Presented at the DEFCON27 Red Team Offensive Village on 8/10/19. From the dawn of technology, adversaries have been present. They have ranged from criminal actors and curious children to - more modernly - nation states and organized crime. As an industry, we started to see value in emulating bad actors and thus the penetration test was born. As time passes, these engagements become less about assessing the true security of the target organization and more about emulating other penetration testers. Furthermore, these tests have evolved into a compliance staple that results in little improvement and increasingly worse emulation of bad actors. In this presentation, we will provide a framework complementary to the Penetration Testing Execution Standard (PTES). This complementary work, the Red Team Framework (RTF), focuses on the objectives and scoping of adversarial emulation with increased focus on the perspective of the business, their threat models, and business models. The RTF borrows part of the PTES, adding emphasis on detection capabilities as well as purple team engagements. We believe this approach will better assist organizations and their defensive assets in understanding threats and building relevant detections.

1. Red Team Framework
Adrian Sanabria
Joe Gray

2. About Adrian
Defender - 9 years
Financial Services
Consultant - 5 years
Pen Testing, PCI
Industry Analyst - 4 years
451 Research
Research, Vendor Strategy - 2 years
Savage Security, Threatcare, NopSec,
Thinkst
@sawaba

3. • Senior Security Architect
• 2017 DerbyCon Social Engineering Capture the Flag (SECTF) winner
• On 3rd Place Team at 2018 & 2019 NOLACon OSINT CTF (Password Inspection Agency)
• On 2nd Place Team at 2019 BSides OSINT CTF (Password Inspection Agency)
• Served in the US Navy, Navigating Submarines
• CISSP-ISSMP, GSNA, GCIH, OSWP
• Forbes Contributor
• Currently Authoring Social Engineering and OSINT Book, Securing the Human Element with No
Starch Press
• Maintained blog and podcast at https://advancedpersistentsecurity.net
• Just started offering OSINT training (OSINTion; formerly OSINT Associates)
About Joe

4. Why Create a New Framework?
What do these words mean to you?
Red Team
Purple Team
Pen Testing
Vuln Assessment
WebApp Assessment

5. What’s wrong with pen testing/red teaming?
● The design is flawed and can’t fulfill expectations
○ Not an indicator of an organization’s risk
○ Doesn’t simulate adversaries
○ Tries to prove/disprove a persistent negative
● The execution is inefficient; lots of room for improvement
○ Consulting industry ‘cash cow’ – why change?
○ Lack of automation; process improvement; feedback loops
○ Better alternatives are sold as ‘advanced’, to more mature orgs
● It isn’t what clients need to improve

6. Pen Test vs Red Team Engagement
Pen Test
• Pwnage based
• Largely for compliance
• Incorrectly helps management
sleep better (digital melatonin)
Red Team
• Objective based
• Emulates a specific actor or TTP
• Seeks to measure various
metrics that actually matter
(Penetration capability,
detection, etc)

7. Myth #1
Penetration tests are accurate measurements of an
organization’s security

8. Myth #2
Penetration testing emulates adversarial behavior

9. Myth #3
Penetration tests serve no purpose in a mature
organization’s environment

10. Myth #4
Penetration testing is synonymous with red teaming

11. Myth #5
Black box testing is the most comprehensive method
of applied security testing

12. Red Teaming Process
Scoping
ID the
Threat
Model
Baseline
Security
Rescoping Learning
Execution Measurement Debriefing Retesting
Purple
Team

13. Scoping
• Define the objective(s)
• Define success
• Scope the following:
• Time
• Money
• Number of systems
• Rules of Engagement
• IOCs/TTPs to utilize

14. Identification of Threat Model
• Based on several variables
• Client base
• Geographic Location
• Line of business
• Government affiliations
• Sector/Industry

15. Baseline Security Model
• Are you tall enough to ride the proverbial ride?
• Frameworks like Centre for Internet Security Critical Security
Controls
• Minimum of the Top 5
• Vulnerability Management
• Previous Testing
• DFIR/Monitoring Capabilities?
• NIST SP 800-53

16. Rescoping
• Refine the objective(s)
• Focus the scope the following:
• Time (time frame and allocated hours to complete)
• Money
• Refine Number of systems (likely a lower number than in scoping)
• Rules of Engagement
• Social Engineering, Web, Exploit Development
• IOCs/TTPs to utilize
• Potentially solicit input from an ISAC

17. Learning
• “Simulated Dwell Time”
• Access to and/or data from:
• SEIM
• Previous Reports
• PCAPs, Netflow, other monitoring tools
• Diagrams
• Configurations
• Interviews

18. Execution
• Reference technical frameworks:
• Pen Test Execution Standard
• Social Engineering Framework
• Mitre ATT&CK

19. Measurement
• I see you, do you see me?
• Data points:
• Time to detect
• Quality of report
• Accuracy of the report
• Actions taken
• Efficacy of actions taken

20. Debriefing
• Presentation including:
• TTPs
• Findings
• Statistics from Measurement Phase
• Recommended Actions
• Qualitative Score

21. Retesting
• Allow the organization to retrain, adjust, and retry

22. Purple Teaming
• Similar to retesting, but the adversary is in the room/in
communication with the defensive team
• Allows the adversaries to allow detection attempts or announce actions to
teach detections
• More efficient that turning the noise up or Thunderstrucking or Rick Rolling

23. Supporting Frameworks
● Pen Test Execution Standard
○ http://www.pentest-standard.org/index.php/Main_Page
● Social Engineering Framework
○ https://www.social-engineer.org/framework/general-discussion/
● Mitre ATT&CK
○ https://attack.mitre.org/
● NIST SP 800-115 (Technical Guide to Information Security Testing
and Assessment)
○ https://csrc.nist.gov/publications/detail/sp/800-115/final
● More here:
https://www.owasp.org/index.php/Penetration_testing_methodologies#Technical_Guide_to_Information_Security_Testing_and_Asses
sment_.28NIST800-115.29

24. Joe’s Upcoming Speaking Engagements
• 9/26-27: DefendCon (Seattle)
• 10/10-11: HackerHalted (Atlanta, GA)
• 10/22: Wild West Hackin Fest

25. Adrian’s Upcoming Speaking Engagements
Virus Bulletin 2019 in London: Closing Keynote with
Haroon Meer

26. Upcoming OSINT Training Opportunities
• In-Person
•All with details TBD (unless otherwise noted):
• Louisville (around the time of DerbyCon
• Atlanta (around the time of HackerHalted)
• Maybe Dallas, Philadelphia, and Boston in 2019
•Online:
• More upcoming, watch Twitter and LinkedIn

27. Hacker Halted 2019
• October 10-11
• Atlanta, GA USA
• Free Admission
• Coupon Code: Joe100
or https://hackerhalted2019.eventbrite.com?discount=Joe100
• Discount on Training
• Coupon Code: JJHHTRN (15% off training)
• Register at: - https://hackerhalted2019.eventbrite.com

28. Recon-ng Training
• August 29
• 6-8 PM (Eastern Time)
• Coupon Code: 13BSIDESLV37
• August 31
• 1-3 PM (Eastern Time)
• Coupon Code: 13BSIDESLV37
• Register for either here:
• https://bit.ly/2YVqyJu

29. Questions?

30. Contacting Us
• Contacting Adrian:
• @sawaba
• Contacting Joe:
• @C_3PJoe | @advpersistsec | @hackingglass
• @TheOSINTion |@valhallainfos3c
• Facebook.com/theOSINTion
• LinkedIn.com/in/JoeGrayInfosec