“My name is Steffen Stepper, I’m 32 years old and I work as an IT security consultant. My employer, SySS GmbH, specializes in penetration tests. Their goal is to find technical weaknesses in IT infrastructures and our clients, that is large companies from almost every industry to make recommendations on how to fix these gaps. However, we also conduct Red Teaming Assessments. This method originated in the American military and is an exercise in which a Red Team, the attackers, and a Blue Team, the defenders, measuring their strength The Blue Team is part of the organization we’re testing.
For jobs and job offers in the IT industry, see also the job market on heise online:
In addition to the technical infrastructure, red teaming includes processes, the sensitivity and the know-how of the employees with regard to IT security in the attacks. I look for the vulnerabilities and try to exploit them. The customer sets us specific goals, for example: “Take over the Active Directory” or “Get access to the server room”. We determine in advance with the client whether all possible methods may be used or whether certain attack techniques are excluded.
Invaded locally and remotely
I carried out the last attack with a colleague. Hacking is teamwork. In the company, we gained access to the network through social engineering. One of us called the IT support hotline, pretended to be an employee and had “his” password reset. This gave us remote access to the network.
The other drove to the company and broke in. This works far less ruthlessly and destructively than it might sound. In fact, he and other employees walked past the reception desk through the open door into the building. Access to and stay at the company were very easy. So we had several options to persist in the network. As a result, we carried out attacks on the network in order to expand our privileges more and more. The Kerberos attack worked: We got sovereignty over the network. We were also able to show in other ways that we can get the entire IT in the company in our hands. Management was shocked. Within 25 days we had the company with several thousand employees in our hands.
During my computer science studies I attended a live hacking lecture by the SySS managing director. From then on I was interested in hacking. I then started at SySS five years ago. Today I lead the Red Teaming department, we are five people. We attack businesses using a variety of methods, from phishing to technical attacks to breaching physical building security. One of the team always leads an attack, the others support. This increases the chances of success.
Phishing almost always works
It is often difficult for us to get into a network from the Internet. This shows that the security level of publicly accessible systems is constantly improving. However, if processes and people are included in the attack, we find that phishing, i.e. fake e-mails, almost always works. However, weaknesses cannot be generalized. Therefore, our attack attempts depend on what we encounter. For example, if we could log into Office 365 with just a username and password without a second factor, then we launch a password guessing attack after we figure out the account naming structure. We try the same in network connections. If we don’t find an open door technically, we attack via people.
Social engineering uses human characteristics such as helpfulness, fear or respect for authority to manipulate people. This is a difficult ethical issue, so we created a code of ethics for our social engineering tests. It says that we don’t have a single person in mind, but always the entire company.
Don’t embarrass individuals
I try to do red teaming tests with as little personal contact with other people as possible. To get into a company, I simply follow a group of smokers. I move as inconspicuously as possible, firstly because that’s enough to get in and secondly because I don’t have to lie to or embarrass a single person. From a technical point of view, however, it is not necessary at all, because we want to provide the customer with results that he can use to make his company more secure against attacks. Telling him that employee XY is behaving incorrectly is of little help. If this person were fired, then the attack would be successful with another person. Creating safety awareness among all employees is much more effective than accusations or sanctions.
Although I regularly incorporate social engineering into my attacks, I need to understand IT first. I need to know how certain systems and technologies work, where their weak points are and how vulnerable they are. These are the essential skills of a security expert. The comparison with a detective describes my work quite well. Hackers have to look very closely, also very deeply, to find the solution to an attack – the gap in the system. I like to get stuck in a challenge and won’t let go until I find the solution. It helps me a lot in my work.”
This article is part of a series in the careers and job market section in which people present their current job.
(sigh)
