Red teaming: How and why cyber security experts must continually learn to hack the hackers
Deloitte Government & Public Services
At annual conventions like DEF CON and Black Hat USA, the counterculture vibe of the hacker world has steadily become more consequential to the surging threat of cyberattacks.
Each year, these gatherings make real-world impact as throngs of cyber fanatics expose security weaknesses as a semi-pro sport. The annual “Hack DHS” program at DEF CON, for example, expanded to Generative AI last year. Introduced in 2021, this federal bug bounty program vetted and welcomed hundreds of ethical hackers who, in its first year, found more than 122 vulnerabilities, of which 27 were determined to be critical.
Part of the action at DEF CON this year will be a cyber security training from Deloitte’s Government and Public Services practice focusing on “Advanced Tunneling, Pivoting, and Redirection.” Participants will gain a baseline understanding of the tactics, techniques, and procedures an attacker uses to gain access to a network.
Diving deeper into the world of “red teaming” and why this strategy, developed by the military and intelligence community, grows more important to cyber and information security for all organizations, we sat down for a conversation with Deloitte’s Eric Stride.
Eric is a cyber warfare leader who supported highly technical cyber ops in the US Air Force, National Security Agency, and US Cyber Command while on active duty. He currently serves as a Reserve Colonel at the 67th Cyberspace Wing.
Cyber awareness and resilience, especially in this period of increasing AI influence, grow more crucial each day. How and when did you first become interested in cyber security?
Eric Stride: My interest started young, as I was one of those inquisitive types that would take devices apart to better understand how they worked; and sometimes the device would still work when I put it back together.
This expanded to learning about “phone phreaking” (hacking the telephone system) and my dad telling me stories about how he used to make free phone calls at telephone booths. This is probably what inspired me to discover how it was possible to make free long distance phone calls from the emergency phones outside the dorms at my summer camp.
The underlying problem was that those systems were not designed to appropriately handle users with mischievous intent—a problem that still plagues us today. Only today, it’s not about teens and their shenanigans; there are people with malign intent trying to attack systems every day. I use my hacker skills for good to help defend against them.
When DEF CON started back in the ‘90s, it was a place for underground computer network prodigies where the game “Spot the Fed” became a favorite pastime. But in the decades since, the government has leaned into this community and has even actively recruited from the conference. Why are governments and organizations so interested in hiring hackers?
Eric Stride: The rate and intensity at which our systems are being attacked requires the government’s cyber talent and engagement aperture to open wider. Divergent thinking, from teams of people with diverse backgrounds and experiences, is needed to understand what’s around corners others don’t even know exist.
With four days of presentations, after-hours networking, and a few dozen conference villages where you can engage, learn and interact with various technologies, it’s clear to anyone attending DEF CON that the cybersecurity landscape is too broad and varied for any one organization to succeed alone. Agencies should look to attract a more eclectic talent pool, leverage non-traditional engagement methods, and collaborate with industry to strengthen cybersecurity and resilience.
Why is it important for professionals to learn red teaming and the techniques adversaries use to hide from detection and gain access to private networks?
Eric Stride: Red teaming is essentially wargaming—getting into the minds of your adversaries to predict and emulate their moves so you can prepare and protect against them. The term “hacker” does not apply only to the bad guys; it also applies to the good guys with a “hacker mindset” who figure out ways to make things work (or break them) in ways that weren’t originally conceived. Organizations need ethical hackers to assess their cybersecurity posture and improve their resilience. By simulating realistic threat scenarios, we can discover weaknesses in systems, networks, applications, and human interactions, to demonstrate what works for the defenders.
Deloitte also offers training in network service and application layer exploitation because these tactics can involve highly sophisticated techniques and should be tested by a red team.
But DEF CON training is not only for super-cyber-security types. Courses at DEF CON range from beginner level (e.g., learning to use software defined radios) to intermediate courses such as hacking Kubernetes clusters and incident response in the cloud. Last year at DEF CON, the Deloitte cyber team conducted a two-day introductory training course in Cyber Threat Intelligence Analysis (CTIA). This course teaches network defenders how to collect, analyze, and apply targeted cyber intelligence to defensive operations to proactively act on and adapt to sophisticated attacks by cyber adversaries. This course applies the intelligence cycle to the full-spectrum exercise of proactive network defense.
Why is cyber awareness and training important to communities in general?
Eric Stride: All the plans in the world won’t do any good if people don’t know or understand them. Convening stakeholders for regular cyber training and exercises is a critical step in moving communities toward greater cyber resilience. Ultimately, building a resilient society depends on broad participation.
According to the 2024 Verizon Data Breach Investigation Report, 68% of breaches involved a human element, like social engineering, user errors, or misuse. DEF CON’s “Wall of Sheep” calls out attendees who have sent unencrypted sensitive information over the Wi-Fi network during the conference. The Wall of Sheep is a friendly way to shame users and, more importantly, invite them to learn how to better protect their information.
Over the years, conference organizers have seen plenty of usernames and passwords sent unencrypted, but also some surprising activity, including someone filing their taxes while at DEF CON, and others engaging in private conversations they didn’t intend to be public. Cyber experts have been teaching users for years to only use an encrypted connection when conducting sensitive activity, and to not click suspicious links in emails. It used to be easy to detect certain phishing emails because of the poor grammar. However, now attackers are using Gen AI to develop realistic-sounding phishing emails that are able to trick even sophisticated users. The ability of attackers to herd users onto unprotected comms, compromised sites, or malicious imposter sites is getting better. Bottom line: even the most tech savvy professionals need to always keep their guard up to avoid falling victim.
This posting contains general information only, does not constitute professional advice or services, and should not be used as a basis for any decision or action that may affect your business. Deloitte shall not be responsible for any loss sustained by any person who relies on this posting.
As used in this blog, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2024 Deloitte Development LLC. All rights reserved.