Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

[AVTOKYO 2017] What is red team?

3,925 views

Published on

AV TOKYO 2017(http://ja.avtokyo.org/)の講演資料を公開します。

Published in: Technology
  • Be the first to comment

[AVTOKYO 2017] What is red team?

  1. 1. What is Red Team Service? ~Latest Penetration Test Trends in U.S.~ TOMOHISA ISHIKAWA scientia.admin@gmail.com www.scientia-security.org
  2. 2. $$ WHO AM I ?  Tomohisa Ishikawa • Security Consultant (9 years experience) • Specialized Area • Penetration Test, IR, Security Consultation, Vulnerability Management, Awareness, Training, Global Security Management… • Various Speaker Experience • SANSFIRE 2011 & 2012, DEF CON 24 SE Village, LASCON 2016, BSides Philly 2017 • Certification Junkie • CISSP, CSSLP, CISA, CISM, CFE, GPEN, GWAPT, GXPN, GWEB, GSNA, GREM, GCIH
  3. 3. Objective  Sharing One Year Experience in security team of U.S. insurance company  Understanding difference of Methodology • Traditional “Penetration Test” vs. “Red Team”
  4. 4. 皆様の会社(組織)、ペネトレーションテスト やっていますか? Do you have penetration test in your organization??
  5. 5. 日本で言うペネトレーションテストって… Penetration Test in Japan is …  某L社とか某N社のページを見てみると.. Let’s see HP of N company, L company, M company… • Webセキュリティ診断サービス (Web Application Testing) • プラットフォーム診断サービス (Platform Testing) • 標的型攻撃診断サービス(メール訓練サービス・出口対策検証) • 無線LAN診断サービス • DDoS体制検証サービス  安全第一!! Safety of system is First Priority.  ※ ちなみにセキュリティ診断とペネトレーションテストをほぼ同じ意味で使いますが、宗教上の 理由でこの二つを一緒に語ることが許せない人とは適当に読み替えてください。
  6. 6. 米国に行くと… 意外とペネトレーションテスターって 言わない人が多い? Only few people said “I am a penetration tester”
  7. 7. 「ペネトレーションテスト」ってダサい? “Penetration Test” is tacky???
  8. 8. What is “Red Team”?  もともと、諜報機関で生まれた概念 Originally, it is from intelligence community  敵の観点から作戦を検証したり、取得した情報の信憑性を批判的に 検証するチームのこと Verify strategies or information from adversary view point • Devil‘s Advocate(悪魔の弁護人) • CIA Red Cell
  9. 9. What is the difference btw “Red Team” and “Pen Test”? ⇒ Coverage is different!! Digital Physical Social • Web Application Testing • Platform Testing • APT Simulation • APT Mail Awareness training • Vishing(Voice Phishing) • OSINT • Tail Gating • Impersonation • ID Card Cloning • Physical Access to box • Elevator Hacking • Physical Control Bypass
  10. 10.  According to Gartner… • Long Term Challenge (NOT point-in-time assessment) • より長期的にテストを実施。実施時間も24時間いつでも実施する. • Defense Coordination • Blue Teamの機能も含めて評価を行い、改善につなげる。 • Adversary Simulation • 攻撃者そのものの観点から実施する。(3つの観点の融合) • Controlled but Real Intrusion What is the difference btw “Red Team” and “Pen Test”? ⇒ Different Feature
  11. 11. Case 1: Physical Penetration Test
  12. 12.  Objective • どこまで内部侵入して情報が取れるのか? Is it possible to bypass physical access control?  Methodology • Breaking Lock (Picking, impassioning, Bypassing) • Elevator Hacking • RFID Cloning • Social Engineering Physical Penetration Test
  13. 13. Case 2: APT Adversary Simulation Service
  14. 14.  SLA of APT Adversary Simulation Service is following. • Awareness Phishing • Penetration Test Phishing • Red Team Phishing 標的型攻撃サービス APT Adversary Simulation Service
  15. 15.  Attempting attacks as same as “Japan Pension Service” • Following Cyber Kill Chain • OSINT & SOCMINT • Selecting 2~3 targets, and sending attached email • Exploitation • Using “Fresh” vulnerability & Exploit • Post Exploitation with PowerShell • Password Cracking with GPU • Lateral Movement & Reaching out “Treasures” Red Team Phishing
  16. 16. OSINT Example  Check LinkedIn and find out target  Analyzing Twitter with SOCMINT Tools • Target has a tendency to buy shoes in apparel shop • Sending Coupon by pretending as appeal shop
  17. 17. TOOLS  OSINT • Maltago https://www.paterva.com/web7/ • FOCA https://www.elevenpaths.com/labstools/foca/index.html • SpiderFoot http://www.spiderfoot.net/ • Discovery Script https://github.com/leebaird/discover • Recon-ng https://bitbucket.org/LaNMaSteR53/recon-ng • Cymon https://cymon.io/ • WeLink https://welink.com/dashboard/ • GEOFEEDIA https://geofeedia.com/ • ECHOSEC https://www.echosec.net/
  18. 18. TOOLS  OTHER TOOLS (Part of them is experimental) • GoPhish https://getgophish.com/ • Social Engineering Toolkit in Kali Linux • Cobalt Strike https://www.cobaltstrike.com/ • Mimikatz https://github.com/gentilkiwi/mimikatz • Responder https://github.com/SpiderLabs/Responder • IPMI http://fish2.com/ipmi/remote-pw-cracking.html • MITM Framework https://github.com/byt3bl33d3r/MITMf • Spray WMI https://github.com/trustedsec/spraywmi
  19. 19. TOOLS  PowerShell Tools • PowerShell Empire https://github.com/EmpireProject/Empire • EmPyre (Python) https://github.com/EmpireProject/EmPyre • PowerSploit https://github.com/PowerShellMafia/PowerSploit • Including PowerView・Invoke-Mimikatz・PowerUp • Veil Framework https://www.veil-framework.com/ • Nishang https://github.com/samratashok/nishang • Invoke-Obfuscation https://github.com/danielbohannon/Invoke-Obfuscation • PS Attack https://github.com/jaredhaight/psattack • NaishoDeNusumu https://github.com/3nc0d3r/NaishoDeNusumu • BloodHound https://github.com/BloodHoundAD/BloodHound
  20. 20. Resource  Great Presentation • AD Security https://adsecurity.org/ • All presentation is awesome • Adversarial Post-Exploitation: Lessons From The Pros • https://www.youtube.com/watch?v=x3crG-hM9sc • A Year in the Empire • https://www.youtube.com/watch?v=ngvHshHCt_8 • PowerShell Secrets and Tactics • https://www.youtube.com/watch?v=EQv4bJnCw8M • Introducing PowerShell into your Arsenal with PS>Attack • https://www.youtube.com/watch?v=mPckt6HQPsw • Invoke-Obfuscation: PowerShell obFUsk8tion Techniques • https://www.youtube.com/watch?v=P1lkflnWb0I
  21. 21. From Blue Team Side  以下が本当に重要!! • Full Spectrum Visibility (完全な可視化) • Targeted Containment (標的型封じ込め)  EDR (Endpoint Detection & Response) • Ex) Tanium, Fidelis, Carbon Black, FireEye, Crowd Strike, Red Cloak, Cyber Reason…
  22. 22. Wrap-Up  “Red team” is U.S. trends  Focus on comprehensive test
  23. 23. Thank You!!  If you have any questions, please feel free to contact me Contact Info • Email scientia.admin@gmail.com • JP Blog www.scientia-security.org
  24. 24. Bonus Session
  25. 25. Digital Penetration Test Certification  Certification for Penetration Tester • CEH (by EC-Council) • GIAC (by SANS) • OSCP (by Offensive Security)

×