More Related Content
What's hot
What's hot (20)
Similar to Red Team P1.pdf
Similar to Red Team P1.pdf (20)
Recently uploaded
Recently uploaded (20)
Red Team P1.pdf
- 1. Red Team P1 )Adversary Emulation( سینداد ارتباط امن مهندسی شرکت s i n d a d s e c . i r
- 2. Whoami Soheil Hashemi Ms.c Network Computers Penetration Testing | Red Teaming | Purple Teaming Security Course Instructor 1 sindadsec.ir
- 3. Agenda sindadsec.ir • What’s Red Team • APT / APT Group • Ransomware Gangs Vs APT Groups • Red Team Methodologies • Red Team vs Penetration Testing • Red Team Infrastructure • Adversary Emulation platforms • Red Team Tools • Consequence of Data Breach • Defeat APT attacks 2
- 4. What’s Red Team (Adversary Emulation) sindadsec.ir ۲ • The Process of Emulation APT Attacks • Invented on 19th Century by German Army • Used on DOD during COLD war 1960 3
- 5. APT Attacks sindadsec.ir Advanced Persistence Threat • Advanced = Goal • Persistence = Week, Month, Year ( APT29 - nobelium SolarWinds ) • Threat = espionage, Sabotage 4
- 6. ۷ sindadsec.ir Attribution • https://attack.mitre.org/groups/ • https://www.mandiant.com/resources/insights/apt-groups • Attribution model, Diamond model • The countries of America, China, North Korea, Europe, Russia and Iran have cyber armies that carry out cyber attacks on other countries for governmental purposes, therefore some APT groups have also been attributed to these countries. • APT’s Target military for Confidential Documents, Hospitals for health info, Science and technology companies for steal Documents and etc. APT Groups 5
- 7. Methodology for Red Teaming? Cyber kill chain MITRE Attack Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration Impact ۸ sindadsec.ir APT Groups Attribution or Delegation 6
- 8. APT Groups 7
- 9. APT Groups 8
- 10. Each APT Group have their Target, Their Goals for example APT29 since 2008 attribute to SVR and Target USA, Germany, Uzbekistan, South Korea Some of APT Groups have their Exploit for initial Access They Use Custom Techniques for each Steps like Privilege Escalation, Backdoor and Etc. ۱۰ sindadsec.ir Ransomware Gangs Ransomware Gangs and Other Cyber Criminals Groups Goals are just money from stealing data encrypting data or DDOSING business Most of them Use public Exploit for initial Access and C2 Ransomware Gangs vs APT Groups Hacktivist Hacktivist Groups like Anonymous Group Goal’s are leak Information and Denial of service Governments. APT Groups 9
- 11. ۷ sindadsec.ir Red Team Methodologies • Methodologies ( MITRE, Cyber KillChain attack) 10
- 12. Methodology for Red Teaming? Cyber kill chain MITRE Attack Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration Impact ۸ sindadsec.ir https://attack.mitre.org/ MITRE Attack 11
- 13. Methodology for Red Teaming? Cyber kill chain MITRE Attack Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration Impact ۸ sindadsec.ir The Cyber Kill chain https://www.lockheedmartin.com/en- us/capabilities/cyber/cyber-kill- chain.html 12
- 14. ۱۰ sindadsec.ir Penetration Testing Penetration Testing VS Red Teaming Red Teaming • Offensive Security : Penetration Testing, Red Teaming, Bug Bounty Hunting • Penetration Testing Steps [Scope, Type (Black, White, Gray BOX), Social Engineering not Allowed] Red Teaming Steps ( Whole Business are SCOPE, Type Black box, Social Engineering allowed, Any kind of Offensive is allowed, Physical Initial Access) 13
- 15. Red Team Infrastructure ۷ sindadsec.ir • Resource and Development ( Domain, Mail Server, Smtp relay, C2 server, Forwarder) • For building Infrastructure Using Terraform IAC on AWS,AZURE,... • Weaponize CVE • Keep FUD payloads • Social Media Accounts and one time sim card for OSINT 14
- 16. ۱۰ sindadsec.ir Attack Emulation Attack Emulation VS Simulation Attack Simulation Adversary Emulation plans are the way to model adversary behavior based on a particular set of TTP in MITRE ATT&CK. Red Team can use AEPs to develop an Attack simulation and execute it against your enterprise security infrastructure for identify and tune gaps in defense before the actual adversary strikes. 15
- 17. Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration Impact ۸ sindadsec.ir Adversary Emulation Platforms Open Source • Caldera - MITRE ATT&CK https://github.com/mitre/caldera • Atomic Red Team - Red Canary - https://github.com/redcanaryco/atomic-red-team • Hunter Forge’s Mordor • Metta - https://github.com/uber-common/metta • APTSimulator - https://github.com/NextronSystems/APTSimulator • Red Team Automation (RTA) - MITRE ATT&CK - https://github.com/endgameinc/RTA • Infection Monkey - https://github.com/guardicore/monkey • AutoTTP - https://github.com/jymcheong/AutoTTP • RedHunt OS - Red Team TOOLS 16
- 18. Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration Impact ۸ sindadsec.ir Adversary Emulation Platforms Commercial • Cobalt strike • Brute Ratel • AttackIQ FireDrill • Cymulate 17
- 19. Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration Impact ۸ sindadsec.ir Red Team Tools • Meterpreter vs cobalt strike beacon detection rate • HTTP / HTTPs / TCP / UDP Detection rate • Macro • C2: Cobalt strike Brute Ratel Covenant Metasploit Merlin Mythic PoshC2 Empire 18
- 20. sindadsec.ir COST of a Data Breach Report 2202(IBM Security) 4.35 million USD Average total cost of a data breach 4.82 million USD Average cost of a critical infrastructure data breach 4.54 million USD Average cost of a ransomware attack, not including the cost of the ransom itself 1 million USD Average difference in cost where remote work was a factor in causing the breach versus when it wasn’t a factor 2.66 million USD Average cost savings associated with an incident response (IR) team and regularly tested IR plan 4.35 million USD Global average total cost of a data breach 4.91 million USD Average cost of data breach with a phishing initial attack vector 5.57 million USD Average cost of a breach for organizations with high levels of compliance failures 19
- 21. sindadsec.ir Defeat APT Attack First Step You Should Know Your Enemies [APT Groups, Ransomware Gangs] = CTI You Should Have Continues Practice for Evaluating your The level of preparedness to face the threats. After Extracting TTP Assign Emulation to red Team = Purple Teaming Security In Depth It requires proper network design. You should know using security equipment on right place = Security is process not product. 20