Building an InfoSec RedTeam
9 likes8,490 views
The document outlines the importance of building and maintaining an effective red team for penetration testing within organizations to enhance security and protect reputation. It discusses the structure, roles, and characteristics necessary for a successful red team, highlighting the benefits and challenges of internal versus external teams. The author, Dan Catalin Vasile, shares insights based on over 15 years of experience in the field, emphasizing the complexities involved in creating a red team.
Building an InfoSec RedTeam
- 1. InfoSec RedTeam Building and maintaining a Penetration Testing Team as the driving force of the Security Organizational Structure
- 2. First Page :Why RedTeam? To rescue MONEY& REPUTATION
- 3. First Page :How? By keeping HACKERS away!
- 4. Second Page :Definitions RedTeam Independent group that challenges an organization to improve its security. Penetration TestPenetration Test Method of evaluating computer and network security by simulating an attack on a computer system or network from external and internal threats. Security Operations Center Centralized unit in an organization that deals with security issues, on an organizational and technical level.
- 5. RedTeam – center of security RedTeam members are cutting-edge technical experts in a multitude of IT domains and are used as consultants by other services within the security department. Alongside with consultancy they also provide: -Training - Mentoring - Guidance - Best practices
- 6. Functional relationships The RedTeam provides expert knowledge and share information with all departments across the Security Department. Just to name a few:
- 7. Organizing a RedTeam Given the sensitive information the team is handling and the necessary technical skills, gathering and organizing the team is not an easy task. Key-points: •Finding the right team members•Finding the right team members •Finding the most suited organizational structure •Integrating with the current structure •Maintaining the health of the team •Continuous improvement
- 8. RedTeam members specs Knowledge set: Operating Systems Networking and Protocols Firewalls DatabasesDatabases Scripting Programming Forensics Characteristics: Good communication Curiosity Willing to learn and share knowledge Interact with the team and the clients
- 9. RedTeam members Specific backgrounds: •Network administrator (multiple OSes and infrastructure equipments) •Developer(multiple languages, depending on the organization’s profile) •Quality Assurance (software) •System Architect / Implementer / Consultant (hardware & software)
- 10. General organization structures Organization structures according to PMBOK Executive/CISO Executive/CISO RedTeam manager PenTest expert Pentest expert Functional Matrix RedTeam project coordinator PenTest expert Pentest expert Projectized
- 11. Specific structure To meet performance criteria for a RedTeam, a specific organization structure is needed. CISO Roles CISO – Team Champion, provides business interface and long term goals RedTeam Manager – Technical Rockstar, oversees and works on all RedTeam Director Project Coordinator PenTest Expert Pentest Expert Pentest Expert RedTeam Manager – Technical Rockstar, oversees and works on all projects, distributes workload, translates business needs into technical details, establishes short and medium term goals Project Coordinator – The Organizer, keeps track of everything PenTest Experts – The Army, the very foundation of the security department, champions, rockstars and organizers altogether, exceptional individuals delivering security services
- 12. Penetration tester experts are highly trained individuals with huge egos (a recognized leader of the team is in charge with making everybody happy at the workplace and with each other) Psychological aspects Time for training and research (the experts need to train and to research new subjects to stay at the top of the elite) Creativity (get the experts out of the routine and let them come up with ingenious ideas to solve problems faster and better)
- 13. Building a geographically distributed team (working in different corners of the world can be beneficial to cover all clients, but the sharing of knowledge is obstructed and internal fights can occur) Sociological aspects sharing of knowledge is obstructed and internal fights can occur) Different remuneration for the same skill-set (while it’s impossible to have the same remuneration for everybody, it’s a good idea to keep them within the same ranges and at the top of the market rates to keep the experts on your team)
- 15. Deliverables RedTeam Exercise Reports Penetration Testing Reports Consultancy for fixing the identified vulnerabilitiesConsultancy for fixing the identified vulnerabilities Training for development and networking teams Whitepapers on best practices InfoSec Metrics Advisories for upper management based on all of the above
- 16. Internal vs. External RedTeam Advantages Disadvantages Internal RedTeam • Sensitive information never leaves the company • May be biased • Need managementcompany • Knowledge of the internal systems • When not working on a project, the RedTeam can provide other valuable services • Cheap • Need management External contractor • A fresh pair of eyes • Expertise on exotic systems • The company needs to expose sensitive information to a 3rd party • Need to understand the inner- workings of the systems • Expensive
- 17. Internal vs. External RedTeam So, where is the break-even point in which an internal RedTeam is the best solution? Small company A smaller company can benefit from periodical penetration test with clear scopes from an external contractor Medium company If the company broke the 100 machines limit, a serious options is to hire a dedicated Penetration Tester and as the size of the network and number of the applications grows to increase the number of security experts and eventually create a RedTeam Enterprise For a large company, the internal RedTeam is a must and the ROI is much better than using an external contractor External contractors can be used periodically in conjunction with an internal RedTeam to provide a black-box, unbiased, external view of critical systems
- 18. About the author Dan Catalin VASILE is a security guy with more then 15 years in IT&C, out of which 12 are related to security. He’s been working with start-ups, small companies and industry giants, gathering relevant experience from all of those.gathering relevant experience from all of those. His main areas of interest are around application and network security. He is also involved in local security chapters like OWASP and ISC2 as a meeting organizer, host and presenter. You can contact him at danvasile@pentest.ro http://www.pentest.ro (personal blog)
- 19. About the presentation This presentation is the deliverable of a larger research that the author did over the years. The paper is the result of the personal experience of the author.The paper is the result of the personal experience of the author. - Working for various sized companies - Working as a team member, coordinator, leader and director - Seen and have been under different organizational schemes Creating and managing a RedTeam is a difficult task. This presentation brings some light on the issues an organization will face in setting up a Penetration Testing Team.