
Red Team Framework

Presented at the DEFCON27 Red Team Offensive Village on 8/10/19.

From the dawn of technology, adversaries have been present. They have ranged from criminal actors and curious children to, more recently, nation states and organized crime. As an industry, we started to see value in emulating bad actors, and thus the penetration test was born. Over time, these engagements have become less about assessing the true security of the target organization and more about emulating other penetration testers. Furthermore, they have become a compliance staple that yields little improvement and increasingly poor emulation of bad actors.

In this presentation, we will provide a framework complementary to the Penetration Testing Execution Standard (PTES). This complementary work, the Red Team Framework (RTF), centers on the objectives and scoping of adversarial emulation, with greater attention to the business's perspective, threat models, and business models. The RTF borrows part of the PTES, adding emphasis on detection capabilities as well as purple team engagements. We believe this approach will better assist organizations and their defensive assets in understanding threats and building relevant detections.


Red Team Framework

  1. Red Team Framework
     Adrian Sanabria, Joe Gray
  2. About Adrian
     • Defender - 9 years, Financial Services
     • Consultant - 5 years, Pen Testing, PCI
     • Industry Analyst - 4 years, 451 Research
     • Research, Vendor Strategy - 2 years, Savage Security, Threatcare, NopSec, Thinkst
     • @sawaba
  3. About Joe
     • Senior Security Architect
     • 2017 DerbyCon Social Engineering Capture the Flag (SECTF) winner
     • On 3rd place team at 2018 & 2019 NOLACon OSINT CTF (Password Inspection Agency)
     • On 2nd place team at 2019 BSides OSINT CTF (Password Inspection Agency)
     • Served in the US Navy, navigating submarines
     • CISSP-ISSMP, GSNA, GCIH, OSWP
     • Forbes contributor
     • Currently authoring a social engineering and OSINT book, Securing the Human Element, with No Starch Press
     • Maintains a blog and podcast at https://advancedpersistentsecurity.net
     • Just started offering OSINT training (OSINTion; formerly OSINT Associates)
  4. Why Create a New Framework?
     What do these words mean to you?
     • Red Team
     • Purple Team
     • Pen Testing
     • Vuln Assessment
     • WebApp Assessment
  5. What’s wrong with pen testing/red teaming?
     ● The design is flawed and can’t fulfill expectations
       ○ Not an indicator of an organization’s risk
       ○ Doesn’t simulate adversaries
       ○ Tries to prove/disprove a persistent negative
     ● The execution is inefficient; lots of room for improvement
       ○ Consulting industry ‘cash cow’ - why change?
       ○ Lack of automation, process improvement, feedback loops
       ○ Better alternatives are sold as ‘advanced’, to more mature orgs
     ● It isn’t what clients need to improve
  6. Pen Test vs Red Team Engagement
     Pen Test
     • Pwnage based
     • Largely for compliance
     • Incorrectly helps management sleep better (digital melatonin)
     Red Team
     • Objective based
     • Emulates a specific actor or TTP
     • Seeks to measure various metrics that actually matter (penetration capability, detection, etc.)
  7. Myth #1: Penetration tests are accurate measurements of an organization’s security
  8. Myth #2: Penetration testing emulates adversarial behavior
  9. Myth #3: Penetration tests serve no purpose in a mature organization’s environment
  10. Myth #4: Penetration testing is synonymous with red teaming
  11. Myth #5: Black box testing is the most comprehensive method of applied security testing
  12. Red Teaming Process (in order)
      • Scoping
      • Identify the Threat Model
      • Baseline Security
      • Rescoping
      • Learning
      • Execution
      • Measurement
      • Debriefing
      • Retesting
      • Purple Team
  13. Scoping
      • Define the objective(s)
      • Define success
      • Scope the following:
        • Time
        • Money
        • Number of systems
        • Rules of Engagement
        • IOCs/TTPs to utilize
  14. Identification of Threat Model
      • Based on several variables:
        • Client base
        • Geographic location
        • Line of business
        • Government affiliations
        • Sector/industry
  15. Baseline Security Model
      • Are you tall enough to ride the proverbial ride?
      • Frameworks like the Center for Internet Security (CIS) Critical Security Controls
        • Minimum of the Top 5
      • Vulnerability management
      • Previous testing
      • DFIR/monitoring capabilities?
      • NIST SP 800-53
  16. Rescoping
      • Refine the objective(s)
      • Focus the scope on the following:
        • Time (time frame and allocated hours to complete)
        • Money
        • Refine the number of systems (likely a lower number than in scoping)
        • Rules of Engagement
          • Social engineering, web, exploit development
        • IOCs/TTPs to utilize
      • Potentially solicit input from an ISAC
  17. Learning
      • “Simulated dwell time”
      • Access to and/or data from:
        • SIEM
        • Previous reports
        • PCAPs, NetFlow, other monitoring tools
        • Diagrams
        • Configurations
        • Interviews
  18. Execution
      • Reference technical frameworks:
        • Penetration Testing Execution Standard (PTES)
        • Social Engineering Framework
        • MITRE ATT&CK
  19. Measurement
      • I see you, do you see me?
      • Data points:
        • Time to detect
        • Quality of the report
        • Accuracy of the report
        • Actions taken
        • Efficacy of actions taken
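The quantitative data points of the Measurement phase (time to detect, and which actions were seen at all) fall out of one join: the red team's own timestamped activity log, mapped to ATT&CK technique IDs, against an export of the blue team's alerts on the same hosts. The script below is an added example written for this page, not code from the slides or the authors. Both logs are constructed sample data, the alert rule names are hypothetical, and the matching key (host plus technique ID, first alert at or after the action within a window) is an assumption about how the two sides tag their events.

```python
"""Measurement phase, quantified: did the blue team see each red team action, and how fast?

Added example, not code from the slides. It joins the red team's own activity log
with an export of the blue team's alerts on (host, ATT&CK technique ID) and, for
each red action, takes the first alert on that host and technique at or after the
action within a detection window. Both logs below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class RedAction:
    ts: datetime
    host: str
    technique: str  # ATT&CK technique ID the red team maps the action to
    note: str


@dataclass(frozen=True)
class BlueAlert:
    ts: datetime
    host: str
    technique: str  # ATT&CK technique ID the detection rule is tagged with
    rule: str


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: one day of an engagement as logged by the red team.
RED_LOG = [
    RedAction(_t("2019-08-10T09:02:00"), "ws-017", "T1566.001", "phish with macro doc"),
    RedAction(_t("2019-08-10T09:05:30"), "ws-017", "T1059.001", "PowerShell stager"),
    RedAction(_t("2019-08-10T10:40:00"), "ws-017", "T1558.003", "Kerberoast service accounts"),
    RedAction(_t("2019-08-10T13:15:00"), "srv-db-02", "T1021.002", "lateral movement via ADMIN$"),
    RedAction(_t("2019-08-10T14:00:00"), "srv-db-02", "T1003.001", "LSASS dump"),
]

# Constructed sample: the SOC's alert export for the same day (hypothetical rule names).
BLUE_LOG = [
    BlueAlert(_t("2019-08-10T08:30:00"), "ws-017", "T1059.001", "ps-encoded-cmd"),  # before the action: unrelated
    BlueAlert(_t("2019-08-10T09:07:10"), "ws-017", "T1059.001", "ps-encoded-cmd"),
    BlueAlert(_t("2019-08-10T11:30:00"), "ws-099", "T1558.003", "kerberoast-burst"),  # right technique, wrong host
    BlueAlert(_t("2019-08-10T16:20:00"), "srv-db-02", "T1003.001", "lsass-access"),
]


def time_to_detect(action: RedAction, alerts, window=timedelta(hours=24)) -> Optional[timedelta]:
    """Delay until the first alert for the same host and technique, or None if nothing fired in the window."""
    delays = [
        a.ts - action.ts
        for a in alerts
        if a.host == action.host
        and a.technique == action.technique
        and action.ts <= a.ts <= action.ts + window
    ]
    return min(delays) if delays else None


def score_engagement(red_log, blue_log, window=timedelta(hours=24)) -> dict:
    """Per-action detection results plus the engagement-level numbers for the debrief."""
    per_action = []
    for act in red_log:
        ttd = time_to_detect(act, blue_log, window)
        per_action.append({
            "technique": act.technique,
            "host": act.host,
            "note": act.note,
            "detected": ttd is not None,
            "ttd_minutes": None if ttd is None else ttd.total_seconds() / 60,
        })
    detected = [r for r in per_action if r["detected"]]
    return {
        "actions": len(per_action),
        "detected": len(detected),
        "coverage": len(detected) / len(per_action) if per_action else 0.0,
        "median_ttd_minutes": median([r["ttd_minutes"] for r in detected]) if detected else None,
        # Techniques with no detection at all: the candidates for the purple team session.
        "missed_techniques": sorted({r["technique"] for r in per_action if not r["detected"]}),
        "per_action": per_action,
    }


if __name__ == "__main__":
    summary = score_engagement(RED_LOG, BLUE_LOG)
    for r in summary["per_action"]:
        status = f"{r['ttd_minutes']:.1f} min" if r["detected"] else "MISSED"
        print(f"{r['technique']:<10} {r['host']:<10} {status:<10} {r['note']}")
    med = summary["median_ttd_minutes"]
    print(f"coverage {summary['coverage']:.0%}, median time to detect "
          f"{'n/a' if med is None else f'{med:.1f} min'}, missed {summary['missed_techniques']}")
```

Two details matter for the numbers to mean anything: an alert that fired before the action (the 08:30 PowerShell alert) must not count, and an alert for the right technique on the wrong host (the Kerberoasting alert on ws-099) is a miss for this action, not a hit. The window keeps a stray alert days later from being scored as a detection; tighten it to the dwell time the engagement is meant to test. The qualitative data points on the slide (report quality and accuracy, efficacy of actions taken) still need a human in the debrief.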
  20. Debriefing
      • Presentation including:
        • TTPs
        • Findings
        • Statistics from the Measurement phase
        • Recommended actions
        • Qualitative score
  21. Retesting
      • Allow the organization to retrain, adjust, and retry
  22. Purple Teaming
      • Similar to retesting, but the adversary is in the room/in communication with the defensive team
      • Lets the adversary pause for detection attempts or announce actions to teach the defenders what to detect
      • More efficient than turning the noise up or Thunderstrucking or Rick Rolling
  23. Supporting Frameworks
      ● Pen Test Execution Standard
        ○ http://www.pentest-standard.org/index.php/Main_Page
      ● Social Engineering Framework
        ○ https://www.social-engineer.org/framework/general-discussion/
      ● MITRE ATT&CK
        ○ https://attack.mitre.org/
      ● NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)
        ○ https://csrc.nist.gov/publications/detail/sp/800-115/final
      ● More here: https://www.owasp.org/index.php/Penetration_testing_methodologies#Technical_Guide_to_Information_Security_Testing_and_Assessment_.28NIST800-115.29
  24. Joe’s Upcoming Speaking Engagements
      • 9/26-27: DefendCon (Seattle)
      • 10/10-11: HackerHalted (Atlanta, GA)
      • 10/22: Wild West Hackin Fest
  25. Adrian’s Upcoming Speaking Engagements
      • Virus Bulletin 2019 in London: closing keynote with Haroon Meer
  26. Upcoming OSINT Training Opportunities
      • In person, all with details TBD (unless otherwise noted):
        • Louisville (around the time of DerbyCon)
        • Atlanta (around the time of HackerHalted)
        • Maybe Dallas, Philadelphia, and Boston in 2019
      • Online: more upcoming, watch Twitter and LinkedIn
  27. Hacker Halted 2019
      • October 10-11, Atlanta, GA, USA
      • Free admission: coupon code Joe100 or https://hackerhalted2019.eventbrite.com?discount=Joe100
      • Discount on training: coupon code JJHHTRN (15% off training)
      • Register at https://hackerhalted2019.eventbrite.com
  28. Recon-ng Training
      • August 29, 6-8 PM (Eastern Time), coupon code 13BSIDESLV37
      • August 31, 1-3 PM (Eastern Time), coupon code 13BSIDESLV37
      • Register for either here: https://bit.ly/2YVqyJu
  29. Questions?
  30. Contacting Us
      • Adrian: @sawaba
      • Joe: @C_3PJoe | @advpersistsec | @hackingglass | @TheOSINTion | @valhallainfos3c
        • Facebook.com/theOSINTion
        • LinkedIn.com/in/JoeGrayInfosec


