Next level red teaming: Working behind enemy lines
The term “hacker” calls forth both positive and negative mental pictures, but I can bet that there are not many people, even in the infosec community, to whom the term generates the image of a guy running through the jungle with a laptop and an automatic weapon.
This is the story about one such person: a member of a red team and contractor that goes by the handle Deepquest (for understandable reasons, he prefers that I not use his real name for this article).
How I met Deepquest
I met him a long time ago, in an era before smartphones or tablets, when Windows XP was considered a cutting edge operating system. It was 2002 and my first time in Paris, attending the RSA Conference. But the real fun was all around town, as we were wardriving in a small car, armed with ORiNOCO Gold wireless cards and an endless supply of curiosity.
We certainly did not imagine that 14 years later I would be writing a profile about his experiences working as a contractor around the world… But, given his journey over the years, his current job makes perfect sense.
The early days
Infosec is a huge industry that offers a myriad of different jobs that require different skillsets. Still, there are not many jobs within it that demand a wider variety of skills than the job of a red team member. A red team assesses an organization’s physical and digital security posture in order to improve it. Yes, they are the guys and girls that you pay to break into your building at night, and tell you all about it the next day in a nicely formatted report.
The job is anything by predictable, and this is what drew Deepquest to it.
Deepquest’s obsession with the inner workings of technology began when he was just nine years old, and his parents got him a Texas Instruments TI 99/4A home computer. Typing hundreds of lines of BASIC code in order to see some 2D animation got old fast, and he was more interested in breaking the system. Remember, there was no Internet at the time, so he was entirely on his own.
Wanting to be a navy pilot, he chose military school, and already at 17 he was getting rides in a Fouga CM.170 Magister jet trainer. But the school event that ended up starting the chain of choices that led him to red teaming was getting trained by an authentic fighter, a member of the French Foreign Legion.
Deepquest never became a navy pilot, and his passion for technology drove him to information security. After more than a decade in IT security with a large consulting company, he became the Chief of Security for the Stock Exchange in Paris, and ultimately created his own company, Code511, right after DEF CON 8 in 2000.
The early days of Code511 in Paris
“At the time I understood the scene, I cultivated many close relationships, and I was tired to see friends like Sk8, JimJones or Shadow Crew getting busted. There was a gold mine of unexploited talent that didn’t fit in a cubicle, on a 9-to-5 office time. I’m proud that many trusted me because we had the same vision – hack a system, and get paid for doing it,” he says.
They signed up lots of important clients working in the defense, healthcare and banking sectors, and secured several well-funded startups in Europe, Asia, and Africa.
Four years later, the big guys took notice, and the company was acquired. Deepquest got his check, and spent the next few months traveling and thinking about what comes next.
“I wanted to stay my own boss, and keep working with the people that trusted me to reach this success in the first place. Slowly, the idea to offer a fusion of electronic and physical services was born,” he recalls.
His future was cemented after he was introduced to the founder of one of the most prestigious SWAT-like units in Europe. Given his background, Deepquest was offered to participate in a mission taking place in Africa, and his job was dealing with GSM interception.
“After that assignment, I knew what I was going to do in the future. No more endless meetings and presenting reports to clueless executives. This was another level, an adrenaline rush with no budget restrictions.”
Red teaming for fun and profit
Soon enough, it was back to business, and a new company was born: Bradford. In his quest to prepare for what was on the horizon, Deepquest got his PPLH (Private Pilot License Helicopter), and finished the PHTLS (Pre-hospital Trauma Life Support) course.
“Nowadays, my work consist of protecting assets and clients who are potential targets due to their position or wealth. I have to emphasize that while I do engage in highly sensitive assignments, I don’t work for people involved in illegal activities,” he explained to me.
A typical client is an oil company with expats located in sensitive zones such as Africa or the Middle East. “When you work in these areas you don’t worry just about physical security, you have to keep an eye out on competitors who are willing to pay a lot of money to see what you’re doing, and who you’re talking to. Securing information during negotiations is critical.”
Tools of the trade
Leading a team of contractors
The main difference between a typical information security role – one that mostly takes place behind a keyboard in an air conditioned office – and working in a red team like this one is the heavy stress. When you’re in the jungle or the desert, the game is on an entirely different level. Sometimes it’s not about win or lose, but reaching the end of the day alive.
“This line of work requires passion, constant skill development, and modesty. No matter what you do, be the hardest working person in the room, and never let money blur your mind,” he says.
The electronic side requires a permanent thirst for knowledge – what you learn today could expire tomorrow. The physical security side is different, but you need to be able to work under heavy pressure. “When I say pressure, I don’t mean fighting a deadline or your boss shouting at you, but making sure the client is safe while you’re taking fire, and not leaving anyone behind, at any cost,” he clarifies.
Being part of a red team means you have to be able to break any boundaries and constantly think outside the box. There’s a firewall with a tight DMZ? Focus on desktop users or power supplies. There are electrical fences around the compound? Be the pizza delivery guy and try to get physical access.
You also need to keep in mind that you are paid to break-in to optimize security – every aspect of it. To many of his clients money is no object, the only thing that matters are the results. The client needs intelligence that will help them make informed decisions across the board.
When money is no object, private jets can allow you to avoid cargo checks
Staying under the radar
Finding work and staying under the radar at the same time could seem like a problem, but for him it’s not an issue. “We don’t sell software or muscle, but knowledge based on our experience at the state level. Since our focus is on tailor-made solutions, we don’t look for customers, they find us by way of recommendation.”
When working, anonymity is certainly important, but spreading fake information is crucial. Nowadays, with access to massive amounts of data, including information on individual’s emails and social media activities, governments can cross match intel to find someone quickly. Deepquest has one simple rule: Never work in the country you live in.
Recon plays a major part of preparing for a job. Team members come to the target country as tourists to get a feel for the environment, read the people, get near the location and observe.
“We always adapt technologies and tools based on the location, and the equipment we use is always destroyed after every mission, regardless of the costs involved,” he says.
When it comes to communication, codes are more effective that crypto, since encryption is an immediate red flag in certain countries. “When in a hostile environment, it’s easier to stay unnoticed if you pass a coded message on Weibo than a PGP-encrypted email on QQ,” he explains.
When in a highly monitored environment, he often creates a new email account and sends to it a link to a basic PHP page with some keywords that might attract attention, located on a server under his control. The idea is to see how many times the link has been clicked – and you would be surprised of the volume of clicks in certain countries.
Danger as a way of life
Inexperienced penetration testers regularly worry about taking down a production server during a test, but when you’re in a red team your perception of a dangerous situation is on a wholly different level. Oftentimes, just getting to or from a job requires very steady nerves.
When I asked him about a dangerous situation he found himself in, he simply said: “Crossing a mine field in the jungle on purpose, at the border of Burma and Thailand, after a 57 km training session spanning three days.”
On assignment in the jungle
Yes, please, tell me more!
“A recent contract, in Central America, had us recovering 22 million dollars for a customer, while also keeping the customer safe and managing a CSO transition. From the physical security side, it was one of my largest contracts: I had an exiting team of 120 bodyguards, a whole dedicated building, and a private shooting range,” he recounted.
“The recovery of the money was a purely electronic task, but challenging. Some crook managed to get $22 millions in fake investments and vanished. The objective was to locate this person, the assets and recover them. Recovering these assets was hard, as we had to deal with offshore accounts and companies. But we ended up recovering about 70% of the stolen amount by focusing our approach not on the stolen assets, but on the human side (our target’s background).”
A souvenir from Angola
“As for the dangerous side: a few weeks before the end, I randomly followed one of teams escorting the client to a restaurant. We had two people inside the restaurant, a driver for each of the two cars, plus two others and me waiting outside of it. The inside team asked us a clear to go as the client was about leave, so we did the usual procedure: check the surroundings, start both cars. When the client reached the first outside steps, we heard a shooting sequence of two rounds. We rushed the client into the second vehicle, I took a seat in front on the passenger side, and we drove off. The client was in shock and we were rushing him to a safe house. A few minutes into the drive, I felt blood drops on my face and shirt – I’ve been hit! But, luckily for me, the bullet just grazed by head. Once at the safe house, I started to get cold and started shaking a bit – a normal post-traumatic reaction. Eating a candy bar helped,” he concluded, unfazed.