SlideShare a Scribd company logo

Red Team Framework

👀 Joe Gray

Presented at the DEFCON27 Red Team Offensive Village on 8/10/19. From the dawn of technology, adversaries have been present. They have ranged from criminal actors and curious children to - more modernly - nation states and organized crime. As an industry, we started to see value in emulating bad actors and thus the penetration test was born. As time passes, these engagements become less about assessing the true security of the target organization and more about emulating other penetration testers. Furthermore, these tests have evolved into a compliance staple that results in little improvement and increasingly worse emulation of bad actors. In this presentation, we will provide a framework complementary to the Penetration Testing Execution Standard (PTES). This complementary work, the Red Team Framework (RTF), focuses on the objectives and scoping of adversarial emulation with increased focus on the perspective of the business, their threat models, and business models. The RTF borrows part of the PTES, adding emphasis on detection capabilities as well as purple team engagements. We believe this approach will better assist organizations and their defensive assets in understanding threats and building relevant detections.

Related slideshows

Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - Submitted
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
1 of 31
Red Team Framework Adrian Sanabria Joe Gray
About Adrian Defender - 9 years Financial Services Consultant - 5 years Pen Testing, PCI Industry Analyst - 4 years 451 Research Research, Vendor Strategy - 2 years Savage Security, Threatcare, NopSec, Thinkst @sawaba
• Senior Security Architect • 2017 DerbyCon Social Engineering Capture the Flag (SECTF) winner • On 3rd Place Team at 2018 & 2019 NOLACon OSINT CTF (Password Inspection Agency) • On 2nd Place Team at 2019 BSides OSINT CTF (Password Inspection Agency) • Served in the US Navy, Navigating Submarines • CISSP-ISSMP, GSNA, GCIH, OSWP • Forbes Contributor • Currently Authoring Social Engineering and OSINT Book, Securing the Human Element with No Starch Press • Maintained blog and podcast at https://advancedpersistentsecurity.net • Just started offering OSINT training (OSINTion; formerly OSINT Associates) About Joe
Why Create a New Framework? What do these words mean to you? Red Team Purple Team Pen Testing Vuln Assessment WebApp Assessment
What’s wrong with pen testing/red teaming? ● The design is flawed and can’t fulfill expectations ○ Not an indicator of an organization’s risk ○ Doesn’t simulate adversaries ○ Tries to prove/disprove a persistent negative ● The execution is inefficient; lots of room for improvement ○ Consulting industry ‘cash cow’ – why change? ○ Lack of automation; process improvement; feedback loops ○ Better alternatives are sold as ‘advanced’, to more mature orgs ● It isn’t what clients need to improve
Pen Test vs Red Team Engagement Pen Test • Pwnage based • Largely for compliance • Incorrectly helps management sleep better (digital melatonin) Red Team • Objective based • Emulates a specific actor or TTP • Seeks to measure various metrics that actually matter (Penetration capability, detection, etc)
Myth #1 Penetration tests are accurate measurements of an organization’s security
Myth #2 Penetration testing emulates adversarial behavior
Myth #3 Penetration tests serve no purpose in a mature organization’s environment
Myth #4 Penetration testing is synonymous with red teaming
Myth #5 Black box testing is the most comprehensive method of applied security testing
Red Teaming Process Scoping ID the Threat Model Baseline Security Rescoping Learning Execution Measurement Debriefing Retesting Purple Team
Scoping • Define the objective(s) • Define success • Scope the following: • Time • Money • Number of systems • Rules of Engagement • IOCs/TTPs to utilize
Identification of Threat Model • Based on several variables • Client base • Geographic Location • Line of business • Government affiliations • Sector/Industry
Baseline Security Model • Are you tall enough to ride the proverbial ride? • Frameworks like Centre for Internet Security Critical Security Controls • Minimum of the Top 5 • Vulnerability Management • Previous Testing • DFIR/Monitoring Capabilities? • NIST SP 800-53
Rescoping • Refine the objective(s) • Focus the scope the following: • Time (time frame and allocated hours to complete) • Money • Refine Number of systems (likely a lower number than in scoping) • Rules of Engagement • Social Engineering, Web, Exploit Development • IOCs/TTPs to utilize • Potentially solicit input from an ISAC
Learning • “Simulated Dwell Time” • Access to and/or data from: • SEIM • Previous Reports • PCAPs, Netflow, other monitoring tools • Diagrams • Configurations • Interviews
Execution • Reference technical frameworks: • Pen Test Execution Standard • Social Engineering Framework • Mitre ATT&CK
Measurement • I see you, do you see me? • Data points: • Time to detect • Quality of report • Accuracy of the report • Actions taken • Efficacy of actions taken
Debriefing • Presentation including: • TTPs • Findings • Statistics from Measurement Phase • Recommended Actions • Qualitative Score
Retesting • Allow the organization to retrain, adjust, and retry
Purple Teaming • Similar to retesting, but the adversary is in the room/in communication with the defensive team • Allows the adversaries to allow detection attempts or announce actions to teach detections • More efficient that turning the noise up or Thunderstrucking or Rick Rolling
Supporting Frameworks ● Pen Test Execution Standard ○ http://www.pentest-standard.org/index.php/Main_Page ● Social Engineering Framework ○ https://www.social-engineer.org/framework/general-discussion/ ● Mitre ATT&CK ○ https://attack.mitre.org/ ● NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment) ○ https://csrc.nist.gov/publications/detail/sp/800-115/final ● More here: https://www.owasp.org/index.php/Penetration_testing_methodologies#Technical_Guide_to_Information_Security_Testing_and_Asses sment_.28NIST800-115.29
Joe’s Upcoming Speaking Engagements • 9/26-27: DefendCon (Seattle) • 10/10-11: HackerHalted (Atlanta, GA) • 10/22: Wild West Hackin Fest
Adrian’s Upcoming Speaking Engagements Virus Bulletin 2019 in London: Closing Keynote with Haroon Meer
Upcoming OSINT Training Opportunities • In-Person •All with details TBD (unless otherwise noted): • Louisville (around the time of DerbyCon • Atlanta (around the time of HackerHalted) • Maybe Dallas, Philadelphia, and Boston in 2019 •Online: • More upcoming, watch Twitter and LinkedIn
Hacker Halted 2019 • October 10-11 • Atlanta, GA USA • Free Admission • Coupon Code: Joe100 or https://hackerhalted2019.eventbrite.com?discount=Joe100 • Discount on Training • Coupon Code: JJHHTRN (15% off training) • Register at: - https://hackerhalted2019.eventbrite.com
Recon-ng Training • August 29 • 6-8 PM (Eastern Time) • Coupon Code: 13BSIDESLV37 • August 31 • 1-3 PM (Eastern Time) • Coupon Code: 13BSIDESLV37 • Register for either here: • https://bit.ly/2YVqyJu
Questions?
Contacting Us • Contacting Adrian: • @sawaba • Contacting Joe: • @C_3PJoe | @advpersistsec | @hackingglass • @TheOSINTion |@valhallainfos3c • Facebook.com/theOSINTion • LinkedIn.com/in/JoeGrayInfosec
Red Team Framework

More Related Content

Red Team Framework

  • 1. Red Team Framework Adrian Sanabria Joe Gray
  • 2. About Adrian Defender - 9 years Financial Services Consultant - 5 years Pen Testing, PCI Industry Analyst - 4 years 451 Research Research, Vendor Strategy - 2 years Savage Security, Threatcare, NopSec, Thinkst @sawaba
  • 3. • Senior Security Architect • 2017 DerbyCon Social Engineering Capture the Flag (SECTF) winner • On 3rd Place Team at 2018 & 2019 NOLACon OSINT CTF (Password Inspection Agency) • On 2nd Place Team at 2019 BSides OSINT CTF (Password Inspection Agency) • Served in the US Navy, Navigating Submarines • CISSP-ISSMP, GSNA, GCIH, OSWP • Forbes Contributor • Currently Authoring Social Engineering and OSINT Book, Securing the Human Element with No Starch Press • Maintained blog and podcast at https://advancedpersistentsecurity.net • Just started offering OSINT training (OSINTion; formerly OSINT Associates) About Joe
  • 4. Why Create a New Framework? What do these words mean to you? Red Team Purple Team Pen Testing Vuln Assessment WebApp Assessment
  • 5. What’s wrong with pen testing/red teaming? ● The design is flawed and can’t fulfill expectations ○ Not an indicator of an organization’s risk ○ Doesn’t simulate adversaries ○ Tries to prove/disprove a persistent negative ● The execution is inefficient; lots of room for improvement ○ Consulting industry ‘cash cow’ – why change? ○ Lack of automation; process improvement; feedback loops ○ Better alternatives are sold as ‘advanced’, to more mature orgs ● It isn’t what clients need to improve
  • 6. Pen Test vs Red Team Engagement Pen Test • Pwnage based • Largely for compliance • Incorrectly helps management sleep better (digital melatonin) Red Team • Objective based • Emulates a specific actor or TTP • Seeks to measure various metrics that actually matter (Penetration capability, detection, etc)
  • 7. Myth #1 Penetration tests are accurate measurements of an organization’s security
  • 8. Myth #2 Penetration testing emulates adversarial behavior
  • 9. Myth #3 Penetration tests serve no purpose in a mature organization’s environment
  • 10. Myth #4 Penetration testing is synonymous with red teaming
  • 11. Myth #5 Black box testing is the most comprehensive method of applied security testing
  • 12. Red Teaming Process Scoping ID the Threat Model Baseline Security Rescoping Learning Execution Measurement Debriefing Retesting Purple Team
  • 13. Scoping • Define the objective(s) • Define success • Scope the following: • Time • Money • Number of systems • Rules of Engagement • IOCs/TTPs to utilize
  • 14. Identification of Threat Model • Based on several variables • Client base • Geographic Location • Line of business • Government affiliations • Sector/Industry
  • 15. Baseline Security Model • Are you tall enough to ride the proverbial ride? • Frameworks like Centre for Internet Security Critical Security Controls • Minimum of the Top 5 • Vulnerability Management • Previous Testing • DFIR/Monitoring Capabilities? • NIST SP 800-53
  • 16. Rescoping • Refine the objective(s) • Focus the scope the following: • Time (time frame and allocated hours to complete) • Money • Refine Number of systems (likely a lower number than in scoping) • Rules of Engagement • Social Engineering, Web, Exploit Development • IOCs/TTPs to utilize • Potentially solicit input from an ISAC
  • 17. Learning • “Simulated Dwell Time” • Access to and/or data from: • SEIM • Previous Reports • PCAPs, Netflow, other monitoring tools • Diagrams • Configurations • Interviews
  • 18. Execution • Reference technical frameworks: • Pen Test Execution Standard • Social Engineering Framework • Mitre ATT&CK
  • 19. Measurement • I see you, do you see me? • Data points: • Time to detect • Quality of report • Accuracy of the report • Actions taken • Efficacy of actions taken
  • 20. Debriefing • Presentation including: • TTPs • Findings • Statistics from Measurement Phase • Recommended Actions • Qualitative Score
  • 21. Retesting • Allow the organization to retrain, adjust, and retry
  • 22. Purple Teaming • Similar to retesting, but the adversary is in the room/in communication with the defensive team • Allows the adversaries to allow detection attempts or announce actions to teach detections • More efficient that turning the noise up or Thunderstrucking or Rick Rolling
  • 23. Supporting Frameworks ● Pen Test Execution Standard ○ http://www.pentest-standard.org/index.php/Main_Page ● Social Engineering Framework ○ https://www.social-engineer.org/framework/general-discussion/ ● Mitre ATT&CK ○ https://attack.mitre.org/ ● NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment) ○ https://csrc.nist.gov/publications/detail/sp/800-115/final ● More here: https://www.owasp.org/index.php/Penetration_testing_methodologies#Technical_Guide_to_Information_Security_Testing_and_Asses sment_.28NIST800-115.29
  • 24. Joe’s Upcoming Speaking Engagements • 9/26-27: DefendCon (Seattle) • 10/10-11: HackerHalted (Atlanta, GA) • 10/22: Wild West Hackin Fest
  • 25. Adrian’s Upcoming Speaking Engagements Virus Bulletin 2019 in London: Closing Keynote with Haroon Meer
  • 26. Upcoming OSINT Training Opportunities • In-Person •All with details TBD (unless otherwise noted): • Louisville (around the time of DerbyCon • Atlanta (around the time of HackerHalted) • Maybe Dallas, Philadelphia, and Boston in 2019 •Online: • More upcoming, watch Twitter and LinkedIn
  • 27. Hacker Halted 2019 • October 10-11 • Atlanta, GA USA • Free Admission • Coupon Code: Joe100 or https://hackerhalted2019.eventbrite.com?discount=Joe100 • Discount on Training • Coupon Code: JJHHTRN (15% off training) • Register at: - https://hackerhalted2019.eventbrite.com
  • 28. Recon-ng Training • August 29 • 6-8 PM (Eastern Time) • Coupon Code: 13BSIDESLV37 • August 31 • 1-3 PM (Eastern Time) • Coupon Code: 13BSIDESLV37 • Register for either here: • https://bit.ly/2YVqyJu
  • 30. Contacting Us • Contacting Adrian: • @sawaba • Contacting Joe: • @C_3PJoe | @advpersistsec | @hackingglass • @TheOSINTion |@valhallainfos3c • Facebook.com/theOSINTion • LinkedIn.com/in/JoeGrayInfosec