Presentation transcript: Red Team

"You keep using that word, I do not think it means what you think it means" – Inigo Montoya
Intro
- Greg Huff, CISSP
- Sr. Engineer – Red Team
- Co-founded Red Team for a Fortune 50 company
Why do we do security testing?
- Industry compliance: PCI, FIPS
- Government regulations: HIPAA, GLBA, FISMA
- Number 1 reason why?: Because we have to!
Vulnerability Assessment
- Fully automated
- Can be scheduled
- Real-time detections
- Interpretation of results requires some technical knowledge
- Detects presence of public exploits, misconfigurations, outdated patch levels, default credentials, etc.
Vulnerability Assessment (cont.)
Commonly used tools:
- Nessus: configurations, patch levels, public exploits
- Burp Suite: web applications, APIs
- Nexpose: similar to Nessus, browser-based checking
Penetration Testing
- Combination of automated and manual testing
- Results of a vulnerability scan may lead to successful penetration into an environment
- Exploitation of known vulnerabilities
- Privilege escalation
- Generally not designed to be stealthy or to test response plans and defensive capabilities
Penetration Testing (cont.)
Commonly used tools:
- Often the same as vulnerability scan tools
- Exploitation frameworks
- Usually targeted against specific infrastructure/applications
Red Team
- Real-world attack simulation
- Significant reconnaissance effort
- Penetration into environment
- Avoidance of security monitoring
- Persistence maintained
Red Team (cont.)
- Wide variety of attacks: advanced social engineering, physical attacks, custom exploit development
- Act as aggressors to test defensive capabilities and response
- More deliberate and paced than a standard pen test
- Will adapt to countermeasures, maintain persistence, and continue attacks
- Goal/scenario-based testing
Testing Comparison (chart; image not included in transcript)
- Axes: Level of Effort, Cost and Time vs. Attack Sophistication
- Testing types, in order: Vulnerability Assessment, Penetration Testing, Red Team
- Threat tiers: Unsophisticated Threats (misconfigurations, default creds); Largest Threat Landscape (hacktivists, script kiddies, identity theft); High Capability Threats (nation states, organized crime, APT)
Should I have an internal Red Team?
- Need vs. want
- Org size
- Regulatory requirements
- Security funding
- Industry
- Do I want to know what I don't? First question to ask…
- Org socialization: mission statement, service catalog, partnerships with HR, legal, etc.
- Learning opportunities