
Rolling your own red team, and other approaches


1 Rolling your own red team, and other approaches
Lawrence Munro

2 About Me
- Director for SpiderLabs at Trustwave (EMEA and APAC)
- Built and grown Penetration Testing Practices
- KPMG: Head of Red Teaming and commercial Pen Testing
- Nebulas (Boutique): Director
- B-Sides London
- Former Penetration Tester / Social Engineer
- Advisor to various global enterprises on creating Red Teams
- Doing my Masters at Oxford University

3 Agenda
- Introduction to Red Teaming
- Why Simulate Attacks?
- Threat Intelligence
- Why to ‘Roll’ Your Own
- Why Not to Roll Your Own
- Legal issues (in the UK)
- Execution
- The Importance of Closure

4 Introduction to Red Teaming
- Simulated attacks
  - Replicate realistic threats
  - Specialisms
- Common approaches
  - Cyber kill chain
  - Threat Intelligence
- Planning
  - Goals
  - High level
  - Broad scopes

5 Why Simulate Attacks
- Test your defences
  - Traditional pen testing is not realistic
  - Post-exploit
- Test your IR capability and Playbooks
  - As important as penetration
- Compliance
  - CBEST in FS
- Everyone else is doing it (?)

6 Threat Intelligence
- What’s the concept?
- Threat intelligence improves realism
  - Quality threat intelligence improves realism
- Scenario-based approach
  - Creation of scenarios based on TI
- Which providers offer all TI elements? Really? Generic?
- Your own data and TI
  - Risk and threat models

7 Why to Roll Your Own – Key Points
- Money
  - Is it more expensive?
- Learning activities
  - RT != PT
- Continuous assessment
  - Test all the things, all the time?
- Blue Teams and collaboration
  - Collaboration with IR / SOC
- Visibility
  - See your network from an attacker’s viewpoint

8 Why to Roll Your Own Red Team Top Trumps – The Exploit Dev.
- Attributes
  - Specialist
  - Often focused on specific architectures
  - Deeply technical
- Creativity – 6/10
- Nerd Quotient – 8/10
- Cost – ££££ / 5

9 Why to Roll Your Own Red Team Top Trumps – The App. Specialist
- Attributes
  - Often from a dev. background
  - Will have some key languages and platform expertise
  - Often has infrastructure skills too
- Creativity – 7/10
- Nerd Quotient – 7/10
- Cost – £££ / 5

10 Why to Roll Your Own Red Team Top Trumps – The All-rounder
- Attributes
  - Long tenure in the industry, seen it all
  - Often useful for managerial responsibility
  - Strategist
  - Probably owns a ham radio
- Creativity – 6/10
- Nerd Quotient – 7/10
- Cost – ££££ / 5

11 Why to Roll Your Own Red Team Top Trumps – The Infra. Specialist
- Attributes
  - OS expert
  - Network expert
  - Often from architecture or net. background
  - Often Mac or Linux zealot
- Creativity – 7/10
- Nerd Quotient – 8/10
- Cost – £££ / 5

12 Why to Roll Your Own Red Team Top Trumps – Out-of-the-box Thinker
- Attributes
  - Could be from anywhere
  - Often an all-rounder
  - Often very active in the community
  - Risky hire (sometimes)
- Creativity – 10/10
- Nerd Quotient – 8/10
- Cost – ££££ / 5

13 Why to Roll Your Own Red Team Top Trumps – The Social Engineer
- Attributes
  - Technical background
  - Often has another specialism
  - Knowledge of NLP
- Creativity – 9/10
- Nerd Quotient – 5/10
- Cost – ££££ / 5

14 Why Not to Roll Your Own
- Budget and Value for Money
- Lack of knowledge
- Belief that external providers have greater expertise
- Don’t see the benefit
- Lack of justification to business stakeholders

15 Legal Issues (In the UK)
- I’m not a legal expert
- You should speak to a legal expert
- Computer Misuse Act (1990)
  - Section 3A – creation of malware
- Human Rights Act (1998)
  - Article 8 – Right to respect for private and family life
- Data Protection Act (1998)
  - Principle 6 – right to claim compensation
  - Principle 7 – data should be stored securely, ICO can fine
  - Principle 8 – data not stored overseas
- The Police and Justice Act (2006)
  - Section 37 extends section 3A of CMA

16 Execution – RATs
- What are Implant Frameworks (RATs)?
- Implant Security Controls
  - Removal (after time, manual)
  - Encrypted comms channels
  - Encrypted local data store
  - Attribution and identification
  - Logging
  - Persistence controls (reboots)
  - Stealthy, Beacon domains registered
  - Delivery mechanism control

17 Execution – Attack Vectors
- Social engineering
  - Spearphishing
  - Physical entry
  - Phone-based pretexting
- Common Vectors
  - Watering hole attack
  - Dead drops

18 The Importance of Closure
- Lessons learned
  - Report styles
  - Remediation activity discussions
  - Expect value from the Red Team
  - Report reconciliation
- Stakeholders
  - Who should benefit?
- Feedback into Threat and Risk models
  - SOC SIEM alerts
  - Patterns
  - Update IR Playbooks

19 Questions?

