Using Red Teaming for Information Assurance

Ion BICA, PhD, CISA
Military Technical Academy

Cyber attacks in the news

Personal level attacks
  Zeus / Zbot
  Torpig / Sinowal
  Conficker / Downup
  Phishing
  Spyware

Organizational level attacks
  HMRC, 2007: 25 million records lost
  Heartland Payment Systems, 2009: 130 million records lost
  Wikileaks / Mastercard, 2010: 13.9 million card details stolen
  RSA breach: 40 million tokens and access compromised
  Sony PlayStation Network: 101.6 million records lost
  UBS (Kweku Adoboli), 2011: $2.3 billion fraud
  Zappos, 2012: 24 million records lost

National level attacks
  Estonia, 2007
  Georgia, 2008
  Operation Aurora, 2009/2010
  Stuxnet, 2010
  Flame, 2012

Cyber Warfare is a reality!

Threat environment

  Increasing sophistication of cyber threats
  Attacks are organized, disciplined, aggressive, and well resourced
  Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with intentions of compromising information systems
  Information technology is our greatest strength and, at the same time, our greatest weakness [NIST]
  Growing cyber threats demand advanced mitigation strategies

The need for proactive security

  "If you know the enemy and know yourself, you need not fear the result of a hundred battles.
  If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
  If you know neither the enemy nor yourself, you will succumb in every battle." (Sun Tzu, The Art of War)

  Proactive / offensive security: simulate attackers' behavior against your own systems
  Reactive / defensive security: system hardening, monitoring, forensics, etc.

  Proactive security provides a certain degree of trust that protection methods have been implemented correctly and that they are effective

What is Red Teaming?

  Military wargaming: Blue Team (USA) vs. Red Team (Soviet Union)
  Opposing force in a simulated military conflict
  Red Teaming is used to reveal weaknesses in military readiness
  The aggressor (red team) is composed of various threat actors, equipment, and techniques that are at least partially unknown to the defenders (blue team)
  The red team challenges the defenders by playing the role of a thinking enemy
  Understand the adversary's capabilities and potential actions

Red Teaming domains

  Military: when soldiers address and anticipate enemy courses of action
  Forensics: when detectives attempt to get inside a criminal's mind
  Corporate: when businesses simulate competition in the case of a new plan or initiative
  Computer security: when professionals test and penetrate client communication and information systems

  The friendly side (blue team) attempts to view a problem through the eyes of an adversary or competitor (red team)

Red Teaming from the cyber security perspective

  Red Teaming is a process designed to detect vulnerabilities by taking an attacker-like approach
  Authorized, adversary-based assessment for defensive purposes
    authorized means that someone with legal control of the facility, system, or entity to be red teamed has agreed to the process
    adversary-based means that the activity takes into account the adversary's knowledge, skills, commitment, resources, and culture
    assessment means one is making a judgment, possibly a comparison, of the state of the target with respect to actions by the adversary
    defensive purposes refers to the ethical approach of the assessment

Red Teaming functions

  Understand adversaries and the threat environment
    Gather relevant data to identify trends and the most pressing vulnerabilities
  Anticipate enemy courses of action and avoid surprise
    Alternative analysis for security risk evaluation to improve decision making
  Assess the effectiveness of the existing security measures and demonstrate the possible impact of cyber attacks
    Enhanced form of penetration testing (highly specialized tools, custom scripts, etc.)
  Improve the cyber security staff's ability to detect and respond to cyber attacks
    Cyber Defense Exercises (CDX)

Red Teaming functions (cont.)

Red Teaming in practice

  Sandia National Laboratories
    Information Design Assurance Red Team (IDART)
    http://www.idart.sandia.gov/
  US Department of Homeland Security
    DHS Red Team
    Evaluate security of federal networks
  NATO NC3A
    Cyber Red Team (CRT)

Conclusions

  Red Teaming is a process that models and simulates adversary actions
  Red Teaming requires highly skilled specialists
  Red Teaming provides a more realistic picture of the security readiness of an organization than other methods (e.g. penetration testing)
  Red Teaming may contribute to achieving the objectives of a national strategy for cyber security