Adversary simulation

ADVERSARY SIMULATION “RED CELL” APPROACHES TO IMPROVING SECURITY

Transcript of Adversary simulation

Page 1: Adversary simulation

ADVERSARY SIMULATION “RED CELL”

APPROACHES TO IMPROVING SECURITY

Page 2: Adversary simulation

Talk Background

• Introduction and overview of Red Teaming

• Organizational challenges & opportunities

• Red Teaming / Red Cell effectiveness

• Meeting the defenders where they are at

• Adversary simulation

  • Emulating Tactics, Techniques and Procedures

  • Being the Adversary

• Resources

Page 3: Adversary simulation

$whoami

• Chris Hernandez

• Red Teamer

• Former: Pentester, Vuln / Patch Mgmt, Sysadmin

• Bug bounty hunter

• IRC handle: piffd0s

• Blog: Nopsled.ninja

• @piffd0s

Page 4: Adversary simulation

Introduction to Red Teaming

• What is “Red Teaming”?

• Origins of “Red Team”

• Examples of Red Teaming Failures

• Examples of Red Team Successes

Page 5: Adversary simulation

What is Red Teaming?

• An approach, a mindset, and a set of tactics

• Takes many forms: tabletop exercises, alternative analysis, computer models, and vulnerability probes

• Critical Thinking

• A Therapist…

Page 6: Adversary simulation

What are its origins?

• Originated in the 1960s military war-game exercises

• The Red Team was meant to emulate the Soviet Union

• 1963: the first historical example was a red team exercise structured around procuring a long-range bomber

• Most early examples are structured around determining the Soviet Union’s capability

Page 7: Adversary simulation

Red Team Failures: Operation Eagle Claw

• Failed mission to rescue 52 diplomats held captive in the US Embassy in Tehran

• Operation was “need to know”, not red teamed

• Operation was initiated without enough planning and foresight into potential challenges / obstacles

Page 8: Adversary simulation

Unified Vision ’01 & Millennium Challenge ’02

• Millennium Challenge ’02

  • Red Cell is highly restricted in its actions

  • Red Cell pre-emptively attacks the US Navy fleet with all of its air and sea resources, sinking 21 Navy vessels

  • White Cell “refloats” the sunken Navy vessels

• Unified Vision ’01

  • White Cell informs Red Cell that Blue Team has destroyed all 21 of their hidden ballistic missile silos

  • The Blue Team commander never actually knew the location of any of the 21 silos

Page 9: Adversary simulation

Red Team Success Stories

• New York Marathon: NYPD and New York Road Runners

  • Covers scenarios like:

    • How do you identify tainted water sources?

    • How to respond if drones show up in specific locations

    • The race can be diverted at any point

• Israeli Defense Force – “Ipcha Mistabra”

  • “The opposite is most likely”

  • Small group in the intelligence branch

  • Briefs officials and leaders on opposite explanations for scenarios

Page 10: Adversary simulation

Organizational Challenges

• Overcoming Groupthink

• Maintaining Divergent thought

• Remaining Skeptical

• Assimilation into culture

• Communicating risk effectively

• Metacognition

• Leadership buy in

• “Gaming” the Op

Page 11: Adversary simulation

Red Cell Effectiveness

• Example: 57th Adversary Tactics Group

  • Only highly skilled pilots are allowed to become “aggressors”

  • Allowed only to use known adversary tactics and techniques, depending on who they are emulating

• The same should apply to all red teams

• Adversary emulation is key to realistic simulations

Page 12: Adversary simulation

Red Cell Effectiveness

• Effective adversary emulation can mean being a “worse” threat actor

• Tests the defenders’ “post-compromise” security posture, aka the “assumed breach” model

• Starting post-compromise (from an established foothold) can also save valuable time and money

Page 13: Adversary simulation

Adversary Skill and Detection Model

[Chart: defender maturity stages Ignorance, Detection, Proactive, Pre-emptive plotted against Difficulty (scale 0–6), with one curve each for Script Kiddie, Criminal(s), and APT.]

Page 14: Adversary simulation

What are the benefits of an effective Red Cell?

• Trains and measures IR teams’ detection and response

• MSFT measures this as MTTD and MTTR: mean time to detect and mean time to recovery

• Validates investment in very expensive security products, services, and subscriptions

Page 15: Adversary simulation

An example red cell exercise

• Build a relevant threat model based on your industry threats, or competitors’ breaches / news events

• Story board the attack

• Determine where IR should detect and respond

• Use the Red Team to validate the story board

• What went well / what went wrong – postmortem analysis

• Debrief tactics
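As an added example (not code from the talk or its author), the following Python routine scores one story-board exercise of the kind described above: it compares the planned detection points with what IR actually observed and reports detection coverage together with the MTTD / MTTR figures mentioned on the previous slide. It assumes the postmortem has mapped each IR event to a story-board step name; all step names and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class StoryboardStep:
    name: str              # attack step as written on the story board
    executed: datetime     # when the red cell actually performed it
    expect_detect: bool    # story board says IR should detect and respond here

@dataclass
class IrEvent:
    step: str                       # story-board step the IR ticket was mapped to in the postmortem
    detected: datetime
    recovered: Optional[datetime]   # None while containment / recovery is still open

def score_exercise(storyboard, ir_events):
    # Returns detection coverage of planned detection points, MTTD and MTTR in hours, and missed steps.
    by_step = {e.step: e for e in ir_events}
    ttd, ttr, missed = [], [], []
    for step in storyboard:
        ev = by_step.get(step.name)
        if ev is None:
            if step.expect_detect:
                missed.append(step.name)       # planned detection point that never fired
            continue
        ttd.append((ev.detected - step.executed).total_seconds() / 3600)
        if ev.recovered is not None:
            ttr.append((ev.recovered - ev.detected).total_seconds() / 3600)
    expected = [s.name for s in storyboard if s.expect_detect]
    coverage = sum(n in by_step for n in expected) / len(expected) if expected else 0.0
    return {
        "coverage": coverage,
        "mttd_hours": mean(ttd) if ttd else None,   # None when nothing was detected at all
        "mttr_hours": mean(ttr) if ttr else None,
        "missed": missed,
    }

# Constructed sample exercise: assumed breach, so the foothold step is a given, not a detection point.
T0 = datetime(2016, 3, 1, 9, 0)
H = timedelta(hours=1)
STORYBOARD = [
    StoryboardStep("foothold", T0, False),
    StoryboardStep("credential_theft", T0 + 1 * H, True),
    StoryboardStep("lateral_movement", T0 + 3 * H, True),
    StoryboardStep("data_staging", T0 + 6 * H, True),
]
IR_EVENTS = [   # constructed IR timeline taken from the debrief
    IrEvent("lateral_movement", T0 + 5 * H, T0 + 9 * H),
    IrEvent("data_staging", T0 + 7 * H, None),
]
```

The missed list is the input to the postmortem: each entry is a story-board step where a detection was planned but IR saw nothing.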

Page 16: Adversary simulation

Putting it all together – Adversary simulation

• Emulate realistic threat actors’ TTPs

• Assume breach model

• Model attacker activity to your story board

• Information exchange between red and blue teams*

• Protect Red Team culture

• Repeat in a reasonable amount of time

Page 17: Adversary simulation

Example Adversary Simulation – TTPs – “Deep Panda”

After seeing how these indicators were being applied, though, I came to realize something very interesting: almost no one is using them effectively. - Pyramid of Pain

Page 18: Adversary simulation

ADDITIONAL RESOURCES

Books:

Red Team – Micah Zenko

Applied Critical Thinking Handbook – UFMCS

Online:

Microsoft Enterprise Cloud Red Teaming Whitepaper

2015’s Red Team Tradecraft / Adversary Simulation – Raphael Mudge

The Pyramid of Pain – David Bianco

Veris Group – Adaptive Threat Division – Will Schroeder and Justin Warner

The Adversary Manifesto – CrowdStrike