Today s Rundown 1. What is Red Teaming? 2. So it s just an awesome pen test? 3. Nuts & Bolts of Red Teaming 4. Why should we care? 5.

Size: px

Start display at page:

Download "Today s Rundown 1. What is Red Teaming? 2. So it s just an awesome pen test? 3. Nuts & Bolts of Red Teaming 4. Why should we care? 5."

Reginald Hopkins
8 years ago
Views:

2 2

3 3 About Your Trainer Dakota State University faculty member Bank pen testers in a former life Instructor at Secure Banking Solution s Institute ( I m lucky; I don t have a real job like you

4 4 From Madison, SD

5 Today s Rundown 1. What is Red Teaming? 2. So it s just an awesome pen test? 3. Nuts & Bolts of Red Teaming 4. Why should we care? 5. Conclusions; Q&A

6 What is Red Teaming? Born out of the military world A true simulation of an adversary Adversary <> Pen test AKA Full scope testing AKA Tiger Teaming

7 What is Red Teaming? A hacker s doctrine is like nothing you ve seen before {time, defenses, personnel, consequences} don t matter at all Of course, we have to have limits Remember, hackers don t worry about scope

8 technology Blended Threats Social Red Teaming Physical

9 What is Red Teaming? Full scope means FULL score Partners Suppliers Vendors Customers Etc

10 What is Red Teaming? It s truly a question of scope: What do you want tested v. What you should have tested And when/where/how those actions go down

11 So it s just an awesome pen test? There are some huge differences here PT = How are you vulnerable / exploited? Red Team = How do you make money? HUUUGE difference and that s the point!

12 So it s just an awesome pen test? Think of the difference among IT staff and business staff Two ships passing in the night Pen testing hits 5-10% of your BUSINESS Certainly a higher percentage of your tech

13 So it s just an awesome pen test? Red teaming is EXTREMELY personal Would it make a difference to your business model if: The CEO was kidnapped, The web application hacked, or Physical access granted to sensitive areas?

14 So it s just an awesome pen test? Don t be dramatic, sir No, really! Is there enough out there for kidnap? Family/kids tweets, Facebook posts, pics, etc Tons of goodies out there OSINT is an entire hacker world Open Source Intelligence (not touching your systems)

15 So it s just an awesome pen test? Pen testers are nice! They will stay in scope They will play by your rules They are technology guys (you call us nerds)

16 Nuts & Bolts of Red Teaming Red Teamers are true adversaries They target CORE business functions & people Think of a museum

17 Nuts & Bolts of Red Teaming Who LOVES the exhibits? Who lives and die with the collections? Who secured the donation/loan of the items? Who is ultimately responsible for the artifacts? These are the business people!

18 Nuts & Bolts of Red Teaming Who looks over the exhibits? Talks about them from a script? Cleans around them to make them look nice? Hosts tours through them? It s a job. Out of there at 5PM. TGIF. These are the technology people! (not a bad thing, just how it works )

19 Nuts & Bolts of Red Teaming Red Teamers go for your heart 1. What bothers you? 2. What keeps you up at night? 3. How big of a fight are you willing to get in? All that will be dug up and used against you

20 Nuts & Bolts of Red Teaming Remember what PT has historically been Hunting for reds/purples in Nessus Firing exploits based on vuln scanning Signatures say you re vulnerable so do these canned exploits so I guess you are sorry about that pay me $5K

21 Nuts & Bolts of Red Teaming That level of automation is pen testing Red Teaming uses imagination Vulnerability Assessments are even worse! And I know IT guys don t want to hear all of this, but it s the truth

22 Nuts & Bolts of Red Teaming IT guys want to: do PTs pick safe/friendly vendors secure their world only What about physical & operations?

23 Nuts & Bolts of Red Teaming Red Team on site Nobody knows where/when/how/who 99% of the work is already done TONS of leakage by your vendors, personnel, competitors, job postings, BoD members, corporate events, etc

24 Why should we care? The cost per incident is CRAZY $168K in 2006 $5.4M in 2013 Only 52% of breaches involve hacking The stuff PTs are supposed to be mimicking

25 Why should we care? 80% of breaches included using weak or leaked credentials Automated scanners don t catch that stuff Total false sense of security Fraud, stolen hardware, snail mail are still #1 Hacking = 28%; web apps = 9%

26 Why should we care? And the biggest reason: your industry is ready for this Automated PTs are so 2010 Compliance is a roadmap for the bad guys Resource allocation plan

27 Why should we care? Too many firms claim they can do this This isn t a computer guy only job Current PTs are a compliance box checker Other industries are watching you Healthcare, Energy are closely watching

28 Conclusions; Q&A Love to hear from you! Love to come to your events!

Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015

Cyber Threats Insights from history and current operations Prepared by Cognitio May 5, 2015 About Cognitio Cognitio is a strategic consulting and engineering firm led by a team of former senior technology