When is a Red Team a Red Team?
May 2019
Agenda
[+] Introductions 1m
[+] Setting the Stage 5m
[+] Tales from the Trenches 13m
[+] Conclusion 1m
> whoami
• Sanjiv Kawa
• Penetration Tester and Red Teamer
• I Lead Nettitude's Penetration Testing Team
kawabungah
skahwah
> whois Nettitude
• 160 security professionals
• Global presence
• Significant Industry Influence
Nettitude’s Research and Zero Days
Setting the Stage
Confusion
• What is Red Teaming?
• Who is it for?
• What does it achieve?
• Why is it important?
The Current State of Technical Assurance
What is a Red Team Engagement?
PenTest+
Purpose of a Red Team Engagement
Holistically test your organization against a real world breach scenario
• Driven from real world threats
• Focus on Depth and not Breadth
• Exercise your Blue Team
• People, Process, Technology
What Does a Red Team Engagement Look Like?
Why is Red Teaming Important?
Exercise Your Blue Team
People, Process, Technology
Tales from the Trenches
Some of our Achievements
• We get to work with some awesome clients
• We have an extremely high success rate in reaching objectives
Tales from the Trenches
I’m going to walk you through a red team engagement we did for a
stock exchange
Tales from the Trenches
Disclaimer:
Some areas have been replaced with fictitious people, other areas
are heavily redacted to protect the identity of the Client and their
employees …
Engagement Particulars
Client: Large Stock Exchange
Objective: Integrity of Real Time Trading System (TS)
Assessment: Threat Intelligence
Scenario 1: External Threat
Scenario 2: Insider Threat
Assessment: Detection and Response Capabilities
Threat Intelligence
Mitre ATT&CK Group ID:
G0032
AKA: Lazarus Group
North Korea
Threat Intelligence: Lazarus Group
Based on TI: Initial entry is going to be a targeted phish
Threat Intelligence: Recon
If I had 8 hours to chop down a tree, I would spend 6 of those
hours sharpening my axe
Many, many, many tools ...
Threat Intelligence: Finding Targets to Phish
• In-house developed, publicly available tool
• Checks HIBP for breaches
• Name, email, title, etc.
Threat Intelligence: Building Pretext
• Find target employees who work with TS
• Senior Trader at Stock Company
• Works with TS
• A+ candidate to phish!
Threat Intelligence: Building Pretext
Threat Intelligence: Building Pretext
Priority targets at the Stock Exchange (position, and pretext built from LinkedIn):
1. Rey Oakley, Senior Trader; pretext: Joseph Thompson – Capital Ventures
2. Mike Cortes, IT Support; pretext: Sarah Cho – Computer Stop
3. Karen Hayes, Database Admin; pretext: John Smith – DevShop
4. Stacy Chan, Project Manager; pretext: Mike Jacklin – Logistics R Us
• Don’t stop at one, maximize your chances.
Handover
At this point, the TI Team hands over a “target pack” to the Red Team
External Threat: Delivery
External Threat: Weaponization
External Threat: Delivery and Execution
• Pretext: Recruitment and Career Opportunities
• Delivery: Targeted Phishing (4 users)
• Objective: Impact the Integrity of TS
Targeted Phishing Statistics (bar chart): Users Targeted, Emails Confirmed Opened, Links Clicked, Command and Control Obtained
External Threat: Execution
Execution achieved? Targets at the Stock Exchange (position, pretext from LinkedIn):
[✗] Rey Oakley, Senior Trader; pretext: Joseph Thompson – Capital Ventures
[✗] Mike Cortes, IT Support; pretext: Sarah Cho – Computer Stop
[✓] Karen Hayes, Database Admin; pretext: John Smith – DevShop
[✓] Stacy Chan, Project Manager; pretext: Mike Jacklin – Logistics R Us
• Whose workstation are we on?
External Threat: Acting on Objectives
(Diagram: Karen Hayes)
External Threat: Acting on Objectives
[✓] Know where TS lives
[✓] Know users who access TS
(Diagram: Karen Hayes; Global File Share: TS Documents; Active Directory: TS Users)
External Threat: Acting on Objectives
(Diagram: Compromised Workstation, Trader Workstation)
External Threat: Acting on Objectives
(Diagram: Karen Hayes, Active Directory)
External Threat: Acting on Objectives
(Diagram: Karen Hayes, Citrix User)
CVE-2018-6857: Sophos Safeguard Priv Esc 0-day
External Threat: Acting on Objectives
(Diagram: Karen Hayes, Citrix Administrator, Workstation Administrator, Other Citrix Servers)
External Threat: Acting on Objectives
(Diagram: Compromised Workstation, Trader Workstation)
External Threat: Acting on Objectives
(Diagram: Compromised Workstation, Trader Workstation, Workstation Administrator)
External Threat: Acting on Objectives
(Diagram: Trader Workstation)
Now What?
Detection and Response Assessment
Detection and Response Assessment Outcomes
Blue Team had many chances to see what we did. What did they
actually see?
1. Ascertain timeline of detected events
2. How repeatable was the detection method and response?
3. Formal reporting to stakeholders
4. Tools and techniques used in response
5. Lessons learned
Detection and Response Assessment Outcomes
1. Attempt to identify weaknesses in people, processes and, most importantly, technology that constrain the detection process
2. Identify areas of strength and significant capability
3. Work together to implement and test these changes
Conclusion
Conclusion
• Test people, processes and technology
• Test the Blue Team's ability to respond to a threat
• Not a replacement for penetration testing
• Assurance activities should be continuous
• Improve security posture
Thank You
Purpose of a Red Team Engagement
Holistically test your organisation against a real world breach scenario
(Diagram: Security Posture, Strong / Weak, across Process, People, Technology)
• Measure IR/EDR Capability (Blue Team)
• Focus on Depth and not Breadth
• Driven from Real World Threats
External Threat: Acting on Objectives
Why is Red Teaming Important?
A few examples where People, Process, and Technology fell down…