Cybersecurity: How Facebook's red team is pushing boundaries to keep your data safe

Facebook's red team has to think outside the box in order to keep the social media giant safe from hacking and other malicious attacks.


Facebook has detailed some of the red team security techniques it uses to keep hackers from attacking its systems.

The social-media giant has a 10-strong red team – security experts who try to think like the hackers who want to infiltrate its networks – with the aim of allowing Facebook to pre-empt the strategies of actual attackers and defend its data better.

By testing networks using real-life techniques and tactics, the red team can provide the company with a better picture of its cybersecurity – and point it towards areas that need improving.


Amanda Rousseau, offensive research engineer at Facebook, who was formerly a malware researcher and a computer forensic examiner, detailed how the red teaming at Facebook works – and the challenges it involves – at the Black Hat Europe 2019 cybersecurity conference in London.

"The adversarial mindset is a term we use a lot. It's what I like to describe as thinking outside the box activity," she said. "We're challenging assumptions; we're challenging what exists in the space that we're working in – and we're doing it freely, thinking outside the box, all different types of ideas to get around a specific problem."

Rousseau posed a question to the audience: how would you get pancakes for free from a chain restaurant? The job of the red team would be to think of ways to do this from the trivial to the dramatic.

The simplest option is to eat the food and run away, while a more complex path could involve paying with fake currency or impersonating a member of staff. Then there's the extreme way of getting the pancakes: pulling a fire alarm or threatening violence.

"It's extreme, but you're accounting for those scenarios," Rousseau explained – and this way of thinking also applies to securing the Facebook website, app, messaging services, products, and even campus.

"Playing that devil's advocate helps engineers build security better in the thing that they're making – there's so many engineers at our company that they're making something new everyday," Rousseau told ZDNet.

While the nature of the job means there's no such thing as a typical day for the Facebook red team, it will typically be working to test or improve the security of products, networks and perhaps even buildings.

The offensive nature of the role means that there are members of the team who examine the latest forms of malware and look to emulate them in order to test if Facebook could protect against that particular attack.

For example, when cryptocurrency-mining malware attacks suddenly spiked, the red team decided to examine how prepared Facebook was to defend against cyber criminals who wanted to infect its servers and abuse their vast processing power to generate Bitcoin.

"We take cues from where we see trends happening. For example, the cryptocurrency mining, we've been hearing stories about how people's browsers are being compromised by botnets to do mining," said Rousseau.

"But what if we take this a step further and what if we wanted to abuse the CPU power of Facebook? That was us taking it up a notch. We need to do our research to see what's plausible and going to occur – and that can be tough," she explained.

"A lot of it is about how much we can push the boundaries: and when we discover we can push them super far we find that super-interesting," said Rousseau. "So when we push it really far and we're innovating at that point, that's really exciting; because we're trying to do things that others haven't seen."


The goal of these attacks is to help improve the security of Facebook – and in the cases where the blue team can't detect the red team, rather than being combative about having missed the red team's actions, it embraces learning about the new operations.

"It ultimately helps them. It's amazing that when we do operations, the blue team loves us – they can't believe what we thought of, but they change the way they're doing detections. I find that really positive in how I'm helping make change with the things they're doing," Rousseau said.

"Technology is exponentially changing faster – that's what's making it harder for us because it's moving the goalposts all the time," Rousseau said.
