they have a new prototype that they're testing out. There's a lot of interest in that prototype and the source code. They've seen some groups probing maybe to get access to that. And so they want to test that. That is what they have what they've spent millions or even billions of dollars on, that it's secure. And so they reach out. And we would kind of start with scoping. Like, there's, there's a lot of paperwork, it's kind of like being a copper EMT. Like for every minute of excitement, there's a lot of paperwork in between to make sure things are done the right way. But for for this, like scoping would be questions like, were like, What is the site that you want us to test? Do you want us to actually steal the source code? Or do you want us to plug in a little USB that beacons out to a specific server to tell your IT folks that we were in your server room? Or do you want us to steal a prototype and actually walk out of the building with it? What what is the specific goals? And then do you want us to steal one prototype? Or do you want us to steal one? And then go back and then steal a different one? And then keep going until we get caught? And do you want us to escalate until we get caught and act completely ridiculous? To see what the responses are? Do you want to just see like, can we get in and out and on the way like Mission Impossible style. And so ultimately, there's a lot of upfront questions and scoping to make sure we are safe in the process to make sure the client doesn't add any risk to their security programs through red teaming. I mean, that is essential, we want to mitigate and minimize their risk by Red Teaming and never add to it. But once that stuff is done, we'll get letters of authorization or Get Out of Jail Free cards. And then we can actually hit the ground and begin working. So what that looks like usually there's a little bit of Oh, since so being good at Oh Cintas is essential. You gather as much as you can, you might do some remote social engineering, have a couple of calls, maybe set up a meeting or two. And then when you hit the ground, you start with surveillance, see what uniforms people are wearing? See what the foot traffic patterns look like? What type of security they have? Are there turnstiles? Is there one security guard at the front desk that has to go out and deal with a loud noise out or disturbance outside, and then they leave it empty, like, these are all real cases. And if so, can you figure that out by watching for a couple hours, and then that allows you to go back and gather resources like order uniforms, print a fake badge, etc. Plan a distraction. At that point, you can show up and actually begin probing, usually I don't go right into execution, usually we'll we'll do a little more probing where we might be kind of aggressive, not aggressive, it's never want to use that word. But it's more hands on surveillance, recon and probing. So you're not trying to break in. But if there's a good opportunity at that phase you're willing to, but you might be pulling on some doors and just checking a few things. And at that point, you might have more information, more planning, there's a lot of lots of meetings and discussion. But then you hit the ground running for the full Red Team execution, which can be from a few hours to a few days, at most typically, we've done multi week ones we've done kind of compressed three, four days. But ultimately, that is when you implement the plan. And so in this case, if you're trying to get access to the prototype or the source code, you've hopefully figured out what floor it's on, or at least what employees have on their LinkedIn that they're working on it. Maybe you're impersonating that employee trying to go in with a disguise to get a temporary badge or one of the multiple routes. Typically, you've practiced some social engineering or you've cloned a badge at this point. So you get in there's some type of communication with usually like an analyst I call them Overwatch because their goal is to get you out of trouble if you need to provide information, etc. And so communicate with them a little bit what's happening, and then then you go and hopefully steal the prototype or get caught stealing the prototype, which is equally as useful data And then you get out and you really kind of finish, you either escalate if the client asked or you're done. And then ideally, like the thing I've seen clients have the most benefit from is like, right, right. When you're done, like you steal the prototype, you escalate, a security guard catches you or a rant. Often, honestly, it's a janitor or maintenance person. They know the building, they're protective of the building. And so I cannot tell you how often someone other than security that works in facilities or facilities management, like will catch us and report us. It's really good. Like there's when a security is biggest allies and assets. But once someone catches you, you stop the operation, like everything's done, you can go talk to the like security guy and take your wig off, or go go smile and be like, Hey, I'm so sorry, I caused stress that caused your heart rate to go up a little bit. Here's why we're here. You did an awesome job. And like, the gold when walking away is like, everyone should be like, holy crap, that was ridiculous. I'm glad that I like challenged you and set something and everyone should walk away feeling good. Even if they let you into the building. You tell them like, Hey, it's okay. You're not going on the report. Like we're professionals. This is what we do. But everyone should walk away feeling good. And then the people that hired you, ideally, should meet you right when you're done. And then you can, instead of sending him a report, where you try to describe a vulnerability in a door or hardware, like you'd be like, Hey, check this out, here's what we can do take two hours and do a walk through, like I call it like an adversarial walkthrough. And that, that has been equally as compelling to security leaders and decision makers as a lengthy report well.

And then the last thing, we'll often end up on like retainer for a couple hours a month to help them manage the risks, where we've identified 50 vulnerabilities or something, we're trying to get them to focus on the six that will be the most impactful, and we'll meet with their folks, maybe retest it and kind of help on an ongoing, it's the dropper reported walk away, is the most common thing, I'm trying to push folks away from that, because being able to assist even a little bit in an ongoing way, is really is really helpful. Because sometimes the fixes don't actually address the root vulnerability. And so, or there's just really creative ways that red teams are able to help. So that is a typical approach. And obviously, if we walk out with a prototype, in this case, there's safeguards like we've had, for really high value prototypes, we'll have someone from like the the supply chain security team, waiting in a car outside. So as soon as we walk out of the building, we hand it to their people. So it's not ever out of chain of custody. And so so there's a lot of ways to work around that. But ultimately, once these steel, steel, the things are captured, the flags that they've asked you to the goal is to make sure every everyone is happy and comfortable and knows exactly what actions they can take to mitigate those risks before a real adversary might try to exploit them.

Travis 38:35
Thank you. Yeah, that's a super in depth explanation. But then it also makes me think about the makeup of a red team, like on a red team. Are there specific roles for the players there? Or is everyone kind of does everyone kind of have the same level of abilities, specialization at something like that work,

Shawn 38:58
there's almost always like, you should almost always have different specialties. Oftentimes, the the folks that are phenomenal at social engineering might not be the ones that know how to read the data from a badge reader or weaponized badge reader, and actually parse the ones and zeros and replicate it with a Proxmark and emulate or like inject a inserted ESP key into a badge reader. And so like, there's between like, the social engineering and the technical. If you're big enough red team, like having an analyst on the red team helps in a million ways. I've had that once, and a big enough team to do that. And it's like from whether it's for like writing reports to be able to say like, this adversary is trying to hack us, but they also have a history of trying to break in and so we know who's going to target us. We know how, but having an analyst that can actually do that instead of a red teamer is amazing. And then they also help in the field with Osa and, and everything. And so yeah, usually a technical person or social engineering person. I call it like a Overwatch, but just someone that has the bigger perspective to, to make sure that if there's armed people there that those armed people know something's happening, or at least like to mitigate the risks associated to their like with the team with the red team and to the red teamers. But that's really, usually you just need, like, you can do it with as few as two people, I think, a technical person and a social engineering, that is not a full Red Team, typically. But those are the two areas that you need. And oftentimes, there's sub specialties like lockpicking, or bypass, which are very different than the technical side of hacking and hacking RFID badge or a system, which might be different than social engineering. And so like, there's lots of different ways to approach it. But usually, there's different roles, but it depends on the company, some companies have different teams managing tech, and they don't really want they either don't want to be tested, or they're not the ones hiring you. And so they might say, we have a bunch of folks that are like, we need to increase security awareness. So focus on social engineering. So I would build a different team that meets the end user, the client or the company's needs based off of the situation, but sorry, long answer to your question. But yes, you kind of build your team according to the needs and who you already have and what your what you think your attack vector might look like, if it's technical, or, or social, or whatever it is. Yeah,

Travis 41:57
that makes sense. That helps me better understand that where, yeah, some people are going to have their own specialty, and they're going to bring some unique skill to your team where, yeah, not every not every person needs to know how to clone credentials, or, you know, do some other very technical exploit. Yeah, that makes a lot of sense. It makes me think so in terms of skills or competencies that a good red teamer needs to be successful to be a useful contributing member of your team? What are the typical skills and competencies that someone needs? Or what do they need to build on?

Shawn 42:39
Excellent question. So I get that question a lot that it's it's a really fun, like I'm so I'm super lucky. It's a really fun field to work in. I've had really cool experience building teams and creating resources. So actually, I've been writing a lot. So I actually wrote on this topic recently. There's, from my perspective, there's three kinds of skills or skill areas to get into physical red teaming. The first is just fundamentals. It's perspective. It's understanding, what is red teaming? What is the red teaming the adversarial perspective? How do you what is an assumption? And how do you identify them and from a security perspective, and then learning like, there's more and more not to use a buzzword but like there's more than more convergence between like cyber and information, physical security. There's a bunch of AI red teams right now a lot of those guys are in the spotlight. And so the first fundamental skill is just just fundamentals like learning what red teams are out there. What is red teaming, deviant Olaf is a really good video called I'm not red teaming. And usually you're not either on YouTube that really some sums up red teaming in my mind. But ultimately, understanding that is skill one. The second is just technical. Like that's what we all think of as just technical skills, like lockpicking social engineering, oh send the packs of physical access control systems like learning how to clone badges, etc. And then bypass techniques so how to like Lloyd's and shims and different ways under Door tool. There's really there's fun skills like things you can do at home, learn how to do at home. There's I mean, lock picking, like everyone I know that's in in any type of red teaming honestly, as has dabbled in it just because it's the this is something that's secure that I want to break. It's this like, tendency of red teamers. And so, frankly, there's a small only, like five or 10% of the physical Red teamers, I know are really, really good lockpicks. And I'm included in that if someone has a mediocre lock, even if someone has like a normal lock, I can probably get in eventually. But it's definitely not the fastest way. It's rarely the fastest way into the building unless you have an absolute Pro, or specialized tools beyond what a normal lockpick set might have. I don't know, I guess, how are you at lockpicking? I don't think

Travis 45:32
I have a set and I've never used it, that I'm bringing so much shame on myself.

Shawn 45:37
No, you're totally good. I can send you like, like my favorite set, I think there's like one through six. And I get really stumped. Like four I can do with regularity now, but like five and six are hard. And it's just how many pins are in each. But But like, again, it's it's kind of the thing people think of when they think of physical red teaming. But it's also a small percent of how we actually get into buildings, like if there's a padlock and a door. Or if someone's kind enough to leave a combination, lock, key lockbox outside. Those are, those are great. Like being able to open those are easy. And there's tons of videos online that could show anyone how to do those. But spending time and being decent at those kind of five areas, the lockpicking social engineering Oh, synth packs the access control system. And bypassing like getting decent at those is important. But you don't need to be phenomenal at any one of them to be a physical red Teamer. And then the last one, the third category is just employment skills. That's going to be knowing laws and ethics around red teaming like were Can you bribe a security guard? Is that ethical? Is it legal? Can you sneak through a co tenant space? If you're trying to break into a company A? Can you sneak through a company B's space to get it? The answer's no. But a red teamer should know that. So they don't end up in trouble. Figuring out like how to manage risk of red teams. And then more importantly, like than not, more importantly, equally as important is report writing and being able to actually communicate and show the end user what you did, showing why you did it, right. You can say like, Hey, we did this, it's vulnerable all day. But if it's not relevant, if they're like, Well, yes, but but no one would do that to us. If you don't have kind of Intel behind why you're doing what you're doing. You're just there for fun. And you're not really benefiting the end user. So being able to communicate. So I think an often under valued skill in red teaming isn't the employment side. And not everyone's amazing at writing or a lot of red teamers are not comfortable with communicate, like with talking, presenting public speaking things like that, that is perfectly fine. But being able to articulate even why you're doing something in a report or some type of format, and understanding kind of why you're doing what you're doing, and what the risks are, like, many places have armed security or have police that respond to certain alarms if they get pressed or go off. And if you're going to be interacting with someone with a firearm, there's certain things that you should and should not do. Like reaching for a letter of authorization, if you have it in your back pocket will be interviewed by someone who's really nervous because they just caught you climbing a fence. And so like there's a lot of basics and things that that you should think through and have some experience or have some learning before you kind of hit the field and lead your first physical red team. But those are the three categories. And there's no academic program and there's no good way to learn them besides. And I like this is an issue with the field like red teaming as physical red teaming as a profession doesn't have a robust education or training kind of system that covers all of this. It's kind of piecemeal, and in order to get experience you need to find a firm that does some of this. You ought to find a firm that does it well and legally like you can a lot a lot of red teamers broken to construction sites or buildings and did urban exploring when they were younger and like they have that experience. But that's not going to help you on a resume. And it's not going to speak to a client. And so being able to build some of those, that experience is really important. And there's a couple of routes to do that. But it's not that as I like to think of Osen as a profession that's come into its own in the last couple of years. Like, it wasn't tired. I think you've had some awesome people on and we've talked about like, oh, send in generally, it used to be a little bit of what a bunch of people do insecurity that you are investigations are law enforcement, like you were able to track people. And now there's companies that focus on it. There's educational programs, there's departments in the government that focus on it, it's, it's really coming to its own as a profession. And Red Teaming is many years behind from that perspective, but it's a good, good example to like, look at and learn from, as red teaming starts to mature I see more and more job descriptions and people talking about physical red teaming.

Travis 51:07
Yeah, there's, I don't know, there's so much I want to talk about there. So you mentioned the technical skills, which, of course, I think a lot of people listening like they could, they could figure out a way where they could get better at their public speaking or their written communications or like some of these more broad business skills. And then for like, the more technical like the sexy things to learn, like lock picking bypass tools, getting around, like cloning cards for a card reader or credentials, that type of thing. Are there any particular resources online? That you would go to to learn more about some of these different things? Or is it really they're really not any, like single sources? Any there's no library that you could go to to learn about red teaming? What do you think?

Shawn 52:06
Yeah, there's not a single phenomenal source. There's like cybersecurity red teaming has awesome like Red Team guy for guide, I forget what it what it is. But there's some really good sources, but they don't cover physical. And so there's a training program I've done from Red Team Alliance, they have a couple physical and I'm biased, because I know the guys and work with them. And they're awesome. But they do like surveillance course and covert methods of entry, where you actually learn the one literally the ones and zeros of reading a badge and trying to convert it with a different technology, and then clone the badge with a Proxmark, or a flip or zero or kind of whatever, whatever it's possible. So they have some cool classes. But that doesn't exist, like one place, I can tell you. Ana, who is my kind of business partner and builds the the physical red team at betta. We were trying to write as much down as possible as we go and consult and learn. And so we were trying to get everything in one place. And we're writing in like locks and leaks. You're welcome to look it up. But it's, yeah, there's no single physical Red Team guide, you kind of have to piece it together. But there's increasing interest. The U of M is discussing a red team course. I think it'd be the first academic course that touches on and actually gets hands on from a physical red team standpoint. That could be really exciting. If that lands, carts the Center for Advanced red teaming, they focused on analytical red teaming with the University of Albany. I liked them a lot. They're They're awesome, folks. But it's not physical, red teaming. But it's all very relevant if you're looking for definitions of red teaming and whatnot. So yeah, there's no good answer. I know my answer is long. It's because it doesn't exist. And I'm slowly working on trying to get things on paper. So it does more. But yeah, there's lots of avid red teamers. But the one thing I'll say, if anyone's listening, if you're new to Red Teaming and trying to learn, knowing that there's no single resource that exists, you should build it like as you learn the best perspective for new kind of new students and learners is from people that are actively learning or recently learned it. And so as you learn, and build your career and physical red teaming, like write things down, build a guide or kind of a link Tree or think Travis, you have a really good one. Forget the website that you use. Yeah. start.me. Yes, yeah, I love that. So like someone should build a start.me for physical red teaming. And so if someone listening is interested, please jump in and contributed kind of build, build this profession into more of a standalone profession. There's a few people that do it full time and a lot of people that do it part time as part of another role, but I think it absolutely can be a standalone profession of the people involved start to make it. So that's my pitch.

Travis 55:40
Yeah, I think, yeah, that would be a really cool resource to build. And I think it's not just it's not just red teaming. It's really all physical security. If you compare any of the educational or self directed learning programs that are cyber versus physical, it is like night and day like, I just did, Professor Messrs. Security Plus course. And he probably has, I forget, we'll say 20 hours of lectures, but there's no physical security equivalent, that has high quality lectures like his about physical security. Like I think there's definitely, there's a lot of catching up for us on the physical security side, because everything cyber is, you know, generally it's very mature compared to the alternative. That's something that I've definitely seen.

Shawn 56:36
Yeah, I think we were in agreement on like physical as a lot of room for more academic approach, at times are saying, like, I'm a big fan of the scientific approach, because that's what we do. We go in and we test, we run experiments to see what what works. But that was just research in general to run to make our decisions based off of data and kind of science versus assumptions and assumptions are the best like not to completely crap on that assumptions are the best that we have in a lot of regards of the moments, like vendor promises that something works a certain way, etc, or combining a bunch of complicated systems to and hoping that they work a certain way. But ultimately, there's a lot of room I think, in physical security, specifically to kind of build and mature that.

Travis 57:32
Yeah. And you also mentioned, like the different types of red teaming, I forgot the word that you used about the one from University of Albany. But I remember analytical Yeah, analyticals. So one of the first red teaming books at ever read, like, of course, I go pick up a book on red teaming, I think it's about like, some of the cool technical sexy stuff. And I picked up the book, it was the red team handbook. I think it's by the US Army. It's like the Army's guide to making better decisions. And as I started reading, I was like, Wait, this is just a bunch of like, yeah, it's like structured analytical techniques, or like group facilitation exercises to get people to, I don't know, think more critically about their business strategy or to challenge you know, what an alternative might look like, if they use this to address their problem. Like when I was reading it, I was like, this is totally not what I expected. But it's all like, all this comes back to pretty much like psychology and critical thinking. So it was really interesting, but it was completely not what I was expecting when I picked up the book.

Shawn 58:35
Yeah, that the UF MCs, the Army's handbook for red teaming, totally different type of red teaming from breaking in. But you're, you're challenging assumptions, and you're helping leaders make better decisions. And ultimately, like that is what all the types of red teaming are. It's just a different approach. But I used I mean, I've used that, like some of those techniques all the time. And I know some of the authors too, which is really cool. That that we've learned, like I've learned from them and had them kind of helped facilitate, larger, like, after a physical Red Team assessment. There's 15 people involved, and I have to then fix it. And so we'd sometimes use those techniques to help everyone brainstorm different ideas and think from different perspectives. And so that's like Red Team Inception at that point. But ultimately, ultimately, they like ultimately, it's helpful. So yeah, that is a free PDF online. Version 9.0 is, I think, the latest and the last version that they'll put out, but that that book specifically is available online. And then the other two I mentioned earlier, both talk about that one a lot, but they bring it to life a bit more with stories and talking about how different military drills and how they actually apply those to, to make different decisions. So, yeah, I'm passionate about that type of like, it's almost like business. And like you said, it's like business focus, critical thinking. But it absolutely focuses on making better just helping leaders make better decisions. So, so I'm saying,

Travis 1:00:20
yeah, very interesting book. And you mentioned a little bit about some of the training courses you've gone to that were useful. What courses or what training programs have you done over the past years that you that you feel like were that made like a significant addition to your ability to be a red Teamer? Are there any that really stand out what, whether they were security or something unrelated, that just happened to be like, something that helped build up your skill set

Shawn 1:00:51
conferences, so at this point, there's no single and the point of red teaming, like one of the premises is like, diverse perspectives lead to better decisions. And so if you're interested in getting into physical red teaming, like seek out training from different people and different types of training and acknowledged that will they might conflict or they might be different, like you are gaining knowledge about something from multiple perspectives and that's a good thing but but from a fast tracking that like go to some conferences like DEF CON. In Vegas, I always recommend it. I think red team Alliance usually puts on and that's I mentioned them like their covert methods of entry training, big fan of them, I'm bias all acknowledge that but they put out a like an event that typically has some kind of fun hands on practice. But at DEF CON, there is social engineering village where people sit in a soundproof booth and make calls in front of a large audience to different and they have targets and they have goals. And like, sometimes they're so successful that the organizers need to mute the phone because someone's reading their social security number and access code to a very secure building, to the person on the call. But it's a really cool experience watching people. And if you're interested, and you're, you're up for it, enter, enter the contest, see if you can join either as one of the teams or get in the booth and actually call the company or two and RIT. See if you can social engineer. There's also a lock picking village where you can learn to, to get out of handcuffs and pick locks and different bypass techniques. And DEF CON is chaos and a lot of fun. But conferences are the best way to like meet people talk talk about stuff. And and also get hands on a bit and learn and see people do stuff live like to me, that's the best training. And obviously, there's this talks each year that are pertinent to various types of red teaming, pen testing, and whatnot, but but I think that would be my advice. Seek out diverse training and opinions. And it doesn't all have to cost money. Like if you want to do lockpicking Reddit has a great subreddit where you can like pick different types of locks, I guess you have to pay a tiny bit for the lot and lockpicks from wherever you choose to get it but you can learn Yeah, learn how to lock pick and post your results. And then you get a different belts as you go up. And so lots of cheap and easy resources to like get better at the field without needing to pay for a super expensive training and, and whatnot.

Travis 1:03:56
Yeah, that's great advice. And I've never been to DEF CON, but it is on my list to go this year. And yeah, that seems like one like a very good opportunity for some of the more technical stuff. Okay, like the lock picking village and some of these. But yeah, also just being able to see someone live doing their social engineering exploits, or even something more technical, where they're looking at the audience's devices and that sort of thing. Yeah, I think just being Emerson and seeing someone do it live is just going to give you more ideas for when you're tackling your next project.

Shawn 1:04:33
Yeah, absolutely. And there's usually a line out the door for that one. So be prepared to wait a little bit to even get in the room. It's a very, very popular one. But I learned a lot got to see some colleagues like win a cool prize when I was there. So it was it was a lot of fun to be able to watch that and also some of the talks are about hacking badges or about hacking. turnstile machines are different ways to bypass them. So there's there's tons of useful information. But it is a hard conference to figure out. There's so much going on that if you're going on for the first time, my recommendation we find someone that's been an ask them some for some advice on what to go to. Because my first time was a little bit, it was a little bit chaotic. And by the end of it, I was like, Okay, I know how to do this. But if that's the route you decide to take, as you kind of learn physical red teaming, definitely talk to someone that's been and figure out which villages which talks to go to, if you want to focus on the less cyber more physical side of the house. Okay,

Travis 1:05:45
yeah, that's great advice. So I'll be texting you the week before DEF CON this coming year. Perfect.

Shawn 1:05:51
I will be there and I will gladly meet up and we can maybe make a social engineering team or something. Enter a contest or two, it'd be fun. But yeah,

Travis 1:06:00
I'd love to. That'd be cool. And then next, so obvious question. So if there's an aspiring practitioner out there, and they're like, well, this could be someone one of your grad put in your grad program that says, Shawn, this is my dream to be a red Teamer. How do I work? Where do I even get started?

Shawn 1:06:23
I go back to those three things. The employability the technical skills and understanding what Red Teaming is and the perspective focus on gaining kind of baseline skills in that area. And then, I think I think they wrote a an article about this at some point. But there's a couple of routes in to physical, red teaming. But at the moment, there's not like, there's not a ton of jobs that are posted that are specifically physical red teaming. So if you find a consultancy, that does a fair amount of red teaming, but they also do Osen. And they also do just general security consulting, you can usually find those with the right Google searches, like security consultant, plus red teaming, or pentesting. Try to get a job there. Sometimes they hire part time, sometimes they hire like 1090 nines, but try to connect with one of those companies say, here's, here's my goal, I understand I don't get to jump into this right away, because it's a kind of an niche field. But I'd love to consult and work with you guys. And if an opportunity comes up, awesome. I also have a GitHub, I've posted every physical, Red Team job description for the last five, six years on there. And so you can you can like just try to capture that because if someone wants to get into it, look at the job descriptions, make sure you have those skills, and that some of that experience as much as possible, and then be ready when the next one gets posted. Right. There's, there's not a lot of people in this field with experience. And so if you've made yourself if you've gone through the job descriptions, that historic ones, and you're kind of ready to pounce when the next one comes up, then you'll be at a huge advantage. But it's a long path. It's it's not a mature enough fields, like stand alone field where there's a job posting every other day and and you can probably get in with enough persistence, in plan on if that's your career path, plan on having a job and you're just new to it, like have a job in between today. And when you start red teaming and make sure that job is relevant to physical red teaming, or adjacent to it or allows you to kind of sneak in but with enough research, you can see the there's probably five or six firms. Actually, I think I list them as well, somewhere, like five or six firms that do a lot of physical red teaming. And then there's a few dozen that do red teaming on the side. And so you can definitely find those companies and try to get involved and once in a while, like UBS posted a physical red teaming job a few months back and Google had one a few years ago but like there's these jobs come up these like awesome dream jobs. Just be ready, be ready when they do that would be my advice is learn, prepare and get an interesting job in the meantime and kind of be ready with your connections and with your skills to pounce when it's available. Yeah,

Travis 1:09:41
that's a really good point when it comes to like combing through a lot of those past job descriptions just to have a like very concrete understanding of what specific skills, what credentials do I need. And then also, like, maybe even some of the more nice stuff like I'm at When I saw one posting, it was for logistics company that owns a lot of data centers. So it's like for stuff like that they might specifically want someone who has data center experience. So yeah, that that is a very good point of combing through those job descriptions and having a better understanding and then trying to position yourself in a place where you could grow all of those skills over time, and then eventually make that career change. And it does seem like consulting would be the ideal place, because likely you're going to get to interact with many diverse types of clients that you get to serve. So likely serving people in many different verticals, you're seeing many different types of challenges. You're seeing the security solutions deployed out there in the field, you're seeing how they're working, how they're not working, how maybe the vent, like, common challenges you see with very specific vendors. Yeah, I could see that being very interesting. And then also eventually setting you up for that, for that career move from something like consulting into red teaming.

Shawn 1:11:08
Yeah, no, I could not agree more. On the consulting side, like that you say, like consulting is probably a good route in I think it's, it's a really good route in I don't think it's the only like, if you work your way up in a company to like, I mean, if you're like even a security specialist or a manager, you might be able to, I know plenty of companies who have hard time physical security, red teams, or if you're in charge of the data center, you can do a little bit of red teaming, or hire a company to come and test it and embed with them. We do that a lot where, like, the best illustration of a company's like, to a leader of a company's gaps, or when you bring a someone from finance, like we're a security leader, along on a red team. And actually, they get to have some fun in the field. But they also get to see firsthand like, what works and what doesn't. But there are routes on the corporate side, what do you do like where you're a manager, and you also do some physical red teaming on the side or, like you your red team, your partner's data center, and the red team yours or something like that, like every quarter. But that also gives you a huge boost. Because a good red teamer, it's not necessary, but I think a good red teamer kind of background is also having spent time on the blue team. And so knowing the struggles, now, those are trying to implement security, how slow some of those chips sometimes turn in terms of like, changing, like, global change, like a red team can come in and be like, this doesn't work, this doesn't work, fix it, fix it, fix it. And these guys are like, there's a million reasons those things are the way they are, we can't just pivot on a dime like that. So spending time on the Blue Blue Team side is a good suggestion. But one other side route. And I'd also recommend if someone's interested, like if you're amazing at one of those skills that I mentioned earlier, for red teamers, like lock picking, or bypass if you're super creative, and a really good hands on engineer and a really good social engineer. If you are really good at kind of aggregating information and resources, like whatever your skill is, get really good at it and publish, publish videos, publish, how to guides, make a course, like I'm a huge kind of open source, give back to the community, type, person. And so to the extent that you can, like contribute to the physical security or physical security, Red Team, community do that. So you get recognized that is also another really good route in if you find your kind of focus on something that you can excel at. Or even if you're not the best at it, but you are learning, document your learning process and put it out there. And by taking the risk, you'll get feedback and recognition and just connect with other people like you and me and other people in the physical and red teaming community. And if it's something that you're passionate about, like you can definitely work your way into the field is a lot of fun. So highly recommended.

Travis 1:14:35
Yeah, that's a really good idea. Like really just being active online and sharing like the lessons that you're learning. And what comes to mind as you say that, like I could think of so many people who are like, Oh, synth gurus have pretty much done just that, basically just by sharing their learning experiences, creating different types of information all shareable. holes that they could put on LinkedIn on Reddit. Where have you? Yeah, it just demonstrates like a very high level of expertise. But then also they're giving back to the community. And I could definitely see even something like that opening up doors in terms of red teaming, because Osen is going to be one of the tools that red teamers use when they're doing their planning. Maybe there's more than they're doing their execution as well.

Shawn 1:15:24
Yeah, 100%. Like we, we have a, I like to think we have a really good network at my company. And so if we're doing a red team, we'll like reach out to someone that we know, like, regularly, there's a red team job that requires a specific skill or something along those lines. And if I don't have someone on speed dial, I might be like, you know, I saw someone post a really good tutorial on YouTube of how to do this. Like, I wonder if I can reach out and like, I wonder if they do consulting on the side. And so, like, we have found up and coming red teamers or just people interested in the field that can kind of come on for a job and get that experience and reference just because they're, they're out there, and they're posting. And so it's not only like a good way to get into the field, like you might get a call or a YouTube at some point being like, Hey, do you do this outside of on YouTube? And if so, do you want to kind of teach us how or if you're do some kind of you're a consultant, like, do you want to join us for a specific job that requires that and so like, that's not a not a guarantee, but it's definitely a way that we have found some some awesome partners in the past. That's

Travis 1:16:37
really interesting. Yeah, I hadn't considered that. Yeah, if someone's just out there nerding out on some very niche topic. Maybe it's flipper zero, or some other technical tool, or maybe something completely manual, not technical at all. Yeah, that could be that could be the door that opens for them. That's really interesting. Yeah,

Shawn 1:16:57
I can tell you like, the not so civil engineer, I don't, I haven't looked for a little bit. But his channel for years, like always posted, like, really awesome contents just about, like, here's a new way to bypass a door. And it would just be like this out of left field thing that like, I don't know that we would probably pay someone a lot of money for training. And they're putting it out there. And like being able to find folks like that that are like that's just a good example of someone that has given back and done a really good job of like publishing awesome tutorials, but it's that the bar is like you can easily meet that bar if you're interested in kind of getting your name out there and giving back and also as a side bonus, potentially getting recognition and or a job out of it. But if a big company opens up a physical, Red Team position, or if they subcontract out to like a third party, who then hires physical red teamers, some of the tech companies will will use third party like contracting contractors to bring in being able to say like, Hey, for the last two years, I've been publishing on this exact topic, and I'm somewhat you don't need to say this, but like, they'll be like, Oh, this guy is or gal, or whoever it is, like, they're somewhat known in the community. This is a perfect candidate. And so I've had that happen with a candidate before I'd be like, Oh, my god, that's amazing that this person that I've followed for a while applied for this job? Absolutely. Let's talk to them. So as someone that that hired for a while like, and that was one of the most exciting points to be like, they want to work for us. That's amazing. And they're probably having the same, the same experience. Like they want to talk to me. And so that's the best, kind of the best of both worlds. So I think that's a core app to be able to give that.

Travis 1:18:55
Yeah, that's a really cool idea. Yeah, just being able to share your learning online, and then that can lead to some really cool opportunities. And then also, you mentioned, like, getting some experience on the blue team side. And yeah, I think that part is so critical, because you understand, like, all of all of the different challenges of being the person who's walking around in khaki plant, khaki pants and a black polo, and you're, you're black, you're on your waist, yet. So just understanding like the points that are most vulnerable, or, you know, the person sitting in an operation center cannot possibly answer emails, phone calls, and watch CCTV for, you know, multiple sites all at the same time, or even just at the end of the shift, like how great is their attention span, and when they're at the end of an eight hour 12 hour shift, or like some of these some of the more nuanced psychological stuff, I think, too. It's just really important to understand or even the Ask specs have like in social engineering, like they often appeal to authority, right? But when you're someone who is a residential security agent, or you're just a, you're just a security agent working at the headquarters of any tech company, like, so these appeals to authority make a lot of sense. Because if you're not making a ton of money, you're working as a security officer and someone says, Well, don't you know who I am? Or like any of these, these types of appeals to authority or some of these other? Yeah, some of these other attempts just to exploit our weaknesses, it just makes a lot more sense when you've been the person on the other side, and you could understand their perspective, I think that's great advice as well.

Shawn 1:20:48
Yeah, coming at it, the way I always put that is like coming from a place of empathy instead of a gotcha. Like, if exactly how you just said it, if if you're showing up in big liquid we did, we were able to XYZ versus like, maybe these 1216 are like coming from a place of empathy, where like, you're understanding like the the length of the shifts, or the whatever and be like, you don't need to root cause it to a point where you will you point fingers, obviously, but approaching reports and approaching clients with an understanding of what it's like to be in their shoes. Like, even on the EP side, we've done a lot of executive like, we don't just break into offices, we're like, do executive protection programs because the the risk is high, and the ability to not be perfect is low, right? Like the expectation that everything works perfectly or almost perfectly is so high, I guess the And so helping to test and improve those programs.

understanding kind of the things that they're struggling with that the neighbor down the block already hates. The fact that there's an extra SUV parked wherever or like just not adding to people's pain points, and instead, giving them the information, sometimes giving them like media compelling stories, like maybe they've been saying the same thing to they're protecting you or their security leader. And it's not until they have a compelling story and a video of someone doing the thing they've been warning about in a fully controlled environment. So there's no actual risk there. But it's not until you have that where. So ultimately, like, the red team has a blue team in disguise. The red team's goal is better security, same as the blue team. They just take a roundabout way of getting there. And so the ability to know what the blue team does, what they struggle with what the budget trade offs are, is really, really helpful for any red teamer to have. So, I definitely, definitely agree on all counts of what you said about having some time spent there. Yeah, and that was a good point too, about empathy about really like teaching, any security officer, any security specialist after a mistake has been made. Because I think, really, like, if you go to the other extreme, where you just completely lack empathy. And you just completely disheartened some security specialist, some security officer, that's going to adversely affect the program to fully agree, yeah, the approach is essential, because you can, you can make people's lives harder. But your goal is to not only make their lives easier, but if if something bad's gonna happen, and if, if if a red team does it, people get credit for identifying and fixing it before anything happens. But if a true adversary does the same thing, then

there could be harm to people, there could be loss of jobs, there could be there could be real consequences. And so the our goal is to make the lives of the blue team easier.

And so being able to sit down right after and run through that. And ultimately, like the test of a good red team success is if partially if something was done based on the results, but partially if the decisions and the data are clear for the for the blue team, folks. So like we are a service for the blue team. I don't want to you know, people love the excitement of red teaming and I'm all for that it is exciting, but like from a perspective of like, where we sit in the the hierarchy, I don't want to get ahead of ourselves. We're like, we're this complete badass team that does whatever we want in the corner and nobody, nobody can stop us like ultimately our our existence is dependent on

Are utility like our use to the company, or our clients in this case. And so I think that making sure that is at the core of what we do, and then red teaming, and the fun stuff is kind of you still get to do that. But it's not the focus. It's just, you know, an extra awesome job perk that you get to talk about and do. Part of your job.

Travis 1:25:24
Yeah, and that's important, too, when it comes to, like building those relationships internally, or building those relationships with clients. Yeah. So that all of your really, so thank you get the absolute most out of like, all this hard work that you're putting into it. And, Shawn, so before we wrap things up, were there any other topics or any other ideas that you wanted to get into? Or maybe something we might have skipped over?

Shawn 1:25:54
I don't think so. I mean, the biggest thing is the net positive of red teaming. From a red team perspective, like, there's a lot of ethical conundrums about different things. And like, there's a lot of ways you can do things if there's the creativity side that you brought up. So I'm a big and there's a lot of disagreement on this specific point. But like, there's the the folks that'll send out phishing emails that say, you got a bonus, or you got fired, but ultimately, like, just click here to see it. But ultimately, it's just a phishing email. And in my, from my perspective, like, yes, it's unethical. But you know, you could justify it saying that a real adversary would do it. But to me, it's also uncreative, it's, it's like a cheat code, you can have the same effect, you can set send something else exciting out. That like your your feedback for the quarter from your managers available to view and like, people aren't going to be heartbroken or mad or upset, and it's not going to be in the news, like the other ones aren't like, you are not going to create risk for your company from where we're at, like, from a morale perspective, by doing it. And so, there's always ways to test like, we've tested lots of explosive detection and firearm related things. And like, there's ways to test really important hard things without actually creating risk by testing them. And you reduce risk by being confident that they either work in a certain way or knowing that they don't work for a certain thing. And so say, be creative, be ethical, as you go about it. And give back as much as possible. And I guess, as you learn, and then we're here to help the blue team. The I know, that's just a euphemism for the broader security team, the 98% of the security industry, I don't think I specified that upfront. I just kept saying this, the mystery mysterious blue team, but like, that is the security professionals, anyone protecting anything while is kind of the blue team because they keep things safe. And the red team tests things with the goal of keeping it safe. So no, I think that's it. I really, really appreciate you having me on. And clearly I care a lot. And I talk a ton about this. And I'm sorry for talking so much. But I love this stuff. So if someone's interested, reach out, come hang out with Travis and I are at Def Con this year. You're in Vegas during John August, right? First kind of eighth, if I remember correctly, or so. So that's really all I can think of. Awesome.

Travis 1:28:44
Well, Shawn, it was super fun chatting.....

Share this
Exit mobile version