Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Red Teamer's Guide To Building A Program

Daniel Marques
October 20, 2022
Technology
0
330

The Red Teamer's Guide To Building A Program

HOU.SEC.CON 2022 (Oct/22)

Organizations continue to build internal red teams and penetration testing programs to keep up with the latest threats. The challenge, however, becomes apparent in the first few months of deploying the program: executives want to know if it is cost-effective, the integration with other teams quickly becomes a nightmare, and talent acquisition and retention can be demanding.

We also want our red team to push boundaries and help improve the company’s security posture and ability to survive actual attacks.

So how can we build and deploy red team programs that are meaningful to the enterprise and go beyond frameworks and continuous testing? This talk tackles the problem by:

- Outlining challenges, positive results, and setbacks resulting from building an internal red team program;
- Proposing approaches to select targets for testing and improving the communication between different teams consuming the testing results;
- Discussing the definition of metrics to help track the program, identify improvement opportunities, and demonstrate effectiveness.

HOU.SEC.CON 2022 - https://web.cvent.com/event/0ac8a54d-fbe9-4a16-8510-49dcf538389f/websitePage:dd3dff4f-9597-4a4b-960e-eb732a9a3853

Daniel Marques

October 20, 2022
Tweet

More Decks by Daniel Marques

See All by Daniel Marques
Kickstart Your Enterprise Red Team
0xc0da
0
36
Kickstarting your in-house Red Team: Challenges and approaches
0xc0da
0
580
A Song of Hashes and Dumps: What I've learned from cracking .br passwords
0xc0da
1
490
Python para Análises de Segurança (ERSI-2014)
0xc0da
0
85
Game of Hashes: Quebrando, passando e libertando senhas
0xc0da
0
250
Badass XSS: Esqueça o alert e vá para mundo real
0xc0da
0
85

Other Decks in Technology

See All in Technology
コードや知識を組み込む / Incorporate Code and knowledge
ks91
PRO
0
150
【SORACOM UG 東海】あらゆるモノがつながる社会へ、IoT と SORACOM
soracom
PRO
1
140
Cypress or Playwright?
rainerhahnekamp
0
170
本当のAWS基礎
toru_kubota
1
630
web-application-security
matsuihidetoshi
1
190
Babylon.js JAPAN活動紹介 (2024/4)
limes2018
1
120
認知症フレンドリーテックとスタックチャン
naokiuc
0
190
生産性向上チームの紹介
cybozuinsideout
PRO
1
920
Microsoft Intune 勉強会 第 2 回目
tamaiyutaro
2
410
JAWS-UG Bedrock Claude Night
yamahiro
3
710
Gitlab本から学んだこと - そーだいなるプレイバック / gitlab-book
soudai
7
1.3k
LangSmith入門―トレース/評価/プロンプト管理などを担うLLMアプリ開発プラットフォーム
os1ma
5
710

Featured

See All Featured
Making Projects Easy
brettharned
109
5.5k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
How to train your dragon (web standard)
notwaldorf
75
5.2k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
21
1.4k
Building an army of robots
kneath
300
41k
Code Reviewing Like a Champion
maltzj
515
39k
GitHub's CSS Performance
jonrohan
1025
450k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
275
13k
The Power of CSS Pseudo Elements
geoffreycrofte
62
5k
The MySQL Ecosystem @ GitHub 2015
samlambert
244
12k
For a Future-Friendly Web
brad_frost
172
9k

Transcript

  1. The Red Teamer's Guide To Building A Program Daniel Marques

    October 2022

  2. Disclaimer: The views and opinions expressed in this talk are

    my own and do not necessarily represent those of my employer. These slides are for educational purpose only and are not to be relied upon as professional advice.

  3. Daniel Marques @0xc0da

  4. Does it look familiar? Scope Test Report Fix Can somebody

    hack {…} ? Where do I start?

  5. Penetration Testing vs. Breach & Attack Simulation vs. Red Teaming?

    They all have different goals and serve different purposes. Coverage and exploitability Automation and scalability Improve detection and response

  6. THE RED TEAM GOAL IS TO HELP IMPROVE RESILIENCE Challenging

    Assumptions Demonstrating Impact Emulating Adversaries

  7. DO YOU NEED A. RED TEAM PROGRAM? Which bears the

    question, Structured red team operations Tailored to organization needs Improve support for teams Demonstrate value Maybe.

  8. THERE ARE CHALLENGES, SPECIALLY INTEGRATING WITH OTHER FUNCTIONS Misalignment with

    business objectives Define reasonable metrics Communicating objectives and results

  9. Hiring, retaining, and training red teamers Challenge in the people

    space

  10. You might be asking yourself WHERE DO I START?

  11. Why How What Simon Sinek’s Golden Circle Define the mission,

    vision, and goals focused on your business. “Start with the why”

  12. COMPARE CURRENT AND DESIRED STATE TO DEVELOP A ROADMAP.

  13. redteams.fyi Red Team Maturity Model Jordan Potti Noah Potti Trevin

    Edgeworth

  14. Think in terms of initiatives the red team can support.

    START SMALL BUT PLAN FOR THE FUTURE

  15. STANDARDIZE EARLY IN THE PROCESS Operational procedures Report templates Findings

    and recommendations

  16. Relationships matter. Remember: It is not about us. It is

    about them. https://danielmiessler.com/study/red-blue-purple-teams/

  17. Are you testing what matters? TALK TO YOUR RISK MANAGEMENT

    TEAM. They might point out to a Business Impact Analysis, critical business processes, and key stakeholders.

  18. we need a taxonomy. To improve communication https://attack.mitre.org/ Contextualize vulnerabilities

    Blue team: Map threat behavior to attack path Structured profile-based operations

  19. When communicating results up ALIGN FIRST WITH OTHER TEAMS Show

    improvements for detection and response Prepare a remediation plan Tell a story that makes sense and demonstrates impact

  20. We need to talk about METRICS

  21. answer questions Metrics should What has the team achieved? What

    positive impact is the red team creating? Are we helping other teams to advance?

  22. .Program metrics. vs .Campaign metrics. Is the program advancing? What

    was the operation’s outcome? Operations Planned x Performed Mean time to initial access Time to initial access Time to detection Time to recover Attack Path Initial Detection Mean time to detect Based on the works of Jordan Potti, Cedric Owens, and Daniel Marques Attack Path Stage Reached Mean time to recover Critical processes covered

  23. Key. Takeaways Communication is essential Be flexible and support other

    cybersecurity teams Standardize early and review often Adopt reasonable metrics

  24. Thank you to the folks that collaborated with this work

    Alex Andrucioli David Trollman Hao Wang Josh Theimer Keith Mularski Marcos Matos Mehul Purohit Mike Fotso Paul Hissem Pipe Rodanant Romulo Rocha Victoria Dea Vitor Mendes Yuri Melo

  25. Thank you!

  26. Images • https://www.pexels.com/photo/hands-typing-on-a-laptop-keyboard-5483077/ • https://www.pexels.com/photo/top-view-photo-of-people-near-wooden-table-3183150/ • https://www.pexels.com/photo/person-rock-climbing-3077882/ • https://www.pexels.com/photo/words-in-dictionary-4440720/ •

    https://www.pexels.com/photo/road-landscape-mountains-nature-63324/ • https://www.pexels.com/photo/marketing-businessman-person-hands-6801647/ • https://www.pexels.com/photo/start-written-on-asphalt-2646531/ • https://www.pexels.com/photo/three-woman-talking-near-white-wooden-table-inside- room-1181619/ • https://www.pexels.com/photo/red-hoodie-3054218/ • https://www.pexels.com/photo/black-and-white-browsing-business-coffee-265152/

  27. References • https://attack.mitre.org/ • https://dispatch.redteams.fyi/guidance-on-measurements/ • https://github.com/cedowens/Rolling_Op_Metrics • https://medium.com/red-teaming-with-a-blue-team- mentality/helpful-red-team-operation-metrics-fabe5e74c4ac

    • https://www.redteams.fyi/