This document introduces Red Team Framework, a new approach to security testing created by Adrian Sanabria and Joe Gray. It summarizes some of the perceived flaws in traditional pen testing and proposes alternatives focused on emulating realistic adversaries. Key aspects of Red Team Framework include scoping engagements based on identified threat models, establishing security baselines, iterative execution and measurement of outcomes, and involvement of purple teams to improve defenses. The document also provides information on upcoming speaking engagements and training from Adrian and Joe on related topics like OSINT and recon tools.
2. About Adrian
• Defender - 9 years (Financial Services)
• Consultant - 5 years (Pen Testing, PCI)
• Industry Analyst - 4 years (451 Research)
• Research, Vendor Strategy - 2 years (Savage Security, Threatcare, NopSec, Thinkst)
• @sawaba
3. About Joe
• Senior Security Architect
• 2017 DerbyCon Social Engineering Capture the Flag (SECTF) winner
• On 3rd Place Team at 2018 & 2019 NOLACon OSINT CTF (Password Inspection Agency)
• On 2nd Place Team at 2019 BSides OSINT CTF (Password Inspection Agency)
• Served in the US Navy, Navigating Submarines
• CISSP-ISSMP, GSNA, GCIH, OSWP
• Forbes Contributor
• Currently Authoring Social Engineering and OSINT Book, Securing the Human Element with No Starch Press
• Maintained blog and podcast at https://advancedpersistentsecurity.net
• Just started offering OSINT training (OSINTion; formerly OSINT Associates)
4. Why Create a New Framework?
What do these words mean to you?
Red Team
Purple Team
Pen Testing
Vuln Assessment
WebApp Assessment
5. What’s wrong with pen testing/red teaming?
● The design is flawed and can’t fulfill expectations
○ Not an indicator of an organization’s risk
○ Doesn’t simulate adversaries
○ Tries to prove/disprove a persistent negative
● The execution is inefficient; lots of room for improvement
○ Consulting industry ‘cash cow’ – why change?
○ Lack of automation; process improvement; feedback loops
○ Better alternatives are sold as ‘advanced’, to more mature orgs
● It isn’t what clients need to improve
6. Pen Test vs Red Team Engagement
Pen Test
• Pwnage based
• Largely for compliance
• Incorrectly helps management sleep better (digital melatonin)
Red Team
• Objective based
• Emulates a specific actor or TTP
• Seeks to measure various metrics that actually matter (penetration capability, detection, etc.)
11. Myth #5
Black box testing is the most comprehensive method of applied security testing
12. Red Teaming Process
Scoping → ID the Threat Model → Baseline Security → Rescoping → Learning → Execution → Measurement → Debriefing → Retesting → Purple Team
13. Scoping
• Define the objective(s)
• Define success
• Scope the following:
• Time
• Money
• Number of systems
• Rules of Engagement
• IOCs/TTPs to utilize
14. Identification of Threat Model
• Based on several variables
• Client base
• Geographic Location
• Line of business
• Government affiliations
• Sector/Industry
15. Baseline Security Model
• Are you tall enough to ride the proverbial ride?
• Frameworks like Centre for Internet Security Critical Security Controls
• Minimum of the Top 5
• Vulnerability Management
• Previous Testing
• DFIR/Monitoring Capabilities?
• NIST SP 800-53
16. Rescoping
• Refine the objective(s)
• Focus the scope on the following:
• Time (time frame and allocated hours to complete)
• Money
• Refine Number of systems (likely a lower number than in scoping)
• Rules of Engagement
• Social Engineering, Web, Exploit Development
• IOCs/TTPs to utilize
• Potentially solicit input from an ISAC
17. Learning
• “Simulated Dwell Time”
• Access to and/or data from:
• SIEM
• Previous Reports
• PCAPs, Netflow, other monitoring tools
• Diagrams
• Configurations
• Interviews
19. Measurement
• I see you, do you see me?
• Data points:
• Time to detect
• Quality of report
• Accuracy of the report
• Actions taken
• Efficacy of actions taken
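Putting numbers on these data points means lining the operator's own activity log up against what the defenders actually filed. The script below is an added example and is not part of the original deck: the red-team log and the defender ticket export are constructed, and the host names, action ids and the 24-hour matching window are assumptions for illustration. It computes time to detect per action, whether the report described the right activity, which response was taken, and which reports could not be attributed to any red-team action at all.

```python
"""Score a red-team engagement against the defenders' reports.

Added example, not from the original deck. The operator log and the
defender ticket export below are constructed; host names, action ids and
the 24-hour matching window are assumptions for illustration.
"""
from datetime import datetime
from statistics import median

# Constructed red-team operator log: (timestamp, action id, target host, technique)
RED_TEAM_LOG = [
    ("2019-08-05T09:02:00", "RT-01", "ws-0117", "phishing payload executed"),
    ("2019-08-05T09:40:00", "RT-02", "ws-0117", "credential dumping"),
    ("2019-08-05T11:15:00", "RT-03", "srv-fs01", "lateral movement over SMB"),
    ("2019-08-05T13:30:00", "RT-04", "srv-db02", "data staging"),
]

# Constructed defender ticket export: (timestamp, host named, technique claimed, action taken)
BLUE_TEAM_REPORTS = [
    ("2019-08-05T09:25:00", "ws-0117", "phishing payload executed", "ticket opened"),
    ("2019-08-05T12:05:00", "srv-fs02", "lateral movement over SMB", "host isolated"),  # wrong host named
    ("2019-08-05T14:10:00", "srv-db02", "data exfiltration", "account disabled"),     # misread the activity
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def correlate(red_log, blue_reports, window_hours=24):
    """Match each red-team action to the first unused defender report that
    names the same host and was filed after the action, within the window.

    Returns (results, unmatched): one dict per action in operator-log order,
    plus the reports that could not be tied to any action (e.g. wrong host).
    """
    reports = [dict(ts=_ts(t), host=h, technique=tech, response=resp, used=False)
               for t, h, tech, resp in blue_reports]
    reports.sort(key=lambda r: r["ts"])
    results = []
    for t, action_id, host, technique in red_log:
        when = _ts(t)
        hit = None
        for r in reports:
            if r["used"] or r["host"] != host or r["ts"] < when:
                continue
            if (r["ts"] - when).total_seconds() > window_hours * 3600:
                break  # reports are time-sorted, so nothing later fits either
            hit = r
            r["used"] = True
            break
        results.append({
            "action": action_id,
            "technique": technique,
            "detected": hit is not None,
            # time to detect, in minutes, from the operator's timestamp to the report
            "ttd_minutes": None if hit is None else (hit["ts"] - when).total_seconds() / 60,
            # accuracy: did the report describe what the red team actually did?
            "accurate": hit is not None and hit["technique"] == technique,
            "response": None if hit is None else hit["response"],
        })
    unmatched = [r for r in reports if not r["used"]]
    return results, unmatched


def summarize(results, unmatched):
    """Roll the per-action results up into the engagement-level numbers."""
    detected = [r for r in results if r["detected"]]
    return {
        "actions": len(results),
        "detected": len(detected),
        "detection_rate": len(detected) / len(results) if results else 0.0,
        "median_ttd_minutes": median(r["ttd_minutes"] for r in detected) if detected else None,
        "accurate_reports": sum(1 for r in detected if r["accurate"]),
        "unattributed_reports": len(unmatched),  # reports the red team could not claim
    }


if __name__ == "__main__":
    results, unmatched = correlate(RED_TEAM_LOG, BLUE_TEAM_REPORTS)
    for r in results:
        status = "MISSED" if not r["detected"] else f"{r['ttd_minutes']:.0f} min"
        print(f"{r['action']:6} {r['technique']:28} {status:8} "
              f"accurate={r['accurate']} response={r['response']}")
    for r in unmatched:
        print(f"unattributed report: {r['host']} {r['technique']!r} ({r['response']})")
    print(summarize(results, unmatched))
```

On the constructed data this yields two detections out of four actions, a median time to detect of 31.5 minutes, one accurate report, and one report that named a neighbouring host and so could not be claimed. Each of those is a debrief item in its own right: the credential dumping with no ticket is the "do you see me?" gap, the srv-fs02 ticket is a report-accuracy problem (the isolation hit the wrong box), and the "data exfiltration" label on the staging activity is a quality-of-report finding even though the response was timely.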
22. Purple Teaming
• Similar to retesting, but the adversary is in the room/in communication with the defensive team
• Lets the adversary pause for detection attempts or announce actions so detections can be taught
• More efficient than turning the noise up, Thunderstrucking, or Rick Rolling
23. Supporting Frameworks
● Pen Test Execution Standard
○ http://www.pentest-standard.org/index.php/Main_Page
● Social Engineering Framework
○ https://www.social-engineer.org/framework/general-discussion/
● Mitre ATT&CK
○ https://attack.mitre.org/
● NIST SP 800-115 (Technical Guide to Information Security Testing
and Assessment)
○ https://csrc.nist.gov/publications/detail/sp/800-115/final
● More here:
https://www.owasp.org/index.php/Penetration_testing_methodologies#Technical_Guide_to_Information_Security_Testing_and_Assessment_.28NIST800-115.29
26. Upcoming OSINT Training Opportunities
•In-Person
•All with details TBD (unless otherwise noted):
• Louisville (around the time of DerbyCon)
• Atlanta (around the time of HackerHalted)
• Maybe Dallas, Philadelphia, and Boston in 2019
•Online:
• More upcoming, watch Twitter and LinkedIn
27. Hacker Halted 2019
• October 10-11
• Atlanta, GA USA
• Free Admission
• Coupon Code: Joe100
or https://hackerhalted2019.eventbrite.com?discount=Joe100
• Discount on Training
• Coupon Code: JJHHTRN (15% off training)
• Register at: - https://hackerhalted2019.eventbrite.com
28. Recon-ng Training
• August 29
• 6-8 PM (Eastern Time)
• Coupon Code: 13BSIDESLV37
• August 31
• 1-3 PM (Eastern Time)
• Coupon Code: 13BSIDESLV37
• Register for either here:
• https://bit.ly/2YVqyJu