Christopher: Hey, this is Chris and we are going to check out another Medium article today on the recent release of Ghostwriter. I really like Ghostwriter. It's an awesome tool for keeping track of operational notes. It's free and it connects to a lot of really good apps that teams probably are using already.
Medium: When performing any offensive assessment work, you are likely to trigger an alert or generate anomalous logs that will get someone's attention. If the system owner cannot identify you as the source, they will likely reach out to you to deconflict the event.
Christopher: Deconfliction is very huge because you don't wanna waste somebody's time.
There's the difference between training with the operation and wasting a team's time. And from most of the research I've done, I've discovered that most blue teams, or most defenders, are usually understaffed. They have the capability, but they don't have the capacity. We need to be able to train the blue team without harming the company by wasting somebody's time.
Now, how does this get to things like deconfliction? That's important because if the blue team doesn't know what's going on and they spend 12 hours chasing down an alert that should take no more than 30 minutes, it's important to make sure that red and blue aren't wasting their time.
The article points out that deconflictions can be a waste of time. And if the defenders are going after the red team and they think that it's an actual event, they may be missing, like, a real event.
Offensive security teams have to keep in mind that at some point they're gonna cross that threshold where you're harming. You're wasting their time.
Medium: You can now record deconfliction events under a project's deconfliction tab. Each recorded event appears as a card, like so. Deconflictions are time-sensitive. Delayed or inconclusive responses can mean wasted effort and frustration for defenders. Once you have responded, you can update the status to reflect if the event was or was not related to your work, and the card will show how much time has passed between receiving the deconfliction request and the final.
It can also reveal potential gaps and weaknesses in monitoring strategies. For example, suppose several hours have passed between the alert timestamp and the client contacting you. In that case, that could indicate defenders not receiving timely notifications or dealing with a lot of noise and a backlog of notifications.
[00:02:06] Christopher: That's really cool. Because it'll track the time. I guess you could do it in Jira too, but if you're inviting the defenders to come to Ghostwriter and say, Hey, was this you?
Here's the activity. You can keep everything all in one place. And by tracking the time, you'd be able to draw some of those boring metrics. Excuse my emotive language; metrics that are all about numbers. They are great and they tell a story of how quickly can we deconflict: how quickly did they respond? When was the alert generated? How quickly did the red team respond? How much time did they waste?
I see a lot of defenders have these capabilities on paper, but then in practice, in reality, they don't work as well as they should. And it creates these sorts of procedural blind spots where a company thinks that they're covered by something because it says so on paper.
But when they go to execute those techniques, they don't work. And that can be really bad when it's needed the most, during a critical or live incident.
Medium: In an operational test, a client may issue a white card for various reasons, such as if a system is too fragile or critical to risk attempting to exploit it, or if there is a need or desire to bypass exploitation due to time constraints. The latter may be the most common white card today. We commonly refer to assessments with this white card as an assumed breach. With such a white card, the assessment begins as if the team has successfully exploited an external system or gained access or credentials through other means, for example, phishing.
This white card and other simulated events must be documented and tracked. Each white card has a date and time the client issued it, a descriptive title or headline field, and a freeform field for more thorough or detailed descriptions. These fields make it simple to include these in a Ghostwriter report template as a list or table of white cards. System health monitoring.
Christopher: White cards are used quite often in engagements. Red teamers, they don't really like to use the white cards because it feels like it's cheating, but when you think about the context of what this Ghostwriter post is trying to address, which is don't waste time, then white cards can be very important, right?
There's no point in wasting the red team's time on testing a defensive mechanism that isn't measured by the blue team. So if the red team spends three days trying to break into an application, but the blue team doesn't have any logging or monitoring set up to even measure those things, the only thing that the red team is proving is that they can break in, but they're not spending any additional time training or uplifting the blue team because at that point, with that mitigation, the blue team isn't ready for it.
White cards can be good. I would caution red teams to not always go with a white card. Don't always go with assumed breach. At some point you are gonna have to test the external footprint, the procedures, because what exists on paper may not be what exists in reality when it comes time for an external breach. So as the red team, you probe, do what you can, and test those blind spots. Test to see if they know the blind spots are there. Test to see if they don't know. The red team could be spending their time noting a blind spot; that is good enough sometimes: hey, there is a blind spot here, figure out how to fix it.
From my perspective as a red team manager, hacker manager, leader, whatever you wanna call it, the deconfliction tab and the white card accomplish so much from a business perspective.
And often I see red teams forget that they're there at the behest of the business, right? Those business leaders have to make decisions based on the data that the red team finds. And as a wise CISO once told me, the red team always wins. If you think about it, the red team's always gonna find something. Always. They always find something.
Being able to white card and bring in additional resources, like Ghostwriter it's just gonna make those things quicker, right? It's gonna go boom. It's gonna be quicker. You're gonna get in and out, you're gonna do more ops. Metrics are gonna be better.
But more than that, like we know that we're not gonna waste the defender's time. And also if the defenders are always submitting deconfliction requests, and the red team hasn't done anything to warrant a deconfliction request, that's a pattern of repeated behavior that needs to be addressed because it means the blue team isn't confident in their skills.
And they're trying to gamify their own training. So there's a fine balance to go back and forth with, but having tools like this will invite people to the table to have those conversations and figure those problems out. If you're running a red team and you haven't used Ghostwriter, or you have and you wanna build your relationship with the blue team, it may be worth it just to stand up Ghostwriter. Even if it's just for the deconfliction tab, having this almost like case management platform for free, where the red and blue can talk to each other and say, "Hey, was this you?" and monitor the metrics and measure the time it takes for the alert and the response, you can build a really good story around that.
And stories are important.