From Salmon to Scarlet: Getting the Most out of the Many Shades of Red
Ed Skoudis, @edskoudis, #SANSHackFest
November 16, 2015

Welcome to the SANS HackFest
Thank you for joining us!
We've been planning and building this for a year.
We've got an awesome event for you.
What's on Tap?
- 2 days of in-depth Summit talks
- 3 nights of NetWars
- Coin-a-palooza during NetWars
- Special surprise "HackFest Hits the Road" session, featuring Jo Mama's soopersekret cookies!
- 6 in-depth courses
- Hacking the Internet of Things Thing
- A night of CyberCity missions
- Special closing ceremony on Monday, Nov 23

SANS Pen Test HackFest Agenda
Mon Nov 16: Summit; NetWars w/ Coin-a-Palooza, 6:30 PM to 9:30 PM
Tues Nov 17: Summit (4:30 PM); HackFest Hits the Road, 5:00 PM to 10 PM
Wed Nov 18: (5:30 PM); Hacking the Internet of Things Thing, 7:15 PM to 9:15 PM
Thurs Nov 19: NetWars w/ Coin-a-Palooza, 6:30 PM to 9:30 PM
Fri Nov 20: (nothing listed)
Sat Nov 21: CyberCity, 6:30 PM to 9:30 PM
Sun Nov 22: NetWars w/ Coin-a-Palooza, 6:30 PM to 9:30 PM
Mon Nov 23: Brief Closing Session, 3 PM
Thank You to Our Sponsors!

Pen Test HackFest Themes
- Offense helps cyber defenders & DFIR professionals
- The continuing evolution of offensive capabilities
- Multi-faceted offensive skills
- We must strive to provide technical excellence with great business value
Please Help Make This Special
- We're a community of friends & colleagues
- We want you to get as much value out of this as you can
- Interact with speakers, instructors, staff
- Introduce yourself to others; make friends
- Please take advantage of our evening sessions
- Lots of learning, but also a lot of FUN!

The Many Shades of Red
(A chart arranging offensive roles along two axes.)
Width: approx. # of jobs. Depth: relative technical complexity.
Where do you fit? Where do you want to fit?
Roles shown: Auditors, Vuln Assessors, Pen Testers, Red Teamers, Adversary Simulators, Offensive Ops, Security Researchers
Pen Testing Rut
Pen testing, as it is commonly understood, has a fixed timespan, narrow scope, and a focus on finding vulns, and exploiting them only as time is available. In doing this, we sacrifice realism, stealth, depth, and understanding of deep business implications. And most importantly, we sacrifice determining whether blue is ready to detect and respond to real-world attackers.

The Move Toward Red Teaming
- Engagements tend to be longer (instead of a 1-2 week pen test): months, or even continuous
- Often done without a fixed starting date/time
- Internal red teams tend to know the lay of the land
- Useful in determining changes of security stance over time
Adversary Simulation
- Applying the Red Team deeply
- Face the Red Team against the blue/hunt team
- Apply techniques used by real-world attackers
- Include surprise, stealth, lateral movement
- Focus on measuring detection and response
- Very useful, but can feel a bit messy

The Foundations of Red vs. Blue
Considering the evolution from Vuln Assessment to Red Team / Adversary Simulation, what's the real purpose of red?
- To help prioritize resources and heighten defenses
- To make Blue better
- This will help us provide more business value
Metrics and Continuous Improvement
To provide some structure, consider this process:
1. Red discusses with Blue the general techniques they'll use: spear phishing (something that nearly guarantees access), or just assume compromise & pivot mercilessly.
2. Establish a time metric for Blue to detect: 2 weeks of active infiltration & exfil sim as a first blush for an inexperienced blue.
3. Establish a scope (fairly widespread).
4. GO!
5. Did Blue detect Red in time?
   - No: Red helps explain to Blue what they did, and they brainstorm how to detect it better, faster, and in a more distributed fashion. Red sharpens Blue.
   - No, but they detected a real bad guy: WIN!
   - Yes: Blue then shows how it detected red. Tweak scope, enhance allowed red techniques, lower the timeframe (1 day)! Blue sharpens Red.
Conclusions
- It used to be OUTLANDISH to say "I'm going to pay people to hack my stuff."
- Now, unless you do get a pen test or red team assessment, you aren't exercising your due diligence.
- Red and Blue together: SOMETHING AWESOME
- Red's primary goal is to make blue better. Never lose sight of that, frodo!
- As you participate in the HackFest, think about how Red and Blue can sharpen each other.

References
- Raphael Mudge blog, "Models for Red Team Operations": http://blog.cobaltstrike.com/2015/07/09/models-for-red-team-operations/
- Ed Skoudis presentation, "How to Give the Best Pen Test of Your Life": http://is.gd/8oaxrn
- Robin Mejia article, "Red Team Versus Blue Team: How to Run an Effective Simulation", CSO Online: http://www.csoonline.com/article/2122440
- Raphael Mudge blog, "Red Team Tradecraft": http://blog.cobaltstrike.com/2015/04/29/2015s-red-team-tradecraft/