Kickstart Your Enterprise Red Team

Transcript

1. Kickstart Your Enterprise Red Team Daniel Marques, MSc, CISSP Victoria

   Dea, CISSP, GPEN, GWAPT

2. Disclaimer The views and opinions expressed in this talk are

   our own and do not necessarily represent those of our employer. These slides are for educational purpose only and are not to be relied upon as professional advice.

3. Victoria Dea Daniel Marques @0xc0da Victoria Dea Daniel Marques @0xc0da

4. Does it look familiar? Scope Test Report Fix Can somebody

   hack {…} ? Where do I start?

5. Penetration Testing vs. Breach & Attack Simulation vs. Red Teaming?

   They all have different goals and serve different purposes. Coverage and exploitability Automation and scalability Improve detection and response

6. THE RED TEAM GOAL IS TO HELP IMPROVE RESILIENCE Challenging

   Assumptions Demonstrating Impact Emulating Adversaries

7. DO YOU NEED A. RED TEAM PROGRAM? Which bears the

   question, Structured red team operations Tailored to organization needs Improve support for teams Demonstrate value Maybe.

8. THE CHALLENGE OF CROSS-FUNCTION INTEGRATION Misalignment with business objectives Define

   reasonable metrics Communicating objectives and results

9. Hiring, retaining, and training red teamers Challenge in the people

   space

10. Software & Hardware & Lab setup* *or the case for

    dedicated red team tech

11. You might be asking yourself WHERE DO I START?

12. Why How What Simon Sinek’s Golden Circle Define the mission,

    vision, and goals focused on your business. “Start with the why”

13. COMPARE CURRENT AND DESIRED STATE TO DEVELOP A ROADMAP.

14. redteams.fyi Red Team Maturity Models Jordan Potti Noah Potti Trevin

    Edgeworth redteammaturity.com Brent Harrell Garet Stroup

15. Think in terms of initiatives the red team can support.

    START SMALL BUT PLAN FOR THE FUTURE

16. STANDARDIZE EARLY Operational procedures Report templates Findings and recommendations

17. Relationships matter. Remember: It is not about us. It is

    about them. https://danielmiessler.com/study/red-blue-purple- teams/

18. Are you testing what matters? TALK TO YOUR RISK MANAGEMENT

    TEAM.

19. we need a taxonomy. To improve communication https://attack.mitre.org/ Contextualize vulnerabilities

    Blue team: Map threat behavior to attack path Structured profile-based operations

20. When communicating results up ALIGN FIRST WITH OTHER TEAMS Show

    improvements for detection and response Prepare a remediation plan Tell a story that makes sense and demonstrates impact

21. We need to talk about METRICS.

22. answer questions Metrics should What has the team achieved? What

    positive impact is the red team creating? Are we helping other teams to advance?

23. .Program metrics. vs .Campaign metrics. Is the program advancing? What

    was the operation’s outcome? Operations Planned x Performed New detections created Time to initial access Time to detection Time to recover Attack Path Initial Detection Based on the works of Jordan Potti, Cedric Owens, and Daniel Marques Attack Path Stage Reached Critical processes covered Mean time metrics

24. Key. Takeaways Communication is essential Be flexible and support other

    cybersecurity teams Standardize early and review often Adopt reasonable metrics

25. Thank You!

26. References https://attack.mitre.org/ https://dispatch.redteams.fyi/guidance-on-measurements/ https://github.com/cedowens/Rolling_Op_Metrics https://medium.com/red-teaming-with-a-blue-team-mentality/helpful-red-team-operation-metrics- fabe5e74c4ac https://www.redteams.fyi/ https://www.redteammaturity.com

27. Images https://www.pexels.com/photo/road-landscape-mountains-nature-63324/ https://www.pexels.com/photo/man-in-black-crew-neck-long-sleeve-shirt-9558577/ https://www.pexels.com/photo/red-hoodie-3054218/ https://www.pexels.com/photo/charts-and-graphs-on-paper-on-a-clipboard-9304917/