🏹 Intro
Let’s take a look at how to build out safe and resilient red team infrastructure from the ground up, step by step.
You may be familiar with Tim MalcomVetter’s blog post on Safe Red Team Infrastructure, where he lays out a high-level overview of how to make a safe red team operational network. That post changed my life, but it lacked the technical details on how to carry out this process in practice.
Safe Red Team Infrastructure (malcomvetter.medium.com)
“This is a quick follow-up to “Responsible Red Teams.” This walks at a high level through creating a safe red team infrastructure that is hosted in your company’s protected data center (firewalls, IPS, logging, packet capture, environmentals, door locks, man traps, cameras, locks, armed guards, concrete planters, tank/car bomb traps, violent yard gnomes, what-have-you).”
So I wanted to write this as an answer to that blog post and combine some other wisdom I’ve picked up over the years. People like RastaMouse and byt3bl33d3r have shaped my understanding of this task.
byt3bl33d3r’s take on this task makes it into a CI/CD containerized swarm high-availability dream that scales infinitely. Rasta uses Terraform and Ansible to command cloud assets at the press of a button. They both end up with extremely impressive solutions and my HuskyHat goes off to them for it.
But for me, well, my brain is a bit more on the smooth side. My brain is so smooth you could skip it across a pond at sunrise while you meditate on your life’s choices.
So I’ll be taking the long road. My implementation has a larger footprint and takes a bit longer to set up, but it steps through each part of the setup and points out the security considerations along the way.
This post should be interpreted as an instructional session for building your infrastructure. It is not all-encompassing and can probably be improved in several ways. But here, as with all things:
Understand first; automate second.
I am a fan of automation/containerization for this task, but only after understanding the major security considerations at play.
By the end of this note, if you follow the steps, you will have a small POC-sized network of red team infrastructure that can support operations. This small network will be able to scale out on a mesh overlay VPN called Nebula.
Most importantly, this infrastructure will be safe and responsible from a red teaming perspective. It will minimize the risk to your client’s data as it is siphoned from their environment in a calculated fashion.
In future posts, I will write on how you can make it swat down prying eyes that try to examine your infrastructure with a little help from Nginx.
Let’s get it
This is from Tim MalcomVetter’s original blog post. We will use this as a reference point, but we will make several iterations and improvements on this as we go.
The following sections are collapsed into toggles for organizational purposes, but they should be followed in order.