Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kickstarting your in-house Red Team: Challenges and approaches

Daniel Marques
June 10, 2023
Technology
0
580

Kickstarting your in-house Red Team: Challenges and approaches

BSidesSATX 2023 (Jun/23)

You have to build your organization’s Red Team from scratch. Where do you start? Organizations building internal red teams and penetration testing programs to keep up with the latest threats typically face three challenges: translating results to other security functions and leadership, aligning the red team program with business objectives, and demonstrating value.

This talk aims to help attendees address these challenges and kickstart their internal red team programs by:

- Outlining challenges, positive results, and setbacks identified while building internal red team programs;
- Proposing approaches to improving communication, integrating enterprise functions, and measuring program effectiveness
- Discussing our experiences managing a team of red team operators, helping organizations build a red team program, and what was observed in many companies trying to develop similar initiatives.

The goal is to help attendees kickstart an in-house red team program, providing ideas to communicate with other security functions, keep red team operators engaged, and deliver meaningful outcomes aligned with the overall cybersecurity goals. After the talk, attendees should be capable of taking the first steps toward deploying a team focused on improving the organization’s security posture instead of rinse-and-repeat testing.

BSides SATX 2023: https://cfp.bsidessatx.com/2023/talk/DRMSQQ/

Daniel Marques

June 10, 2023
Tweet

More Decks by Daniel Marques

See All by Daniel Marques
Kickstart Your Enterprise Red Team
0xc0da
0
36
The Red Teamer's Guide To Building A Program
0xc0da
0
330
A Song of Hashes and Dumps: What I've learned from cracking .br passwords
0xc0da
1
490
Python para Análises de Segurança (ERSI-2014)
0xc0da
0
85
Game of Hashes: Quebrando, passando e libertando senhas
0xc0da
0
250
Badass XSS: Esqueça o alert e vá para mundo real
0xc0da
0
85

Other Decks in Technology

See All in Technology
GrafanaMeetup_AmazonManagedGrafanaのアクセス制御機能とマルチテナント環境下でのアクセス制御について
daitak
0
400
EMとして2023年度に頑張ったこと / What we did well in FY2023 as a EM
pauli
1
210
Improve Your Development Workflow with Gemini Code Assist
meteatamel
0
130
LayerXにおけるLLMプロダクト開発の今までとこれから
layerx
PRO
4
660
いつか使うかも貯金してたらめちゃめちゃ機能が増えてた話
riyaamemiya
0
620
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
150
require(ESM)とECMAScript仕様
uhyo
4
960
チームでロジカルシンキングに改めて向き合っている話 〜学習環境と実践⽅法〜
sansantech
PRO
3
3.3k
競技としてのKaggle、役に立つKaggle
yu4u
6
2.3k
Google Cloud Next '24でブログを10本書いた方法と勉強会を沸かせた方法
yasumuusan
0
330
Grafana x PagerDuty Better Together
jacopen
1
260
IPUT App Dev. Co. -Overview 2024/4
iputapp
0
120

Featured

See All Featured
The MySQL Ecosystem @ GitHub 2015
samlambert
244
12k
Rebuilding a faster, lazier Slack
samanthasiow
74
8.2k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
20
1.6k
Designing the Hi-DPI Web
ddemaree
276
33k
Art, The Web, and Tiny UX
lynnandtonic
290
19k
Facilitating Awesome Meetings
lara
43
5.6k
A better future with KSS
kneath
231
16k
The Mythical Team-Month
searls
216
42k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
20
1.7k
Agile that works and the tools we love
rasmusluckow
325
20k
Building Better People: How to give real-time feedback that sticks.
wjessup
356
18k
Music & Morning Musume
bryan
41
5.6k

Transcript

  1. Kickstarting your in-house Red Team Challenges and approaches Daniel C.

    Marques (@0xc0da) Victoria Dea

  2. Disclaimer: The views and opinions expressed in this talk are

    our own and do not necessarily represent those of our employer. These slides are for educational purpose only and are not to be relied upon as professional advice.

  3. Victoria Dea Daniel Marques @0xc0da

  4. Does it look familiar? Scope Test Report Fix Can somebody

    hack {…} ? Where do I start?

  5. Penetration Testing vs. Breach & Attack Simulation vs. Red Teaming?

    They all have different goals and serve different purposes. Coverage and exploitability Automation and scalability Improve detection and response

  6. THE RED TEAM GOAL IS TO HELP IMPROVE RESILIENCE Challenging

    Assumptions Demonstrating Impact Emulating Adversaries

  7. DO YOU NEED A. RED TEAM PROGRAM? Which bears the

    question, Structured red team operations Tailored to organization needs Improve support for teams Demonstrate value Maybe.

  8. THERE ARE CHALLENGES, SPECIALLY INTEGRATING WITH OTHER FUNCTIONS Misalignment with

    business objectives Define reasonable metrics Communicating objectives and results

  9. Hiring, retaining, and training red teamers Challenge in the people

    space

  10. Software & Hardware & Lab setup* *or justifying dedicated red

    team tech

  11. You might be asking yourself WHERE DO I START?

  12. Why How What Simon Sinek’s Golden Circle Define the mission,

    vision, and goals focused on your business. “Start with the why”

  13. COMPARE CURRENT AND DESIRED STATE TO DEVELOP A ROADMAP.

  14. redteams.fyi Red Team Maturity Models Jordan Potti Noah Potti Trevin

    Edgeworth redteammaturity.com Brent Harrell Garet Stroup

  15. Think in terms of initiatives the red team can support.

    START SMALL BUT PLAN FOR THE FUTURE

  16. STANDARDIZE EARLY IN THE PROCESS Operational procedures Report templates Findings

    and recommendations

  17. Relationships matter. Remember: It is not about us. It is

    about them. https://danielmiessler.com/study/red-blue-purple-teams/

  18. Are you testing what matters? TALK TO YOUR RISK MANAGEMENT

    TEAM.

  19. we need a taxonomy. To improve communication https://attack.mitre.org/ Contextualize vulnerabilities

    Blue team: Map threat behavior to attack path Structured profile-based operations

  20. When communicating results up ALIGN FIRST WITH OTHER TEAMS Show

    improvements for detection and response Prepare a remediation plan Tell a story that makes sense and demonstrates impact

  21. We need to talk about METRICS

  22. answer questions Metrics should What has the team achieved? What

    positive impact is the red team creating? Are we helping other teams to advance?

  23. .Program metrics. vs .Campaign metrics. Is the program advancing? What

    was the operation’s outcome? Operations Planned x Performed New detections created Time to initial access Time to detection Time to recover Attack Path Initial Detection Based on the works of Jordan Potti, Cedric Owens, and Daniel Marques Attack Path Stage Reached Critical processes covered Mean time metrics

  24. Key. Takeaways Communication is essential Be flexible and support other

    cybersecurity teams Standardize early and review often Adopt reasonable metrics

  25. Thank you!

  26. Images • https://www.pexels.com/photo/hands-typing-on-a-laptop-keyboard-5483077/ • https://www.pexels.com/photo/top-view-photo-of-people-near-wooden-table-3183150/ • https://www.pexels.com/photo/person-rock-climbing-3077882/ • https://www.pexels.com/photo/words-in-dictionary-4440720/ •

    https://www.pexels.com/photo/road-landscape-mountains-nature-63324/ • https://www.pexels.com/photo/marketing-businessman-person-hands-6801647/ • https://www.pexels.com/photo/start-written-on-asphalt-2646531/ • https://www.pexels.com/photo/three-woman-talking-near-white-wooden-table-inside-room-1181619/ • https://www.pexels.com/photo/red-hoodie-3054218/ • https://www.pexels.com/photo/black-and-white-browsing-business-coffee-265152/ • https://www.pexels.com/photo/man-in-black-crew-neck-long-sleeve-shirt-9558577/

  27. References • https://attack.mitre.org/ • https://dispatch.redteams.fyi/guidance-on-measurements/ • https://github.com/cedowens/Rolling_Op_Metrics • https://medium.com/red-teaming-with-a-blue-team-mentality/helpful-red-team-operation-metrics-fabe5e74c4ac •

    https://www.redteams.fyi/ • https://www.redteammaturity.com