
Hello everyone, my name is Haran Nikar. Good afternoon and welcome to BSides Las Vegas. Today we are here with Brent Harrell and Garrett Thrower presenting their talk, "You Have Gained +2 Perception: Level Up Your Red Team with a New Capability Maturity Model." Before we begin I have a few announcements. First of all, we would like to thank our sponsors, especially our Diamond sponsor Adobe and our Gold sponsors Prisma Cloud, BlueCat, and Toyota. It's with this support, along with our other sponsors, donors, and volunteers, that this event is made possible. These talks are being live streamed, and as a courtesy to our speakers and audience we would like to ask you to check to make sure that your cell phones are in silent mode, and if you have any questions, please use the audience microphone so that YouTube can hear you too. So with that, let's get started, and please welcome our speakers.

[Applause]

What up, nerds. Congratulations on gaining +2 Perception by attending this presentation. Today we're going to be talking about a capability maturity model we released earlier this year. If you don't know what one of those is, it's okay, we're going to cover it. As you might tell, this is a Fallout-themed presentation. If you haven't played those, you should go do that; bonus points if you can get them all in before Starfield comes out later this year.

But a little bit about us, not that anyone cares. My name is Brent, I run the red team at Humana, and with me today is Garrett Thrower. He is the director of cyber threat simulation, which includes red team, pen testing, and breach attack simulation. The only stats you need to know for me is that if you see me at an airport, you better hope you're not on my flight, because I have absolutely zero luck; it will be delayed. And my Charisma level depends on how much you like sarcasm. If you don't like sarcasm you won't like me, but the feeling's mutual, so it's okay.

A little bit about the agenda for today. We're going to start with what a capability maturity model is and the model that we built, a little bit of the history of how we got there, why you should use this one, and then we're going to do a pretty lightning-speed coverage of some of the key elements of this model. We only have 20 minutes; we're going to try and leave time for questions, and we'll wrap up with some implementation ideas of how we did this at Humana to get your juices flowing on how you can take this back to your teams.

So what's your SPECIAL? If you've played any RPG, or watched Stranger Things and got a little bit of Dungeons and Dragons, you've probably heard of strength and intelligence and dexterity and whatever else. These are character stats that affect your character: how much health they have, how much damage they do, all those sorts of things. Well, in the Fallout series, SPECIAL is that set of internal stats: strength, perception, endurance, etc. But beyond what some other games do, these stats don't just affect how much health you have or how much damage you do; they affect what perks you can get. And there's a big old perk tree with a whole bunch of interesting things, passive and active, that you can add points to, but they're locked behind certain levels of these stats. So if you want to be an uber sniper, you've got to dump some points into perception to get to those perks. If you want everything to blow up in a nice gory mess of giblets, you've got to level up your luck to get the Bloody Mess perk. But if you're like me, you've probably spent a lot of time at the start of a new character trying to figure out: what am I going to do? What do I want to get from that perk chart? How am I going to do this from a leveling standpoint? When do I need to put perk points in perception or whatever else? But how many times do we do that in our professional lives? Probably not quite as often as we would like, right? So as we talk today, consider the capability maturity model your SPECIAL. As you focus on maturing certain elements that are within this model for your team, you're going to be unlocking new capabilities, new abilities that will provide your team with better aptitude to conduct operations or better ways to provide value to the organization. So with that, I'll pass it over to Garrett to talk about maturity models.

So this talk is normally an hour long; we're going to fly through it, we've only got about 15 to 20 minutes today. The traditional capability maturity model started in software engineering. You've got five levels. It starts at level one; this simply means you can do the thing, whatever that thing is, whatever the subject is. Level two means you can do it, but you have a repeatable, consistent outcome; you know what to expect. Level three, we define it with documentation so it's easily understood by not only the team performing the service but also others. You could think of an auditor in this case, oftentimes asking how do you do what you do; well, if you're not at least a level three, good luck. Level four, we introduce data so that you can measure and manage whatever that subject is. And level five is all about continuous improvement, where you're driving efficiencies and optimization. Here in a little bit we'll jump into the inventory section, which is the 10,000-foot view of the model, but Brent's going to speak to a couple of instances where you likely don't want to be a level five; it doesn't make sense, and that's going to vary based on your organizational requirements.

If you go to redteams.fyi you'll see where we started. redteams.fyi was a great start for a capability maturity model for red team, but there are a few things we wanted to improve upon. Before I get there: the redteams.fyi model is real lightweight; it's easy to absorb, it's easy to implement. But if you follow the subjects, it's not as consistent as we would like; it doesn't always build upon itself. So we decided to build a model with a common format. Selfishly, whenever our executives are talking about the future, the strategy, the funding of our security organization, offsec never had a seat at the table. They're not talking about red team, pen testing, breach attack simulation, purple teaming, because it's not built into those deprecated models. I wanted something that could slide right into that, so in this case red team in particular was able to have a seat at the table. The standard descriptors: all this means is that when you're talking about vulnerability management or configuration management, asset management, any of the other topics that the models speak to, a level three is a level three; it's all about it being defined. A level five is a level five; it's consistent and easy to understand by everybody in the room that might not be in a red team. And then we expanded the subjects. The redteams.fyi model is a great model, but there were a handful of subjects that we wanted to focus on, which Brent is going to jump into now.

Thank you very much. So at the 10,000-foot view, this is the overview of the model. You've got four categories, 27 subjects, obviously not evenly distributed here. There's no secret sauce with these categories; you're going to find these in other capability maturity models: people, processes, technology, program. It's not that crazy; they're just a way to bucket the different things that you're going for. The subjects are those SPECIAL stats that you're trying to dump points into to level up. Typically you would do your reporting at the category level, though. You're going to say, "I'm a 3.2 out of five on processes overall." You wouldn't necessarily report on a subject-by-subject basis.

Now before we dig into some of the high points of these things, I want to throw out a few caveats. Garrett mentioned one of them. I was just talking to another red team a couple weeks ago; they wanted to make some changes to the model because their team was only three people. I can relate; our team is four, right? As a result, they didn't feel they could get to a level five in one of the areas because there just was not the manpower to back it up, and so they wanted to try and reduce that a little bit, because "hey, we're a really mature team, why can't we get to a level five?" I just want to encourage everyone: you don't have to get there. And a perfect example is in our organization. Through the editing process we ended up adding a subject for relationships with HR. The organization that brought that up was really seeing fruit with that. At Humana, they're not a great stakeholder for us; they don't really impact our operations. We're leaving that at level one. There's only so much time in a day; you cannot get to everything, just like you can't get to all the perks in Fallout unless you add mods, right? You can only focus on the things you have time for. That's number one: you don't have to get to level five. You're trying to get to the place where it's acceptable for your leadership and works for your organization.

Second one: Vault-Tec recommends that this is for internal teams that are staffed. What do I mean by that? The internal side: there are going to be consultancies that can use elements of this, but they're going to care about things that aren't in the model, like having a ... that accounts for all of their clients, so CrowdStrike, Microsoft, whatever, versus an internal team that just needs to match the one EDR product. On the other side, they're not going to care about some of the things that are in the model. They don't have to have enduring relationships with our organization's legal team or our defenders, right? So it's coming at this from an internal perspective. If you want to write an addendum for this for consultancies, I would love to talk. But the second part of this is that it's staffed, and that does not mean an offsec manager who oversees third-party assessments. It doesn't mean pen testers who sometimes do red teamy things, because those are different fields. And it certainly doesn't mean Larry who stays late on Thursdays; he's an insider threat, you should take him out into the Wasteland and leave him for deathclaws.

So processes is the second largest category in here. We often care about the what: we love hacking things, we like obtaining shells, very interested in that. But how we do that is incredibly important, because you might come across a flaw and do what you need to do in this particular operation, and nine months later, ten months later, you come across the same thing and you can't remember what you did because you didn't document it in a knowledge base somehow, and you've got to recreate the wheel and figure out "how do I do this again?" You also might pick bad operations. If you're targeting something, you write up all these findings about this cool little network segment that you attacked, and then leadership tells you, "hey, we're decommissioning that in a month." No one's going to do anything about it; not the greatest generation of data there. So how we do what we do is really going to ultimately reduce your shell acquisition time, get you back to the things that you love, but in a more consistent way. This is really the core of maturity here.

Now technology is the what. Obviously if we want to go get shells we've got to have the tools to do that. We can talk about the how all day long, but the rubber meets the road here: you've got to have the tooling, you've got to have the infrastructure, and that's what this is focused on. Not going to belabor the point too much other than to say that the focus here, with the maturity model piece, is on getting operational capability that fits your organization. If you have a very immature security org that's maybe just starting, perhaps Invoke-Mimikatz and PowerShell is going to work for you. It's probably not going to work in a different place, and so you're going to have to go do some development. But the focus of the maturity model itself is on your ability to meet your operational needs and requirements, not on "hey, I've got to go buy Nighthawk" or "I have to develop a custom C2" if it's not operationally relevant for you. Now the other big thing is to test. Have a test environment. You don't get a little Fat Man in Fallout and go run it right at a deathclaw, because you're probably going to underestimate how much arc is in that thing and you're going to miss, and then it's going to be up in your face. Maybe try it on a bloatfly or a radscorpion if you're feeling sexy. Try that with your tools: make sure it works, make sure that you understand how it's working, so you can give the blue team telemetry as well. That's an incredibly important addition to not just having the toolset but really understanding it.

Next one up is people. This is by far the biggest category: 11 of the subjects are here, and seven of them are on relationships with other teams. Now in the game you're called the Lone Survivor. You're not actually alone, though; you're trying to meet other people, gain companions, trade with folks, and you have to do the same thing here. At the end of the day, we are not actually attackers; we are part of the defensive apparatus of the organization, we just happen to attack things in order to find those holes. But if we have an adversarial relationship with our defenders or engineers, or we don't have a good relationship with legal, who isn't going to back us up when we do something stupid, that's all problems. You're not alone in the Wasteland here; you have to develop those relationships. On the flip side, focusing internally, you've got to make sure that there's time to go find those skill books in the Wasteland and spend some time with R&D and training to build the skill sets internally. That's one of the first things I asked for when I joined Humana, which Garrett has been very supportive of: Friday is an R&D day. What new things can we be bringing to the table by thinking about things, by doing some research and developing new tools?

And last but not least, if my slides will advance (that's too far), program. People probably consider this even less sexy than processes, but if you're not telling people about all the raider bases you're taking down and the super mutants you're killing, what are you really doing? Because you're part of the organization; the people who pay your bills probably aren't going to see a lot of value in that, and they're not likely to support the things that you need to do to get to higher levels of maturity in other areas. So focusing on aligning the red team strategy with the organization strategy and vice versa, helping the organization leverage the red team to drive their strategy through good metrics, through understanding what product lines you have available through offensive security and red team in particular, is a great way to coordinate with leadership. Now one thing that's really important for us is that knowledge sharing piece. We're out in this massive Wasteland where there's a whole bunch of dangers, and it's not Humana versus Cigna versus any other insurance company, or Google versus Facebook or anything like that. It's us against the same people; we're all trying to defend our organization against the same types of people that are attacking other organizations. And we use so much knowledge from the security field that it's imperative, as your team matures, to speak back into that. Now R&D doesn't happen overnight, right? I'm not saying dump all your coolest tools on GitHub so they can be signatured and unusable anymore, but when it's operationally reasonable to do so, or you can do something like a conference talk and share an idea, that is the hallmark of a mature team. So with that I'm going to pass it to Garrett on a few ideas on how to implement this.

We started with scoring. We had six folks, red team, program management and myself, score where we are today and where we desire to be by end of year for each of the 27 subjects. Through this there was a lot of debate. We consolidated all those responses; they were done independently, so nobody really knew what the other individual was scoring, and we had a lot of friendly arguing about where we thought we were. What's great about this, though, is it drives unified vision and alignment amongst the team, especially with the smaller teams, right? A lot of red teams are small. If you don't have that team marching toward the same goals, you're probably going to be quite a bit less effective. That happens right here: getting everybody on the same page with where you are and what good looks like. Once you understand that, you need to build the roadmap to get there. For us, we use Miro, just, you know, virtual stickies on a virtual whiteboard, to throw all of our ideas out there. We do that independently as well so that we don't get groupthink. We consolidate the like ideas, build a theme, and then we start decomposing that into workable chunks in Azure DevOps. So we build our epics, features, stories, tasks, etc. from that, continuously refining and prioritizing that backlog. Selfishly, what I really like about this is it allows us to be pretty dynamic and fluid. So if there is a risk that arises, or an unforeseen business initiative that we need to inject ourselves into, because of how our backlog is built and defined it allows us to be really flexible. We can hit the pause button on something, build an op or campaign regardless of size to satisfy the business need, and pivot. Again, that's our purpose: to serve the business.

The full model is on Brent's GitHub. However, if you just want to see the website, which has most of the model as well, just not in an easy-to-modify form, go to Red team.com. We've got the typosquat domain as well, so if you accidentally drop an M, no sweat, you'll get redirected. If you trust us, pull the Excel and enable macros, have fun. If you don't trust us, pull the CSV. And again, while we built the initial version internally at one of our summits, it wouldn't be polished if it wasn't for some of the help from Andy, Matt, and Johan from Zoom, Charter, and EA respectively. I think we have just a few minutes left if there are any questions. One additional comment: the slides are also on my GitHub, BC Harrell, so if you want these, they're there. I also put the template up there if you wanted to have fun with the template. So that is there for your review.

Cool, thanks.