What is Red Team Service?~Latest Penetration Test Trends in U.S.~

TOMOHISA ISHIKAWA

scientia.admin@gmail.com

www.scientia-security.org

$$ WHO AM I ?

Tomohisa Ishikawa• Security Consultant (9 years experience)

• Specialized Area

• Penetration Test, IR, Security Consultation, Vulnerability Management, Awareness,

Training, Global Security Management…

• Various Speaker Experience

• SANSFIRE 2011 & 2012, DEF CON 24 SE Village, LASCON 2016, BSides Philly 2017

• Certification Junkie

• CISSP, CSSLP, CISA, CISM, CFE, GPEN, GWAPT, GXPN, GWEB, GSNA, GREM, GCIH

Objective

Sharing One Year Experience in security team of U.S.

insurance company

Understanding difference of Methodology• Traditional “Penetration Test” vs. “Red Team”

皆様の会社（組織）、ペネトレーションテストやっていますか？

Do you have penetration test in your organization??

日本で言うペネトレーションテストって…

Penetration Test in Japan is …

某L社とか某N社のページを見てみると..

Let’s see HP of N company, L company, M company…

• Webセキュリティ診断サービス (Web Application Testing)

• プラットフォーム診断サービス (Platform Testing)

• 標的型攻撃診断サービス（メール訓練サービス・出口対策検証）

• 無線LAN診断サービス

• DDoS体制検証サービス

安全第一！！Safety of system is First Priority.

※ちなみにセキュリティ診断とペネトレーションテストをほぼ同じ意味で使いますが、宗教上の理由でこの二つを一緒に語ることが許せない人とは適当に読み替えてください。

米国に行くと…

意外とペネトレーションテスターって言わない人が多い？

Only few people said “I am a penetration tester”

「ペネトレーションテスト」ってダサい？

“Penetration Test” is tacky???

What is “Red Team”?

もともと、諜報機関で生まれた概念Originally, it is from intelligence community

敵の観点から作戦を検証したり、取得した情報の信憑性を批判的に検証するチームのこと

Verify strategies or information from adversary view point

• Devil‘s Advocate（悪魔の弁護人）

• CIA Red Cell

What is the difference btw “Red Team” and “Pen Test”?⇒ Coverage is different!!

Digital

Physical Social

• Web Application Testing• Platform Testing• APT Simulation• APT Mail Awareness training

• Vishing（Voice Phishing）• OSINT• Tail Gating• Impersonation

• ID Card Cloning• Physical Access to box• Elevator Hacking• Physical Control Bypass

According to Gartner…• Long Term Challenge (NOT point-in-time assessment)

• より長期的にテストを実施。実施時間も２４時間いつでも実施する.

• Defense Coordination

• Blue Teamの機能も含めて評価を行い、改善につなげる。

• Adversary Simulation• 攻撃者そのものの観点から実施する。（３つの観点の融合）

• Controlled but Real Intrusion

What is the difference btw “Red Team” and “Pen Test”?⇒ Different Feature

Case 1: Physical Penetration Test

Objective• どこまで内部侵入して情報が取れるのか？

Is it possible to bypass physical access control?

Methodology• Breaking Lock (Picking, impassioning, Bypassing)

• Elevator Hacking

• RFID Cloning

• Social Engineering

Physical Penetration Test

Case 2: APT Adversary Simulation Service

SLA of APT Adversary Simulation Service is following.

• Awareness Phishing

• Penetration Test Phishing

• Red Team Phishing

標的型攻撃サービスAPT Adversary Simulation Service

Attempting attacks as same as “Japan Pension Service”

• Following Cyber Kill Chain

• OSINT & SOCMINT

• Selecting 2~3 targets, and sending attached email

• Exploitation

• Using “Fresh” vulnerability & Exploit

• Post Exploitation with PowerShell

• Password Cracking with GPU

• Lateral Movement & Reaching out “Treasures”

Red Team Phishing

OSINT Example

Check LinkedIn and find out target

Analyzing Twitter with SOCMINT Tools• Target has a tendency to buy shoes in apparel shop

• Sending Coupon by pretending as appeal shop

TOOLS OSINT

• Maltago https://www.paterva.com/web7/

• FOCA https://www.elevenpaths.com/labstools/foca/index.html

• SpiderFoot http://www.spiderfoot.net/

• Discovery Script https://github.com/leebaird/discover

• Recon-ng https://bitbucket.org/LaNMaSteR53/recon-ng

• Cymon https://cymon.io/

• WeLink https://welink.com/dashboard/

• GEOFEEDIA https://geofeedia.com/

• ECHOSEC https://www.echosec.net/

TOOLS

OTHER TOOLS (Part of them is experimental)• GoPhish https://getgophish.com/

• Social Engineering Toolkit in Kali Linux

• Cobalt Strike https://www.cobaltstrike.com/

• Mimikatz https://github.com/gentilkiwi/mimikatz

• Responder https://github.com/SpiderLabs/Responder

• IPMI http://fish2.com/ipmi/remote-pw-cracking.html

• MITM Framework https://github.com/byt3bl33d3r/MITMf

• Spray WMI https://github.com/trustedsec/spraywmi

TOOLS PowerShell Tools

• PowerShell Empire https://github.com/EmpireProject/Empire

• EmPyre (Python) https://github.com/EmpireProject/EmPyre

• PowerSploit https://github.com/PowerShellMafia/PowerSploit

• Including PowerView・Invoke-Mimikatz・PowerUp

• Veil Framework https://www.veil-framework.com/

• Nishang https://github.com/samratashok/nishang

• Invoke-Obfuscation https://github.com/danielbohannon/Invoke-Obfuscation

• PS Attack https://github.com/jaredhaight/psattack

• NaishoDeNusumu https://github.com/3nc0d3r/NaishoDeNusumu

• BloodHound https://github.com/BloodHoundAD/BloodHound

Resource Great Presentation

• AD Security https://adsecurity.org/

• All presentation is awesome

• Adversarial Post-Exploitation: Lessons From The Pros

• https://www.youtube.com/watch?v=x3crG-hM9sc

• A Year in the Empire

• https://www.youtube.com/watch?v=ngvHshHCt_8

• PowerShell Secrets and Tactics

• https://www.youtube.com/watch?v=EQv4bJnCw8M

• Introducing PowerShell into your Arsenal with PS>Attack

• https://www.youtube.com/watch?v=mPckt6HQPsw

• Invoke-Obfuscation: PowerShell obFUsk8tion Techniques

• https://www.youtube.com/watch?v=P1lkflnWb0I

From Blue Team Side

以下が本当に重要！！

• Full Spectrum Visibility (完全な可視化)

• Targeted Containment (標的型封じ込め)

EDR (Endpoint Detection & Response)• Ex) Tanium, Fidelis, Carbon Black, FireEye, Crowd Strike, Red Cloak, Cyber

Reason…

Wrap-Up

“Red team” is U.S. trends

Focus on comprehensive test

Thank You!!

If you have any questions, please feel free to contact me

Contact Info• Email scientia.admin@gmail.com

• JP Blog www.scientia-security.org

Bonus Session

Digital Penetration Test Certification

Certification for Penetration Tester• CEH (by EC-Council)

• GIAC (by SANS)

• OSCP (by Offensive Security)