When is a Red Team a Red Team?
May 2019
Agenda
[+] Introductions 1m
[+] Setting the Stage 5m
[+] Tales from the Trenches 13m
[+] Conclusion 1m
> whoami
• Sanjiv Kawa
• Penetration Tester and Red Teamer
• I Lead Nettitude's Penetration Testing Team
kawabungah
skahwah
> whois Nettitude
• 160 security professionals
• Global presence
• Significant Industry Influence
Nettitude’s Research and Zero Days
Setting the Stage
Confusion
• What is Red Teaming?
• Who is it for?
• What does it achieve?
• Why is it important?
The Current State of Technical Assurance
What is a Red Team Engagement?
PenTest+
Purpose of a Red Team Engagement
Holistically test your organization against a real world breach scenario
• Driven from real world threats
• Focus on depth and not breadth
• Exercise your Blue Team
People, Process, Technology
What Does a Red Team Engagement Look Like?
Why is Red Teaming Important?
Exercise Your Blue Team
People, Process, Technology
Tales from the Trenches
Some of our Achievements
• We get to work with some awesome clients
• We have an extremely high success rate in reaching objectives
I’m going to walk you through a red team engagement we did for a stock exchange.
Disclaimer: some areas have been replaced with fictitious people, other areas are heavily redacted to protect the identity of the Client and their employees …
Engagement Particulars
Client: Large Stock Exchange
Objective: Integrity of Real Time Trading System (TS)
Assessment: Threat Intelligence
Scenario 1: External Threat
Scenario 2: Insider Threat
Assessment: Detection and Response Capabilities
Threat Intelligence
MITRE ATT&CK Group ID: G0032 (AKA Lazarus Group, North Korea)
Threat Intelligence: Lazarus Group
Based on TI: Initial entry is going to be a targeted phish
Threat Intelligence: Recon
If I had 8 hours to chop down a tree, I would spend 6 of those hours sharpening my axe.
Many, many, many tools ...
Threat Intelligence: Finding Targets to Phish
• In-house developed, publicly available tool
• Checks HIBP (Have I Been Pwned) for breaches
• Name, email, title, etc.
Threat Intelligence: Building Pretext
• Find target employees who work with TS
• Senior Trader at Stock Company
• Works with TS
• A+ candidate to phish!
Threat Intelligence: Building Pretext
Priority  Target at Stock Exchange  Position         Pretext from LinkedIn
1         Rey Oakley                Senior Trader    Joseph Thompson – Capital Ventures
2         Mike Cortes               IT Support       Sarah Cho – Computer Stop
3         Karen Hayes               Database Admin   John Smith – DevShop
4         Stacy Chan                Project Manager  Mike Jacklin – Logistics R Us
• Don’t stop at one, maximize your chances.
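As an added example (not the in-house tool the earlier slide refers to, and not Nettitude's code), the following Python turns harvested names and titles into a ranked target pack of the kind shown in the table above: it generates candidate addresses under common corporate formats, cross-references them against breach data, and weights each role by how close it sits to the trading system. The employee list, the breach set and the domain stockx.example are constructed for the example; on an engagement the breach hits would come from HIBP lookups and the address format would be confirmed during recon.

```python
"""Added example (not Nettitude's in-house tool): build a prioritised phishing
target pack from OSINT-style records. Employee list, breach set and mail
domain are constructed for the example; on an engagement they come from
LinkedIn recon, Have I Been Pwned (HIBP) lookups and a confirmed address
format for the client domain."""
import re
from dataclasses import dataclass, field

# Constructed: people and titles as harvested from LinkedIn-style recon.
EMPLOYEES = [
    ("Rey Oakley", "Senior Trader"),
    ("Mike Cortes", "IT Support"),
    ("Karen Hayes", "Database Admin"),
    ("Stacy Chan", "Project Manager"),
    ("Tom Reed", "Receptionist"),
]

# Constructed stand-in for HIBP hits: addresses that appeared in past breaches.
BREACHED = {"khayes@stockx.example", "rey.oakley@stockx.example"}

# Common corporate address formats; the real one is confirmed during recon.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first": lambda f, l: f,
}

# Role keywords weighted by proximity to the objective (the trading system).
# First match in list order wins, so "Database Admin" scores as a DBA, not IT.
ROLE_WEIGHTS = [
    (r"\btrad", 5),                 # uses TS directly
    (r"database|\bdba\b", 4),       # holds TS data and credentials
    (r"\bit\b|support|admin", 3),   # privileged access paths
    (r"project|manager", 2),        # knows who works on TS
]

@dataclass
class Target:
    name: str
    title: str
    candidates: list = field(default_factory=list)
    breached: list = field(default_factory=list)
    score: int = 0

def candidate_addresses(name: str, domain: str) -> list:
    """Plausible addresses for a name under each known format."""
    parts = re.sub(r"[^a-z ]", "", name.lower()).split()
    first, last = parts[0], parts[-1]
    return [f"{fmt(first, last)}@{domain}" for fmt in FORMATS.values()]

def role_score(title: str) -> int:
    """Weight of the first matching role pattern, 0 if the role is irrelevant."""
    t = title.lower()
    return next((w for pat, w in ROLE_WEIGHTS if re.search(pat, t)), 0)

def build_target_pack(employees, domain, breached):
    """Rank employees by role relevance, with a bonus for a breach exposure
    (a known-breached address often means a reused password and confirms
    the address format). Irrelevant roles are dropped."""
    pack = []
    for name, title in employees:
        t = Target(name, title, candidate_addresses(name, domain))
        t.breached = [a for a in t.candidates if a in breached]
        t.score = role_score(title) + (2 if t.breached else 0)
        if t.score:
            pack.append(t)
    return sorted(pack, key=lambda t: t.score, reverse=True)

if __name__ == "__main__":
    for i, t in enumerate(build_target_pack(EMPLOYEES, "stockx.example", BREACHED), 1):
        print(i, t.name, t.title, t.score, t.breached)
```

The weights are a judgement call and are the part a TI team would tune per engagement; the breach bonus is deliberately small so that role relevance, not breach exposure, drives the order. The receptionist falls out of the pack entirely because no pattern matches, which is the "maximize your chances, but only with people who can get you to the objective" trade-off the slide is making.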
Handover
At this point, the TI Team hands over a “target pack” to the Red Team
External Threat: Delivery
External Threat: Weaponization
External Threat: Delivery and Execution
• Pretext: Recruitment and Career Opportunities
• Delivery: Targeted Phishing (4 users)
• Objective: Impact the Integrity of TS
[Chart: Targeted Phishing Statistics, bars for Users Targeted, Emails Confirmed Opened, Links Clicked, Command and Control Obtained (scale 0 to 5)]
External Threat: Execution
Execution?  Target at Stock Exchange  Position         Pretext from LinkedIn
☒           Rey Oakley                Senior Trader    Joseph Thompson – Capital Ventures
☒           Mike Cortes               IT Support       Sarah Cho – Computer Stop
☑           Karen Hayes               Database Admin   John Smith – DevShop
☑           Stacy Chan                Project Manager  Mike Jacklin – Logistics R Us
• Whose workstation are we on?
External Threat: Acting on Objectives
Karen Hayes
External Threat: Acting on Objectives
[Diagram: from Karen Hayes' workstation: Global File Share → TS Documents; Active Directory → TS Users]
☑ Know where TS lives
☑ Know users who access TS
[Diagram: Compromised Workstation → Trader Workstation]
[Diagram: Karen Hayes → Karen Hayes (Active Directory)]
[Diagram: Karen Hayes → Karen Hayes (Citrix User)]
CVE-2018-6857: Sophos SafeGuard Priv Esc 0-day
[Diagram: Karen Hayes → Citrix Administrator → Workstation Administrator → Other Citrix Servers]
[Diagram: Compromised Workstation → Workstation Administrator → Trader Workstation]
Trader Workstation
When is a Red Team a Red Team
Now What?
Detection and Response Assessment
Detection and Response Assessment Outcomes
Blue Team had many chances to see what we did. What did they
actually see?
1. Ascertain timeline of detected events
2. How repeatable was the detection method and response?
3. Formal reporting to stakeholders
4. Tools and techniques used in response
5. Lessons learned
Detection and Response Assessment Outcomes
1. Attempt to identify weaknesses in people, processes and, most importantly, technology which are constraining the detection process
2. Identify areas of strength and significant capability
3. Work together to implement and test these changes
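As an added example (illustrative, not the client's or Nettitude's own process), the following Python reconciles a red team operator log with the blue team's alert export to build the detection timeline asked for above: per step, whether it was seen, how long detection took, whether the alert was actually actioned, and which steps were missed outright. Both logs, the hostnames, the ATT&CK IDs and the timestamps are constructed for the example.

```python
"""Added example (illustrative, not the client's or Nettitude's process):
reconcile the red team's operator log with the blue team's alert log to
produce the detection timeline: which steps were seen, how long detection
took, which alerts were raised but closed, and which steps were missed.
Both logs, hostnames, techniques and timestamps are constructed."""
from datetime import datetime, timedelta

# Constructed red team operator log: "<ISO time> <host> <ATT&CK id> <action>".
RED_LOG = """\
2019-03-04T09:12:00 WS-KHAYES T1566.002 phishing link clicked, C2 obtained
2019-03-04T09:40:00 WS-KHAYES T1087.002 domain user and group enumeration
2019-03-04T10:05:00 FS-GLOBAL T1083 file share search for TS documents
2019-03-05T14:30:00 CTX-APP01 T1068 local privilege escalation on Citrix host
2019-03-06T08:20:00 WS-ROAKLEY T1021.001 lateral movement to trader workstation
"""

# Constructed SOC alert export in the same shape; technique tags are what an
# analyst (or the SIEM) assigned during triage.
BLUE_LOG = """\
2019-03-04T09:55:00 WS-KHAYES T1087.002 EDR: net group /domain from user shell
2019-03-05T16:10:00 CTX-APP01 T1068 AV: exploit attempt, closed as FP
2019-03-06T08:21:00 WS-ROAKLEY T1021.001 SIEM: RDP logon from non-admin workstation
"""

def parse(log):
    """Split each line into (timestamp, host, technique, description)."""
    rows = []
    for line in log.splitlines():
        ts, host, technique, desc = line.split(" ", 3)
        rows.append((datetime.fromisoformat(ts), host, technique, desc))
    return rows

def reconcile(red, blue, window=timedelta(hours=24)):
    """Match each red step to the first alert on the same host with the same
    technique within `window` after the step. Returns per-step rows and a
    summary covering detection coverage, mean time-to-detect and misses."""
    alerts = parse(blue)
    rows = []
    for ts, host, tech, desc in parse(red):
        hit = next((a for a in alerts
                    if a[1] == host and a[2] == tech and ts <= a[0] <= ts + window),
                   None)
        rows.append({
            "step": desc, "host": host, "technique": tech,
            "detected": hit is not None,
            # Seen by technology but dismissed by process: a distinct failure.
            "actioned": hit is not None and "closed as FP" not in hit[3],
            "ttd_min": (hit[0] - ts).total_seconds() / 60 if hit else None,
        })
    seen = [r for r in rows if r["detected"]]
    summary = {
        "coverage": len(seen) / len(rows),
        "actioned": sum(r["actioned"] for r in rows) / len(rows),
        "mean_ttd_min": sum(r["ttd_min"] for r in seen) / len(seen) if seen else None,
        "missed": [r["technique"] for r in rows if not r["detected"]],
    }
    return rows, summary

if __name__ == "__main__":
    rows, summary = reconcile(RED_LOG, BLUE_LOG)
    for r in rows:
        print(r)
    print(summary)
```

Matching on host plus ATT&CK technique is deliberately strict; loosen it to host-only to surface alerts the blue team raised on the right machine but attributed to the wrong behaviour. The actioned field is what separates a technology gap (nothing fired) from a process gap (an alert fired and was closed), which is the people/process/technology split the slides keep returning to.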
Conclusion
• Test people, processes and technology
• Test the Blue Team’s ability to respond to a threat
• Not a replacement for penetration testing
• Assurance activities should be continuous
• Improve security posture
Thank You
Purpose of a Red Team Engagement
Holistically test your organisation against a real world breach scenario
[Diagram: Strong / Weak Security Posture across People, Process, Technology]
• Measure IR/EDR Capability (Blue Team)
• Focus on Depth and not Breadth
• Driven from Real World Threats
External Threat: Acting on Objectives
Why is Red Teaming Important?
A few examples where People, Process, and Technology fell down…
