seeing red: improving blue teams through red teamingseeing red: improving blue teams through red...

Seeing Red: Improving blue

teams through red teamingDave Hull

Tanium EDR Engineering

What is this?

Copyright 2015 Tanium Inc. All rights reserved.2

Intro


Agenda

• Teaser

• Why red teaming

• What is red teaming

• Highlights and lessons learned

• Who should be red teaming

• When

• Practicalities of red teaming

• Conclusion


Why red team?


Because it delivers a security incident.

Pen testing delivers… a nice report.


Why red team?

Because you will play like you practice.


Why red team?


“We run that play every day — end of every

practice,” [Phil] Booth said.

http://www.nytimes.com/2016/04/06/sports/ncaabasketball/villanova-national-championship.html?_r=0

Why red team?


Why red team?

Because red teaming is quantifiable.


Why red team?

Mean-time-to-compromise.


Why red team?

Mean-time-to-detection.


Why red team?

Mean-time-to-recovery.


Agenda

• Teaser

• Why red teaming




• When


• Conclusion


What is red teaming?

It is not threat modeling.



It is not vulnerability assessment.



It is not penetration testing.



Red teaming is different.



Some call it “adversary emulation.”



Some call it “a force-on-force engagement.”


Red teams:

Have mission objectives.


Red teams:


Enterprise or domain admin?


Red teams:


Customer pivot.


Red teams:


IP theft.


Red teams:


Burn it all down.


Red teams:


Test incident response capabilities and procedures.


Red teams:


Test incident response capabilities and procedures

of the organization... not just the blue team.


Who responds, if...


Who responds, if Brian Krebs is your IDS?

Not just the IR team.

Not just the security team.


Agenda

• Teaser

• Why red teaming




• When


• Conclusion


Lesson learned

Outliers may be leads.


Do you even monoculture?


Dan Geer:


• "Internet security is quite possibly the most

intellectually challenging profession on the planet... for

two reasons... complexity... and rate of change [are] your

enemy.

Loathsome long tails...


“... ever present everywhere...”


Build systems that automate

data collection, analysis and remediation.


Blue’s Prime Directive: Remediation


Remediation, like security, is a process not a product.


Investigate. Remediate. Repeat.


Agenda

• Teaser

• Why red teaming




• When


• Conclusion


Who should be red teaming?

Any organization that may have a security incident.



Any organization with something worth protecting.


Who should be red teaming, practically speaking?

Organizations meeting the previous criteria and having:

Some monitoring.

Some defenses.

Some IR capabilities.



Probably an internal team, but not just the security team.


Lesson learned

Documentation is wrong.

Code comments are wrong.

Assumptions are wrong.


Agenda

• Teaser

• Why red teaming




• When


• Conclusion


When should you red team?

Two, maybe three times a year.


Agenda

• Teaser

• Why red teaming




• When


• Conclusion


Practicalities

Have Rules of Engagement.


Rules of engagement

Get approval from management and legal.


Rules of engagement


Rules of engagement

No accessing or tampering with customer data.


Rules of engagement

No accessing or tampering with real customer data.


Rules of engagement

No outages.


Rules of engagement

No weakening of existing

controls.


Rules of engagement

Give the red team access.


Rules of engagement

Give the red team source code.


Rules of engagement

Give the red team architecture diagrams.


Rules of engagement

Keep the blue team in the dark.


Rules of engagement – Don’t let blue do this


Rules of engagement

Real incidents trump red team incidents.


Rules of engagement

Red incidents are core hours only.


Rules of engagement

Red incidents are core hours only,

plus a little.


Rules of engagement

Cross team collaboration.


Rules of engagement

Establish a situation room.


Rules of engagement

Designate incident and investigative leads.


Rules of engagement

Delegate and PM.


Situation normal...

Investigate.


Situation normal, practice how you want to play

Document.



Report.



Plan for remediation.



Execute remediation.



Post remediation monitoring.


Take aways

Postmortems.


Postmortem: Who?

Stakeholders, blue team, red team.


Postmortem: What?

No blame games.


Postmortem: What?

But hold yourself accountable.


Postmortem: Story time.

Blue team goes first.


Postmortem: Tell all.


Postmortem: The facts.

Red team goes second.


Postmortem: Mind the gap.

Blue Red


Goal: close gap over time

Postmortem: Takeaways.

All teams get bugs, feature requests.


Agenda

• Teaser

• Why red teaming




• When


• Conclusion


Lesson learned

Just-In-Time admin (JIT).


Lesson learned

Dedicated admin workstations.


Lesson learned

Zero human generated passwords.


Lesson learned

2FA everywhere.


Lesson learned

Don’t trust. Verify.


Agenda

• Teaser

• Why red teaming




• When


• Conclusion


Conclusion

Red teaming is hard.


Conclusion

Real incidents may be harder.


Conclusion

Practice how you want to play.


Thank you!

[email protected]

seeing red: improving blue teams through red teamingseeing red: improving blue teams through red...

Documents