Red Teaming & Jazz: Creativity as a Service


Foreword

I had been missing from this blog for a while, and I told myself it was time to get back to writing something.
If in the previous article (here is the link) I wanted to make a small professional contribution to the sector, this time it is a further personalization of certain concepts: how to balance creativity and professionalism in a world as apparently “cold” as that of Cybersecurity.
But let’s go step by step.

>> Perfect soundtrack for the article here <<

The challenge

These last few years have been enlightening from a professional point of view: being able to practice the art of Red Teaming and to experiment constantly, as this type of planning forces me to do, keeps me alert and motivated.
For us ethical hackers it is natural to get excited about Red Teaming projects and, riding that enthusiasm, we are often convinced that the value of throwing oneself into this type of simulation is so obvious that gaining consensus, and in plain terms selling plenty of tests, will not be a problem.
But it is not always so trivial.

What courses and books do not teach, and cannot teach, is how to deal with reality. A reality in which, still too often, the real fuel that feeds company budgets is mere compliance.
“I have to do the VA and the PT because I am a critical subject and this is written in the Regulations”;
“The budget I have is for mandatory activities.”

It is therefore clear that real skill and dialectic are needed to guide a company towards the test that is most useful to it, without coming across as “the salesperson who wants to sell it”.
And here we begin to enter the path I would like to follow.
Yes, because it is a matter of finding a way to break down a series of resistances that are no longer economic (we mentioned those above) but technical and cultural.
“Yes, ok, if I give you a VPN account, everyone is capable”
“I pay for a SOC, so I expect attacks on the internal network to never happen”
“I put MFA on all* accounts”
“I have XDR on all* servers anyway” (*where all = almost all)

But I will not start the sermon on “Yes, ok, but we need to verify it with an audit” now.
In this phase, in which the interlocutor, sometimes even ignoring your experience on the topic, is reluctant to proceed, snubs the subject and simply resists, playing the know-it-all on duty and pushing back hard leads to nothing but stress.

I would therefore like to tell how, over the years, I have developed an empathetic approach towards those who could become Trusted Agents in the future.

My PoV

Here we are.
In the transition from technician to manager, I initially made the most classic of mistakes, that is, believing (as it should be) that being right always rests on objective data and the scientific method; that if you have studied how to do something, that is how you do it, period.
But over time life has given me the opportunity to broaden my horizons: it is not always a matter of “good versus bad”; perhaps it is just a matter of point of view.

And so I started to ask myself “What if these guys are right? What if they can’t really see any added value?”
I have always been convinced that, in a Red Teaming project, the strong motivation of all parties involved is basically what makes the test a success (or a great failure, if it is missing). It is not really a question of achieving the Threat Actor’s objectives (Become a Domain Admin: YES/NO; Exfiltrate confidential data: YES/NO) but rather of having given those commissioning the work the impression that the task was interpreted in the best possible way and, above all, of having given them the opportunity to answer some questions and perhaps even to debunk some myths. I always thought it should be like hiring a Threat Actor when needed.
So it is not about stubbornly following the “Young Red Teamer’s Handbook”, but perhaps about empathizing with the customer and creating an experience together.
And so, it’s ok to be the biggest nerdy geek with an average of 40 CVEs a month, but it may not be enough. Something else is also needed.

Creativity

I want to open a further personal parenthesis. And I apologize to the readers: this article is almost more of a stream of consciousness, but I really wanted to write it like this.

Those who know me know that I don’t fit the typical profile of someone who ended up in Offensive Security. If I had to describe what Roberto is like, I would perhaps say that he has a rather exuberant personality, a ready joke, and a boundless love for music. And yes, even for video games.

When I entered the world of work, 10 years ago, it was evident how, especially in buttoned-up contexts and with large clients, I was forced to keep my rebellious spirit at bay. I was required to be the expert, the one who knows the frameworks and standards, certainly not a joker with crazy ideas. And instead… And instead, the greatest revenge is being able to make these things coexist, right?
Why not make sure that a personal trait can become a distinctive and unique element? That magic which creates precisely that human bond, breaks the barrier of mistrust, and ignites emotion and that cursed passion.

Everything is beautiful, but after all this preaching we are still far from having said something useful.

Improvising

How could I ignite a flame, an emotion and a sense of credibility in the distrustful interlocutor to whom I am about to propose a Red Teaming, End-to-End or Assumed Breach project?

First of all, listening.
We are faced with people who very often have no way of fully expressing what they think. It is by leaving them free to express themselves that we can collect a series of elements and grasp the key points for the next phase. Because if the interlocutor gets to tell his story, he can only like those who listen to him.

At that point the improvisation inevitably starts. And here, somewhat presumptuously, we reconnect with my passion and in some way with my musical career. How nice it is to improvise. But I don’t mean “making up random words and hoping that whoever is listening doesn’t know anything”.

I mean it in the musical sense, as in jazz, gospel, funk: you can improvise only with enormous technical knowledge, a command of the rules, and an impressive ability to constantly relate to the environment (the drummer, the bassist, the guitarist, the saxophonist, the other voices… the audience!!).

Basically, I am saying that the Red Teaming test plan written at the end of the preliminary meeting is unlikely to resemble what could be conceived before it, and that therefore each project is substantially unique.

As is every performance, when you improvise.

Everyone wants to play Jazz – loosely quoted.

We have used the musical ingredient, but we still haven’t mentioned the gaming piece.

A touch of gamification

And that’s where my gamer side comes in.

Over time I realized that one of the most effective ways to make a Red Teaming project engaging and memorable is to turn it into a real challenge, structured in levels, objectives and achievements. Again, it’s not just about “taking a test”, but about having an experience.
Imagine breaking down the blueprint into missions, each with specific conditions (e.g. a given number of hours), tactical objectives, and a score.

For example:

Mission 1: Recon & Initial Access
Scenario: You found a post-it with these credentials
Goal: Login obtained without further information given
Condition: <24 hours to identify the login path; <48 hours to bypass the MFA

Mission 2: Privilege Escalation
Scenario: You are in, but just a standard user
Goal: Login obtained as a Financial user
Condition: <48 hours to bypass the access control or obtain another entry point

Mission 3: Identify the Crown Jewels
Scenario: Ok, now you have the rights… but where is the confidential data?
Goal: Crown Jewels found
Condition: <48 hours to identify and collect all the confidential data

Mission 4: Kiss & Fly
Scenario: It’s time to make some money with this attack
Goal: Exfiltrate confidential data without producing any alert
Condition: <24 hours to exfiltrate as much as you can

This structure not only makes the project more understandable for the client, but also engages them emotionally, turning the test into a narrative. And when the customer feels part of the story, they are no longer just the recipient of the final report, but a protagonist.

Gamification also allows you to better measure and communicate the results, avoiding the classic “we took the Domain Admin in 3 days” and replacing it with a progression that shows how and why certain goals were achieved (or not).
Thanks to this approach, it is often possible to break down those preconceptions and certainties we have in the IT world, especially when we talk about Security through Obscurity. And then, if the Red Team succeeds in its intent and overcomes the challenge, wow, the whole experience takes a different turn, like a sort of acquired confidence.
And, why not, it also helps the tester not to “get lost” in the infinite sea of possible actions (especially when it is not a matter of emulating a specific Threat Actor).
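As an added illustration (my own code, not the author’s or Yarix’s), here is a small Python tracker that turns the mission blueprint above into the kind of progression report the author describes: each mission’s status is derived from a constructed log of timestamped events, Mission 4 is scored against its “no alert” condition, and the point values are my assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Mission:
    name: str
    time_limit: timedelta          # the "Condition" of the mission
    must_be_silent: bool = False   # Mission 4: no alert may be produced


# Mission blueprint taken from the post (Mission 1 uses its 48 h MFA deadline)
MISSIONS = [
    Mission("Recon & Initial Access", timedelta(hours=48)),
    Mission("Privilege Escalation", timedelta(hours=48)),
    Mission("Identify the Crown Jewels", timedelta(hours=48)),
    Mission("Kiss & Fly", timedelta(hours=24), must_be_silent=True),
]

# Constructed engagement log: (timestamp, event, mission index).
# "start"/"goal" come from the red team's notes, "alert" from the SOC.
LOG = [
    ("2024-01-08 09:00", "start", 0), ("2024-01-08 15:30", "goal", 0),
    ("2024-01-08 15:30", "start", 1), ("2024-01-10 17:00", "goal", 1),   # 49.5 h: late
    ("2024-01-10 17:00", "start", 2), ("2024-01-11 11:00", "goal", 2),
    ("2024-01-11 11:00", "start", 3), ("2024-01-11 20:00", "alert", 3),  # SOC noticed
    ("2024-01-12 02:00", "goal", 3),
]

# Assumed scoring: full marks only when the mission's condition is fully met
POINTS = {"achieved": 10, "achieved (late)": 5, "achieved (detected)": 2, "not achieved": 0}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def score_missions(missions, log):
    """Return one progression entry per mission: status, hours spent, points."""
    report = []
    for idx, m in enumerate(missions):
        events = [(parse(ts), ev) for ts, ev, i in log if i == idx]
        start = next((t for t, ev in events if ev == "start"), None)
        goal = next((t for t, ev in events if ev == "goal"), None)
        alerted = any(ev == "alert" for _, ev in events)  # only matters if must_be_silent
        if start is None or goal is None:
            status, hours = "not achieved", None
        else:
            hours = (goal - start).total_seconds() / 3600
            if m.must_be_silent and alerted:
                status = "achieved (detected)"
            elif goal - start <= m.time_limit:
                status = "achieved"
            else:
                status = "achieved (late)"
        report.append({"mission": m.name, "status": status, "hours": hours, "points": POINTS[status]})
    return report


def total_score(report):
    return sum(r["points"] for r in report)
```

Running `score_missions(MISSIONS, LOG)` and printing each entry gives the “how and why” progression for the debrief instead of a single “Domain Admin in 3 days” line.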

Conclusion

In short, my final suggestion is to be generous with creativity and ideas, and to constantly pursue improvement and experimentation.
And yes, there is room for improvisation even in such a rigid world as Cybersecurity.

Because even Red Teaming can be… jazz.

Author

Roberto Chiodi, born in 1990, at Yarix since 2017 and Head of Red Team since 2020

Gospel/Acapella/R&B/soul/funky/hip hop singer
Cajón player/pianist
Ethical Hacker
