Red Teams and the Value of Open Source PoC Exploits

Red Teams are a necessary part of a good cybersecurity program. The Red Team is offensive security, explained Richard Tychansky, a security researcher speaking at (ISC)2 Security Congress. During the Red Team process, Tychansky said there are several stages to follow:

• The organization and the Red Team (whether in-house or externally contracted) will agree on a goal for the exercise.
• The Red Team will perform reconnaissance to map the target system(s), including network services, web apps and employee portals.
• Vulnerabilities within the target system are identified and exploited, typically through phishing techniques or cross-site scripting (XSS).
• Once valid access tokens are secured, the Red Team will use that access to probe for further vulnerabilities.
• If further vulnerabilities are found, the Red Team will escalate their level of access to the level required to reach the target.
• Once this is achieved, the target data or asset is reached.

Getting Started with Red Teaming

In Red Teaming, you need to understand your adversary, whether in the cloud or on-premises, and then mimic that adversary. The Red Team, said Tychansky, like an adversary, wants your data. But to know if Red Team processes can be successful, you need a proof-of-concept (PoC)—the ability to show that hackers can take advantage of a security flaw.

“The dark web marketplaces are one source [for PoC sources],” said Tychansky. “GitHub is another great source if you just type in CWE and proof-of-concept. You’d be surprised what you can find.” Reddit, Twitter, and Exploit Database are other good sources for PoC; the reason being that people want to become known for the common weakness enumeration (CWE) and PoCs they create.

“When talking to security researchers, when you’re developing your inputs for all of your open source intelligence analysis, you want to look at all of these different sources,” Tychansky explained. “You also want to look at all the different libraries and frameworks that you’re using so you can find anything related to security. If you are building a Red Team, these are the things that need to be on your radar, something you’re looking at on a daily basis.”

Going to the Dark Web

There are commercial sources that offer PoCs and that will provide the intelligence analysis you need to conduct your Red Team operations, but open source is the better option here, Tychansky said. He considered it a form of tradecraft: you are better off building your own tools to gain an advanced adversarial advantage.

It seems like an oxymoron to use the dark web to find security tools, but Tychansky said the top dark web marketplaces are actually built with security in mind; all use two-factor authentication (2FA) and require upfront payments.

However, Tychansky admitted he is seeing fewer and fewer PoCs offered for sale on the dark web lately. More vendors are going a la carte with their exploit offerings. Nation-state buyers are going in and buying up exploits and vulnerabilities, taking over these marketplaces and making it more difficult for ethical hackers and security researchers to get access.

“That’s why you hear of more nation-states being more successful in planting their malware,” Tychansky explained. It is also why it is harder for Red Teams to get the tools they need.

“We do offensive testing, and we need to use the latest and greatest that’s out there,” he said. As the dark web becomes a less valuable source for PoC exploits, GitHub has become the gold standard for open source PoCs that actually work.

“You need to find that security researcher who didn’t get paid or someone said no to them,” Tychansky said. So instead, they are going to publish their CWE or CVE so everyone can see it and has access to it.

The point of Red Teams and red teaming is to find the vulnerabilities and weaknesses in a system before the bad guys do. By relying on open source PoC tools, security researchers can build a collaborative community to share information about flaws and stay ahead of the threat actors and nation-states.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She has been writing about cybersecurity and technology trends since 2008.