Facebook has detailed some of the red team techniques it uses to test its defences against attackers before real attackers get the chance.
The social-media giant has a 10-strong red team – security experts who try to think like the hackers who want to infiltrate its networks – with the aim of allowing Facebook to pre-empt the strategies of actual attackers and defend its data better.
By testing networks using real-life techniques and tactics, the red team can provide the company with a better picture of its cybersecurity – and point it towards areas that need improving.
Amanda Rousseau, offensive research engineer at Facebook, who was formerly a malware researcher and a computer forensic examiner, detailed how the red teaming at Facebook works – and the challenges it involves – at the Black Hat Europe 2019 cybersecurity conference in London.
"The adversarial mindset is a term we use a lot. It's what I like to describe as thinking outside the box activity," she said. "We're challenging assumptions; we're challenging what exists in the space that we're working in – and we're doing it freely, thinking outside the box, all different types of ideas to get around a specific problem."
Rousseau posed a question to the audience: how would you get pancakes for free from a chain restaurant? The red team's job is to enumerate ways of doing it, from the trivial to the dramatic.
The simplest option is to eat and run. A more involved path might be paying with counterfeit currency or impersonating a member of staff. At the extreme end you could pull the fire alarm or threaten violence.
"It's extreme, but you're accounting for those scenarios," Rousseau explained – and this way of thinking also applies to securing the Facebook website, app, messaging services, products, and even campus.
"Playing that devil's advocate helps engineers build security better in the thing that they're making – there's so many engineers at our company that they're making something new every day," Rousseau told ZDNet.
While the nature of the job means there's no such thing as a typical day for the Facebook red team, its work usually involves testing or improving the security of products, networks, and sometimes even buildings.
Because the role is offensive, some members of the team study the latest forms of malware and emulate them, to test whether Facebook's defences would catch that particular attack.
For example, when cryptocurrency-mining malware attacks spiked, the red team set out to examine how prepared Facebook was to defend against criminals who wanted to infect its servers and abuse their vast processing power to mine cryptocurrency.
"We take cues from where we see trends happening. For example, the cryptocurrency mining, we've been hearing stories about how people's browsers are being compromised by botnets to do mining," said Rousseau.
"But what if we take this a step further and what if we wanted to abuse the CPU power of Facebook? That was us taking it up a notch. We need to do our research to see what's plausible and going to occur – and that can be tough," she explained.
"A lot of it is about how much we can push the boundaries: and when we discover we can push them super far we find that super-interesting," said Rousseau. "So when we push it really far and we're innovating at that point, that's really exciting; because we're trying to do things that others haven't seen".
The goal of these exercises is to improve Facebook's security. When the blue team fails to detect a red team operation, rather than being defensive about the miss, it treats the operation as something to learn from.
"It ultimately helps them. It's amazing that when we do operations, the blue team loves us – they can't believe what we thought of, but they change the way they're doing detections. I find that really positive in how I'm helping make change with the things they're doing," Rousseau said.
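The cryptomining exercise described above, a red team emulating a miner on servers and the blue team tightening its detections after a run goes unnoticed, can be made concrete with a small detection script. This is an added example, not Facebook's tooling or anything shown in the talk: the telemetry records, field names, indicator lists, port list, allowlist and scoring thresholds are all constructed for the illustration. It scores each process sample on strong indicators (a stratum URL or miner flags on the command line, stratum JSON-RPC in observed traffic) and weak ones (a known pool port, sustained high CPU outside an allowlist), alerts only when enough evidence accumulates, and then reports which red team scenarios slipped through, which is exactly the gap a blue team would use to change its detections.

```python
"""Toy server-side cryptominer detection run over constructed red-team scenarios.

Added example: the telemetry shape, indicators, thresholds and scenarios are
assumptions for the demo, not Facebook's detections or data.
"""
import re
from typing import Dict, List, Tuple

# Constructed red-team scenarios, one process sample each: a loud miner, a
# miner that throttles CPU and hides behind a kernel-thread name, a legitimate
# compiler job, and a miner that talks TLS on 443 with nothing inspectable.
SCENARIOS: List[dict] = [
    {"name": "noisy_miner", "proc": "xmrig", "cpu_pct": 95, "cpu_secs": 1800,
     "cmdline": "xmrig -o stratum+tcp://203.0.113.5:3333 -u wallet --donate-level 1",
     "dst": ("203.0.113.5", 3333), "payload": ""},
    {"name": "throttled_miner", "proc": "kworker/u8:1", "cpu_pct": 30, "cpu_secs": 7200,
     "cmdline": "kworker/u8:1", "dst": ("203.0.113.5", 443),
     "payload": '{"id":1,"method":"mining.subscribe","params":[]}'},
    {"name": "legit_build", "proc": "clang", "cpu_pct": 98, "cpu_secs": 900,
     "cmdline": "clang -O2 -c main.c", "dst": None, "payload": ""},
    {"name": "evasive_miner", "proc": "python3", "cpu_pct": 25, "cpu_secs": 86400,
     "cmdline": "python3 worker.py", "dst": ("203.0.113.5", 443), "payload": ""},
]

# Indicator lists are illustrative, drawn from common miner behaviour.
STRATUM_URL = re.compile(r"stratum\+(tcp|ssl)://", re.I)
MINER_FLAGS = ("--donate-level", "--algo", "-o stratum", "--cpu-priority")
STRATUM_METHODS = ("mining.subscribe", "mining.authorize", "mining.submit", "login")
POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 14444}
CPU_ALLOWLIST = {"clang", "gcc", "ld", "rustc", "ffmpeg"}  # expected CPU hogs
ALERT_THRESHOLD = 2  # one weak signal alone (e.g. high CPU) never alerts


def score_record(rec: dict) -> Tuple[int, List[str]]:
    """Return (score, reasons); strong indicators score 3, weak ones 1."""
    score, reasons = 0, []
    cmd = rec.get("cmdline", "")
    if STRATUM_URL.search(cmd) or any(flag in cmd for flag in MINER_FLAGS):
        score += 3
        reasons.append("miner command line")
    payload = rec.get("payload", "")
    if any(f'"method":"{m}"' in payload for m in STRATUM_METHODS):
        score += 3
        reasons.append("stratum JSON-RPC in traffic")
    dst = rec.get("dst")
    if dst and dst[1] in POOL_PORTS:
        score += 1
        reasons.append(f"outbound to pool port {dst[1]}")
    base = rec.get("proc", "").split("/")[0]
    if (rec.get("cpu_pct", 0) >= 80 and rec.get("cpu_secs", 0) >= 600
            and base not in CPU_ALLOWLIST):
        score += 1
        reasons.append("sustained high CPU outside allowlist")
    return score, reasons


def detect(records: List[dict]) -> Dict[str, Tuple[bool, List[str]]]:
    """Map scenario name -> (alerted, reasons) for every record."""
    results = {}
    for rec in records:
        score, reasons = score_record(rec)
        results[rec["name"]] = (score >= ALERT_THRESHOLD, reasons)
    return results


def coverage_gaps(records: List[dict]) -> List[str]:
    """Red-team miner scenarios that produced no alert: the detection work list."""
    results = detect(records)
    return [r["name"] for r in records
            if r["name"].endswith("miner") and not results[r["name"]][0]]


if __name__ == "__main__":
    for name, (alerted, reasons) in detect(SCENARIOS).items():
        print(f"{name:16} {'ALERT' if alerted else 'quiet':5} {', '.join(reasons)}")
    print("gaps:", coverage_gaps(SCENARIOS))
```

Run as written, the loud miner alerts on four signals, the throttled miner is caught only because its stratum JSON-RPC was visible on the wire, the compiler job stays quiet despite 98% CPU, and the TLS-on-443 miner is reported as a gap. That last result is the useful one: it tells the blue team the current rules need a signal that survives encryption (for example, connection duration and byte-rate profiling, or endpoint process lineage), which is the feedback loop the talk describes.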
"Technology is exponentially changing faster – that's what's making it harder for us because it's moving the goalposts all the time," Rousseau said.