Technology Security
Secure Southwest – 22nd March 2019
A White Box Approach to Red Teaming in industry
One of the Experiments
Presented by David Ferguson
About Me
David Ferguson Bank of England
Senior Manager / Security Principal
Plymouth Uni - 2003
IBM – 2007
Cigital – 2010
Bank of England – 2014
CISSP, CSSLP, CISM
Bank of England
• Manage the movement of £700,000,000,000 per day.
• RTGS – International settlements platform.
• Storing 5,134 tonnes of gold.
• Approximate value of £174,000,000,000
• Responsible for tracking 3,600,000,000 Banknotes
TVM’s Relationship with the Business
(Diagram: The Business, Economists, Security Department, Value)
Threat & Vulnerability Management (TVM)
Discovery Scanning
Vulnerability Scanning
Policy Scanning
Continuous Monitoring
Continuous Monitoring: Heavy Automation
Vulnerability Scanning
Technical Pentest
Business Objective Pentest
Red Team Assessment
Intelligent Testing: Business & Threat Focused Intelligent Testing
Purple Team Assessment
Vulnerability & Intelligence Feed
Identify - Analyse - Secure
Technical Pentest
ACME App
Advanced Money Movement
The Problem with a purely technical approach…
It often does not take into account the system's purpose, the environment, or any context of what might be valuable.
If we don't know what is valuable and how the vulnerability discovered can have an impact on the system, then we're in no place to assign a Risk Level that holds any importance to our Business.
Business Objectives Pentest
ACME App
Advanced Money Movement
Payment processing checks are enforced at all gateways.
User roles and permissions are enforced at all stages.
Log integrity is maintained at all stages.
A Bad Security Testing Department…
Becomes a tick box exercise on a gateway which is not respected, correctly understood and often gamed.
A Good Security Testing Department…
Highlights process failings in the design, build and maintain function for the business.
Becomes an indispensable internal marketing tool for demonstrating the value of Security Investment to the Business.
Red Teaming
Red Team Exercise
Red Teaming is a full-scope, multi-layered attack simulation designed to measure how well a company's people, networks, applications and physical security controls can withstand an attack from a real-life adversary.
The Cyber Kill Chain
Early Red Teams can have a great boardroom impact. They bring the threat to life.
Scary reports invoke a senior-level reaction that says X, Y & Z.
Exploit
Persist
Pivot
Call C2C
Exfil
A “What’s wrong report” gives the wrong impression. We want to show where our defensive capabilities worked, failed and where our reactive capabilities kick in.
LinkedIn, Phished in, Kerberoasted some creds, installed RAT, C2C'ed, pivoted, elevated and P0wn3d!
Many are repeating the mistakes of the past…
- Treating it as a technical exercise
- Lacking clear business objectives
- Academic in places
- Poor adversary simulation
- Expensive for the potential value of the activity
- Blackbox
- Poor communication
Back to basics
What are we protecting?
Who are we protecting it from?
What are their techniques?
What is of value to the business? Information / Money / Human Life
Hacktivists
Nation states
Terrorists
Organised crime
Potential threats (chart axes: Capability; Internal / External; Accidental / Malicious)
Keep it current, threat actors evolve and so do their techniques.
Hardware hacking equipment: less than £400 for all 3 devices, and video tutorials are on YouTube.
Barrier for entry has reduced from both a cost perspective and skill level.
Cyber Resilience (chart axis: Capability): Defensive Capabilities; Detective / Reactive Capabilities. Sec Infra; SOC.
Red Team – Report x, y & z
Kill chain phases with their detective (D) and preventive (P) control ids:

Phase                  Detect                          Prevent
Initial Access         IAD.1 IAD.2 IAD.3 IAD.4         IAP.1 IAP.2 IAP.3 IAP.4
Execution              ED.1 ED.2 ED.3 ED.4             EP.1 EP.2 EP.3
Persistence            PD.1 PD.2 PD.3                  PP.1 PP.2 PP.3 PP.4
Privilege Escalation   PED.1 PED.2                     PEP.1 PEP.2 PEP.3 PEP.4 PEP.5 PEP.6
Credential Access      CAD.1                           CAP.1 CAP.2 CAP.3
Discovery              -                               DP.1 DP.2
Lateral Movement       -                               LMP.1 LMP.2 LMP.3 LMP.4
C2 Channel             C2CD.1 C2CD.2 C2CD.3 C2CD.4     -
Data Exfiltration      -                               EXP.1 EXP.2
We Hacked ACME System. Red Team is Elite!
Kill Chain
White Box Red Team / Purple Team: make it open & collaborative!
Strong collaboration with the Red Team and Blue Team (SOC). Do it in real time, not post engagement.
- Be honest with each other
- Whitebox
Test a range of defensive and reactive controls from the perspective of the threat.
Threat: External / Internal
- Script kiddie / Organised Crime / Etc.
Hacktivist Threat Actor - ACME
[Prevent / Detect control matrix across the kill chain phases, as above]
Objectives: Money Movement, Log Tampering, Data Exfiltration against ACME System
Kill Chain
Organised Crime Threat Actor - ACME
[Prevent / Detect control matrix across the kill chain phases, as above]
Objectives: Money Movement, Log Tampering, Data Exfiltration against ACME System
Kill Chain
Executive Reporting
ACME – Advanced Money Movement
Outcomes:
- Objective not achieved.
- Objective achieved but likely to be detected by SOC.
- Objective achieved and unlikely to be detected by SOC.

Threat Sophistication      External Exposure                              Internal Exposure
                           Money Movement | Log Tampering | Data Exfil    Money Movement | Log Tampering | Data Exfil
High       Nation state
           Espionage
Moderate   Organised Crime
           Hacker
Low        Opportunist
           Accident
(Per-cell results are not recoverable from the slide text.)
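An added example, not code from the talk, showing how per-phase prevent/detect results on the kill chain roll up into the three executive outcomes above, keyed by threat actor, exposure and objective, and how to list controls no tested chain exercised. The control ids follow the slide's matrix; the exercise results and the matrix subset are constructed.

```python
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):
    NOT_ACHIEVED = "Objective not achieved"
    LIKELY_DETECTED = "Objective achieved but likely to be detected by SOC"
    UNLIKELY_DETECTED = "Objective achieved and unlikely to be detected by SOC"

@dataclass(frozen=True)
class PhaseResult:
    phase: str                 # kill-chain phase, e.g. "Initial Access"
    prevented_by: tuple = ()   # preventive control ids that stopped the step, e.g. ("IAP.2",)
    detected_by: tuple = ()    # detective control ids that alerted the SOC, e.g. ("IAD.1",)

def roll_up(chain):
    """Collapse the per-phase results of one objective into the executive outcome."""
    # The objective needs every phase to succeed, so one effective preventive control anywhere means it was not achieved.
    if any(r.prevented_by for r in chain):
        return Outcome.NOT_ACHIEVED
    # Objective reached; what matters now is whether the SOC would have seen it.
    if any(r.detected_by for r in chain):
        return Outcome.LIKELY_DETECTED
    return Outcome.UNLIKELY_DETECTED

def untested_controls(matrix, chains):
    """Control ids on the matrix that no tested chain exercised (coverage gaps for the next exercise)."""
    fired = {c for chain in chains for r in chain for c in r.prevented_by + r.detected_by}
    return sorted(c for ids in matrix.values() for c in ids if c not in fired)

# Constructed sample, not real exercise data; keys mirror the executive matrix: (threat actor, exposure, objective).
RESULTS = {
    ("Hacktivist", "External", "Money Movement"): [
        PhaseResult("Initial Access", detected_by=("IAD.1",)),
        PhaseResult("Execution", prevented_by=("EP.2",)),        # chain stopped here
    ],
    ("Organised Crime", "External", "Log Tampering"): [
        PhaseResult("Initial Access"),
        PhaseResult("Persistence", detected_by=("PD.2",)),       # got through, but alerted
        PhaseResult("Privilege Escalation"),
    ],
    ("Organised Crime", "Internal", "Data Exfiltration"): [
        PhaseResult("Credential Access"),
        PhaseResult("Lateral Movement"),
        PhaseResult("Data Exfiltration"),                        # silent success
    ],
}
# Constructed subset of the slide's control matrix, keyed by kill-chain phase.
MATRIX = {"Initial Access": ("IAD.1", "IAD.2", "IAP.1", "IAP.2"), "Execution": ("ED.1", "EP.1", "EP.2")}

def executive_report(results=RESULTS):
    return {key: roll_up(chain) for key, chain in results.items()}
```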
When performing any kind of security testing: Assets / Controls / Threats
Closing Notes
- A better set of meaningful results
- Less risk to business ops than a wargame
- A lower cost to the business
- A good understanding of the problem you're looking to solve and a collaborative.