Seeing Red: Improving Blue Teams through Red Teaming

Transcript

1. Seeing Red: Improving blue teams through red teaming Dave Hull

   Tanium EDR Engineering

2. What is this? Copyright 2015 Tanium Inc. All rights reserved.

   2

3. Intro Copyright 2015 Tanium Inc. All rights reserved. 3

4. Intro Copyright 2015 Tanium Inc. All rights reserved. 4

5. Intro Copyright 2015 Tanium Inc. All rights reserved. 5

6. Intro Copyright 2015 Tanium Inc. All rights reserved. 6

7. Intro Copyright 2015 Tanium Inc. All rights reserved. 7

8. Intro Copyright 2015 Tanium Inc. All rights reserved. 8

9. Intro Copyright 2015 Tanium Inc. All rights reserved. 9

10. Intro Copyright 2015 Tanium Inc. All rights reserved. 10

11. Intro Copyright 2015 Tanium Inc. All rights reserved. 11

12. Agenda • Teaser • Why red teaming • What is

    red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 12

13. Why red team? Copyright 2015 Tanium Inc. All rights reserved.

    13 Because it delivers a security incident.

14. Pen testing delivers… a nice report. Copyright 2015 Tanium Inc.

    All rights reserved. 14

15. Why red team? Because you will play like you practice.

    Copyright 2015 Tanium Inc. All rights reserved. 15

16. Why red team? Copyright 2015 Tanium Inc. All rights reserved.

    16

17. “We run that play every day — end of every

    practice,” [Phil] Booth said. http://www.nytimes.com/2016/04/06/sports/ncaabasketball/villanova-national- championship.html?_r=0

18. Why red team? Copyright 2015 Tanium Inc. All rights reserved.

    18

19. Why red team? Because red teaming is quantifiable. Copyright 2015

    Tanium Inc. All rights reserved. 19

20. Why red team? Mean-time-to-compromise. Copyright 2015 Tanium Inc. All rights

    reserved. 20

21. Why red team? Mean-time-to-detection. Copyright 2015 Tanium Inc. All rights

    reserved. 21

22. Why red team? Mean-time-to-recovery. Copyright 2015 Tanium Inc. All rights

    reserved. 22

23. Agenda • Teaser • Why red teaming • What is

    red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 23

24. What is red teaming? It is not threat modeling. Copyright

    2015 Tanium Inc. All rights reserved. 24

25. What is red teaming? It is not vulnerability assessment. Copyright

    2015 Tanium Inc. All rights reserved. 25

26. What is red teaming? It is not penetration testing. Copyright

    2015 Tanium Inc. All rights reserved. 26

27. What is red teaming? Red teaming is different. Copyright 2015

    Tanium Inc. All rights reserved. 27

28. What is red teaming? Some call it “adversary emulation.” Copyright

    2015 Tanium Inc. All rights reserved. 28

29. What is red teaming? Some call it “a force-on-force engagement.”

    Copyright 2015 Tanium Inc. All rights reserved. 29

30. Red teams: Have mission objectives. Copyright 2015 Tanium Inc. All

    rights reserved. 30

31. Red teams: Have mission objectives. Enterprise or domain admin? Copyright

    2015 Tanium Inc. All rights reserved. 31

32. Red teams: Have mission objectives. Customer pivot. Copyright 2015 Tanium

    Inc. All rights reserved. 32

33. Red teams: Have mission objectives. IP theft. Copyright 2015 Tanium

    Inc. All rights reserved. 33

34. Red teams: Have mission objectives. Burn it all down. Copyright

    2015 Tanium Inc. All rights reserved. 34

35. Red teams: Have mission objectives. Test incident response capabilities and

    procedures. Copyright 2015 Tanium Inc. All rights reserved. 35

36. Red teams: Have mission objectives. Test incident response capabilities and

    procedures of the organization... not just the blue team. Copyright 2015 Tanium Inc. All rights reserved. 36

37. Who responds, if... Copyright 2015 Tanium Inc. All rights reserved.

    37

38. Who responds, if Brian Krebs is your IDS? Not just

    the IR team. Not just the security team. Copyright 2015 Tanium Inc. All rights reserved. 38

39. Agenda • Teaser • Why red teaming • What is

    red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 39

40. Lesson learned Outliers may be leads. Copyright 2015 Tanium Inc.

    All rights reserved. 40

41. Outliers may be leads. Copyright 2015 Tanium Inc. All rights

    reserved. 41

42. Outliers may be leads. Copyright 2015 Tanium Inc. All rights

    reserved. 42

43. Do you even monoculture? Copyright 2015 Tanium Inc. All rights

    reserved. 43

44. Dan Geer: Copyright 2015 Tanium Inc. All rights reserved. 44

    • "Internet security is quite possibly the most intellectually challenging profession on the planet... for two reasons... complexity... and rate of change [are] your enemy.

45. Loathsome long tails... Copyright 2015 Tanium Inc. All rights reserved.

    45

46. “... everpresent everywhere...” Copyright 2015 Tanium Inc. All rights reserved.

    46

47. Build systems that automate data collection, analysis and remediation. Copyright

    2015 Tanium Inc. All rights reserved. 47

48. Blue’s Prime Directive: Remediation Copyright 2015 Tanium Inc. All rights

    reserved. 48

49. Remediation, like security, is a process not a product. Copyright

    2015 Tanium Inc. All rights reserved. 49

50. Investigate. Remediate. Repeat. Copyright 2015 Tanium Inc. All rights reserved.

    50

51. Agenda • Teaser • Why red teaming • What is

    red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 51

52. Who should be red teaming? Any organization that may have

    a security incident. Copyright 2015 Tanium Inc. All rights reserved. 52

53. Who should be red teaming? Any organization with something worth

    protecting. Copyright 2015 Tanium Inc. All rights reserved. 53

54. Who should be red teaming, practically speaking? Organizations meeting the

    previous criteria and having: Some monitoring. Some defenses. Some IR capabilities. Copyright 2015 Tanium Inc. All rights reserved. 54

55. Who should be red teaming? Probably an internal team, but

    not just the security team. Copyright 2015 Tanium Inc. All rights reserved. 55

56. Lesson learned Documentation is wrong. Code comments are wrong. Assumptions

    are wrong. Copyright 2015 Tanium Inc. All rights reserved. 56

57. Agenda • Teaser • Why red teaming • What is

    red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 57

58. When should you red team? Two, maybe three times a

    year. Copyright 2015 Tanium Inc. All rights reserved. 58

59. Lesson learned Avoid concurrent red team incidents. Copyright 2015 Tanium

    Inc. All rights reserved. 59

60. Agenda • Teaser • Why red teaming • What is

    red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 60

61. Practicalities Have Rules of Engagement. Copyright 2015 Tanium Inc. All

    rights reserved. 61

62. Rules of engagement Get approval from management and legal. Copyright

    2015 Tanium Inc. All rights reserved. 62

63. Rules of engagement Copyright 2015 Tanium Inc. All rights reserved.

    63

64. Rules of engagement No accessing or tampering with customer data.

    Copyright 2015 Tanium Inc. All rights reserved. 64

65. Rules of engagement No accessing or tampering with real customer

    data. Copyright 2015 Tanium Inc. All rights reserved. 65

66. Rules of engagement No outages. Copyright 2015 Tanium Inc. All

    rights reserved. 66

67. Rules of engagement No weakening of existing controls. Copyright 2015

    Tanium Inc. All rights reserved. 67

68. Rules of engagement Give the red team access. Copyright 2015

    Tanium Inc. All rights reserved. 68

69. Rules of engagement Give the red team source code. Copyright

    2015 Tanium Inc. All rights reserved. 69

70. Rules of engagement Give the red team architecture diagrams. Copyright

    2015 Tanium Inc. All rights reserved. 70

71. Rules of engagement Keep the blue team in the dark.

    Copyright 2015 Tanium Inc. All rights reserved. 71

72. Rules of engagement – Don’t let blue do this Copyright

    2015 Tanium Inc. All rights reserved. 72

73. Rules of engagement Real incidents trump red team incidents. Copyright

    2015 Tanium Inc. All rights reserved. 73

74. Rules of engagement Red incidents are core hours only. Copyright

    2015 Tanium Inc. All rights reserved. 74

75. Rules of engagement Red incidents are core hours only, plus

    a little. Copyright 2015 Tanium Inc. All rights reserved. 75

76. Rules of engagement Cross team collaboration. Copyright 2015 Tanium Inc.

    All rights reserved. 76

77. Rules of engagement Establish a situation room. Copyright 2015 Tanium

    Inc. All rights reserved. 77

78. Rules of engagement Designate incident and investigative leads. Copyright 2015

    Tanium Inc. All rights reserved. 78

79. Rules of engagement Delegate and PM. Copyright 2015 Tanium Inc.

    All rights reserved. 79

80. Situation normal... Investigate. Copyright 2015 Tanium Inc. All rights reserved.

    80

81. Situation normal, practice how you want to play Document. Copyright

    2015 Tanium Inc. All rights reserved. 81

82. Situation normal, practice how you want to play Report. Copyright

    2015 Tanium Inc. All rights reserved. 82

83. Situation normal, practice how you want to play Copyright 2015

    Tanium Inc. All rights reserved. 83

84. Situation normal, practice how you want to play Plan for

    remediation. Copyright 2015 Tanium Inc. All rights reserved. 84

85. Situation normal, practice how you want to play Execute remediation.

    Copyright 2015 Tanium Inc. All rights reserved. 85

86. Situation normal, practice how you want to play Post remediation

    monitoring. Copyright 2015 Tanium Inc. All rights reserved. 86

87. Take aways Postmortems. Copyright 2015 Tanium Inc. All rights reserved.

    87

88. Postmortem: Who? Stakeholders, blue team, red team. Copyright 2015 Tanium

    Inc. All rights reserved. 88

89. Postmortem: What? No blame games. Copyright 2015 Tanium Inc. All

    rights reserved. 89

90. Postmortem: What? But hold yourself accountable. Copyright 2015 Tanium Inc.

    All rights reserved. 90

91. Postmortem: Story time. Blue team goes first. Copyright 2015 Tanium

    Inc. All rights reserved. 91

92. Postmortem: Tell all. Copyright 2015 Tanium Inc. All rights reserved.

    92

93. Postmortem: The facts. Red team goes second. Copyright 2015 Tanium

    Inc. All rights reserved. 93

94. Postmortem: Mind the gap. Blue Red Copyright 2015 Tanium Inc.

    All rights reserved. 94 Goal: close gap over time

95. Postmortem: Takeaways. All teams get bugs, feature requests. Copyright 2015

    Tanium Inc. All rights reserved. 95

96. Agenda • Teaser • Why red teaming • What is

    red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 96

97. Lesson learned No one runs as admin. Copyright 2015 Tanium

    Inc. All rights reserved. 97

98. Lesson learned Just-In-Time admin (JIT). Copyright 2015 Tanium Inc. All

    rights reserved. 98

99. Lesson learned Segment the network. Copyright 2015 Tanium Inc. All

    rights reserved. 99

100. Lesson learned Segment the accounts. Copyright 2015 Tanium Inc. All

     rights reserved. 100

101. Lesson learned Dedicated admin workstations. Copyright 2015 Tanium Inc. All

     rights reserved. 101

102. Lesson learned Zero human generated passwords. Copyright 2015 Tanium Inc.

     All rights reserved. 102

103. Lesson learned 2FA everywhere. Copyright 2015 Tanium Inc. All rights

     reserved. 103

104. Lesson learned Don’t trust. Verify. Copyright 2015 Tanium Inc. All

     rights reserved. 104

105. Agenda • Teaser • Why red teaming • What is

     red teaming • Highlights and lessons learned • Who should be red teaming • When • Practicalities of red teaming • Conclusion Copyright 2015 Tanium Inc. All rights reserved. 105

106. Conclusion Red teaming is hard. Copyright 2015 Tanium Inc. All

     rights reserved. 106

107. Conclusion Real incidents may be harder. Copyright 2015 Tanium Inc.

     All rights reserved. 107

108. Conclusion Practice how you want to play. Copyright 2015 Tanium

     Inc. All rights reserved. 108

109. Thank you! [email protected]