How Nairobi Women's Hospital milked patients dry in crazy revenue game
Sunday January 26 2020
The Race: 9:33pm, June 24, 2018: From Nairobi, Dr Felix Wanjala texts on a work WhatsApp group: “Team, let’s ensure we don’t let the team down … let’s meet our target.”
Without context, this might appear like a harmless motivational speech from a boss to his subordinates. But here is the context: Dr Wanjala is the CEO of Nairobi Women’s Hospital (NWH). In the message immediately before that, he had forwarded a text listing the admission numbers across all the hospital’s branches in the country. “We have the numbers as follows at this hour,” the CEO wrote to his employees, and then listed admissions totalling 288 across the hospital group.
The target, and the context of the war cry not to let the rest of the team down, he went on, was to get 22 more admissions.
To do this, the CEO recommended that his team, based at the Nairobi Women’s Hospital Branch in Nakuru (called Nakuru Hyrax) should “start with looking for referrals”, not miss “any opportunity (to admit)”, and be “very vigilant in casualty”.
In multiple texts covering different days in 2018, the WhatsApp group resembles a trading floor, with Dr Wanjala and his Chief Operations Officer Eunice Munyingi pushing employees to work harder and increase admissions. On the first day of July, for example, Ms Munyingi wrote in response to the nurse in charge of the hospital chain: “Let us increase speed; two admissions against 13 discharges at this hour is not good.”
Two minutes later, the CEO added: “It’s our striking time. Let’s intensify our effort … replace all discharges by 6pm.” Five days later, at 7:28pm, the COO told the Nakuru branch staff to “get three admissions by 9pm”.
Interviews with whistle-blowers who shared the screenshots paint the picture of a corporate culture of being pushed to meet admission targets. “Although it was not said explicitly,” one former member of the NWH told this writer, “the implication was that doctors and nurses in particular had to find reasons to admit patients to meet the hourly and daily targets, even if those reasons were an absolute lie.”
Another added that there was a financial reward paid to clinical officers for each admission; and they had to write down why they were admitting each patient. This meant, several former staff members said, that they had to get creative to meet targets, both personal ones and those of their employer.
The Founder: Founded two decades ago by Dr Sam Thenya, a young gynaecologist, Nairobi Women’s Hospital began with a unique specialisation. The focus of its first branch, in Hurlingham, was solely obstetrics and gynaecology services, meaning its primary clients were women. It particularly became known for its Gender Violence Recovery Centre, a charitable arm that serves survivors of sexual and domestic violence.
“I was working in a hospital and I had pitched this idea to the CEO of that hospital, but he wasn’t very keen on the idea of taking in abused women for free,” the hospital’s founder told the Business Daily in November 2016. “One time he told me that if I thought the idea would work then I should go ahead and open my own hospital because it wasn’t going to work at that hospital, and right there I thought to myself, ‘Why not?’”
So at 31, Dr Sam Thenya followed his boss’s advice.
What drove him to start the hospital when he had no money, he told the interviewer, was a “certain trigger, madness or passion”. That singular focus on his goal, despite challenges almost as soon as he started, built one of the most familiar and respected private hospitals in the capital city.
In 2003, the hospital’s banker, Daima Bank, collapsed. Dr Thenya, still in the early years of his project, heard the devastating news while refuelling his vehicle at a petrol station. “We had just issued suppliers’ cheques,” he said in the interview.
Despite other challenges, Dr Thenya and the hospital he built surged on. In a scenario that exemplifies the fine line between private healthcare as a business and a service, Dr Thenya had to fight with politicians, including President Uhuru Kenyatta, and technocrats who demanded the release of patients over bills.
Once, he told the interviewer, the President called him and told him someone had sent him an email lamenting that the body of his or her mother was being held hostage by NWH over unpaid bills. “Sam, what do we do?” the President asked. “Your Excellency, the bill has to be paid,” Dr Thenya answered.
After the President said he would pay the bill, and asked the body be released while he did it, Dr Thenya replied: “I need some proof of payment. If you want me to release it today, then pay today.”
By the time this was happening, a lot had changed. Dr Thenya had transformed from a practising gynaecologist to an entrepreneur as the hospital grew. He had also sold it, and was on his way out as the founding CEO.
Born in Nyakihai, Murang’a, in 1968, a much younger Sam Thenya had wanted to be a pilot. But he became a doctor instead. As a young doctor in training, he led a strike at Nyeri Provincial General Hospital in the early 1990s. The issue, which was fixed because of the strike, was bad work conditions for medical practitioners.
“I am not one who stands by and watches things deteriorate,” he told an interviewer in 2011.
What finally drove him to ask his boss to start a wing for victims of sexual violence, and doing it himself when he was challenged, was meeting the victim of a brutal gang rape. Battered, violated and in need of urgent medical care, she did not have money to pay for admission.
“I paid for her admission and closely monitored her progress.”
The Past: As a young doctor on a mission in the early 2000s, Dr Thenya was unstoppable in building Nairobi Women’s Hospital. In October 2000, a facility called Hurlingham Hospital was being auctioned off for unpaid debts. Dr Thenya approached the auctioneers with a promise to buy the hospital. It was an attractive deal for both sides: the auctioneers would get rid of an asset, and the young doctor would not have to start a hospital from scratch. But there was one problem, a big one. He had no money on him.

The most he could raise was half a million shillings, which he did by selling his wife’s car. He needed Sh17 million more, so he got other investors to put in the money and take a share of the repainted hospital’s ownership.
In the world of modern finance, this financing strategy has a name: the leveraged buyout (LBO). The buyer funds most of the purchase with borrowed money, typically secured on the assets of the company being bought, and raises the rest by giving outside investors a share of the equity, so the buyer needs very little cash of their own to acquire an existing enterprise. That, in essence, is what Dr Thenya did.
The most famous LBO in the world is the takeover of the American conglomerate RJR Nabisco, which sold tobacco and food. In October 1988, its own executives launched a bid to buy the entire company at $75 a share.
The events that followed are covered in Barbarians at the Gate: The Fall of RJR Nabisco, a book by two American journalists that later became a film. It covers the executives’ plan to buy out the other shareholders, and the marathon that began when rival groups joined the sudden race to acquire one of the biggest companies in the world. One of them, the buyout firm KKR, finally won at $109 a share, a deal worth about $25 billion.
But the best part of this story is that none of them, not even the executives who wanted to buy a $25 billion company, actually had the money, and they didn’t need to.
The gist is to act as what modern finance calls a fundless (or independent) sponsor. Simply, a corporate body that on the one hand promises to and negotiates to buy something, while asking for money from those who have it to complete the deal. For investors with vast amounts of money, this is an investment on which they expect to see profits.
Dr Thenya gave up 40 per cent of NWH’s ownership to the investors who gave him Sh50 million to buy the assets of Hurlingham Hospital and rebuild it anew as Nairobi Women’s Hospital. As the hospital grew, on the back of its reputation as a niche healthcare provider, Dr Thenya bought out the investors, and by the late 2000s, owned the entire thing.
In 2009, he acquired Masaba Hospital in Adams Arcade, and turned it into the second Nairobi Women’s Hospital branch. By the end of the next decade, there would be a total of nine branches of Nairobi Women’s Hospital: four in the capital city and the metropolis; two in Nakuru; and one each in Naivasha, Meru and Mombasa.
From a single hospital in Hurlingham, Nairobi Women’s Hospital was one of the fastest-growing hospital chains in Kenya by the mid-2010s. But things had changed. In the first decade, Dr Thenya had quit practising to concentrate on the business side of his hospital.
“I realised that I was not giving my patients full attention because I was often caught up in strategy meetings,” he said, “(so) I had to choose between expanding the hospital and practising.”
And in several transactions beginning in 2010, he progressively sold his ownership stake in the hospital to the successor of the leveraged buyout in modern finance: a similar but differently named structure called a private equity fund.
The Present: A private equity (PE) firm is a leveraged buyout by any other name. Simply, you get money from wealthy individuals and organisations and invest it in attractive companies. Then you restructure the company by cutting costs and expanding as fast as possible, and then you sell the now bigger company for a profit.
The basis of this model of financing is to buy and sell, as opposed to keeping an investment in perpetuity. So PE firms strip their new companies of any sellable assets, change the management, reduce costs by firing professionals and employing cheaper labour, pay executives bonuses for meeting targets, and once the company is attractive enough on paper, sell it to someone else. That new buyer is often just another PE firm.

In the complicated structures of global commerce, private equity funds are used to finance rapid expansion, which increases the value of the assets. Investors, who include funds of funds — where one investment fund invests in another investment fund — expect a return on investment. And investment funds get money by promising exactly that.
PE funds make money in two ways: by charging an annual management fee on the money they have been entrusted with, calculated as a percentage, and by taking a cut of the profits when they sell the companies they buy. So their primary motivation is to get more investor money, and to restructure companies as fast as possible to attract a higher price than they bought them for.
One of the things PE funds do when they acquire a company is to transition it from a founder-run company into a corporate body that can attract a higher price. This is exactly what happened at Nairobi Women’s Hospital from the first funding round in 2010, where Dr Thenya’s ownership systematically diminished as the new owners’ stake increased.
In the midst of the “Africa Rising” narrative, and from the ashes of the 2008 global crisis, US billionaires and institutional investors turned their investment focus on Africa. The continent’s young population offered an attractive proposition for a profit-making venture; it was expected that not only would these younger Africans be richer than their parents, and willing to spend more on everything, but that there were no modern legal or regulatory structures in place to halt corporate raids of existing companies. And by the time they came, several rounds of investors would have already made enough profits.
In 2010, Dr Thenya got $2.66 million for part of his stake in the hospital. The buyer, The Abraaj Group, which would collapse in 2018 amid investigations that it had stolen investor funds, was founded by a Pakistani and based in Dubai. In addition to Nairobi Women’s, it also acquired all or parts of other Kenyan companies: Java House (100 per cent), Brookside Dairy (10 per cent), and Seven Seas Technologies (21 per cent).
But its most prominent purchase was in private healthcare, where it bought 18 clinics and 10 major hospitals. In addition to its stake in Nairobi Women’s, it also bought part of Avenue Group Hospital, Ladnan Hospital, and Metropolitan Hospital.
Three years later, Abraaj bought more of Nairobi Women’s with a partner PE firm called Swedfund. The Swedish government describes Swedfund, which it funds and owns, as a “development financier and development cooperation actor”; but it works in basically the same way privately owned PE firms operate.
“The objective of the Africa Health Fund is to increase access to affordable and quality health related goods and services for those at the bottom of the income pyramid,” Swedfund said in a press release dated November 22, 2013, “At the same time it hopes to provide investors with good long-term financial returns.”
This dual purpose fit into Dr Thenya’s founding principles, which had been to build a hospital that offered services to abused women for free, while offering other medical and surgical services at a fee. Swedfund, which said it “put a high emphasis on environmental, social and governance issues”, and other investors were pumping money into the hospital to fund its expansion.
From a single branch in the 2000s, Nairobi Women’s Hospital had expanded to three hospitals: one in Adams founded in 2009, another in Ongata Rongai founded in 2011, and the Nakuru branch that followed a year later.
It also had two medical centres in Kitengela and Eastleigh, both opened in 2012, and two more branches, in Mombasa and Kisumu, on the way. This was all, the Swedish state investor said, “part of the grand plan to expand further in the country and the Eastern African region by 2016; and subsequently into the rest of Africa.”
The Through Pass: While the source of Swedfund’s finances is obvious, the source of The Abraaj Group’s funds is a more interesting story because it led to its death in 2018 and the arrest of its top executives. Because PE funds run multiple projects at any one time, they structure them as independent funds with their own fund managers.
The specific one that invested in private healthcare in Kenya beginning in the late 2000s was called The Abraaj Growth Markets Health (Africa) Fund. It raised $1 billion to invest in healthcare across emerging markets, Kenya among them, from multiple sources, the most prominent being the Bill & Melinda Gates Foundation and the World Bank Group’s private-sector arm, the International Finance Corporation (IFC).
The second Nairobi Women’s deal, the 2013 purchase with Swedfund, was worth $6.5 million.
The Dubai-based Abraaj Group, founded a year after Dr Thenya started Nairobi Women’s, was a renowned investor in multiple sectors across the continent. By the time it collapsed in 2018 amid a dispute with its investors — the Bill & Melinda Gates Foundation initiated an audit into how its money in the healthcare fund had been used — it had invested an estimated Sh320 billion in 80 transactions across Africa.
Through the $1 billion fund, whose money the PE firm’s founder, a Pakistani man called Arif Naqvi, was accused of misusing, Abraaj owned private hospitals in Kenya, Nigeria and Pakistan. In April 2019, Naqvi was arrested in Britain on a US warrant.
Although he had stepped down from running Abraaj the year before, US prosecutors alleged that he had defrauded investors in two main ways: by inflating the valuations of assets, which included Nairobi Women’s Hospital and several other Kenyan private healthcare providers, and by misappropriating the fund’s money.
The scandal made headlines around the world, as many other similar investment structures had ridden on the Africa Rising wave and bought many companies, in many countries, on the continent.
Meanwhile, The Abraaj Group was closed and its assets stripped for parts by other PE firms. A British firm took over its stakes in Brookside Dairy and Java; and an American PE firm called TPG acquired the healthcare fund, which counted among its assets several Kenyan hospitals. TPG then renamed the fund the Evercare Health Fund to avoid the negative reputation of its former name and manager and acquired Nairobi Women’s Hospital and several other private hospitals in Kenya.
Meanwhile, Arif Naqvi remains in the UK, and not by choice. Last May, about a month after his arrest, he was granted a record $20 million bail while fighting extradition to the US. By October, he was also being investigated for bribing Pakistani politicians.

While this complicated game of international finance was happening, the private hospitals in Kenya were still operational, and working to make profits for the fund.
In a text forwarded to the Nakuru Hyrax staff on September 11 2018, CEO Felix Wanjala outlined the revenues so far, and the targets he expected them to contribute to that same day.
The Nairobi Women’s Hospital group was making Sh12.81 million a day against a target of Sh15.47 million, and cumulatively was Sh33 million off a total target of Sh136 million.
“Team, this revenue is too low for the numbers that we have, are we billing?” he posed to the staff.
As part of the shift from Dr Thenya’s ownership to the new owners, the PE funds had launched what was typical corporate behaviour after acquiring a new asset. Nairobi Women’s Hospital had, over time, stopped hiring doctors, professionally known as medical officers (MOs), most of whom were postgraduate students or specialists in training, to see outpatients. It had instead turned to hiring young clinical officers (COs), who only had a diploma earned after three years of training, to do the job.
To staff its rapid expansion, Nairobi Women’s was now depending on COs to serve patients who were not already admitted in the hospital. It was also encouraging them, according to multiple insiders, to meet admission and revenue targets, which were analysed every hour of every day, day and night.
While the hospital still hired doctors, it hired fewer than it required because MOs would get better salaries, and gave clinical officers the job of determining which patient needed to be admitted.
It also gave the COs a financial incentive, at one point Sh710 for every patient they admitted. This structure meant that, while COs would find and push for admissions, even (and especially when) they were unnecessary, more qualified medical officers would only encounter the patients when they had already been admitted, and were already paying for the bed, food, tests and medicines.
They were already, in lingo used frequently in the leaked WhatsApp group messages, “customers”.
Once they were in the hospital, the top management of Nairobi Women’s encouraged the staff, everyone in the WhatsApp group, medical and non-medical staff included, to keep them admitted for longer.
In another text, for example, CEO Wanjala asked his staff: “How did we end up at 18 discharges from 10 planned?” The text included an emoji of a sad face, suggesting he was unhappy with the situation.
His COO Eunice Munyingi then asked someone called Victoria to answer the CEO. Victoria then passed the question to two other people, before the CEO responded “Vikki calm down … we expect better performance in future. Obviously this is not good for us.”
Medical officers and other specialists who worked at Nairobi Women’s at the time describe multiple instances of being pushed to keep patients for longer than necessary. In a text sent at 8:04am on November 11, 2018, COO Munyingi told the staff to “lock discharges at seven” and to “kindly start now”.
This meant that if you were admitted at this particular Nairobi Women’s Hospital, and should have been released to go home, the decision of whether to let you go was based on revenue and admission targets, and not your health.
In the texts, the senior executives ask staff to post hourly updates of the branch’s status, specifically how many people and how much money they had brought in, and cheer them on in a language a media practitioner described as “better suited for a trading floor than a hospital management team”.
The comparison to a trading floor is poignant, because insiders describe an internal culture that could have come from the script of the TV series “Billions”, with a dynamic much like that between the characters Bobby Axelrod and Mike “Wags” Wagner.
The similarities with a fictional TV show do not end there: the two characters run a ruthless hedge fund that takes stakes in companies, restructures them by any means necessary, legal or otherwise, and sells them on for a profit.
Like a PE firm, the top management of Nairobi Women’s also kept tabs on its reputation. In one screenshot from 2017, the then clinical services in-charge, Victoria Wawira, posted a screenshot of a Facebook post written by a woman who had commented on their hurry to admit her child. Whenever she took her daughter to the hospital, “the doc sees her and immediately its admission; no second thought about medication,” she’d written on the Nakuru County Mums group on Facebook.
In follow-up messages, Victoria told two clinical officers that the post was “trending on FB” and that they should “vet admissions”. In any other context, this would mean that the two COs should make sure they were admitting only patients who needed to be admitted. But in this particular context, it meant one thing: that they should check that they didn’t admit potentially problematic patients who would be suspicious of the need for them to move from outpatient to inpatient.
Bad publicity meant not just harm to reputation, but could also hurt the bottom line if future buyers found the posts and figured out how Nairobi Women’s was achieving its spectacular service and revenue targets.
The chaos of illness, and the reasons we seek medical attention in the first place, meant that patients caught up in this great game of corporate greed, trusting their doctors to know what was best for their health, did not know better.
They would sell assets, sacrifice savings, hold fundraisers both online and offline, and do whatever was necessary to pay their hospital bills, without ever knowing that they had been unknowing victims of the vagaries of modern finance, and the sudden focus on Africa that followed the 2008 mortgage crisis.
Additional reporting by Angela Oketch and Nasibo Kabale
What I’ve Learned in Over a Decade of “Red Teaming”
Historically, most of my posts have been technical in nature (and can be found on the MDSec blog; normal service will resume shortly). This time round, though, I’m going to have a stab at something less technically focussed and share some of my musings around “red teaming”, as well as my experiences in getting into it (and infosec in general) and building out a red team service offering at MDSec.
You’re probably reading this and thinking, “great, exactly what the Internet needs is another debate over what red teaming is” and I totally agree (you can stop reading now :)); in general infosec has a bit of a problem around nomenclature.
What brought about this post was reading the following story by Florian Roth, which I personally felt showed a fundamental misunderstanding of what a real red team operation is and what it is trying to achieve. The TL;DR I took away from the story was that, in his view, red teaming should have more breadth and depth and red teamers should “dumb down” their techniques to more closely simulate the TTPs of “known threat groups”:
(Florian Roth, medium.com: “Just recently I stumbled over a Twitter poll created by Andrew Thompson asking if defenders (blue team) should show the…”)
Emulation, simulation, operation, red, purple, white, black and gold; it can all be a little confusing so it’s no wonder we have a nomenclature problem.
The subject of what constitutes a red team seems to be particularly nuanced; depending on who you ask, you will get a variety of answers. Certainly the impression I get from talking to people based in the US, and from listening to the many security-related podcasts and talks, is that many consider red teaming to be much more focussed around physical assessment. In my experience, this is very infrequently the case.
Rather than trying to explain exactly what I consider a red team to be, I’m going to suggest that this is already a somewhat answered question, or at least in Europe. Sometime back in 2014, Bank of England released a framework called CBEST which outlined an approach for conducting “cyber resilience” simulations. This was shortly followed by similar frameworks, TIBER-NL in 2016 and the pan-european TIBER-EU in 2018; these were backed by De Nederlandsche Bank and European Central Bank respectively.
These frameworks provide a threat intelligence (TI) driven approach to performing red team operations. The implementation guides are publicly available and referenced above, but to summarise, the premise is that TI is used to define a number of scenarios that are most likely to be leveraged by an adversary when attacking an organisation. The engagement is always directed against a set of objectives, typically orientated around the critical functions that underpin the institution’s continuity. During the engagement only a very limited subset of the organisation is aware that it is ongoing, and one of the key concepts is to remain undetected for as long as possible. There is also always the opportunity to “dechain” and assume breach by introducing a foothold if the red team is unable to reliably achieve or consistently maintain initial access.
The scenarios should be tailored to the organisation and backed by intelligence; that is, there should be something actionable highlighting that the specific adversary or adversaries use these tactics to attack their targets. At a high level, the scenarios will almost always include tactics like spear phishing, compromise through perimeter/cloud infrastructure, insider threats or physical access. They may also go so far as to outline the specific people, technology and processes each scenario should focus on, or include common pretexts or preferred victim profiles used by the most likely adversaries. The execution of the scenarios then typically follows the traditional kill-chain approach through reconnaissance, delivery, exploitation, lateral movement and action on objectives.
As previously mentioned, the operational objectives are typically focussed on the critical functions of the organisation; some of the things we’ve been asked to achieve in the past include gaining access to payment systems such as SWIFT or Faster Payments, compromising ATM infrastructure, PCI zones, POS networks or television broadcast infrastructure and in many cases demonstrating impact, for example by modifying an in transit payment or showing access to cardholder data. It is not typically focussed around the business support technology or privilege; for example (as mentioned by Florian Roth) we don’t normally care about obtaining domain admin, unless it’s a route we absolutely have to walk to achieve the overall objective of compromising the function. Indeed, in many cases walking that path might increase your chances of detection.
The benefit of the frameworks are they provide a well structured approach to executing the engagement, outlining the expected deliverables and steps in the process; for example the recommended approach to a TIBER-EU test is:
[Figure: red team test steps, taken from the TIBER-EU framework guide]
Although it’s required in the framework-driven exercises, I personally don’t necessarily agree that the threat intelligence phase is always an essential component, and without getting into a debate on the value of threat intelligence, in many cases I feel an experienced operator can loosely define the most appropriate scenarios and tactics by consuming publicly available intelligence such as MITRE ATT&CK or the many publicly available breach reports. That said, if the provider gets it right and the organisation is able to supplement this through insight into their own visibility of the attacks they see day to day, it can be a useful asset.
The purpose of the exercise is two-fold. Firstly, it provides the organisation with an opportunity to gauge their readiness for an organised and planned-out cyber-attack. The output of the operation will typically demonstrate one or more attack paths to achieving the agreed objectives and highlight what failures occurred along the way. Secondly, it provides the organisation with the opportunity to exercise their detection, prevention and response capabilities. This part is slightly more contentious: if the objective is also to remain undetected then you may not always provide full value here, as the two concepts are contradictory. Typically, what we do for many engagements is to bring our “A game” up to the point we’ve completed all of our objectives; then, if we’re still undetected and if agreeable, we weaken our tradecraft to see how far we need to go to be detected, and when we are, we let the response playbooks play out. On completion of the operation we almost always try and work with the relevant stakeholders from the blue team to walk through a re-enactment of each step of the operation, comparing what telemetry they got to what they could have had and, where possible, helping them improve detection rules. The goal here is knowledge transfer, and to hopefully put the organisation in a better position to increase their maturity than they were in beforehand.
The exercise is not intended to provide breadth and depth; I personally believe that this can be addressed much better through purple team assessments. During these assessments we run through as many TTPs as possible at each step of the kill chain, often aligned to ATT&CK, and work with the blue team to see which TTPs they spot and, if they don’t, how their detections can be better tuned to do so based on the telemetry they have or could get.
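As an added example of the purple team loop described above (illustrative code written for this page, not from the original post or from MDSec), the tracker below takes the TTPs a red team actually executed, tagged with ATT&CK technique IDs and the post’s kill-chain steps, and the alerts the blue team raised in the same window, and works out which techniques produced telemetry, which went unseen, and which kill-chain step to tune first. The hosts, timestamps, rule names and alert lines are constructed sample data; the technique IDs are real ATT&CK identifiers.

```python
"""Purple-team coverage tracker: which executed TTPs did the blue team see?

Illustrative code added to this page; it is not from the original post or
from MDSec. The executions and alerts below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Kill-chain steps as named in the post, used to group coverage.
PHASES = ("reconnaissance", "delivery", "exploitation",
          "lateral movement", "action on objectives")


@dataclass(frozen=True)
class Execution:
    technique: str     # ATT&CK technique ID the red team executed, e.g. T1059.001
    phase: str         # one of PHASES
    host: str          # where it ran
    at: datetime


@dataclass(frozen=True)
class Alert:
    technique: str     # ATT&CK ID the detection rule is mapped to
    host: str
    at: datetime
    rule: str          # name of the rule that fired


@dataclass
class Coverage:
    detected: Dict[str, List[str]] = field(default_factory=dict)  # technique -> rules that fired
    missed: List[str] = field(default_factory=list)               # techniques with no telemetry
    by_phase: Dict[str, float] = field(default_factory=dict)      # phase -> fraction detected


def match(executions: List[Execution], alerts: List[Alert],
          window: timedelta = timedelta(minutes=30)) -> Coverage:
    """Credit an execution as detected only if an alert mapped to the same
    technique fired on the same host within `window` after it ran. Alerts that
    line up with nothing the red team did are ignored: they are noise, not
    coverage, and a tracker that counted them would flatter the blue team."""
    cov = Coverage()
    tally = defaultdict(lambda: [0, 0])   # phase -> [detected, executed]
    for ex in executions:
        rules = [a.rule for a in alerts
                 if a.technique == ex.technique and a.host == ex.host
                 and ex.at <= a.at <= ex.at + window]
        tally[ex.phase][1] += 1
        if rules:
            tally[ex.phase][0] += 1
            cov.detected.setdefault(ex.technique, []).extend(rules)
        else:
            cov.missed.append(ex.technique)
    cov.by_phase = {p: d / n for p, (d, n) in tally.items()}
    return cov


def weakest_phase(cov: Coverage) -> Tuple[str, float]:
    """The kill-chain step to tune first: lowest detection rate, ties broken
    by kill-chain order, since catching delivery or exploitation stops the
    chain before it reaches the objective."""
    return min(((p, cov.by_phase[p]) for p in PHASES if p in cov.by_phase),
               key=lambda pr: (pr[1], PHASES.index(pr[0])))


def run_sample() -> Coverage:
    """Constructed walk-through of one purple-team session."""
    t0 = datetime(2018, 11, 11, 9, 0)

    def m(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    executed = [
        Execution("T1566.001", "delivery", "ws01", m(0)),            # phishing attachment
        Execution("T1059.001", "exploitation", "ws01", m(5)),        # PowerShell stager
        Execution("T1003.001", "lateral movement", "ws01", m(20)),   # LSASS credential dump
        Execution("T1021.002", "lateral movement", "srv02", m(40)),  # SMB admin share
        Execution("T1005", "action on objectives", "srv02", m(60)),  # collect local data
    ]
    alerts = [
        Alert("T1059.001", "ws01", m(6), "EDR: encoded PowerShell command line"),
        Alert("T1003.001", "ws01", m(22), "Sysmon 10: LSASS handle from user process"),
        Alert("T1021.002", "srv03", m(41), "Windows 5140: admin share access"),  # wrong host
        Alert("T1059.001", "ws07", m(180), "EDR: encoded PowerShell command line"),  # unrelated
    ]
    return match(executed, alerts)


if __name__ == "__main__":
    cov = run_sample()
    for phase, rate in cov.by_phase.items():
        print(f"{phase:22s} {rate:.0%}")
    print("missed:", ", ".join(cov.missed))
    print("tune first:", weakest_phase(cov))
```

The matching rule (same technique, same host, inside a short window) is the part worth agreeing with the blue team before the session: a rule that fired on another host, or hours later, is not evidence the TTP was seen, and counting it would overstate coverage. The per-phase figure is what turns the walk-through into a tuning priority rather than a list of misses.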
I’ve seen many of the self-proclaimed red team thought leaders making statements like “Only companies with mature blue teams need a red team”. I understand this perspective and it’s partly accurate, but I personally think the question is a little more complex. I’ve performed red teams for many different types of companies with varying maturity, in some cases they have not even had a dedicated blue team. Yes, in most of these cases it was like kicking a puppy – however the company has still had value out of it because demonstrating the art of the possible will almost always achieve board level impact; one client called us the hammer to finally nail home the issues that had been disregarded for so long. In another case, a CISO called me a week after the project to thank me that it had opened so many eyes he’d been able to get a sit down with the CEO for the first time and it had caused the purse strings to be loosened to get him the much needed investment to build a detection and prevention capability. So personally, I don’t think it’s as black and white as, “you must have had X pentests” or “you must have a mature blue team”, there can be value for most organisations in knowing what impact a determined and equipped adversary might have. However, I do concede that the most value will certainly be obtained from the more mature organisations and personally I find the challenge of working against and with a blue team at the top of their game much more rewarding than slicing through a company’s defences like a knife through butter.
In the interests of full disclosure, before I dive into this aspect it’s only fair to acknowledge that I have skin in the game, as I work for @MDSecLabs and one of our core services is red team assessments.
However, I felt this to be a fairly important topic to discuss, on the basis that I’ve heard so many first-hand horror stories (from clients’ past experiences) of “different” approaches to red teams. These have included things like sending consultants on site and irresponsibly throwing USBs around or firing Responder, Metasploit and Nessus hail marys, as well as broadcasting the pentest vendor’s name all over the network because they named their laptop -. The latter gave the blue team a good chuckle by all accounts. A proper red team engagement is not cheap, and I’d argue that in the cases I just mentioned what they actually got was a pentest at best. Unfortunately, because the term is so poorly defined and every shop is offering their variant of a “red team”, this has also really started to devalue it.
The aforementioned CBEST and TIBER frameworks have actually also released procurement guides (CBEST and TIBER). They outline the core concepts for evaluation criteria for your red team provider including, amongst other things, reputation, expertise in the domain, certification and accreditation, staff competence and, the key one for me, R&D capability.
As a fast-evolving and innovative subject area, providers at the top of their game will be backed by a competent R&D capability, with custom tools, novel tradecraft and innovation. If I were personally procuring a vendor for a red team, asking them to demonstrate the quality of their R&D contributions (and of course the ability to use these researchers in the project) would form the foundation of my decision making. If they were unable to show any research, or their highlight was a guide to installing BloodHound, then I might think twice about what value I’m getting from them.
As mentioned, there’s a large variety in quality in this space; however, in my opinion there are a number of providers that not only have my respect but I believe “get it” in terms of what a red team is. This is evident in their contributions to community and public research efforts. While I’m sure there are many more, the ones that immediately spring to mind, in no particular order, are:
It might sound unusual to go to the lengths of calling out specific competing vendors, but it’s also good to recognise those that are contributing to the evolution of the trade.
A question I get asked a lot is: how do I become a red teamer? I’m sure there are a number of possible paths, but I’ll start off by talking about the one that worked for me.
I spent quite a few years dabbling in security, doing some exploit and tool development while working in sysadmin and software dev roles, before taking my first step into a professional pentest role at the start of 2006. The first 4 years or so I spent the majority of my time travelling to customer sites performing internal infrastructure pentests. These were typically blackbox domain-compromise style engagements. This was a great learning ground for honing my skills and getting exposed to a wide range of technologies and environments. After some time I had pretty much perfected my approach, so I started to try and bring more value by focusing on demonstrating impact; for example by gaining access to specific environments or critical systems. Oftentimes the compromises were quite trivial, so I then started to try and push myself, for example by only living off the land or trying to operate without tripping any alerts. This was never done with a particular view to becoming a red teamer, but when I look back I think the skills I learned during this time gave me the foundation knowledge to step into it. I would strongly recommend any budding red teamers do some time performing internal pentests, and if you’re already doing that, don’t let yourself stagnate; try and push yourself: can you do the same thing without using Metasploit? Only from Linux? Over a pivot? And so on.
Some time around 2010 I was working at NGSSoftware and we started to receive requests for “APT Simulations” off the back of a spate of high-profile breaches by the Elderwood Group. The nature of these breaches had really created a lot of noise and many clients were concerned whether the same thing could happen to them. Being one of the senior infrastructure guys and having done some client-side exploitation work, I threw my hat in the ring to tackle these. By current standards the first one we did was a bit of a shambles: there were no real publicly available implants at the time and no Cobalt Strike or equivalents you could just easily acquire, so I spent most of the first week furiously developing a C++ implant and making sure it was safe against the popular AV engines. Most of the code was written in the early hours and it was incredibly basic; it simply retrieved commands every 10 seconds from a PHP API, executed them on the command line and then posted back the response. It would not fare well against today’s defences, and I would release the code, but it might stir the offsec tools debate further and, thinking back, I was still in my 20s working at 3am, so it’s doubly contentious! Fortunately for us, at the time there were also a lot of Java exploits floating around and click-to-play was yet to be a thing, so we repurposed some recent Java exploits and got them to drop and execute my little implant. This worked pretty well and we got our shell on almost the first phish, and although the implant’s features were basic, we were able to live off the land as well as introduce tools to the environment using WebDAV.
This brings me to my second recommendation on becoming a red teamer: spend some time developing tools, build your own implants and appreciate how they work. This will really help you not only develop custom tooling when the situation requires it, but also get a better understanding of how the tools you’re using actually work under the hood.
After this it became a semi-frequent request from clients, and each time my tradecraft improved. Around 2015, following the release of the regulator-driven frameworks, we witnessed a significant spike in demand, and since then it’s been almost back-to-back red team work.
That was my pathway into red teaming; as I mentioned, I’m sure there are many others, this is just what worked for me. In my mind there are two types of skills required for red teamers, operational skills and development skills. Some people may only possess one or the other, but in my opinion both are required within the team for a successful red team engagement.
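The implant described above polled a PHP API on a fixed 10-second cycle, and the flip side of understanding how such tooling works under the hood is knowing what it leaves behind in the logs. As an added example (not code from this post, from MDSec or from NGSSoftware), here is a small beacon-regularity check that a blue team might run over web proxy logs: it groups requests per client and destination host, measures the gaps between them, and flags flows whose gaps are nearly constant. The log line format, the IP addresses and the hostnames are constructed for the example and are assumptions, not real data.

```python
"""Beacon-interval analysis over constructed proxy log lines (added example).

A fixed-interval polling implant produces requests to one host whose gaps are
almost identical; ordinary browsing produces irregular gaps.  The check below
scores each (client, host) flow by the coefficient of variation (CV) of its
inter-request gaps and flags low-CV flows with enough requests to matter.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log lines, not taken from any real environment.
# Assumed line format: "<ISO timestamp> <client ip> <method> <url> <status>"
SAMPLE_LOG = """\
2018-06-24T21:33:00 10.0.0.15 GET http://cdn-example.invalid/api.php 200
2018-06-24T21:33:10 10.0.0.15 GET http://cdn-example.invalid/api.php 200
2018-06-24T21:33:20 10.0.0.15 GET http://cdn-example.invalid/api.php 200
2018-06-24T21:33:30 10.0.0.15 GET http://cdn-example.invalid/api.php 200
2018-06-24T21:33:40 10.0.0.15 GET http://cdn-example.invalid/api.php 200
2018-06-24T21:33:50 10.0.0.15 GET http://cdn-example.invalid/api.php 200
2018-06-24T21:33:03 10.0.0.22 GET http://news.example/ 200
2018-06-24T21:33:04 10.0.0.22 GET http://news.example/style.css 200
2018-06-24T21:33:31 10.0.0.22 GET http://news.example/story/1 200
2018-06-24T21:35:12 10.0.0.22 GET http://news.example/story/7 200
2018-06-24T21:41:40 10.0.0.22 GET http://news.example/story/9 200
2018-06-24T21:42:01 10.0.0.22 GET http://news.example/search 200
"""


def parse_log(text):
    """Parse the assumed line format into (timestamp, client, host) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        host = urlsplit(url).hostname or url
        records.append((datetime.fromisoformat(ts), client, host))
    return records


def flow_intervals(records):
    """Group requests per (client, host) and return the gaps between them in seconds."""
    times = defaultdict(list)
    for ts, client, host in records:
        times[(client, host)].append(ts)
    intervals = {}
    for key, stamps in times.items():
        stamps.sort()
        intervals[key] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return intervals


def find_beacons(text, min_requests=5, max_cv=0.2):
    """Return flows whose inter-request gaps are nearly constant, lowest CV first.

    min_requests keeps one-off bursts from being scored; max_cv is the
    regularity threshold (0 means perfectly periodic).  A beacon with heavy
    jitter will push its CV above the threshold, so treat this as one signal
    among several rather than a complete detection.
    """
    hits = []
    for (client, host), gaps in flow_intervals(parse_log(text)).items():
        if len(gaps) + 1 < min_requests:
            continue
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "client": client,
                "host": host,
                "requests": len(gaps) + 1,
                "mean_interval": avg,
                "cv": cv,
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}: {hit['requests']} requests, "
              f"mean gap {hit['mean_interval']:.1f}s, cv {hit['cv']:.2f}")
```

On the constructed sample the 10.0.0.15 flow to cdn-example.invalid is reported with a mean gap of 10 seconds and a CV of 0, while the browsing session from 10.0.0.22 is not reported because its gaps vary widely. Raising `max_cv` trades false positives for coverage of jittered beacons; in practice the score is best combined with other context such as destination reputation and request-size uniformity.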
Let’s look at some topics for each of these you might want to learn, alongside some of the resources that might help you plug any gaps:
Operational:
Development:
Finally, as with many other disciplines, a pathway to getting the career you’re looking for can be assisted with certification. As someone in a hiring position, I recognise that certification is not the be-all and end-all; indeed many of the best people I’ve worked with in the past have had no formal certification. However, it can certainly do you no harm in differentiating yourself from other candidates or at least helping you get your foot in the door. The certifications in the red team space are fairly sparse, although you may want to consider the CREST CSAS, CREST CSAM or Pentester Academy Red Team Expert.
Reality Check: Your questions answered

It is more than four months since the UK voted to leave the European Union. For Radio 4's PM, the BBC's Europe correspondent Kevin Connolly and assistant political editor Norman Smith are working with the BBC's Reality Check team to answer your questions about what Brexit means.
Adrian Wallis runs a small electronics company and wants to know about export tariffs after Brexit, and what they'd mean for his business.
Kevin Connolly says:
As long as Britain has been in the EU we haven't really talked much about tariffs. That's because all trade within the European Economic Area is tariff-free. On top of that the EU has trade agreements with 52 other countries as well.
After Brexit, Britain is going to have to negotiate new deals all on its own. That's both a problem and an opportunity.
For example you can use tariffs against foreign imports to protect businesses you care about, as the EU does with agricultural produce, but you do then run the risk of retaliation from your trading partners.
The key body in all of this is the World Trade Organisation and at the moment the UK is only a member via its membership of the EU.
One bit of good news is that the UK will automatically become a member in its own right as soon as it leaves the EU.
That matters because in the period when the UK is negotiating a new trade deal with the EU, and that could take years, trade would be conducted under WTO rules.
At the moment, for non-food items, that implies an average tariff of about 2.3%.
But suppose the EU were to impose a 10% tariff on UK car imports, for example. Well, then the UK could impose the same tariff on German and French cars.
In theory, an economist would say that creates a situation where everyone has an incentive to sort out a better deal for their consumers.
The snag is that these things take years, if not decades. They tend to be done on a country-by-country and sector-by-sector basis.
So if Adrian is waiting to find out the implications for his business, then I'm afraid he's going to have to be patient.
Maybe very, very patient.
Eric Degerland asks when UK passports are going to change.
Kevin Connolly says:
This takes us to the heart of an issue that lots of people really care about. It will be a real and palpable sign of Brexit when there is a new UK passport without the words "European Union" on the front cover.
Sadly, the short answer is we don't really know when the change will come about.
But we can say that the cheapest thing for the government to do would be to phase in the new passports as people's old ones expire.
So if you're looking forward to getting back that blue hard-back passport we had in the old days, you may have a long time to wait.
What impact will leaving the European Union have on our long term political influence in Europe, asks Peter Hoare.
Norman Smith says:
There are basically two views on what will happen in terms of our clout when outside the EU.
View one is that we project power and influence in the world, working through organisations such as the EU and that on our own we'll be a much diminished force.
View two is that unencumbered by the other 27 members, we can get on with things and start adopting a much more independent, self-confident, assertive role on the world stage.
My take is that not much is probably going to change.
I say that because we'll still be a member of significant organisations such as the UN and Nato, and we'll still be co-operating with our EU partners. For example, we'll still have close ties on defence with the French.
We'll still be the same old Britain, we'll still have significant military force, we'll still be a wealthy country and we'll still be a nuclear power, so I don't think people will suddenly think we're an entirely different country.
If we think of ourselves as a smaller, more inward-looking, less confident country, then that will probably impact on how people view us.
On the other hand, if we think we're doing okay and that we're outward-looking and optimistic, then that will probably be reflected in how people view us and our place on the world stage.
How will the cost of goods be affected, asks Brian Turner.
Norman Smith says:
In the short term, it is blindingly obvious to everyone that the pressure in the shops is for prices to go up because the pound is taking a hammering, largely because of a wobble over the British economy and what life is going to be like outside the EU.
Secondly, there may well be pressure on prices if we get into the whole business of tariffs, and because we import more than we export that too will hit prices in the shops.
On the other hand, you could argue that free of EU regulations and rulings maybe British businesses will become leaner, meaner and more competitive and that will drive down prices.
I think, bluntly, it is all going to depend on what happens to UK plc.
If the British economy does well then the pound strengthens, therefore we can all buy things more cheaply and we can go on summer holidays without paying a fortune.
On the other hand, if the British economy struggles post-Brexit, then I am afraid it is quite likely that prices in our shops will continue to go up because of a weak pound.
Are other countries likely to leave the EU and if so could we start a new free trade area, asks David John.
Kevin Connolly says:
Funnily enough, I was discussing this question just the other day with a French politician, a conservative and a real Europhile, and he said he thought if there was a free vote in France tomorrow, as the right wing National Front would like, that the French would vote to leave.
But generally speaking I can't see much prospect of a tidal wave of insurrectionist exitism sweeping the continent.
When a country like Ireland has a spat with the EU about tax, for example, it does annoy Irish politicians, but most mainstream leaders in Europe have grown up with the idea that the EU has brought peace and prosperity for decades.
Lots of them see plenty that irritates them about the European Union, but they mainly argue that the benefits hugely outweigh the irritations.
And in countries where you do find euroscepticism, such as Poland and Hungary, there is also a healthy awareness that there are huge financial benefits to membership.
As for the future, we will see.
If England were to get a fantastic Brexit deal then maybe others would be tempted to go.
But the truth is, lots of European politicians want the EU to be tough with Britain precisely to stop other countries from following it through the door.
As to Britain forming its own free trade area, I think it seems an awfully long shot and on balance it is unlikely, not least because there are not that many free countries around available to recruit into another free trade area.
Britain could perhaps join the Free Trade Association along with Norway, Liechtenstein and Switzerland.
But of course it would be joining under existing rules, so the likeliest future for a post-Brexit UK, I think, is a future where it tries to do the best deal possible with the EU and then looks around for other free trade deals.
But that would fall short of creating a free trade area based on the UK itself.
What evidence is there that European leaders will be willing to compromise on the single market, asks Matthew Wilde.
Kevin Connolly says:
I think Matthew has identified one of the toughest issues facing the Brexit negotiating team.
European leaders talk all the time about the four freedoms of movement: goods, services, capital, and people, and they generally portray them as indivisible.
And I think you have to understand they are not just seen as economic propositions either.
Enthusiastic supporters of the EU would argue that they are cornerstones of peace, prosperity and stability.
If the UK wants to stay in the free-market for goods, services and capital, but opt out of the free movement of people because of fears about migration, then it is going to be seen as wanting the benefits of membership without paying the price.
And EU leaders such as Angela Merkel and Jean-Claude Juncker have been queuing up to say you can't have one without all of the others.
You could argue that is a starting point for negotiations on their side, but I think it might well end up becoming a sticking point in talks too.
And I have heard the same sort of thing being said in France, Slovakia, Poland and Spain in just the last few weeks.
What will happen to the borders in Gibraltar and Northern Ireland, asks Nigel May.
Kevin Connolly says:
I think the question of what is going to happen to difficult borders after Brexit is one of the most difficult of the lot.
Since 1985 when Spain joined the EU, it has basically been prevented from closing the border with Gibraltar as a way of applying pressure to the British territory.
In fact, 12,000 Spanish people cross into the territory to work every day and the area of Spain around Gibraltar is a pretty depressed area so they are important jobs.
On the other hand, the Spanish have talked openly about this being an opportunity to get Gibraltar back. Jose Manuel Garcia-Margallo, its minister of foreign affairs, said in September the UK's vote to leave the EU was "a unique historical opportunity in more than three hundred years to get Gibraltar back".
But at a minimum, as things stand, it looks to me as though they could certainly re-impose border controls if they chose to.
The situation with Ireland's border is more complex.
For those of us for whom Northern Ireland is home, the total disappearance of military check points on the border is one of the most tangible daily reminders of the end of the troubles and no one wants a border like that back.
But, when the day comes when Ireland is in the EU and the UK is not, then the Irish border of course is also going to be the UK's land border with the European Union.
The prime minister has said we don't see a return to the borders of the past, but the reality is that if Britain leaves the common customs area, then presumably some sort of checks are going to be necessary on that border.
And if the UK wants to stop Polish or Romanian migrant workers using Dublin airport as a back door into the UK, then it is going to have to do something about that too.
Of course, what it will all mean for towns and villages like Belleek and Belcoo in County Fermanagh, which more or less straddle the border, is hard to imagine.
How much has Brexit cost so far and how much will it cost by the end, asks Simon Johnston.
Norman Smith says:
I think the truth is, no one truly knows what the costs will be of leaving the EU.
That is in part because it is at the very centre of the whole row over Brexit, so if you talk to Brexiteers then they assume we will be "quids in" by leaving the EU, if you talk to Remainers then they assume it is going to be a catastrophe.
We simply don't know because we don't know what is going to happen to the economy, whether it is going to prosper or whether it is going to flounder.
We don't know whether we are going to face tariffs or whether we will have continued free trade, what sort of deals we might get with other countries in different parts of the world and what is going to happen to the City.
In short, we do not know what is going to happen to the economy and therefore we can't honestly say what are going to be the true costs of Brexit.
What we can perhaps get some sense of is the administrative costs of making Brexit happen, because we do know the government has already set up a new Brexit department under David Davis, situated in number 9 Downing Street and already they have got around 200 staff, so their salaries will of course have to be paid for.
Many of them have been transferred from other government departments, predominantly the Foreign Office, but presumably those posts will have to be backfilled, so you have to pay for the setting up of a new department.
Already they are busy preparing the ground work for Brexit, they have responded to around 235 written questions in the House of Commons, but in terms of their overall budgets so far they simply say that detailed work is underway over the scale of their budgets, so even there we do not know.
But there will be the cost of an additional government department to manage Brexit.
How will EU sponsorship of university research be affected, asks Christopher Lindop.
Kevin Connolly says:
I think this is a really interesting issue and I know there is a lot of fear around this area, and there has even been some talk that European researchers at the moment are being put off applying for funding for joint projects with British partners.
At the moment, EU research funding is organised under a programme called Horizon 2020 and of course Britain, with a long scientific tradition, is a big player in all of that.
Perhaps for that reason it is also one of those areas where the government has already done something, essentially it said it would pick up the tab for any EU research funding that is agreed before Britain leaves the EU.
So if you secure funding in 2017 that stretches on to 2025 then that funding is guaranteed.
Again, a lot is going to depend precisely on what deal the UK can negotiate, but if you look at Horizon 2020, Israel for example has associate membership through a long-standing agreement.
I suppose there is no reason to think, in the end, that the EU would offer something to Israel that it wouldn't also offer to a post-Brexit UK.
How will access to healthcare change for expats living in the EU, asks Veronique Bradley, who lives in Italy.
Kevin Connolly says:
Healthcare is one of those issues that remains relatively simple as long as the UK remains in the EU.
It is just part of a range of citizens' rights that apply across the entire union. After Brexit, I suppose there will be two possibilities.
The first and easiest would be that the negotiators come up with a reciprocal deal that keeps the current arrangements, or something a bit like them, in place.
If they don't, the situation will depend on the individual country where you live.
For the Bradleys in Italy, for example, residents from non-EU countries, and that will soon include the Brits, will have to finalise their resident status, acquire an Italian identity card and then apply for an Italian health insurance card.
If they visit the UK at the moment, access to the NHS for non-resident Brits is not straightforward unless you have a European health insurance card.
The right to treatment is based on residency, not on your tax status.
So, even if you live abroad and pay some British tax on a buy-to-let property for instance, you might find yourself getting a bill for any NHS treatment you end up getting while you are back in the UK.
What will happen to EU nationals who lived and worked in the UK and now receive a British state pension, asks Peter Barz, a German citizen living in the UK.
Norman Smith says:
If you are an EU national and you get a British state pension, nothing much should change, because the state pension is dependent not on where you come from, but on how long you have paid National Insurance contributions in the UK.
So it doesn't matter whether you come from Lithuania or Latvia or Transylvania or Timbuktu, what counts is how much you have paid in terms of National Insurance contributions.
There is one wrinkle though and that is that you have to have paid in for at least 10 years.
Under the current rules, if you are an EU citizen and haven't paid in for 10 years, you can point to any contributions you have made in your native country and say, "I paid in there", and that will count.
That works for EU countries and another 16 countries with which the UK has social security agreements.
Once we have left the EU, you will no longer be able to do that unless we negotiate new reciprocal agreements.
If we don't then potentially, if you have paid in fewer than 10 years' worth of National Insurance contributions, you will not get a British state pension.
Is it possible to be both an EU citizen and not an EU citizen, asks Declan O'Neill, who holds an Irish passport.
Kevin Connolly says:
I should probably declare some sort of interest here as a dual Irish and British national myself.
Of course, anyone born in Northern Ireland has an absolute right to carry both passports.
Declan might be happy to know that this is one of the few questions where I can't see a downside as long as you are happy and comfortable carrying both passports.
The Irish document means you continue to enjoy the benefits of EU citizenship, and the British passport will give you full rights in the UK at the same time.
Call it one of the clear joys of coming from Northern Ireland, alongside the rolling hills, rugged coastline and enjoyable breaks between the showers.
All you have to do is remember to carry the Irish passport when you are joining the EU citizens-only queue at the airport in future.
When will we stop sending the EU our subscription fee, asks Colin Spikesley.
Norman Smith says:
The honest answer is we probably won't stop sending money to the EU anytime soon.
Why? Well, because we are going to be a member of the EU until at least 2019, so at least until the spring of 2019 we are going to be paying our annual subs of around £9bn a year.
But even after we have left we may still be tied in to certain arrangements we signed up to, for example, to fund research or economic development projects in the EU, and just like with any other contract, once you have signed on the dotted line you have to fulfil it.
So we could still be paying money into the EU for those sorts of projects and there is the possibility that, should we choose, we could decide to keep paying money into the EU to ensure continued access to the single market.
In other words, the idea has been mooted in Whitehall that maybe we ought to slip the EU a few billion quid to allow us to continue to trade freely with the single market.
So in short, the idea we are going to stop handing money over to the EU anytime soon is probably a bit wide of the mark.
What will happen to expats living in the EU but receiving their pensions, asks Dr Denise Burman, who has been living in France for 20 years.
Kevin Connolly says:
I think lots of the concerns that people are raising are about the fate of British people who have settled elsewhere in the European Union during British membership.
There are about a million of them and, of course, for people who retired to France or Italy or Spain or Germany, in theory that means state pensions.
At the moment, Brits living anywhere in the European Economic Area, which is the EU plus a few others, get pension increases in line with inflation, and there are a few other countries where Britain has reciprocal arrangements so the same sort of deal applies.
If you retire to a country where Britain hasn't negotiated such a deal, including a few surprising ones such as Australia, then your pension is frozen either at the level you first received it or the level on the day you emigrated.
Britain did have bilateral deals with some countries that are in the EU, including France, before it joined the European Community, so it is possible new deals could be negotiated. But unless the rights of expat pensioners are protected in the long years of negotiations to come, it is possible that you will see pensions frozen.
Correction 23 November 2016: This section has been amended to correct a suggestion that the existence of historical bilateral deals made it likely that pension increases would continue in those countries. However, any future deals will be dependent on the outcome of Britain's EU exit negotiations.
Is there a get-out clause for Article 50, asks Gillian Coates.
Norman Smith says:
I think the honest answer is you would have to be a legal eagle to answer this.
But my take on it is that legally it looks like once we trigger Article 50 we are locked in, and that is certainly how the European Parliament reads it.
And there is a view that if we were in this two-year process after triggering Article 50 and we wanted to get out of it, then ultimately that would be a decision for the European Court of Justice.
However, in the real world I think it is likely to be rather different, whatever the legal protocol.
I think the truth is, if we were trundling along and decided it was all going to be catastrophic and we have got to pull up the handbrake pretty sharpish, a lot of other EU countries would probably be laughing at us, but I think at the same time they would probably be quite pleased we weren't going.
Certainly, if you listened to the president of the European Council, Donald Tusk, earlier this month, he was saying yes, the UK could change its mind and he would be delighted if we did.
So I think the short answer is: legally, it doesn't look so good if you want to get out of it, but politically, it probably can be done with the support of other European leaders.
Kevin Connolly and Norman Smith will continue to answer your Brexit questions on BBC Radio 4's PM programme every day this week from 1700 GMT.