
Adversary simulation


sec.mn presentation on redteaming

Published in: Technology

  1. ADVERSARY SIMULATION – “RED CELL” APPROACHES TO IMPROVING SECURITY
  2. Talk Background
     • Introduction and overview of Red Teaming
     • Organizational challenges & opportunities
     • Red Teaming / Red Cell effectiveness
     • Meeting the defenders where they are at – adversary simulation
     • Emulating Tactics, Techniques and Procedures
     • Being the adversary
     • Resources
  3. $whoami
     • Chris Hernandez
     • Red Teamer
     • Former: Pentester, Vuln / Patch Mgmt, Sysadmin, Bug bounty hunter
     • IRC handle: piffd0s
     • Blog: Nopsled.ninja
     • @piffd0s
  4. Introduction to Red Teaming
     • What is “Red Teaming”?
     • Origins of “Red Team”
     • Examples of Red Teaming failures
     • Examples of Red Team successes
  5. What is Red Teaming?
     • An approach, a mindset and a set of tactics
     • Takes many forms: tabletop exercises, alternative analysis, computer models, and vulnerability probes
     • Critical thinking
     • A therapist…
  6. What are its origins?
     • Originated in 1960s military war-game exercises
     • The Red Team was meant to emulate the Soviet Union
     • 1963 – the first historical example was a red team exercise structured around procuring a long-range bomber
     • Most early examples are structured around determining the Soviet Union’s capabilities
  7. Red Team Failures: Operation Eagle Claw
     • Failed mission to rescue 52 diplomats held captive in the US Embassy in Tehran
     • Operation was “need to know”, not red teamed
     • Operation was initiated without enough planning and foresight into potential challenges / obstacles
  8. Unified Vision ’01 & Millennium Challenge ’02
     • Millennium Challenge ’02
       • Red Cell is highly restricted in its actions
       • Red Cell pre-emptively attacks the US Navy fleet with all of its air and sea resources, sinking 21 Navy vessels
       • White Cell “refloats” the sunken Navy vessels
     • Unified Vision ’01
       • White Cell informs Red Cell that Blue Team has destroyed all of their 21 hidden ballistic missile silos
       • The Blue Team commander never actually knew the location of any of the 21 silos
  9. Red Team Success Stories
     • New York Marathon, NYPD and New York Road Runners
       • Cover scenarios like: how do you identify tainted water sources; how to respond if drones show up in specific locations
       • The race can be diverted at any point
     • Israeli Defense Force – “Ipcha Mistabra”
       • “The opposite is most likely”
       • Small group in the intelligence branch
       • Briefs officials and leaders on opposite explanations for scenarios
  10. Organizational Challenges
     • Overcoming groupthink
     • Maintaining divergent thought
     • Remaining skeptical
     • Assimilation into culture
     • Communicating risk effectively
     • Metacognition
     • Leadership buy-in
     • “Gaming” the op
  11. Red Cell Effectiveness
     • Ex. 57th Adversary Tactics Group
       • Only highly skilled pilots are allowed to become “aggressors”
       • Allowed only to use known adversary tactics and techniques, depending on who they are emulating
     • The same should apply to all red teams
     • Adversary emulation is key to realistic simulations
  12. Red Cell Effectiveness
     • Effective adversary emulation can mean being a “worse” threat actor
     • Tests the defenders’ “post-compromise” security posture, aka the “assumed breach model”
     • Starting post-compromise / from a foothold can also save valuable time and money
  13. Adversary Skill and Detection Model (chart: adversary skill 0–6 against detection difficulty; stages Ignorance, Detection, Proactive, Pre-emptive; actor tiers Script Kiddie, Criminal(s), APT)
  14. What are the benefits of an effective Red Cell?
     • Train and measure IR teams’ detection and response
     • MSFT measures this as MTTD and MTTR: Mean Time To Detect and Mean Time To Recovery
     • Validates investment in very expensive security products, services, and subscriptions
  15. An example red cell exercise
     • Build a relevant threat model based on your industry’s threats, or competitors’ breaches / news events
     • Storyboard the attack
     • Determine where IR should detect and respond
     • Use the Red Team to validate the storyboard
     • What went well / what went wrong – postmortem analysis
     • Debrief tactics
  16. Putting it all together – Adversary simulation
     • Emulate realistic threat actors’ TTPs
     • Assume breach model
     • Model attacker activity to your storyboard
     • Information exchange between red and blue teams*
     • Protect Red Team culture
     • Repeat in a reasonable amount of time
  17. Example Adversary Simulation – TTPs – “Deep Panda”
     “After seeing how these indicators were being applied, though, I came to realize something very interesting: almost no one is using them effectively.” – Pyramid of Pain
  18. ADDITIONAL RESOURCES
     Books:
     • Red Team – Micah Zenko
     • Applied Critical Thinking Handbook – UFMCS
     Online:
     • Microsoft Enterprise Cloud Red Teaming Whitepaper
     • 2015’s Red Team Tradecraft / Adversary Simulation – Raphael Mudge
     • The Pyramid of Pain – David Bianco
     • Veris Group – Adaptive Threat Division – Will Schroeder and Justin Warner
     • The Adversary Manifesto – Crowdstrike
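One way to turn slides 14 to 16 into numbers for the postmortem: an added example (not from the deck or its author) that scores a storyboarded exercise against what IR actually detected, computing MTTD and MTTR and listing the planned detection points that were missed. The Step and Outcome structures, the step names and all timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class Step:
    """Storyboarded TTP step (constructed): when red runs it, whether IR should catch it."""
    name: str
    executed: datetime
    expect_detect: bool

@dataclass
class Outcome:
    """What IR actually did for a step."""
    step: str
    detected: Optional[datetime] = None   # None: IR never detected this step
    recovered: Optional[datetime] = None  # None: detected but never remediated

def score(storyboard, outcomes):
    """MTTD/MTTR in hours over detected steps, plus expected detections that were missed."""
    by_step = {o.step: o for o in outcomes}
    ttd, ttr, missed = [], [], []
    for s in storyboard:
        o = by_step.get(s.name)
        if o is None or o.detected is None:
            if s.expect_detect:
                missed.append(s.name)  # planned detection point blown past
            continue
        ttd.append((o.detected - s.executed).total_seconds() / 3600)
        if o.recovered is not None:
            ttr.append((o.recovered - o.detected).total_seconds() / 3600)
    return {
        "mttd_hours": mean(ttd) if ttd else None,  # None: nothing was detected
        "mttr_hours": mean(ttr) if ttr else None,
        "missed": missed,
    }

def run_example():
    """Constructed exercise: assume-breach foothold, then three scored steps."""
    t0, h = datetime(2024, 1, 1, 9, 0), timedelta(hours=1)
    storyboard = [
        Step("initial-foothold", t0, False),  # granted, so not a detection target
        Step("credential-access", t0 + 1 * h, True),
        Step("lateral-movement", t0 + 3 * h, True),
        Step("exfil-staging", t0 + 5 * h, True),
    ]
    outcomes = [
        Outcome("credential-access", detected=t0 + 2 * h, recovered=t0 + 5 * h),
        Outcome("lateral-movement", detected=t0 + 6 * h),  # found, never remediated
    ]
    return score(storyboard, outcomes)
```

Running the constructed exercise gives an MTTD of 2.0 hours, an MTTR of 3.0 hours, and flags exfil-staging as the missed detection point to discuss in the debrief.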
