Secure 360 adversary simulation

Date post: 18-Feb-2017
Upload: chris-hernandez
ADVERSARY SIMULATION “RED CELL” APPROACHES TO IMPROVING SECURITY
Transcript
Page 1: Secure 360   adversary simulation

ADVERSARY SIMULATION “RED CELL”

APPROACHES TO IMPROVING SECURITY

Page 2: Secure 360   adversary simulation

Talk Background

• Introduction and Overview of Red Teaming
• What are our organization's Challenges & Opportunities?
• What makes Red Teaming / Red Cell effective?
• What is Adversary Simulation?
• TL;DR…
• Extra Resources

Page 3: Secure 360   adversary simulation

$whoami

• Chris Hernandez
• Red Teamer
• Former: Pentester @ Veris Group ATD; lots of other stuff
• Exploit / Bug Research
• Blog: Nopsled.ninja
• @piffd0s

Page 4: Secure 360   adversary simulation

What is Red Teaming?

Page 5: Secure 360   adversary simulation

• Mindset and Tactics
• Takes many forms: Tabletop Exercises, Alternative analysis, computer models, and vulnerability probes.
• Not limited to InfoSec
• Critical Thinking
• Cognitive Psychologist

Page 6: Secure 360   adversary simulation

What are its origins?

Page 7: Secure 360   adversary simulation

• Originated in the 1960's military war-game exercises
• “Red” = the Soviet Union
• 1963 - First public / documented example was a red team exercise structured around procuring a long range bomber.
• Most early examples are structured around determining the Soviet Union's capability

Page 8: Secure 360   adversary simulation

Why does this matter to me?

Page 9: Secure 360   adversary simulation

Pass the salt…

Page 10: Secure 360   adversary simulation

Try This…

Page 11: Secure 360   adversary simulation
Page 12: Secure 360   adversary simulation

What happens when we fail?

Page 13: Secure 360   adversary simulation

Unified Vision ’01 & Millennium Challenge ’02

• Millennium Challenge ’02
  • Red Cell is highly restricted in its actions
  • Red Cell pre-emptively attacks the US Navy fleet with all of its air and sea resources, sinking 21 Navy vessels
  • White Cell “refloats” the sunken Navy vessels

• Unified Vision ’01
  • White Cell informs Red Cell that Blue Team has destroyed all of their 21 hidden ballistic missile silos
  • Blue Team commander never actually knew the location of any of the 21 silos

Page 14: Secure 360   adversary simulation

What happens when we succeed?

Page 15: Secure 360   adversary simulation

Red Team Success Stories

• New York Marathon, NYPD and New York Road Runners
  • Cover scenarios like:
    • How do you identify tainted water sources
    • How to respond if drones show up in specific locations
    • Race can be diverted at any point

• Israeli Defense Force – “Ipcha Mistabra”
  • The opposite is most likely
  • Small group in the intelligence branch
  • Briefs officials and leaders on opposite explanations for scenarios

Page 16: Secure 360   adversary simulation

How does any of that apply to my business?

• Red Team Failure
  • Agendas
  • Restricted actions
  • Poor Communication
  • Narrow scope
  • Unrealistic Scenarios
  • Not having a red team

• Red Team Success
  • Good questions
  • Make no assumptions
  • Open Access
  • Fluid Communication
  • Realistic Scenarios
  • Agendas

Page 17: Secure 360   adversary simulation

What makes a red team effective?

Page 18: Secure 360   adversary simulation

Red Cell Effectiveness

• Ex. 57th Adversary Tactics Group
  • Only highly skilled pilots are allowed to become “aggressors”
  • Allowed only to use known adversary tactics and techniques, depending on who they are emulating
• The same should apply to all red teams
• Adversary emulation is key to realistic simulations

Page 19: Secure 360   adversary simulation

Red Cell Effectiveness

• Effective adversary emulation can mean being a “worse” threat actor
• Tests defenders' “post-compromise” security posture, aka the “assumed breach model”
• Starting post-compromise / from a foothold can also save valuable time and money.

Page 20: Secure 360   adversary simulation

What are the benefits of an effective Red Cell?

• Train and measure IR teams' detection and response.
• MSFT measures this as MTTD / MTTR: Mean Time to Detect and Mean Time to Recovery
• Validates investment in very expensive security products, services, and subscriptions
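A worked example of the MTTD / MTTR measurement the slide refers to, added here as illustration (not code from the talk or from Microsoft): each red-cell action in an assumed-breach exercise is recorded with when it started, when the blue team detected it, and when it was contained, and the two means are computed from those timestamps. The timeline below is constructed; actions that were never detected, or detected but never contained, are reported as counts rather than silently dropped, since those gaps are the finding.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class ExerciseAction:
    """One red-cell action and the blue team's response to it (None = never happened)."""
    name: str
    started: datetime
    detected: Optional[datetime]
    recovered: Optional[datetime]


def _t(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


# Constructed sample timeline for a one-day assumed-breach exercise (hypothetical values).
ACTIONS: List[ExerciseAction] = [
    ExerciseAction("assumed-breach foothold on workstation", _t("2017-02-18T09:00:00"),
                   _t("2017-02-18T09:45:00"), _t("2017-02-18T11:00:00")),
    ExerciseAction("credential access on workstation", _t("2017-02-18T10:00:00"),
                   _t("2017-02-18T10:30:00"), _t("2017-02-18T13:30:00")),
    ExerciseAction("lateral movement to file server", _t("2017-02-18T12:00:00"),
                   None, None),                     # never detected: a detection gap
    ExerciseAction("data staging on file server", _t("2017-02-18T14:00:00"),
                   _t("2017-02-18T15:00:00"), None),  # detected but never contained
]


def mttd_hours(actions):
    """Mean Time to Detect in hours over detected actions.
    Returns (mttd, undetected_count); mttd is None when nothing was detected."""
    delays = [(a.detected - a.started).total_seconds() / 3600
              for a in actions if a.detected is not None]
    undetected = sum(1 for a in actions if a.detected is None)
    return (sum(delays) / len(delays) if delays else None, undetected)


def mttr_hours(actions):
    """Mean Time to Recovery in hours, measured from detection to containment.
    Returns (mttr, unrecovered_count) where unrecovered = detected but never contained."""
    durations = [(a.recovered - a.detected).total_seconds() / 3600
                 for a in actions if a.detected is not None and a.recovered is not None]
    unrecovered = sum(1 for a in actions if a.detected is not None and a.recovered is None)
    return (sum(durations) / len(durations) if durations else None, unrecovered)


def detection_rate(actions) -> float:
    """Fraction of red-cell actions the blue team detected at all."""
    return sum(1 for a in actions if a.detected is not None) / len(actions) if actions else 0.0


if __name__ == "__main__":
    print("MTTD (h), undetected:", mttd_hours(ACTIONS))
    print("MTTR (h), unrecovered:", mttr_hours(ACTIONS))
    print("detection rate:", detection_rate(ACTIONS))
```

Re-running the same action list on a later exercise and comparing these three numbers is what turns a red-cell engagement into a measurement of the IR team rather than a one-off report.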

Page 21: Secure 360   adversary simulation

Putting it all together – Adversary Simulation

• Emulate realistic threat actors' TTPs
• Assumed breach model
• Model attacker activity to your environment / risk
• Information exchange between red and blue teams*
• Protect Red Team culture
• Repeat in a reasonable amount of time

Page 22: Secure 360   adversary simulation

ADDITIONAL RESOURCES

Books:

Red Team – Micah Zenko

Applied Critical Thinking Handbook – UFMCS

Online:

Microsoft Enterprise Cloud Red Teaming Whitepaper

2015's Red Team Tradecraft / Adversary Simulation – Raphael Mudge

The Pyramid of Pain – David Bianco

Veris Group – Adaptive Threat Division – Will Schroeder and Justin Warner

The Adversary Manifesto – CrowdStrike
