Derbycon 2013 - Seeing Red in Your Future?
This talk is designed to complement the “Fifty Shades of Red” talk tomorrow, and to provide context for organizations that are either thinking about engaging in a red team test, or have been doing red teaming and want to get more value out of it. In this talk we’ll cover some of the basic elements of what red teaming is, and specifically how it benefits an organization engaging in such a practice. Red teaming by itself is a high-interaction test. Unlike many other tests (namely penetration testing, compliance engagements, vulnerability assessments and other IT-related practices), a red team test is not limited to the technical scope of the organization’s security infrastructure. As such, it is imperative to extract as much value out of a red team engagement as possible, and to see a return on that investment in as many different areas of the organization as possible. Based on years of experience conducting red team tests, training, and helping organizations improve their security through red teaming, these insights will be applicable to everyone who is seeing red in their future (and you all should, in order to really address security in an organization that has people working in it and not just machines).

Transcript of "Seeing Red In Your Future?"

  1. Seeing red in your future? Ian Amit, Director of Services, IOActive
  2. Hello
  3. whoami?
     $ id
     uid=501(iamit) gid=20(ioactive) groups=12(hack),33(research),61(dev),79(red_team),80(sexy_defense),81(exil),98(idf),100(dc9723),204(/dev/null)
  4. So, you think you can red team...
  5. As in get your organization a proper red team assessment
  6. First things first. What is a “Red Team Test”?
  7. !pentest
  8. !social_engineering
  9. “A red team is an independent group that challenges an organization to improve its effectiveness” (Wikipedia)
  10. But wait! What about security?
  11. Right... that’s part of the deal... Security is PART of running an organization!
  12. So how do we go about it?
  13. Agenda (the deck repeats this slide before each section as a progress marker; the repeats are omitted below):
      Preparing for a red team (map)
      Locate business critical assets (identify)
      Getting buy-in (recruit)
      Defining goals (target)
      Finding a team (assemble)
      Define scenarios and RoE (scope)
      Establish white/blue team (monitor)
      Hang on tight (execute)
      Analyze (pre-report)
      Identify areas of improvement (gap)
      Create plan for remediation (fix)
  14-15. Map: CISO, CIO, CFO, CRO, Compliance, Audit, General Counsel
  17-20. Identify
  22. Recruit: Audit
  23. Recruit: Six Sigma
  25. Target
  26-34. How do I look from the outside? Legal, Research & Development, Procurement, Information Sources, Supply Chain, Human Resources, Sales, Financials (one item added per slide)
  36. Assemble
  37. Skillz!
  38-44. Electronic, Social, Physical
  46. Scope
  47-55. Threat model: Assets, Processes, Controls, People, Technology, Location, Culture, Adversaries (one item added per slide)
  57. Monitor
  59-60. Execute
  61. Can you hear me now? Yes. Whazzzzzzup? Whazzzzzzzzzzuuuuuppp? What are you wearing? Hello? Still there?
  62. Stay in control of the escalation processes...
  64. Pre-report
  65-72. IDS, System Logs, Firewalls, Access controls, Call records, Web traffic, DNS, Social Media (one item added per slide)
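The pre-report slides above list the defender data sources to pull after the engagement; the analysis step is to line up what the red team actually did against what each of those sources recorded. The following Python script is an added example and is not part of Ian Amit's deck: it takes a constructed red-team activity log and constructed defender events labelled with the sources the slides name, attributes each defender event to the latest preceding red-team action within a time window, and reports which actions went undetected, the fastest detection latency per action, and which sources stayed silent for the whole engagement. All timestamps, hostnames and event summaries are constructed, and the attribution rule (nearest preceding action, one-hour window) is an assumption chosen for the example.

```python
"""Pre-report detection-gap analysis (added example; not from the deck).

Input 1: the red team's own activity log (what they did, when).
Input 2: defender telemetry pulled from the sources the deck lists.
Output:  per action, which sources saw it and how fast; plus sources that
         never fired at all during the engagement.
"""
from datetime import datetime

# Sources named on the Pre-report slides; the keys are this example's labels.
EXPECTED_SOURCES = ("ids", "system_logs", "firewalls", "access_controls",
                    "call_records", "web_traffic", "dns", "social_media")

# Constructed red-team activity log: (ISO timestamp, description, category).
RED_TEAM_LOG = [
    ("2013-09-27T09:05:00", "phishing email delivered to sales", "email"),
    ("2013-09-27T09:40:00", "reverse shell from sales workstation", "network"),
    ("2013-09-27T10:15:00", "domain admin on manufacturing host", "host"),
    ("2013-09-27T11:00:00", "sales ledger copied off-site", "egress"),
    ("2013-09-28T02:30:00", "dumpster retrieval at loading dock", "physical"),
]

# Constructed defender events: (ISO timestamp, source label, summary).
DEFENDER_EVENTS = [
    ("2013-09-27T09:41:10", "ids", "outbound session to uncategorised host"),
    ("2013-09-27T09:42:00", "dns", "lookup of a newly registered domain"),
    ("2013-09-27T10:16:30", "system_logs", "member added to Domain Admins"),
    ("2013-09-27T11:45:00", "web_traffic", "large upload to file-sharing site"),
]


def _ts(value):
    return datetime.fromisoformat(value)


def attribute_events(red_log, events, window_seconds=3600):
    """Attribute each defender event to the latest red-team action that
    precedes it, provided the event falls within window_seconds of it.
    Returns (actions sorted by time, {action_index: [(source, latency_s)]}).
    """
    actions = sorted(((_ts(t), desc, cat) for t, desc, cat in red_log))
    hits = {i: [] for i in range(len(actions))}
    for t, source, _summary in events:
        event_time = _ts(t)
        preceding = [i for i, a in enumerate(actions) if a[0] <= event_time]
        if not preceding:
            continue                      # noise before the engagement began
        i = preceding[-1]                 # latest action before this event
        latency = (event_time - actions[i][0]).total_seconds()
        if latency <= window_seconds:
            hits[i].append((source, latency))
    return actions, hits


def gap_report(red_log, events, window_seconds=3600):
    """Build the pre-report view: per-action detection and silent sources."""
    actions, hits = attribute_events(red_log, events, window_seconds)
    rows = []
    for i, (when, desc, cat) in enumerate(actions):
        sources = sorted({src for src, _ in hits[i]})
        fastest = min((lat for _, lat in hits[i]), default=None)
        rows.append({"when": when.isoformat(), "action": desc, "category": cat,
                     "detected_by": sources, "latency_s": fastest})
    fired = {src for _, src, _ in events}
    silent = [src for src in EXPECTED_SOURCES if src not in fired]
    return {"actions": rows, "silent_sources": silent}


def undetected_actions(report):
    """Actions no source caught within the window: the gap list for the report."""
    return [row["action"] for row in report["actions"] if not row["detected_by"]]


if __name__ == "__main__":
    report = gap_report(RED_TEAM_LOG, DEFENDER_EVENTS)
    for row in report["actions"]:
        seen = ", ".join(row["detected_by"]) or "NOT DETECTED"
        lat = "" if row["latency_s"] is None else f" ({row['latency_s']:.0f}s)"
        print(f"{row['when']}  {row['action']:<40} {seen}{lat}")
    print("silent sources:", ", ".join(report["silent_sources"]))
    print("undetected actions:", undetected_actions(report))
```

On the constructed data the phishing delivery and the physical dumpster retrieval are caught by nothing, and four of the eight sources never produce an event at all; both findings feed the gap step directly. Shrinking the window (for example to ten minutes) turns the slow web-traffic detection of the ledger copy into a miss, which is the kind of latency question the pre-report discussion should settle before the numbers go into the report.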
  74. Gap
  75-83. Example 1: Dumpster Diving Olympics. Personnel training, Process changes, Technical controls, Change management, R&D practices, 3rd party sw security, Physical security routines (one item added per slide)
  85. Fix
  86. Example 2: Incident Response from Hell
      Process: Incident response kicks in on any malware with a signature from the past week, or with a generic/heuristic detection. In the meantime, malware (APT!?) is left to run (actually ok...)
      Problem: A high number of incidents in a short time can create a queue. The queue is predictable if IR analysis consists of C&C traffic as well :-) The queue can be exploited...
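The process failure on the slide above is a triage queue that anything carrying a week-old signature can fill, so the fix belongs in the triage policy rather than in the detections. The following Python simulation is an added example and is not from the deck: it constructs a burst of thirty commodity signature alerts plus one heuristic alert on a production host, runs a single-analyst queue under first-come-first-served and under an asset-weighted priority policy, and reports how long the production-host alert waits under each. Hostnames, asset tiers, the 20-minute handling time per incident and the shape of the burst are all constructed assumptions.

```python
"""IR triage queue: first-come-first-served vs. asset-weighted priority
(added example; not from the deck).

A process that opens an incident for every signature or heuristic hit lets
a burst of commodity alerts build a predictable queue. This single-analyst
simulation measures how long one critical alert sits in that queue under
two triage policies.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    host: str
    arrival_min: int      # minutes since the start of the burst
    detection: str        # "signature" or "heuristic"
    asset_tier: int       # 1 = production / crown jewels ... 3 = commodity workstation


def build_burst():
    """Constructed alert burst: 30 commodity signature hits, one per minute,
    plus one heuristic alert on a production host arriving at minute 10."""
    alerts = [Alert(f"ws-{n:02d}", n, "signature", 3) for n in range(30)]
    alerts.append(Alert("mfg-ctrl-01", 10, "heuristic", 1))
    return alerts


def fifo_key(alert):
    """Policy from the slide: whoever arrived first is handled first."""
    return (alert.arrival_min,)


def priority_key(alert):
    """Remediation policy: asset tier first, heuristic (unknown) hits before
    known-signature hits, arrival time only as a tie-breaker."""
    return (alert.asset_tier, 0 if alert.detection == "heuristic" else 1,
            alert.arrival_min)


def simulate(alerts, key, handle_min=20):
    """Single-analyst discrete-time simulation. Returns {host: wait_min},
    the minutes each alert sat in the queue before an analyst picked it up."""
    pending = sorted(enumerate(alerts),
                     key=lambda ia: (ia[1].arrival_min, ia[0]))
    queue, waits, now = [], {}, 0
    while pending or queue:
        if not queue:
            now = max(now, pending[0][1].arrival_min)   # idle until next arrival
        while pending and pending[0][1].arrival_min <= now:
            queue.append(pending.pop(0))
        # Pick the best alert among those that have actually arrived; the
        # original index breaks ties so the choice is deterministic.
        idx, alert = min(queue, key=lambda ia: key(ia[1]) + (ia[0],))
        queue.remove((idx, alert))
        waits[alert.host] = now - alert.arrival_min
        now += handle_min                                # analyst busy on it
    return waits


def critical_wait(policy_key):
    """Minutes the production-host alert waits under the given policy."""
    return simulate(build_burst(), policy_key)["mfg-ctrl-01"]


if __name__ == "__main__":
    print("FIFO triage:     critical alert waited", critical_wait(fifo_key), "min")
    print("Priority triage: critical alert waited", critical_wait(priority_key), "min")
```

With one analyst and 20 minutes per incident, the production-host alert waits 210 minutes under first-come-first-served but only 10 minutes under the priority policy; the commodity alerts absorb the delay instead. The total work is identical, so the change costs nothing in throughput, and because the order now depends on asset tier rather than arrival time, the queue stops being something an outside party can pace by volume alone.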
  87-93. Example 3: Eager Sales
      Organization is a security contractor (build big guns).
      R&D, production, testing, management, sales, all in the same location (HQ).
      Sales are global, controlled from HQ.
      Extreme perimeter security, high-end physical security.
      Sales... few targeted emails, reverse shell home. Network is done. DA on production machines (mfg.), sales ledgers, major diplomatic incident potential...
      Process breakdown from physical security (USB drops), through separation of duties, network segmentation, egress data management.
  94. Agenda (full list, as on slide 13)
  95-97. map, identify, recruit, target, assemble, scope, monitor, execute, pre-report, gap, fix: RED TEAM READINESS
  98. This isn’t rocket science
  99. It’s not about who’s got the biggest one...
  100-104. It’s about challenging an organization to improve its effectiveness: yourself, your peers, your assumptions, ...
  105-108. There is no certificate at the end :-( no CPEs, no medals. Just hard work :-)
  109. And a better ROI than any other test/engagement the organization has ever gone through before
  110. until the next red team...
  111-112. Questions? Discussion!
  113. Thank You! Ian Amit, @iiamit, ian.amit@ioactive.com