11. Purpose of a Red Team Engagement
Holistically test your organization against a real world breach scenario
• Driven from real world threats
• Focus on Depth and not Breadth
• Exercise your Blue Team
People, Process, Technology
17. Some of our Achievements
• We get to work with some awesome clients
• We have an extremely high success rate in reaching objectives
19. Tales from the Trenches
I’m going to walk you through a red team engagement we did for a
stock exchange
20. Tales from the Trenches
Disclaimer:
Some areas have been replaced with fictitious people, other areas
are heavily redacted to protect the identity of the Client and their
employees …
21. Engagement Particulars
Client: Large Stock Exchange
Objective: Integrity of Real Time Trading System (TS)
Assessment: Threat Intelligence
Scenario 1: External Threat
Scenario 2: Insider Threat
Assessment: Detection and Response Capabilities
24. Threat Intelligence: Recon
If I had 8 hours to chop down a tree, I would spend 6 of those
hours sharpening my axe
Many, many, many tools ...
25. Threat Intelligence: Finding Targets to Phish
• In-house developed, publicly available tool
• Checks HIBP for breaches
• Name, email, title, etc.
26. Threat Intelligence: Building Pretext
• Find target employees who work with TS
• Senior Trader at Stock Company
• Works with TS
• A+ candidate to phish!
28. Threat Intelligence: Building Pretext
Priority | Target at Stock Exchange | Position        | Pretext from LinkedIn
1        | Rey Oakley               | Senior Trader   | Joseph Thompson – Capital Ventures
2        | Mike Cortes              | IT Support      | Sarah Cho – Computer Stop
3        | Karen Hayes              | Database Admin  | John Smith – DevShop
4        | Stacy Chan               | Project Manager | Mike Jacklin – Logistics R Us
• Don’t stop at one, maximize your chances.
33. External Threat: Delivery and Execution
• Pretext: Recruitment and Career Opportunities
• Delivery: Targeted Phishing (4 users)
• Objective: Impact the Integrity of TS
Chart: Targeted Phishing Statistics (Users Targeted, Emails Confirmed Opened, Links Clicked, Command and Control Obtained)
34. External Threat: Execution
Execution? | Target at Stock Exchange | Position        | Pretext from LinkedIn
☒          | Rey Oakley               | Senior Trader   | Joseph Thompson – Capital Ventures
☒          | Mike Cortes              | IT Support      | Sarah Cho – Computer Stop
☑          | Karen Hayes              | Database Admin  | John Smith – DevShop
☑          | Stacy Chan               | Project Manager | Mike Jacklin – Logistics R Us
• Whose workstation are we on?
36. External Threat: Acting on Objectives
☑ Know where TS Lives
☑ Know users who access TS
Diagram: Karen Hayes → Global File Share (TS Documents) and Active Directory (TS Users)
48. Detection and Response Assessment Outcomes
Blue Team had many chances to see what we did. What did they
actually see?
1. Ascertain timeline of detected events
2. How repeatable was the detection method and response?
3. Formal reporting to stakeholders
4. Tools and techniques used in response
5. Lessons learned
50. Detection and Response Assessment Outcomes
1. Attempt to identify weaknesses in people, processes and, most importantly, technology which is constraining the detection process
2. Identify areas of strength and significant capability
3. Work together to implement and test these changes
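The first outcome step above, ascertaining the timeline of detected events, comes down to lining up the red team's activity log against the Blue Team's alert log. The following is an added example, not code from the talk or the engagement: it assumes a constructed red team action log (phases taken from the slides, hypothetical timestamps) and a constructed alert log in which each alert was mapped to a red team phase during the debrief, and reports time-to-detect per phase, overall coverage and the missed phases that feed lessons learned.

```python
from datetime import datetime, timedelta

# Constructed red team activity log for the phases on the slides (hypothetical times).
RED_TEAM_ACTIONS = [
    ("phish-delivery", "2019-03-04T09:02:00"),
    ("link-click", "2019-03-04T09:41:00"),
    ("c2-obtained", "2019-03-04T09:43:00"),
    ("fileshare-access", "2019-03-04T11:15:00"),
    ("ad-enumeration", "2019-03-04T13:30:00"),
]

# Constructed Blue Team alert log: (alert time, phase the alert was mapped to in
# the debrief). An alert nobody could tie to red team activity carries None.
BLUE_TEAM_ALERTS = [
    ("2019-03-04T09:10:00", "phish-delivery"),
    ("2019-03-04T11:20:00", "phish-delivery"),  # second alert on the same phase
    ("2019-03-05T08:05:00", "c2-obtained"),     # next-day hit on the beacon
    ("2019-03-04T15:00:00", None),              # unrelated alert
]


def detection_timeline(actions, alerts, max_lag=timedelta(hours=24)):
    """Map each red team phase to time-to-detect in minutes, or None if missed.
    An alert counts only if mapped to the phase, raised at or after the action
    and within max_lag; the earliest qualifying alert wins."""
    timeline = {}
    for phase, when in actions:
        t_action = datetime.fromisoformat(when)
        lags = [datetime.fromisoformat(t) - t_action for t, p in alerts
                if p == phase and timedelta(0) <= datetime.fromisoformat(t) - t_action <= max_lag]
        timeline[phase] = round(min(lags).total_seconds() / 60) if lags else None
    return timeline


def coverage(timeline):
    """Fraction of red team phases the Blue Team detected within the window."""
    return sum(v is not None for v in timeline.values()) / len(timeline)


def missed_phases(timeline):
    """Phases with no qualifying alert: the gaps to carry into lessons learned."""
    return [phase for phase, lag in timeline.items() if lag is None]


if __name__ == "__main__":
    tl = detection_timeline(RED_TEAM_ACTIONS, BLUE_TEAM_ALERTS)
    for phase, lag in tl.items():
        print(f"{phase:18} {'MISSED' if lag is None else f'detected in {lag} min'}")
    print(f"coverage: {coverage(tl):.0%}  missed: {missed_phases(tl)}")
```

Running the same script across several exercises gives the repeatability view asked for in step 2: a phase that is caught once and missed the next time points at an analyst-dependent process rather than a reliable detection.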
52. Conclusion
• Test people, processes and technology
• Test the Blue Team's ability to respond to a threat
• Not a replacement for penetration testing
• Assurance activities should be continuous
• Improve security posture
56. Purpose of a Red Team Engagement
Holistically test your organisation against a real world breach scenario
Diagram: Security Posture (Strong / Weak) across People, Process and Technology
• Measure IR/EDR Capability (Blue Team)
• Focus on Depth and not Breadth
• Driven from Real World Threats