Our Red Teaming expert Hugo van den Toorn explains the key elements of a red team operation, what companies can expect from the assessment and how to benefit from the ‘moment of truth’.
3. Never bring a knife to a gunfight
The Untouchables (1987), Paramount Pictures
4. The world ain't all sunshine and rainbows
Rocky (1976), Chartoff-Winkler Productions
5. Experience
Red teaming: Going beyond pen testing
• 6 years of Information Security experience.
• OP24’s Offensive Security team Ghost Labs.
• Specializes in Social Engineering and OSINT:
• Phishing
• Physical penetration testing
• Intelligence Gathering
• Master of Science (MSc) - Information Studies.
• Bachelor of ICT (BICT) – IT Management.
• CISM & ISO27001 Foundation certified.
Hugo van den Toorn
Manager OffSec | Ethical Hacker | Red Teamer
6. “A bug is never just a mistake. It represents
something bigger. An error of thinking that makes
you who you are.”
- Elliot, Mr Robot
Reality of hacking
7. Security breaches last year
(figure) Patterns in the attack vectors used in the lead-up to incidents
Verizon Data Breach Investigations Report 2018
8. Security breaches last year
Web applications involved in breaches per industry
Verizon Data Breach Investigations Report 2018
9. What is a hacker?
Definition by Bruce Schneier (Secrets and Lies, 2000)
A hacker is someone who thinks outside the box. It's
someone who discards conventional wisdom, and does
something else instead. It's someone who looks at the
edge and wonders what's beyond. It's someone who sees
a set of rules and wonders what happens if you don't
follow them. A hacker is someone who experiments with
the limitations of systems for intellectual curiosity.
11. Hacking is never ‘just’ cyber
(figure) A triangle with the vertices Human, Physical and Cyber; each face of the target has its own attack vectors:
• Cyber: hackers, ransomware, malware, espionage
• Physical: alarm systems, access controls, camera systems, domotics/smart systems
• Human: phishing, social engineering, bribery/blackmail, disgruntlement
Red Teaming sits in the middle of the triangle: objective-based attack scenarios that combine all three faces, driven by Threat Intelligence (adversarial TTPs) and run against the Blue Team’s defences.
17. The goal here isn't 100% perfect security, but rather
adequate security at a reasonable cost.
- Bruce Schneier (Secrets and Lies, 2000)
Reality of life
18. There are known knowns: there are things we know we know.
We also know there are known unknowns; that is to say we know there are some
things we do not know.
But there are also unknown unknowns – the ones we don't know we don't know.
- Donald Rumsfeld, United States Secretary of Defense
Reality of life
20. Rear Admiral Harry E. Yarnell demonstrated in 1932 the effectiveness
of an attack on Pearl Harbor, almost exactly showing how the tactics of
the Japanese would destroy the fleet in the harbor nine years later.
Fleet Problem XIII
“It is doubtful if air attacks can be launched against Oahu in the face of
strong defensive aviation without subjecting the attacking carriers to
the danger of material damage and consequent great losses in the
attack air force.”
Reality of life
22. Reality of (Cyber) Security
• Attacks are becoming more sophisticated and attack surfaces grow.
• Compliance is driving security requirements as breaches increase.
• ‘Unknown unknowns’ are a concern, but difficult to identify.
• Attackers will not limit themselves to the ‘cyber’ elements of the target.
Vulnerability management & pen testing is just the beginning.
24. Let's play a game!
Settlers of Catan game, Dailydot.com
25. The organization as a game board
(figure) The Crown Jewels sit in the centre of the board, surrounded by the assets an attacker can move through: Staff, Data Center, Branches & Stores, Network, Computers, Office Building, Ext. Staff, Phone, Wi-Fi, Web App, Peripherals, ‘The Cloud’.
26. The world ain't all sunshine and rainbows
Rocky (1976), Chartoff-Winkler Productions
27. 100% security?
• Secure development
• Web application testing
• Responsible disclosure
• Updates
• Vulnerability scanning
• Preventing physical access
• People are always the weakest link (there are no patches for them)
• Security awareness training
• Get missing knowledge
(figure) The measures stacked on each other: Policies, Patching, Pentest, Config Review, Awareness, Vulnerability Management and, on top, Red Teaming (testing assumptions).
33. Mapping tests and defences onto the game board
(figure) The same board as before: Crown Jewels, Staff, Data Center, Branches & Stores, Network, Computers, Office Building, Ext. Staff, Phone, Wi-Fi, Web App, Peripherals, ‘The Cloud’.
Offensive assessments, each covering only part of the board: Physical Pentest, Social Engineering, Phishing, Wi-Fi Test, Web App Pentest, Vishing/Smishing, Network Exploitation, Cloud Assessment, Config Review, Vulnerability Management.
Defensive measures placed against them: Threat Hunting, Security Awareness, Physical Security, IDS/IPS, Secure Development, Endpoint Security, Threat Intel.
35. How do we become more secure?
• How to take security to the next level?
• Value of paper-based compliance?
• Can we identify unknown unknowns?
• How secure are we really?
Red Teaming == Testing your assumptions
(figure) The organization’s security maturity level, plotted as security level against assumptions, based on the Community Cyber Security Maturity Model (CCSMM), http://cias.utsa.edu/the-ccsmm.html
Maturity levels, lowest to highest: Initial, Established, Self-Assessed, Integrated, Vanguard.
Practices at successive levels: Policies; Ad-hoc security awareness, vulnerability assessment; Security promotion, business continuity, penetration testing; Formal (security) processes, continuous testing; Security operations, monitoring, IR, red teaming.
36. Never bring a knife to a gunfight
The Untouchables (1987), Paramount Pictures
37. Legislation (to punish and/or aid us)
The EU-wide GDPR is a driver to perform more (in-depth) testing.
In addition to the impact of a potential breach, GDPR also means a fine can be imposed if insufficient security measures are taken. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). (EU GDPR, Article 83)
38. Legislation (to punish and/or aid us)
Sector-specific frameworks also prescribe threat-intelligence-led red teaming:
UK: CBEST (Bank of England)
NL: TIBER-NL (De Nederlandsche Bank, DNB)
EU: TIBER-EU (European Central Bank)
TIBER: Threat Intelligence-Based Ethical Red Teaming
“In collaboration with institutions comprising the Dutch financial
core payment infrastructure, DNB has prepared a guide for
further improvement of the sector's protection against
cyberattacks by means of red team testing.
(…)
Its purpose is to enhance our country's financial core
institutions' cyber resilience by learning from each other's best
practices.”
- Dnb.nl (16 November 2017)
39. How do we become more secure?
It is not necessarily about being secure or
compliant, but about:
• Being proactive;
• Being able to withstand and respond;
• Understanding your key risk areas;
• Knowing your risk appetite;
• Applying the right measures.
• “The goal here isn't 100% perfect security, but
rather adequate security at a reasonable cost.”
Secure yourself,
Protect your customers,
Be the best at what you do (securely),
Make the world a better place.
41. How do we become more secure?
Accept that:
• You might not like the results.
• You hire experts to help your organization.
• With growth comes pain.
• A Red Team will see you at your worst.
Secure yourself,
Protect your customers,
Be the best at what you do (securely),
Make the world a better place.