ADVERSARY SIMULATION: “RED CELL” APPROACHES TO IMPROVING SECURITY
Talk Background
• Introduction and overview of Red Teaming
• Organizational challenges & opportunities
• Red Teaming / Red Cell effectiveness
• Meeting the defenders where they are at
• Adversary simulation
  • Emulating tactics, techniques and procedures
  • Being the adversary
• Resources
$whoami
• Chris Hernandez
• Red Teamer
• Former: Pentester, Vuln / Patch Mgmt, Sysadmin
• Bug bounty hunter
• IRC handle = piffd0s
• Blog = Nopsled.ninja
• @piffd0s
Introduction to Red Teaming
• What is “Red Teaming”?
• Origins of “Red Team”
• Examples of Red Teaming failures
• Examples of Red Team successes
What is Red Teaming?
• An approach, a mindset and a set of tactics
• Takes many forms: tabletop exercises, alternative analysis, computer models, and vulnerability probes
• Critical thinking
• A therapist…
What are its origins?
• Originated in 1960s military war-game exercises
• The Red Team was meant to emulate the Soviet Union
• 1963 - First historical example was a red team exercise structured around procuring a long-range bomber
• Most early examples are structured around determining the Soviet Union's capability
Red Team Failures: Operation Eagle Claw
• Failed mission to rescue 52 diplomats held captive in the US Embassy in Tehran
• Operation was “need to know”, not Red Teamed
• Operation was initiated without enough planning and foresight into potential challenges / obstacles
Unified Vision ’01 & Millennium Challenge ’02
• Millennium Challenge ’02
  • Red Cell is highly restricted in its actions
  • Red Cell pre-emptively attacks the US Navy fleet with all of its air and sea resources, sinking 21 Navy vessels
  • White Cell “refloats” the sunken Navy vessels
• Unified Vision ’01
  • White Cell informs Red Cell that Blue Team has destroyed all of their 21 hidden ballistic missile silos
  • Blue Team commander never actually knew the location of any of the 21 silos
Red Team Success Stories
• New York Marathon, NYPD and New York Road Runners
  • Cover scenarios like:
    • How do you identify tainted water sources
    • How to respond if drones show up in specific locations
    • Race can be diverted at any point
• Israeli Defense Force – “Ipcha Mistabra”
  • The opposite is most likely
  • Small group in the intelligence branch
  • Briefs officials and leaders on opposite explanations for scenarios
Organizational Challenges
• Overcoming Groupthink
• Maintaining Divergent thought
• Remaining Skeptical
• Assimilation into culture
• Communicating risk effectively
• Metacognition
• Leadership buy-in
• “Gaming” the Op
Red Cell Effectiveness
• Example: 57th Adversary Tactics Group
  • Only highly skilled pilots are allowed to become “aggressors”
  • Allowed to use only known adversary tactics and techniques, depending on who they are emulating
• The same should apply to all red teams
• Adversary emulation is key to realistic simulations
Red Cell Effectiveness
• Effective adversary emulation can mean being a “worse” threat actor
• Tests the defenders' “post-compromise” security posture, a.k.a. the “assumed breach” model
• Starting post-compromise / from a foothold can also save valuable time and money
Adversary Skill and Detection Model
[Chart: attacker Difficulty (y-axis, 0 to 6) plotted against defender maturity (x-axis: Ignorance, Detection, Proactive, Pre-emptive) for three attacker tiers: Script Kiddie, Criminal(s), APT]
What are the benefits of an effective Red Cell?
• Train and measure IR teams' detection and response
  • MSFT measures this as MTTD / MTTR: Mean Time To Detect and Mean Time To Recovery
• Validates investment in very expensive security products, services, and subscriptions
An example red cell exercise
• Build a relevant threat model based on your industry's threats, or competitors' breaches / news events
• Storyboard the attack
• Determine where IR should detect and respond
• Use the Red Team to validate the storyboard
• What went well / what went wrong – postmortem analysis
• Debrief tactics
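As an added example (not from the talk or its author), a small Python scorer for the storyboard approach above: each storyboarded step records when the red team executed it, whether the storyboard expected IR to detect it, and when the blue team detected and recovered. It computes the MTTD / MTTR figures from the benefits slide and lists the detection and response gaps for the postmortem. Step names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

@dataclass
class StoryboardStep:
    """One storyboarded attack step and what the blue team did about it."""
    name: str
    executed: datetime                      # when the red team carried out the step
    expected_detect: bool                   # storyboard said IR should catch this step
    detected: Optional[datetime] = None     # first blue-team alert or ticket; None if missed
    recovered: Optional[datetime] = None    # containment complete; None if never recovered

def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600

def score_exercise(steps):
    """Return MTTD / MTTR in hours plus the findings for the postmortem."""
    detected = [s for s in steps if s.detected is not None]
    recovered = [s for s in detected if s.recovered is not None]
    return {
        "mttd_hours": mean(_hours(s.executed, s.detected) for s in detected) if detected else None,
        "mttr_hours": mean(_hours(s.detected, s.recovered) for s in recovered) if recovered else None,
        # storyboard said IR should have seen it, but nobody did: a detection gap
        "missed_expected": [s.name for s in steps if s.expected_detect and s.detected is None],
        # caught a step the storyboard did not expect: note what worked
        "unexpected_catches": [s.name for s in steps if not s.expected_detect and s.detected is not None],
        # alert fired but was never acted on: a response gap
        "detected_not_recovered": [s.name for s in detected if s.recovered is None],
    }

T = datetime.fromisoformat
# Constructed sample storyboard; names and times are made up, not from a real exercise.
SAMPLE_STEPS = [
    StoryboardStep("phishing foothold", T("2016-03-01T09:00"), False),
    StoryboardStep("credential dumping on workstation", T("2016-03-01T10:30"), True,
                   T("2016-03-01T11:00"), T("2016-03-01T15:00")),
    StoryboardStep("scheduled task persistence", T("2016-03-01T11:30"), True),
    StoryboardStep("lateral movement to file server", T("2016-03-01T13:00"), True,
                   T("2016-03-01T14:00")),
    StoryboardStep("staging data for exfil", T("2016-03-02T08:00"), False,
                   T("2016-03-02T09:30"), T("2016-03-02T12:30")),
]

if __name__ == "__main__":
    for key, value in score_exercise(SAMPLE_STEPS).items():
        print(f"{key}: {value}")
```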
Putting it all together – Adversary simulation
• Emulate realistic threat actors' TTPs
• Assumed breach model
• Model attacker activity to your storyboard
• Information exchange between red and blue teams*
• Protect Red Team culture
• Repeat in a reasonable amount of time
Example Adversary Simulation – TTPs – “Deep Panda”
“After seeing how these indicators were being applied, though, I came to realize something very interesting: almost no one is using them effectively.” - The Pyramid of Pain
ADDITIONAL RESOURCES
Books:
Red Team – Micah Zenko
Applied Critical Thinking Handbook – UFMCS
Online:
Microsoft Enterprise Cloud Red Teaming Whitepaper
2015's Red Team Tradecraft / Adversary Simulation – Raphael Mudge
The Pyramid of Pain – David Bianco
Veris Group - Adaptive Threat Division – Will Schroeder and Justin Warner
The Adversary Manifesto - CrowdStrike