Seeing Red in Your Future?
DESCRIPTION
Derbycon 2013 - Seeing Red in Your Future? This talk is designed to complement the “Fifty Shades of Red” talk tomorrow, and to provide context for organizations that are either considering a red team test, or have been doing red teaming and want to get more value out of it. In this talk we’ll cover some of the basic elements of what red teaming is, and specifically how it benefits an organization that engages in such a practice. Red teaming by itself is a high-interaction test. Unlike many other tests (namely penetration testing, compliance engagements, vulnerability assessments and other IT-related practices), a red team is not limited to the technical scope of the organization’s security infrastructure. As such, it is imperative to extract as much value out of a red team engagement as possible, and to see a return on that investment in as many different areas of the organization as possible. Based on years of experience conducting red team tests, training, and helping organizations improve their security through red teaming, these insights will be applicable to everyone who is seeing red in their future (and you all should, in order to really address security in an organization that has people working in it and not just machines).
TRANSCRIPT
Seeing red in your future?
Ian Amit, Director of Services, IOActive
Hello
whoami?
$ id
uid=501(iamit) gid=20(ioactive) groups=12(hack),33(research),61(dev),79(red_team),80(sexy_defense),81(exil),98(idf),100(dc9723),204(/dev/null)
So, you think you can red team...
As in get your organization a proper red team assessment
First things first.
What is a “Red Team Test”?
!pentest
!social_engineering
“A red team is an independent group that challenges an organization to improve its effectiveness”
(Wikipedia)
But wait! what about security?
Right... that’s part of the deal...
Security is PART of running an organization!
So how do we go about it?
Agenda
Preparing for a red team (map)
Locate business critical assets (identify)
Getting buy-in (recruit)
Defining goals (target)
Finding a team (assemble)
Define scenarios and RoE (scope)
Establish white/blue team (monitor)
Hang on tight (execute)
Analyze (pre-report)
Identify areas of improvement (gap)
Create plan for remediation (fix)
Map
CISO, CIO, CFO, CRO, Compliance, Audit, General Counsel
Identify
Recruit
Audit
Six Sigma
Target
How do I look from the outside?
Legal
Research & Development
Procurement
Information Sources
Supply Chain
Human Resources
Sales
Financials
Assemble
Skillz!
Electronic
Social
Physical
Scope
Threat model
Assets
Processes
Controls
People
Technology
Location
Culture
Adversaries
Monitor
Execute
Can you hear me now?
Yes
Whazzzzzzup?
Whazzzzzzzzzzuuuuuppp?
What are you wearing?
Hello?
Still there?
Stay in control of the escalation processes...
Pre-report
IDS
System Logs
Firewalls
Access controls
Call records
Web traffic
DNS
Social Media
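The pre-report step above is where the red team's own activity log gets reconciled against the data the blue team actually has in those sources. The following is an added example, not code from the talk or from IOActive: it takes a constructed red-team activity log and constructed blue-team events (firewall, DNS, IDS, access-control and system-log records, all invented here for illustration), matches each red action to the evidence that exists for it, and separates three outcomes a practitioner cares about: the action was alerted on (with time to detect), it was logged but nobody alerted, or there is no trace at all. The field names, timestamps and the 48-hour matching window are assumptions.

```python
"""Red-team / blue-team timeline reconciliation (added example, constructed data)."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed red-team activity log: what was done, when, and the indicator
# a defender could have matched on (values are invented for this example).
RED_LOG = [
    {"id": "R1", "time": "2013-09-10 09:02", "action": "phishing email to sales",
     "indicators": {"sender": "it-helpdesk@examp1e.com"}},
    {"id": "R2", "time": "2013-09-10 09:41", "action": "reverse shell callback",
     "indicators": {"dst_ip": "198.51.100.23"}},
    {"id": "R3", "time": "2013-09-10 10:15", "action": "DNS lookup of C2 domain",
     "indicators": {"domain": "cdn-updates.example.net"}},
    {"id": "R4", "time": "2013-09-10 13:30", "action": "tailgate into mfg floor",
     "indicators": {"door": "MFG-02"}},
    {"id": "R5", "time": "2013-09-11 02:10", "action": "DA credential use on prod",
     "indicators": {"user": "svc_backup"}},
]

# Constructed blue-team events from the sources listed on the slide.
# "alerted" marks events that actually raised an alert; the rest were only logged.
BLUE_EVENTS = [
    {"source": "firewall", "time": "2013-09-10 09:41",
     "fields": {"dst_ip": "198.51.100.23", "action": "allow"}},
    {"source": "DNS", "time": "2013-09-10 10:15",
     "fields": {"domain": "cdn-updates.example.net"}},
    {"source": "IDS", "time": "2013-09-10 11:05", "alerted": True,
     "fields": {"dst_ip": "198.51.100.23", "sig": "possible reverse shell"}},
    {"source": "access controls", "time": "2013-09-10 13:30",
     "fields": {"door": "MFG-02", "badge": "none"}},
    {"source": "system logs", "time": "2013-09-11 02:10",
     "fields": {"user": "svc_backup", "host": "prod-plc-01"}},
]


def _t(s):
    return datetime.strptime(s, FMT)


def reconcile(red_log, blue_events, window=timedelta(hours=48)):
    """For each red action, find blue events inside the window whose fields
    contain every indicator, then classify: alerted / logged_only / missed."""
    results = {}
    for act in red_log:
        t0 = _t(act["time"])
        matches = [
            ev for ev in blue_events
            if t0 <= _t(ev["time"]) <= t0 + window
            and all(ev["fields"].get(k) == v for k, v in act["indicators"].items())
        ]
        alerted = [ev for ev in matches if ev.get("alerted")]
        if alerted:
            first = min(alerted, key=lambda ev: _t(ev["time"]))
            ttd = int((_t(first["time"]) - t0).total_seconds() // 60)
            results[act["id"]] = {"status": "alerted", "source": first["source"],
                                  "ttd_minutes": ttd}
        elif matches:
            # Evidence exists in some source, but no alert fired: a detection gap,
            # not a visibility gap.
            results[act["id"]] = {"status": "logged_only",
                                  "sources": sorted({ev["source"] for ev in matches})}
        else:
            results[act["id"]] = {"status": "missed"}
    return results


def summarize(results):
    """Counts per outcome plus mean time-to-detect over alerted actions."""
    counts = {"alerted": 0, "logged_only": 0, "missed": 0}
    for r in results.values():
        counts[r["status"]] += 1
    ttds = [r["ttd_minutes"] for r in results.values() if r["status"] == "alerted"]
    counts["mean_ttd_minutes"] = (sum(ttds) / len(ttds)) if ttds else None
    return counts


if __name__ == "__main__":
    res = reconcile(RED_LOG, BLUE_EVENTS)
    for act in RED_LOG:
        print(act["id"], act["action"], "->", res[act["id"]])
    print(summarize(res))
```

The useful output is not the one alert; it is the three actions that left evidence in DNS, access-control and system logs with no alert behind them, and the phishing email that left no trace in any collected source. Those are the rows that turn into "gap" items in the next step, and the distinction between "logged only" and "missed" tells you whether the fix is a detection rule or a new data source.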
Gap
Example 1: Dumpster Diving Olympics
•Personnel training
•Process changes
•Technical controls
•Change management
•R&D practices
•3rd party sw security
•Physical security routines
Fix
Example 2: Incident Response from Hell
Process: Incident response kicks in on any malware with a signature from the past week, or with a generic/heuristic detection. In the meantime, malware (APT!?) is left to run (actually ok...).
Problem: A high number of incidents in a short time can create a queue. The queue is predictable if IR analysis consists of C&C traffic as well :-) The queue can be exploited...
Example 3: Eager Sales
Organization is a security contractor (builds big guns).
R&D, production, testing, management, sales, all in the same location (HQ).
Sales are global, controlled from HQ.
Extreme perimeter security, high-end physical security.
Sales... a few targeted emails, reverse shell home. Network is done. DA on production machines (mfg.), sales ledgers, major diplomatic incident potential...
Process breakdown from physical security (USB drops), through separation of duties, network segmentation, egress data management.
map, identify, recruit, target, assemble, scope, monitor, execute, pre-report, gap, fix
RED TEAM READINESS
This isn’t rocket science
It’s not about who’s got the biggest one...
It’s about challenging an organization to improve its effectiveness
yourself
your peers
your assumptions
...
There is no certificate at the end :-(
no CPEs
no medals
Just hard work :-)
And a better ROI than any other test/engagement the organization has ever gone through before
until the next red team...
Questions? Discussion!