3. Agenda
sindadsec.ir
• What is a Red Team
• APT / APT Groups
• Ransomware Gangs vs APT Groups
• Red Team Methodologies
• Red Team vs Penetration Testing
• Red Team Infrastructure
• Adversary Emulation Platforms
• Red Team Tools
• Consequences of a Data Breach
• Defeating APT Attacks
4. What’s Red Team (Adversary Emulation)
• The process of emulating APT attacks
• Invented in the 19th century by the German army
• Used by the US DoD during the Cold War (1960)
6. APT Groups
Attribution
• https://attack.mitre.org/groups/
• https://www.mandiant.com/resources/insights/apt-groups
• Attribution model, Diamond model
• The United States, China, North Korea, European countries, Russia and Iran have cyber armies that carry out cyber attacks on other countries for governmental purposes; some APT groups have therefore been attributed to these countries.
• APTs target militaries for confidential documents, hospitals for health information, science and technology companies to steal documents, etc.
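The Diamond model bullet above is the analytic step behind those attribution pages: an intrusion event is described by its adversary, infrastructure, capability and victim, and analysts "pivot" from one event to another through shared infrastructure or capability indicators. The following script is an added example, not code from the slides or from MITRE or Mandiant. It clusters constructed sample events by pivoting on shared indicators and lets a cluster inherit an adversary label from any event in it that is already attributed. All event ids, victims, indicators and the group name `GROUP-ALPHA` are constructed sample values.

```python
"""Diamond-model pivoting for attribution (added example, constructed data).

Each intrusion event is a Diamond-model tuple of adversary, infrastructure,
capability and victim.  Events that share an infrastructure or capability
indicator are linked, and each connected group of linked events is one
activity cluster.  If an event in the cluster already carries an adversary
label (for example from a vendor report), the whole cluster inherits it; if
two different labels meet in one cluster it is flagged for analyst review.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    victim: str
    infrastructure: frozenset        # C2 domains / IPs observed in the event
    capability: frozenset            # malware families or tool hashes observed
    adversary: Optional[str] = None  # known attribution, if any


class UnionFind:
    """Minimal disjoint-set structure used to merge linked events."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_events(events):
    """Group events that share at least one infrastructure or capability
    indicator.  Returns a list of lists of event ids, in first-seen order."""
    uf = UnionFind()
    first_event = {}  # indicator -> first event id that carried it
    for ev in events:
        uf.find(ev.event_id)
        for indicator in ev.infrastructure | ev.capability:
            if indicator in first_event:
                uf.union(first_event[indicator], ev.event_id)  # the pivot
            else:
                first_event[indicator] = ev.event_id
    clusters = {}
    for ev in events:
        clusters.setdefault(uf.find(ev.event_id), []).append(ev.event_id)
    return list(clusters.values())


def attribute_events(events):
    """Map every event id to the adversary label inherited through its cluster,
    'UNATTRIBUTED-<n>' for clusters with no known adversary, or 'CONFLICT'
    when two different labels meet in one cluster."""
    by_id = {ev.event_id: ev for ev in events}
    labels = {}
    for n, cluster in enumerate(cluster_events(events), start=1):
        known = {by_id[e].adversary for e in cluster if by_id[e].adversary}
        if len(known) == 1:
            label = known.pop()
        elif not known:
            label = f"UNATTRIBUTED-{n}"
        else:
            label = "CONFLICT"
        for e in cluster:
            labels[e] = label
    return labels


# Constructed sample events; ".invalid" domains are placeholders.
SAMPLE_EVENTS = [
    DiamondEvent("E1", "ministry-A", frozenset({"c2-one.invalid"}),
                 frozenset({"ToolX"}), adversary="GROUP-ALPHA"),
    DiamondEvent("E2", "hospital-B", frozenset({"c2-two.invalid"}),
                 frozenset({"ToolX"})),            # pivots to E1 on ToolX
    DiamondEvent("E3", "lab-C", frozenset({"c2-two.invalid"}),
                 frozenset({"LoaderY"})),          # pivots to E2 on c2-two
    DiamondEvent("E4", "bank-D", frozenset({"c2-nine.invalid"}),
                 frozenset({"CommodityRAT"})),     # shares nothing: own cluster
]

if __name__ == "__main__":
    for event_id, label in attribute_events(SAMPLE_EVENTS).items():
        print(event_id, "->", label)
```

The weak point of capability pivots is shared public tooling: the later slide notes that ransomware gangs mostly use public exploits, so a public tool or commodity RAT as the only shared indicator links unrelated actors. In practice only custom tooling and actor-controlled infrastructure should be allowed to merge clusters, which in this script means keeping commodity indicators out of the `capability` set.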
7. Methodology for Red Teaming
• Cyber Kill Chain
• MITRE ATT&CK tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
APT Groups: Attribution or Delegation
10. Ransomware Gangs vs APT Groups
APT Groups
• Each APT group has its own targets and goals; for example, APT29, active since 2008, is attributed to the SVR and targets the USA, Germany, Uzbekistan and South Korea.
• Some APT groups have their own exploits for initial access.
• They use custom techniques for each step, such as privilege escalation, backdoors, etc.
Ransomware Gangs
• The goal of ransomware gangs and other cyber-criminal groups is just money, from stealing data, encrypting data or DDoSing businesses.
• Most of them use public exploits for initial access and C2.
Hacktivists
• The goals of hacktivist groups like Anonymous are leaking information and denial of service against governments.
14. Penetration Testing vs Red Teaming
• Offensive security: penetration testing, red teaming, bug bounty hunting
• Penetration testing: a defined scope; black, white or gray box; social engineering not allowed
• Red teaming: the whole business is in scope; black box; social engineering allowed; any kind of offensive technique allowed; physical initial access
15. Red Team Infrastructure
• Resource development (domain, mail server, SMTP relay, C2 server, forwarder)
• Infrastructure is built with Terraform IaC on AWS, Azure, ...
• Weaponize CVEs
• Keep payloads FUD (fully undetectable)
• Social media accounts and one-time SIM cards for OSINT
16. Attack Emulation vs Attack Simulation
• Adversary emulation plans (AEPs) are a way to model adversary behavior based on a particular set of TTPs in MITRE ATT&CK.
• A red team can use AEPs to develop an attack simulation and execute it against your enterprise security infrastructure to identify and tune gaps in defense before the actual adversary strikes.
17. Adversary Emulation Platforms
Open Source
• Caldera - MITRE ATT&CK - https://github.com/mitre/caldera
• Atomic Red Team - Red Canary - https://github.com/redcanaryco/atomic-red-team
• Hunters Forge's Mordor
• Metta - https://github.com/uber-common/metta
• APTSimulator - https://github.com/NextronSystems/APTSimulator
• Red Team Automation (RTA) - MITRE ATT&CK - https://github.com/endgameinc/RTA
• Infection Monkey - https://github.com/guardicore/monkey
• AutoTTP - https://github.com/jymcheong/AutoTTP
• RedHunt OS - Red Team Tools
20. Cost of a Data Breach Report 2022 (IBM Security)
• 4.35 million USD - Average total cost of a data breach
• 4.82 million USD - Average cost of a critical infrastructure data breach
• 4.54 million USD - Average cost of a ransomware attack, not including the cost of the ransom itself
• 1 million USD - Average difference in cost where remote work was a factor in causing the breach versus when it was not a factor
• 2.66 million USD - Average cost savings associated with an incident response (IR) team and a regularly tested IR plan
• 4.35 million USD - Global average total cost of a data breach
• 4.91 million USD - Average cost of a data breach with a phishing initial attack vector
• 5.57 million USD - Average cost of a breach for organizations with high levels of compliance failures
21. Defeating APT Attacks
• First step: know your enemies [APT groups, ransomware gangs] = CTI
• Practice continuously to evaluate your level of preparedness to face the threats. After extracting TTPs, assign their emulation to the red team = purple teaming
• Security in depth requires proper network design. You should know how to use security equipment in the right place = security is a process, not a product.
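The purple-teaming loop described here and on the emulation slide (extract TTPs from CTI, emulate them, "identify and tune gaps in defense") produces one concrete artifact: a coverage table for the emulated adversary. The script below is an added example, not code from the slides or from any of the listed platforms. It takes an emulation plan of ATT&CK techniques, the blue team's detection inventory, and which rules actually fired during the exercise, then scores coverage, orders the gaps by the tactic sequence on the methodology slide, and classifies each gap as "tune" (a rule exists but did not fire) or "build" (no rule at all). The technique IDs are ATT&CK identifiers; the emulation plan, rule names and test outcomes are constructed sample data.

```python
"""Purple-team coverage scoring for an adversary emulation plan
(added example; plan, rules and outcomes are constructed sample data)."""

TACTIC_ORDER = [  # ATT&CK tactics in kill-chain order, as on the methodology slide
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Emulation plan extracted from CTI for the emulated group: (technique id, name, tactic)
EMULATION_PLAN = [
    ("T1566", "Phishing", "Initial Access"),
    ("T1059", "Command and Scripting Interpreter", "Execution"),
    ("T1053", "Scheduled Task/Job", "Persistence"),
    ("T1003", "OS Credential Dumping", "Credential Access"),
    ("T1021", "Remote Services", "Lateral Movement"),
    ("T1071", "Application Layer Protocol", "Command and Control"),
    ("T1041", "Exfiltration Over C2 Channel", "Exfiltration"),
]

# Blue team's detection inventory: rule name -> techniques it claims to cover (constructed)
DETECTION_RULES = {
    "mail-attachment-macro": {"T1566"},
    "suspicious-powershell": {"T1059"},
    "lsass-access": {"T1003"},
    "new-schtask": {"T1053"},
}

# Exercise outcome: technique id -> rules that actually fired when it was emulated (constructed)
TEST_RESULTS = {
    "T1566": {"mail-attachment-macro"},
    "T1059": set(),   # a rule exists but stayed silent: needs tuning
    "T1053": {"new-schtask"},
    "T1003": set(),   # same: rule exists, no alert
    "T1021": set(),   # no rule at all
    "T1071": set(),
    "T1041": set(),
}


def assess(plan=EMULATION_PLAN, rules=DETECTION_RULES, results=TEST_RESULTS):
    """Return (coverage_fraction, gaps).  gaps is a kill-chain-ordered list of
    dicts, one per emulated technique that produced no alert, each carrying the
    rules that claimed to cover it and the recommended action."""
    detected = 0
    gaps = []
    for tid, name, tactic in plan:
        if tactic not in TACTIC_ORDER:
            raise ValueError(f"unknown tactic {tactic!r} for {tid}")
        if results.get(tid):
            detected += 1
            continue
        claimed = {rule for rule, techs in rules.items() if tid in techs}
        gaps.append({
            "technique": tid, "name": name, "tactic": tactic,
            "existing_rules": sorted(claimed),
            "action": "tune" if claimed else "build",
        })
    # Earliest kill-chain stages first: that is where the adversary first goes unseen
    gaps.sort(key=lambda g: TACTIC_ORDER.index(g["tactic"]))
    return detected / len(plan), gaps


def earliest_gap(gaps):
    """Tactic of the first undetected step in kill-chain order, or None if fully covered."""
    return gaps[0]["tactic"] if gaps else None


if __name__ == "__main__":
    coverage, gaps = assess()
    print(f"coverage: {coverage:.0%}  first blind spot: {earliest_gap(gaps)}")
    for g in gaps:
        print(f"{g['tactic']:<20} {g['technique']} {g['name']}: "
              f"{g['action']} {g['existing_rules']}")
```

Tracking the "tune" and "build" actions per exercise is what turns the slide's "continuous practice" into a measurable trend: re-running the same plan after the blue team's changes should move techniques from the gap list into the detected count, and the earliest gap in kill-chain order is the one to fix first because everything after it is reached without an alert.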