This document discusses approaches to improving security through "red teaming" or adversary simulation. It defines red teaming as taking both an adversarial approach and mindset through tactics like computer simulations and vulnerability probes. The origins of red teaming in military war games from the 1960s are described. Examples of both red team failures, like a failed hostage rescue mission due to lack of planning, and successes, like security tests by the NYPD, are provided. The document outlines challenges to effective red teaming like overcoming groupthink and communicating risk. It stresses the importance of emulating realistic adversary tactics, techniques and procedures to provide useful security evaluations. Overall resources on red teaming techniques and a hypothetical red team exercise are presented.

1. ADVERSARY SIMULATION
“RED CELL”
APPROACHES TO
IMPROVING SECURITY

2. Talk Background
Introduction and overview of Red Teaming
Organization challenges & Opportunities
Redteaming / Red Cell effectiveness
• Meeting the defenders where they are at
-Adversary simulation
• Emulating Tactics Techniques and Procedures
• Being the Adversary
Resources

3. $whoami
• Chris Hernandez
• RedTeamer
• Former:
• Pentester
• Vuln/ Patch Mgmt
• Sysadmin
• Bug bounty hunter
• Irc handle= piffd0s
• Blog= Nopsled.ninja
• @piffd0s

4. Introduction to Red Teaming
• What is “Red Teaming”?
• Origins of “Red Team”
• Examples of Red Teaming Failures
• Examples of Red Team Successes

5. What is Red Teaming?
• Both Approach, Mindset and Tactics
• Takes many forms, Tabletop Exercises, Alternative
analysis, computer models, and vulnerability probes.
• Critical Thinking
• A Therapist…

6. What are its origins?
• Originated in the 1960’s military war-game exercises
• Red Team was meant to emulate the soviet union
• 1963 - First historical example was a redteam exercise structured
around procuring a long range bomber.
• Most early examples are structured around determining soviet
unions capability

7. Red Team Failures: Operation Eagle Claw
• Failed mission to rescue 52
diplomats held captive in the
US Embassy in Tehran.
• Operation was “need to know”
not Red Teamed
• Operation was initiated
without enough planning and
foresight into potential
challenges / obstacles

8. Unified Vision ‘01 & Millennium Challenge ‘02
• Millenium challenge ’02
• Red Cell Is highly restricted in
its actions
• Red Cell pre-emptively attacks
US navy fleet with all of their
air and sea resources sinking
21 Navy Vessels
• White Cell “refloats” sunken
navy vessels
• Unified Vision ’01
• White Cell informs Red Cell
that Blue Team has destroyed
all of their 21 hidden ballistic
missile silos
• Blue Team commander never
actually new the location of
any of the 21 silos

9. RedTeam Success Stories
• New York Marathon, NYPD and New York Roadrunners
• Cover scenarios like:
• How do you identify tainted water sources
• How to respond if drones show up in specific locations
• Race can be diverted at any point
• Israeli Defense Force – “Ipcha Mistabra”
• The opposite is most likely
• Small group in the intelligence branch
• Briefs Officials and Leaders on opposite explanations for scenarios

10. Organizational Challenges
• Overcoming Groupthink
• Maintaining Divergent thought
• Remaining Skeptical
• Assimilation into culture
• Communicating risk effectively
• Metacognition
• Leadership buy in
• “Gaming” the Op

11. Red Cell Effectiveness
• Ex. 57th adversary tactics group
• Only Highly skilled pilots are
allowed to become “aggressors”
• Allowed only to use known
adversary tactics and techniques
depending on who they are
emulating
• Same should apply to all red
teams
• Adversary emulation is key to
realistic simulations

12. Red Cell Effectiveness
• Effective adversary emulation
can mean being a “worse”
threat actor
• Tests defenders “post-
compromise” security posture.
Aka “assumed breach model”
• Post compromise / foothold
can also save valuable time
and money.

13. Adversary Skill and Detection Model
0
1
2
3
4
5
6
Ignorance Detection Proactive Pre-emptive
Difficulty
Difficulty
ScriptKiddie
Criminal(s)
APT

14. What are the benefits of an effective Red Cell?
• Train and measure IR teams detection and response.
• MSFT measures this as MTTD MTTR Mean time to
detect, and Mean Time to Recovery
• Validates investment in very expensive security
products, services, and subscriptions

15. An example red cell exercise
• Build a relevant threat model based on your industry
threats, or competitors breaches / news events
• Story board the attack
• Determine where IR should detect and respond
• Use Red Team to validate story board
• What went well / what went wrong – postmortem analysis
• Debrief Tactics

16. Putting it all together – Adversary simulation
• Emulate realistic threat actors TTPs
• Assume breach model
• Model attacker activity to your story board
• Information exchange between red and blue teams*
• Protect Red Team culture
• Repeat in a reasonable amount of time

17. Example Adversary Simulation – TTPs – “Deep Panda”
After seeing how these indicators were being applied, though, I came to realize
something very interesting: almost no one is using them effectively. - Pyramid
of Pain

18. ADDITIONAL RESOURCES
Books:
Red Team – Micah Zenko
Applied Critical Thinking Handbook – UFMCS
Online:
Microsoft Enterprise Cloud Redteaming Whitepaper
2015’s Redteam Tradecraft / Adversary Simulation – Raphael Mudge
The Pyramid of Pain – David Bianco
Veris Group - Adaptive Threat Devision – Will Shroeder and Justin Warner
The Adversary Manifesto - Crowdstrike