Red Teaming and the Supply Chain .. proportional red teaming assessments of the supply chain

NCC Group Security Assurance Europe


But first…

"We may be at the point of diminishing returns by trying to buy down vulnerability"

"maybe it’s time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can ‘self-heal’ or ‘self-limit’ the damages inflicted upon them"

Gen. Michael Hayden (USAF-Ret.), ex NSA and CIA head, February, 2012

Today’s common approach to cyber

• Governance & compliance
• Risk strategy and management
• Education
• Technical discovery, measurement and validation
• Management
• Technical counter measures
• Security operations
• Response

Today’s common problems with cyber

We have data… we struggle to get information

We have risk models …we struggle with accuracy

We have technical counter measures … we have people

We have finite resource!

Today’s breach reality involving humans


2015 Information Security Breaches Survey: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/432413/bis-15-303_information_security_breaches_survey_2015-executive-eummary.pdf

CBEST & STAR = Red Teaming

Red Teaming = end-to-end assessment involving people, processes and technology plus the interactions

Security Testing Coverage & Depth

Red Teaming: Why?

USB stick drops near physical offices or via post

Red Teaming: Why?

Simple credential phishing

Red Teaming: Why?

Simple Microsoft Office macros (need user interaction)

Red Teaming: Why?

Exploits against common desktop apps via e-mail attachments or links

Red Teaming: Why?

Browser exploitation via second-party websites

Red Teaming: Why?

Hardware, software and services supply chains

Red Teaming & Defense: Reality…

We often only need one control failure or mistake to gain an internal foothold

.. then we are an insider! ..

Red Teaming: Provides Insight

• Is education / security culture effective?
• Are the technical counter measures working?
• Can your security operations detect?
• How does your incident response work in reality?
• Are the risk models accurate?

.. proportional to attacker profile/capabilities

Supply Chains..

Red Teaming: Supply Chain Insight

• Are they capable as they say they are?
• Are they doing what they say they are?
• Is my exposure what I expect it to be?
• Can I detect misuse?

… plus the other insights

Today’s Cyber Risk Reality

• We often look at ‘things’ in isolation
• We rarely consider subtle interplays or interconnects
• Supply chains work due to pooled aggregated effort
• Real-world cyber security is more nuanced than our models reflect

… it’s hard ...

Our Most Mature Clients' Concerns..

Confidence they are getting information from their data

.. thus not being able to feed their risk models

.. thus not understanding their true exposure

.. thus not having confidence in their ability to detect

.. thus wavering on their ability to respond

.. thus concern risk/exposure/liability is excessive

.. thus poor ROI from current spend

..

Red teaming is a real-world end-to-end assessment

with scaled representative threat attacker capabilities

Red teaming the supply chain can be the next step on the maturity model for some organizations

NCC Group continues to invest heavily to facilitate

Threat/Open Source Intelligence – ex police and government team

Piranha – phishing platform

Hive – command and control

EDG – exploit development group and implant development

Closing Thoughts..

2015 Information Security Breaches Survey: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/432413/bis-15-303_information_security_breaches_survey_2015-executive-eummary.pdf

Europe: Manchester (Head Office), Cheltenham, Edinburgh, Leatherhead, London, Milton Keynes, Amsterdam, Copenhagen, Munich, Zurich

North America: Atlanta, Austin, Chicago, Mountain View, New York, San Francisco, Seattle

Australia: Sydney

Thanks! Questions?

Blog: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/

Twitter: @NCCGroupInfoSec

Ollie [email protected]