Internal Red Team Operations Framework: Building your organization's Internal Red Team | 20 October 2020.


DEFINITIONS? WE STILL NEED TO DO THIS.


Vulnerability assessment is not Red Teaming.

The below-given write-up is just a PoC, which does not include the actual actions carried out as the part of the engagement.

Penetration testing is also not Red Teaming.

The below-given write-up is just a PoC, which does not include the actual actions carried out as the part of the engagement.

What is red team?


A RED TEAM IS A GROUP OF HIGHLY SKILLED PEOPLE THAT CONTINUOUSLY CHALLENGE THE PLANS, DEFENSIVE MEASURES AND SECURITY CONCEPTS. [Redteams.net]

BUILDING AN INTERNAL RED TEAM.
[ADVERSARY SIMULATION and FULL SCOPE]


5 Phases of Internal Red Team Operations Framework [IRTO-F]

IRTO Phase 1: Crawling.


• Define the practical goals, objectives

• Get the budget approval

• Identify the crown jewels and people

• Rules of engagement (ROE), reporting and other process documentation

• Assistance from the Management and Legal department

• Understand the technologies in use – On premise infra, Cloud, Active Directory, Devices etc

• Understand the security posture of the organization

• Hire the talent – The Red Team

IRTO Phase 2: Get on your feet.


• Red Team external infrastructure (Digital ocean, GCP, AWS)

• Corp. tools, Improvised open source tooling capabilities

• Identifying the business specific risks

• Be friends with your organization’s Blue Team

• Adversary Emulation (Atomic red team, Caldera etc)

• Validate current defense mechanisms with blue team (MITRE)

• Manual campaigns against the organization and employees

• External attack surface discovery and mapping

• Designing a remediation process to address issues

IRTO Phase 3: Start walking.


• Improved Tools, techniques and procedures (TTP’s) based on current security posture

• Identify and eradicate findings 1, 2 - crown jewels and people*

• Evaluation of Incident response process*

• Automated Adversary Emulation

• Automated campaigns

• Targeted APT emulation based on Threat Intel

• Improvised RTO process documentation

IRTO Phase 4: Start running.


• Collaborative and continuous Purple team exercises

• Enterprise tooling capabilities

• Targeted campaigns against the Crown jewels and key people

• Overt physical security assessments

• Continuous awareness programme for employees and key people

• Continuous training process for operators and defenders

• Proactive remediation process and plans

IRTO Phase 5: Time to fly.


• Matured red team operations

• Significant improvement of organizational security posture

• Highly skilled operators

• Well defined Purple team model to measure the progress of Red and Blue team capabilities.

• Covert physical security assessments

• Custom tooling capabilities

• Continuous Adversary simulation to keep the defenders on their toes.

• Continuous RTO with well defined process


Planning: Strategic and tactical.


Originally presented at the DEF CON GROUPS (DCG) VR Village at DEFCON 28 Safemode conference on 7th Aug, 2020.
BSides Delhi virtual conference on October 18, 2020.