Our Red Teaming expert Hugo van den Toorn explains the key elements of a red team operations, what companies can expect from the assessment and how to benefit from the ‘moment of truth’

1. Improving your organisation’s security
24/04/2019
Red teaming: Going beyond pen testing

2. Kiwicon III Poster, kiwicon.org
Hackers don’t care

3. Never bring a knife to a gunfight
The Untouchables (1987), Paramount Pictures

4. The world ain't all sunshine and rainbows
Rocky (1976), Chartoff-Winkler Productions

5. Red teaming: Going beyond pen testing
5
Experience
• 6 years of Information Security experience.
• OP24’s Offensive Security team Ghost Labs.
• Specializes in Social Engineering and OSINT:
• Phishing
• Physical penetration testing
• Intelligence Gathering
• Masters of Science (MSc) - Information Studies.
• Bachelor of ICT (BICT) – IT Management.
• CISM & ISO27001 Foundation certified.
Hugo van den Toorn
Manager OffSec | Ethical Hacker | Red Teamer

6. “A bug is never just a mistake. It represents
something bigger. An error of thinking that makes
you who you are.”
- Elliot, Mr Robot
Reality of hacking

7. Security breaches last year
Red teaming: Going beyond pen testing
7
Patterns in used attack vectors leading up incidents
Verizon Data Breach Investigations Report 2018

8. Security breaches last year
Red teaming: Going beyond pen testing
8
Web applications involved in breaches per industry
Verizon Data Breach Investigations Report 2018

9. What is a hacker?
Red teaming: Going beyond pen testing
Definition by Bruce Schneier (Secrets and Lies, 2000)
A hacker is someone who thinks outside the box. It's
someone who discards conventional wisdom, and does
something else instead. It's someone who looks at the
edge and wonders what's beyond. It's someone who sees
a set of rules and wonders what happens if you don't
follow them. A hacker is someone who experiments with
the limitations of systems for intellectual curiosity.

10. Blackhat Grayhat Whitehat

11. Hacking is never ‘just’ cyber
Red teaming: Going beyond pen testing
Human
Physical Cyber

12. Hacking is never ‘just’ cyber
Red teaming: Going beyond pen testing
Human
Physical Cyber
Hackers
Ransomware
Malware
Espionage
Alarm systems
Access Controls
Camera systems
Domotics/smart systems
Phishing
Social engineering
Bribery/blackmail
Disgruntlement

13. Hacking is never ‘just’ cyber
Red teaming: Going beyond pen testing
Human
Physical Cyber
Red Teaming Objective based Attack scenarios

14. Hacking is never ‘just’ cyber
Red teaming: Going beyond pen testing
Human
Physical Cyber
Red Teaming Objective based Attack scenarios
Threat IntelligenceAdversarial TTPs Blue Team Defences

15. Understanding your adversary
Red teaming: Going beyond pen testing
Telling Showing Involving
Threat Intel SecOps Red vs Blue

16. Kiwicon III Poster, kiwicon.org
Hackers don’t care

17. The goal here isn't 100% perfect security, but rather
adequate security at a reasonable cost.
- Bruce Schneier (Secrets and Lies, 2000)
Reality of life

18. There are known knowns: there are things we know we know.
We also know there are known unknowns; that is to say we know there are some
things we do not know.
But there are also unknown unknowns – the ones we don't know we don't know.
- Donald Rumsfeld, United States Secretary of Defense
Reality of life

19. Reality of life
Unless you can predict the future…

20. Rear Admiral Harry E. Yarnell demonstrated in 1932 the effectiveness
of an attack on Pearl Harbor almost exactly showing how the tactics of
the Japanese would destroy the fleet in Harbor nine years later.
Reality of life

21. Rear Admiral Harry E. Yarnell demonstrated in 1932 the effectiveness
of an attack on Pearl Harbor almost exactly showing how the tactics of
the Japanese would destroy the fleet in Harbor nine years later.
Fleet Problem XIII
“It is doubtful if air attacks can be launched against Oahu in the face of
strong defensive aviation without subjecting the attacking carriers to
the danger of material damage and consequent great losses in the
attack air force.”
Reality of life

22. Reality of (Cyber) Security
Attacks are becoming
more sophisticated and
attack surfaces grow
Compliance is driving
security requirements as
breaches increase
‘Unknown unknowns’
are a concern, but
difficult to identify
Attackers will not limit
themselves to ‘cyber’
elements of the target

23. Reality of (Cyber) Security
Attacks are becoming
more sophisticated and
attack surfaces grow
Compliance is driving
security requirements as
breaches increase
‘Unknown unknowns’
are a concern, but
difficult to identify
Attackers will not limit
themselves to ‘cyber’
elements of the target
Vulnerability management & pen testing is just the beginning

24. Lets play a game!
Settlers of Catan game, Dailydot.com

25. Red teaming: Going beyond pen testing
Crown
Jewels
StaffData
Center
Branches
& Stores
Network Computers
Office
Building
Ext. Staff
PhoneWi-Fi
Web App
Peripherals‘The Cloud’

26. The world ain't all sunshine and rainbows
Rocky (1976), Chartoff-Winkler Productions

27. 100% security?
Red teaming: Going beyond pen testing
27
• Secure development
• Web application testing
• Responsible disclosure
• Updates
• Vulnerability Scanning
• Preventing physical access
• Always the weakest link (no patches)
• Security awareness training
• Get missing knowledge
VulnerabilityManagement
RedTeaming
Testing assumptions
PentestConfigReviewAwareness
PatchingPatching
Policies

28. 100% security?
Red teaming: Going beyond pen testing
28
• Secure development
• Web application testing
• Responsible disclosure
• Updates
• Vulnerability Scanning
• Preventing physical access
• Always the weakest link (no patches)
• Security awareness training
• Get missing knowledge
VulnerabilityManagement
RedTeaming
Testing assumptions
PentestConfigReviewAwareness
PatchingPatching
Policies

29. 100% security?
Red teaming: Going beyond pen testing
29
• Secure development
• Web application testing
• Responsible disclosure
• Updates
• Vulnerability Scanning
• Preventing physical access
• Always the weakest link (no patches)
• Security awareness training
• Get missing knowledge
VulnerabilityManagement
RedTeaming
Testing assumptions
PentestConfigReviewAwareness
PatchingPatching
Policies

30. 100% security?
Red teaming: Going beyond pen testing
30
• Secure development
• Web application testing
• Responsible disclosure
• Updates
• Vulnerability Scanning
• Preventing physical access
• Always the weakest link (no patches)
• Security awareness training
• Get missing knowledge
VulnerabilityManagement
RedTeaming
Testing assumptions
PentestConfigReviewAwareness
PatchingPatching
Policies

31. 100% security?
Red teaming: Going beyond pen testing
31
• Secure development
• Web application testing
• Responsible disclosure
• Updates
• Vulnerability Scanning
• Preventing physical access
• Always the weakest link (no patches)
• Security awareness training
• Get missing knowledge
VulnerabilityManagement
RedTeaming
Testing assumptions
PentestConfigReviewAwareness
PatchingPatching
Policies

32. Red teaming: Going beyond pen testing
Crown
Jewels
StaffData
Center
Branches
& Stores
Network Computers
Office
Building
Ext. Staff
PhoneWi-Fi
Web App
Peripherals‘The Cloud’

33. Red teaming: Going beyond pen testing
Crown
Jewels
StaffData
Center
Branches
& Stores
Network Computers
Office
Building
Ext. Staff
PhoneWi-Fi
Web App
Peripherals‘The Cloud’
Physical
Pentest
Social
Engineer.
Phishing
Wi-Fi
Test
WebApp
Pentest
Vishing/
Smishing
Network
Exploit.
Cloud
Assess.
Config
Review
Vuln.
Mgmt

34. Red teaming: Going beyond pen testing
Crown
Jewels
StaffData
Center
Branches
& Stores
Network Computers
Office
Building
Ext. Staff
PhoneWi-Fi
Web App
Peripherals‘The Cloud’
Physical
Pentest
Social
Engineer.
Phishing
Wi-Fi
Test
WebApp
Pentest
Vishing/
Smishing
Network
Exploit.
Cloud
Assess.
Config
Review
Vuln.
Mgmt
Threat
hunting
Security
Awareness
Physical
Security
IDS
IPS
Secure
Develop.
Endpoint
Security
Threat
Intel

35. How do we become more secure?
Red teaming: Going beyond pen testing
35
• How to take security to the next level?
• Value of paper based compliance?
• Can we identify unknown unknowns?
• How secure are we really?
Red Teaming == Testing your assumptions
Initial
Established
Self-Assessed
Integrated
Vanguard
Security level Assumptions
Based on Community Cyber Security Maturity Model (CCSMM)
http://cias.utsa.edu/the-ccsmm.html
Organization’s security maturity level
Security Operations, Monitoring, IR, Red Teaming
Policies
Ad-hoc Security Awareness, Vulnerability Assessment
Security promotion, Business continuity, Penetration testing
Formal (security) processes, Continuous testing

36. Never bring a knife to a gunfight
The Untouchables (1987), Paramount Pictures

37. Legislation (to punish and/or aid us)
Red teaming: Going beyond pen testing
EU wide GDPR is a driver to perform more (in-depth)
testing.
37
In addition to the impact of a potential breach, GDPR also
means a fine can be sanctioned if insufficient security
measures are taken. Organizations in breach of GDPR can be
fined up to 4% of annual global turnover or €20 million
(whichever is greater). (EU GDPR)

38. Legislation (to punish and/or aid us)
Red teaming: Going beyond pen testing
EU wide GDPR is a driver to perform more (in-depth)
testing.
UK: CBEST (Bank of England)
NL: TIBER (Dutch National Bank)
EU: TIBER (European Central Bank)
38
Threat Intelligence-Based Ethical Red Teaming
“In collaboration with institutions comprising the Dutch financial
core payment infrastructure, DNB has prepared a guide for
further improvement of the sector's protection against
cyberattacks by means of red team testing.
(…)
Its purpose is to enhance our country's financial core
institutions' cyber resilience by learning from each other's best
practices.”
- Dnb.nl (16 November 2017)

39. How do we become more secure?
Red teaming: Going beyond pen testing
39
It is not necessarily about being secure or
compliant, but about:
• Being proactive;
• Being able to withstand and respond;
• Understanding your key risk areas;
• Risk appetite;
• Applying the right measures.
• “The goal here isn't 100% perfect security, but
rather adequate security at a reasonable cost.”
Secure yourself,
Protect your customers,
Be the best at what you do (securely),
Make the world a better place.

40. How do we become more secure?
Red teaming: Going beyond pen testing
40
It is not necessarily about being secure or
compliant, but about:
• Being proactive;
• Being able to withstand and respond;
• Understanding your key risk areas;
• Risk appetite;
• Applying the right measures.
• “The goal here isn't 100% perfect security, but
rather adequate security at a reasonable cost.”
Secure yourself,
Protect your customers,
Be the best at what you do (securely),
Make the world a better place.

41. How do we become more secure?
Red teaming: Going beyond pen testing
41
Accept that:
• You might not like the results.
• You hire experts to help your organization.
• With growth comes pain.
• A Red Team will see you at your worst.
Secure yourself,
Protect your customers,
Be the best at what you do (securely),
Make the world a better place.

43. Hackers never bring sunshine and rainbows