About Your Trainer
Dakota State University faculty member
Bank pen tester in a former life
Instructor at Secure Banking Solution’s Institute (www.protectmybank.com)
I’m lucky; I don’t have a real job like you
From Madison, SD
Today’s Rundown
1. What is Red Teaming?
2. So it’s just an awesome pen test?
3. Nuts & Bolts of Red Teaming
4. Why should we care?
5. Conclusions; Q&A
What is Red Teaming?
Born out of the military world
A true simulation of an adversary
Adversary simulation is not the same thing as a pen test
AKA full-scope testing, AKA tiger teaming
What is Red Teaming?
A hacker’s doctrine is like nothing you’ve seen before
Time, defenses, personnel, and consequences don’t matter to them at all
Of course, we have to have limits
Blended Threats
Technology + Social + Physical = Red Teaming
What is Red Teaming?
Full scope means FULL scope
Partners, suppliers, vendors, customers, etc…
What is Red Teaming?
It’s truly a question of scope:
What do you want tested v.
What you should have tested
So it’s just an awesome pen test?
There are some huge differences here
PT = How are you vulnerable / how are you exploited?
Red Team = How do you make money?
So it’s just an awesome pen test?
Think of the difference between IT staff and “business” staff
Two ships passing in the night
Pen testing hits 5-10% of your BUSINESS
So it’s just an awesome pen test?
Red teaming is EXTREMELY personal
Would it make a difference to your business model if:
The CEO was kidnapped,
The web application was hacked, or
So it’s just an awesome pen test?
Don’t be dramatic, sir…
No, really! Is there enough out there to plan a kidnapping?
Family/kids’ tweets, Facebook posts, pics, etc… Tons of goodies out there
OSINT is an entire hacker world of its own
So it’s just an awesome pen test?
Pen testers are nice!
They will stay in scope
They will play by your rules
Nuts & Bolts of Red Teaming
Red Teamers are true adversaries
They target CORE business functions & people
Nuts & Bolts of Red Teaming
Who LOVES the exhibits?
Who lives and dies with the collections?
Who secured the donation/loan of the items?
Who is ultimately responsible for the artifacts?
These are the business people!
Nuts & Bolts of Red Teaming
Who looks over the exhibits? Talks about them from a script?
Cleans around them to make them look nice? Hosts tours through them?
It’s a job. Out of there at 5PM. TGIF.
These are the technology people! (not a bad thing, just how it works…)
Nuts & Bolts of Red Teaming
Red Teamers go for your heart
1. What bothers you?
2. What keeps you up at night?
3. How big of a fight are you willing to get in?
All of that will be dug up and used against you…
Nuts & Bolts of Red Teaming
Remember what PT has historically been:
Hunting for reds/purples in Nessus
Firing exploits based on vuln scanning
“Signatures say you’re vulnerable… so do these canned exploits… so I guess you
Nuts & Bolts of Red Teaming
That level of automation is pen testing
Red Teaming uses imagination
Vulnerability Assessments are even worse!
And I know IT guys don’t want to hear all
Nuts & Bolts of Red Teaming
IT guys want to:
do PTs
pick safe/friendly vendors
secure their world only
Nuts & Bolts of Red Teaming
Red Team on site
Nobody knows where/when/how/who
99% of the work is already done before we show up
TONS of leakage by your vendors, personnel, competitors, job postings, BoD members, corporate events, etc…
Why should we care?
The cost per incident is CRAZY
$168K per incident in 2006; $5.4M per incident in 2013
Only 52% of breaches involve “hacking”
Why should we care?
80% of breaches included using weak or leaked credentials
Automated scanners don’t catch that stuff
A clean scan report is a total false sense of security
Fraud, stolen hardware, and snail mail are still #1
Hacking = 28%; web apps = 9%
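An added illustration (not from the talk) of the kind of check a vulnerability scanner never runs but a red team does on day one: taking a set of recovered credentials and testing them against a leaked-password corpus and a basic policy. The leaked list, the account names and the passwords below are all constructed for the example; the prefix-based lookup in `is_leaked` mirrors the k-anonymity scheme of the Pwned Passwords range API, but here the corpus is a small local set so the script runs offline.

```python
import hashlib
import re

# Constructed "breach corpus" (not real data): leaked passwords stored as
# upper-case SHA-1 hex, the way public leaked-credential dumps usually ship.
LEAKED_PLAINTEXT = ["Password1", "Summer2013", "Welcome1", "museum2013"]
LEAKED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
               for p in LEAKED_PLAINTEXT}

# Constructed sample accounts (hypothetical users), e.g. from a recovered
# password vault or a phished login.
ACCOUNTS = {
    "ceo": "Summer2013",           # leaked AND a season+year pattern
    "curator": "Tr0ub4dor&3!xQ9",  # should pass
    "vendor_svc": "Welcome1",      # typical vendor default, leaked
    "docent": "exhibits",          # weak by policy but not in the corpus
}

SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}[!@#$]?$",
                         re.IGNORECASE)


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_leaked(password: str, corpus: set = LEAKED_SHA1) -> bool:
    """Range-style lookup: select candidates by the first 5 hex chars of the
    hash, then compare the remaining 35 chars locally. Against a remote
    corpus this means only the 5-char prefix ever leaves the auditing host."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidates


def policy_findings(password: str) -> list:
    """Cheap policy checks that automated vuln scanners do not perform."""
    findings = []
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    if "password" in password.lower():
        findings.append("contains the word 'password'")
    if SEASON_YEAR.match(password):
        findings.append("season+year pattern")
    return findings


def audit(accounts: dict, corpus: set = LEAKED_SHA1) -> dict:
    """Return {username: [findings]} for every account with at least one issue."""
    report = {}
    for user, password in accounts.items():
        findings = policy_findings(password)
        if is_leaked(password, corpus):
            findings.append("appears in leaked-password corpus")
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS).items():
        print(f"{user}: {'; '.join(findings)}")
```

On the constructed data three of the four accounts are flagged, including the CEO’s, which is exactly the kind of finding that ties a technical weakness to the business people the talk keeps pointing at.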
Why should we care?
And the biggest reason: your industry is ready for this
Automated PTs are so 2010
Compliance is a roadmap for the bad guys
Why should we care?
Too many firms claim they can do this
This isn’t a computer-guy-only job
Current PTs are a compliance box checker
Other industries are watching you
Conclusions; Q&A
Josh.Pauli@dsu.edu
Josh.Pauli@protectmybank.com
Love to hear from you!