Red Team Framework
- 2. About Adrian
Defender - 9 years
Financial Services
Consultant - 5 years
Pen Testing, PCI
Industry Analyst - 4 years
451 Research
Research, Vendor Strategy - 2 years
Savage Security, Threatcare, NopSec,
Thinkst
@sawaba
- 3. • Senior Security Architect
• 2017 DerbyCon Social Engineering Capture the Flag (SECTF) winner
• On 3rd Place Team at 2018 & 2019 NOLACon OSINT CTF (Password Inspection Agency)
• On 2nd Place Team at 2019 BSides OSINT CTF (Password Inspection Agency)
• Served in the US Navy, Navigating Submarines
• CISSP-ISSMP, GSNA, GCIH, OSWP
• Forbes Contributor
• Currently Authoring Social Engineering and OSINT Book, Securing the Human Element with No
Starch Press
• Maintained blog and podcast at https://advancedpersistentsecurity.net
• Just started offering OSINT training (OSINTion; formerly OSINT Associates)
About Joe
- 4. Why Create a New Framework?
What do these words mean to you?
Red Team
Purple Team
Pen Testing
Vuln Assessment
WebApp Assessment
- 5. What’s wrong with pen testing/red teaming?
● The design is flawed and can’t fulfill expectations
○ Not an indicator of an organization’s risk
○ Doesn’t simulate adversaries
○ Tries to prove/disprove a persistent negative
● The execution is inefficient; lots of room for improvement
○ Consulting industry ‘cash cow’ – why change?
○ Lack of automation; process improvement; feedback loops
○ Better alternatives are sold as ‘advanced’, to more mature orgs
● It isn’t what clients need to improve
- 6. Pen Test vs Red Team Engagement
Pen Test
• Pwnage based
• Largely for compliance
• Incorrectly helps management
sleep better (digital melatonin)
Red Team
• Objective based
• Emulates a specific actor or TTP
• Seeks to measure various
metrics that actually matter
(Penetration capability,
detection, etc)
- 11. Myth #5
Black box testing is the most comprehensive method
of applied security testing
- 13. Scoping
• Define the objective(s)
• Define success
• Scope the following:
• Time
• Money
• Number of systems
• Rules of Engagement
• IOCs/TTPs to utilize
- 14. Identification of Threat Model
• Based on several variables
• Client base
• Geographic Location
• Line of business
• Government affiliations
• Sector/Industry
- 15. Baseline Security Model
• Are you tall enough to ride the proverbial ride?
• Frameworks like Centre for Internet Security Critical Security
Controls
• Minimum of the Top 5
• Vulnerability Management
• Previous Testing
• DFIR/Monitoring Capabilities?
• NIST SP 800-53
- 16. Rescoping
• Refine the objective(s)
• Focus the scope the following:
• Time (time frame and allocated hours to complete)
• Money
• Refine Number of systems (likely a lower number than in scoping)
• Rules of Engagement
• Social Engineering, Web, Exploit Development
• IOCs/TTPs to utilize
• Potentially solicit input from an ISAC
- 17. Learning
• “Simulated Dwell Time”
• Access to and/or data from:
• SEIM
• Previous Reports
• PCAPs, Netflow, other monitoring tools
• Diagrams
• Configurations
• Interviews
- 19. Measurement
• I see you, do you see me?
• Data points:
• Time to detect
• Quality of report
• Accuracy of the report
• Actions taken
• Efficacy of actions taken
- 22. Purple Teaming
• Similar to retesting, but the adversary is in the room/in
communication with the defensive team
• Allows the adversaries to allow detection attempts or announce actions to
teach detections
• More efficient that turning the noise up or Thunderstrucking or Rick Rolling
- 23. Supporting Frameworks
● Pen Test Execution Standard
○ http://www.pentest-standard.org/index.php/Main_Page
● Social Engineering Framework
○ https://www.social-engineer.org/framework/general-discussion/
● Mitre ATT&CK
○ https://attack.mitre.org/
● NIST SP 800-115 (Technical Guide to Information Security Testing
and Assessment)
○ https://csrc.nist.gov/publications/detail/sp/800-115/final
● More here:
https://www.owasp.org/index.php/Penetration_testing_methodologies#Technical_Guide_to_Information_Security_Testing_and_Asses
sment_.28NIST800-115.29
- 24. Joe’s Upcoming Speaking Engagements
• 9/26-27: DefendCon (Seattle)
• 10/10-11: HackerHalted (Atlanta, GA)
• 10/22: Wild West Hackin Fest
- 26. Upcoming OSINT Training Opportunities
• In-Person
•All with details TBD (unless otherwise noted):
• Louisville (around the time of DerbyCon
• Atlanta (around the time of HackerHalted)
• Maybe Dallas, Philadelphia, and Boston in 2019
•Online:
• More upcoming, watch Twitter and LinkedIn
- 27. Hacker Halted 2019
• October 10-11
• Atlanta, GA USA
• Free Admission
• Coupon Code: Joe100
or https://hackerhalted2019.eventbrite.com?discount=Joe100
• Discount on Training
• Coupon Code: JJHHTRN (15% off training)
• Register at: - https://hackerhalted2019.eventbrite.com
- 28. Recon-ng Training
• August 29
• 6-8 PM (Eastern Time)
• Coupon Code: 13BSIDESLV37
• August 31
• 1-3 PM (Eastern Time)
• Coupon Code: 13BSIDESLV37
• Register for either here:
• https://bit.ly/2YVqyJu
- 30. Contacting Us
• Contacting Adrian:
• @sawaba
• Contacting Joe:
• @C_3PJoe | @advpersistsec | @hackingglass
• @TheOSINTion |@valhallainfos3c
• Facebook.com/theOSINTion
• LinkedIn.com/in/JoeGrayInfosec