Speaker: Wayne Ronaldson, First-ever SEC CTF contestant (10 years ago), Real Red Teamer
Background: Specializes in long-term red team engagements (90+ days), supply chain disruption, adversary simulation
Key Focus: Real-world red teaming vs. penetration testing, holistic organizational assessment
Introduction & Background
Wayne Ronaldson was the first-ever SEC CTF contestant ten years ago at DEF CON. He specializes in real red teaming - not one-day engagements but extended operations lasting 90+ days involving supply chain disruption and comprehensive organizational assessment.
Critical Distinction: "Red teaming is not pen testing. Red teaming looks at a company from a holistic view - understanding how the business works, their competitors, supply chain, ethics, and global operations."
Professional Background:
- First international SEC CTF competitor at DEF CON
- Runs redteam.net blog (taking over after 9 years)
- Developer of Overwatch Offensive (custom red team tool)
- Specializes in adversary simulation rather than traditional "red teaming"
- Extensive experience with global defense contractors
Building an Effective Red Team
Team Composition Philosophy:
- Requires diverse life experiences; a team cannot be made up of people with the same backgrounds
- Team members must be able to work solo AND in teams
- Must be able to both lead and be led (no ego)
- Ability to work under pressure with zero-error tolerance
- Experience in multiple domains: digital, physical, psychological
Unique Team Roles: "How many people have worked in a red team that's had a psychologist? We're attacking people - who's the best person to know people? Psychologists! That's their job."
Specialized Team Members:
- Psychologists: Review phishing emails, analyze target profiles, and provide psychological insight for social engineering
- Doctors: Provide a different perspective on people and business operations, not just medical support
- Diverse Backgrounds: People from various industries and life experiences who approach problems from multiple angles
Red Team Advantage: Most organizations build homogeneous security teams. Diverse red teams with psychologists and other specialists can identify vulnerabilities that technical-only teams would miss.
Case Study: Global Defense Contractor Engagement
Engagement Overview:
- Target: Worldwide defense contractor
- Objective: Simulate real-world attack globally
- Duration: 3.5 months
- Scope: Everything except murder and kidnapping
- Focus Area: Executive compromise
Executive Targeting Rationale:
- Executives are time-poor (busy schedules)
- Access to critical business information and customer data
- Ability to move money and make financial decisions
- Possess business intelligence (future plans, acquisitions, mergers)
- Interact with supply chain partners
Executive Vulnerability: Time-poor executives often bypass security controls for convenience, making them prime targets for sophisticated attacks.
Supply Chain Attack: Firewall Compromise
The Attack:
- Identified third-party managing client's external firewalls
- Called their 24/7 support at 12:30 AM
- Claimed to be from client company needing firewall rule changes
- Support requested: "Email from you and email from your boss"
- Used pre-registered similar domains to send fake emails
- Received ticket number for firewall changes within 20 minutes
- Had the rule for port 3389 (Remote Desktop) changed to allow external access
Impact: "At 2:00 AM, I was already prying into servers from the internet because of the supply chain. It shows how valuable a supply chain break is."
Supply Chain Testing Strategy: When clients sign new supply chain partners, require they participate in security assessments as part of the contract. This provides "free" security testing and ensures supply chain integrity.
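The rule change obtained through the support desk above is the kind of event a defender can catch with a ruleset audit. As an added example (not code from the talk or from the firewall provider it describes), this script flags inbound TCP/3389 reachable from outside RFC 1918 space and diffs two snapshots of the ruleset; the rule format, the sample rules and the definition of "internal" are constructed assumptions.

```python
"""Audit a firewall ruleset for inbound RDP (TCP/3389) reachable from outside
the internal address space, and diff two snapshots so an out-of-hours change
stands out. Rule format, sample rules and "internal" (RFC 1918) are constructed."""
import ipaddress

RDP_PORT = 3389
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def port_matches(spec, port):
    """spec is 'any', a single port such as '3389', or a range '3300-3400'."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def is_external_source(cidr):
    """True unless the whole source range sits inside RFC 1918 space."""
    src = ipaddress.ip_network(cidr, strict=False)
    return not any(src.version == net.version and src.subnet_of(net)
                   for net in INTERNAL)


def rdp_exposures(rules):
    """Rules that allow inbound TCP/3389 from an external source."""
    return [r for r in rules
            if r["action"] == "allow" and r["direction"] == "inbound"
            and r["proto"] in ("tcp", "any")
            and port_matches(r["dport"], RDP_PORT)
            and is_external_source(r["src"])]


def new_rdp_exposures(baseline, current):
    """Exposures present in `current` that were absent from `baseline`."""
    return [r for r in rdp_exposures(current) if r not in baseline]


# Constructed snapshots: before and after a change request via the support desk.
BASELINE = [
    {"id": 10, "action": "allow", "direction": "inbound", "proto": "tcp",
     "src": "10.0.0.0/8", "dst": "10.20.0.5", "dport": "3389"},
    {"id": 20, "action": "allow", "direction": "inbound", "proto": "tcp",
     "src": "0.0.0.0/0", "dst": "10.20.0.8", "dport": "443"},
]
CURRENT = BASELINE + [
    {"id": 30, "action": "allow", "direction": "inbound", "proto": "tcp",
     "src": "0.0.0.0/0", "dst": "10.20.0.5", "dport": "3300-3400"},
]

if __name__ == "__main__":
    for r in new_rdp_exposures(BASELINE, CURRENT):
        print(f"NEW external RDP exposure: rule {r['id']} {r['src']} -> {r['dst']}:{r['dport']}")
```

Running the diff against every ticket-driven change, rather than only on a periodic review, is what turns a 20-minute window like the one above into an alert.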
Executive Profiling & Physical Intelligence
Profiling Techniques:
- Vehicle Identification: Many executives post car details on social media (LinkedIn, Facebook)
- Social Clubs: Identify membership of squash, golf or other clubs for physical access opportunities
- Family Profiling: When executives have no social footprint, target family members' social media
Squash Court Operation:
- Target was regular squash player
- Partner didn't show up for scheduled game
- Offered to play as substitute
- While playing, team members accessed target's locker
- Installed malware on phone in locker
- Bonus: Actually beat the target at squash
Physical Social Engineering: Social activities provide perfect cover for physical access operations. People let their guard down in recreational settings.
Citrix Two-Factor Bypass
Network Environment:
- Single internet-facing entry point: Citrix portal
- Two-factor authentication enabled
- Team member developed custom tool to intercept 2FA
- Sent targeted phishing email to three executives
- One clicked, bypassing 2FA completely
- Critical Finding: No logs generated in SOC
Phishing Email Approach: Disguised as IT patching notification: "We are currently in the process of applying critical patches to address recently published security issues affecting Intel processors..."
Logging Blindspots: Even organizations with 25-person SOC teams can have critical logging gaps. Custom tools often bypass standard detection mechanisms.
Calendar Intelligence & Off-Site Operation
Initial Access Strategy:
- First action: Scroll to the bottom of the inbox for the welcome pack (often contains credentials and system information)
- Second priority: Calendar review for meeting intelligence
Executive Off-Site Discovery:
- Found meeting discussing company 10-year strategy
- 12 executives attending
- Location: External venue (violating company policy)
- Emails showed executives joking about policy violation
- Complete itinerary available in emails
- Outlook profile photos let the team recognise every attendee by face
Policy Violation Exploitation: Executives who knowingly violate security policies become high-value targets. Their behavior indicates willingness to bypass controls for convenience.
The Physical Operation: Conference Room Infiltration
- Pre-Operation Reconnaissance: Scouted the location, identified parking limitations (4-hour parking requiring the car to be moved), studied local attire and behaviour patterns
- Venue Infiltration: Posed as a potential customer and scheduled a viewing during the executives' lunch; a staff member provided unauthorized access to the confidential meeting room
- Device Compromise: Found 12 unlocked laptops, an unlocked presentation laptop, handwritten notes and USB drives; compromised all devices in 15-20 minutes
- USB Drop Follow-up: Planted a USB drive near a parked car; the target picked it up and plugged it in, providing persistent access
Operational Reality: "I always get nervous because of so much hard work. I don't want to get ruined because I'm making a mistake or someone walks up."
Physical Security Testing: Even in 2024, basic social engineering and USB drops remain effective. This indicates fundamental issues with security awareness training effectiveness.
Overwatch Offensive: Custom Red Team Tool
Tool Philosophy:
- Purpose-built for long-term business intelligence gathering
- 48-72 hour callback intervals (sometimes longer)
- Does NOT move laterally automatically
- Designed to avoid standard detection mechanisms
- Used alongside tools like Cobalt Strike, not as replacement
Key Capabilities:
- OS Intelligence: Gather system information without triggering alerts
- Screenshot Capture: Visual intelligence on target activity
- Audio Monitoring: Record conversations for business intelligence
Custom Tool Advantage: Off-the-shelf tools are easily detected. Custom tools provide realistic adversary simulation and test true detection capabilities.
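Added example, not the speaker's Overwatch Offensive code or any real tool: a small detector for the 48-72 hour callback cadence described above, run over constructed proxy log lines; the log format, the sample hosts and destinations, and the thresholds are assumptions.

```python
"""Find rare-but-regular outbound contacts in proxy logs: (source host,
destination) pairs whose contacts are spaced like a 48-72 hour callback
rather than the minute-scale beacons most detections look for. Log format,
sample lines and thresholds are constructed for this example."""
from collections import defaultdict
from datetime import datetime
from statistics import median


def parse(lines):
    """Group 'YYYY-MM-DDTHH:MM:SS src dst' lines into timestamps per pair."""
    pairs = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def slow_beacons(lines, min_hits=3, lo_h=24.0, hi_h=96.0, max_jitter=0.5):
    """Flag pairs with >= min_hits contacts, every gap within [lo_h, hi_h]
    hours, and no gap further than max_jitter * median from the median."""
    findings = []
    for (src, dst), times in parse(lines).items():
        times.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        if len(gaps) < min_hits - 1:
            continue
        med = median(gaps)
        # Range check first: it also rules out med == 0 before the division.
        if (lo_h <= min(gaps) and max(gaps) <= hi_h
                and max(abs(g - med) for g in gaps) / med <= max_jitter):
            findings.append({"src": src, "dst": dst, "hits": len(times),
                             "median_h": round(med, 1)})
    return findings


# Constructed sample: one host with a ~60 h cadence to one destination, plus
# ordinary browsing (hours apart) and a weekly backup job (168 h apart).
SAMPLE_LOG = """\
2024-03-01T01:00:00 ws-031 backup.example
2024-03-01T02:10:00 ws-014 update-cdn.example
2024-03-01T08:00:00 ws-014 www.example
2024-03-01T09:30:00 ws-014 www.example
2024-03-01T12:00:00 ws-014 www.example
2024-03-02T10:00:00 ws-022 update-cdn.example
2024-03-03T05:40:00 ws-014 update-cdn.example
2024-03-06T00:05:00 ws-014 update-cdn.example
2024-03-08T01:00:00 ws-031 backup.example
2024-03-08T13:30:00 ws-014 update-cdn.example
2024-03-11T03:00:00 ws-014 update-cdn.example
2024-03-15T01:00:00 ws-031 backup.example
""".splitlines()
```

`slow_beacons(SAMPLE_LOG)` returns only the ws-014 to update-cdn.example pair; beacon analytics that window over an hour or a day never see enough contacts to score this cadence, so the detector needs weeks of retained proxy data.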
Operational Security & Ethics
Safety Protocols:
- Maintain constant communication with client liaison
- Immediate disclosure to law enforcement if challenged
- Priority: Team safety > Client safety > Operation success
- Clear rules of engagement established upfront
Ethical Boundaries: "I would never target kids and family because I'm supposed to be the good guy - but that doesn't mean the bad guys aren't."
Client Communication Strategy:
- 100% transparency with designated client contact
- Real-time updates on operation progress
- Client-driven additional testing requests
- Immediate cessation if safety concerns arise
Key Takeaways for Security Teams
Critical Lessons:
- Red teaming requires holistic business understanding, not just technical skills
- Diverse team composition is essential for comprehensive assessment
- Supply chain vulnerabilities can be more critical than direct attacks
- Executives remain high-value targets due to access and behavior patterns
- Physical and digital operations must be integrated for realistic testing
- Custom tools provide more realistic adversary simulation
- Security awareness training needs fundamental redesign
Industry Problem: "The word 'red teaming' has been used and abused in our industry to the point that I now use the term 'adversary simulation' instead."
Red Team Evolution: True red teaming involves understanding business operations, psychology, physical security, and supply chains - not just technical penetration testing.