Red Teaming is hot right now. Many people want to get into it just because it sounds cool. While I tend to agree, there are many things to consider. There is far more to red teaming than just "getting in" to organizations. Join us for this one-hour webcast where we cover what a red team is, why you may want to be a red teamer, and how to become one.
2. • CTO @
• 10 years @ Citi
– Vulnerability Assessment
– Penetration Testing
– Red Team
– Purple Team
• Certified SANS Instructor
– Author, SEC564: Red Team Exercises and Adversary Emulation
– SEC560: Network Penetration Testing
– SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
4. ● Senior Red Teamer @ NVISO
● Founder of redteamer.tips
● Big believer in open sourcing tools
● Instructor candidate for SEC699
https://redteamer.tips/so-you-want-to-be-a-pentester-and-or-red-teamer/
16. • Basic definitions
• People - YOU! This is our focus today!
• Process
• Technology
• SANS Promise
17. • A hacker is a skilled individual who uses their technical knowledge to overcome a problem
• A criminal is one who engages in illegal activities
18. • Definition: Automated (tool-based) scanning against assets (IPs or applications).
• Goal: Identify low-hanging, known vulnerabilities, pre- or post-authentication.
• Effort: Small; requires tool investment
– Many vendors: Tenable Nessus, Rapid7 Nexpose, Qualys, AlienVault, IBM AppScan, HP WebInspect, etc.
• Focus: Technology vulnerabilities, patches, configuration
• Frequency: Weekly to monthly
• Customer: System owners and operations teams
19. • Definition: Automated and manual assessment of the assets in scope to find security vulnerabilities, which may or may not be used to get in or steal data.
• Goal: Identify ALL vulnerabilities in the assets in scope.
• Effort: ~30% tool-based and ~70% manual testing
• Focus: Assessments are broader and often include explicit policy and procedure reviews.
• Frequency: Once per year, or once per certification of a product/version
• Customer: System owners, operations, engineers, application stakeholders
20. • Definition: Finding and exploiting vulnerabilities in technology
• Goal: Report all exploitable vulnerabilities under controlled circumstances.
• Effort: ~10% tool-based and ~90% manual testing
• Frequency: ~once per year
• Customer: System owners, operations, engineering, and application stakeholders
21. • Definition: The Red Team emulates the Tactics, Techniques, and Procedures (TTPs) of real adversaries to improve the people, processes, and technology in the target environment.
• Goal: Make the Blue Team better. Train the blue team and measure whether its detection and response policies, procedures, and technologies are effective.
• Effort: Manual; some Red Team automation tools
• Frequency: Intelligence-led (new exploit, tool, or TTP)
• Customer: Blue Teams
“The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal, 1997
22. • Created based on various organizations’ experiences
• Not a step-by-step guide, but should serve as a baseline for improvement and maturity
• You can skip steps based on business requirements and goals
• Every organization is different
• Continuous improvement should not halt previous assessment types
23. • Much like for organizations, this roadmap also holds true for your infosec career.
• You don’t become a red teamer “overnight”
• Red teaming requires broad knowledge to be successful, ranging from networking to operating system internals
• Purple teaming requires a balanced skill set in both offence and defense (and that takes time).
24. ● One of the great aspects of life is that no two people are the same.
● You can follow advice, but stay true to yourself and take your own path
● Do it because it’s your passion, not for the $$$
● Enjoy the journey, as it’s a never ending one
25. ● Don’t rush into things, take your time to learn
● Dare to ask! You are never alone in this community
○ Don’t ask us to do your homework though.. :)
26. ● Probably the most-asked question I get in my DMs
● Start with a solid use case, and go for it!
● Stack Overflow/Google/…
● Learn from toolsmiths such as byt3bl33d3r, RastaMouse, XPN, ...
27. • SANS of course
– SEC564: Red Team Exercises and Adversary Emulation
– SEC565: Red Team Operations (coming soon)
– SEC599 and SEC699: Purple Teaming and Advanced PT
• Zero Point Security
• PenTesterAcademy
• BC-Security
• FortyNorth
• Many more
28. Short answer: No, but…
● It helps pass HR gates in certain companies
● It shows you are capable of solving challenges
● They are a reward for your hard work and dedication
29. • Cyber Kill Chain® – Lockheed Martin
• Unified Cyber Kill Chain – Paul Pols
• MITRE ATT&CK
• Purple Team Exercise Framework (PTEF)
30. • Tactics, Techniques, and Procedures (TTPs) are adversary behaviors
• Tactics – 14 high-level adversary goals
• Techniques – how the adversary achieves those goals
– Sub-Techniques
• Procedures – how to perform each technique
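The tactic / technique / sub-technique / procedure hierarchy above is exactly what you need to resolve when you write an emulation plan and, later, report which of your procedures the blue team caught (the "measure detection" goal from slide 21). The script below is an added example, not code from the webcast, SANS or MITRE. It parses the STIX 2 layout that MITRE publishes ATT&CK in (`attack-pattern` objects carrying a `mitre-attack` `external_id` plus `kill_chain_phases`), but `ATTACK_BUNDLE` is a constructed four-technique excerpt of that file and `EMULATION_PLAN` is an invented plan; the helper names are mine.

```python
"""Index ATT&CK techniques from a STIX bundle and check an emulation plan.

Added example; not from the webcast, SANS or MITRE. ATTACK_BUNDLE is a
constructed excerpt in the shape of enterprise-attack.json (real IDs and
names, other fields dropped); EMULATION_PLAN is invented.
"""
import re
from collections import defaultdict

# ATT&CK technique IDs: T#### for techniques, T####.### for sub-techniques.
TECH_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def attack_pattern(ext_id, name, tactics, sub=False):
    """Build one attack-pattern object in the layout ATT&CK publishes."""
    return {
        "type": "attack-pattern",
        "name": name,
        "x_mitre_is_subtechnique": sub,
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t}
                              for t in tactics],
    }


ATTACK_BUNDLE = {"type": "bundle", "objects": [
    attack_pattern("T1078", "Valid Accounts",
                   ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]),
    attack_pattern("T1059", "Command and Scripting Interpreter", ["execution"]),
    attack_pattern("T1059.001", "PowerShell", ["execution"], sub=True),
    attack_pattern("T1003", "OS Credential Dumping", ["credential-access"]),
    # Tactic and relationship objects also live in the bundle; the indexer skips them.
    {"type": "x-mitre-tactic", "name": "Execution", "x_mitre_shortname": "execution"},
]}


def index_techniques(bundle):
    """Map technique ID -> name, tactics and (for sub-techniques) parent ID.

    Revoked or deprecated objects are skipped so a stale ID in a plan gets flagged.
    """
    index = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ext_id = next((r["external_id"] for r in obj.get("external_references", [])
                       if r.get("source_name") == "mitre-attack"), None)
        if ext_id is None or not TECH_ID.match(ext_id):
            continue
        index[ext_id] = {
            "name": obj["name"],
            "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                        if p.get("kill_chain_name") == "mitre-attack"],
            "parent": ext_id.split(".")[0] if "." in ext_id else None,
        }
    return index


def describe(tech_id, index):
    """Label a technique, naming the parent when it is a sub-technique."""
    t = index[tech_id]
    label = f"{tech_id} {t['name']}"
    if t["parent"] and t["parent"] in index:
        label += f" (sub-technique of {t['parent']} {index[t['parent']]['name']})"
    return f"{label} [{', '.join(t['tactics'])}]"


# Constructed plan: each procedure records the technique it implements, the
# tactic it serves in this operation, and whether the blue team detected it.
EMULATION_PLAN = [
    {"step": 1, "technique": "T1078", "tactic": "initial-access", "detected": False,
     "procedure": "log in to the VPN portal with a reused employee password"},
    {"step": 2, "technique": "T1059.001", "tactic": "execution", "detected": True,
     "procedure": "stage the implant with an encoded PowerShell one-liner"},
    {"step": 3, "technique": "T1003", "tactic": "credential-access", "detected": True,
     "procedure": "dump LSASS memory on the beachhead host"},
    {"step": 4, "technique": "T1021", "tactic": "lateral-movement", "detected": False,
     "procedure": "RDP to the file server"},  # ID absent from this excerpt -> flagged
    {"step": 5, "technique": "T1078", "tactic": "execution", "detected": False,
     "procedure": "run a scheduled task as the service account"},  # wrong tactic -> flagged
]


def validate_plan(plan, index):
    """Return one message per step whose technique ID or tactic does not resolve."""
    problems = []
    for s in plan:
        tech = index.get(s["technique"])
        if tech is None:
            problems.append(f"step {s['step']}: unknown or retired technique {s['technique']}")
        elif s["tactic"] not in tech["tactics"]:
            problems.append(f"step {s['step']}: {s['technique']} is not a {s['tactic']} "
                            f"technique (it maps to {', '.join(tech['tactics'])})")
    return problems


def coverage_by_tactic(plan, index):
    """Detected/total counts per tactic over the valid steps, for the report."""
    counts = defaultdict(lambda: [0, 0])
    for s in plan:
        tech = index.get(s["technique"])
        if tech is None or s["tactic"] not in tech["tactics"]:
            continue
        counts[s["tactic"]][1] += 1
        counts[s["tactic"]][0] += int(s["detected"])
    return {tactic: tuple(c) for tactic, c in counts.items()}


if __name__ == "__main__":
    idx = index_techniques(ATTACK_BUNDLE)
    for tid in sorted(idx):
        print(describe(tid, idx))
    for msg in validate_plan(EMULATION_PLAN, idx):
        print("PLAN ERROR:", msg)
    for tactic, (hit, total) in coverage_by_tactic(EMULATION_PLAN, idx).items():
        print(f"{tactic:20} detected {hit}/{total}")
```

Against the real `enterprise-attack.json` the only change is loading the file with `json.load` instead of using the inline excerpt; the tactic-mismatch check matters because multi-tactic techniques such as T1078 are frequently logged under the wrong goal, which skews the per-tactic detection numbers you hand to the blue team.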
31. • Coming from VA or PenTest you are familiar with CVE
– Common Vulnerabilities and Exposures: http://cve.mitre.org/
– Finding vulnerabilities in technology is fun!
– Bug bounties pay!
• Red Teamers may still find vulnerabilities and perform exploitation, but much less than a penetration tester
• Exploitation is just a means to an end
33. • Command and Control (C2) frameworks are the most common
• C2 Matrix
– Google Sheet listing most C2 frameworks
– Documents the capabilities of each framework
– There is no right or wrong, better or worse
– Find the ideal C2 for your current objective
– Wizard-like UI to select which one
– www.thec2matrix.com
– howto.thec2matrix.com
34. • Download the free SANS Slingshot C2 Matrix Edition virtual machine
– https://howto.thec2matrix.com/slingshot-c2-matrix-edition
• Run the virtual machine in VMware (the free version is fine)
• Follow the how-to guide to set up your first Command and Control server
• Create a payload
• Execute it on a target system (one you have permission to test)
• Emulate various adversary behaviors
35. • 564.1: Introduction and Planning of Red Team Exercises
– Consume Cyber Threat Intelligence
– Prepare for a Red Team engagement
– Set up attack infrastructure
• 564.2: Red Team Exercise Execution and Closure
– Gain initial access
– Emulate adversary behaviors aligned to ATT&CK
– Provide value
36. • Everything you do in offensive operations should bring business value
• Focus on the original goals and objectives
• Getting in and meeting the adversary objectives is great!
• But report it with the same care and diligence you put into the test
• Put yourself in the perspective of the audience
• Work together, collaborate, improve, repeat