Secure 360 adversary simulation
Transcript of Secure 360 adversary simulation
ADVERSARY SIMULATION
“RED CELL” APPROACHES TO IMPROVING SECURITY
Talk Background
• Introduction and Overview of Red Teaming
• What are our organization's Challenges & Opportunities?
• What makes Red Teaming / Red Cell effective?
• What is Adversary simulation?
• TLDR… Extra Resources
$whoami
• Chris Hernandez
• Red Teamer
• Former:
  • Pentester @Veris Group ATD
  • Lots of other stuff
• Exploit / Bug Research
• Blog: Nopsled.ninja
• @piffd0s
What is Red Teaming?
• Mindset and Tactics
• Takes many forms: Tabletop Exercises, Alternative analysis, computer models, and vulnerability probes.
• Not limited to InfoSec
• Critical Thinking
• Cognitive Psychologist
What are its origins?
• Originated in the 1960’s military war-game exercises
• “Red” = the Soviet Union
• 1963 - First public / documented example was a red team exercise structured around procuring a long range bomber.
• Most early examples are structured around determining the Soviet Union's capability
Why does this matter to me?
Pass the salt…
Try This…
What happens when we fail?
Unified Vision ‘01 & Millennium Challenge ‘02
• Millennium challenge ’02
• Red Cell is highly restricted in its actions
• Red Cell pre-emptively attacks the US Navy fleet with all of its air and sea resources, sinking 21 Navy vessels
• White Cell “refloats” sunken navy vessels
• Unified Vision ’01
• White Cell informs Red Cell that Blue Team has destroyed all of their 21 hidden ballistic missile silos
• Blue Team commander never actually knew the location of any of the 21 silos
What happens when we succeed?
Red Team Success Stories
• New York Marathon, NYPD and New York Roadrunners
  • Cover scenarios like:
    • How do you identify tainted water sources
    • How to respond if drones show up in specific locations
    • Race can be diverted at any point
• Israeli Defense Force – “Ipcha Mistabra”
  • The opposite is most likely
  • Small group in the intelligence branch
  • Briefs Officials and Leaders on opposite explanations for scenarios
How does any of that apply to my business?
• Red Team Failure
  • Agendas
  • Restricted actions
  • Poor Communication
  • Narrow scope
  • Unrealistic Scenarios
  • Not having a red team
• Red Team Success
  • Good questions
  • Make no assumptions
  • Open Access
  • Fluid Communication
  • Realistic Scenarios
  • Agendas
What makes a red team effective?
Red Cell Effectiveness
• Ex. 57th adversary tactics group
• Only Highly skilled pilots are allowed to become “aggressors”
• Allowed only to use known adversary tactics and techniques depending on who they are emulating
• Same should apply to all red teams
• Adversary emulation is key to realistic simulations
Red Cell Effectiveness
• Effective adversary emulation can mean being a “worse” threat actor
• Tests defenders' “post-compromise” security posture, aka the “assumed breach model”
• Post compromise / foothold can also save valuable time and money.
What are the benefits of an effective Red Cell?
• Train and measure IR teams' detection and response.
• MSFT measures this as MTTD and MTTR: Mean Time to Detect, and Mean Time to Recovery
• Validates investment in very expensive security products, services, and subscriptions
Putting it all together – Adversary simulation
• Emulate realistic threat actors' TTPs
• Assume breach model
• Model attacker activity to your environment / risk
• Information exchange between red and blue teams*
• Protect Red Team culture
• Repeat in a reasonable amount of time
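The MTTD/MTTR measurement from the "benefits" slide and the "repeat in a reasonable amount of time" step can be tied together in code. The block below is an added example, not code from the talk or from Microsoft's whitepaper; the technique names, timestamps and the `Action`, `exercise_metrics` and `compare_runs` names are constructed for illustration. It computes MTTD and MTTR for one exercise run from the red cell's execution times and the IR team's detection and recovery times, keeps actions that were never detected visible as coverage gaps instead of silently dropping them (which would make MTTD look better than it is), and compares a run against its repeat to show the trend.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


# Constructed exercise records (not from the talk). Each row is one emulated
# red-cell action: a hypothetical technique label, when the red cell executed
# it, when the IR team detected it (None = never detected), and when the IR
# team recovered/contained it (None = never recovered).
@dataclass(frozen=True)
class Action:
    technique: str
    executed: datetime
    detected: Optional[datetime]
    recovered: Optional[datetime]


def _t(hhmm: str, day: int = 1) -> datetime:
    """Build a timestamp on a constructed exercise day (2020-01-<day>)."""
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2020, 1, day, hour, minute)


# Run 1: first exercise. Run 2: the same emulated TTPs repeated later.
RUN_1 = [
    Action("phishing-foothold",  _t("09:00"), _t("11:30"), _t("14:00")),
    Action("credential-dumping", _t("10:15"), _t("10:45"), _t("12:00")),
    Action("lateral-movement",   _t("11:00"), None,        None),
    Action("data-staging",       _t("13:00"), _t("13:20"), _t("13:50")),
]
RUN_2 = [
    Action("phishing-foothold",  _t("09:00", 2), _t("09:40", 2), _t("10:30", 2)),
    Action("credential-dumping", _t("10:15", 2), _t("10:25", 2), _t("11:00", 2)),
    Action("lateral-movement",   _t("11:00", 2), _t("12:10", 2), None),
    Action("data-staging",       _t("13:00", 2), _t("13:05", 2), _t("13:20", 2)),
]


def exercise_metrics(actions: list) -> dict:
    """MTTD/MTTR (in minutes) for one run, plus coverage.

    MTTD is averaged only over detected actions and MTTR only over recovered
    ones, so the undetected/unrecovered lists must be reported alongside the
    means; otherwise a run that misses most actions can still show a low MTTD.
    """
    detect_minutes = [
        (a.detected - a.executed).total_seconds() / 60
        for a in actions if a.detected is not None
    ]
    recover_minutes = [
        (a.recovered - a.detected).total_seconds() / 60
        for a in actions if a.detected is not None and a.recovered is not None
    ]
    return {
        "actions": len(actions),
        "detected": len(detect_minutes),
        "recovered": len(recover_minutes),
        "mttd_minutes": mean(detect_minutes) if detect_minutes else None,
        "mttr_minutes": mean(recover_minutes) if recover_minutes else None,
        "undetected": [a.technique for a in actions if a.detected is None],
        "unrecovered": [a.technique for a in actions if a.recovered is None],
    }


def compare_runs(before: list, after: list) -> dict:
    """Trend between a run and its repeat; negative deltas mean the IR team got faster."""
    b, a = exercise_metrics(before), exercise_metrics(after)

    def delta(key: str):
        if b[key] is None or a[key] is None:
            return None
        return a[key] - b[key]

    return {
        "mttd_delta_minutes": delta("mttd_minutes"),
        "mttr_delta_minutes": delta("mttr_minutes"),
        "newly_detected": sorted(set(b["undetected"]) - set(a["undetected"])),
        "still_undetected": sorted(a["undetected"]),
    }


if __name__ == "__main__":
    for name, run in (("run 1", RUN_1), ("run 2", RUN_2)):
        print(name, exercise_metrics(run))
    print("trend", compare_runs(RUN_1, RUN_2))
```

Reading the two constructed runs side by side: run 1 never detects the lateral-movement action, so its MTTD of roughly 67 minutes is computed over three of four actions; run 2 detects all four (MTTD 31.25 minutes) but still never recovers from lateral movement, which the `unrecovered` list keeps visible. That pairing of means with coverage lists is what makes the repeated exercise a usable measure of the IR team rather than a single flattering number.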
ADDITIONAL RESOURCES
Books:
Red Team – Micah Zenko
Applied Critical Thinking Handbook – UFMCS
Online:
Microsoft Enterprise Cloud Redteaming Whitepaper
2015’s Red team Tradecraft / Adversary Simulation – Raphael Mudge
The Pyramid of Pain – David Bianco
Veris Group - Adaptive Threat Division – Will Schroeder and Justin Warner
The Adversary Manifesto - Crowdstrike