h1

Red Team Training at BlackHat USA

May 2, 2013

Before developing Cobalt Strike, I conducted interviews with several penetration testing practitioners. I wanted to dig into their process, the tools they used, the gaps they saw, etc. Three folks from the Veris Group sat down with me for three hours to go over these very questions. It was at this time, I became familiar with David McGuire and Jason Frank.

Our relationship has evolved, to the point where they advise on Cobalt Strike, teach the product, and Veris Group is also a Cobalt Strike customer.

At BlackHat USA, Veris Group will teach two courses: Adaptive Penetration Testing and Adaptive Red Team Tactics. These two offerings grew out of their Adaptive Penetration Testing course which they’ve taught at BlackHat USA the past few years.

Last year, David and Jason approached me and offered to include Cobalt Strike on the DVD they provide to the students of their course. This then evolved to including a lab with Cobalt Strike. Which then evolved to them opting to use Cobalt Strike as the platform to demonstrate their Adaptive Penetration Testing process.

I have my own course offerings, but my offerings are focused only on my toolset. These courses will give you the foundation to setup a complete red team and penetration testing assessment process using Cobalt Strike and other tools. Their perspective is available once a year at BlackHat USA, I highly recommend that you take advantage of it.

slide9

To give you some more insight into these courses, I’d like to share an interview I conducted with Jason and David on their BlackHat courses:

1. How many times have you taught at Black Hat and what made you want to teach there?

David and Jason: We’ve had the opportunity to teach the class twice at Black Hat USA and once at Black Hat UAE. Black Hat provides smaller independent trainers like us, who don’t do this full time, with a great venue to reach a broad potential audience. They handle all the logistical work (such as securing a venue, billing and marketing) so we can focus on delivering quality course material that benefits our students. We are very appreciative of the opportunity they give small trainers and the working relationship we’ve been able to establish.

2. In your words, what are the differences between the Adaptive Penetration Testing and Adaptive Red Team Tactics courses?

David and Jason: The focus of Adaptive Penetration Testing (APT) is to provide students with a framework for providing comprehensive assessments with the objective of demonstrating the risk, in terms of business impact, of potential system breeches. The end goal is for students to be able to take the techniques, procedures, and methodologies we have developed through our experience and implement them in their own operational environments. Assessments utilizing the methodology we discuss in APT are targeted to take one to two weeks to execute effectively.

slide341

Adaptive Red Team Tactics (ARTT) is meant as a follow on to APT and focuses on emulating a more advanced threat. This course covers more advanced tactics, techniques and procedures (TTPs) that enable our students to provide a more realistic assessment of defense, detection, and response capabilities in organizations with mature IT security programs. Red Team assessments generally have an extended assessment window and incorporate techniques for providing a more covert, “low and slow,” assessment with a heavy focus on intelligence gather and long term post-exploitation activities. Stealth, evasion, robust persistence, and data exfiltration are some of the main themes of ARTT.

slide550

3. What is the secret sauce of your courses? What will you teach that students can’t get elsewhere?

David and Jason: We focus heavily on the tools, techniques and methodologies that we have developed through our experience performing assessments and building internal penetration testing programs for our customers. While we thought there was some really great training out there, we felt there was an opportunity for us to fill a legitimate need in the industry by offering training that focuses on how to effectively conduct assessments in operational environments. In our courses, we want to make sure students understand the entire process of executing a Penetration Test or Red Team assessment, including everything from scoping to exploiting systems to delivering a comprehensive report.  We structure and deliver our course material so students walk away from the course with something they can easily use as a reference when conducting their own assessments. We also include templates and other material that offer students a foundation for creating a program/service from the ground up.

slide69

We think another big differentiator in our courses is our incorporation of Cobalt Strike. We feel that one of the gaps in a lot of training out there is that they do not effectively cover the professional tools that can assist in delivering efficient, effective, and repeatable assessments. Cobalt Strike is a full-fledged toolset we use every day in our penetration tests and red team assessments. It enables us to save a lot of time in execution and have quick access to some powerful capabilities. We believe that when testers are in the middle of an assessment, they should be able to focus on assessing the risk/business impact of breeches for their customer, not wrestling with their tools. Tools don’t make the tester, but knowing which tools can best augment your capabilities is often as important as knowledge of great penetration testing techniques.

Raphael: *cough* *cough* Last year, I spent some time with David and Jason at the Veris Group headquarters. Jason constantly rolled his eyes at David and I. Apparently, when we sit down together, we’re like two Furbies going into an infinite loop. Once we broke out of our chat routine, I sat down to go through their labs. I couldn’t do them. David and Jason kept providing hints, but I really did not know. The labs were related to lateral movement and abusing trust relationships. This is a topic that I don’t feel is well covered in other places and their courses both address this topic with a lot of depth.

slide476

4. Why isn’t this material taught in other places?

David and Jason: Many courses seem to focus either on foundational knowledge of penetration testing, or technical intricacies of various advanced techniques. While a lot of these are really great courses, we felt they often didn’t leave students with the ability to go execute well-planned and comprehensive assessments on their own. We designed APT for students who don’t need more foundational knowledge, but do need to run effective assessments to add value for their customers. Many course also focus on tools and techniques that are freely available, but operational penetration testing teams use the most effective tools for the job, whether freely available or commercial. We wanted to train on tools and techniques that students would actually use in the field.

When it comes to ARTT, we felt there are few advanced penetration testing courses available, especially relative to the number of courses that teach the fundamentals. Those that are available typically focus on techniques such as exploit development, but few seem to focus on emulating the techniques of the advanced threats that are actually targeting organizations today. We bring our experience in conducting red team assessments for the Federal government, where the objective is to analyze systems the way an adversary would versus utilizing the latest and greatest exoteric technique.

slide512

5. How did Cobalt Strike end up in your courses?

David and Jason: When we first developed the APT course, we faced the same limitations most courses do in many of the tools we were teaching weren’t the ones we actually used on assessments. One of the only tools that came close to something we could use operationally was Armitage. As Cobalt Strike was a natural progression from Armitage, when it was released, we found it was the perfect fit to move to for our primary penetration testing platform. In keeping with our objective of training for operational testing, we also thought this was a great opportunity to showcase the capabilities a professional toolset can provide. We found Raphael had much of the same mindset for penetration testing and training we did and was enthusiastic about assisting us in improving our training offering. Cobalt Strike was exactly what the course intended to provide, a turn-key approach to accomplish common, sometimes tedious, tasks so the assessor can spend more time performing effective threat emulation.

Way to sell them on buying Cobalt Strike guys -- Raphael

Way to sell them on buying Cobalt Strike guys — Raphael

Cobalt Strike was actually one of the primary reasons we were able to offer the ARTT course this year. One of the significant barriers to teaching (and conducting) red team assessments is the specialized toolsets red teams use. These toolsets are generally highly specialized, require a significant amount of support, and are almost never released. These issues make training red team tactics much more difficult. However, over the past year Raphael added many red team capabilities to Cobalt Strike. While Cobalt Strike is great for enabling a standard penetration testing team to emulate more advanced threats, it also gave us the opportunity to train on many of the more advanced tactics we use in our red team assessments.

Raphael: I know the real story. A few years ago, David and Jason were teaching Adaptive Penetration Testing. One of their students used Armitage to chewed through their entire exercise environment, like it was nothing (this is a very common Armitage story–in many classrooms). This is what got their attention and it’s part of what got us talking in the first place. 🙂

6. Who should take your courses?

David and Jason:

  • Penetration testers and/or managers with prior knowledge/training/experience who are looking to maximize their programs
  • Individuals interested in starting a penetration testing capabilities
  • Penetration testers and/or managers with prior knowledge and experience with penetration testing tools and techniques interested in emulating a more sophisticated threat capability
  • Individuals who would like a better understanding of the tactics, techniques and procedures of more advanced adversaries

Raphael: If you’re a prospective (or active) Cobalt Strike user, I highly recommend signing up for one of these courses. If you’re planning to use Cobalt Strike in a variety of engagements, take Adaptive Penetration Testing. If you’re primarily focused on threat emulation and red teaming, take Adaptive Red Team Tactics. David and Jason are very experienced in the subject matter they’re teaching. They know Cobalt Strike and we view threat emulation and penetration testing through the same lens.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s