DeepSec 2020 Talk: RedTeamOps – Mert Can Coskuner, Caglar Cakici
Red team operations involve many skills, and an operation requires a lot of monitoring, consolidation and caution. In order to perform red team operations faster and more stealthily, without having to think about the infrastructure, every team develops its own habits and standards. However, there is a problem with those habits and standards:
- There are tons of tools but no operation management,
- No aggregation between these tools,
- When OPSEC fails due to problems above or any other reason, it’s essential to possess the capability of maintaining robust infrastructure which can be recreated if discovered, and more importantly, without any issues upon deployment.
In this talk, the infrastructure challenges we face as red teamers will be discussed. Along with the challenges, a solution will be proposed based on DevOps practices such as:
- Design your infrastructure based on the standards and habits which your team has
- Create playbooks which suit your needs based on your design
- Create a CI pipeline to test and maintain your playbooks
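The third step above, testing playbooks in a CI pipeline, is where infrastructure misconfigurations get caught before deployment. The following is an added example written for this post, not the speakers' tooling: a policy check that a pipeline stage could run over an infrastructure-as-code descriptor. The descriptor format (a dictionary of hosts with listeners, admin sources and log retention) and the rule set are assumptions chosen for illustration; the sample descriptor is constructed inline.

```python
"""Policy gate for an infrastructure-as-code descriptor.

Added example for this page, not code from the talk. The descriptor
layout and the rules are assumptions; a real team would encode its
own standards here and run this as a CI stage before applying a playbook.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample descriptor (format is an assumption, not a real inventory).
# edge-1 follows the team standard; edge-2 has three typical misconfigurations.
SAMPLE_INFRA = {
    "hosts": {
        "edge-1": {
            "role": "redirector",
            "listeners": [{"port": 443, "tls": True}],
            "admin_sources": ["10.0.0.0/24"],
            "log_retention_days": 30,
        },
        "edge-2": {
            "role": "redirector",
            "listeners": [{"port": 80, "tls": False}],
            "admin_sources": ["0.0.0.0/0"],
            "log_retention_days": 0,
        },
    }
}

# Team standards, expressed as data so they live "as-code" next to the playbooks.
MIN_ADMIN_PREFIXLEN = 16      # anything broader than a /16 is treated as world-open
MIN_LOG_RETENTION_DAYS = 7    # logs must survive long enough to reconstruct an incident


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def check_host(name: str, cfg: dict) -> list:
    """Apply every rule to one host entry and return the list of findings."""
    findings = []

    if "role" not in cfg:
        findings.append(Finding(name, "role-required", "host has no declared role"))

    # Every exposed listener must terminate TLS; plaintext is a misconfiguration.
    for listener in cfg.get("listeners", []):
        if not listener.get("tls", False):
            findings.append(Finding(name, "tls-required",
                                    f"listener on port {listener['port']} is plaintext"))

    # Administrative access must be restricted to a reasonably narrow network.
    for src in cfg.get("admin_sources", []):
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen < MIN_ADMIN_PREFIXLEN:
            findings.append(Finding(name, "admin-source-too-broad",
                                    f"admin access allowed from {src}"))

    # Logs must be kept long enough to investigate what happened on the host.
    if cfg.get("log_retention_days", 0) < MIN_LOG_RETENTION_DAYS:
        findings.append(Finding(name, "log-retention",
                                f"retention is {cfg.get('log_retention_days', 0)} days"))

    return findings


def run_policy(infra: dict) -> list:
    """Run the checks over every host in the descriptor."""
    return [f for name, cfg in infra["hosts"].items() for f in check_host(name, cfg)]


def ci_gate(infra: dict) -> int:
    """Exit status for a pipeline stage: 0 when clean, 1 when any rule fails."""
    findings = run_policy(infra)
    for f in findings:
        print(f"[{f.rule}] {f.host}: {f.detail}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_INFRA))
```

Run as a pipeline step, a non-zero exit blocks the playbook from being applied until the descriptor is fixed, which is the "test and maintain" loop the talk describes. Keeping the thresholds as named constants means a change to the team standard is a reviewable commit rather than a tribal-knowledge habit.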
We asked Mert and Caglar a few more questions about their talk.
Please tell us the top 5 facts about your talk.
- Tailored red team operations, over time, become hard to maintain.
- Manual procedures are prone to human error.
- As-code practice keeps infrastructure in check.
- Automation removes the human element and makes infrastructure testable.
- OPSEC fails often occur due to infrastructure misconfiguration.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
We were performing red team engagements and based on what a situation needs we were changing our infrastructure per engagement, sometimes per scenario. As these changes became regular we felt that we should automate it in a testable and documented way.
Why do you think this is an important topic?
As red team engagements are evolving and becoming a regular service for companies, companies should evolve not only their methods but also how they operate due to the OPSEC factor of the real threat actors.
Is there something you want everybody to know – some good advice for our readers maybe?
Always automate, document and test your procedures and do them “as-code” if you are able to.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
What comes next could be a platform, like a vulnerability management platform for red teamers, which does automation for them in a way.
Mert Can Coskuner is a Security Engineer at Trendyol. He is publishing a security blog at medium.com/@mcoskuner. In his free time Mert Can is performing malware, red team and threat intelligence research.
Çağlar Çakıcı is a lead security engineer at Trendyol. He has 16 years' experience in cyber security. In his free time Çağlar performs red team research and vulnerability research.