It's interesting to see the development of Red team tooling over the last couple of years.
It's obviously necessary for red teamers to continue to advance to be able to cope with improving Blue team technology.
However Red Team tech. is, by its nature, dual-use. It's equally useful for "real" attackers to have these capabilities as it is for people emulating real attackers. The nature of open source makes these capabilities quickly distributable.
So these capabilities will help "real" attackers in the same way they help red teams...
Terminology - Red Team - Set of security professionals who emulate "real world" attackers in an attempt to find exploitable flaws in organizations' systems. Blue Team - defensive security professionals whose job it is to detect and respond to attacks from real attackers and red teamers.
As someone who has spent their entire life on the blue team, I've used some of these red team tools to assess my effectiveness. I can remember using Metasploit to make as much noise as possible to test my team's responsiveness to our SIEM going crazy with alerts. We've used Burp and similar tools to perform security audits of the company's custom code, and audits of software we're doing a PoC with to ensure quality.
I've never once worried that the tools I'm using would end up in the hands of more sophisticated hackers. If anything, I'm glad for the basic red team tools because it makes script kiddies easier to find. They're not going to do custom exploits anymore when Metasploit exists. On the other side, it's almost always a safe bet that the actual bad guys are going to skip the off-the-shelf tools...
... assuming, of course, you have a decent enough security posture as-is. If script kiddies and ransomware and Zeus can get into your network unnoticed, you've got a much larger problem on your hands. Unfortunately, most companies still fall into this category because even companies that spend tens of millions of dollars on security don't take basic security seriously.
So as a Blue teamer your perspective makes sense, as presumably you only work in organizations who can afford dedicated blue teams :)
Where I think most of the re/mis-use of red team tools would be effective is in the many organizations who are not yet mature enough to staff a dedicated blue team capability...
> So these capabilities will help "real" attackers in the same way they help red teams...
They do. However if you do not enable the Red Teams with this capacity, it does not follow that the real attackers do not have it. It's a bit like guns. If the police don't have guns, the bad guys still do. The answer isn't to distribute military weapons and tanks to everyone but at least have them as an option for SWAT.
yeah it's a tricky question, I mean Red Teams can never fully emulate all classes of attacker as they're still constrained by laws, but more realistic red teams provide more realistic tests :)
What seems to be the case is that lower end attackers who don't have the skills to create fully custom setups (or high end attackers who don't want to risk their own tooling getting discovered) will use "pentesting" or red team tools to enable their attacks.
So the line (if there is one) is how much do you release in that direction. Some/Many people draw the line at dropping 0-Day others might draw it lower or higher...
"Dropping 0-day" usually refers to the act of releasing an exploit for a previously unknown security vulnerability, prior to the product owner being able to deliver a patch for it.
Am I alone in seeing a trend of Corporations really tooling up their security? I realize that in the age of digital transformation, securing your digital infrastructure is critical. And you have to do it, or your business is at a serious risk... but it keeps getting bigger, additionally so much of security is also physical.
I guess my concern is if you combine this with the longer term trend of the dominance of corporations in our lives, in that they seem to be increasingly becoming small nation states of their own. It just seems like we're a few steps away from corporations having their own standing armies, digital and physical... and all the potential problems associated with that.
I've spent a decade in information security and I've been working as a consultant from a security vendor for the past few years, and yeah there's been a big outpouring of cash for security. Unfortunately it's almost never spent right and most of it goes to waste. So you don't need to worry about a corporation having a standing army when it comes to information security, because that army doesn't have guns and isn't allowed to engage the enemy. An army, yes, but they're defending the Maginot Line [1]
I have a customer whose SIEM generates several hundred high severity alerts every month, and they've told me that those alerts are 90% accurate and it's a real actual high severity security incident on every true positive. We've tried to get them to put controls in place to prevent the activity rather than merely responding to the incident after it was detected, but doing so would cause a workflow change for some business units, and they can't do that. All they can do is detect and respond, not prevent. To compensate, they hired more security analysts to respond faster, and bought more tools to detect quicker... but they're still just responding after the fact. The security incident already happened. Millions of dollars per year wasted. And this isn't uncommon.
Companies are absolutely increasing their investment in security. You're seeing a response to the number of large security breaches over the last few years, and the increase in compliance requirements such as GDPR. More companies have adopted compliance programs, which means that their vendors need a compliance program. If you talk to anyone in enterprise sales, you'll hear that more people ask for their SOC2 and other compliance docs.
TLDR: highly sophisticated tools for cyber security analysts.
Yeah, had the same reaction. It takes some background to get what they are talking about.
Red Team: A team that tries to exploit an organisation to find weaknesses before black hackers find them. [1]
Blue Team: A team that tries to protect the org from the red team and fix the exploits. [2]
SIEM: Security Information and Event Management. Usually used by Blue teams. [3]
>The page is written with the philosophy: if you don't know what all these terms are, you don't belong here. Which is fine for a random Github repo.
It's also fine for a page meant for a specific audience. It's not like they want to attract random developers working outside security.
Whenever someone says something akin to "Hey that project's page didn't explain/market their offering well enough for me!", an obvious counter question is "and who said their intention was to promote it to you?".
Sometimes the complaint is legitimate (e.g. a programming language or project that wants wide adoption should explain what it is clearly and attractively in its webpage). Other times it's just that not everybody is the intended audience, and they explain what they do well already if you're the intended audience (in which case you know the terms they use, etc).
>I'd be curious to know about HN's sorting algorithms, this topic seems such a niche thing that I'm amazed this page reached #1...
Perhaps enough people know about this stuff already and voted it as soon as they saw it? I didn't know what Red/Blue teams are, but there are several security people here that do.
I actually assumed it was from the GitHub blog from the front page link, so assumed it was from former colleagues / friends (I worked at GH, and know many of the fine people there).
Then I realized it was just a random GH repo and some sort of security tools software. And even then, was full of its own jargon -- blue team / red team / white team. So I could only ask wtf is this even doing here. Like how does this particular security software impact my life as a generalist software developer, or even if I was just some random technologist person.
I work in information security, and do you know the number of articles I see here on a daily basis that have their own jargon and don't help my life? I wonder WTF is this doing here? This is a big forum with lots of people who do lots of things. This isn't "Rsanheim News", not everything needs to be custom tailored to your desires.
Since you work in the tech industry, you should be aware that Google exists and you can very quickly find out what a SIEM is (if you don't do log management you should look into it) and what a red team is (if you don't do security audits you should look into it) and hey, now you know what the subject is.
There are a lot of security experts on HN and I personally find it an interesting topic even though I have very little knowledge of that industry. Since the guidelines are "anything that could be of interest to hackers" and security research consists of creative use of low level software and hardware, I don't see how it's a strange topic for HN at all. I'm sure there are many other articles here that don't intersect with a generalist software developer's area of expertise.
HN often contains very specialized articles that would not make much sense to people not involved in the technology. That doesn't prevent such articles from being upvoted. There are enough specialists within various domains in HN to be interested in such articles. This is not a typical generalist-software-developer-only forum.
People like to play cool. Everybody here is a wannabe top hacker, or wannabe unicorn startup founder, or a wannabe James Bond. Nothing is inherently wrong or unusual with that.
I was legitimately asking why I should care about this piece of software, or why I would consider it in my day-to-day life at work or play. Nothing wrong with that.