
Red Teaming and the Supply Chain

A presentation given at a customer internal workshop around challenges we face and the value of red teaming in the supply chain.


  1. Red Teaming and the Supply Chain .. proportional red teaming assessments of the supply chain. NCC Group Security Assurance Europe
  2. But first… "We may be at the point of diminishing returns by trying to buy down vulnerability" "maybe it’s time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can ‘self-heal’ or ‘self-limit’ the damages inflicted upon them" Gen. Michael Hayden (USAF-Ret.), ex NSA and CIA head, February 2012
  3. Today’s common approach to cyber • Governance & compliance • Risk strategy and management • Education • Technical discovery, measurement and validation • Management • Technical counter measures • Security operations • Response
  4. Today’s common problems with cyber • We have data … we struggle to get information • We have risk models … we struggle with accuracy • We have technical counter measures … we have people • We have finite resource!
  5. Today’s breach reality involving humans
  6. Today’s breach reality involving humans. 2015 Information Security Breaches Survey https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/432413/bis-15-303_information_security_breaches_survey_2015-executive-eummary.pdf
  7. CBEST & STAR = Red Teaming. Red Teaming = end-to-end assessment involving people, processes and technology plus the interactions
  8. Security Testing Coverage & Depth
  9. Red Teaming: Why? USB stick drops near physical offices or via post
  10. Red Teaming: Why? Simple credential phishing
  11. Red Teaming: Why? Simple Microsoft Office macros, which need user interaction
  12. Red Teaming: Why? Exploits against common desktop apps via e-mail attachments or links
  13. Red Teaming: Why? Browser exploitation via second-party websites
  14. Red Teaming: Why? Hardware, software and services supply chains
  15. Red Teaming & Defense: Reality… We often only need one control failure or mistake to gain an internal foothold .. then we are an insider! ..
  16. Red Teaming: Provides Insight • Is education / security culture effective? • Are the technical counter measures working? • Can your security operations detect? • How does your incident response work in reality? • Are the risk models accurate? .. proportional to attacker profile/capabilities
  17. Supply Chains..
  18. Red Teaming: Supply Chain Insight • Are they as capable as they say they are? • Are they doing what they say they are? • Is my exposure what I expect it to be? • Can I detect misuse? … plus the other insights
  19. Today’s Cyber Risk Reality • We often look at ‘things’ in isolation • We rarely consider subtle interplays or interconnects • Supply chains work due to pooled aggregated effort • Real-world cyber security is more nuanced than our models reflect … it’s hard ...
  20. Our Most Mature Clients’ Concerns.. Confidence they are getting information from their data .. thus not being able to feed their risk models .. thus not understanding their true exposure .. thus not having confidence in their ability to detect .. thus wavering on their ability to respond .. thus concern risk/exposure/liability is excessive .. thus poor ROI from current spend
  21. .. Red teaming is a real-world end-to-end assessment with scaled representative threat attacker capabilities. Red teaming the supply chain can be the next step on the maturity model for some organizations. NCC Group continues to invest heavily to facilitate: • Threat/Open Source Intelligence – ex police and government team • Piranha – phishing platform • Hive – command and control • EDG – exploit development group and implant development
  22. Closing Thoughts.. 2015 Information Security Breaches Survey https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/432413/bis-15-303_information_security_breaches_survey_2015-executive-eummary.pdf
  23. Thanks! Questions? • Europe: Manchester (Head Office), Cheltenham, Edinburgh, Leatherhead, London, Milton Keynes, Amsterdam, Copenhagen, Munich, Zurich • North America: Atlanta, Austin, Chicago, Mountain View, New York, San Francisco, Seattle • Australia: Sydney • Blog: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/ • Twitter: @NCCGroupInfoSec • Ollie Whitehouse, ollie.whitehouse@nccgroup.trust
