Seeing Red: Improving blue teams through red teamingSeeing Red: Improving blue teams through red...

Seeing Red: Improving blue

teams through red teamingDave Hull

Tanium EDR Engineering

What is this?

Agenda

• Teaser

• Why red teaming

• What is red teaming

• Highlights and lessons learned

• Who should be red teaming

• When

• Practicalities of red teaming

• Conclusion

Why red team?

Because it delivers a security incident.

Pen testing delivers… a nice report.

Why red team?

Because you will play like you practice.

Why red team?

“We run that play every day — end of every

practice,” [Phil] Booth said.

http://www.nytimes.com/2016/04/06/sports/ncaabasketball/villanova-national-championship.html?_r=0

Why red team?

Because red teaming is quantifiable.

Why red team?

Mean-time-to-compromise.

Why red team?

Mean-time-to-detection.

Why red team?

Mean-time-to-recovery.

Agenda

• Teaser

• Why red teaming

• When

• Conclusion

What is red teaming?

It is not threat modeling.

It is not vulnerability assessment.

It is not penetration testing.

Red teaming is different.

Some call it “adversary emulation.”

Some call it “a force-on-force engagement.”

Red teams:

Have mission objectives.

Red teams:

Enterprise or domain admin?

Red teams:

Customer pivot.

Red teams:

IP theft.

Red teams:

Burn it all down.

Red teams:

Test incident response capabilities and procedures.

Red teams:

Test incident response capabilities and procedures

of the organization... not just the blue team.

Who responds, if...

Who responds, if Brian Krebs is your IDS?

Not just the IR team.

Not just the security team.

Agenda

• Teaser

• Why red teaming

• When

• Conclusion

Lesson learned

Outliers may be leads.

Do you even monoculture?

Dan Geer:

• "Internet security is quite possibly the most

intellectually challenging profession on the planet... for

two reasons... complexity... and rate of change [are] your

enemy.

Loathsome long tails...

“... ever present everywhere...”

Build systems that automate

data collection, analysis and remediation.

Blue’s Prime Directive: Remediation

Remediation, like security, is a process not a product.

Investigate. Remediate. Repeat.

Agenda

• Teaser

• Why red teaming

• When

• Conclusion

Who should be red teaming?

Any organization that may have a security incident.

Any organization with something worth protecting.

Who should be red teaming, practically speaking?

Organizations meeting the previous criteria and having:

Some monitoring.

Some defenses.

Some IR capabilities.

Probably an internal team, but not just the security team.

Lesson learned

Documentation is wrong.

Code comments are wrong.

Assumptions are wrong.

Agenda

• Teaser

• Why red teaming

• When

• Conclusion

When should you red team?

Two, maybe three times a year.

Agenda

• Teaser

• Why red teaming

• When

• Conclusion

Practicalities

Have Rules of Engagement.

Rules of engagement

Get approval from management and legal.

Rules of engagement

No accessing or tampering with customer data.

Rules of engagement

No accessing or tampering with real customer data.

Rules of engagement

No outages.

Rules of engagement

No weakening of existing

controls.

Rules of engagement

Give the red team access.

Rules of engagement

Give the red team source code.

Rules of engagement

Give the red team architecture diagrams.

Rules of engagement

Keep the blue team in the dark.

Rules of engagement – Don’t let blue do this

Rules of engagement

Real incidents trump red team incidents.

Rules of engagement

Red incidents are core hours only.

Rules of engagement

Red incidents are core hours only,

plus a little.

Rules of engagement

Cross team collaboration.

Rules of engagement

Establish a situation room.

Rules of engagement

Designate incident and investigative leads.

Rules of engagement

Delegate and PM.

Situation normal...

Investigate.

Situation normal, practice how you want to play

Document.

Report.

Plan for remediation.

Execute remediation.

Post remediation monitoring.

Take aways

Postmortems.

Postmortem: Who?

Stakeholders, blue team, red team.

Postmortem: What?

No blame games.

Postmortem: What?

But hold yourself accountable.

Postmortem: Story time.

Blue team goes first.

Postmortem: Tell all.

Postmortem: The facts.

Red team goes second.

Postmortem: Mind the gap.

Blue Red

Goal: close gap over time

Postmortem: Takeaways.

All teams get bugs, feature requests.

Agenda

• Teaser

• Why red teaming

• When

• Conclusion

Lesson learned

Just-In-Time admin (JIT).

Lesson learned

Dedicated admin workstations.

Lesson learned

Zero human generated passwords.

Lesson learned

2FA everywhere.

Lesson learned

Don’t trust. Verify.

Agenda

• Teaser

• Why red teaming

• When

• Conclusion

Conclusion

Red teaming is hard.

Conclusion

Real incidents may be harder.

Conclusion

Practice how you want to play.

Thank you!

dave.hull@tanium.com

Seeing Red: Improving blue teams through red teamingSeeing Red: Improving blue teams through red...

Documents

Transcript of Seeing Red: Improving blue teams through red teamingSeeing Red: Improving blue teams through red...

WWT: Tanium and Cisco Solutions Presentation from Cisco Live 2017

Ch. 7 Test Review Game.notebook. 7...Ch. 7 Test Review Game.notebook 2 January 13, 2016 Teams Purple Blue Green Yellow Orange Red Teams Purple Blue Green Yellow Orange Red

Tanium Asset User Guide

Tanium and Palo Alto Networks: Real-Time Cyberthreat Detection, Prevention and Remediation · 2016-11-30 · PALO ALTO NETWORKS: Technology Partner Solution Brief Tanium and Palo

1 18 Months - Activity Demonstrations Patents/Patent Applications: Experiments: Publications: Red Team Engagements: Red Teams Sandia RABA Cigital White.

2021 Grapeworks Tanium | T: +61 3 9555 5500 E: info ...

MHAC VOLLEYBALL MEETINGmhacvolleyball.com/uploads/3/4/3/0/34300718/mhac_info_meeting_2016-17.pdfProjected 2016-17 teams: 12 Red 14 Black 14 Red 16 Black 16 Red ... We may call for

Tanium Integrity Monitor User Guide...©2019TaniumInc.AllRightsReserved Page4 Createanewwatchlist 24 Editawatchlist 26 Viewwatchlistdetails 27 Addnewpaths 28 ExampleTaniumCSV fileusedtoimportpaths

Red Zone Teams Systematic Support for Struggling Students and Families

TODAY’S teams review€¦ · TODAY’S teams 1 2 3 4 5 6 7 8 9 10 11 12 14 15 16 17 Petersfield Town Red and black striped shirts, black shorts, red and black socks Totton & Eling

Tanium Comply User Guide

DS Core v3 - Amazon S3 · With Tanium Core, teams can better secure their environment by identifying all unmanaged assets on the network and directly maintain configurations such

106-Toward an Automated Attack Model for Red Teams

COMMONWEALTH OF PENNSYLVANIA LEGISLATIVE JOURNALApr 11, 2018 · 5,490 individuals received financial assistance from the Red Cross, while Red Cross teams responded to more than 1200

Red Cross Red Crescent Magazine -No3 - 2012 teams from the Red Cross Society of China struggled through rugged terrain and precipitous mountain roads to bring help to survivors of

1 TANIUM - Grapeworksgrapeworks.com.au/image/2019-Tanium Catalogue-1-Web.pdf · 2018. 12. 11. · Semi Auto Corking, Capping & Wiring Enolmechanica Multi Function Screw Cap, Crown

Tanium Comply User Guide©2018TaniumInc.AllRightsReserved Page4 UsingJREencryption 26 Workingwithdeployments 28 Clonedeployments 29 Editdeployments 29 Legacydeployments 29 Updatetooldeployment

Security by Collaboration: Rethinking Red Teams versus Blue Teams

A White Box Approach to Red Teaming in industry€¦ · Red Teaming in industry One of the Experiments Presented by David Ferguson . About Me ... The Cyber Kill Chain Early Red Teams

DOCTRINE AND COVENANTS 104. RED and GREEN GAME 4 Teams- 7 Rounds Give a red square and receive red square: -5 Give a red square and receive green square: