Epic Fails and Heist Tales: A Red Teamer’s Journey to Deadwood

TL;DR: At Wild West Hackin' Fest in Deadwood, Alethe Denis shared hard-earned lessons from real-world Red Team engagements that revealed both surprising vulnerabilities and valuable opportunities for growth.
Through storytelling, she highlights how each operation sharpened our offensive strategies while helping blue teams strengthen their defenses.
Visiting Deadwood, South Dakota, to present my talk, "Epic Fails and Heist Tales: Red Teaming Toward Truly Tested Security," at Wild West Hackin' Fest was an unforgettable experience. Deadwood itself, steeped in rich history and natural beauty, offered the perfect backdrop for reflecting on the lessons and stories I shared during the talk. Alongside the technical knowledge, the opportunities to network, and the excitement of finding friends at the conference, I enjoyed the area's unique charm, from encountering wild turkeys to marveling at the grandeur of Mount Rushmore. The historical allure of the town, with its Wild West ambiance, seemed to resonate perfectly with the themes of ingenuity and resilience central to hacking and Red Teaming.
But the heart of my trip was the conference and my chance to bring the audience into the world of Red Teaming from my perspective through storytelling. Wild West Hackin' Fest, renowned for its vibrant and approachable atmosphere, proved to be the perfect venue for sharing lessons learned from both triumphs and failures in offensive security.
The Journey of Red Teaming: Fails, Heists, and Humility
In my presentation, I invited the audience to journey with me into the nuanced and unpredictable world of Red Teaming. As a Senior Security Consultant on the Red Team at Bishop Fox, I’ve been part of engagements that have tested organizational security in ways both surprising and enlightening. Every engagement comes with its own set of challenges, lessons, and opportunities for growth for the Red Team and the blue team alike.
One of the pivotal stories I shared was a humbling moment during a physical penetration test. I was up against an exceptionally skilled blue team protector and the defenders of the organization who reported to them. They had anticipated my tactics through their experience both in the military and conducting Red Team operations of their own, fortified their defenses, and ultimately outmaneuvered me. In that moment, I had to make the difficult decision to surrender.
To help the audience understand this moment, I drew a parallel to the iconic scene in The Queen’s Gambit, where the protagonist learns about the significance of resigning in chess. It’s not a sign of defeat but an acknowledgment of respect for the other player’s skill and strategic brilliance. For me, this was a transformative moment as a Red Teamer. It underscored the importance of humility, adaptability, and learning from every engagement, whether we “win” or “lose.” Each loss is a steppingstone toward greater understanding and improvement.
It’s also an opportunity to show maturity and leadership skills by putting the client and vendor relationship ahead of the desire to persist at the risk of souring the relationship or creating a truly adversarial relationship with the client during the engagement. The client, after all, is made up of people who you intend to build trust and rapport with when the engagement is over, and people who you will make recommendations to in hopes they will both receive and act upon them. In this case, it led to a genuine friendship and repeat business, despite the momentary embarrassment.
Beyond the story of surrender, I shared tales of successful engagements—times when careful planning, creative thinking, and teamwork allowed us to bypass defenses and achieve our objectives within a matter of minutes while evading detection. These stories weren’t just about success; they were about deeper insights into how attackers think and operate, and how defenders can adapt to stay ahead.
The Red Teamer’s Arsenal: Packing for Success
Preparation is a cornerstone of any successful Red Team engagement. During my talk, I shared a detailed list of items every Red Teamer should pack when preparing for a physical penetration test. These items aren’t just tools; they’re the keys to blending in, adapting to unexpected challenges, and achieving objectives. The right gear can mean the difference between success and failure, especially when operating in high-stakes environments.
The packing list highlighted:
- Clothing for Various Looks: From casual to formal, the right attire can make or break a pretext. Layers and versatility are crucial for adapting to different scenarios.
- Accessories to Change Appearance: Sunglasses, hats, and wigs can be game changers for disguise and misdirection.
- Office Supplies for Red Team “Arts and Crafts”: Tape, Post-its, glue, and even markers may seem mundane but are indispensable for on-the-fly creativity and deception.
- Tech and Power: Cables, chargers, adapters, and battery packs to keep everything running smoothly. Power failure is not an option.
- Physical Breach Tools: A can of air, under-the-door tool, double door tool, shims, and lockpicking equipment for physical bypass. Hand warmers and wire coat hangers for improvisation in maneuvering past request-to-exit sensors. These tools help overcome mechanical barriers quickly and efficiently.
- Props and Conversation Starters: Metal clipboards, badge holders, and equipment relevant to the pretext to build credibility and trust.
- Comfort and Practicality: Shoes that match the pretext but also allow for mobility; clothing that is comfortable and won’t impact the ability to operate within the assumed pretext. Coping mechanisms to reduce anxiety, like items to hold to avoid fidgeting or gum to chew to absorb nervous energy.
Crafting Pretexts: The Art of Social Engineering
No Red Team engagement can succeed without meticulous OSINT (Open-Source Intelligence) and pretext development. Drawing from my previous talk, "Phishy Little Liars," I discussed the strategies and techniques that go into crafting believable scenarios. Whether it’s posing as an IT contractor, delivery person, or repair technician, the details matter. It’s about understanding the target, anticipating their reactions, and building trust in seconds.
Pretext creation often starts with extensive research, knowing your audience, their routines, and the organizational culture. The more you know, the more authentic and credible your interactions become. This process is both an art and a science, requiring creativity and analytical thinking as well as the ability to improvise and adapt in the moment.
Why Red Team Physical Penetration Testing Matters
As I wrapped up my talk, I emphasized the critical importance of Red Team physical penetration tests. These engagements are about more than just breaking in; they’re about revealing the gaps and weaknesses organizations may not even realize exist. Whether or not the Red Team achieves its objectives, the insights gained are invaluable. Physical security often overlaps with digital security, and weaknesses in one domain can compromise the other.
For instance, I shared examples of findings that have emerged from past engagements:
- Unencrypted Low-Frequency Badge Data: A common vulnerability that attackers can exploit with minimal effort, scanning and then cloning badges of employees to gain access to the building.
- Default Accounts and Keys: An oversight that provides easy access to critical systems, such as default PIN codes left enabled on keypad-secured doors.
- Physical Weaknesses: Door frame and double-door gaps that allow tools like the under-the-door tool to bypass locks.
- Inconsistent Monitoring: Surveillance dead zones and lack of response protocols leave organizations exposed.
- Insufficient Document Destruction: Sensitive documents disposed of improperly can lead to data leakage.
- Insecure Document Storage: Leaving confidential information unprotected increases the risk of unauthorized access.
- Insecure Credential Storage: Weak practices in storing credentials create opportunities for compromise.
- Insecure Wi-Fi Network Setup: Poorly configured wireless networks can act as entry points for attackers.
- Lack of Bypass Detection: The absence of mechanisms to detect physical or technical bypass attempts.
Each of these vulnerabilities represents an opportunity for improvement. Addressing these issues doesn’t just protect against attackers; it builds a culture of security awareness that extends throughout the organization. And while it’s rewarding to succeed as a Red Teamer, the ultimate goal is to strengthen the client’s defenses against real-world threats.
Reflecting on Deadwood
My time in Deadwood wasn’t just about sharing stories; it was also about learning and connecting with a passionate community of security professionals. Between the sessions, I explored the local history, took in the breathtaking views, and even had a few moments of quiet reflection among the turkeys and pines. It reminded me of the resilience and ingenuity that define both the Wild West and the world of cybersecurity.
The conference itself was made even more special by the incredible environment fostered by Black Hills Information Security and Antisyphon Infosec Training. Their dedication to creating a fun and supportive space for knowledge sharing and networking among participants was evident throughout the event. The accessibility and camaraderie of the community stood out, making it an event that not only imparted knowledge but also strengthened professional connections.
As I left Deadwood, I felt inspired not only by the beauty of the Black Hills but also by the conversations and ideas sparked during the conference. Red Teaming is a journey of constant learning, adapting, and collaborating. And I’m grateful for every opportunity to share that journey with others. Events like Wild West Hackin' Fest remind us all that the heart of cybersecurity lies in community and the shared commitment to building a safer digital and physical world.
To hear my Red Teaming stories in full detail, watch my webcast – Epic Fails and Heist Tales: Red Teaming Toward Truly Tested Security