Tom Van de Wiele gets paid to break into a company and steal their secrets. These secrets could be anything from sequenced genomes to trading algorithms to customer databases. But they all have one thing in common: they are of high value to the organisation that owns them.
In the cybersecurity world, people who carry out these heists are known as red team professionals. Their goal is to test every conceivable weak point of a corporate system – with the permission of the corporation – so that they can fix weaknesses before an actual criminal breaks in and wreaks havoc.
But the methods of Van de Wiele and other red teamers do not stay in the cyber realm. In addition to sending phishing emails to employees, or leaving a malware-riddled USB in a company car park, red teamers attempt to break into the physical infrastructure of an office building.
This can involve any number of creative techniques, from using an air can to bypass a one-way automatic door to using sellotape to steal a fingerprint from a biometric scanner.
Van de Wiele is principal security consultant at Finnish cybersecurity firm F-Secure (you can find out what a typical day involves for him and his red team in our spin-off magazine, Verdict Encrypt).
Verdict visited the 20-year-old company’s headquarters in Helsinki to catch up with Van de Wiele to find out the best and worst security he’s encountered, how he stays on the right side of the law, and what happens when he gets caught.
Robert Scammell: What’s the sloppiest security you’ve ever seen?
Tom Van de Wiele: We had to break into the employee entrance of a… let’s call it a power plant. And they had lost the keys to the padlocks with which they were closing the gates. They had actually put a rubber band on the padlock so that when you’re passing it from a moving car it would look like it’s closed. But, if you would literally just cough on it, it would just spring open.
And a close second would be when we broke into a company and the IT department had just received a pallet of the replacements for all their network switches and desktops that they were going to install in a floor that had just been renovated. So that means that we could have backdoored [hacked] every single computer or appliance that was just left in the hallway. They were not behind lock and key, which you would expect. So yeah, those are maybe things to avoid.
RS: Do you ever get caught?
TVW: We do. But it’s usually once we’re already inside the network. And once we’ve already implanted whatever we need to implant to stay on the network. People usually think that we just walk into a company and then go ‘nee naw nee naw look, we got in!’ But we’re there to test the process. Maybe we came at a moment where we got lucky. So we try to do these attacks at least a few times, just to get an indication of whether this was a one-off.
When we get caught usually we have the guards asking us where our access card is. And then we say ‘it’s here’. And then we ask ‘where’s your access card?’ and then usually they’re the ones failing procedures, and they have to run to the car. And then we make our way out.
If we do get caught, we have a letter in our pocket called our ‘get out of jail free letter’. That has all the things on there that the customer needs to be able to validate that yes, we’re supposed to be here. But if we get caught, it’s really just to make sure that we can test the process and it’s usually late in the test. So, in the last few days or the last week of the test, our attacks will become a lot noisier just to be able to see how they are reacting to it. But it’s usually already after we’ve obtained the objectives.
RS: You mentioned the ‘get out of jail’ letter. Are there any other things that you do to ensure your break-in is ethical and on the right side of the law?
TVW: The scope needs to be crystal clear as far as what we’re allowed to do and what not. And yes, attackers will not tell you what they’re going to do. But we at least need to have a list of bullet points as far as what techniques are fair game. And we explain those techniques to our customers saying, ‘look, this will mean this, and hopefully on your end, you will see this’.
But of course, there are grey zones, where we have to tell our customer that we have very strict data policies. I might see your Facebook password, but I’m not going to log on to your Facebook. I want your cloud access, I want your customer database. Which also means that if you ask us to compromise a customer database, you know I don’t actually want your customer database – I want to be able to show you that I can access the customer database. And you give me a few numbers. And I’ll give you the representative customer records to prove to you that I have access.
But the customer wants to be able to test the full attack process. And the full attack process also means once you’ve exploited a particular thing, you need to get the data home, to exfiltrate the data. But again, I don’t want the real customer database. And so, what we’re going to do is we’re going to make a file that has the same characteristics, the same size. And we try to exfiltrate that one and see if they notice. So that’s shifting between tech simulation and emulation. We do all the things as far as whatever the attacker would do. But there’s no risk for a customer.
RS: What’s the toughest security you’ve had to crack?
TVW: It’s usually companies where the person or process that you’re trying to target only has a limited amount of technology or employees. For example, if you have a certain payment solution, and only five people have access. If you have a mainframe and only, again, five people have access, the phishing part probably is not going to work.
Or maybe it does, depending on what the relationship is between those people. But it does push you into a corner in that your attacks will have to come from a certain part where they’re expecting it. Now, of course, you want to test the process. But also, you want to come up with some attacks that they won’t expect. And that’s where our creativity comes in.
RS: What’s the most common mistake you see when testing an organisation’s security?
TVW: People or companies trying to buy their way out of bad security. If you want to build good security – to use an analogy – you’re going to build a wall. My point of view is that you cannot buy a wall, the only thing you can do is buy the bricks. But don’t get caught in the fallacy that just because the national bank bought this one solution doesn’t mean it’s okay for you to buy that same solution. It could be. But that will mean that their threat model is exactly the same as yours. And their security requirements are exactly the same as yours.
And I like to bet that that’s not the case. So, doing your own threat modelling, defining what the worst-case scenarios are, trying to make investments and training processes. And then in technology, depending on what you need to see, can we detect and prevent these scenarios, or at least bring them down to a level we can live with. That’s where your security should start.
RS: What’s the most enjoyable part of being a red teamer?
TVW: Probably planning the attack. Because you get to sit in a big room with a big screen with specialists all in their own domains. You write something on the whiteboard saying that’s our target. You draw a circle around it, you put a piece of pizza in your mouth, you have a sip of your beer, and you just start planning as much as you can and try to not only use all the tricks in your box of tricks, but also to come up with new ones. And that freedom to see what would stick and what wouldn’t, and just the general excitement of being able to try something new, knowing that this is your job. That’s probably the best part.
This interview has received minor edits for conciseness and clarity.