Metadata
Abstract
Historically, most of my posts have been technical in nature (and can be found on the MDSec blog — normal service will resume shortly)…
Tags and Collections
- Keywords: 05 Finished; Red Teaming
Comments
Annotations
Notes
See: red teaming
So what is a red team?
- “cyber resilience” simulation frameworks: threat intelligence-driven (TI)
- CBEST
- TIBER-NL
- TIBER-EU
- TI defines a couple of scenarios in which an adversary may attack an organization.
- Common TTP used across scenarios: spear phishing, compromise through cloud infra, insider threats, physical access.
- Engagement has objectives specific to the organization. The red team’s goal is the complete the objectives while remaining undetected.
- Gaining domain admin is usually not a part of the objectives. In fact, privesc might get detected.
- Minimal intra-organization knowledge about the engagement.
- If red team gets stuck gaining a foothold, the organization can give them an artificial one.
- benefits
- A red team engagement simulates a real, organized attack and tests the security of the organization’s assets. A successful engagement should reveal failure points in the organization’s computer system.
- A red team engagement also reveals the overall security posture of the organization—think not just raw vulnerabilities, but intrusion detection/prevent, incident response, etc. If the organization still has not detected the red team at the end of an engagement, then the red team can consider acting more noisily until they become discovered in order to gauge how oblivious the organization is.