
RED TEAMING FOR THE ENTERPRISE

INSIGHTS FOR CONSIDERATION(™)


PRISM INTELLIGENCE

OBJECTIVE

‣ Helping the business figure out when they should apply a penetration test vs red team exercise

‣ Bridging the gap between penetration testing and red teaming

‣ Helping the business figure out how to approach red teaming in a bite-sized manner

Disclaimer: This is not a technical talk



TAKE-AWAY FOR THE BUSINESS

‣ Red teaming...

‣ ...can streamline security budgeting in the business, if you scope it and do it right

‣ ...is not a replacement for a penetration test or a vulnerability assessment

‣ ...is useful to model real-world threats

‣ ...allows you to understand how a breach leads to your nightmare scenario

‣ ...can be very expensive if you go all out with it



TAKE-AWAY FOR THE BLUE TEAM

‣ All is not lost

‣ Learn to identify and mitigate the techniques, not the tooling

‣ Follow every tool, defend like a fool

‣ Know what is functional within your environment and what you can detect

‣ Red teams can be detected and mitigated



WHEN TO USE …

Penetration Test - I need a check on the technology

Red Team - I need to understand how my organisation will perform under real world attacks

COMMON MISCONCEPTIONS OF RED TEAMING

Red teaming is launching attacks 24x7 repeatedly against the perimeter

Red teaming is getting an à la carte menu of random attacks which you can choose from

Red teamers are not your friend (We actually are)

I want to emulate an APT within a 2 week timeframe

I want to run a red team exercise to impress my management

Enterprise red teaming is the same as nation state-level red teaming



BREAKING DOWN - PENETRATION TESTING VS RED TEAMING


Attribute                                    Penetration Test           Red Team
Short-term                                   *
Real-world adversarial profile emulation?                               *
Scanners?                                    *
Ring-fenced to single asset?                 *
Assessment of enterprise IR plans?
Standard testing methodology (OWASP, PTES)   *
Advance notification of the SOC/IR teams     *
Complex C2 infrastructure
Reports                                      Focused technical reports  Focused strategic reports



RED TEAMING - HOW DO I DEVELOP A SCOPE...?

Know the threat you’re trying to address.

You are not the government.

You do not have unlimited resources.

To APT or not to APT?

Anything goes or not?

Be smart about it

STRUCTURING THE SCOPE

‣ THREAT RELEVANCE

‣ DEFINE SUCCESS CRITERIA

‣ WHITE CARDING

‣ TECHNIQUE GUIDANCE

‣ SCORING

‣ THE EXERCISE
THREAT RELEVANCE

‣ Know who your adversaries are and the associated “crown jewels”

‣ Proper intelligence gathering is required against threat actors

‣ IOCs aren’t good enough intelligence, they’re called “indicators” for a reason

‣ Figure out the threat actor's TTPs; most of the time you won't get all the known TTPs, but remember that attackers in general are lazy and there is always a common attack thread

‣ Know if you need to track general trends or specific threats


DEFINE SUCCESS CRITERIA

‣ Determine the success criteria; objectives and sub-objectives

‣ Domain admin?

‣ Exfiltration of sensitive data?

‣ Persistence across systems and networks over X number of days?

‣ What if we’re successful with the objectives and the sub-objectives?

‣ Make some noise?

‣ Make more noise?

‣ Make a lot of noise?


WHITE CARDING

‣ Possible white-card scenarios*

‣ Assumed breach

‣ Assumed threat actor has gained employment in your company

‣ Bypassing of certain steps (e.g. waiting on a compromised box for several weeks before someone logs in)

‣ ...other situations which come up during discussions prior to, or during, the exercise
TECHNIQUE GUIDANCE

‣ More of that pass-the-hash? B O R I N G


TECHNIQUE GUIDANCE (CONTINUED)

‣ Introducing the MITRE ATT&CK framework (v2): PRE-ATT&CK, ATT&CK and Mobile ATT&CK

‣ Regardless of affiliation, if you aren't using this, you are doing yourself a disservice

‣ Not all techniques are created equal


SCORING

‣ Objectives & Sub-Objectives

‣ Give them points for obtaining an objective; subtract points if the IR team manages to identify and track a technique

‣ Make that noise — score accordingly

‣ Tally the scores

‣ Result

‣ Share the data with the SOC/IR to refine defensive attributes

‣ MAGIC HAPPENS HERE - Standardised framework for measuring materialisation of scenario
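An added scorecard for the scoring model above (example code, not from the deck): objectives earn points when obtained, a technique loses points when the IR team identifies and tracks it, noise deducts by level, and the tally plus the per-technique detection coverage is what gets handed to the SOC/IR team. The point values, the Attempt fields and the sample attempts are assumptions.

```python
from dataclasses import dataclass

# Assumed point values (not from the deck); tune them per exercise.
OBJECTIVE_POINTS = 20       # objective obtained
SUB_OBJECTIVE_POINTS = 5    # sub-objective obtained
DETECTED_PENALTY = 5        # IR team identified and tracked the technique
NOISE_PENALTY = {"quiet": 0, "some": 2, "more": 5, "a lot": 10}

@dataclass
class Attempt:
    technique: str      # ATT&CK technique id
    objective: str      # objective or sub-objective it served
    obtained: bool      # did the red team achieve it?
    detected: bool      # did the SOC/IR team identify and track the technique?
    noise: str = "quiet"
    sub_objective: bool = False

def score_exercise(attempts):
    """Tally points per objective and technique-level detection coverage."""
    scores, coverage = {}, {}
    for a in attempts:
        base = SUB_OBJECTIVE_POINTS if a.sub_objective else OBJECTIVE_POINTS
        points = base if a.obtained else 0
        if a.detected:
            points -= DETECTED_PENALTY
        points -= NOISE_PENALTY[a.noise]
        scores[a.objective] = scores.get(a.objective, 0) + points
        stats = coverage.setdefault(a.technique, {"used": 0, "detected": 0})
        stats["used"] += 1
        stats["detected"] += int(a.detected)
    return scores, coverage

def undetected_techniques(coverage):
    """Techniques the IR team never tracked: the list to hand to the SOC/IR."""
    return sorted(t for t, s in coverage.items() if s["detected"] == 0)

# Constructed sample exercise log (three attempts; ids are real ATT&CK techniques).
SAMPLE_ATTEMPTS = [
    Attempt("T1078", "Domain admin", True, False, "quiet", sub_objective=True),
    Attempt("T1003", "Domain admin", True, True, "some"),
    Attempt("T1048", "Exfiltration of sensitive data", False, True, "a lot"),
]

if __name__ == "__main__":
    scores, coverage = score_exercise(SAMPLE_ATTEMPTS)
    print(scores)                            # {'Domain admin': 18, 'Exfiltration of sensitive data': -15}
    print(undetected_techniques(coverage))   # ['T1078']
```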



CAVEATS

‣ Techniques listed are general

‣ More than one way to skin a cat

‣ May not be representative of all the methods of executing said technique

‣ Use as guidance rather than hard figures

‣ Red teaming is as complex as you want to make it but know what you are getting yourself into

THIS TALK WOULD NOT HAVE BEEN POSSIBLE WITHOUT...


▸ Raphael Mudge - armitagehacker

▸ Matt Nelson - enigma0x3

▸ Emil Tan

▸ Justin Tan

▸ ...and just about everyone else who kept asking me to get on stage to talk about this.

QUESTIONS? PREFERABLY DISCUSSIONS.
