Operationalizing Red Teaming for Fun and Profit
November 15, 2016
Ian Allison | Security Testing & Red Team | devsecops.org
@iallison
• Commodore 64 - 1984
• 300 Baud Modem
• LOAD"*",1,1
• BBS
• Lots of txt files
Background
• Large Scale Linux Admin
• IT Security Audit
• Cyber Wargames Designer and Operator
• Offensive Security Instructor
• Penetration Tester
• Embedded Device Security Tester
• Security Researcher
This Path Leads To
• Developers are stupid
• Developers don't care about security
• Developers just care about deadlines
• DevOps are even worse!
• Until….
Chasing the Red Rabbit A.K.A DevSecOps
• In my first week write a microservice API and get it securely into production in the cloud
• Instant developer empathy
• Iterate code, security and secure deployment in the cloud
• All security applications are hosted in the cloud
Second Step into DevSecOps
• How do you make sure all your baseline images are safe?
• How do you do it for thousands of AWS accounts?
• You have to write your own automation
• Learn the inner workings of your cloud provider
Scanners Suck
• Spray and Pray
• Only as good as their signatures
• Remediation guidelines are not actionable
• False positives abound
• Who else loves reading 200 page PDFs?
Scanner Vendors Suck
• Usually have proprietary on host databases (kills cloudiness)
• Hard to correlate same vulnerability across multiple vendors
• Don't share as much as they should
By Clark Stanley [Public domain], via Wikimedia Commons
Traditional InfoSec
• Compliance
• Regulations
• Appliances
• Perimeter
A.K.A "Bow to my Firewall" – Bruce Potter
InfoSec is Selfish
• Good at saying NO
• Remediation is up to the developers
• Feedback is a Scanner report
• Only solves for security and compliance not developers
• Don't like to share
Trends in the Media
• SaaS for DevOps Security
• Collaborative Security
• Tools, CICD, appliances and CASBs oh my
• Configuration Management is the answer to everything
• Compliance will help protect you
DevOps Jobs vs Security Jobs
(Chart: InfoSec Jobs vs DevOps Jobs)
http://www.indeed.com/jobtrends/
The Golden Ratio
• Research varies as to the ratio of Security to Developers
• 1 to 1000 to 8.5 to 100
• 1 to 5000 networked devices!
• What if Security and DevOps were one in the same?
http://www.infosecisland.com/blogview/8327-How-Many-Information-Security-Staff-Do-We-Need.html
DevOps == Opportunity
• Can be an amazing thing when done right
• Fast, lean and efficient and secure
• Integrate security checks with CICD and catch low hanging fruit
• Security needs to learn how to adapt and evolve or it could become irrelevant
• When DevOps is done wrong...
It Looks like This
How Do We Make it Better?
• Allow Dev teams to assume the risk of their decisions
• No more Security exceptions or sign offs
• Security is everyone's responsibility
• Test the crap out of your own stuff like an attacker would
Reality
• Scanners find the absolute bare minimum
• Bad default configs are a HUGE problem even with SaaS vendors
• Manual testing can uncover defects that have been hiding for years
• The attackers are more skilled and motivated
Getting Dirty
• Started small, lean and focused on the cloud
• Worked like an Agile DevOps Team
• Found, reported and fixed thousands of vulnerabilities not found by scanners
• This was all done manually with the use of some tools
What is a Red Team?
• Use same tactics as attackers
• Only scope is "Don't take down production"
• Need to adapt and evolve like an attacker
• Prove risk actually exists
• Should be writing their own exploits
• Should have ongoing campaigns that mimic attackers
Red Team Mindset
• Use applications in ways they are not intended.
• Not just technology focused
• Silent Intruders
• Physical Security
• Social Engineering
• Phishing / Spearphishing
• Waterhole attacks
Illustrating Risk
Red Team != Penetration Testing
• Pentesting is tightly scoped
• Non-realistic attack scenarios
• 5% fun 95% meetings and reporting
• Quickly becoming a type of compliance
Some of the Tools Used
• nmap
• curl
• Burp Suite
• Metasploit Framework
• Gauntlt
• Github
• Shodan.io
• Jira – Case Management
• Multiple cloud providers
• Jenkins – For automation/scheduling
• Nexus – For finding bad libs
• Homemade tools
Impacting Release Schedules
• Defects can cause churn
• Can cause escalations to upper management
• Forces tradeoffs between releases and security
• Can create contention between security and Dev teams
• Pivoting can be hard for non agile teams
Lessons Learned
• You can actually move too fast
• The more automation and APIs you provide developers the better they respond.
• Having a central source of recon data is critical to finding targets
• Hard to switch context from attacker to helper
Security Defects
• Defect vs Vulnerability
• Security people suck at speaking developer
• Understanding your audience (Developers) is critical
• Clearly explaining the issue with a PoC is a teaching opportunity
Reporting
• Defects go directly into a Dev team's backlog
• Graded (A – F)
• Dev Team decides priority of defect
• Reported all the way up
• First thing in defect ticket is remediation guidance
• Includes checks for validating remediation for Dev Teams
From -> To: Open JMX and Web Console
Scroll down at least 198 pages in 200 page PDF:
Solution:
Secure or remove access to the JMX and/or Web Console using the advanced installer options.
Remediation Required:
Remove access to the jmx-console and web-console from JBoss by:
In JBOSS_HOME/common/deploy/ remove: jmx-console.war
In JBOSS_HOME/server/<node>/deploy/ remove: jmx-console-activator-jboss-beans.xml
Remove JBoss Web Services console:
In JBOSS_HOME/common/deploy/ remove: jbossws-console.war
In JBOSS_HOME/server/<node>/deploy/ remove: jbossws-console.war, jbossws-console-activator-jboss-beans.xml
If consoles are needed, ensure access to the JBoss JMX Console (/jmx-console and /web-console) is restricted to a small number of internal IP addresses to prevent unauthorized access.
Implement strong JMX console admin password.
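The kind of ticket-ready remediation check the Reporting slide calls for, applied to the JBoss console guidance above, as an added example that is not code from the talk or from the DevSecOps project. It assumes the JBoss AS 5/6 directory layout the guidance names (JBOSS_HOME/common/deploy and JBOSS_HOME/server/<node>/deploy); the profile name "default" in the demo is a constructed value.

```shell
#!/bin/sh
# Added example (not from the talk): check and apply the JBoss console
# remediation above; assumes the JBoss AS 5/6 layout the guidance names.

# Artifacts the guidance says to remove, relative to JBOSS_HOME.
console_artifacts() {
  node="$1"
  cat <<EOF
common/deploy/jmx-console.war
server/$node/deploy/jmx-console-activator-jboss-beans.xml
common/deploy/jbossws-console.war
server/$node/deploy/jbossws-console.war
server/$node/deploy/jbossws-console-activator-jboss-beans.xml
EOF
}

# Validation check for the defect ticket: list every console artifact that
# is still deployed; exit status 1 means the fix is not complete.
check_consoles() {
  home="$1"; node="$2"; found=0
  for rel in $(console_artifacts "$node"); do
    if [ -e "$home/$rel" ]; then
      echo "STILL DEPLOYED: $home/$rel"; found=1
    fi
  done
  return $found
}

# Apply the fix: delete packed WARs and exploded directories alike.
remove_consoles() {
  home="$1"; node="$2"
  for rel in $(console_artifacts "$node"); do
    if [ -e "$home/$rel" ]; then
      rm -rf "$home/$rel"; echo "removed $home/$rel"
    fi
  done
}

# Stand-alone demo on a constructed directory tree (no real JBoss needed).
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  mkdir -p "$demo/common/deploy" "$demo/server/default/deploy"
  touch "$demo/common/deploy/jmx-console.war" \
        "$demo/server/default/deploy/jmx-console-activator-jboss-beans.xml"
  check_consoles "$demo" default || echo "remediation NOT complete"
  remove_consoles "$demo" default
  check_consoles "$demo" default && echo "remediation validated"
  rm -rf "$demo"
fi
```

Run with `--demo` to see it on a throwaway tree, or point `check_consoles` at a real JBOSS_HOME and profile name and use its exit status as the ticket's validation gate.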
How We're Making it Better
• Feedback is a gift!
• Show our upcoming targets the week before
• Automated attacking the low hanging fruit
• More transparency
• Metrics, Metrics and more Metrics
• Helping our vendors with better remediation guidelines
But Does it Blend?
• We see a lot of data come across the wire
• How do you find the needle in the haystack?
• Attackers and attacks are constantly evolving
• It takes more than just a Red Team, it takes a DevSecOps team
Source: https://www.flickr.com/photos/ciuu96/
Security Defect Funnel
Copyright © DevSecOps Foundation 2015-2016
Current State
• Focusing on automating security testing into CICD
• Using Jenkins as our C&C for Red Team and Security Testing Activities
• Scanning and attacking Kubernetes and Docker containers
• Getting shells before the attackers through application exploit development
Get Involved & Join the Community
• devsecops.org
• @iallison on Twitter
• DevSecOps Group on LinkedIn
• DevSecOps on Github
Huge shoutout to Shannon Lietz A.K.A @devsecops