Webinar Takeaway: The Roundup by Wild West Hackin´ Fest: Red Team

My key takeaways

• Red is a component of blue
• Blue can exist without red
• Red cannot exist without blue
  • red w/o blue = criminal
• Security Operations Design is often built on existing environment, rarely built from scratch
• Threat definition: Risk = threat * vulnerability
  • alt: Threat = ThreatActor + Intent + Tool/Technique
  • Good intentions by intelligent people do not add up to understanding threats or how they operate
• Getting pwnd most times isn’t a one time event but a threat actor must follow a long series of events using multiple tools and techniques
• The goal of security operations is to prevent, detect and respond to a threat-actor before they achieve their goal
  • binary "you’ve been hacked" vs not is not helpfull, as you loose sooner or later
• A lot of time in blue teams is spend on getting in (exploit) but not so much on stay in (persistence) and act (operation impact)
• Vulnerability assessments is an effort in attack surface reduction
• Penetration Test is an effort in attack surface reduction
• Threat based testing raises the threat success bar
  • prevent first, detect always
  • 100% prevention is not realistic
• Start every engagement as a Security Assessment
  • Understand the problem set
  • Define goals
  • Determine what to measure
  • Label the engagement (if necessary)

• You can only fight the way you practice
  — Miyamoto Musahi

• Cyber crime has increased 600% since COVID-19 Pandemic (according to Tyler Robinson, Dark Element)
• If AV vendors look at all publicly available tools and detect them, it will make them look good on pentests
  • the bad guys have their own tools not publicly available
• Inveigh is like responder if you don’t have Python available
• JS runs on M$ by default
• Pentest: try to find as much as possible
  • Red Team Operations most times has a specific goal and are usually more sophisticated
  • Test your company vs your products

Env

• Provided by Wild West Hackin’ Fest
• Moderator:
  • Corey Overstreet
• Presenter:
  • Joe Vest
  • Chris Truncer
  • Joe Leon
  • Tyler Robinson
  • Matthew Toussain
  • Maril Vernon

additional links

• https://danielmiessler.com/study/red-blue-purple-teams/
• https://medium.com/@jaredcatkinson
• https://opensecurity.io/
• https://redteamer.tips/a-tale-of-net-assemblies-cobalt-strike-size-constraints-and-reflection/
• https://samy.pl/master/master.html
• AZULLE: Access Mini PC Stick
• https://github.com/GhostPack/Seatbelt
• https://github.com/Kevin-Robertson/Inveigh
• http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-04-gryffindor-pure-javascript-covert-exploitation-matthew-toussain
• https://github.com/tyranid/DotNetToJScript
• https://www.thec2matrix.com/matrix

User comments

• covers — heute um 18:31 Uhr
  

  I’ve heard the analogy that the blue team is a knife and red is the whetstone. Red exists to make blue better so that when a real event occurs, blue is prepared and cuts through as quickly as possible

• zer0cooL — heute um 18:39 Uhr
  

  "Without training, how can defenders be expected to protect against a theat?" Start with that question to the CISO…