Incorporating Cyber Threat Intelligence into Security Assessment Programs
Security Assessment Team SATBLUE Identifying Vulnerabilities SATRed Simulating Threats Identifying what works and what needs working on with respect to preventing, detecting, and responding to cyber threats
Tumble, Twiddle, Spin & Roll the Black Hat Tumble Terminology: what s in a word? Twiddle Threats: vulnerable, moi? Spin CTI: how to use your intelligence? Roll Reports: show em the light! Doggy Bag - Um, I ll take those thoughts to go, please.
Tumble the Black Hat
Tumbling the Black Hat I don t think that word means what you think it means. The Buzzwords? RED: Simulating Threats Red Teaming, Pentesting Black Box, Grey Box, White Box, Purple Box, Pink Box Florescent Box (80s) Tie-dye Box (70s) Tandem Pentest Blind Pentest, Double-Blind Crystal Box Pentesting Ethical Hacking BLUE: Finding Vulnerabilities Blue Teaming Security Assessment Vulnerability Assessment Security Scan Security Testing What works. What needs working on.
Tumbling the Black Hat I don t think that word means what you think it means. Builders Vs Breakers Beyond the Security Auditor s Perspective System boundaries - well-defined, political, arbitrary Threats just look for vulnerabilities and exploit them Identify failures scripted, criteria open to interpretation Threats just look for vulnerabilities and exploit them Technical generalists they scan, heavily restricted Threats are diverse and they just look for vulnerabilities and exploit them Fancy graphs, bucket lists, detailed matrices about your state of risk Threats found vulnerabilities and exploited them
Twiddle the Black Hat
Twiddling the Black Hat Vulnerable, moi? Cyber Threat Intelligence Get to know the bad guys and gals Who are the threats? What are their motivations? What are their objectives? What tools & techniques do they use?
Twiddling the Black Hat Vulnerable, moi? Use your CTI collection Kung Fu to Get to know yourself 1 The big picture Business risks: financial, regulator, market Hacking at the speed of light 2 Technology & mission What is on your networks? A vulnerability, isn t a vulnerability, isn t a vulnerability
Spin the Black Hat
Spin the Black Hat Using your cyber threat intelligence Approaching Blue/Red Team Security Assessments From a threats perspective Priorities/Objectives Scope Duration Frequency Driven by what matters, Effective use of resources Driven by the threat perspective Not politics, personalities, or auditors Take the time it takes to do good work No scans, one day pentest Continuous blue/red assessments Once a year is not good enough
Spin the Black Hat Using your cyber threat intelligence Approaching Blue/Red Team Security Assessments From a threats perspective Test Points Information Rules of Engagement People Blue Everything / Red - Threats Use your access, be comprehensive Blue Everything / Red - Everything No politics, personalities, or p p auditors Realistic, use creativity Not too constraining to be useful Teams of security professionals Security professionals are not one size fits all
Roll the Black Hat
Roll the Black Hat Show em the light! A Few Ideas The REPORT is EVERYTHING Don t just hack around for the fun of it. It s irresponsible. Blue Team Reports Real world examples Language your customers understand Provide context impact to mission Red Team Reports It is not about you! Details - what did not work? Why? Identify real problems, provide real solutions Don t forget DETECTION and INCIDENT RESPONSE
Roll the Black Hat Show em the light! A Few Ideas The Many Ways to Disseminate Information Use your intelligence, use your results, and use your creativity Road show Tailored presentations techies, security, management Demo TTPs hacker series
The Doggy Bag
The Doggy Bag Some thoughts to take home 1. Assess from a threat perspective - Builders vs. Breakers 2. Continuously discover what works, does not work, and what needs working on 3. Assess prevention, detection, and response all three! 4. Understand the threats, understand your business, and provide real solutions to real problems 5. Influence vs. dictate change 6. Free your people let them be creative
The End