Derbycon 2013 - Seeing Red in Your Future?
This talk is designed to complement the “Fifty Shades of Red” talk tomorrow, and to provide context for organizations that are either considering a red team test, or have been doing red teaming and want to get more value out of it. In this talk we’ll cover some of the basic elements of what red teaming is, and specifically how it benefits an organization that engages in such a practice. Red teaming by itself is a high-interaction test. Unlike many other tests (namely penetration testing, compliance engagements, vulnerability assessments and other IT-related practices), a red team is not limited to the technical scope of the organization’s security infrastructure. As such, it is imperative to extract as much value out of a red team engagement as possible, and to see a return on that investment in as many different areas of the organization as possible. Based on years of experience conducting red team tests, training, and helping organizations improve their security through red teaming, these insights will be applicable to everyone who is seeing red in their future (and you all should, in order to really address security in an organization that has people working in it and not just machines).
13. Agenda
Preparing for a red team (map)
Locate business critical assets (identify)
Getting buy-in (recruit)
Defining goals (target)
Finding a team (assemble)
Define scenarios and RoE (scope)
Establish white/blue team (monitor)
Hang on tight (execute)
Analyze (pre-report)
Identify areas of improvement (gap)
Create plan for remediation (fix)
35. How do I look from the outside?
Legal
Research & Development
Procurement
Information Sources
Supply Chain
Human Resources
Sales
Financials
88. Example 1: Dumpster Diving Olympics
• Personnel training
• Process changes
• Technical controls
• Change management
• R&D practices
• 3rd party software security
• Physical security routines
91. Example 2: Incident Response from Hell
Process:
Incident response kicks in on any malware with a signature from the past week, or with a generic/heuristic detection. In the meantime, the malware (APT!?) is left to run (actually ok...).
Problem:
A high number of incidents in a short time creates a queue. The queue is predictable if IR analysis includes C&C traffic as well :-)
The queue can be exploited...
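The triage bottleneck on this slide, as a constructed simulation added here (not code from the talk): a single analyst works tickets first-in-first-out under the slide's trigger rule (signature from the past week, or a heuristic hit), and the same queue is then ranked by a risk score as the mitigation. The alert fields, the 30-minute triage cost and the scoring weights are assumptions.

```python
from dataclasses import dataclass

TRIAGE_MINUTES = 30       # analyst effort per ticket (constructed assumption)
NEW_SIGNATURE_DAYS = 7    # the slide's "signature from the past week" rule

@dataclass
class Alert:
    alert_id: str
    host: str
    signature_age_days: int   # days since the AV/IDS signature was published
    heuristic: bool           # generic/heuristic detection, no named signature
    c2_beaconing: bool        # outbound C&C traffic seen from this host
    host_critical: bool       # host holds business-critical assets

def opens_incident(a: Alert) -> bool:
    """The slide's IR trigger: new signature (one week or less) or heuristic hit."""
    return a.heuristic or a.signature_age_days <= NEW_SIGNATURE_DAYS

def risk_score(a: Alert) -> int:
    """Mitigation: rank tickets by what is at stake instead of arrival order."""
    score = 0
    if a.c2_beaconing:
        score += 50   # live command-and-control outranks a quarantined sample
    if a.host_critical:
        score += 30
    if a.heuristic:
        score += 10   # unknown code before a known, already-blocked sample
    return score

def wait_minutes(alerts, target_id, prioritized=False):
    """Minutes until ticket target_id is picked up: FIFO, or by descending risk."""
    queue = [a for a in alerts if opens_incident(a)]
    if prioritized:
        queue.sort(key=lambda a: (-risk_score(a), a.alert_id))
    position = [a.alert_id for a in queue].index(target_id)
    return position * TRIAGE_MINUTES

# Constructed sample: 20 fresh-signature hits on workstations arrive first,
# then the one alert that matters (heuristic hit + C&C traffic on a file server).
NOISE = [Alert(f"N{i:02d}", f"ws{i:02d}", 2, False, False, False) for i in range(20)]
REAL = Alert("R01", "fileserver01", 400, True, True, True)
SAMPLE = NOISE + [REAL]

if __name__ == "__main__":
    print("FIFO wait for R01:", wait_minutes(SAMPLE, "R01"), "min")               # 600
    print("Risk-ranked wait for R01:", wait_minutes(SAMPLE, "R01", True), "min")  # 0
```

The FIFO wait is fully determined by how many qualifying alerts arrived before the real one, which is the predictability the slide points at; ranking by risk removes that dependence.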
98. Example 3: Eager Sales
Organization is a security contractor (builds big guns).
R&D, production, testing, management, sales, all in the same location (HQ).
Sales are global, controlled from HQ.
Extreme perimeter security, high-end physical security.
Sales... a few targeted emails, reverse shell home. Network is done. DA on production machines (mfg.), sales ledgers, major diplomatic incident potential...
Process breakdown from physical security (USB drops), through separation of duties, network segmentation, and egress data management.