Seeing Red In Your Future?

Derbycon 2013 - Seeing Red in Your Future?
This talk is designed to complement the “Fifty Shades of Red” talk tomorrow, and to provide context for organizations that are either thinking about engaging in a red team test, or have been doing red teaming and want to get more value out of it. In this talk we’ll cover some of the basic elements of what red teaming is, and specifically how it benefits an organization that engages in such a practice. Red teaming by itself is a high-interaction test. Unlike many other tests (namely penetration testing, compliance engagements, vulnerability assessments and other IT-related practices), a red team is not limited to the technical scope of the organization’s security infrastructure. As such, it is imperative to extract as much value out of a red team engagement as possible, and to see a return on that investment in as many different areas of the organization as possible. Based on years of experience in conducting red team tests, training, and helping organizations improve their security through red teaming, these insights will be applicable to everyone who is seeing red in their future (and you all should, in order to really address security in an organization that has people working in it and not just machines).


Seeing Red In Your Future?

  1. Seeing red in your future? Ian Amit, Director of Services, IOActive
  2. Hello
  3. whoami? $ id uid=501(iamit) gid=20(ioactive) groups=12(hack),33(research),61(dev),79(red_team),80(sexy_defense),81(exil),98(idf),100(dc9723),204(/dev/null)
  4. So, you think you can red team...
  5. As in get your organization a proper red team assessment
  6. First things first. What is a “Red Team Test”?
  7. !pentest
  8. !social_engineering
  9. “A red team is an independent group that challenges an organization to improve its effectiveness” (Wikipedia)
  10. But wait! What about security?
  11. Right... that’s part of the deal... Security is PART of running an organization!
  12. So how do we go about it?
  13. Agenda: Preparing for a red team (map); Locate business critical assets (identify); Getting buy-in (recruit); Defining goals (target); Finding a team (assemble); Define scenarios and RoE (scope); Establish white/blue team (monitor); Hang on tight (execute); Analyze (pre-report); Identify areas of improvement (gap); Create plan for remediation (fix)
  14. Map
  15. Map: CISO, CIO, CFO, CRO, Compliance, Audit, General Counsel
  17-20. Identify
  22. Recruit: Audit
  23. Recruit: Six Sigma
  25. Target
  26-34. How do I look from the outside? Legal, Research & Development, Procurement, Information Sources, Supply Chain, Human Resources, Sales, Financials
  36. Assemble
  37. Skillz!
  38-44. Electronic, Social, Physical
  46. Scope
  47-55. Threat model: Assets, Processes, Controls, People, Technology, Location, Culture, Adversaries
  57. Monitor
  59-60. Execute
  61. Can you hear me now? Yes. Whazzzzzzup? Whazzzzzzzzzzuuuuuppp? What are you wearing? Hello? Still there?
  62. Stay in control of the escalation processes...
  64. Pre-report
  65-72. IDS, System Logs, Firewalls, Access controls, Call records, Web traffic, DNS, Social Media
  74. Gap
  75-83. Example 1: Dumpster Diving Olympics • Personnel training • Process changes • Technical controls • Change management • R&D practices • 3rd party sw security • Physical security routines
  85. Fix
  86. Example 2: Incident Response from Hell. Process: Incident response kicks in on any malware with a signature from the past week, or with a generic/heuristic detection. In the meantime, malware (APT!?) is left to run (actually ok...). Problem: A high number of incidents in a short time can create a queue. The queue is predictable if IR analysis consists of C&C traffic as well :-) The queue can be exploited...
  87-93. Example 3: Eager Sales. Organization is a security contractor (builds big guns). R&D, production, testing, management, sales, all in the same location (HQ). Sales are global, controlled from HQ. Extreme perimeter security, high-end physical security. Sales... a few targeted emails, reverse shell home. Network is done. DA on production machines (mfg.), sales ledgers, major diplomatic incident potential... Process breakdown from physical security (USB drops), through separation of duties, network segmentation, egress data management.
  95-97. map, identify, recruit, target, assemble, scope, monitor, execute, pre-report, gap, fix: RED TEAM READINESS
  98. This isn’t rocket science
  99. It’s not about who’s got the biggest one...
  100-104. It’s about challenging an organization to improve its effectiveness: yourself, your peers, your assumptions, ...
  105-108. There is no certificate at the end :-( no CPEs, no medals. Just hard work :-)
  109. And a better ROI than any other test/engagement the organization has ever gone through before
  110. until the next red team...
  111-112. Questions? Discussion!
  113. Thank You! Ian Amit @iiamit ian.amit@ioactive.com
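The pre-report slides (65-72) list the telemetry the white/blue team should pull after execution, and the gap slides turn that into areas of improvement. The step in between, lining the red team's own timeline up against what each source actually recorded, is what makes the gap discussion evidence-based. The script below is an added example, not code from the talk or from IOActive: it takes a constructed red team timeline and constructed exports from a subset of the listed sources (DNS, firewall, IDS, access control, web traffic, system logs), matches events to actions by subject and time, and produces a coverage view showing which actions no source saw and which sources never fired. The 15-minute matching window and all hostnames and messages are assumptions for the sample.

```python
"""Pre-report correlation of a red team timeline against defensive telemetry.

Added example for the "pre-report" step, not code from the talk. All
timestamps, hostnames and event texts below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed red team timeline: (time, action id, subject the action touched)
RED_TEAM_LOG = [
    ("2013-09-27 09:02", "phish-sent", "sales-pc-17"),
    ("2013-09-27 09:41", "reverse-shell", "sales-pc-17"),
    ("2013-09-27 10:15", "badge-tailgate", "lobby-door-2"),
    ("2013-09-27 11:30", "usb-drop", "mfg-ws-04"),
    ("2013-09-27 13:05", "data-exfil", "sales-pc-17"),
]

# Constructed exports from the sources the slides list: (source, time, subject, message)
TELEMETRY = [
    ("dns", "2013-09-27 09:43", "sales-pc-17", "query for never-seen domain"),
    ("firewall", "2013-09-27 09:44", "sales-pc-17", "outbound 443 to new ASN allowed"),
    ("ids", "2013-09-27 09:44", "sales-pc-17", "possible beaconing pattern"),
    ("access-control", "2013-09-27 10:15", "lobby-door-2", "door held open 40s"),
    ("web-proxy", "2013-09-27 13:06", "sales-pc-17", "large upload to file-sharing site"),
    ("syslog", "2013-09-27 14:00", "hr-srv-01", "scheduled backup complete"),
]

# How long after an action a telemetry event still counts as "seeing" it (assumption)
WINDOW = timedelta(minutes=15)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def correlate(red_log, telemetry, window=WINDOW):
    """Return {action_id: [(source, lag_minutes, message), ...]}.

    A telemetry event matches an action when it names the same subject and
    fired between the action time and action time + window."""
    hits = {}
    for when, action, subject in red_log:
        t0 = _ts(when)
        matched = []
        for source, ev_when, ev_subject, msg in telemetry:
            t1 = _ts(ev_when)
            if ev_subject == subject and t0 <= t1 <= t0 + window:
                lag = int((t1 - t0).total_seconds() // 60)
                matched.append((source, lag, msg))
        # earliest detection first; source name breaks ties so output is stable
        hits[action] = sorted(matched, key=lambda m: (m[1], m[0]))
    return hits


def gap_report(red_log, telemetry, window=WINDOW):
    """Coverage view for the gap discussion: per-action matches, the actions
    nothing saw, and how many actions each source caught (including zeros)."""
    hits = correlate(red_log, telemetry, window)
    source_hits = {src: 0 for src in sorted({ev[0] for ev in telemetry})}
    for matched in hits.values():
        for source, _, _ in matched:
            source_hits[source] += 1
    undetected = [action for _, action, _ in red_log if not hits[action]]
    return {"actions": hits, "undetected": undetected, "source_hits": source_hits}


def format_report(report):
    """Plain-text table suitable for pasting into the pre-report notes."""
    lines = []
    for action, matched in report["actions"].items():
        if matched:
            seen = ", ".join(f"{src} (+{lag} min)" for src, lag, _ in matched)
        else:
            seen = "NOT SEEN BY ANY SOURCE"
        lines.append(f"{action:<16} {seen}")
    lines.append("")
    lines.append("source hits: " + ", ".join(f"{s}={n}" for s, n in report["source_hits"].items()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(gap_report(RED_TEAM_LOG, TELEMETRY)))
```

On the sample data the phishing email and the USB drop leave no trace in any source, the reverse shell is caught by three sources within minutes, and syslog never fires for anything the team did; those three observations map directly onto the training, technical-control and logging items in the gap slides. Matching on subject plus a time window is deliberately simple: in a real engagement the subject for a phone-based pretext would be a call-record number and for a social media step a handle, so the timeline should record whatever identifier the corresponding source logs.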
