RED TEAMING - PowerPoint PPT Presentation

About This Presentation
Title:

RED TEAMING


Slides: 22
Provided by: charles

Transcript and Presenter's Notes



1
RED TEAMING
  • Critical to the Defense of the Information Environment

Danny Walker, Principal Network Security Engineer
Smartronix, Inc.
dwalker_at_smartronix.com
2
Overview
  • Information Environment
  • Red Teaming
  • Definition
  • Breakout of definition
  • Misconceptions
  • Growth of Information Environment

3
Information Environment
  • Three interrelated dimensions
    • Physical
      • Where information environment overlays the
        physical world
    • Informational
      • How information is processed, stored and
        displayed
    • Cognitive
      • Where humans think, perceive, visualize and decide

4
Red Teaming
  • Interdisciplinary group of individuals
    authorized to conduct an independent and focused
    threat-based effort as a simulated adversary to
    expose and exploit system vulnerabilities for the
    purpose of improving the security posture of
    information systems
  • (Source: National Information Assurance
    Glossary, p. 50)

5
Interdisciplinary Group
  • Individuals from a variety of backgrounds
  • Technical expertise
  • Attack techniques
  • Subject matter experts on possible target systems

6
Authorized to Conduct
  • Requires a charter
  • Develop reporting relationships
  • Authorization from the top level of the
    organization

7
Independent
  • Requires high-level organization sponsorship
  • To keep from being marginalized
  • Captured by the organization bureaucracy
  • Needs team accountability
  • To maintain the integrity of the process
  • Need to be able to prove what was done
  • When asked, know what was not done
  • Requires objectivity
  • Need an unbiased perspective

8
Threat-based Effort
  • Attacks based on realistic threats
  • Existing or anticipated
  • Simulated attacks differ based on adversary
  • Adversaries have developed Information Operations
    capability

9
Simulated Adversary
  • Act as the adversary would
  • Use their tactics to achieve objectives
  • Rules are to be broken
  • Could include policies, procedures or laws
  • Subject to the Rules of Engagement
  • Adversary Modeling
  • Evaluates abilities, resources, motivations and
    constraints

10
Adversary Modeling I
  • Abilities
  • Operators' skill level
  • Technology
  • Attacks
  • Team Depth and Breadth
  • Resources
  • Technologies available
  • Financial backing

11
Adversary Modeling II
  • Motivations
  • Willingness to do what it takes
  • Using criminal or terrorist tactics
  • Constraints
  • Limitations of adversary
  • Attribution aversion: keeping identity unknown
  • Discovery aversion: keeping presence unknown
  • Objective Timeline

12
Expose and Exploit Vulnerabilities
  • Assessment of the interrelations of the
    information environment dimensions
  • Failure in one could impact others
  • Real-world look at our current Information
    Assurance practices
  • Assessment of our Defensive Information
    Operations Readiness

13
Improving the Security Posture
  • Most important component
  • Reporting of findings
  • Brief covering immediate concerns
  • Final Report with targeted areas
  • Expectation management
  • Assessment of Red Team performance

14
Misconceptions
  • Types of security testing that are sometimes confused with
    Red Teaming
    • Security Audit
    • Vulnerability Assessment
    • Risk Assessment
    • Penetration Testing
  • Each is vital, but they serve a different purpose

15
Security Audit
  • Adherence to existing standards, policies and
    controls
  • Red Teaming
    • Does not address standards or policies
    • Results typically used to develop new standards
      and policies

16
Vulnerability Assessment
  • Uses automated scanning tools
  • Systematically scans for known vulnerabilities
  • Red Teaming
    • Focuses on achieving adversary objective
    • Shows operational impact of found vulnerabilities

17
Risk Assessment
  • Comprehensive assessment
  • Considers probability and ranking of every known
    attack vector
  • Red Teaming
    • Focuses on finding significant attack vectors
      that show operational impact

18
Penetration Testing
  • Attempts to circumvent the security features of a
    given system or network
  • Red Teaming
    • Focuses on the entire Information Environment and
      adversary objectives
    • Uses similar methodology and tactics for system
      exploitation

19
Growth of Information Environment
  • Information Age
  • Increased reliance on computers, networks and
    interconnected systems
  • Economy and national security dependent on
    information environment
  • Department of Defense support of Net Centric
    Warfare will focus efforts on Net Centric
    Operations

20
Red Teaming
  • Crucial in assessing current state of information
    environment
  • Provide vital real-world training to Defensive
    Information Operations Readiness
  • Identify holes within Information Assurance
    security posture that are not detected with any
    other type of testing

21
Questions