Using Red Teaming for Information

Assurance

Ion BICA, PhD, CISA

Military Technical Academy

1

Cyber attacks in the news

2

Personal level attacks

Zeus / Zbot

Torping / Sinowal

Conficker / Downup

Phishing

Spyware

3

Organizational level attacks

HTRC, 2007

25 million records lost

Heartland Payment Systems, 2009

130 million records lost

Wikileaks Mastercard, 2010

13.9 million card details stolen

RSA breach

40 million tokens and access compromised

Sony Playstation Network

101.6 million records lost

UBS (Kweku Adoboli), 2011

$2.3billion fraud

Zappos, 2012

24 million records lost

4

National level attacks

Estonia, 2007

Georgia, 2008

Operation Aurora, 2009/2010

Stuxnet, 2010

Flame, 2012

Cyber Warfare is a reality!

5

Threat environment

Increasing sophistication of cyber threats

Attacks are organized, disciplined, aggressive, and well resourced

Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with intentions of

compromising information systems

Information technology is our greatest strength and at the same time, our greatest weakness [NIST]

Growing cyber threats demand advanced mitigation strategies

6

The need for proactive security

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.

If you know neither the enemy nor yourself, you will succumb in every battle. (Sun Tzu The Art of War)

Proactive / offensive security

simulate attackers behavior against your own systems

Reactive / defensive security

system hardening, monitoring, forensics, etc

Proactive security provide certain degree of trust that protection methods have been implemented correctly and they are efficient

7

What is Red Teaming?

Military wargaming Blue Team (USA) vs. Red Team (Soviet Union)

Opposing force in a simulated military conflict

Red Teaming is used to reveal weaknesses in military readiness

The aggressor (red team) is composed of various threat actors, equipment, and techniques that are at least partially unknown

by the defenders (blue team)

The red team challenges the defenders by playing the role of a thinking enemy

Understand adversarys capabilities and potential actions

8

Red Teaming domains

Military when soldiers address and anticipate enemy courses of action

Forensics when detectives attempt to get inside a criminals mind

Corporate when businesses simulate competition in case of a new plan or initiative

Computer security when professionals test and penetrate client communication and information systems

The friendly side (blue team) attempts to view a problem through the eyes of an adversary or competitor (red team)

9

Red Teaming from the cyber security perspective

Red Teaming is a process designed to detect vulnerabilities by taking an attacker-like approach

Authorized, adversary-based assessment for defensive purposes

authorized means that someone with legal control of the facility, system, or entity to be red teamed has agreed to the process

adversary-based means that the activity implies taking into account the adversaries knowledge, skills, commitment, resources, and culture

assessment means one is making a judgment, possibly a comparison, of the state of the target with respect to actions by the adversary

defensive purposes refers to the ethical approach of the assessment

10

Red Teaming functions

Understand adversaries and threat environment Gather relevant data to identify trends and most pressing vulnerabilities

Anticipate enemy courses of action and avoid surprise Alternative analysis for security risks evaluation to improve decision

making

Assess the effectiveness of the existing security measures and demonstrate the possible impact of cyber attacks

Enhanced form of penetration testing (highly specialized tools, custom scripts, etc)

Improve the cyber security staffs ability to detect and respond to cyber attacks

Cyber Defense Exercises (CDX)

11

Red Teaming functions (cont.)

12

Red Teaming in practice

Sandia National Laboratories Information Design Assurance Red Team (IDART)

http://www.idart.sandia.gov/

US Department of Homeland Security DHS Red Team

Evaluate security of federal networks

NATO NC3A Cyber Red Team (CRT)

Conclusions

Red Teaming is a process that models and simulates adversary actions

Red Teaming requires highly skilled specialists

Red Teaming provides a more realistic picture of security readiness of an organization than other methods (e.g.

penetration testing)

Red Teaming may contribute to achieving objectives of national strategy for cyber security

14

15