1 Joe Vest, James Tubberville Red Team Development and Operations


Questions to consider regarding Red Team scoping:

1) Could your Red Team perform these actions?
   If not, consider your team's ability to emulate these actions, and possibly enhance it with training or internal development.
2) Do you have access to zero-days? If not, how would you emulate this sort of attack?
   Many teams do not have zero-days or time allocated to develop them. Consider using white-carded scenarios to emulate these types of attacks.
3) This attack took six weeks+ hours and a single person to complete. This is a great metric for scope duration. Could your team do the same?
   Does your team have the necessary skills, knowledge, abilities, tools, TTPs, etc. to perform within the same timeframe? Consider adjusting your timeline and hour allocation to accommodate your team's capabilities.
4) Would you scope an engagement with the same staff and time parameters?
   Teams should not operate alone. No matter what issue a team has with staffing or budget, an engagement should have at least twice this staffing. As for time, six weeks may be longer than possible. If so, consider what is in or out of scope. Consider using the assumed breach model to utilize resources efficiently.


Threat Perspective
As briefly mentioned earlier, a threat's perspective is the threat's initial point of view. This perspective is used to build and shape a threat profile or scenario. A threat's perspective may be that of an outsider, nearsider, or insider.
Outsider
An entity that has no legitimate access to specific software, systems, and networks. An outsider is anyone outside an organization.
An example would be a competitor's employee who would not have authorized physical or digital access to any systems, networks, software, or hardware.
Nearsider
An entity that has no legitimate access to specific software, systems, and networks but may have physical access to buildings and equipment, or access to systems that integrate with target assets.
An example would be janitorial staff. They would not likely have authorized digital access to any systems or networks, but may have physical access to buildings, communication facilities, systems, networks, etc.
Insider
An entity that has legitimate access to specific software, systems, and networks and has physical access to buildings and equipment.
An example of a malicious insider is a rogue system administrator who has authorized, privileged access and willingly removes information from target assets or modifies target assets to cause failure.
An example of a non-malicious insider is an employee on the sales staff who has authorized access to the systems, networks, software, and hardware required to perform sales. The individual may be an unknowing target during initial access.
There are several methods used to gain access to a target system. Initial access is debated too often during Red Team planning. Using a diagram like the one below during planning can help you decide on a starting point based on goals. Each dot represents a potential starting point, and the type of access needed at each point is different. Build this into the Red Team plan. The process of deciding the threat perspective is fundamental; the scenario and engagement goals drive this decision. For example, suppose the goals of an engagement include measuring the ability of security operations to identify and respond to a threat moving through the company's network. The effective use of resources would be to start the engagement somewhere inside this network. Forcing a team to establish access from outside the network could waste the limited engagement time on steps that do not directly support engagement goals.
