1. Red Teaming and the Supply Chain
.. proportional red teaming assessments of the supply chain
NCC Group Security Assurance Europe
2. But first…
"We may be at the point of diminishing returns by trying to buy down vulnerability"
"maybe it’s time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can ‘self-heal’ or ‘self-limit’ the damages inflicted upon them"
Gen. Michael Hayden (USAF-Ret.) ex NSA and CIA head
February, 2012
3. Today’s common approach to cyber
• Governance & compliance
• Risk strategy and management
• Education
• Technical discovery, measurement and validation
• Management
• Technical counter measures
• Security operations
• Response
4. Today’s common problems with cyber
We have data … we struggle to get information
We have risk models … we struggle with accuracy
We have technical counter measures … we have people
We have finite resource!
15. Red Teaming & Defense: Reality…
We often only need one control failure or mistake to gain an internal foothold
.. then we are an insider! ..
16. Red Teaming: Provides Insight
• Is education / security culture effective?
• Are the technical counter measures working?
• Can your security operations detect?
• How does your incident response work in reality?
• Are the risk models accurate?
.. proportional to attacker profile/capabilities
18. Red Teaming: Supply Chain Insight
• Are they capable as they say they are?
• Are they doing what they say they are?
• Is my exposure what I expect it to be?
• Can I detect misuse?
… plus the other insights
19. Today’s Cyber Risk Reality
• We often look at ‘things’ in isolation
• We rarely consider subtle interplays or interconnects
• Supply chains work due to pooled aggregated effort
• Real-world cyber security is more nuanced than our models reflect
… it’s hard ...
20. Our Most Mature Clients’ Concerns..
Confidence they are getting information from their data
.. thus not being able to feed their risk models
.. thus not understanding their true exposure
.. thus not having confidence in their ability to detect
.. thus wavering on their ability to respond
.. thus concern risk/exposure/liability is excessive
.. thus poor ROI from current spend
21. ..
Red teaming is a real-world end-to-end assessment with scaled representative threat attacker capabilities
Red teaming the supply chain can be the next step on the maturity model for some organizations
NCC Group continues to invest heavily to facilitate
• Threat/Open Source Intelligence – ex police and government team
• Piranha – phishing platform
• Hive – command and control
• EDG – exploit development group and implant development
22. Closing Thoughts..
2015 Information Security Breaches Survey
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/432413/bis-15-303_information_security_breaches_survey_2015-executive-eummary.pdf
23. Europe
Manchester - Head Office
Cheltenham
Edinburgh
Leatherhead
London
Milton Keynes
Amsterdam
Copenhagen
Munich
Zurich
North America
Atlanta
Austin
Chicago
Mountain View
New York
San Francisco
Seattle
Australia
Sydney
Thanks! Questions?
Blog:
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/
Twitter:
@NCCGroupInfoSec
Ollie Whitehouse
ollie.whitehouse@nccgroup.trust