If you were in the room before, you may have heard part of this, but Wayne was the very first ever SECTF contestant, 10 years ago at the Riv, the very first person to ever get in our booth and compete in the SECTF. Yeah, I think that deserves a round of applause right there. And we became real good friends after that. And Wayne, I don't want to go too much into it, I think he'll talk about it, but Wayne does real red teaming. So we're not talking one-day engagements, we're talking going to live in a hotel or in a gully for 90 days and disrupting your supply chain and stuff like that. So this talk about red teaming, to me, is really important for this industry, because we need real red teamers. Like last night we had Mike Ozenko, real red teamers; we need them to come and talk to us about what that means, especially if you're looking to break into this industry. So we have someone with many, many years of experience about to talk about that. So if you would help me welcome Wayne Lallison, all the way from down under.

Alrighty, can you all hear me? Awesome. So as Chris said, red teaming. I just want to get out there what I think red teaming is. Red teaming is not pen testing; pen testing is one little part of red teaming. Red teaming is looking at a company from a holistic view, the whole thing about the company: understanding how the business works, understanding how their competitors work, understanding how their supply chain works, understanding what ethics they have in place in their organization, understanding whether they're a global organization, because a company in the U.S. can operate quite differently to a company that's in Australia, and if you're going to red team the office in Australia and then red team the office in the U.S., it can be very different. So you have to understand all those things about the company.
So what I'm going to do today is go through, and I don't have a huge amount of time, 30 minutes, so I'll be as quick as I can, one little part of a large red team that ran over three and a half months. It's one little part, but it has lots of little pieces in it that layer together, which is quite nice for a presentation like this.

So who am I? I work at Loop Secure. As Chris said, I competed in the first SECTF at DEF CON. It was actually quite interesting; Chris left out one little part. I walked up on Thursday morning at 10 o'clock and I signed my name in, and he said, are you the guy from Australia? I went, yeah. He went, you're the only international competitor, we've made you go first. Suck on that. Yeah, I know. So then I got in the booth and I made my phone call, and I actually got all the flags, and when I walked out to Chris I said, suck on that, and we've been friends ever since.

So I guess, to be honest with you, the actual term red teaming has been used and abused in the industry that we're all in, to the point that I've now come up with another term, adversary simulation, because red teaming just shits me, to be honest. Sorry, Chris. I've started running the redteams.net blog, so I don't know if anyone goes there at all, redteams.net, but a really experienced red teamer was running that blog for the last nine years and was having a rest. So I'm looking after that at the moment. And I'm the developer of Overwatch Offensive, which no one in this room will know what it is. You'll see it later.

So what kind of team do you have for red teaming? People ask me this all the time: how do I get into red teaming? What do I have to do? And I say, in a team, everyone in that team has to have different life experiences. You can't have the same people doing the same job with the same life experiences. It just doesn't work, because you all look at the business in a very similar way.
So you need to be able to work with your team and ask them, what do you think about this? And they ask you, what do you think? And you can give honest and clear answers about what you believe is the best way to go about attacking this organization. Work solo: everyone in the team needs to be able to work solo, but at the same time they also need to be able to work in a team, and at the same time they need to be a leader, and at some times they need to be led. And they need to have no ego, because a lot of leaders have egos and they don't like being led, but in a red team that can't happen, because you all have to bounce off each other. And sometimes some people in your team are just better at doing certain things than you are, and you just have to accept that. You have to be able to work under pressure. And the thing is, that means one day there's no pressure, and then 10 seconds later the pressure is right on, where you actually can't make mistakes. You have to be really careful with how you go about doing your operation.

The other thing I tell my team is: experience in one or more things. So, yes, we need somebody that can do digital stuff, like hacking things. We also need somebody that can do physical stuff. We also need somebody that understands psychology. How many people have worked in a red team that's had a psychologist? We're attacking people, right? Who's the best person to know people? Psychologists. That's their job. So they should be in a red team. So when you're sending that phishing email, they can read it and go, can you tell me a bit about this person? You show them the profile that you've put together and they go, you know what, maybe you should change it like this. Because that's their job. The other people I've had in red teams, I've had doctors in red teams. Not to help us if we fall off a building, although they're there for that as well. No, but they have a different view of people.
They have a different view of a business. And that's what red teaming is all about.

So the target: a worldwide defense contractor. Why? They wanted us to simulate a real-world attack on their organization globally. They wanted us to test the business as a whole. So everything. Everything you can think of, they wanted us to test it. The scope: whatever a real-life adversary's scope is, we're going to do, apart from murder and kidnapping. I tried to get those in the scope, but they said no.

So the one little part I'm going to talk about is executives. In Australia, we have executives. They get paid a shitload of money. And apparently they're supposed to work harder than everyone else. I don't know if that's true. My boss is sitting over there; that's for him. But honestly, their job role is time-reduced, right? Their job role is really time-reduced. And executives are on the front line, just like normal staff. But they have a little bit more access. They're perceived by potential adversaries as having access to business information, customer and employee data, and financial data, or the ability to move money. But they also have other business intelligence, like where the business is moving in the next month, where the business is moving in the next year, who they're looking to buy out. Maybe there's someone looking to buy them out. Have they told their shareholders about that? Maybe, maybe not. How should that information be released? Should it be released by them, or by someone who compromises their environment and finds out about it? They also interact with the supply chain. Now, supply chain is an interesting one, because a lot of people say to me, how do you test a supply chain? Well, it's actually pretty easy.
When you have your client and they're doing procurement, you tell them that when they sign someone up to the supply chain, when you have a pen test, when you have an adversary simulation, if that supplier wants to be part of your supply chain, they have to do that as well. It's the way that I sell it. They get a free assessment, and you know they're good, and you know you've got a secure supply chain.

So, to give you an idea of this: I had a defense contractor, and their supply chain was the people that looked after their WAN, so their external firewalls. And the guy, my client, who I have a really good relationship with, said to me, I want you to see if you can change any rules on those firewalls. And I said, are you sure? He said, yep, I'm pretty confident it won't happen. I'm like, okay, cool. So on a Thursday night, after doing lots and lots of research, I found out they were 24/7 and you could ring up. So I rang up and I said to the person on the phone, look, I'm from this particular company, I need to change some firewall rulesets, what's the process for that? I haven't done it before. And the guy goes, I need an email from you and I need an email from your boss. I'm like, okay, I'll get that to you in a minute. This is at 12:30 a.m., so it's really late. So what do I do? I quickly hang the phone up, jump on my computer, and because I'd registered a bunch of URLs very similar to the organization's, I send one email from me, cc'ing the boss in. Then I jump on the other email and send an email from the boss, cc'ing me in, and some other people just for a touch. And 20 minutes later, I got an email that gave me the ticket number for the firewall changes. And I changed the firewall ruleset: 3389, which is remote desktop, in and out to a large defense contractor. So could you imagine, at 2 a.m. in the morning, here I am, RDPing into servers from the internet because of the supply chain. It just shows you how valuable a supply chain break is.
You know what I mean? It can take you out.

Right, executive profiling. We're in the social engineering village, because we all like open source intelligence. We all like to, you know, be able to get somebody to do something that they shouldn't do, but they do, and give you information. So executive profiling is one of my favorites, because I love looking at what kind of car an executive has, which is not hard, because a lot of them put them on Facebook and all kinds of things. I actually saw one LinkedIn profile that said, I drive a BMW. Yep. What kind of motor transport do they have? What social clubs are they involved in? Now, social clubs are important, because I had a gentleman who was playing squash, and he was quite good. And I went to the squash court and his partner wasn't there to play with him. And I said, how about me? And he went, do you play? I didn't. I went, yeah, sure, not a problem, just give me a chance to get my shorts and my T-shirt on and get the squash racquet, and off we go. What he didn't know at the time, though, was that two of my guys were in the back there opening his locker and putting malware on his phone. And the worst thing is, I beat him at squash, and he was pissed.

Physical locations are really important, because, take a defense contractor: usually the area where they work, their facility, is very secure. It's very hard to get into. You can't just walk through the door. Yeah, in some places you walk through the door, they say, what are you doing here, and if you can't give a really good reason they pull their guns, and then you have to explain yourself very quickly. So you have to be very careful about how you go about it. That's why physical locations are really important. Public information: we all know how important public information is and how you supply that public information. What information do you give? I had an executive who had no social footprint whatsoever, but his wife and his kids did.
And by using their profiles, I was able to gather the whole profile on him. I would never target kids and family, because I'm supposed to be the good guy, but that doesn't mean that bad guys won't. True? So we've got to be careful.

So this particular network had one internet-facing thing, and it was Citrix. That's all it had. The whole defense contractor, that's the only point of access to their environment. One portal. It's pretty good, right? And it was two-factor authenticated. One portal. So we were looking at this because obviously we wanted to get business intelligence, and this was the way for us to go about it for this particular client, because they live in Fort Knox, so we can't just go in there. So not me, but one of my team members, who was better at this stuff than me, before a particular tool came out that could do this, wrote something that intercepted the two-factor authentication to Citrix. We've told Citrix about this now. And when we sent this phishing email, our target clicked on it and we bypassed the two-factor authentication. The interesting thing about this was that when we did this, it didn't write a single log in their SOC, and they have 25 people in their SOC. Pretty interesting.

I can't read that, it's a bit small, but it says: we are currently in the process of applying critical patches to address recently published security issues affecting Intel processors. This process will unfortunately require short outages across infrastructure used by a number of internal services. During this weekend, Citrix remote access services were temporarily made unavailable while patches were applied. And it goes on and on. You can see it's quite a nicely written phishing email, directed to three executives, and that was it. So this person clicked on it and allowed us to now start looking for business intelligence. How can we start to expand into what we're really, really after?
So you've got share drives, you've got documents, you've got applications, you've got emails, you've got passwords, and then you've got the calendar. The calendar is the second place that I go. Do you know where the first place I go is when I get into email? I get the little scroll bar and I drag it all the way down to the bottom, to when they first joined the organization, and I get the welcome pack. No one ever deletes that welcome pack. I open the welcome pack up and I have everything about their organization: where all their portals are, sometimes usernames and passwords, which gives me links to them and tells me how they work. The other place that I go, though, is the calendar, because the calendar for me and my team is incredibly important. It tells me what they're doing.

And on this particular occasion, when I logged in and looked at the calendar, I looked, and then I looked again. And I looked at my mate next to me who was working with me, and another person I had, and I said, do you reckon that's true? And they're like, yeah, it is. They had a meeting that was going to discuss where the company was going to go in the next 10 years. And there were 12 executives in this meeting. They decided that they did not want to stay in that facility, because the food tastes like crap. So they decided to go to another place where they could order wine, they could have beers, they could have spirits, and they could have their meal brought to them in a nice room downstairs. That broke every policy and procedure their organization had put in place. All 12 of them. And looking at their emails, they even laughed about it. Yeah, the laughing bit was interesting.

So, the social part first. We've got the calendar meeting. We've got an offsite itinerary that allowed us to plan. So I have the itinerary, exactly what's happening, because it was posted in the email. All right, so I know that. I can do human intelligence. So I want to do human espionage actions against the executive leadership team.
So now I'm taking it up a notch, right? Now we're going nation state, state sponsored, even criminal organization. Let's see these people. Let's have a look and see who they are. And luckily Microsoft has allowed us to do that, because for this organization, in Outlook, every employee has a picture. So I knew every executive that was going and what they looked like. So I have a printout with all their pictures on it, getting ready to do what we're about to do next.

The other thing was that I knew where the meeting was. They were going to be there all day, for two days actually. So I rang up this place and I said, I'm looking for a meeting room for a group of 12 people, what's the best room for that? They're like, oh, the one upstairs. I'm like, fantastic, can I have it on this date? She goes, oh no, someone's already booked it for those two days. I'm like, hmm, well, I'm in town then, is it possible I can come past and just jump up and have a quick look in that room, just take a photo for my boss? She's like, yeah, sure. I'm like, so what, after they're finished, or actually, can I come in and have lunch, and then while they're having lunch I can go upstairs? She's like, that's a great idea. I'm like, I'm glad you thought of it, thank you.

So, on top of this, obviously we do a whole bunch of pre-reconnaissance of the place, so we know what we're looking at, right? We go there, we have a look at where people have to park. We have a look at how long parking is for. We have a look around the area. We look to see what people wear around the area, how they act, where the shops are, you know what I mean? What's happening there? Because I want to be able to blend in. I want my team to be able to blend in. It's going to be a long day. So this is me, I'm up. That is me on the bridge. Because when I went there, there were lots of people on that bridge taking photos. It's a beautiful place.
And all the people taking photos with it now, thinking you're going to find it; if you do, well done. The car park was very interesting, because that car park only allows four-hour parking. So that means they all have to come down at least once during the day and move their car. That gives us a little bit more of an advantage, because we know we're going to see them again. You'll see how that plays out in a minute. Plus, my old job was doing surveillance, so that's kind of my bread and butter. So you start to get things like this. I look very happy, don't I? And this. So, they all turn up. And as they're turning up, I'm going target one, target two, target three. And I hear, across the radio, one of the guys ring me and say, Wayne, can you stop doing that? I'm like, why? He's like, you're counting dead bodies. And I go, I am.

So I had a pre-booked meeting at lunchtime. I waited until the executives had been seated for lunch downstairs. I watched them all come down. I watched them all go in there. They're all having a great time, which is good. I introduced myself at the front desk, told the staff member who I was, and she took me upstairs. When I went upstairs, I nearly fell on the floor. That's what I saw. And then she said to me, it's a really confidential meeting up here, I'm not supposed to bring you up here. I said, oh, what does confidential mean? She goes and explains it to me. I said, oh, thank you. Okay, do you mind if I take one photo for my boss? She says, just one, right back there. I can do that. So I walk down to the end of the room, take a picture with my phone, and I walk out. As I'm exiting the building, I wait about two minutes, and then I run back in as fast as I can through the door, puffing. I said, oh, I'm so sorry. When I took a photo of the room, I took it of myself. And I show her a photo of myself, the worst selfie ever. She goes, I'm really busy now. I said, look, we've met, you can see that I know nothing about anything.
I just gotta get these pictures for my boss. She goes, look, if you go upstairs, just be really quick for me. I will. I've got one of my guys on the phone; he can hear me in my earpiece, and he's like, are you kidding me? Then I can hear the other guy go, you owe me 20 bucks. And then I say, you should have doubled it, you dickhead.

Anyway, so I made my way upstairs. Now, I've deliberately darkened this picture for obvious reasons, and it's only a little picture, but I'm going to give you a rundown. So I walk upstairs. I have a quick look around, and there are 12 laptops on the table, all open, not locked. The presentation laptop is on the presentation stand, not locked. All the notes they've taken by hand are open on the desk. There are USBs all over the desk. So I'm in a bit of a situation here, aren't I? Whose computer do I pick first? I didn't want to be judgmental. You know, I don't want to pick on someone and not pick on someone else. So I just owned all 12. And the presentation laptop too, 'cause I didn't want it to feel, you know, left out. I took photos of all the notes. I put malware, or implants, on their USB sticks, plus copied them all. And I did this all in about 15 to 20 minutes. Was I nervous? Yes, of course I was. How long have I been doing this for? 15 years plus. I always get nervous, 'cause I do so much hard work and I don't want it to get ruined because I've made a mistake or some person walks up.

Anyway, I'm in the middle of putting my stuff away. I'm making sure that I leave everything the way that I found it. So I'm not touching anything, I'm just making sure I leave it all the way it was. And the girl that originally showed me up comes up and she goes, oh, you're still up here? I'm like, oh yeah, I'm still figuring out how to take photos, but I got a good one. She's like, oh, that's good. Then she says to me, oh, we're looking forward to seeing you for your conference thing.
And I'm like, yes, not a problem, that'd be great. And I exited.

Four hours is up and someone has to move their car. So that's where his car is parked after he moves it. And I'm back over here somewhere, looking through my rear-vision mirror, watching this guy park his car. And I'm thinking to myself, man, that is like the perfect place. If anyone's ever going to drop a USB stick, that's it. I dropped it right by his door, thinking to myself, there is no way that he is going to plug that in. So, he did. And it's actually really silly that this still works, right? It's quite crazy that this still works to this day. It just shows us that the way we're educating people is maybe not working, and we need to change it. And I've actually found a really good way to change that is to show the company things like this. So, he plugged it in [inaudible]. And then we get digital access, and then it loads a custom implant.

So what I'm going to do now is quickly show you a demo of this. I'm going to jump across to this mic. Just bear with me. Got any questions? Ask me now. [Audience question: what's your password?] Password, exclamation mark. It actually is. I'm simulating other people. [Audience question about what happens if someone gets suspicious and calls the authorities.] Right, really good question. Excellent question. So, all this looks fun and well, right? But in the depths of what's going on, I have a really good contact inside the organization. And I'm telling that person in the organization exactly what's happening the whole time. I am keeping them in the loop 100% of the time, exactly what's going on. And sometimes I'm actually getting cues from them about things that they want us to do. I'll go, do you really want me to do that? And they're like, yes, do it. So yeah, I'm definitely on the phone with them all the time in relation to law and policing and stuff like that.
If any policeman or any authority comes up to me, apart from a security guard, I will have a conversation with them first, and it depends on how that conversation goes. So the conversation might go: who are you, what are you doing? And I give them my pretext. If that works, we're good. If they question me again, I'll let the cat out of the bag. Right, because the first priority is the safety of my team and myself and the client. If that happens, that's good, right? Someone's questioned what's happened. The only time that it's gone the other way, come and tell me and I'll tell you a funny story, when I spent eight hours being interrogated under the anti-terrorism laws in Australia.

So this is an implant. I'm just going to simulate it; I just want to show you what it does. You see, in red teaming, I believe that in these particular jobs, you want to show a true adversary. You want to give the organization a true adversary, and that means from a physical, a digital, a social, a supply chain perspective, all those ways. So yes, we use tools that other people have made, but we also design custom tools, because we want to see if their SOC will detect that. Will they see that? How long does it take them to see that? How long does it take them to detect that somebody's computer got stolen? What do they do? What are their policies and procedures for that? Do you know what I mean? If I just give them normal, everyday attacking software, chances are they're going to detect it, and it doesn't give them a real live view of actually being attacked. So I made this tool called Overwatch Offensive. As you can see, the implant's called home, and it's very simple. You just click here and go, I want to get the OS version, and click submit, and it puts a task in over here, and it will run that task. What we can also do is, let's close this. Let's make a new folder. Let's go back across here.
Click that, let's get a screenshot, and now we just sit back and wait. Not very long. So the idea of this is that I want to give them something different to see. I want to understand, and this goes from a digital perspective, but it also goes from a physical perspective as well: if I'm physically entering their property and they have CCTV, which most places do, how long does it take them to go, somebody unauthorized entered the facility, we can see them on CCTV? How often does the organisation view that? The bomb just, it's about to go off. Do you know what I mean? How long does it take? You know, I was doing a social engineering call the other day, and I made four calls to the help desk and I had all four of those people go to the website I wanted them to go to. When I made the fifth call, the guy said to me straight away, I'm not going there, man, you think I'm stupid? I said, the four people before you were.

So if we refresh this now, we'll see that it starts to come through. It starts to trickle in. So it's Microsoft Windows 10 Enterprise, and we should get a screenshot that'll come through. But what I'm going to do, because we are tight on time, is load up a VM for you that shows you what it looks like, just so you get the idea, because I want you to see what it's like. Where's my... [Audience question about lateral movement.] Overwatch actually doesn't move laterally. It's a good question. I deliberately made it not move laterally, because I only use Overwatch for special people. Overwatch sits in their environment for a very long time, gathering business intelligence over a very long period. The callback on Overwatch is usually from 48 hours to 72 hours, and sometimes it can be even longer. So yeah, does that answer your question? Cool. What's the question? Oh, sorry. The question was, am I using Overwatch instead of Cobalt Strike? And the answer is no.
I'm using Overwatch as an extra piece of equipment to be able to gather business intelligence on particular targets over a long period of time, because for me there wasn't anything that really did that to the degree I wanted, if that makes sense. [Host: Hey man, look, they're all listening.] I know, I'm about to finish right now. So you get your screenshot. As you can see, and the best part, that I like, is you can play the audio. So I think that's kind of fun. Executives like that when you show them, and you show them the conversations they've been having. Done.