Derbycon 2013 - Seeing Red in Your Future? This talk is designed to complement the “Fifty Shades of Red” talk tomorrow, and provide context for organizations who either think about engaging in a red team test, or have been doing red teaming and want to see more value out of it. In this talk we’ll cover some of the basic elements of what red teaming is, and specifically how it benefits an organization engaging in such a practice. Red teaming by itself is a high-interaction test. Unlike many other tests (namely penetration testing, compliance engagements, vulnerability assessments and other IT related practices), red team is not limited to the technical scope of the organization’s security infrastructure. As such, it is imperative to be able to extract as much value out of a red team engagement as possible, and see return on that investment in as many different areas of the organization as possible. Based on years of experience in conducting red team tests, training and helping organizations improve their security through red teaming, these insights will be applicable to everyone who is seeing red in their future (and you all should in order to really address security in an organization that has people working in it and not just machines).

1. Seeing red in
your future?
Ian Amit
Director of Services, IOActive

2. Hello

3. whoami?
$ id
uid=501(iamit) gid=20(ioactive) groups=12(hack),
33(research),61(dev),79(red_team),80(sexy_defense),
81(exil),98(idf),100(dc9723),204(/dev/null)

4. So, you think you can red team...

5. As in get your organization a proper red team assessment

6. First things first.
What is a “Red Team Test”?

7. !pentest

8. !social_engineering

9. “A red team is an independent group that challenges
an organization to improve its effectiveness”
wikipedia

10. But wait! what about security?

11. Right... that’s part of the deal...
Security is PART of running an organization!

12. So how do we go about it?

13. Agenda
Preparing for a red team (map)
Locate business critical assets (identify)
Getting buy-in (recruit)
Defining goals (target)
Finding a team (assemble)
Define scenarios and RoE (scope)
Establish white/blue team (monitor)
Hang on tight (execute)
Analyze (pre-report)
Identify areas of improvement (gap)
Create plan for remediation (fix)

14. Map

15. Map
CISO CIO
CFO CRO
Compliance
Audit General
Counsel

16. Agenda
Preparing for a red team (map)
Locate business critical assets (identify)
Getting buy-in (recruit)
Defining goals (target)
Finding a team (assemble)
Define scenarios and RoE (scope)
Establish white/blue team (monitor)
Hang on tight (execute)
Analyze (pre-report)
Identify areas of improvement (gap)
Create plan for remediation (fix)

17. Identify

18. Identify

19. Identify

20. Identify

21. Agenda
Preparing for a red team (map)
Locate business critical assets (identify)
Getting buy-in (recruit)
Defining goals (target)
Finding a team (assemble)
Define scenarios and RoE (scope)
Establish white/blue team (monitor)
Hang on tight (execute)
Analyze (pre-report)
Identify areas of improvement (gap)
Create plan for remediation (fix)

22. Recruit
Audit

23. Recruit
Six SigmaSix Sigma

24. Agenda
Preparing for a red team (map)
Locate business critical assets (identify)
Getting buy-in (recruit)
Defining goals (target)
Finding a team (assemble)
Define scenarios and RoE (scope)
Establish white/blue team (monitor)
Hang on tight (execute)
Analyze (pre-report)
Identify areas of improvement (gap)
Create plan for remediation (fix)

25. Target

27. How do I look from the outside?

28. How do I look from the outside?
Legal

29. How do I look from the outside?
Legal
Research & Development

30. How do I look from the outside?
Legal
Research & Development
Procurement

31. How do I look from the outside?
Legal
Research & Development
Procurement
Information Sources

32. How do I look from the outside?
Legal
Research & Development
Procurement
Information Sources
Supply Chain

33. How do I look from the outside?
Legal
Research & Development
Procurement
Information Sources
Supply Chain
Human Resources

34. How do I look from the outside?
Legal
Research & Development
Procurement
Information Sources
Supply Chain
Human Resources
Sales

35. How do I look from the outside?
Legal
Research & Development
Procurement
Information Sources
Supply Chain
Human Resources
Sales
Financials

36. Agenda
Preparing for a red team (map)
Locate business critical assets (identify)
Getting buy-in (recruit)
Defining goals (target)
Finding a team (assemble)
Define scenarios and RoE (scope)
Establish white/blue team (monitor)
Hang on tight (execute)
Analyze (pre-report)
Identify areas of improvement (gap)
Create plan for remediation (fix)

37. Assemble

39. Skillz!

40. Electronic Social
Physical

41. Electronic Social
Physical

42. Electronic Social
Physical

43. Electronic Social
Physical

44. Electronic Social
Physical

45. Electronic Social
Physical

46. Electronic Social
Physical

47. Agenda
Preparing for a red team (map)
Locate business critical assets (identify)
Getting buy-in (recruit)
Defining goals (target)
Finding a team (assemble)
Define scenarios and RoE (scope)
Establish white/blue team (monitor)
Hang on tight (execute)
Analyze (pre-report)
Identify areas of improvement (gap)
Create plan for remediation (fix)

48. Scope

50. Threat model

51. Threat model
Assets

52. Threat model
Assets
Processes

53. Threat model
Assets
Processes
Controls

54. Threat model
Assets
Processes
Controls
People

55. Threat model
Assets
Processes
Controls
People
Technology

56. Threat model
Assets
Processes
Controls
People
Technology
Location

57. Threat model
Assets
Processes
Controls
People
Technology
Location
Culture

58. Threat model
Assets
Processes
Controls
People
Technology
Location
Culture
Adversaries

59. Agenda
Preparing for a red team (map)
Locate business critical assets (identify)
Getting buy-in (recruit)
Defining goals (target)
Finding a team (assemble)
Define scenarios and RoE (scope)
Establish white/blue team (monitor)
Hang on tight (execute)
Analyze (pre-report)
Identify areas of improvement (gap)
Create plan for remediation (fix)

60. Monitor

61. Agenda
Preparing for a red team (map)
Locate business critical assets (identify)
Getting buy-in (recruit)
Defining goals (target)
Finding a team (assemble)
Define scenarios and RoE (scope)
Establish white/blue team (monitor)
Hang on tight (execute)
Analyze (pre-report)
Identify areas of improvement (gap)
Create plan for remediation (fix)

62. Execute

63. Execute

65. Can you hear me now?
Yes
Whazzzzzzup?
Whazzzzzzzzzzuuuuuppp?
What are you wearing?
Hello?
Still there?

66. Stay in control
of the escalation processes...

67. Agenda
Preparing for a red team (map)
Locate business critical assets (identify)
Getting buy-in (recruit)
Defining goals (target)
Finding a team (assemble)
Define scenarios and RoE (scope)
Establish white/blue team (monitor)
Hang on tight (execute)
Analyze (pre-report)
Identify areas of improvement (gap)
Create plan for remediation (fix)

68. Pre-report

70. IDS

71. IDS
System Logs

72. IDS
System Logs
Firewalls

73. IDS
System Logs
Firewalls
Access controls

74. IDS
System Logs
Firewalls
Access controls
Call records

75. IDS
System Logs
Firewalls
Access controls
Call records
Web traffic

76. IDS
System Logs
Firewalls
Access controls
Call records
Web traffic
DNS

77. IDS
System Logs
Firewalls
Access controls
Call records
Web traffic
DNS
Social Media

78. Agenda
Preparing for a red team (map)
Locate business critical assets (identify)
Getting buy-in (recruit)
Defining goals (target)
Finding a team (assemble)
Define scenarios and RoE (scope)
Establish white/blue team (monitor)
Hang on tight (execute)
Analyze (pre-report)
Identify areas of improvement (gap)
Create plan for remediation (fix)

79. Gap

80. Example 1: Dumpster Diving Olympics

81. Example 1: Dumpster Diving Olympics

82. Example 1: Dumpster Diving Olympics
•Personnel training

83. Example 1: Dumpster Diving Olympics
•Personnel training
•Process changes

84. Example 1: Dumpster Diving Olympics
•Personnel training
•Process changes
•Technical controls

85. Example 1: Dumpster Diving Olympics
•Personnel training
•Process changes
•Technical controls
•Change management

86. Example 1: Dumpster Diving Olympics
•Personnel training
•Process changes
•Technical controls
•Change management
•R&D practices

87. Example 1: Dumpster Diving Olympics
•Personnel training
•Process changes
•Technical controls
•Change management
•R&D practices
•3rd party sw security

88. Example 1: Dumpster Diving Olympics
•Personnel training
•Process changes
•Technical controls
•Change management
•R&D practices
•3rd party sw security
•Physical security routines

89. Agenda
Preparing for a red team (map)
Locate business critical assets (identify)
Getting buy-in (recruit)
Defining goals (target)
Finding a team (assemble)
Define scenarios and RoE (scope)
Establish white/blue team (monitor)
Hang on tight (execute)
Analyze (pre-report)
Identify areas of improvement (gap)
Create plan for remediation (fix)

90. Fix

91. Example 2: Incident Response from Hell
Process:
Incident response kicks in on any malware with a
signature from the past week, or with a generic/
heuristic detection.
In meantime, malware (APT!?) is left to run (actually
ok...)
Problem:
High number of incidents in a short time can create a
queue. Queue is predictable if IR analysis consists of
C&C traffic as well :-)
Queue can be exploited...

92. Example 3: Eager Sales

93. Example 3: Eager Sales
Organization is a security contractor (build big guns).

94. Example 3: Eager Sales
Organization is a security contractor (build big guns).
R&D, production, testing, management, sales, all in the
same location (HQ).

95. Example 3: Eager Sales
Organization is a security contractor (build big guns).
R&D, production, testing, management, sales, all in the
same location (HQ).
Sales are global, controlled from HQ.

96. Example 3: Eager Sales
Organization is a security contractor (build big guns).
R&D, production, testing, management, sales, all in the
same location (HQ).
Sales are global, controlled from HQ.
Extreme perimeter security, high-end physical security.

97. Example 3: Eager Sales
Organization is a security contractor (build big guns).
R&D, production, testing, management, sales, all in the
same location (HQ).
Sales are global, controlled from HQ.
Extreme perimeter security, high-end physical security.
Sales... few targeted emails, reverse shell home. Network
is done. DA on production machines (mfg.), sales
ledgers, major diplomatic incident potential...

98. Example 3: Eager Sales
Organization is a security contractor (build big guns).
R&D, production, testing, management, sales, all in the
same location (HQ).
Sales are global, controlled from HQ.
Extreme perimeter security, high-end physical security.
Sales... few targeted emails, reverse shell home. Network
is done. DA on production machines (mfg.), sales
ledgers, major diplomatic incident potential...
Process breakdown from physical security (USB
drops), through separation of duties, network
segmentation, egress data management.

99. Preparing for a red team (map)
Locate business critical assets (identify)
Getting buy-in (recruit)
Defining goals (target)
Finding a team (assemble)
Define scenarios and RoE (scope)
Establish white/blue team (monitor)
Hang on tight (execute)
Analyze (pre-report)
Identify areas of improvement (gap)
Create plan for remediation (fix)

100. map
identify
recruit
target
assemble
scope
monitor
execute
pre-report
gap
fix

101. map
identify
recruit
target
assemble
scope
monitor
execute
pre-report
gap
fix

102. map
identify
recruit
target
assemble
scope
monitor
execute
pre-report
gap
fix
RED TEAM READINESS

103. This isn’t rocket science

104. It’s not about who’s got the biggest one...

105. It’s about challenging
an organization to improve its effectiveness

106. It’s about challenging
an organization to improve its effectiveness
yourself

107. It’s about challenging
an organization to improve its effectiveness
yourself
your peers

108. It’s about challenging
an organization to improve its effectiveness
yourself
your peers
your assumptions

109. It’s about challenging
an organization to improve its effectiveness
yourself
your peers
your assumptions
...

110. There is no certificate at the end :-(

111. There is no certificate at the end :-(
no CPEs

112. There is no certificate at the end :-(
no CPEs
no medals

113. There is no certificate at the end :-(
no CPEs
no medals
Just hard work :-)

114. And a better ROI than any other test/engagement the
organization has ever gone through before

115. until the next red team...

116. Questions? Discussion!

117. map
identify
recruit
target
assemble
scope
monitor
execute
pre-report
gap
fix
Questions? Discussion!

118. ThankYou!
Ian Amit
@iiamit
ian.amit@ioactive.com