Red Team program conference talk FS-ISAC 2019

1. Building an Effective Red Team Program
Saeid Atabaki
Abeer Banerjee
10 July 2019

2. 2
Saeid Atabaki, Red Team Lead
– Hacker and programmer since the age of 9
– 12+ years in the field
– Obtained major relevant certificates in industry
• CREST Infrastructure Tester (CCT-INF, CRT, CPSA)
• Offensive Security (OCEE, OSCE, OSCP)
• Certified Information Security Professional (CISSP)
• eLS Penetration Testing Extreme
• Pen-tester Academy Red Team Professional
• Certified product specialist of Citrix, McAfee, Carbon
Black, Fortinet, TrendMicro, Skybox, NetIQ, BalaBit
Introduction

3. 3
Introduction
Abeer Banerjee, Red Team Operator
– 9+ years in the industry
– CREST, Offensive Security, EC-Council certification
• Key focus on penetration testing and red teaming
projects
• SME in network, web and mobile security topics
• IT Security Consultant for clients in IT Services,
e-commerce, banking, finance, gaming,
insurance and automotive industry

4. 4
Overview
1. What is Red Teaming?
2. Red Teaming vs. Penetration Testing
3. Value of In-house Red Team vs. Third Party
4. Steps to Form an In-house Red Team
5. Red Team Program Development Pitfalls
6. Q&A

5. 1. What is Red Teaming?

6. 6
1. What is Red Teaming?
1. Originally a military term used for strategic decision-making
a) Attempting to predict the movements of an adversary by using
alternative analysis
b) Foreseeing what will happen in a particular scenario, and then creating
and simulating the worst case
2. Red Teams are highly skilled SME and
growing in popularity
a) Have become a strategy evaluation and
decision-making technique
b) Used by many different industries

7. 2. Red Teaming vs. Penetration Testing (RT vs. PT)

8. 8
2. Red Teaming vs. Penetration Testing
Main characteristics of PT
1. Primary objective is to identify as many
vulnerabilities as possible
2. Limited to asset-based technical
assessment
3. Made known to all the stakeholders
Technology
Process
People

9. 9
Main characteristics of RT
1. Primary objective is to enhance detect
and response capabilities
2. Goal-oriented adversary simulation
3. Covert, only selected senior executives
is aware of the exercise
Process
People
Technology
2. Red Teaming vs. Penetration Testing

10. 3. Value of In-house Red Team vs. Third Party

11. 11
In-house Third Party
Advantages
1. Sensitive information never leaves
the organisation
2. Knowledge of the internal systems
3. When not engaged in a project, the
team can help to deliver other
valuable outcomes
4. Cheaper than external
1. A fresh pair of eyes
Disadvantages
1. May be biased
2. Needs full-time human resource
management
1. The company needs to expose
sensitive information to the
third-party contractor
2. Needs to understand the inner
working of systems
3. Expensive
3. Value of In-house Red Team vs Third Party

12. 12
Organization Category Value Proposition
Small
Smaller company can benefit from periodical
penetration testing with clear scopes from an
external contractor. (E.g.10-49 employees)*
Medium
As the technical and/or operational landscape
becomes complex, demand for adversarial attack
simulation rises and eventually creates Red Team.
(E.g. 50 to 200 employees)*
Large
For large companies, in-house RT is a win-win
situation and the ROI is much better than using an
external contractor. (E.g. 200+ employees)*
3. In-house RT in Small, Medium and Large Companies
*Deduced based on https://www.skillsconnect.gov.sg

13. 4. Steps to Form an In-house Red Team

14. 14
Developing
Red Team
Strategy
Organizational
Structure and
Staffing
Creating
Procedure
Managing
Risk
Performance
Measurement
Value
Delivery
Journey Starts
Here
1
2
3
6
5
4
4. Steps to Form an In-house Red Team

15. 15
In today’s rapidly shifting technological environment, long-term
strategic planning requires frequent revision, especially for companies
that heavily depend on technology or are influenced by rapid changes in
the market.
Develop
Vision and
Mission
Statement
Describe the
Current
Security
Environment
Develop the
Strategic Plan
Develop
RedTeam
Capability
Road Map
Engage
Stakeholders
Stages of Strategy Development
1 2 3 4 5
4. Steps to Form an In-house Red Team –
Developing Red Team Strategy

16. 16
1. Determine what is the overall
organization structure at the executive
level
2. Determine where is the team’s reporting
line
3. Develop the team’s organizational
structure, and identify roles and
responsibilities
Structuring an in-house Red Team is always a challenge, due to risk
management constraints and general knowledge of senior executives,
especially during the initial stages.
4. Steps to Form an In-house Red Team –
Organization Structure and Staffing

17. 17
Managerial
”Dan Vasile (https://bit.ly/2Mlqj57)”
4. Steps to Form an In-house Red Team Organization Structure
CEO
CSO
CISO
Red Team
Lead
Red Team
Operator
Red Team
Operator
Red Team
Developer
Project
Manager /
Coordinator
Exercise
Control
Group
Red Team
Lead
Red Team
Operator
Red Team
Operator
Red Team
Developer
Project
Manager /
Coordinator
Projectized

18. 18
Exercise Control Group (ECG) – A group of selected
senior executives are independent risk management of red
team activities.
Red Team Lead – Technical SME, who oversees and
works on all projects, distributes workload, translates
business needs into technical details, establishes short
and mid-term goals.
Project Manager / Coordinator – The organizer who
keeps track and manages projects.
Red Team Operator – The technical expert or hacker, who
actually performs the Red Team tasks. This is an
exceptional individual delivering security services.
Red Team Developer – The full-stack developer and
hacker who actually support operators by designing and
coding specific hacking tools.
”Dan Vasile (https://bit.ly/2Mlqj57)”
4. Steps to form an In-house Red Team Organization Structure
Exercise
Control
Group (ECG)
Red Team
Lead
Red Team
Operator
Red Team
Operator
Red Team
Developer
Project
Manager /
Coordinator
Projectized

19. 19
Characteristics
1. Curiosity and Interaction with other members
2. Good communication skills
3. Willing to share knowledge
Knowledge Set
1. Good overall knowledge in all areas of IT, e.g., Programming, Operating Systems,
Networks, Databases, Web and Mobile
Red Team Certifications
1. CREST Certified Infrastructure Tester, Attack Specialist
2. Offensive Security Certified Expert / Exploitation Expert
3. eLearn Security Penetration Testing Extreme
4. Other Certifications - SANS GXPN, Pen-tester Academy Red Team Certifications
4. Steps to Form an In-house Red Team –
Qualifications

20. 20
In-house Red Team
Framework
iCAST
CBEST
TIBER-
EU
Policies and procedures are designed to
influence and determine all major decisions
and actions, and all activities take place
within the boundaries set by them.
In-house Red Team procedure hints
1. Read international guidelines for
adversary simulations
2. Localize them based on organizational
culture and structure
3. Develop an Operational Model
4. Steps to Form an In-house Red Team –
Creating Procedures & Operational Model

21. 21
Procedure
People
Technology
RedTeam
Blue
Team
Exercise
Control
Group
After
Action
Review
Attack
4. Steps to Form an In-house Red Team – Sample Operational
Model

22. 22
1. Given the criticality of the target systems, people
and processes, there will inherently be elements of
risk associated with an RT assessment
2. A full risk and control framework has therefore
been designed into the Industrial Guidelines (e.g.,
CBEST) process
3. Risks are reduced by advanced planning, a clear
definition of scope and predefined escalation
procedures
4. Steps to Form an In-house Red Team – Managing Risk
Risk
Framework

23. 23
1. Given the criticality of the target systems, people
and processes there will inherently be elements of
risk associated with a RT assessment.
2. A full risk and control framework has therefore
been designed into the Industrial Guidelines (E.g.
CBEST) process.
3. Risks are reduced by advanced planning, clear
definition of scope and predefined escalation
procedures.
Risk
Framework
4. Steps to Form an In-house Red Team – Managing Risk
1. Comparing actual results against expected results to find out any
differences, then understanding and documenting why this occurred
2. Looking for abnormalities in the implementation of the original plan
3. Reviewing previous cycles around the loop in order to spot any
trends
4. The Firm/FMI remains in control of the exercise and at any time can
order a temporary halt if concerns are raised over damage (or
potential damage) to a system

24. 24
Exercise Control Group, business continuity and
disaster recovery teams may be involved
Business Continuity and
Operational Risk
Legal liabilities and contractual obligations should be
reviewed, especially for critical crown-jewel functions
Legal/Regulatory Risk
Interviews, background-checks, working experience,
training/certification
Insufficient Expertise of the
Attackers
Foresight, attack path evaluation, impact analysis with
mitigation of above-mentioned risks to be considered
Reputational Risk
Data Loss Prevention (DLP) policies, real-time access
to exercise logs, 4-eyes principle
Data Risk
4. Steps to Form an In-house Red Team – Types of Risk

25. 25
Hardened
C2 servers
Hardened log
server
Exercise
Control
Group (ECG)
Red Team
machines*
One-way tamper
proof logs transfer Real-time
log access
On-premise
Red Team server*
On-premise ECG
log server*
One-way tamper
proof logs transfer
Internal testing lab
(Sandbox) Optional
on-premise
setup
Real-time
log access
* All organization-wide security controls applicable.
TLS/VPN with 2FA
TLS Encryption
Firewall
4. Steps to Form an In-house Red Team – Data Risk

26. 26
In every organization, metrics can help verify each team’s performance.
Measuring an in-house Red Team outcome requires thorough consideration.
Hints on KPI Setting and Measurement
1. Use a Breach Calculator to see how a data breach could cost your
company and use that to measure the Red Team outcome
2. Red Team success is tagged to the value they deliver which becomes
their KPI. A similar measurement can be considered for Blue Team
successes in prevention and recovery
4. Steps to Form an In-house Red Team –
Value Delivery & Performance Measurement

27. 27
Estimated loss based on 50,000 stolen records of a bank in Singapore2
INCIDENT INVESTIGATION
CUSTOMER NOTIFICATION /
CRISIS MANAGEMENT
REGULATORY FINES & PENALTIES
PCI
CLASS ACTION LAWSUIT
TOTAL COST
PER RECORD COST
$145,000
$112,250
$33,300
$750,000
$568,000
$1,608,550
$32
2https://eriskhub.com/mini-dbcc
4. Steps to Form an In-house Red Team –
Value Delivery & Performance Measurements

28. 28
1. FI-relevant researches done by Red Team
2. 0-day vulnerabilities discovered
3. Training and talks by the team
4. Long and short-term engagement objectives
Other relevant metrics to Red Teams are …
The quantity of:
4. Steps to Form an In-house Red Team –
Value Delivery & Performance Measurements

29. 5. Red Team Program Development Pitfalls

30. 30
Red Team program development is expected to encounter
some resistance such as -
1. Resistance to adoption of adversarial
simulation methodologies.
2. Audit oriented approach towards findings in
adversary simulation leading to excessive
defensive response.
3. A perception that Red Team might impact
organization daily operations.
4. Risk of intended or unintended sensitive
data disclosure by Red Team.
5. Red Team Program Development Pitfalls

31. Saeid Atabaki -@bytecod3r
Abeer Banerjee - @bugasur
Q&A
Thank You!