Red Team P1 (Adversary Emulation)
Sindad Secure Communication Engineering Company
sindadsec.ir
Whoami
Soheil Hashemi
M.Sc. Computer Networks
Penetration Testing | Red Teaming | Purple Teaming
Security Course Instructor
Agenda
• What’s Red Team
• APT / APT Groups
• Ransomware Gangs vs APT Groups
• Red Team Methodologies
• Red Team vs Penetration Testing
• Red Team Infrastructure
• Adversary Emulation Platforms
• Red Team Tools
• Consequences of a Data Breach
• Defeating APT Attacks
What’s Red Team (Adversary Emulation)
• The process of emulating APT attacks
• Invented in the 19th century by the German army
• Used by the DoD during the Cold War (1960)
APT Attacks
Advanced Persistent Threat
• Advanced = Goal
• Persistent = weeks, months, years (APT29 / Nobelium, SolarWinds)
• Threat = espionage, sabotage
APT Groups: Attribution
• https://attack.mitre.org/groups/
• https://www.mandiant.com/resources/insights/apt-groups
• Attribution model, Diamond model
• The USA, China, North Korea, Europe, Russia and Iran have cyber armies that carry out cyber attacks on other countries for governmental purposes; therefore some APT groups have been attributed to these countries.
• APTs target the military for confidential documents, hospitals for health information, science and technology companies to steal documents, etc.
Methodology for Red Teaming?
Cyber Kill Chain
MITRE ATT&CK tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

APT Groups: Attribution or Delegation
APT Groups
Each APT group has its own targets and goals; for example, APT29, active since 2008, is attributed to the SVR and targets the USA, Germany, Uzbekistan and South Korea.
Some APT groups have their own exploits for initial access.
They use custom techniques for each step, such as privilege escalation, backdoors, etc.

Ransomware Gangs vs APT Groups
Ransomware Gangs
The goal of ransomware gangs and other cybercriminal groups is simply money, obtained by stealing data, encrypting data or DDoSing businesses.
Most of them use public exploits for initial access and C2.
Hacktivists
Hacktivist groups like Anonymous aim to leak information and deny service to governments.
Red Team Methodologies
• Methodologies (MITRE ATT&CK, Cyber Kill Chain)
MITRE ATT&CK
https://attack.mitre.org/
The Cyber Kill Chain
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Penetration Testing vs Red Teaming
• Offensive security: penetration testing, red teaming, bug bounty hunting
• Penetration testing: [defined scope, type (black, white, gray box), social engineering not allowed]
• Red teaming: (the whole business is in scope, black box, social engineering allowed, any kind of offensive technique allowed, physical initial access)
Red Team Infrastructure
• Resource development (domain, mail server, SMTP relay, C2 server, forwarder)
• Build the infrastructure with Terraform (IaC) on AWS, Azure, ...
• Weaponize CVEs
• Keep payloads FUD
• Social media accounts and one-time SIM cards for OSINT
Attack Emulation vs Attack Simulation
Adversary emulation plans (AEPs) are a way to model adversary behavior based on a particular set of TTPs in MITRE ATT&CK.
A red team can use AEPs to develop an attack simulation and execute it against your enterprise security infrastructure to identify and tune gaps in defense before the actual adversary strikes.
Adversary Emulation Platforms: Open Source
• Caldera (MITRE ATT&CK) - https://github.com/mitre/caldera
• Atomic Red Team (Red Canary) - https://github.com/redcanaryco/atomic-red-team
• Hunters Forge’s Mordor
• Metta - https://github.com/uber-common/metta
• APTSimulator - https://github.com/NextronSystems/APTSimulator
• Red Team Automation (RTA, MITRE ATT&CK) - https://github.com/endgameinc/RTA
• Infection Monkey - https://github.com/guardicore/monkey
• AutoTTP - https://github.com/jymcheong/AutoTTP
• RedHunt OS (red team tools)
Adversary Emulation Platforms: Commercial
• Cobalt Strike
• Brute Ratel
• AttackIQ FireDrill
• Cymulate
Red Team Tools
• Meterpreter vs Cobalt Strike Beacon detection rate
• HTTP / HTTPS / TCP / UDP detection rate
• Macros
• C2 frameworks:
  - Cobalt Strike
  - Brute Ratel
  - Covenant
  - Metasploit
  - Merlin
  - Mythic
  - PoshC2
  - Empire
Cost of a Data Breach Report 2022 (IBM Security)
4.35 million USD: Average total cost of a data breach
4.82 million USD: Average cost of a critical infrastructure data breach
4.54 million USD: Average cost of a ransomware attack, not including the cost of the ransom itself
1 million USD: Average difference in cost where remote work was a factor in causing the breach versus when it wasn’t a factor
2.66 million USD: Average cost savings associated with an incident response (IR) team and a regularly tested IR plan
4.35 million USD: Global average total cost of a data breach
4.91 million USD: Average cost of a data breach with a phishing initial attack vector
5.57 million USD: Average cost of a breach for organizations with high levels of compliance failures
Defeat APT Attacks
• First step: know your enemies [APT groups, ransomware gangs] = CTI
• Practice continuously to evaluate your level of preparedness against the threats. After extracting the TTPs, assign their emulation to the red team = purple teaming
• Security in depth requires proper network design; you should know how to place security equipment in the right place = security is a process, not a product
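The CTI, TTP extraction, red-team emulation and purple-teaming loop described on the "Attack Emulation" and "Defeat APT Attacks" slides, as an added Python example that is not part of the deck: it validates a constructed adversary emulation plan against the ATT&CK tactic list (tactic names, kill-chain order, well-formed technique IDs) and checks every planned technique against a constructed detection inventory so the gaps are known before the exercise runs. The plan, the inventory and the function names are assumptions; only the technique IDs are real MITRE ATT&CK identifiers.

```python
import re
ATTACK_TACTICS = ("Reconnaissance", "Resource Development", "Initial Access",
                  "Execution", "Persistence", "Privilege Escalation", "Defense Evasion",
                  "Credential Access", "Discovery", "Lateral Movement", "Collection",
                  "Command and Control", "Exfiltration", "Impact")
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # ATT&CK technique or sub-technique ID

# Constructed emulation plan, (tactic, technique ID, ATT&CK technique name); the IDs
# are real ATT&CK identifiers, the plan itself is invented for this example.
EMULATION_PLAN = [
    ("Initial Access", "T1566.001", "Spearphishing Attachment"),
    ("Execution", "T1059.001", "PowerShell"),
    ("Persistence", "T1053.005", "Scheduled Task"),
    ("Credential Access", "T1003.001", "LSASS Memory"),
    ("Lateral Movement", "T1021.002", "SMB/Windows Admin Shares"),
    ("Command and Control", "T1071.001", "Web Protocols"),
    ("Exfiltration", "T1041", "Exfiltration Over C2 Channel"),
]

# Constructed detection inventory: technique ID -> (data source, rule validated?).
DETECTIONS = {
    "T1566.001": ("mail gateway", True),
    "T1059.001": ("EDR script logging", True),
    "T1003.001": ("EDR", False),  # rule written but never exercised
    "T1071.001": ("web proxy", True),
}

def validate_plan(plan):
    """Return problems in a plan (empty = OK): ATT&CK tactics, kill-chain order, valid IDs."""
    order = {t: i for i, t in enumerate(ATTACK_TACTICS)}
    problems, last = [], -1
    for tactic, tid, _ in plan:
        if tactic not in order:
            problems.append(f"unknown tactic {tactic!r}")
        elif order[tactic] < last:
            problems.append(f"{tid}: {tactic} is out of kill-chain order")
        else:
            last = order[tactic]
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"malformed technique ID {tid!r}")
    return problems

def coverage_report(plan, detections):
    """Classify each planned technique: covered, untested (rule never validated) or gap."""
    report = {}
    for tactic, tid, name in plan:
        source, validated = detections.get(tid, (None, False))
        status = "gap" if source is None else "covered" if validated else "untested"
        report[tid] = {"tactic": tactic, "name": name, "source": source, "status": status}
    return report
```

Everything that is not "covered" in the report is the purple-team backlog: the red team runs those steps and the blue team writes or validates the matching detection.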