AV TOKYO 2017（http://ja.avtokyo.org/）の講演資料を公開します。

1. What is Red Team Service?
~Latest Penetration Test Trends in U.S.~
TOMOHISA ISHIKAWA
scientia.admin@gmail.com
www.scientia-security.org

2. $$ WHO AM I ?
 Tomohisa Ishikawa
• Security Consultant (9 years experience)
• Specialized Area
• Penetration Test, IR, Security Consultation, Vulnerability Management, Awareness,
Training, Global Security Management…
• Various Speaker Experience
• SANSFIRE 2011 & 2012, DEF CON 24 SE Village, LASCON 2016, BSides Philly 2017
• Certification Junkie
• CISSP, CSSLP, CISA, CISM, CFE, GPEN, GWAPT, GXPN, GWEB, GSNA, GREM, GCIH

3. Objective
 Sharing One Year Experience in security team of U.S.
insurance company
 Understanding difference of Methodology
• Traditional “Penetration Test” vs. “Red Team”

4. 皆様の会社（組織）、ペネトレーションテスト
やっていますか？
Do you have penetration test in your organization??

9. 日本で言うペネトレーションテストって…
Penetration Test in Japan is …
 某L社とか某N社のページを見てみると..
Let’s see HP of N company, L company, M company…
• Webセキュリティ診断サービス (Web Application Testing)
• プラットフォーム診断サービス (Platform Testing)
• 標的型攻撃診断サービス（メール訓練サービス・出口対策検証）
• 無線LAN診断サービス
• DDoS体制検証サービス
 安全第一！！
Safety of system is First Priority.
 ※ ちなみにセキュリティ診断とペネトレーションテストをほぼ同じ意味で使いますが、宗教上の
理由でこの二つを一緒に語ることが許せない人とは適当に読み替えてください。

10. 米国に行くと…
意外とペネトレーションテスターって
言わない人が多い？
Only few people said “I am a penetration tester”

11. 「ペネトレーションテスト」ってダサい？
“Penetration Test” is tacky???

13. What is “Red Team”?
 もともと、諜報機関で生まれた概念
Originally, it is from intelligence community
 敵の観点から作戦を検証したり、取得した情報の信憑性を批判的に
検証するチームのこと
Verify strategies or information from adversary view point
• Devil‘s Advocate（悪魔の弁護人）
• CIA Red Cell

14. What is the difference btw “Red Team” and “Pen Test”?
⇒ Coverage is different!!
Digital
Physical Social
• Web Application Testing
• Platform Testing
• APT Simulation
• APT Mail Awareness training
• Vishing（Voice Phishing）
• OSINT
• Tail Gating
• Impersonation
• ID Card Cloning
• Physical Access to box
• Elevator Hacking
• Physical Control Bypass

17.  According to Gartner…
• Long Term Challenge (NOT point-in-time assessment)
• より長期的にテストを実施。実施時間も２４時間いつでも実施する.
• Defense Coordination
• Blue Teamの機能も含めて評価を行い、改善につなげる。
• Adversary Simulation
• 攻撃者そのものの観点から実施する。（３つの観点の融合）
• Controlled but Real Intrusion
What is the difference btw “Red Team” and “Pen Test”?
⇒ Different Feature

18. Case 1: Physical Penetration Test

19.  Objective
• どこまで内部侵入して情報が取れるのか？
Is it possible to bypass physical access control?
 Methodology
• Breaking Lock (Picking, impassioning, Bypassing)
• Elevator Hacking
• RFID Cloning
• Social Engineering
Physical Penetration Test

20. Case 2: APT Adversary Simulation Service

21.  SLA of APT Adversary Simulation Service is following.
• Awareness Phishing
• Penetration Test Phishing
• Red Team Phishing
標的型攻撃サービス
APT Adversary Simulation Service

22.  Attempting attacks as same as “Japan Pension Service”
• Following Cyber Kill Chain
• OSINT & SOCMINT
• Selecting 2~3 targets, and sending attached email
• Exploitation
• Using “Fresh” vulnerability & Exploit
• Post Exploitation with PowerShell
• Password Cracking with GPU
• Lateral Movement & Reaching out “Treasures”
Red Team Phishing

23. OSINT Example
 Check LinkedIn and find out target
 Analyzing Twitter with SOCMINT Tools
• Target has a tendency to buy shoes in apparel shop
• Sending Coupon by pretending as appeal shop

24. TOOLS
 OSINT
• Maltago https://www.paterva.com/web7/
• FOCA https://www.elevenpaths.com/labstools/foca/index.html
• SpiderFoot http://www.spiderfoot.net/
• Discovery Script https://github.com/leebaird/discover
• Recon-ng https://bitbucket.org/LaNMaSteR53/recon-ng
• Cymon https://cymon.io/
• WeLink https://welink.com/dashboard/
• GEOFEEDIA https://geofeedia.com/
• ECHOSEC https://www.echosec.net/

25. TOOLS
 OTHER TOOLS (Part of them is experimental)
• GoPhish https://getgophish.com/
• Social Engineering Toolkit in Kali Linux
• Cobalt Strike https://www.cobaltstrike.com/
• Mimikatz https://github.com/gentilkiwi/mimikatz
• Responder https://github.com/SpiderLabs/Responder
• IPMI http://fish2.com/ipmi/remote-pw-cracking.html
• MITM Framework https://github.com/byt3bl33d3r/MITMf
• Spray WMI https://github.com/trustedsec/spraywmi

29. TOOLS
 PowerShell Tools
• PowerShell Empire https://github.com/EmpireProject/Empire
• EmPyre (Python) https://github.com/EmpireProject/EmPyre
• PowerSploit https://github.com/PowerShellMafia/PowerSploit
• Including PowerView・Invoke-Mimikatz・PowerUp
• Veil Framework https://www.veil-framework.com/
• Nishang https://github.com/samratashok/nishang
• Invoke-Obfuscation https://github.com/danielbohannon/Invoke-Obfuscation
• PS Attack https://github.com/jaredhaight/psattack
• NaishoDeNusumu https://github.com/3nc0d3r/NaishoDeNusumu
• BloodHound https://github.com/BloodHoundAD/BloodHound

32. Resource
 Great Presentation
• AD Security https://adsecurity.org/
• All presentation is awesome
• Adversarial Post-Exploitation: Lessons From The Pros
• https://www.youtube.com/watch?v=x3crG-hM9sc
• A Year in the Empire
• https://www.youtube.com/watch?v=ngvHshHCt_8
• PowerShell Secrets and Tactics
• https://www.youtube.com/watch?v=EQv4bJnCw8M
• Introducing PowerShell into your Arsenal with PS>Attack
• https://www.youtube.com/watch?v=mPckt6HQPsw
• Invoke-Obfuscation: PowerShell obFUsk8tion Techniques
• https://www.youtube.com/watch?v=P1lkflnWb0I

33. From Blue Team Side
 以下が本当に重要！！
• Full Spectrum Visibility (完全な可視化)
• Targeted Containment (標的型封じ込め)
 EDR (Endpoint Detection & Response)
• Ex) Tanium, Fidelis, Carbon Black, FireEye, Crowd Strike, Red Cloak, Cyber
Reason…

34. Wrap-Up
 “Red team” is U.S. trends
 Focus on comprehensive test

35. Thank You!!
 If you have any questions, please feel free to contact me
Contact Info
• Email scientia.admin@gmail.com
• JP Blog www.scientia-security.org

36. Bonus Session

37. Digital Penetration Test Certification
 Certification for Penetration Tester
• CEH (by EC-Council)
• GIAC (by SANS)
• OSCP (by Offensive Security)