red team mindset
TRANSCRIPT
8/13/2019 Red Team Mindset
http://slidepdf.com/reader/full/red-team-mindset 1/35
RED TEAM MINDSET
Uri Fridman – [email protected]
TODAY
ATTACKERS BYPASS THE MOST PARANOID SECURITY MEASURES.
Information is being extracted.
In most cases attackers leave without the
target ever knowing they were there.
RED TEAMS
A red team is a group of highly skilled people that continuously challenge the plans, defensive measures and security concepts.
These exercises result in a better understanding of possible adversaries and help to improve countermeasures against them and future threats.
A RED TEAM views a
problem from an
ADVERSARY or attacker’s
PERSPECTIVE
“There is no such thing as perfect security. Attackers get smarter and change tactics all of the time.”
ADAPTABILITY
THE MINDSET OF AN ATTACKER
ADVERSARIES DON’T PLAY BY THE SAME RULES; IN FACT THEY DON’T HAVE RULES AT ALL. THEY ADAPT.
In the scary cases, the attacker is a focused adversary who is looking to steal sensitive data or maintain a strategic foothold.
“Red Teaming Law #11: The superior red teamer discerns webs of perception, intent, and effect; others just see a cigar. Of course, ‘sometimes a cigar is just a cigar’ (or is it?)”
RED TEAM JOURNAL LAWS (http://redteamjournal.com/red-teaming-laws/)
SITUATIONAL AWARENESS
LOOKING AT THE PROBLEM
FROM THE ATTACKER’S SIDE
SOMETIMES ALL IT TAKES IS A LOW-TECH APPROACH TO DEFEAT A HI-TECH PROBLEM.
Adversaries can exploit any and all known attack vectors. They will also create new ones. Attackers are very creative.
WHAT IS THE REAL WEAK LINK?
SOCIAL ENGINEERING
“Amateurs hack systems, professionals hack people.”
BRUCE SCHNEIER
THINKING
Just thinking like a security-conscious person won’t do. We need
LINEAR THINKING combined with
LATERAL THINKING and
RIDICULOUS THINKING.
Having an understanding of who the adversary is and how it might exploit the security holes will make the organization better.
Reactive security is not the ideal security posture; instead be proactive, try to go 2 or 3 moves ahead of the adversary. Put detection and deception measures in place. Make a future attack harder.
SOFTWARE VULNERABILITIES
PLEASE NOTE
PATCHED ≠ SECURE
DESIGN VULNERABILITIES
A word about
“OPSEC” &
“OSINT”
OPSEC & OSINT
When people brag, OPSEC goes out the window. OSINT is your friend. Spend time developing good OSINT prior to, during and after an operation.
FOLLOW THE OPSEC RULES FOR YOUR
TEAM (SEE NEXT SLIDE)
OPSEC RULES
1- Never reveal your operational details
2- Never reveal your plans
3- Never trust anyone
4- Never confuse recreation with work
5- Never operate from your own safe house / HQ
6- Be proactively paranoid, it doesn't work retroactively
7- Keep your personal life and work separated
8- Keep your personal environment free of work related stuff
9- Don't give anyone power over you
10- ALWAYS VERIFY!
THE PROBLEM WITH LACK OF OPSEC:
ROBIN SAGE
THE MOST IMPORTANT
CONTROL IS…
Wait for it…
US
INTELLIGENCE-DRIVEN
SECURITY IS THE NEW BLACK
INTELLIGENCE-DRIVEN
ATTACKS THEN, ARE THE NEW WHITE
“Develop the situation. Don't let the situation develop itself.”
PETE BLABER: THE MISSION, THE MEN AND ME
LEARN FROM
ATTACKS THAT DIDN’T WORK
DIGITAL SITUATIONAL
AWARENESS
Identify patterns that link individuals to systems to networks to the full target.
BLEND IN.
Create false trails. Develop a noisy attack and let the target follow it. Have a secondary stealthy one ready to perform the attack.
UNDERSTANDING HOW THE
ATTACKERS THINK
IS KEY
“7 P’s: Proper Planning and Preparation Prevents Piss Poor Performance.”
DRY RUNS
Perform dry runs. Build a simulated environment as close to the target’s as possible.
Dry runs will show you in most cases what could work and what might not. Have contingencies for everything.
Remember PACE:
Primary,
Alternate,
Contingency, and
Emergency.
THANK YOU
CONTACT: [email protected]