ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.


Transcript of ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Page 1: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES
LAWRENCE MUNRO

Page 2: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

About Me

• Director for SpiderLabs at Trustwave (EMEA and APAC)
• Built and grew Penetration Testing Practices
– KPMG Head of Red Teaming and commercial Pen Testing
– Nebulas (Boutique)
• Director – B-Sides London
• Former Penetration Tester / Social Engineer
• Advisor to various global enterprises on creating Red Teams
• Doing my Masters at Oxford University

Page 3: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Agenda

• Introduction to Red Teaming
• Why Simulate Attacks?
• Threat Intelligence
• Why to ‘Roll’ Your Own
• Why Not to Roll Your Own
• Legal Issues (in the UK)
• Execution
• The Importance of Closure

Page 4: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Introduction to Red Teaming

• Simulated attacks
– Replicate realistic threats
• Specialisms
• Common approaches
– Cyber kill chain
• Threat Intelligence
– Planning
• Goals
– High level
– Broad scopes

Page 5: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Why Simulate Attacks

• Test your defences
– Traditional pen testing is not realistic
– Post-exploit
• Test your IR capability and Playbooks
– As important as penetration
• Compliance
– CBEST in FS

• Everyone else is doing it (?)

Page 6: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Threat Intelligence

• What’s the concept?
– Threat intelligence improves realism
– Quality threat intelligence improves realism
• Scenario-based approach
– Creation of scenarios based on TI
• Which providers offer all TI elements?
– Really?
– Generic?
• Your own data and TI
• Risk and threat models

Page 7: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Why to Roll Your Own – Key Points

• Money
– Is it more expensive?
• Learning activities
– RT != PT
• Continuous assessment
– Test all the things, all the time?
• Blue Teams and collaboration
• Collaboration with IR / SOC
• Visibility
– See your network from an attacker’s viewpoint

Page 8: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Why to Roll Your Own

Red Team Top Trumps – The Exploit Dev.

• Attributes
– Specialist
– Often focused on a specific architecture
– Deeply technical
• Creativity – 6/10
• Nerd Quotient – 8/10
• ££££ / 5

Page 9: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Why to Roll Your Own

Red Team Top Trumps – The App. Specialist

• Attributes
– Often from a dev. background
– Will have some key languages and platform expertise
– Often has infrastructure skills too
• Creativity – 7/10
• Nerd Quotient – 7/10
• £££ / 5

Page 10: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Why to Roll Your Own

Red Team Top Trumps – The All-rounder

• Attributes
– Long tenure in the industry, seen it all
– Often useful for managerial responsibility
– Strategist
– Probably owns a ham radio
• Creativity – 6/10
• Nerd Quotient – 7/10
• ££££ / 5

Page 11: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Why to Roll Your Own

Red Team Top Trumps – The Infra. Specialist

• Attributes
– OS expert
– Network expert
– Often from an architecture or net. background
– Often a Mac or Linux zealot
• Creativity – 7/10
• Nerd Quotient – 8/10
• £££ / 5

Page 12: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Why to Roll Your Own

Red Team Top Trumps – Out-of-the-box Thinker

• Attributes
– Could be from anywhere
– Often an all-rounder
– Often very active in the community
– Risky hire (sometimes)
• Creativity – 10/10
• Nerd Quotient – 8/10
• ££££ / 5

Page 13: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Why to Roll Your Own

Red Team Top Trumps – The Social Engineer

• Attributes
– Technical background
– Often has another specialism
– Knowledge of NLP
• Creativity – 9/10
• Nerd Quotient – 5/10
• ££££ / 5

Page 14: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Why Not to Roll Your Own

• Budget and Value for Money
• Lack of knowledge
• Belief that external providers have greater expertise
• Don’t see the benefit
• Lack of justification to business stakeholders

Page 15: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Legal Issues (In the UK)

• I’m not a legal expert
• You should speak to a legal expert
• Computer Misuse Act (1990)
– Section 3A – creation of malware
• Human Rights Act (1998)
– Article 8 – Right to respect for private and family life
• Data Protection Act (1998)
– Principle 6 – right to claim compensation
– Principle 7 – data should be stored securely, ICO can fine
– Principle 8 – data not stored overseas
• The Police and Justice Act (2006)
– Section 37 extends Section 3A of the CMA

Page 16: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Execution – RATs

• What are Implant Frameworks (RATs)?
• Implant Security Controls
– Removal (after time, manual)
– Encrypted comms channels
– Encrypted local data store
– Attribution and identification
– Logging
– Persistence controls (reboots)
– Stealthy, beacon domains registered
– Delivery mechanism control

Page 17: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Execution – Attack Vectors

• Social engineering
– Spearphishing
– Physical entry
– Phone-based pretexting
• Common Vectors
– Watering hole attack
– Dead drops

Page 18: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

The Importance of Closure

• Lessons learned
– Report styles
• Remediation activity discussions
– Expect value from the Red Team
• Report reconciliation
– Stakeholders
– Who should benefit?
• Feedback into Threat and Risk models
• SOC
– SIEM alerts
– Patterns
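One way the SOC can turn a pattern observed during the exercise (an implant beaconing to a registered beacon domain) into a SIEM-style alert, as an added example that is not from the talk: it parses constructed proxy log lines (hostnames, domain names and timestamps are made up) and flags host/domain pairs whose request spacing is suspiciously regular.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (made up for this example, not from the talk):
# timestamp, source host, destination domain.
SAMPLE_LOG = """\
2017-03-01T09:00:00 ws-042 updates.vendor.example
2017-03-01T09:00:01 ws-042 beacon-cdn.example
2017-03-01T09:05:01 ws-042 beacon-cdn.example
2017-03-01T09:10:02 ws-042 beacon-cdn.example
2017-03-01T09:12:40 ws-042 news.example
2017-03-01T09:15:00 ws-042 beacon-cdn.example
2017-03-01T09:20:01 ws-042 beacon-cdn.example
2017-03-01T09:03:00 ws-017 news.example
2017-03-01T09:31:00 ws-017 news.example
2017-03-01T09:47:00 ws-017 news.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Yield (timestamp, host, domain) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {(host, domain): interval_seconds} for pairs with at least min_hits
    requests whose gap stdev/mean (jitter) is below max_jitter."""
    times = defaultdict(list)
    for ts, host, domain in parse_log(text):
        times[(host, domain)].append(ts)
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits[key] = round(avg)
    return hits

if __name__ == "__main__":
    for (host, domain), interval in find_beacons(SAMPLE_LOG).items():
        print(f"ALERT possible beacon: {host} -> {domain} every ~{interval}s")
```

Tune min_hits and max_jitter against your own baseline; the irregular ws-017 browsing in the sample is not flagged even at min_hits=3.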

• Update IR Playbooks

Page 19: ROLLING YOUR OWN RED TEAM, AND OTHER APPROACHES LAWRENCE MUNRO.

Questions?