SAT Blue – “Identifying Vulnerabilities”
SAT Red – “Simulating Threats”
Security Assessment Team
Identifying what works and what needs working on with respect to preventing, detecting, and responding to cyber threats
Tumble, Twiddle, Spin & Roll the Black Hat
• Tumble – Terminology: what’s in a word?
• Twiddle – Threats: vulnerable, moi?
• Spin – CTI: how to use your intelligence?
• Roll – Reports: show ’em the light!
Doggy Bag – “Um, I’ll take those thoughts to go, please.”
The Buzzwords?
Red Teaming, Pentesting, Black Box, Grey Box, White Box, Purple Box, Pink Box… Fluorescent Box (80s), Tie-dye Box (70s), Tandem Pentest, Blind Pentest, Double-Blind, Crystal Box Pentesting, Ethical Hacking
“I don’t think that word means what you think it means.”
Tumbling the Black Hat
Blue Teaming, Security Assessment, Vulnerability Assessment, Security Scan, Security Testing
RED: Simulating Threats
BLUE: Finding Vulnerabilities
“What works. What needs working on.”
Builders vs. Breakers
• System boundaries – well-defined, political, arbitrary
Threats just look for vulnerabilities and exploit them
• Identify ‘failures’ – scripted, criteria open to interpretation
Threats just look for vulnerabilities and exploit them
• Technical generalists – they ‘scan,’ heavily restricted
Threats are diverse and… they just look for vulnerabilities and exploit them
• Fancy graphs, bucket lists, detailed matrices about your state of risk
Threats found vulnerabilities and exploited them
Beyond the Security Auditor’s Perspective
Vulnerable, moi?
Twiddling the Black Hat
Cyber Threat Intelligence
Get to know the bad guys and gals
• Who are the threats?
• What are their motivations?
• What are their objectives?
• What tools & techniques do they use?
Get to know yourself
• The “big picture”
• Business risks: financial, regulator, market…
• Technology & mission
• What is on your networks?
Use your CTI collection Kung Fu to
Hacking at the speed of light
A vulnerability, isn’t a vulnerability, isn’t a vulnerability
Using your cyber threat intelligence
Spin the Black Hat
Approaching Blue/Red Team Security Assessments from a threat’s perspective
• Priorities/Objectives
• Scope
• Duration
• Frequency
Driven by what matters; effective use of resources
Driven by the threat perspective, not politics, personalities, or auditors
Take the time it takes to do good work; no “scans” or one-day pentests
Continuous blue/red assessments; once a year is not good enough
Blue – Everything / Red – Threats
Use your access, be comprehensive
Blue – Everything / Red – Everything
No politics, personalities, or p…p…auditors
Realistic, use creativity; not too constraining to be useful
Teams of security professionals; security professionals are not one size fits all
• Test Points
• Information
• Rules of Engagement
• People
Show ’em the light!
Roll the Black Hat
A Few Ideas
The REPORT… is EVERYTHING
Don’t just hack around for the fun of it. It’s irresponsible.
Blue Team Reports
• Real world examples
• Language your customers understand
• Provide context – impact to mission
Red Team Reports
• It is not about you!
• Details – what did not work? Why?
• Identify real problems, provide real solutions
• Don’t forget DETECTION and INCIDENT RESPONSE
The Many Ways to Disseminate Information
Use your intelligence, use your results, and use your creativity
• Road show
• Tailored presentations – ‘techies,’ ‘security,’ ‘management’
• Demo TTPs – “hacker series”
Some thoughts to take home
The Doggy Bag
1. Assess from a threat perspective – Builders vs. Breakers
2. Continuously discover “what works, does not work, and what needs working on”
3. Assess prevention, detection, and response – all three!
4. Understand the threats, understand your business, and provide real solutions to real problems
5. Influence vs. dictate change
6. Free your people – let them be creative