My key takeaways
- Red is a component of blue
- Blue can exist without red
- Red cannot exist without blue
- red w/o blue = criminal
- Security Operations Design is usually built on an existing environment, rarely built from scratch
- Threat definition: Risk = threat * vulnerability
- alt: Threat = ThreatActor + Intent + Tool/Technique
- Good intentions by intelligent people do not add up to understanding threats or how they operate
- alt:
- Getting pwned is usually not a one-time event: a threat actor has to follow a long series of steps using multiple tools and techniques
- The goal of security operations is to prevent, detect and respond to a threat actor before they achieve their goal
- A binary "you've been hacked" vs. "not hacked" view is not helpful, as you lose sooner or later
- A lot of blue team time is spent on getting in (exploit) but not so much on staying in (persistence) and acting (operational impact)
- Vulnerability assessments are an effort in attack surface reduction
- A penetration test is an effort in attack surface reduction
- Threat based testing raises the threat success bar
- prevent first, detect always
- 100% prevention is not realistic
- Start every engagement as a Security Assessment
- Understand the problem set
- Define goals
- Determine what to measure
- Label the engagement (if necessary)
- "You can only fight the way you practice" — Miyamoto Musashi
- Cyber crime has increased 600% since the COVID-19 pandemic (according to Tyler Robinson, Dark Element)
- If AV vendors look at all publicly available tools and detect them, it makes them look good on pentests
- The bad guys have their own tools that are not publicly available
- Inveigh is like Responder if you don't have Python available
- JS runs on M$ by default
- Pentest: try to find as much as possible
- Red Team Operations most times has a specific goal and are usually more sophisticated
- Test your company vs your products
Env
- Provided by Wild West Hackin’ Fest
- Moderator:
- Presenter:
additional links
- https://danielmiessler.com/study/red-blue-purple-teams/
- https://medium.com/@jaredcatkinson
- https://opensecurity.io/
- https://redteamer.tips/a-tale-of-net-assemblies-cobalt-strike-size-constraints-and-reflection/
- https://samy.pl/master/master.html
- AZULLE: Access Mini PC Stick
- https://github.com/GhostPack/Seatbelt
- https://github.com/Kevin-Robertson/Inveigh
- http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-04-gryffindor-pure-javascript-covert-exploitation-matthew-toussain
- https://github.com/tyranid/DotNetToJScript
- https://www.thec2matrix.com/matrix
User comments
- covers — today at 18:31
I’ve heard the analogy that the blue team is a knife and red is the whetstone. Red exists to make blue better so that when a real event occurs, blue is prepared and cuts through as quickly as possible
- zer0cooL — today at 18:39
"Without training, how can defenders be expected to protect against a threat?" Start with that question to the CISO…