6.Ion Bica - Red Teaming


  • Using Red Teaming for Information Assurance

    Ion BICA, PhD, CISA

    Military Technical Academy

  • Cyber attacks in the news

  • Personal level attacks

    Zeus / Zbot

    Torpig / Sinowal

    Conficker / Downup

    Phishing

    Spyware

  • Organizational level attacks

    HMRC, 2007

    25 million records lost

    Heartland Payment Systems, 2009

    130 million records lost

    Wikileaks Mastercard, 2010

    13.9 million card details stolen

    RSA breach

    40 million tokens and access compromised

    Sony Playstation Network

    101.6 million records lost

    UBS (Kweku Adoboli), 2011

    $2.3 billion fraud

    Zappos, 2012

    24 million records lost

  • National level attacks

    Estonia, 2007

    Georgia, 2008

    Operation Aurora, 2009/2010

    Stuxnet, 2010

    Flame, 2012

    Cyber Warfare is a reality!

  • Threat environment

    Increasing sophistication of cyber threats

    Attacks are organized, disciplined, aggressive, and well resourced

    Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with intentions of compromising information systems

    Information technology is our greatest strength and at the same time, our greatest weakness [NIST]

    Growing cyber threats demand advanced mitigation strategies

  • The need for proactive security

    If you know the enemy and know yourself, you need not fear the result of a hundred battles.

    If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.

    If you know neither the enemy nor yourself, you will succumb in every battle. (Sun Tzu, The Art of War)

    Proactive / offensive security: simulate attackers' behavior against your own systems

    Reactive / defensive security: system hardening, monitoring, forensics, etc.

    Proactive security provides a certain degree of trust that protection methods have been implemented correctly and that they are effective

  • What is Red Teaming?

    Military wargaming: Blue Team (USA) vs. Red Team (Soviet Union)

    Opposing force in a simulated military conflict

    Red Teaming is used to reveal weaknesses in military readiness

    The aggressor (red team) is composed of various threat actors, equipment, and techniques that are at least partially unknown to the defenders (blue team)

    The red team challenges the defenders by playing the role of a thinking enemy

    Understand the adversary's capabilities and potential actions

  • Red Teaming domains

    Military: when soldiers address and anticipate enemy courses of action

    Forensics: when detectives attempt to get inside a criminal's mind

    Corporate: when businesses simulate competition in the case of a new plan or initiative

    Computer security: when professionals test and penetrate client communication and information systems

    The friendly side (blue team) attempts to view a problem through the eyes of an adversary or competitor (red team)

  • Red Teaming from the cyber security perspective

    Red Teaming is a process designed to detect vulnerabilities by taking an attacker-like approach

    Authorized, adversary-based assessment for defensive purposes

    authorized means that someone with legal control of the facility, system, or entity to be red teamed has agreed to the process

    adversary-based means that the activity takes into account the adversaries' knowledge, skills, commitment, resources, and culture

    assessment means one is making a judgment, possibly a comparison, of the state of the target with respect to actions by the adversary

    defensive purposes refers to the ethical approach of the assessment

  • Red Teaming functions

    Understand adversaries and the threat environment

    Gather relevant data to identify trends and the most pressing vulnerabilities

    Anticipate enemy courses of action and avoid surprise

    Alternative analysis for security risk evaluation to improve decision making

    Assess the effectiveness of the existing security measures and demonstrate the possible impact of cyber attacks

    Enhanced form of penetration testing (highly specialized tools, custom scripts, etc.)

    Improve the cyber security staff's ability to detect and respond to cyber attacks

    Cyber Defense Exercises (CDX)

  • Red Teaming functions (cont.)

  • Red Teaming in practice

    Sandia National Laboratories: Information Design Assurance Red Team (IDART)

    http://www.idart.sandia.gov/

    US Department of Homeland Security: DHS Red Team

    Evaluates the security of federal networks

    NATO NC3A: Cyber Red Team (CRT)

  • Conclusions

    Red Teaming is a process that models and simulates adversary actions

    Red Teaming requires highly skilled specialists

    Red Teaming provides a more realistic picture of the security readiness of an organization than other methods (e.g. penetration testing)

    Red Teaming may contribute to achieving objectives of national strategy for cyber security
