ADVERSARY SIMULATION
“RED CELL” APPROACHES TO IMPROVING SECURITY
Talk Background
• Introduction and overview of Red Teaming
• Organizational challenges & opportunities
• Red Teaming / Red Cell effectiveness
  - Meeting the defenders where they are at
• Adversary simulation
  - Emulating Tactics, Techniques and Procedures
  - Being the adversary
• Resources
$whoami
• Chris Hernandez
• Red Teamer
• Former: Pentester, Vuln / Patch Mgmt, Sysadmin
• Bug bounty hunter
• IRC handle: piffd0s
• Blog: Nopsled.ninja
• @piffd0s
Introduction to Red Teaming
• What is “Red Teaming”?
• Origins of “Red Team”
• Examples of Red Teaming Failures
• Examples of Red Team Successes
What is Red Teaming?
• An approach, a mindset and a set of tactics
• Takes many forms: tabletop exercises, alternative analysis, computer models, and vulnerability probes.
• Critical Thinking
• A Therapist…
What are its origins?
• Originated in the 1960’s military war-game exercises
• Red Team was meant to emulate the Soviet Union
• 1963 - First historical example was a red team exercise structured around procuring a long-range bomber.
• Most early examples are structured around determining the Soviet Union’s capability
Red Team Failures: Operation Eagle Claw
• Failed mission to rescue 52 diplomats held captive in the US Embassy in Tehran.
• Operation was “need to know”, not red teamed
• Operation was initiated without enough planning and foresight into potential challenges / obstacles
Unified Vision ‘01 & Millennium Challenge ‘02
• Millennium Challenge ’02
  - Red Cell is highly restricted in its actions
  - Red Cell pre-emptively attacks the US Navy fleet with all of its air and sea resources, sinking 21 Navy vessels
  - White Cell “refloats” the sunken Navy vessels
• Unified Vision ’01
  - White Cell informs Red Cell that Blue Team has destroyed all of their 21 hidden ballistic missile silos
  - Blue Team commander never actually knew the location of any of the 21 silos
Red Team Success Stories
• New York Marathon, NYPD and New York Road Runners
  - Covers scenarios like:
    - How do you identify tainted water sources?
    - How to respond if drones show up in specific locations?
    - The race can be diverted at any point
• Israeli Defense Force – “Ipcha Mistabra”
  - “The opposite is most likely”
  - Small group in the intelligence branch
  - Briefs officials and leaders on opposite explanations for scenarios
Organizational Challenges
• Overcoming Groupthink
• Maintaining divergent thought
• Remaining Skeptical
• Assimilation into culture
• Communicating risk effectively
• Metacognition
• Leadership buy-in
• “Gaming” the Op
Red Cell Effectiveness
• Ex. 57th Adversary Tactics Group
  - Only highly skilled pilots are allowed to become “aggressors”
  - Allowed only to use known adversary tactics and techniques, depending on who they are emulating
• The same should apply to all red teams
• Adversary emulation is key to realistic simulations
Red Cell Effectiveness
• Effective adversary emulation can mean being a “worse” threat actor
• Tests defenders’ “post-compromise” security posture, aka the “assumed breach model”
• Starting post-compromise / from an existing foothold can also save valuable time and money.
Adversary Skill and Detection Model
[Chart: defender maturity stages (Ignorance, Detection, Proactive, Pre-emptive) plotted against Difficulty (scale 0–6) for three adversary tiers: Script Kiddie, Criminal(s), APT]
What are the benefits of an effective Red Cell?
• Train and measure IR teams’ detection and response.
  - MSFT measures this as MTTD and MTTR: Mean Time To Detect and Mean Time To Recovery
• Validates investment in very expensive security products, services, and subscriptions
An example red cell exercise
• Build a relevant threat model based on your industry’s threats, or competitors’ breaches / news events
• Story board the attack
• Determine where IR should detect and respond
• Use Red Team to validate the story board
• What went well / what went wrong – postmortem analysis
• Debrief tactics
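One way to turn the “determine where IR should detect” and “validate the story board” steps, together with the MTTD / MTTR measure from the previous slide, into numbers the postmortem can use. This is an added example, not material from the talk; the step names, timestamps and IR records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

@dataclass
class Step:
    name: str            # storyboard step, mapped to the emulated actor's TTP
    executed: datetime   # when the red team actually performed it
    expect_detect: bool  # storyboard says IR should detect and respond here

@dataclass
class IRRecord:
    step: str
    detected: Optional[datetime]   # when IR raised the alert (None = never)
    recovered: Optional[datetime]  # when IR contained / recovered (None = not yet)

def score(steps, records):
    """Compare storyboard steps against IR records; MTTD / MTTR in minutes."""
    by_step = {r.step: r for r in records}
    ttd, ttr, missed = [], [], []
    expected = detected_expected = 0
    for s in steps:
        r = by_step.get(s.name)
        expected += s.expect_detect
        if r is None or r.detected is None:
            if s.expect_detect:
                missed.append(s.name)  # a planned detection point that never fired
            continue
        detected_expected += s.expect_detect
        ttd.append((r.detected - s.executed).total_seconds() / 60)
        if r.recovered is not None:
            ttr.append((r.recovered - r.detected).total_seconds() / 60)
    return {
        "mttd_min": mean(ttd) if ttd else None,
        "mttr_min": mean(ttr) if ttr else None,
        "detect_rate": detected_expected / expected if expected else None,
        "missed": missed,
    }

# Constructed sample data: a five-step assumed-breach storyboard and what IR logged.
def at(h, m): return datetime(2016, 1, 1, h, m)
STORYBOARD = [
    Step("assumed-breach foothold", at(9, 0), False),  # handed to the red team, not a detection point
    Step("credential dumping", at(9, 30), True),
    Step("lateral movement", at(10, 0), True),
    Step("data staging", at(11, 0), True),
    Step("exfiltration", at(12, 0), True),
]
IR_RECORDS = [
    IRRecord("credential dumping", at(9, 45), at(10, 45)),
    IRRecord("lateral movement", None, None),            # alert never fired
    IRRecord("exfiltration", at(12, 20), at(13, 20)),
]

def demo():
    return score(STORYBOARD, IR_RECORDS)
```

The `missed` list is the postmortem's starting point: each entry is a step the storyboard said IR should catch but did not.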
Putting it all together – Adversary simulation
• Emulate realistic threat actors’ TTPs
• Assume breach model
• Model attacker activity to your story board
• Information exchange between red and blue teams*
• Protect Red Team culture
• Repeat in a reasonable amount of time
Example Adversary Simulation – TTPs – “Deep Panda”
“After seeing how these indicators were being applied, though, I came to realize something very interesting: almost no one is using them effectively.” – Pyramid of Pain
ADDITIONAL RESOURCES
Books:
Red Team – Micah Zenko
Applied Critical Thinking Handbook – UFMCS
Online:
Microsoft Enterprise Cloud Red Teaming Whitepaper
2015’s Red Team Tradecraft / Adversary Simulation – Raphael Mudge
The Pyramid of Pain – David Bianco
Veris Group - Adaptive Threat Division – Will Schroeder and Justin Warner
The Adversary Manifesto - Crowdstrike