NEW YORK — Grab a bagel, drive to work, hack into your company’s core financial databases, call your kids, and maybe hack some more. It’s just another typical day on Yahoo’s red team.
Chris Rohlf heads up the company’s four-person “offensive engineering” unit, tasked with launching cyberattacks at Yahoo’s products, networks, and systems.
Rohlf explained when we met at his New York office earlier this year that his red team’s findings help the “blue team” patch the company’s defenses, so the company can better protect against “zero day” flaws, phishing expeditions, or even nation state attackers down the line.
No matter how strong your defenses, the red team should always win.
“On the offensive side, I have an easy job,” said Rohlf. “Things are completely on the attacker’s side.”
Rohlf wouldn’t say how many attacks the company faces every year, but said that every hacker group has finite resources. Anything the company’s defenders can do to raise the cost to the attacker, such as two-factor authentication or patching software, can make the attacker think twice about their own investment.
“Even the most well-resourced groups, they’ll only deploy against you what they need to,” he said.
The logic of using a red team is that if you understand your attacker, you’re better able to copy their work and to defend against them when the real attackers come.
Many security researchers had long focused on small-time hackers, or advanced persistent threats. But there was one threat that many hadn’t yet come to terms with — their own government.
In late 2013, a highly classified intelligence-gathering program leaked by whistleblower Edward Snowden detailed exactly that. The “Muscular” program was the National Security Agency’s (NSA) effort to secretly tap the unencrypted links between Yahoo’s and Google’s data centers — effectively vacuuming up millions of users’ data as it flowed across the wire.
“The Snowden revelations shook a lot of companies up… even Google was caught off guard,” said Rohlf.
Google’s own engineers weren’t so forgiving. “F**k these guys,” said Brandon Downey in a social post after the news broke. “I’ve spent the last ten years of my life trying to keep Google’s users safe and secure from the many diverse threats Google faces,” he said.
Hostile nation states, like China and Russia, had always been a concern, but nobody expected an all-out offensive from within.
“A lot of those things weren’t assumed to be possible, and would require such a privileged position on the network that it would just be difficult to do from a legal standpoint, and a technical standpoint,” said Rohlf.
That’s tough from a red team perspective, he said. “Trying to put yourself in the shoes of that attacker is extremely difficult.”
That “collect it all” mentality coined by the NSA showed that nobody was off limits. “We have customers all over the world,” he said, “and their governments sit in very privileged positions on the network.”
There was a silver lining. After the NSA was dubbed an “advanced persistent threat” against the US tech industry, there was an eruption in counter-surveillance efforts by Silicon Valley giants to bolster their security defenses on a scale not seen in living memory. It led to a roll-out of encryption on every Yahoo property, as well as the data center links that were first targeted.
It also led to an end-to-end encrypted email plugin, not too dissimilar from PGP encryption, which Rohlf said the company is “still working towards getting into mail,” but has no timeline for when it might make it into the final product.
The threat landscape may have changed, but the work of the red team never stops.
“We can crush bugs all day, but when you apply different attack chains to your entire company, that’s when you get an idea of how strong or weak your defense is,” he said.
In other words, a company’s best defense is a good offense.