Incorporating Cyber Threat Intelligence into Security Assessment Programs

Incorporating Cyber Threat Intelligence - SANS, 2/2/2015



Security Assessment Team (SAT)

SAT Red – “Simulating Threats”

SAT Blue – “Identifying Vulnerabilities”

Identifying what works and what needs working on with respect to preventing, detecting, and responding to cyber threats

Tumble, Twiddle, Spin & Roll the Black Hat

• Tumble – Terminology: what’s in a word?

• Twiddle – Threats: vulnerable, moi?

• Spin – CTI: how to use your intelligence?

• Roll – Reports: show’em the light!

Doggy Bag – “Um, I’ll take those thoughts to go, please.”

Tumble the Black Hat

The Buzzwords?

• Red Teaming

• Pentesting: Black Box, Grey Box, White Box, Purple Box, Pink Box… Fluorescent Box (80s), Tie-dye Box (70s)

• Tandem Pentest

• Blind Pentest, Double-Blind

• Crystal Box Pentesting

• Ethical Hacking

“I don’t think that word means what you think it means.”

Tumbling the Black Hat

• Blue Teaming

• Security Assessment

• Vulnerability Assessment

• Security Scan

• Security Testing

RED: Simulating Threats

BLUE: Finding Vulnerabilities

“What works. What needs working on.”

Tumbling the Black Hat

Builders vs. Breakers – Beyond the Security Auditor’s Perspective

• System boundaries – well-defined, political, arbitrary
  Threats just look for vulnerabilities and exploit them

• Identify ‘failures’ – scripted, criteria open to interpretation
  Threats just look for vulnerabilities and exploit them

• Technical generalists – they ‘scan,’ heavily restricted
  Threats are diverse and… they just look for vulnerabilities and exploit them

• Fancy graphs, bucket lists, detailed matrices about your state of risk
  Threats found vulnerabilities and exploited them

Twiddle the Black Hat

Vulnerable, moi?

Twiddling the Black Hat

Cyber Threat Intelligence – get to know the bad guys and gals

• Who are the threats?

• What are their motivations?

• What are their objectives?

• What tools & techniques do they use?

Vulnerable, moi?

Twiddling the Black Hat

Get to know yourself

• The “big picture”

• Business risks: financial, regulatory, market…

• Technology & mission

• What is on your networks?

Use your CTI collection Kung Fu to

Hacking at the speed of light

A vulnerability isn’t a vulnerability isn’t a vulnerability

Spin the Black Hat

Using your cyber threat intelligence

Spin the Black Hat

Approaching Blue/Red Team Security Assessments from a threat’s perspective

• Priorities/Objectives – Driven by what matters; effective use of resources

• Scope – Driven by the threat perspective, not politics, personalities, or auditors

• Duration – Take the time it takes to do good work; no “scans,” no one-day pentests

• Frequency – Continuous blue/red assessments; once a year is not good enough

Spin the Black Hat

Approaching Blue/Red Team Security Assessments from a threat’s perspective (continued)

• Test Points – Blue: everything / Red: what the threats would go after

• Information – Use your access, be comprehensive; Blue: everything / Red: everything

• Rules of Engagement – No politics, personalities, or p…p…auditors; realistic, use creativity; not so constraining that the assessment stops being useful

• People – Teams of security professionals; security professionals are not one size fits all
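The deck says to let CTI, not politics or auditors, drive priorities and scope, and that the same vulnerability matters differently depending on who would exploit it and where it sits. The following Python sketch is an added example, not code from the SANS deck: it joins a constructed CTI picture (invented actors, their objectives and TTPs, a likelihood estimate) with a constructed picture of the organisation (invented assets, the mission each supports, the weaknesses each currently exposes) and produces a blue-team fix order and red-team scenarios. The scoring rule (criticality times likelihood, doubled when the asset holds what the actor wants) is an assumption chosen for illustration; any program would tune its own weights.

```python
"""Threat-informed ranking of assessment scope.

Added example, not part of the SANS deck. It joins a constructed CTI
picture (who the threats are, what they want, which TTPs they use) with a
constructed picture of "yourself" (assets, the mission each supports, the
weaknesses each exposes today) and ranks the work so the red team emulates
the threats that matter and the blue team fixes the exposures those threats
would actually use. Every actor, asset and TTP name here is invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatActor:
    name: str
    motivation: str
    objectives: frozenset   # what the actor is after, named by asset mission
    ttps: frozenset         # techniques the actor is known to use
    likelihood: float       # 0..1: how likely this actor targets us at all


@dataclass(frozen=True)
class Asset:
    name: str
    mission: str            # business function the asset supports
    criticality: int        # 1..5: impact to that mission if compromised
    exposures: frozenset    # weaknesses present today, named by the TTP that abuses them


# Constructed CTI: hypothetical actors, not real groups.
ACTORS = [
    ThreatActor("Cardshark", "financial", frozenset({"payment data"}),
                frozenset({"phishing", "web app injection", "credential reuse"}), 0.8),
    ThreatActor("Quietfox", "espionage", frozenset({"engineering data"}),
                frozenset({"phishing", "vpn exploit", "lateral movement"}), 0.4),
]

# Constructed self-knowledge: hypothetical assets and current blue-team findings.
ASSETS = [
    Asset("payment-gateway", "payment data", 5, frozenset({"web app injection", "weak tls"})),
    Asset("cad-fileserver", "engineering data", 4, frozenset({"lateral movement", "unpatched smb"})),
    Asset("marketing-site", "marketing", 1, frozenset({"web app injection"})),
    Asset("vpn-concentrator", "remote access", 3, frozenset({"vpn exploit"})),
]


def rank_exposures(assets=ASSETS, actors=ACTORS):
    """Rank every (asset, exposure) pair by a threat-informed score.

    score = criticality * sum over actors whose TTPs abuse the exposure of
            likelihood * (2 if the asset holds what that actor wants, else 1)

    The same weakness therefore scores differently on different assets, and a
    weakness no known threat uses scores 0 (still a finding, just not first).
    Returns a list of (score, asset, exposure, [actors]) sorted high to low.
    """
    ranked = []
    for asset in assets:
        for exposure in sorted(asset.exposures):
            score, used_by = 0.0, []
            for actor in actors:
                if exposure in actor.ttps:
                    weight = 2 if asset.mission in actor.objectives else 1
                    score += actor.likelihood * weight
                    used_by.append(actor.name)
            ranked.append((round(asset.criticality * score, 2), asset.name, exposure, sorted(used_by)))
    return sorted(ranked, key=lambda r: (-r[0], r[1], r[2]))


def red_team_scenarios(assets=ASSETS, actors=ACTORS):
    """One scenario per actor, most likely first: which assets they would go
    after (matched by mission) and which of their TTPs the red team should emulate."""
    scenarios = []
    for actor in sorted(actors, key=lambda a: (-a.likelihood, a.name)):
        targets = sorted(a.name for a in assets if a.mission in actor.objectives)
        scenarios.append({"actor": actor.name, "targets": targets, "emulate": sorted(actor.ttps)})
    return scenarios


if __name__ == "__main__":
    print("Blue team: fix in this order")
    for score, asset, exposure, used_by in rank_exposures():
        print(f"  {score:5.1f}  {asset:<16} {exposure:<18} used by {used_by or 'no known threat'}")
    print("Red team: scenarios to run")
    for s in red_team_scenarios():
        print(f"  {s['actor']}: targets {s['targets']} via {s['emulate']}")
```

Running it puts "web app injection" on the payment gateway at the top (8.0) and the identical weakness on the marketing site near the bottom (0.8), which is the point of "a vulnerability isn't a vulnerability isn't a vulnerability": the finding is the same, the threat-informed priority is not.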

Roll the Black Hat

Show’em the light!

Roll the Black Hat

A Few Ideas

The REPORT…is EVERYTHING. Don’t just hack around for the fun of it. It’s irresponsible.

Blue Team Reports

• Real world examples

• Language your customers understand

• Provide context – impact to mission

Red Team Reports

• It is not about you!

• Details - what did not work? Why?

• Identify real problems, provide real solutions

• Don’t forget DETECTION and INCIDENT RESPONSE
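The red-team report bullets above ask for detail on what did not work and why, and insist that detection and incident response be scored alongside prevention. The following Python scorecard is an added example, not code from the SANS deck: it records, for each TTP a red team ran, whether a control blocked it, whether an alert fired, and whether the response contained it, then turns that into "what worked / what needs working on" lines. The trial rows are constructed; the one design choice worth noting is that a technique that was blocked but raised no alert is reported as a gap, since a silent block tells the defenders nothing about who was knocking.

```python
"""Prevent / detect / respond scorecard for a red team exercise.

Added example, not part of the SANS deck. For every TTP the red team ran it
records whether a control stopped it, whether the defenders saw it, and
whether the response contained it, then turns that into the "what worked,
what needs working on" lines the report needs, covering all three outcomes
rather than just "we got in". The trial rows are constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Trial:
    ttp: str
    target: str
    prevented: bool                 # a control blocked the technique
    detected: bool                  # an alert fired (should be True even when blocked)
    contained: Optional[bool]       # response stopped it; None = not applicable (blocked)
    minutes_to_alert: Optional[int]
    minutes_to_contain: Optional[int]


# Constructed results from a hypothetical exercise.
TRIALS = [
    Trial("phishing", "finance-users", False, True, True, 15, 120),
    Trial("credential reuse", "vpn-concentrator", False, False, None, None, None),
    Trial("web app injection", "payment-gateway", True, True, None, 2, None),
    Trial("lateral movement", "cad-fileserver", False, True, False, 240, None),
    Trial("data staging", "cad-fileserver", True, False, None, None, None),
]


def classify(t):
    """One report line per trial. A silently blocked attempt is still a gap:
    the control worked, but nobody would have known an attacker was there."""
    if t.prevented and t.detected:
        return "worked: prevented and alerted"
    if t.prevented:
        return "needs work: prevented but no alert (blocked silently)"
    if not t.detected:
        return "needs work: undetected, so no response was possible"
    if not t.contained:
        return "needs work: detected but not contained"
    return "worked: detected and contained"


def scorecard(trials=TRIALS):
    """Summarise prevention, detection and response for the whole exercise."""
    alert_times = [t.minutes_to_alert for t in trials if t.detected]
    contain_times = [t.minutes_to_contain for t in trials if t.contained]
    return {
        "trials": len(trials),
        "prevented": sum(t.prevented for t in trials),
        "detected": sum(t.detected for t in trials),
        "contained": sum(bool(t.contained) for t in trials),
        "median_minutes_to_alert": median(alert_times) if alert_times else None,
        "median_minutes_to_contain": median(contain_times) if contain_times else None,
        "needs_work": [(t.ttp, t.target, classify(t)) for t in trials
                       if classify(t).startswith("needs work")],
    }


if __name__ == "__main__":
    for t in TRIALS:
        print(f"{t.ttp:<18} {t.target:<18} {classify(t)}")
    print(scorecard())
```

On the constructed rows the exercise prevented two of five techniques, detected three and contained one, with a median of 15 minutes to first alert; the three "needs work" lines (an undetected credential reuse, a detected but uncontained lateral movement, and a silently blocked data staging) are the material the report owes the defenders.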

Roll the Black Hat

The Many Ways to Disseminate Information

• Road show

• Tailored presentations – ‘techies,’ ‘security,’ ‘management’

• Demo TTPs – “hacker series”

Use your intelligence, use your results, and use your creativity

The Doggy Bag

Some thoughts to take home

1. Assess from a threat perspective – Builders vs. Breakers

2. Continuously discover “what works, what does not work, and what needs working on”

3. Assess prevention, detection, and response – all three!

4. Understand the threats, understand your business, and provide real solutions to real problems

5. Influence vs. dictate change

6. Free your people – let them be creative

The End