6.Ion Bica - Red Teaming
-
Using Red Teaming for Information
Assurance
Ion BICA, PhD, CISA
Military Technical Academy
-
Cyber attacks in the news
-
Personal level attacks
Zeus / Zbot
Torpig / Sinowal
Conficker / Downup
Phishing
Spyware
-
Organizational level attacks
HMRC, 2007
25 million records lost
Heartland Payment Systems, 2009
130 million records lost
Wikileaks Mastercard, 2010
13.9 million card details stolen
RSA breach
40 million tokens and access compromised
Sony Playstation Network
101.6 million records lost
UBS (Kweku Adoboli), 2011
$2.3 billion fraud
Zappos, 2012
24 million records lost
-
National level attacks
Estonia, 2007
Georgia, 2008
Operation Aurora, 2009/2010
Stuxnet, 2010
Flame, 2012
Cyber Warfare is a reality!
-
Threat environment
Increasing sophistication of cyber threats
Attacks are organized, disciplined, aggressive, and well resourced
Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with intentions of compromising information systems
Information technology is our greatest strength and at the same time, our greatest weakness [NIST]
Growing cyber threats demand advanced mitigation strategies
-
The need for proactive security
If you know the enemy and know yourself, you need not fear the result of a hundred battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every battle. (Sun Tzu, The Art of War)
Proactive / offensive security
simulate attackers' behavior against your own systems
Reactive / defensive security
system hardening, monitoring, forensics, etc.
Proactive security provides a certain degree of trust that protection methods have been implemented correctly and that they are effective
-
What is Red Teaming?
Military wargaming: Blue Team (USA) vs. Red Team (Soviet Union)
Opposing force in a simulated military conflict
Red Teaming is used to reveal weaknesses in military readiness
The aggressor (red team) is composed of various threat actors, equipment, and techniques that are at least partially unknown to the defenders (blue team)
The red team challenges the defenders by playing the role of a thinking enemy
Understand the adversary's capabilities and potential actions
-
Red Teaming domains
Military: when soldiers address and anticipate enemy courses of action
Forensics: when detectives attempt to get inside a criminal's mind
Corporate: when businesses simulate competition in the case of a new plan or initiative
Computer security: when professionals test and penetrate client communication and information systems
The friendly side (blue team) attempts to view a problem through the eyes of an adversary or competitor (red team)
-
Red Teaming from the cyber security perspective
Red Teaming is a process designed to detect vulnerabilities by taking an attacker-like approach
Authorized, adversary-based assessment for defensive purposes
authorized means that someone with legal control of the facility, system, or entity to be red teamed has agreed to the process
adversary-based means that the activity implies taking into account the adversaries' knowledge, skills, commitment, resources, and culture
assessment means one is making a judgment, possibly a comparison, of the state of the target with respect to actions by the adversary
defensive purposes refers to the ethical approach of the assessment
-
Red Teaming functions
Understand adversaries and the threat environment
Gather relevant data to identify trends and the most pressing vulnerabilities
Anticipate enemy courses of action and avoid surprise
Alternative analysis for security risk evaluation to improve decision making
Assess the effectiveness of the existing security measures and demonstrate the possible impact of cyber attacks
Enhanced form of penetration testing (highly specialized tools, custom scripts, etc.)
Improve the cyber security staff's ability to detect and respond to cyber attacks
Cyber Defense Exercises (CDX)
-
Red Teaming functions (cont.)
-
Red Teaming in practice
Sandia National Laboratories Information Design Assurance Red Team (IDART)
http://www.idart.sandia.gov/
US Department of Homeland Security DHS Red Team
Evaluate security of federal networks
NATO NC3A Cyber Red Team (CRT)
-
Conclusions
Red Teaming is a process that models and simulates adversary actions
Red Teaming requires highly skilled specialists
Red Teaming provides a more realistic picture of the security readiness of an organization than other methods (e.g. penetration testing)
Red Teaming may contribute to achieving objectives of national strategy for cyber security