Red Teaming (with Joe Vest & James Tubberville)

Jan 24, 2017

ADVANCED PERSISTENT SECURITY PODCAST

EPISODE 34

GUEST:Joe Vest & James Tubberville

January 23, 2017

If you enjoy this podcast, be sure to give us a 5 Star Review and “Love Us” on iTunes; Like us on Google Play, Stitcher, Sound Cloud, Spreaker, Blubrry, and YouTube.
NOTE: The opinions expressed in this podcast are ours alone and do not reflect those of our employers

RED TEAMING (WITH JOE VEST & JAMES TUBBERVILLE)

SHOW NOTES

PART 1

Joe introduces Joe and James. Joe Vest tells us about his background in journey to Information Security and Penetration Testing. He explains that he and James were Red Teaming together then founded Minis with James. James echoes Joe’s sentiments and path. Mr. Vest tells us about how he had to break things as a system administrator to better understand how to secure them. He also tells us how to break into information security via system or network administration. Joe Gray tells us his advice to people trying to get into security. Mr. Vest talks about being passionate about technology which leads to a discussion about enthusiasm versus knowledge and experience.

We talk about the relationship between offense and defense; red and blue. We then transition into a discussion about FamilyTreeNow.com for the current event. It is discussed as an OSINT Playground. Mr. vest talks about “getting personal” when collecting data about targets. James talks about verifying relationships and build a smart password list and profile/dossier on targets. Joe Gray talks about his new FamilyTreeNow phishing proof of concept and the psychology behind making it work. We talk about the burden being on the user and best practices for creating awareness programs.

PART 2

We kick this segment with Mr. Vest discussing what types of penetration testing are used. Mr. Vest talks about the inverse triangle to the left that describes the focus in security assessment and testing. He talks about the realization of vulnerabilities in scope as the triangle narrows. Red Teaming is focused on specific scenarios and goals of which are called “Operational Impacts.” These are what makes organizations tick. Essentially, where can the organization be exploited to a point to cause catastrophic outcome for the organization. Think the worst case scenario for an organization.

This allows organizations to see what capabilities threat actors possess while measuring their security controls, defensive controls and procedures, and exercise their detection and response. Red Teaming is not specifically penetration testing on steroids. Red Teaming is more focused on meeting an objective to enable the organization to assess and measure their security posture and operations. Everything is goal driven. Mr. Vest talks about white carding and the assumed breach model. James talks about the correlation with penetration testing.

We discuss the maturity requirements for penetration testing and compare it to the maturity required for Red Teaming. Mr. Vest talks about providing value to an organization through engagement via red teaming psychology and goals. James clarifies that Blue Team is more than just traditional security defenders and includes Help Desk, System Admins, Networks, and BCP/DRP. Mr. Vest correlates Vulnerability Assessment and Penetration Testing to good security hygiene.

PART 3

James and Joe give us a war story about an engagement that dealt with an external access objective and an operational impact objective. The client CIO asked for a phishing campaign to demonstrate access. James and Joe noted that the client had sensitive files on a network that was not explicitly segregated as thought so. The impacts that dealt with detection and determining compromise and resiliency were implemented.

While ramping up presence (to attempt to be detected), the team quickly realized that they needed to make more noise to gain the attention of the blue team. They deployed EICAR, images, and audio bytes to get noticed. The blue team noticed this and made an announcement for all personnel to stop using network assets, causing a near 6 hour interruption. The blue team started pulling cables after they realized that a reboot did not work. The sound byte was selected from the Non-Rick Roll song below:

ABOUT Joe

Joe Vest has worked in the information technology industry for over 17 years with a focus on red teaming, penetration testing and application security. As a former technical lead for a DoD red team, he has extensive knowledge of cyber threats and their tools, tactics and techniques, including threat emulation and threat detection. Joe is the co-founder of MINIS LLC, providing innovative solutions for the mitigation against an ever-changing cyber threat. He is the technical editor for the book Red Team Field Manual (RTFM) and holds numerous security certifications. OSCP, CISSP-ISSMP, CISA, GPEN, GCIH, GWAPT, CEH

CONTACTING Joe:

Twitter: @JoeVest

ABOUT James

James’ Biography is coming soon.

CONTACTING James:

ABOUT Minis

Minis Website

Find Minis Github

Minis on LinkedIn

Find Minis on Twitter

Minis ThreatExchange Blog

joe and james’ SANS Course

Security 564: Red Team Operations and Threat Emulation

Thanks for stopping by and checking out our podcast. We would appreciate if you could subscribe (assuming you like what you hear; we think you will). This is meant to be informative and to provide value to anyone who listens – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.

Enter your email address:

Delivered by FeedBurner