Today's Rundown 1. What is Red Teaming? 2. So it's just an awesome pen test? 3. Nuts & Bolts of Red Teaming 4. Why should we care? 5.

Academic year: 2021

About Your Trainer

Dakota State University faculty member

Bank pen tester in a former life

Instructor at Secure Banking Solution’s Institute (www.protectmybank.com)

I’m lucky; I don’t have a real job like you

(4)

From Madison, SD

(5)

Today’s Rundown

1. What is Red Teaming?

2. So it's just an awesome pen test?

3. Nuts & Bolts of Red Teaming

4. Why should we care?

5. Conclusions; Q&A

(6)

What is Red Teaming?

Born out of the military world

A true simulation of an adversary

Adversary simulation ≠ pen test

AKA full-scope testing, AKA tiger teaming

(7)

What is Red Teaming?

A hacker’s doctrine is like nothing you’ve seen before

{time, defenses, personnel, consequences} don’t matter at all

Of course, we have to have limits

(8)

Blended Threats

Technology + Social + Physical = Red Teaming

(9)

What is Red Teaming?

Full scope means FULL scope

Partners, suppliers, vendors, customers, etc…

(10)

What is Red Teaming?

It’s truly a question of scope:

What do you want tested vs.

What you should have tested

(11)

So it’s just an awesome pen test?

There are some huge differences here

PT = How are you vulnerable / exploited?

Red Team = How do you make money?

(12)

So it’s just an awesome pen test?

Think of the difference between IT staff and “business” staff

Two ships passing in the night

Pen testing hits 5-10% of your BUSINESS

(13)

So it’s just an awesome pen test?

Red teaming is EXTREMELY personal

Would it make a difference to your business model if:

The CEO was kidnapped,

The web application was hacked, or

(14)

So it’s just an awesome pen test?

Don’t be dramatic, sir…

No, really! Is there enough out there for kidnap?

Family/kids tweets, Facebook posts, pics, etc… Tons of goodies out there

OSINT is an entire hacker world
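One concrete flavour of the "pics" leak mentioned above, as an added example that is not part of the original slides: a photo posted with its Exif block intact can carry the GPS fix of where it was taken. The Python below reads those coordinates using only the standard library. The JPEG it parses is constructed inside the code (no real photo), and the coordinates baked into it are made up (roughly Madison, SD); tag numbers and layout follow the Exif/TIFF specification.

```python
"""Pull GPS coordinates out of a photo's Exif metadata, standard library only.

Added example, not from the original slides. The sample JPEG and its
coordinates are constructed below and are not a real photo.
"""
import struct

# TIFF field type -> size in bytes (BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED, SLONG, SRATIONAL)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def find_exif_payload(jpeg):
    """Walk JPEG marker segments; return the TIFF blob inside APP1/Exif, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker")
        marker = jpeg[pos + 1]
        if marker == 0xDA or pos + 4 > len(jpeg):   # start of scan: metadata is over
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # includes its own 2 bytes
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None


def read_ifd(tiff, offset, endian):
    """Return {tag: (type, value_bytes)} for one IFD, resolving out-of-line values."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        field = tiff[e + 8:e + 12]
        size = TYPE_SIZES.get(typ, 1) * n
        # Values of 4 bytes or less live in the entry itself; larger ones are pointed to.
        if size <= 4:
            data = field[:size]
        else:
            ptr = struct.unpack(endian + "I", field)[0]
            data = tiff[ptr:ptr + size]
        entries[tag] = (typ, data)
    return entries


def rationals(data, endian):
    """Decode RATIONAL values (numerator, denominator pairs) into floats."""
    return [num / den if den else 0.0 for num, den in struct.iter_unpack(endian + "II", data)]


def dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds plus hemisphere letter -> signed decimal degrees."""
    deg, minutes, seconds = dms[:3]
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None if the photo carries no GPS tags."""
    tiff = find_exif_payload(jpeg)
    if tiff is None:
        return None
    endian = "<" if tiff[:2] == b"II" else ">"
    if struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF magic")
    ifd0 = read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(tiff, struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][1])[0], endian)
    if any(t not in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat_ref = gps[GPS_LAT_REF][1].rstrip(b"\x00").decode("ascii")
    lon_ref = gps[GPS_LON_REF][1].rstrip(b"\x00").decode("ascii")
    lat = dms_to_decimal(rationals(gps[GPS_LAT][1], endian), lat_ref)
    lon = dms_to_decimal(rationals(gps[GPS_LON][1], endian), lon_ref)
    return round(lat, 6), round(lon, 6)


def build_sample_jpeg(with_gps=True):
    """Construct a minimal big-endian Exif JPEG (sample data, not a real photo)."""
    header = b"MM" + struct.pack(">HI", 42, 8)                  # byte order, magic, IFD0 offset
    if not with_gps:
        return _wrap(header + struct.pack(">HI", 0, 0))         # empty IFD0, no next IFD
    # Layout: header(8) | IFD0(18) @8 | GPS IFD(54) @26 | lat rationals @80 | lon rationals @104
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", TAG_GPS_IFD, 4, 1, 26) + struct.pack(">I", 0)
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + b"N\x00\x00\x00"
    gps += struct.pack(">HHII", GPS_LAT, 5, 3, 80)
    gps += struct.pack(">HHI", GPS_LON_REF, 2, 2) + b"W\x00\x00\x00"
    gps += struct.pack(">HHII", GPS_LON, 5, 3, 104)
    gps += struct.pack(">I", 0)
    lat = struct.pack(">IIIIII", 44, 1, 0, 1, 36, 1)             # 44 deg 0' 36" N  (made up)
    lon = struct.pack(">IIIIII", 97, 1, 6, 1, 36, 1)             # 97 deg 6' 36" W  (made up)
    return _wrap(header + ifd0 + gps + lat + lon)


def _wrap(tiff):
    """Wrap a TIFF blob in SOI + APP1/Exif + SOS markers (image data omitted)."""
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda"


if __name__ == "__main__":
    print(extract_gps(build_sample_jpeg()))                 # (44.01, -97.11)
    print(extract_gps(build_sample_jpeg(with_gps=False)))   # None
```

Caveat for anyone using this against real material: the big social networks strip Exif on upload, so the leak usually comes from originals shared another way (email attachments, cloud-storage links, personal sites, "full size" sends in messaging apps). The parser returns None rather than guessing when the GPS sub-IFD or any of the four tags is absent.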

(15)

So it’s just an awesome pen test?

Pen testers are nice!

They will stay in scope

They will play by your rules

(16)

Nuts & Bolts of Red Teaming

Red Teamers are true adversaries

They target CORE business functions & people

(17)

Nuts & Bolts of Red Teaming

Who LOVES the exhibits?

Who lives and dies with the collections?

Who secured the donation/loan of the items?

Who is ultimately responsible for the artifacts?

These are the business people!

(18)

Nuts & Bolts of Red Teaming

Who looks over the exhibits?

Talks about them from a script?

Cleans around them to make them look nice?

Hosts tours through them?

It’s a job. Out of there at 5PM. TGIF.

These are the technology people! (not a bad thing, just how it works…)

(19)

Nuts & Bolts of Red Teaming

Red Teamers go for your heart

1. What bothers you?

2. What keeps you up at night?

3. How big of a fight are you willing to get in?

All that will be dug up and used against you…

(20)

Nuts & Bolts of Red Teaming

Remember what PT has historically been:

Hunting for reds/purples in Nessus

Firing exploits based on vuln scanning

“Signatures say you’re vulnerable…so do these canned exploits…so I guess you

(21)

Nuts & Bolts of Red Teaming

That level of automation is pen testing

Red Teaming uses imagination

Vulnerability Assessments are even worse!

And I know IT guys don't want to hear all

(22)

Nuts & Bolts of Red Teaming

IT guys want to:

do PTs

pick safe/friendly vendors

secure their world only

(23)

Nuts & Bolts of Red Teaming

Red Team on site

Nobody knows where/when/how/who

99% of the work is already done

TONS of leakage by your vendors, personnel, competitors, job postings, BoD members, corporate events, etc…

(24)

Why should we care?

The cost per incident is CRAZY

$168K in 2006 → $5.4M in 2013

Only 52% of breaches involve “hacking”

(25)

Why should we care?

80% of breaches included using weak or leaked credentials

Automated scanners don’t catch that stuff

Total false sense of security

Fraud, stolen hardware, and snail mail are still #1

Hacking = 28%; web apps = 9%

(26)

Why should we care?

And the biggest reason: your industry is ready for this

Automated PTs are so 2010

Compliance is a roadmap for the bad guys

(27)

Why should we care?

Too many firms claim they can do this

This isn't a computer-guy-only job

Current PTs are a compliance box checker

Other industries are watching you

(28)

Conclusions; Q&A

Josh.Pauli@dsu.edu

Josh.Pauli@protectmybank.com

Love to hear from you!
