Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Seeing Red: Improving Blue Teams through Red Teaming

Dave Hull
October 26, 2016

Seeing Red: Improving Blue Teams through Red Teaming

Dave Hull

October 26, 2016
Tweet

More Decks by Dave Hull

Other Decks in Technology

Transcript

  1. Agenda • Teaser • Why red teaming • What is

    red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 12
  2. Why red team? Copyright 2015 Tanium Inc. All rights reserved.

    13 Because it delivers a security incident.
  3. Why red team? Because you will play like you practice.

    Copyright 2015 Tanium Inc. All rights reserved. 15
  4. “We run that play every day — end of every

    practice,” [Phil] Booth said. http://www.nytimes.com/2016/04/06/sports/ncaabasketball/villanova-national- championship.html?_r=0
  5. Agenda • Teaser • Why red teaming • What is

    red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 23
  6. What is red teaming? It is not threat modeling. Copyright

    2015 Tanium Inc. All rights reserved. 24
  7. What is red teaming? It is not penetration testing. Copyright

    2015 Tanium Inc. All rights reserved. 26
  8. What is red teaming? Some call it “a force-on-force engagement.”

    Copyright 2015 Tanium Inc. All rights reserved. 29
  9. Red teams: Have mission objectives. Burn it all down. Copyright

    2015 Tanium Inc. All rights reserved. 34
  10. Red teams: Have mission objectives. Test incident response capabilities and

    procedures. Copyright 2015 Tanium Inc. All rights reserved. 35
  11. Red teams: Have mission objectives. Test incident response capabilities and

    procedures of the organization... not just the blue team. Copyright 2015 Tanium Inc. All rights reserved. 36
  12. Who responds, if Brian Krebs is your IDS? Not just

    the IR team. Not just the security team. Copyright 2015 Tanium Inc. All rights reserved. 38
  13. Agenda • Teaser • Why red teaming • What is

    red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 39
  14. Dan Geer: Copyright 2015 Tanium Inc. All rights reserved. 44

    • "Internet security is quite possibly the most intellectually challenging profession on the planet... for two reasons... complexity... and rate of change [are] your enemy.
  15. Agenda • Teaser • Why red teaming • What is

    red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 51
  16. Who should be red teaming? Any organization that may have

    a security incident. Copyright 2015 Tanium Inc. All rights reserved. 52
  17. Who should be red teaming? Any organization with something worth

    protecting. Copyright 2015 Tanium Inc. All rights reserved. 53
  18. Who should be red teaming, practically speaking? Organizations meeting the

    previous criteria and having: Some monitoring. Some defenses. Some IR capabilities. Copyright 2015 Tanium Inc. All rights reserved. 54
  19. Who should be red teaming? Probably an internal team, but

    not just the security team. Copyright 2015 Tanium Inc. All rights reserved. 55
  20. Lesson learned Documentation is wrong. Code comments are wrong. Assumptions

    are wrong. Copyright 2015 Tanium Inc. All rights reserved. 56
  21. Agenda • Teaser • Why red teaming • What is

    red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 57
  22. When should you red team? Two, maybe three times a

    year. Copyright 2015 Tanium Inc. All rights reserved. 58
  23. Agenda • Teaser • Why red teaming • What is

    red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 60
  24. Rules of engagement No accessing or tampering with customer data.

    Copyright 2015 Tanium Inc. All rights reserved. 64
  25. Rules of engagement No accessing or tampering with real customer

    data. Copyright 2015 Tanium Inc. All rights reserved. 65
  26. Rules of engagement Give the red team source code. Copyright

    2015 Tanium Inc. All rights reserved. 69
  27. Rules of engagement Keep the blue team in the dark.

    Copyright 2015 Tanium Inc. All rights reserved. 71
  28. Rules of engagement – Don’t let blue do this Copyright

    2015 Tanium Inc. All rights reserved. 72
  29. Rules of engagement Red incidents are core hours only. Copyright

    2015 Tanium Inc. All rights reserved. 74
  30. Rules of engagement Red incidents are core hours only, plus

    a little. Copyright 2015 Tanium Inc. All rights reserved. 75
  31. Situation normal, practice how you want to play Plan for

    remediation. Copyright 2015 Tanium Inc. All rights reserved. 84
  32. Situation normal, practice how you want to play Execute remediation.

    Copyright 2015 Tanium Inc. All rights reserved. 85
  33. Situation normal, practice how you want to play Post remediation

    monitoring. Copyright 2015 Tanium Inc. All rights reserved. 86
  34. Postmortem: Mind the gap. Blue Red Copyright 2015 Tanium Inc.

    All rights reserved. 94 Goal: close gap over time
  35. Agenda • Teaser • Why red teaming • What is

    red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 96
  36. Agenda • Teaser • Why red teaming • What is

    red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 105