
Kickstart Your Enterprise Red Team

ISC2 Security Congress 2023 (Oct/23)

Organizations building internal red teams and penetration testing programs to keep up with the latest threats typically face three challenges: translating results to other security functions and leadership; aligning the red team program with business objectives; and demonstrating value. Learn how to address these challenges and kickstart your internal red team programs. We’ll explore approaches to improving communication, integrating enterprise functions and measuring program effectiveness. You’ll be ready to take the first steps toward deploying a team focused on improving your organization’s security posture in lieu of “rinse-and-repeat” testing.

ISC2 Security Congress 2023: https://cdmcd.co/PnKJ99 #ISC2Congress

Daniel Marques

October 26, 2023

Transcript

  1. Disclaimer: The views and opinions expressed in this talk are our own and do not necessarily represent those of our employer. These slides are for educational purposes only and are not to be relied upon as professional advice.
  2. Penetration Testing vs. Breach & Attack Simulation vs. Red Teaming? They all have different goals and serve different purposes: coverage and exploitability; automation and scalability; improve detection and response.
  3. The red team goal is to help improve resilience: challenging assumptions, demonstrating impact, emulating adversaries.
  4. Which bears the question: do you need a red team program? Maybe. Structured red team operations; tailored to organization needs; improve support for teams; demonstrate value.
  5. Simon Sinek's Golden Circle (Why, How, What): define the mission, vision, and goals focused on your business. "Start with the why."
  6. Red Team Maturity Models: redteams.fyi (Jordan Potti, Noah Potti, Trevin Edgeworth) and redteammaturity.com (Brent Harrell, Garet Stroup).
  7. Think in terms of initiatives the red team can support. Start small but plan for the future.
  8. Relationships matter. Remember: it is not about us, it is about them. https://danielmiessler.com/study/red-blue-purple-teams/
  9. To improve communication, we need a taxonomy (https://attack.mitre.org/): contextualize vulnerabilities; blue team: map threat behavior to attack path; structured profile-based operations.
  10. When communicating results up: align first with other teams; show improvements for detection and response; prepare a remediation plan; tell a story that makes sense and demonstrates impact.
  11. Metrics should answer questions: What has the team achieved? What positive impact is the red team creating? Are we helping other teams to advance?
  12. Program metrics vs. campaign metrics: Is the program advancing? What was the operation's outcome? Operations planned vs. performed; new detections created; time to initial access; time to detection; time to recover; attack path initial detection; attack path stage reached; critical processes covered; mean time metrics. Based on the works of Jordan Potti, Cedric Owens, and Daniel Marques.
  13. Key takeaways: communication is essential; be flexible and support other cybersecurity teams; standardize early and review often; adopt reasonable metrics.
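As an added example (not from the deck), a small Python module that computes the campaign and program metrics named on slide 12 from constructed operation records; the attack path stages, the record fields and the timestamps are assumptions, and an operation the blue team never detected stays in the counts instead of silently dropping out of the averages.

```python
from collections import namedtuple
from datetime import datetime
from statistics import mean

# Assumed attack path stages, in order (a real team would use its own ATT&CK-mapped profile).
ATTACK_PATH = ["initial-access", "execution", "persistence", "privilege-escalation",
               "lateral-movement", "collection", "exfiltration"]

# One record per operation; a timestamp is None when that event never happened.
Operation = namedtuple("Operation", "name start initial_access detected recovered "
                       "stage_reached detected_at_stage new_detections")

def hours_between(a, b):
    """Elapsed hours, or None when either timestamp is missing."""
    return None if a is None or b is None else (b - a).total_seconds() / 3600

def mean_or_none(values):
    """Mean over the measurable values; None when nothing was measurable."""
    vals = [v for v in values if v is not None]
    return mean(vals) if vals else None

def campaign_metrics(op):
    """Outcome of one operation (the deck's campaign metrics); stages are 1-based."""
    return {
        "time_to_initial_access_h": hours_between(op.start, op.initial_access),
        "time_to_detection_h": hours_between(op.initial_access, op.detected),
        "time_to_recover_h": hours_between(op.detected, op.recovered),
        "attack_path_stage_reached": ATTACK_PATH.index(op.stage_reached) + 1,
        "attack_path_initial_detection": (None if op.detected_at_stage is None
                                          else ATTACK_PATH.index(op.detected_at_stage) + 1),
    }

def program_metrics(planned, ops):
    """Is the program advancing? Undetected operations are counted, not averaged away."""
    return {
        "operations_planned": planned,
        "operations_performed": len(ops),
        "new_detections_created": sum(o.new_detections for o in ops),
        "undetected_operations": sum(1 for o in ops if o.detected is None),
        "mean_time_to_detection_h": mean_or_none(campaign_metrics(o)["time_to_detection_h"] for o in ops),
        "mean_time_to_recover_h": mean_or_none(campaign_metrics(o)["time_to_recover_h"] for o in ops),
    }

# Constructed sample records (not real operations): OP-1 caught at lateral movement, OP-2 never detected.
OPS = [
    Operation("OP-1", datetime(2023, 10, 2, 9), datetime(2023, 10, 2, 13), datetime(2023, 10, 4, 13),
              datetime(2023, 10, 5, 1), "lateral-movement", "lateral-movement", 2),
    Operation("OP-2", datetime(2023, 10, 16, 9), datetime(2023, 10, 16, 11), None, None,
              "exfiltration", None, 3),
]
```

Reporting the undetected count next to the mean time to detection is what keeps the "mean time" figure honest when an operation ran to the end of the attack path unnoticed.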