
Intel-Driven Red Teaming - Carlos Gonçalves

BSides Lancashire · 11:33 · 91 views · Published 2024-05
Tags: Red Team

Transcript [en]

Hello everyone, can you hear me? Can you hear me okay? Thanks for coming. First I would like to warn you that my English comes from video games, so you'll have to bear my strong Brazilian accent for the next minutes. All right, so what I'm bringing here today is a project we implemented in the last months in Brazil. It's a continuous purple team exercise driven by intel data. With that, we were able to take the technical data from the pen testing, from the purple team, and bring it to the risk teams, so that info can go through all the security teams back in Brazil.

So to start, I think you all know the answer to the question, but let me ask it anyway: does having the best guarantee safety? I would like to make a parallel with the automobile industry. In the automobile industry we have safety equipment, we have regulations like this. This is a spec sheet from a car: they have frontal airbag, belt pretensioner, belt load limiter, something that I don't even know what it is, airbags and all that. And I'm sure many of you may be aware of the NCAP tests, where they just throw the car against the wall, against the barrier. They simulate accidents and they test the results on the passengers, whether the safety controls are enough to guarantee the safety of the passengers and of the pedestrians outside the car. And many cars, I won't bring the name here, this one was a zero-star rating. Few cars get zero-star ratings. Even with all the security controls, the airbags, the seat belts, it wasn't enough to guarantee the security of the passengers. So how do we make this into security? That's what our project was made to do. Based on these NCAP results, we were trying to constantly evaluate the security controls and update the security controls according to the results of the tests.

The goals were: to be established on known frameworks and best practices; to evaluate the security controls; to simulate prioritized threats, and that's where the intel information comes in, because we don't have enough resources, I think no one can test the entire MITRE ATT&CK matrix, so that's why the intel team comes in to prioritize which techniques are going to be simulated; and the results must go up to the C-levels. And how are we doing this? We divided it into two layers. The first layer is a technical one, based on the MITRE ATT&CK framework, where we get the threat team, our red team, our blue team, our defense teams, and through this process we have several inputs: the threat feeds, the intel feeds, the threats to the organization, the results made by the incident response team, all the experience from the red team. All these are translated into TTPs, the tactics, techniques and procedures from MITRE ATT&CK, into a constant and cyclic purple team exercise.

Just to bring you the concept of the Pyramid of Pain; many of you might be aware of this. On the base you have very trivial things like hash values. It's very trivial to detect hash values, and at the same time it's very easy for the attacker to bypass the detection. And as we move up the pyramid it gets harder and harder to detect, but at the same time we'll be hitting the attacker hard too. So that's our focus, on the top of the pyramid, the techniques done by the attacker, because the techniques would be harder for them to adapt.

And this is one simulated campaign made by CED, that was one threat group that attacked one of our Brazilian banks, one of our peers in the industry. Here we don't have all the attack chain, it's just the techniques prioritized by the threat intel team. And when, for example, in account manipulation for persistence, we go, red team and blue team together, at the same screen. At the left the red team tells everything they're doing: the procedures, the commands, the command executors; they get all the details. And on the other side, I haven't put the test for the blue team, to not bring our results here, but we are able to tell: was the attack blocked, was it detected, was there any logging, or no, we haven't seen it at all. And as we do this for every technique, we were able to make a heat map of our MITRE ATT&CK defense capacity, where we can say where we are stronger, what we have to improve, and as we do more tests this heat map comes closer to reality. Okay, this is the technical part.

And how did we bring this to the strategic teams? That enters layer two. It was based on NIST SP 800-53, but any framework can be used. Like, right now we are implementing the CSF v2 with some specific needs for the Brazilian regulation. But in this layer the risk team is at the center, and to bring the technical information to the risk team we use a MITRE Engenuity project called Controls to ATT&CK. How this works: based on one of the techniques that was simulated, like T1003 credential dumping, there's a mapping saying this control will mitigate the technique, and we can also do a heat map of the controls. And here is where the red team, the blue team, the technical people have to go into the same room with the strategic team, to tell exactly what was done on the test, because there are many mappings and not every mapping will be related to the test that was made. And that's why we put our guys with the metal T-shirts with the guys in ties, so they end up speaking the same language.

Okay, so the risk team makes this heat map, just like that heat map from the NCAP results: what's the impact of the test, of the technique that was tested, on the organization? With that, they can come up with an action plan to mitigate what needs to be mitigated, because maybe a control that was performing poorly is an accepted risk. So with that action plan, when we made that, we were able to guide the acquisition team, so we were able to drive which tools must be bought, how they should work, our cyber program for the whole organization, and many policies were changed based on the action plan done by the risk team after the results of the technical red team and blue team. And at the end, as this action plan is implemented, all this goes back to the first layer, because as soon as the controls are being improved, the threat intel team will prioritize some other techniques that weren't tested before, because of how the maturity of the organization goes up.

Okay, time is short. I could spend all day talking about every one of the boxes, but some results from last year: we simulated seven APTs. This was with basically two red team analysts, two blue team analysts and two threat intel, so six people in total. We simulated seven APTs, over 50 techniques and over 60 Ms; evaluated 25 security controls; identified some short-term actions and long-term actions to improve our mitigation capabilities; came up with better-informed risk management; and, what is most important for me, better integration between security teams. All right, I don't know how the time is... okay, time is short. I said I could spend all day; I'll be available to talk about it if they tell me something else. Here are my contacts, so thank you.

Do we have time? Does anyone have any question? [question inaudible]

We take that basically from our intel feeds. We have several sources that feed us how the APTs are doing the attacks; we take this info and simulate it inside and outside the bank.

Carlos, please have a warm round of applause.
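As an added illustration of the two layers the talk describes (editor-supplied example code, not the speaker's or the bank's tooling), the following Python turns per-technique red/blue outcomes into the per-tactic heat map, rolls those outcomes up to controls through a controls-to-techniques mapping while dropping mappings that point at untested techniques, and feeds the gaps back to the threat intel side as the next round's priorities. T1003 credential dumping and account manipulation (T1098) come from the talk; the other technique IDs are real ATT&CK IDs used only as sample rows, and the control IDs, the control mapping and the outcomes are constructed placeholders, not the MITRE Engenuity mapping.

```python
"""Toy ATT&CK coverage heat map and controls roll-up.

Added example, not the talk's tooling. Constructed assumptions:
  - TECHNIQUE_TACTIC is a reduced placeholder; real data comes from MITRE ATT&CK.
  - CONTROL_MAP uses made-up control ids, not the MITRE Engenuity
    "NIST 800-53 Controls to ATT&CK" mapping.
  - RESULTS are invented purple-team outcomes for one simulated campaign.
"""
from collections import defaultdict

# Outcome scale the red/blue pair records per technique, best to worst.
SCORE = {"blocked": 3, "detected": 2, "logged": 1, "not_seen": 0}

# Constructed technique -> tactic map (real ATT&CK ids, reduced to a few rows).
TECHNIQUE_TACTIC = {
    "T1003": "credential-access",   # OS Credential Dumping (from the talk)
    "T1098": "persistence",         # Account Manipulation (from the talk)
    "T1059": "execution",
    "T1021": "lateral-movement",
    "T1486": "impact",
}

# Constructed controls -> techniques map; control ids are placeholders.
CONTROL_MAP = {
    "CTRL-A (privileged access)": ["T1003", "T1098"],
    "CTRL-B (endpoint logging)": ["T1003", "T1059", "T1021"],
    "CTRL-C (backup integrity)": ["T1486"],
    "CTRL-D (network segmentation)": ["T1021"],
}

# Constructed test results for one campaign; T1486 was not exercised this round.
RESULTS = {
    "T1003": "not_seen",
    "T1098": "logged",
    "T1059": "detected",
    "T1021": "blocked",
}


def tactic_heatmap(results, technique_tactic=TECHNIQUE_TACTIC):
    """Per-tactic coverage in [0, 1]: mean score of tested techniques; None if untested."""
    buckets = defaultdict(list)
    for tech, outcome in results.items():
        buckets[technique_tactic[tech]].append(SCORE[outcome])
    heat = {}
    for tactic in sorted(set(technique_tactic.values())):
        scores = buckets.get(tactic)
        heat[tactic] = round(sum(scores) / (3 * len(scores)), 2) if scores else None
    return heat


def control_rollup(results, control_map=CONTROL_MAP):
    """Worst observed outcome per control, over the techniques actually tested.

    Mappings that only point at untested techniques are dropped: this is the
    "not every mapping is related to the test" filtering the technical and
    risk teams do together in the same room.
    """
    rollup = {}
    for control, techs in control_map.items():
        tested = [results[t] for t in techs if t in results]
        if tested:
            rollup[control] = min(tested, key=SCORE.__getitem__)
    return rollup


def action_items(results, control_map=CONTROL_MAP, threshold="logged"):
    """Controls whose worst outcome is at or below the threshold: action-plan candidates."""
    return sorted(c for c, o in control_rollup(results, control_map).items()
                  if SCORE[o] <= SCORE[threshold])


def next_priorities(results, technique_tactic=TECHNIQUE_TACTIC):
    """Feedback to layer one: untested techniques first, then those not seen at all."""
    untested = sorted(t for t in technique_tactic if t not in results)
    missed = sorted(t for t, o in results.items() if o == "not_seen")
    return untested + missed


if __name__ == "__main__":
    for tactic, cov in tactic_heatmap(RESULTS).items():
        print(f"{tactic:18} {'untested' if cov is None else f'{cov:.0%}'}")
    print("control roll-up:", control_rollup(RESULTS))
    print("action items:", action_items(RESULTS))
    print("next round:", next_priorities(RESULTS))
```

The roll-up deliberately takes the worst outcome per control rather than an average: a control that "mitigates" three techniques but let one of them run unseen is the one the risk team needs to look at, and averaging would hide it. Whether a poorly performing control becomes an action item or an accepted risk is the risk team's call, which is why `action_items` only lists candidates.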