Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Red Teamer's Guide To Building A Program

Daniel Marques
October 20, 2022
Technology
0
370

The Red Teamer's Guide To Building A Program

HOU.SEC.CON 2022 (Oct/22)

Organizations continue to build internal red teams and penetration testing programs to keep up with the latest threats. The challenge, however, becomes apparent in the first few months of deploying the program: executives want to know if it is cost-effective, the integration with other teams quickly becomes a nightmare, and talent acquisition and retention can be demanding.

We also want our red team to push boundaries and help improve the company’s security posture and ability to survive actual attacks.

So how can we build and deploy red team programs that are meaningful to the enterprise and go beyond frameworks and continuous testing? This talk tackles the problem by:

- Outlining challenges, positive results, and setbacks resulting from building an internal red team program;
- Proposing approaches to select targets for testing and improving the communication between different teams consuming the testing results;
- Discussing the definition of metrics to help track the program, identify improvement opportunities, and demonstrate effectiveness.

HOU.SEC.CON 2022 - https://web.cvent.com/event/0ac8a54d-fbe9-4a16-8510-49dcf538389f/websitePage:dd3dff4f-9597-4a4b-960e-eb732a9a3853

Daniel Marques

October 20, 2022
Tweet

More Decks by Daniel Marques

See All by Daniel Marques
Kickstart Your Enterprise Red Team
0xc0da
0
110
Kickstarting your in-house Red Team: Challenges and approaches
0xc0da
1
640
A Song of Hashes and Dumps: What I've learned from cracking .br passwords
0xc0da
1
500
Python para Análises de Segurança (ERSI-2014)
0xc0da
1
85
Game of Hashes: Quebrando, passando e libertando senhas
0xc0da
0
260
Badass XSS: Esqueça o alert e vá para mundo real
0xc0da
0
110

Other Decks in Technology

See All in Technology
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
950
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.9k
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
230
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
870
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
190
iOSチームとAndroidチームでブランチ運用が違ったので整理してます
sansantech
PRO
0
150
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
490
Terraform Stacks入門 #HashiTalks
msato
0
360
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.7k
AIチャットボット開発への生成AI活用
ryomrt
0
170
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
180
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160

Featured

See All Featured
A Philosophy of Restraint
colly
203
16k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Fireside Chat
paigeccino
34
3k
Navigating Team Friction
lara
183
14k
A designer walks into a library…
pauljervisheath
204
24k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Writing Fast Ruby
sferik
627
61k
Designing Experiences People Love
moore
138
23k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Site-Speed That Sticks
csswizardry
0
28

Transcript

  1. The Red Teamer's Guide To Building A Program Daniel Marques

    October 2022

  2. Disclaimer: The views and opinions expressed in this talk are

    my own and do not necessarily represent those of my employer. These slides are for educational purpose only and are not to be relied upon as professional advice.

  3. Daniel Marques @0xc0da

  4. Does it look familiar? Scope Test Report Fix Can somebody

    hack {…} ? Where do I start?

  5. Penetration Testing vs. Breach & Attack Simulation vs. Red Teaming?

    They all have different goals and serve different purposes. Coverage and exploitability Automation and scalability Improve detection and response

  6. THE RED TEAM GOAL IS TO HELP IMPROVE RESILIENCE Challenging

    Assumptions Demonstrating Impact Emulating Adversaries

  7. DO YOU NEED A. RED TEAM PROGRAM? Which bears the

    question, Structured red team operations Tailored to organization needs Improve support for teams Demonstrate value Maybe.

  8. THERE ARE CHALLENGES, SPECIALLY INTEGRATING WITH OTHER FUNCTIONS Misalignment with

    business objectives Define reasonable metrics Communicating objectives and results

  9. Hiring, retaining, and training red teamers Challenge in the people

    space

  10. You might be asking yourself WHERE DO I START?

  11. Why How What Simon Sinek’s Golden Circle Define the mission,

    vision, and goals focused on your business. “Start with the why”

  12. COMPARE CURRENT AND DESIRED STATE TO DEVELOP A ROADMAP.

  13. redteams.fyi Red Team Maturity Model Jordan Potti Noah Potti Trevin

    Edgeworth

  14. Think in terms of initiatives the red team can support.

    START SMALL BUT PLAN FOR THE FUTURE

  15. STANDARDIZE EARLY IN THE PROCESS Operational procedures Report templates Findings

    and recommendations

  16. Relationships matter. Remember: It is not about us. It is

    about them. https://danielmiessler.com/study/red-blue-purple-teams/

  17. Are you testing what matters? TALK TO YOUR RISK MANAGEMENT

    TEAM. They might point out to a Business Impact Analysis, critical business processes, and key stakeholders.

  18. we need a taxonomy. To improve communication https://attack.mitre.org/ Contextualize vulnerabilities

    Blue team: Map threat behavior to attack path Structured profile-based operations

  19. When communicating results up ALIGN FIRST WITH OTHER TEAMS Show

    improvements for detection and response Prepare a remediation plan Tell a story that makes sense and demonstrates impact

  20. We need to talk about METRICS

  21. answer questions Metrics should What has the team achieved? What

    positive impact is the red team creating? Are we helping other teams to advance?

  22. .Program metrics. vs .Campaign metrics. Is the program advancing? What

    was the operation’s outcome? Operations Planned x Performed Mean time to initial access Time to initial access Time to detection Time to recover Attack Path Initial Detection Mean time to detect Based on the works of Jordan Potti, Cedric Owens, and Daniel Marques Attack Path Stage Reached Mean time to recover Critical processes covered

  23. Key. Takeaways Communication is essential Be flexible and support other

    cybersecurity teams Standardize early and review often Adopt reasonable metrics

  24. Thank you to the folks that collaborated with this work

    Alex Andrucioli David Trollman Hao Wang Josh Theimer Keith Mularski Marcos Matos Mehul Purohit Mike Fotso Paul Hissem Pipe Rodanant Romulo Rocha Victoria Dea Vitor Mendes Yuri Melo

  25. Thank you!

  26. Images • https://www.pexels.com/photo/hands-typing-on-a-laptop-keyboard-5483077/ • https://www.pexels.com/photo/top-view-photo-of-people-near-wooden-table-3183150/ • https://www.pexels.com/photo/person-rock-climbing-3077882/ • https://www.pexels.com/photo/words-in-dictionary-4440720/ •

    https://www.pexels.com/photo/road-landscape-mountains-nature-63324/ • https://www.pexels.com/photo/marketing-businessman-person-hands-6801647/ • https://www.pexels.com/photo/start-written-on-asphalt-2646531/ • https://www.pexels.com/photo/three-woman-talking-near-white-wooden-table-inside- room-1181619/ • https://www.pexels.com/photo/red-hoodie-3054218/ • https://www.pexels.com/photo/black-and-white-browsing-business-coffee-265152/

  27. References • https://attack.mitre.org/ • https://dispatch.redteams.fyi/guidance-on-measurements/ • https://github.com/cedowens/Rolling_Op_Metrics • https://medium.com/red-teaming-with-a-blue-team- mentality/helpful-red-team-operation-metrics-fabe5e74c4ac

    • https://www.redteams.fyi/