Red Team
“You keep using that word, I do not think it means what you think it means” – Inigo Montoya
Intro - Greg Huff, CISSP
Sr. Engineer – Red Team
Co-founded Red Team for Fortune 50
Why do we do security testing?
Industry compliance: PCI, FIPS
Government regulations: HIPAA, GLBA, FISMA
Number 1 reason why?: Because we have to!
Vulnerability Assessment
Fully automated
Can be scheduled
Real-time detections
Interpretation of results requires some technical knowledge.
Detects presence of public exploits, misconfigurations, outdated patch levels, default credentials, etc.
Vulnerability Assessment (cont.)
Commonly used tools:
Nessus: configurations, patch levels, public exploits
Burp Suite: web applications, APIs
Nexpose: similar to Nessus, browser-based checking
Penetration Testing
Combination of automated and manual testing
Results of a vulnerability scan may lead to successful penetration into an environment.
Exploitation of known vulnerabilities
Privilege escalation
Generally not designed to be stealthy or test response plans and defensive capabilities
Penetration Testing (cont.)
Commonly used tools
Often the same as vulnerability scan tools
Exploitation frameworks
Usually targeted against specific infrastructure/applications
Red Team
Real-world attack simulation
Significant reconnaissance effort
Penetration into environment
Avoidance of security monitoring
Persistence maintained
Red Team (cont.)
Wide variety of attacks:
Advanced social engineering
Physical attacks
Custom exploit development
Act as aggressors to test defensive capabilities and response
More deliberate and paced compared to a standard pen test
Will adapt to countermeasures, maintain persistence, and continue attacks
Goal/scenario-based testing
Testing Comparison
[Chart: Attack Sophistication (vertical axis) vs. Level of Effort, Cost and Time (horizontal axis)]
Tests plotted, in increasing order of effort, cost, time and sophistication: Vulnerability Assessment, Penetration Testing, Red Team
Threat tiers annotated along the same scale, lowest to highest:
Unsophisticated Threats: misconfigurations, default creds
Largest Threat Landscape: hacktivists, script kiddies, identity theft
High Capability Threats: nation states, organized crime, APT
Should I have an internal Red Team?
Need vs. want
Org size
Regulatory requirements
Security funding
Industry
Do I want to know what I don’t?
Org socialization
Mission statement
Service catalog
Partnerships with HR, legal, etc.
Learning opportunities
First question to ask…
IamA Red Teamer AMA!