7 Habits of Highly Effective Adversaries

By Joe Gray

Elevator Pitch

As someone who has spent their whole career on the blue team, I am working on moving to the red team. This presentation talks about the TTPs needed to be successful as an adversary, whether operating as a penetration tester or a red team operator, while leveraging blue team experience.

Description

Abstract

Despite the profession having undergone a renaissance over the years in refining its methods of both offense and defense, there is still much disparity in how people navigate their careers. Even for malicious adversaries, TTPs evolve alongside defensive techniques. How does one get into this frame of mind, and what should they do to improve and innovate?

As someone who has spent their whole career on the blue team, I am working on moving to the red team. This presentation talks about the tactics, techniques, and procedures (TTPs) needed to be successful as an adversary, whether operating as a penetration tester or a red team operator, while leveraging blue team experience.

Detailed outline:

• Intro (2:00)

• Transitioning from Blue to Red (10:00)

  o The dichotomy of Blue vs Red (not black hat versus white hat or good versus evil, but a difference in mentality)

  o Useful Blue Team skills for offensive roles

  o Blue Team jumping-off points and Red Team transitions

    ▪ Reverse Engineer to Exploit Development

    ▪ Threat Intelligence to Offensive OSINT

    ▪ Application Security to Penetration Tester or Exploit Development

• Habit 1: Recon and more Recon. Did I mention Recon? (16:00)

  o Through my informal research, leading professionals in adversarial roles estimate that they spend between 40% and 65% of their time on an engagement doing OSINT

• Habit 2: Enumerate^3 (24:00)

  o Just because the client said the environment is 100% Windows doesn't mean you shouldn't enumerate and verify. Along the way you may also find missing patches, insecure services, or misconfigurations.

• Habit 3: Live off the Land (30:00)

  o You don't need to bring in a whiz-bang solution. The Python or PowerShell already on the host can be just as "lethal", if not more so.

• Habit 4: You don't have to be a "Nation State" (36:00)

  o You don't need to be complicated. Read the Zen of Python.

  o If you can do the following, you're likely in business:

    ▪ Install a program

    ▪ Email something to yourself

    ▪ Use Tor

    ▪ Communicate with social media via an API or the web, and upload pictures

• Habit 5: Don't Forget Social Engineering (41:00)

  o Technology typically doesn't fail; people do. Exploit that (respectfully).

• Habit 6: Study Blue Team techniques (46:00)

  o What is the point of being a 1337 attacker if you do not understand what your opposition is doing to defend against your tactics?

  o Learning what keeps them up at night, or how they will stop you dead in your tracks, may be the difference between DA (Domain Admin) and N/A

• Habit 7: Remain adventurous and curious (50:00)

  o Never stop learning

• Questions (55:00)
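As an added example for Habit 2 (enumerate and verify the "100% Windows" claim) and Habit 3 (live off the land with the Python already on the box), here is a script that is not part of the talk: it uses only the standard library to parse nmap's XML output (as produced by `nmap -sV -O -oX out.xml`) and reports hosts whose OS fingerprint or service banner contradicts the claimed OS, plus open cleartext services worth a second look. The scan data embedded below is constructed for the example, not a real scan; the accuracy threshold and the list of cleartext protocols are the author's own choices.

```python
"""Check a client's "the environment is all Windows" claim against nmap output.

Added example, not code from the talk. Standard library only (xml.etree), so it
runs on any host that already has Python installed.
"""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format (three live hosts, one down). Not real data.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.10.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" ostype="Windows"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" ostype="Windows"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2019" accuracy="97"/></os>
  </host>
  <host><status state="up"/><address addr="10.10.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" ostype="Linux"/></port>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd"/></port>
    </ports>
    <os><osmatch name="Linux 3.10 - 4.11" accuracy="94"/></os>
  </host>
  <host><status state="up"/><address addr="10.10.1.30" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="lighttpd"/></port>
    </ports>
    <os><osmatch name="Cisco IOS 12.X" accuracy="88"/></os>
  </host>
  <host><status state="down"/><address addr="10.10.1.40" addrtype="ipv4"/></host>
</nmaprun>
"""

# Protocols that carry credentials in the clear; example's own list, extend as needed.
CLEARTEXT_SERVICES = {"telnet", "ftp", "pop3", "imap"}


def parse_hosts(xml_text):
    """Return live hosts as dicts: addr, OS guesses [(name, accuracy)], open services."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # nmap still emits down hosts; skip them
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        os_guesses = [(m.get("name", ""), int(m.get("accuracy", "0")))
                      for m in host.findall("os/osmatch")]
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            services.append({"port": int(port.get("portid")), "proto": port.get("protocol"),
                             "name": get("name"), "product": get("product"), "ostype": get("ostype")})
        hosts.append({"addr": addr, "os": os_guesses, "services": services})
    return hosts


def verify_claim(xml_text, claimed_os="Windows", min_accuracy=85):
    """Compare each live host with the claimed OS.

    Returns {"contradictions": [(addr, [evidence, ...])], "cleartext": [(addr, port, name)],
    "unverified": [addr]}. A host contradicts the claim when its best OS fingerprint (at or
    above min_accuracy) or any service-level ostype names a different OS. Hosts with no
    usable fingerprint and no contradicting banner are listed as unverified, not as confirmed.
    """
    report = {"contradictions": [], "cleartext": [], "unverified": []}
    for h in parse_hosts(xml_text):
        evidence = []
        best = max(h["os"], key=lambda m: m[1], default=None)
        if best is not None and best[1] >= min_accuracy and claimed_os.lower() not in best[0].lower():
            evidence.append(f"os fingerprint: {best[0]} ({best[1]}%)")
        for s in h["services"]:
            if s["ostype"] and claimed_os.lower() not in s["ostype"].lower():
                evidence.append(f"{s['port']}/{s['proto']} {s['name']} ostype={s['ostype']}")
            if s["name"] in CLEARTEXT_SERVICES:
                report["cleartext"].append((h["addr"], s["port"], s["name"]))
        if evidence:
            report["contradictions"].append((h["addr"], evidence))
        elif best is None or best[1] < min_accuracy:
            report["unverified"].append(h["addr"])
    return report


if __name__ == "__main__":
    result = verify_claim(SAMPLE_NMAP_XML, claimed_os="Windows")
    for addr, why in result["contradictions"]:
        print(f"{addr}: not {'Windows'}: " + "; ".join(why))
    for addr, port, name in result["cleartext"]:
        print(f"{addr}:{port} cleartext service {name}")
    for addr in result["unverified"]:
        print(f"{addr}: claim not verifiable from this scan")
```

On the sample, two of the three live hosts are not Windows at all (a Linux box and a Cisco device), and both expose a cleartext login service. Run against a real scan, replace `SAMPLE_NMAP_XML` with the contents of your `-oX` file; the "unverified" bucket is deliberate, since a host nmap could not fingerprint is not evidence that the client's claim holds.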