
BSidesATL 2020 - Connect: From 0 to red team — what does the red team do and when/why do I need one?

BSides Atlanta, 30:26, 185 views, published 2020-04
About this talk
This talk will discuss what the red team does and the maturity level that an organization should have in order to truly gain value from a red team engagement. This is important to discuss because red teams often do not provide as much value as a higher-level assessment (penetration test, vulnerability assessment) due to an organization's lack of security maturity. Red team engagements are often requested by organizations because "red team" is a buzzword or hot term in security. After attending this talk, the audience will understand the difference between a vulnerability assessment, a penetration test, and a red team engagement. They will understand the maturity level that should be reached before engaging in any of the aforementioned assessment types.

- Get to know your attack surface
  - What assets do you have?
  - What applications are in your environment?
  - What vulnerabilities are in your environment?
- Vulnerability management
  - Allows for the discovery of assets
  - Helps discover areas of improvement
  - We can see some of our weaknesses and what we need to patch
  - Second step on the journey to a red team engagement
- Penetration testing
  - Allows an organization to discover weaknesses in their environment
  - Opportunity to test security controls
  - Ideally a black-box test will be performed by a third party in order to get an independent perspective
  - Usually compliance driven
  - Security team often knows the test is in progress
- Red team / advanced adversary simulation
  - Longer engagement
  - Often only a handful of high-ranking execs will know about the engagement
  - Tests blue team capabilities
  - Emulates advanced adversaries such as nation states
  - Objective driven
  - Need to have a mature security program in order to truly get value
- Summary
  - Vuln vs. pen vs. red team
  - Takeaways
Transcript [en]

So hey everyone, I'm Nico. I'm gonna be doing the talk From Zero to Red Team. We're gonna be talking about what a red team is and when we need one, and when I should put my computer in, do you know, sister. So the first thing we'll talk about... oh, hold on, let me share my screen. That's about me. All right, can you guys see the presentation? Yes? Yep. Okay, great.

All right, so a little about me before we get started. My name is Nico, I'm on the red team at Deloitte. I'm based in San Diego, California. Before coming to Deloitte I worked at several companies: Accenture, PwC, ResMed, and Active Network. I'm also an adjunct professor specializing in ethical hacking and information assurance at several universities here in San Diego. I got my undergraduate degree in political science from UC San Diego and my grad degree in information security from the University of London. As anybody who knows me will tell you, I hate coffee and I much prefer Red Bull. You can follow me on Twitter at eco Behar, and my LinkedIn address is at the bottom of the slide here.

So the first thing we need to do is map the attack surface, and in order to do that we need to understand what our assets are. In today's day and age assets can come in a lot of different shapes and sizes. As shown in the beautiful stock photograph here, we have phones, laptops, mice. We can have IoT devices, we can have operational technology devices, medical devices, we can have ICS devices. Anything really with an operating system or a network connection can be considered an asset, and the first thing we have to do before we actually go and form a red team or commission a red team is determine our assets.

So the first type of asset we're going to look at is hardware assets. There's a few different types. We have endpoints, and in that category we have laptops, desktops and terminals. Then we also have servers; in that category we have file servers, databases and hypervisors, among others. Then we have network devices, which include routers, switches, access points, firewalls and hubs. We also have mobile assets, so smartphones, tablets and points of sale, and then operational technology or high-end IoT, so any network-enabled devices, any ICS devices, any sensors, any medical devices. And we want to collect certain data points from our hardware assets: we'll want to collect the serial number, we'll want to collect the model number, we'll want to look at the manufacturer, we'll want to look at the warranty and the hardware specifications. This is important because different hardware types can have unique vulnerabilities, like firmware vulnerabilities, architecture vulnerabilities and hardware vulnerabilities.

Next we want to look at software assets. There's several different types of software that we want to look at. First we'll want to look at operating systems, so for example Unix, Linux, Microsoft, Mac, Android, iOS, among others. Then we have productivity software, so we're talking about word processors, spreadsheet software, slide deck software, any email clients, any calendar software. Another type of software is a driver, and that's a piece of software that allows the operating system to interact with the hardware on the host. Then we have other third-party software: video editing software, CAD software, visual design software, any data visualization software, any IDE, etc. So what kind of data do we want to collect about these assets? Well, we want to collect first the application name, then the version number, who's the vendor of the application, is the application supported. So a little side story here: I was recently at a client and they were running a patching system that was not supported for the past three years and could not patch Windows 10. So it's very important to find out if the software that you're running is supported and updates are still provided for it. We also want to look at any dependencies, so maybe the software will have some libraries that it runs on or some codecs that need to be installed, so we want to make sure we're looking at those as well. And the reason that this matters is because different applications can introduce various vulnerabilities in different parts of the application or the underlying libraries, runtimes or dependencies.

Those are just the two different types, and now let's put it together. Now we can see which vulnerabilities are in the environment. The hardware asset information will help monitor for vulnerabilities that affect the hardware and equipment in the environment; the software asset information is going to help monitor for vulnerabilities that affect applications running in the environment. So now we can look at vendor advisories to see if there's any vulnerabilities that have been disclosed. We can do the same with mailing lists, we can look at community forums and discussion boards, and we can look at any update feeds for many of the security products that we have. This matters because monitoring the environment and the appropriate information sources allows for identification and analysis of new vulnerabilities that are present in the environment, and it's step zero on our journey to a red team.

All right, so now we'll look at the next step, which is vulnerability management. Some objectives and activities: we're going to scan assets for vulnerabilities and misconfigurations. We can do this with a commercial solution like Nessus, or we can use an open source solution like OpenVAS, or we can build our own solution. We want to make sure that we're monitoring and analyzing threats and vulnerabilities reported in real time to respond to security incidents. So we want to look at any new threats and new vulnerabilities that are being released through whatever mechanisms we're using to get those, whether that be a threat intelligence feed or a community intelligence sharing network, and we want to make sure that we're using that information to respond to security incidents that may present themselves in our environment. We want to make sure that we're maintaining our scanning tools and we're reviewing the latest rules and configurations that are to be used; we want to make sure that they line up with our environment and that they're not going to take anything down. We also want to use the software asset information to help monitor for vulnerabilities that affect applications that are running in our environment.

So we're doing this, but how do we actually determine if we're performing as we should be? Well, the first thing we want to do is consider the risk and prioritize the activity. This is very important because every organization is different, and so every organization's risk is going to be different, so they're going to be measuring it differently and they're going to be looking at different vulnerabilities, because every organization has different, unique risks that are posed to them, and so they should approach that appropriately. After we've considered the risk and prioritized the activity, we can also look at the percentage of organizationally deemed critical systems scanned per quarter, so of the systems that are the most [critical] to us. For example, let's say we have a bottling company, somebody that bottles soda. One of their most critical systems would be the system that runs the bottling machine, the one that actually files the bottles through the factory so they get filled with the soda. That's going to be a critical system. So how many of the systems with that criticality, that are very, very important throughout the organization, have been examined this quarter? Another metric we can look at to see how we're doing is the number of vulnerabilities that have been enumerated. We can also look at the percentage of systems with no known severe vulnerabilities. We can look at the percentage of detected vulnerabilities associated with accepted risks or non-technical controls. What we mean by accepted risks is that sometimes, if we're not able to patch a vulnerability, we can get a risk exception; the risk is then accepted and they will allow us to forgo applying that update or remediating that vulnerability because somebody has accepted the risk. Another metric: we can look at the percentage of vulnerabilities associated with known patches or fixes, and how many of those vulnerabilities have actually been remediated and how many are still in the environment waiting to be remediated with a patch available. The reason that vulnerability management matters is because monitoring our environment and the appropriate information sources will allow us to efficiently identify and address new vulnerabilities that are present in our environment, and this is going to be considered step one on our journey to a red team.

All right, so next we have penetration testing, and this is where we're actually going to exploit the vulnerabilities. Oftentimes it can start out with a set of formal documents. For example it could have a statement of work and a rules of engagement, and the rules of engagement is going to say what we can and cannot do, so we'll oftentimes refer to the rules of engagement document to see if something's in scope. Before we start a penetration test we're gonna look at all the systems, we're going to sit down with the client and we're going to determine the scope and we're gonna determine the rules of engagement. So they can say, okay, you can only test between... I had it where it was, you can only test between 4:00 p.m. and 2:00 a.m., so you have to be on-site only between 4:00 p.m. and 2:00 a.m. And if that's what the rules of engagement say, then that's the time that you're going to be testing.

Penetration tests also allow an organization to discover potential weaknesses in their environment, because the key difference here between the penetration test and the vulnerability assessment is that in a penetration test we're actually exploiting the vulnerability, whereas in the vulnerability assessment we're just checking to see if the vulnerability is present. Now that's not to say that we could potentially exploit it there, but the key difference between the penetration test and the vulnerability assessment is the active exploitation of vulnerabilities. And so this gives us an opportunity to test our security controls: are the controls that are looking for exploitation going to detect that exploitation, or are they going to fail and not be able to detect that exploitation? The penetration test is ideally going to be a black-box test that ideally would be performed by a third party in order to get an independent perspective, and it can oftentimes be compliance driven. As we know, a lot of regulations like HIPAA, SOX, among others, require penetration tests to be carried out, I think every year or multiple times per year depending on the regulation. And the security team is oftentimes gonna know that the penetration test is going on. So how do we measure our performance when we're conducting penetration tests? How do we know that they're helping our organization become more secure? Well, how many vulnerabilities have we picked up? Did we pick up all the vulnerabilities that were picked up in the vulnerability assessment phase? Are we able to identify the main root cause that can address a lot of the findings that the penetration test has brought to light? So if we have a lot of misconfiguration, do we know why everything is misconfigured? Are we able to address that so we can fix it? If we have something that's not updated, do we know why it's not updated? Are we going to be able to identify the root cause and then go and fix it? And so the reason that penetration testing matters is because monitoring it and testing it is actually going to allow us to see if we can test our controls and see if we can actually exploit the vulnerabilities, and it's step two on our journey to the red team.

So now let's get to red team operations. One of the main goals of red team operations is to look at the organizational blind spots. We're going to assess the effectiveness of the organization's cybersecurity program from a holistic standpoint, to include the monitoring and response capabilities. The testing is performed via tailored scenarios, looking at an organization as a sum of its parts, so we're taking into account physical, human and cyber, as well as from the point of view of a determined attacker. These are oftentimes the different aspects that we're going to look at when we're doing a red team engagement: we can look at physical entry, we can look at physical access mechanisms, access control mechanisms; we're also definitely going to look at the human element, and a lot of the times we're going to engage in phishing.

All right, so I promised pretty pictures, so here come the pretty pictures. The bottom line with red teaming, real quick, some points of reference based on our client experience: six days is the average time to achieve a set objective after the reconnaissance phase; 94% of our clients were successfully compromised during the red teaming engagement; 70% of our clients had very limited capabilities in detecting or responding to the breach of their systems and their crown jewels; and one day is on average the time to compromise the first device and gain initial access to the client's network after the reconnaissance phase.

So when we talk about adversarial simulation or red teaming, we're talking about a realistic approach to security testing, because we're emulating our adversaries. It's going to enable an organization to assess their overall readiness, resiliency and awareness using realistic, scenario-based, controlled events. Adversarial simulation offerings go above and beyond vulnerability assessments and penetration testing, as it incorporates all components within the organization in scope and has a realistic scenario-based approach, but ultimately red team operations allow organizations to mature their cyber capabilities and kickstart transformation programs.

So as we talked about on the last slide, there's three core elements that we consider when we're doing red teaming. The first thing we're gonna look at is physical: we're gonna look at your buildings, we're gonna look at your desks, we're gonna look at the safes, and we're gonna look at any physical IT infrastructure. The amount of passwords that I have found on people's desks, I've lost track; people leaving their drawers unlocked; a whole bunch of stuff going on in the physical element. Then we have the human element; that represents the employees or customers, the clients or third parties that bind the cyber and the physical world together. People will oftentimes hold the door open for you, or if you ask them questions they will give you the answer even if they're not supposed to. Then we have cyber; that represents the online world, the Internet as well as corporate intranets, any cloud services, and all other computer networks and devices.

So some use cases for adversary simulation. The first example we can look at is source code exfiltration. Somebody might bring in a red team to do source code exfiltration so they can test from both a trusted insider and an external threat agent perspective. For example, we could do reconnaissance and find the exposed repository, or we could find it on the Internet, then after that we could exfiltrate the code. We could also test developer workstations and development and deployment workflows like Jenkins to create target packages for spear phishing developers, or we could exfiltrate through physical means such as USB. Another use case would be customer data exfiltration. We could identify where the technology stores customer data: where the website and CRM, the databases, the workstations, the software-as-a-service applications and the client services data is stored. Then we can test different exfiltration vectors, both overt and covert, depending on what we find during the reconnaissance phase, and we can also leverage targeting data supplied by our reconnaissance phase to attack externally facing weaknesses and misconfigurations. We could also go after a manufacturing and logistics system: first we would identify critical manufacturing and logistics systems, then we would conduct physical and wireless security testing at manufacturing plants, then we would test system segmentation, move laterally throughout the network, and then we would test any hardware and firmware and maybe do some source code review. We can also look at remote update mechanisms for customer systems; we've done a few of those. We can test the authentication mechanisms and we can see if we can bypass them. We can test the impact of an insider threat to clients. This is one that I was lucky enough to have just done; unfortunately it was cancelled, but we were doing an insider threat emulation at a point where we had to break out of a Citrix environment. We were successful, until the coronavirus came along. Also code signing services, another example: the first thing we would try to do is identify key individuals in appropriate business units and craft targeted spear phishing emails; after they click the link, hopefully we're going to elevate access to the point that it's possible to sign malicious code. And the final use case is product or technology testing. One example would be testing the data synchronization mechanisms and the protocol between the company network and their air-gapped recovery system. We could also test the recovery procedure and verify the integrity, and that the recovery system can't be affected when performing those procedures.

So some benefits of adversarial simulation or red teaming. Well, we're gonna have extensive technology coverage: we're going to test the traditional attack surface, so network, application and wireless, but then we're also going to look at non-traditional technologies like ICS, SCADA; we can do cloud, we can do mobile. We're definitely going to incorporate threat intelligence: we're going to use multiple threat intelligence sources to provide insight based on threat sources, so we're going to emulate the threats that may actually pertain to you. So if you're doing business in China, or if you're a business that's heavily relying on China, we could choose to emulate the TTPs of known Chinese actors. We can test the process effectiveness, not just the technical symptoms. Since we have a much larger scope we can actually go and test the entire process, and now we can tie it back to a cybersecurity process. We can recognize that threats don't respect boundaries, because, remember I talked about the penetration test, we had the rules of engagement; we do have rules when we're doing red team operations, but there aren't as many rules, so we can more closely emulate a real-world adversary by reducing the amount of boundaries that we have to subject ourselves to. We're also going to address the human factor of cybersecurity. A lot of penetration tests and vulnerability assessments aren't going to assess the human factor, but in red team operations, advanced adversary simulation, we're making sure to address the human factor of cybersecurity: we're going to do social engineering, we're gonna do insider threat and we're going to do phishing. You can also look at automation and integration between tools. We can look at the alignment to actual emerging cyber threats, not just compliance requirements, so we'll make sure that we're testing systems based on threats that could actually be posed to them; we're not just going through and doing the OWASP Top 10 or the CIS Top 20, we're actually going to look at the environment and see what is possible in the environment and try to craft something that is unique and would successfully result in accomplishing one of our objectives. Also we can provide business awareness and insight, because we're going above and beyond the difficult penetration tests, we're getting to know the different business processes, the different functions, and therefore we can test the integration between business and IT.

All right, so I promised a maturity model, so here we go. Adversarial simulation uses multiple testing techniques to achieve value. We're gonna focus on performing realistic, cyber threat-based testing activities with actionable and value-added results, resulting in improvements to the client's capabilities to protect against, detect and respond to cyber attacks. So here is the red team maturity model. On the bottom, on the x-axis, as we slide to the right, the organizational maturity and the capability to action on results that they get from one of the three steps is going to increase. On the y-axis, as we move up the y-axis, the analysis and complexity of the test and the environment are going to go up. So we can see in the first step we have vulnerability assessments. Here, before we move to the next step, we want to make sure we're doing automated vulnerability scans, that we have configuration analysis, so we're making sure everything is configured correctly and it stays configured correctly. We want to make sure we're integrated with security operations, so everything that we're doing in the vulnerability assessment phase and looking at configuration management, doing all that, should be integrated with security operations. We should also be conducting code analysis if we're writing any software, and in addition we should be manually verifying the existence of our vulnerabilities. Then once we move to step two we should be performing manual exploitation analysis; we should be validating the existence of our exploits. If we have wireless networks we should be engaging in wireless security assessments, which would be beginning to venture down the path of physical and social attack vectors. We should also be looking at business risk integration in the second phase, and we should also be testing our detection and response.

Now once we move into advanced adversary simulation or red team operations, those are going to be tailored, threat-driven testing for your organization. We're going to integrate the cyber, human and physical aspects of information security, and we're going to have multiple feedback mechanisms and integrations with key stakeholders to make sure to keep them in the loop and to demonstrate that we're adding value. We're also going to perform deep exploitation and exfiltration analysis. Now when we're ready for a red team we're going to have scenario-based analysis. One of the things that sets red teaming apart is that it's scenario based, so somebody can say, hey, okay, let's say a soda company comes and hires you. The soda company is not going to come and tell you, hey, go get domain admin; they're gonna tell you, okay, go steal the secret formula for secret soda pop and also turn the bottling machine off without anybody noticing. So they'll give objective and scenario-based... that's how the results are based. We want to have objective and scenario-based outcomes. We're also going to start involving our blue team once we get into the red team operations maturity level. We're going to want to, as I said before, engage in threat actor profiling and emulation, so if your business or your organization has a lot of exposure to Russia, then we could be asked to emulate Russian APTs. We're also going to do exfiltration analysis; we're gonna see if you're going to catch us stealing your stuff. So if you're able to see us stealing your stuff, then great, and if not, that's something that is going to be worked on during this phase of maturity. That's something we're gonna be working on, since we already have all of the other stuff in the other two phases, like vulnerability scans, basic physical and social attacks, exploiting vulnerabilities; that's all in previous phases. We want to be engaging in cyber war games, and we also want to make sure that we have consistent and sustained operations. That is the highest level of maturity, when we're doing all of this in a consistent and sustained fashion. So that's it. If you guys have questions I can take a few; I don't know if we have time to do it here or I can just do it in Slack.

I'll go ahead and take a question. Actually, I mean, we're behind, but you actually kind of kicked us back in. Okay, yeah, I mean, anything, but if you want to go into Slack, connect the track, and see if there's... oh, somebody [asked if] we're sharing your slides, and I don't think they meant during this talk, I think maybe after. So you can, yeah, you can reach out to me and I'll let you know where you can get a copy; they'll be distributed eventually. All right, cool. Well Nico, we appreciate your time today, I know you got up early, so thanks for doing that, and hopefully next time this will all be in person. Yep, thanks. Thank you.
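The vulnerability-management metrics the speaker lists (percentage of critical systems scanned per quarter, vulnerabilities enumerated, percentage of systems with no known severe vulnerabilities, percentage of findings covered by accepted risks, and percentage of findings with a known patch and how many of those are remediated) are easy to get wrong when they are computed by hand from a spreadsheet. The script below is an added example, not code from the talk or from Deloitte: it computes those metrics over a small constructed asset inventory modelled on the speaker's soda-bottling example. The inventory, the vulnerability ids (`VULN-000x`, not real CVEs), the "severe means high or critical" threshold, and the rule that a vulnerability stays open until remediated (a risk exception does not remove it from the environment) are all assumptions made for the example.

```python
"""
Vulnerability-management metrics from the talk, computed over a small
constructed asset inventory. Added example; not code from the talk.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

SEVERE = {"high", "critical"}   # assumption: which severities count as "severe"


@dataclass
class Vulnerability:
    vuln_id: str                  # constructed ids, not real CVEs
    severity: str                 # low | medium | high | critical
    patch_available: bool         # a known patch or fix exists
    remediated: bool = False      # patch applied / finding closed
    risk_accepted: bool = False   # risk exception granted (non-technical control)


@dataclass
class Asset:
    name: str
    critical: bool                # "organizationally deemed critical" system
    last_scanned: Optional[date]  # None means never scanned
    vulns: List[Vulnerability] = field(default_factory=list)

    def open_vulns(self) -> List[Vulnerability]:
        # A finding stays open until remediated; an accepted risk is still present.
        return [v for v in self.vulns if not v.remediated]


def pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def vm_report(assets: List[Asset], quarter_start: date) -> Dict[str, float]:
    """Compute the metrics named in the talk for the quarter starting at quarter_start."""
    critical = [a for a in assets if a.critical]
    scanned_this_quarter = [a for a in critical
                            if a.last_scanned is not None and a.last_scanned >= quarter_start]
    all_vulns = [v for a in assets for v in a.vulns]
    open_vulns = [v for a in assets for v in a.open_vulns()]
    patchable = [v for v in all_vulns if v.patch_available]
    no_severe = [a for a in assets
                 if not any(v.severity in SEVERE for v in a.open_vulns())]
    return {
        "critical_systems_scanned_pct": pct(len(scanned_this_quarter), len(critical)),
        "vulns_enumerated": len(all_vulns),
        "open_vulns": len(open_vulns),
        "systems_no_severe_pct": pct(len(no_severe), len(assets)),
        "accepted_risk_pct": pct(sum(v.risk_accepted for v in all_vulns), len(all_vulns)),
        "patch_available_pct": pct(len(patchable), len(all_vulns)),
        "patched_of_patchable_pct": pct(sum(v.remediated for v in patchable), len(patchable)),
        "pending_with_patch": sum(1 for v in patchable if not v.remediated),
    }


# Constructed inventory modelled on the talk's soda-bottling example.
INVENTORY = [
    Asset("bottling-line-plc", True, date(2020, 2, 10), [
        Vulnerability("VULN-0001", "critical", patch_available=True),
        Vulnerability("VULN-0002", "high", patch_available=False, risk_accepted=True),
    ]),
    Asset("erp-database", True, date(2019, 11, 1), [
        Vulnerability("VULN-0003", "medium", patch_available=True, remediated=True),
    ]),
    Asset("hr-web-portal", False, date(2020, 3, 1), [
        Vulnerability("VULN-0004", "high", patch_available=True),
    ]),
    Asset("shop-floor-kiosk", True, None),     # critical but never scanned
    Asset("laptop-01", False, date(2020, 3, 15)),
]

if __name__ == "__main__":
    for metric, value in vm_report(INVENTORY, date(2020, 1, 1)).items():
        print(f"{metric:30s} {value}")
```

Run as-is, the report shows the kind of gap the speaker describes: two of the three critical systems (the ERP database and the never-scanned kiosk) were not examined in the quarter, so the critical-systems-scanned figure is only 33.3% even though most assets have no open severe findings.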
