Red Teaming For The Enterprise
OBJECTIVE
‣ Helping the business figure out when they should apply a penetration test vs red team exercise
‣ Helping the business figure out how to approach red teaming in a bite-sized manner
‣ Red teaming can streamline security budgeting in the business, if you scope it and do it right
‣ Know what is functional within your environment and what you can detect
WHEN TO USE …
Red Team - I need to understand how my organisation will perform under real world attacks
PRISM INTELLIGENCE
Red teaming is getting an à la carte menu of random attacks which you can choose from
Short-Term *
Scanners? *
Complex C2 infrastructure
Be smart about it
DEFINE
‣ Threat relevance
‣ Success criteria
‣ White carding
‣ Technique guidance
‣ Scoring the exercise
‣ Know who your adversaries are and the associated “crown jewels”
‣ IOCs aren’t good enough intelligence, they’re called “indicators” for a reason
‣ Figure out the attacker's TTPs; most of the time you won't get all the known TTPs, but remember that attackers in general are lazy and there's always a common attack thread
‣ Domain admin?
‣ Assumed breach
‣ Bypassing of certain steps (eg: waiting on a compromised box for several weeks before someone logs in)
‣ ..other situations which may come up during the exercise, or beforehand during scoping discussions
‣ Regardless of affiliation, if you aren't using this, you are doing yourself a disservice
‣ Give them points for what they obtain; subtract points if the IR team manages to identify and track a technique
‣ Result
CAVEATS
‣ Red teaming is as complex as you want to make it but know what you are getting yourself into
▸ Emil Tan
▸ Justin Tan
▸ ..and to just about everyone else who kept asking me to get on stage to talk about this.