Download - [AVTOKYO 2017] What is red team?
![Page 1: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/1.jpg)
What is Red Team Service?~Latest Penetration Test Trends in U.S.~
TOMOHISA ISHIKAWA
www.scientia-security.org
![Page 2: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/2.jpg)
$$ WHO AM I ?
Tomohisa Ishikawa• Security Consultant (9 years experience)
• Specialized Area
• Penetration Test, IR, Security Consultation, Vulnerability Management, Awareness,
Training, Global Security Management…
• Various Speaker Experience
• SANSFIRE 2011 & 2012, DEF CON 24 SE Village, LASCON 2016, BSides Philly 2017
• Certification Junkie
• CISSP, CSSLP, CISA, CISM, CFE, GPEN, GWAPT, GXPN, GWEB, GSNA, GREM, GCIH
![Page 3: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/3.jpg)
Objective
Sharing One Year Experience in security team of U.S.
insurance company
Understanding difference of Methodology• Traditional “Penetration Test” vs. “Red Team”
![Page 4: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/4.jpg)
皆様の会社(組織)、ペネトレーションテストやっていますか?
Do you have penetration test in your organization??
![Page 5: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/5.jpg)
![Page 6: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/6.jpg)
![Page 7: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/7.jpg)
![Page 8: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/8.jpg)
![Page 9: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/9.jpg)
日本で言うペネトレーションテストって…
Penetration Test in Japan is …
某L社とか某N社のページを見てみると..
Let’s see HP of N company, L company, M company…
• Webセキュリティ診断サービス (Web Application Testing)
• プラットフォーム診断サービス (Platform Testing)
• 標的型攻撃診断サービス(メール訓練サービス・出口対策検証)
• 無線LAN診断サービス
• DDoS体制検証サービス
安全第一!!Safety of system is First Priority.
※ちなみにセキュリティ診断とペネトレーションテストをほぼ同じ意味で使いますが、宗教上の理由でこの二つを一緒に語ることが許せない人とは適当に読み替えてください。
![Page 10: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/10.jpg)
米国に行くと…
意外とペネトレーションテスターって言わない人が多い?
Only few people said “I am a penetration tester”
![Page 11: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/11.jpg)
「ペネトレーションテスト」ってダサい?
“Penetration Test” is tacky???
![Page 12: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/12.jpg)
![Page 13: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/13.jpg)
What is “Red Team”?
もともと、諜報機関で生まれた概念Originally, it is from intelligence community
敵の観点から作戦を検証したり、取得した情報の信憑性を批判的に検証するチームのこと
Verify strategies or information from adversary view point
• Devil‘s Advocate(悪魔の弁護人)
• CIA Red Cell
![Page 14: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/14.jpg)
What is the difference btw “Red Team” and “Pen Test”?⇒ Coverage is different!!
Digital
Physical Social
• Web Application Testing• Platform Testing• APT Simulation• APT Mail Awareness training
• Vishing(Voice Phishing)• OSINT• Tail Gating• Impersonation
• ID Card Cloning• Physical Access to box• Elevator Hacking• Physical Control Bypass
![Page 15: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/15.jpg)
![Page 16: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/16.jpg)
![Page 17: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/17.jpg)
According to Gartner…• Long Term Challenge (NOT point-in-time assessment)
• より長期的にテストを実施。実施時間も24時間いつでも実施する.
• Defense Coordination
• Blue Teamの機能も含めて評価を行い、改善につなげる。
• Adversary Simulation• 攻撃者そのものの観点から実施する。(3つの観点の融合)
• Controlled but Real Intrusion
What is the difference btw “Red Team” and “Pen Test”?⇒ Different Feature
![Page 18: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/18.jpg)
Case 1: Physical Penetration Test
![Page 19: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/19.jpg)
Objective• どこまで内部侵入して情報が取れるのか?
Is it possible to bypass physical access control?
Methodology• Breaking Lock (Picking, impassioning, Bypassing)
• Elevator Hacking
• RFID Cloning
• Social Engineering
Physical Penetration Test
![Page 20: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/20.jpg)
Case 2: APT Adversary Simulation Service
![Page 21: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/21.jpg)
SLA of APT Adversary Simulation Service is following.
• Awareness Phishing
• Penetration Test Phishing
• Red Team Phishing
標的型攻撃サービスAPT Adversary Simulation Service
![Page 22: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/22.jpg)
Attempting attacks as same as “Japan Pension Service”
• Following Cyber Kill Chain
• OSINT & SOCMINT
• Selecting 2~3 targets, and sending attached email
• Exploitation
• Using “Fresh” vulnerability & Exploit
• Post Exploitation with PowerShell
• Password Cracking with GPU
• Lateral Movement & Reaching out “Treasures”
Red Team Phishing
![Page 23: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/23.jpg)
OSINT Example
Check LinkedIn and find out target
Analyzing Twitter with SOCMINT Tools• Target has a tendency to buy shoes in apparel shop
• Sending Coupon by pretending as appeal shop
![Page 24: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/24.jpg)
TOOLS OSINT
• Maltago https://www.paterva.com/web7/
• FOCA https://www.elevenpaths.com/labstools/foca/index.html
• SpiderFoot http://www.spiderfoot.net/
• Discovery Script https://github.com/leebaird/discover
• Recon-ng https://bitbucket.org/LaNMaSteR53/recon-ng
• Cymon https://cymon.io/
• WeLink https://welink.com/dashboard/
• GEOFEEDIA https://geofeedia.com/
• ECHOSEC https://www.echosec.net/
![Page 25: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/25.jpg)
TOOLS
OTHER TOOLS (Part of them is experimental)• GoPhish https://getgophish.com/
• Social Engineering Toolkit in Kali Linux
• Cobalt Strike https://www.cobaltstrike.com/
• Mimikatz https://github.com/gentilkiwi/mimikatz
• Responder https://github.com/SpiderLabs/Responder
• IPMI http://fish2.com/ipmi/remote-pw-cracking.html
• MITM Framework https://github.com/byt3bl33d3r/MITMf
• Spray WMI https://github.com/trustedsec/spraywmi
![Page 26: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/26.jpg)
![Page 27: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/27.jpg)
![Page 28: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/28.jpg)
![Page 29: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/29.jpg)
TOOLS PowerShell Tools
• PowerShell Empire https://github.com/EmpireProject/Empire
• EmPyre (Python) https://github.com/EmpireProject/EmPyre
• PowerSploit https://github.com/PowerShellMafia/PowerSploit
• Including PowerView・Invoke-Mimikatz・PowerUp
• Veil Framework https://www.veil-framework.com/
• Nishang https://github.com/samratashok/nishang
• Invoke-Obfuscation https://github.com/danielbohannon/Invoke-Obfuscation
• PS Attack https://github.com/jaredhaight/psattack
• NaishoDeNusumu https://github.com/3nc0d3r/NaishoDeNusumu
• BloodHound https://github.com/BloodHoundAD/BloodHound
![Page 30: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/30.jpg)
![Page 31: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/31.jpg)
![Page 32: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/32.jpg)
Resource Great Presentation
• AD Security https://adsecurity.org/
• All presentation is awesome
• Adversarial Post-Exploitation: Lessons From The Pros
• https://www.youtube.com/watch?v=x3crG-hM9sc
• A Year in the Empire
• https://www.youtube.com/watch?v=ngvHshHCt_8
• PowerShell Secrets and Tactics
• https://www.youtube.com/watch?v=EQv4bJnCw8M
• Introducing PowerShell into your Arsenal with PS>Attack
• https://www.youtube.com/watch?v=mPckt6HQPsw
• Invoke-Obfuscation: PowerShell obFUsk8tion Techniques
• https://www.youtube.com/watch?v=P1lkflnWb0I
![Page 33: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/33.jpg)
From Blue Team Side
以下が本当に重要!!
• Full Spectrum Visibility (完全な可視化)
• Targeted Containment (標的型封じ込め)
EDR (Endpoint Detection & Response)• Ex) Tanium, Fidelis, Carbon Black, FireEye, Crowd Strike, Red Cloak, Cyber
Reason…
![Page 34: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/34.jpg)
Wrap-Up
“Red team” is U.S. trends
Focus on comprehensive test
![Page 35: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/35.jpg)
Thank You!!
If you have any questions, please feel free to contact me
Contact Info• Email [email protected]
• JP Blog www.scientia-security.org
![Page 36: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/36.jpg)
Bonus Session
![Page 37: [AVTOKYO 2017] What is red team?](https://reader033.vdocuments.us/reader033/viewer/2022052116/5a648c4a7f8b9a27568b6347/html5/thumbnails/37.jpg)
Digital Penetration Test Certification
Certification for Penetration Tester• CEH (by EC-Council)
• GIAC (by SANS)
• OSCP (by Offensive Security)