WEBVTT 1 00:00:00.040 --> 00:00:03.200 Welcome back everyone to the deep Dive. This time we're 2 00:00:03.240 --> 00:00:07.200 taking a close look at Johann Raeberger's book Cybersecurity Attacks, 3 00:00:07.280 --> 00:00:08.960 Red Team Strategies, a. 4 00:00:08.960 --> 00:00:11.240 Really practical guide for anyone who wants to know about 5 00:00:11.279 --> 00:00:15.119 penetration testing and you know, really building a strong security program. 6 00:00:15.160 --> 00:00:17.519 Definitely. It kind of feels like a masterclass in proactive 7 00:00:17.559 --> 00:00:21.120 security almost. Yeah, definitely, showing us how to think like 8 00:00:21.199 --> 00:00:24.000 the attackers would, so we can build, you know, a 9 00:00:24.039 --> 00:00:25.920 really strong security program exactly. 10 00:00:25.960 --> 00:00:28.399 And it's all about being prepared and like you said, 11 00:00:28.519 --> 00:00:32.520 thinking like an attacker, finding those vulnerabilities, but before the bad. 12 00:00:32.320 --> 00:00:35.159 Guys do before the bad guys exactly. And it's packed 13 00:00:35.159 --> 00:00:38.719 with so many like real world examples and practical advice. 14 00:00:38.840 --> 00:00:39.799 It's not just theory. 15 00:00:40.000 --> 00:00:42.000 Yeah, yeah, absolutely, So let's start. 16 00:00:41.880 --> 00:00:44.399 The very beginning. Sure, what is red teaming? What's the 17 00:00:44.439 --> 00:00:46.799 core idea behind this in cybersecurity? 18 00:00:46.960 --> 00:00:47.320 Okay? 19 00:00:47.399 --> 00:00:49.439 So, and how would you explain it? 20 00:00:49.600 --> 00:00:51.159 I think the easiest way to think about it is, 21 00:00:51.799 --> 00:00:56.359 you're basically assembling a team of ethical hackers, okay, whose 22 00:00:56.520 --> 00:01:00.719 entire mission is to mimic real world attacks, but from 23 00:01:00.759 --> 00:01:03.679 the good side. So they're probing your defenses, your tech, 24 00:01:04.120 --> 00:01:07.560 your processes, even like physical security sometimes like a real 25 00:01:07.560 --> 00:01:08.640 attacker would Wow. 26 00:01:08.719 --> 00:01:10.519 So it's really like taking that stressed us to the 27 00:01:10.560 --> 00:01:12.560 next level for your entire security setup. 28 00:01:13.120 --> 00:01:14.400 Yeah, that's a great way to put it. 29 00:01:14.439 --> 00:01:17.079 Okay, So that kind of begs the question, then, how 30 00:01:17.159 --> 00:01:19.920 is this different from something like penetration testing, which we've 31 00:01:19.920 --> 00:01:20.439 all heard of? 32 00:01:20.680 --> 00:01:23.599 Right? So, pin testing is generally more focused. You know, 33 00:01:23.640 --> 00:01:27.159 you're zeroing in on a specific system, a specific app 34 00:01:27.519 --> 00:01:30.959 to find as weaknesses. Red teaming is more I guess 35 00:01:31.000 --> 00:01:34.599 you could say holistic. It's examining how your entire organization 36 00:01:34.760 --> 00:01:37.439 responds to a more full blown attack. 37 00:01:37.599 --> 00:01:39.840 Oh so it's really looking at it from the perspective 38 00:01:39.920 --> 00:01:42.760 of not just are there bugs in the software, but 39 00:01:42.879 --> 00:01:46.400 how would a human being actually try to get in 40 00:01:46.439 --> 00:01:48.599 and exploit those? And then what would happen next. 41 00:01:48.680 --> 00:01:51.120 Yeah, it's not just about finding like a software bug, 42 00:01:51.159 --> 00:01:55.040 it's about how your company reacts when you know things 43 00:01:55.079 --> 00:01:55.599 go south. 44 00:01:55.799 --> 00:01:58.560 It's about their reflexes exactly to security breaches. 45 00:01:58.840 --> 00:02:01.400 Yeah, and to really test those reflexes, you need a 46 00:02:01.439 --> 00:02:02.640 dedicated red team, right. 47 00:02:02.879 --> 00:02:05.519 Okay, But before you even think about who's on the team, 48 00:02:05.959 --> 00:02:08.159 you need to convince the people up top totally. 49 00:02:08.560 --> 00:02:11.280 Yeah, leadership in is absolutely. 50 00:02:11.039 --> 00:02:13.280 Critical, Like how do you even begin to get them 51 00:02:13.319 --> 00:02:13.840 on board? 52 00:02:14.039 --> 00:02:16.759 Data? Data is your best friend here? Oh good, show 53 00:02:16.800 --> 00:02:19.080 them those scary data breach numbers, like how much they cost? 54 00:02:19.159 --> 00:02:20.680 Oh, make it real for them. 55 00:02:20.639 --> 00:02:23.759 Yeah, how much it can impact the bottom line, because 56 00:02:23.840 --> 00:02:24.759 that's what they care about. 57 00:02:24.879 --> 00:02:27.159 They need to see those dollar signs. Yeah, exactly, and 58 00:02:27.159 --> 00:02:28.840 be afraid of what's going to happen if they don't 59 00:02:28.879 --> 00:02:29.840 invest in security. 60 00:02:30.039 --> 00:02:32.319 Right. And then once they've signed off, you need to 61 00:02:32.319 --> 00:02:33.960 figure out where the Red team fits. 62 00:02:34.120 --> 00:02:35.240 Okay, where should it fit? 63 00:02:35.919 --> 00:02:40.919 Ideally a good degree of independence, Okay, reporting directly to 64 00:02:41.000 --> 00:02:44.479 like the Blue team, the defenders can actually cause some problems. 65 00:02:44.599 --> 00:02:47.840 Oh okay, what because remember the Red team is supposed 66 00:02:47.840 --> 00:02:51.520 to be the devil's advocate, you know, right, the weaknesses 67 00:02:51.919 --> 00:02:53.560 even if it makes people uncomfortable. 68 00:02:53.719 --> 00:02:56.439 So they need to be able to operate independently without 69 00:02:56.479 --> 00:02:58.840 any pressure from the people they might be embarrassing. 70 00:02:58.960 --> 00:02:59.639 Exactly, you got. 71 00:02:59.759 --> 00:03:02.039 Okay, So let's talk about the team itself. Yeah, I 72 00:03:02.039 --> 00:03:04.759 mean these are skilled, ethical hackers that we're talking about. 73 00:03:04.800 --> 00:03:07.960 Oh yeah, yeah, So how do you even find these people? 74 00:03:08.120 --> 00:03:12.039 That's the million dollar question, right, attracting and keeping great talent. 75 00:03:12.639 --> 00:03:14.919 It's not just about offering a lot of money, although 76 00:03:14.919 --> 00:03:18.199 that helps, but you really need to build an environment 77 00:03:18.240 --> 00:03:21.520 that speaks to their passion, you know, the thrill of this. 78 00:03:21.800 --> 00:03:23.199 Okay, well what would that look like? 79 00:03:23.520 --> 00:03:27.240 So things like development opportunities, you know, go into conferences 80 00:03:27.680 --> 00:03:29.560 and just like a culture of sharing knowledge. 81 00:03:29.719 --> 00:03:32.240 Right, So building this team is more about understanding what 82 00:03:32.319 --> 00:03:35.879 motivates them and what gets them excited about cybersecurity than 83 00:03:36.000 --> 00:03:37.360 just finding someone who can hack. 84 00:03:38.000 --> 00:03:40.240 Exactly. You need that mindset, that passion. 85 00:03:40.919 --> 00:03:43.560 Now, I'm guessing not every hacker out there's going to 86 00:03:43.560 --> 00:03:47.199 be ethical, So how do you filter for that? 87 00:03:47.199 --> 00:03:50.800 That's where you use scenarios in the interview process. Okay, 88 00:03:50.919 --> 00:03:53.080 you know, I like to throw out a hypothetical. Ok 89 00:03:53.280 --> 00:03:56.280 let's say you got to compromise this HR system to 90 00:03:56.360 --> 00:03:59.199 see if someone can pull out data. Would you download 91 00:03:59.240 --> 00:04:04.560 your own file, would you access other employee records, or 92 00:04:05.039 --> 00:04:07.479 you know, would you propose using dummy data? 93 00:04:07.560 --> 00:04:09.840 So it's like an ethical puzzle exactly. 94 00:04:10.080 --> 00:04:12.680 Yeah, and how they answer tells you a lot about 95 00:04:12.680 --> 00:04:16.839 their boundaries and how they handle that kind of sensitive information. 96 00:04:17.120 --> 00:04:20.639 That's super interesting. Yeah, are there any other essential things? 97 00:04:20.680 --> 00:04:23.120 To consider when putting this team together. 98 00:04:23.519 --> 00:04:26.920 I think diversity is absolutely key, Okay, and that's something 99 00:04:26.920 --> 00:04:30.199 that the cybersecurity world struggles with in what way? You 100 00:04:30.240 --> 00:04:33.040 know it's still a very male dominated field, is it. Yeah, 101 00:04:33.079 --> 00:04:35.360 Like globally it's only about eleven percent women. 102 00:04:35.600 --> 00:04:37.240 Wow, that's a really low number. 103 00:04:37.319 --> 00:04:38.319 Yeah, it's pretty shocking. 104 00:04:38.480 --> 00:04:41.360 Why is diversity so important, especially when bailing a red 105 00:04:41.399 --> 00:04:43.160 team Because. 106 00:04:42.800 --> 00:04:45.959 You get more creative and effective solutions when you have 107 00:04:46.000 --> 00:04:47.279 different perspectives in the room. 108 00:04:47.360 --> 00:04:49.759 Oh, you don't want everyone thinking the same way exactly. 109 00:04:49.920 --> 00:04:51.199 That's a recipe for disaster. 110 00:04:51.399 --> 00:04:54.560 So you've got your dream team. It's diverse, they're ethical, 111 00:04:54.560 --> 00:04:56.319 they're ready to go. Yeah, but then you need to 112 00:04:56.360 --> 00:04:59.759 manage them. What's the challenge in managing a red team? 113 00:05:00.560 --> 00:05:02.519 Well, I think it's about finding that balance, right. You 114 00:05:02.519 --> 00:05:08.839 want to give clear goals, but also not squash their creativity, 115 00:05:08.879 --> 00:05:13.839 their freedom to explore. Okay, So regular feedback communication is 116 00:05:13.879 --> 00:05:17.120 really important building that culture of trust and respect. 117 00:05:17.480 --> 00:05:19.720 So it's like you're a coach, but you're not dictating 118 00:05:19.720 --> 00:05:22.120 every move exactly. You want to make sure that they 119 00:05:22.160 --> 00:05:25.040 feel comfortable coming to you and bouncing ideas off of 120 00:05:25.079 --> 00:05:26.600 you and not feeling micromanaged. 121 00:05:26.759 --> 00:05:27.519 Yeah, you got it. 122 00:05:28.120 --> 00:05:31.199 This is all sounding pretty intense. Are there any other considerations? 123 00:05:31.360 --> 00:05:34.360 Well, this field can be really prone to burnout in 124 00:05:34.399 --> 00:05:37.399 what way? Red teamers are always on edge, you know, right, 125 00:05:37.600 --> 00:05:39.839 thinking about new threats and how to get ahead of them. 126 00:05:39.879 --> 00:05:42.000 That's a lot of pressure, it is. Yeah, So a 127 00:05:42.079 --> 00:05:46.000 healthy team culture, promoting work life balance is essential. 128 00:05:46.279 --> 00:05:48.519 So really making sure that they can do this job 129 00:05:48.560 --> 00:05:50.680 long term and not burn out after a year or two. 130 00:05:50.920 --> 00:05:53.959 Yeah, you want sustainability, not just a quick burst of energy. 131 00:05:54.199 --> 00:05:57.360 Okay, so you've got your team, they're happy, they're healthy, 132 00:05:57.360 --> 00:06:01.240 they're ready to go. How do they actually plan a test? 133 00:06:01.439 --> 00:06:02.720 A Red Team operation? 134 00:06:03.759 --> 00:06:06.600 It always starts with clearly defined objectives. 135 00:06:06.680 --> 00:06:07.240 What do you mean? 136 00:06:07.600 --> 00:06:09.759 What are you trying to achieve? Do you want to 137 00:06:09.800 --> 00:06:12.160 disrupt the system? Are you trying to get to some 138 00:06:12.279 --> 00:06:16.519 juicy data? Or is it about testing how they respond 139 00:06:16.639 --> 00:06:17.279 to an incident? 140 00:06:17.519 --> 00:06:19.120 Right? So you really need to have a plan. It's 141 00:06:19.160 --> 00:06:20.519 not just about breaking. 142 00:06:20.160 --> 00:06:23.560 Thing, No, definitely not. You get to simulate a real attack, 143 00:06:23.680 --> 00:06:25.480 one that actually makes sense for that company. 144 00:06:25.560 --> 00:06:29.279 Okay, so you've established your target, your goals. What happens next? 145 00:06:29.879 --> 00:06:31.360 Well, then they got to choose their approach. 146 00:06:32.120 --> 00:06:33.160 What do you mean by approach? 147 00:06:33.560 --> 00:06:36.120 Think surgical strike versus carpet bombing. 148 00:06:36.480 --> 00:06:37.560 I like that analogy. 149 00:06:37.639 --> 00:06:41.959 Ye know. Surgical strike is very focused, very specific objective, okay. 150 00:06:42.040 --> 00:06:44.920 Carpet bombing is more about throwing everything you got seeing 151 00:06:44.920 --> 00:06:45.480 what sticks. 152 00:06:45.639 --> 00:06:47.199 Okay, So how do you know which one's the right 153 00:06:47.240 --> 00:06:47.680 way to go? 154 00:06:47.920 --> 00:06:50.360 It depends. Sometimes you need that precision of a surgical 155 00:06:50.360 --> 00:06:54.600 strike to test a very specific mechanism, and other times 156 00:06:55.079 --> 00:06:58.959 that broader approach reveals more systemic weaknesses. 157 00:06:59.040 --> 00:07:02.600 It's about choosing the right tool for the job exactly. Now. 158 00:07:02.759 --> 00:07:06.639 Red teams have a real advantage over actual attackers, right 159 00:07:06.680 --> 00:07:09.040 because they have that home field advantage. 160 00:07:09.120 --> 00:07:10.560 Oh yeah, a huge advantage. 161 00:07:10.560 --> 00:07:12.879 They know the organization inside and out. 162 00:07:12.759 --> 00:07:15.279 They know the systems, they know the people. They even 163 00:07:15.319 --> 00:07:17.399 know the little quirks that nobody documents. 164 00:07:17.480 --> 00:07:19.480 Right, So they might know about a system that everyone 165 00:07:19.480 --> 00:07:22.680 forgot about, or a security protocol that nobody's actually following, 166 00:07:22.759 --> 00:07:25.120 or even like a disgruntled employee that they won't be 167 00:07:25.160 --> 00:07:25.959 able to manipulate. 168 00:07:26.079 --> 00:07:28.199 Exactly. All that insider info is gold. 169 00:07:28.439 --> 00:07:30.759 But what happens is they get caught during an operation. 170 00:07:31.439 --> 00:07:34.920 It happens, you know, really, and sometimes that can actually 171 00:07:34.920 --> 00:07:35.759 be really valuable. 172 00:07:35.879 --> 00:07:36.040 Oh. 173 00:07:36.120 --> 00:07:38.839 Interesting, because it's a chance to see how the incident 174 00:07:38.920 --> 00:07:41.279 response team, you know, how they react. 175 00:07:41.399 --> 00:07:44.240 Okay, yeah, it shows their strength and weaknesses. 176 00:07:43.759 --> 00:07:45.920 Exactly, highlights where they need to improve. 177 00:07:46.040 --> 00:07:49.079 You can't get that from a theoretical exercise. 178 00:07:49.199 --> 00:07:52.000 Yeah. The key is to view these as learning opportunities. 179 00:07:52.040 --> 00:07:55.680 Oh, to embrace those mistakes, right, to make them positive. 180 00:07:55.759 --> 00:07:58.199 And this is where we start talking about purple teaming. 181 00:07:58.360 --> 00:08:01.399 Yeah, purple teaming is all about cloudberation. The red team 182 00:08:01.439 --> 00:08:04.959 and the blue team working together, breaking down those silos. 183 00:08:05.040 --> 00:08:08.600 Instead of working against each other, they're actually joining. 184 00:08:08.319 --> 00:08:12.920 Forces exactly, sharing knowledge and understanding the threat from both sides. 185 00:08:13.240 --> 00:08:14.399 How would that actually work. 186 00:08:14.639 --> 00:08:17.959 They might do joint exercises like threat hunting, where the 187 00:08:18.000 --> 00:08:21.680 red team shares what they know about attacker tactics and 188 00:08:21.720 --> 00:08:24.600 then the blue team uses that to strengthen their defenses. 189 00:08:24.839 --> 00:08:27.839 Okay, so it's like they're sparring partners, pushing each other 190 00:08:27.879 --> 00:08:28.399 to get better. 191 00:08:28.480 --> 00:08:29.759 Yeah, that's good analogy. 192 00:08:30.000 --> 00:08:33.440 Now, how does a red team actually know if what 193 00:08:33.480 --> 00:08:36.440 they're doing is working? How do they measure their effectiveness? 194 00:08:36.639 --> 00:08:38.759 It's a really good question, right, and there are lots 195 00:08:38.799 --> 00:08:41.399 of ways to do it. Like what one is just 196 00:08:41.480 --> 00:08:45.120 tracking what they find. You know, how many vulnerabilities, how 197 00:08:45.159 --> 00:08:48.080 long it takes them to exploit something. Okay, you know, 198 00:08:48.240 --> 00:08:49.879 really quantifying. 199 00:08:49.279 --> 00:08:51.360 The risk so they can go back and say, look, 200 00:08:51.639 --> 00:08:54.279 we found all these problems. We help make the organization 201 00:08:54.320 --> 00:08:55.679 more secure exactly. 202 00:08:55.759 --> 00:08:59.679 Yeah, and these reports can be really useful for justifying budgets, yeah, 203 00:09:00.080 --> 00:09:01.200 oritizing what needs fixing. 204 00:09:01.559 --> 00:09:03.919 Oh right, they can say, look, we need more resources 205 00:09:03.960 --> 00:09:06.440 to do this because it's actually having a real impact. 206 00:09:06.759 --> 00:09:07.759 Exactly, you get it. 207 00:09:07.799 --> 00:09:09.960 So it's not just about the technical side of hacking. 208 00:09:10.039 --> 00:09:16.320 It's about communication, analysis and actually making the organization more secure. 209 00:09:16.000 --> 00:09:17.639 One hundred percent. It's all connected. 210 00:09:17.720 --> 00:09:20.639 Now, a lot of organizations might be thinking they haven't 211 00:09:20.679 --> 00:09:23.679 been attacked, right, so maybe there's nothing to worry about. 212 00:09:23.679 --> 00:09:25.000 Maybe they're doing everything right. 213 00:09:25.799 --> 00:09:29.679 That's a dangerous assumption. Okay, Why because it creates this 214 00:09:29.759 --> 00:09:33.480 illusion of control. Oh they think they're secure because they 215 00:09:33.480 --> 00:09:34.679 haven't been tested properly. 216 00:09:35.000 --> 00:09:38.279 Oh so red teaming is almost like forcing them to 217 00:09:38.360 --> 00:09:39.679 confront that reality. 218 00:09:39.879 --> 00:09:43.440 Yeah. It shatters the illusion by exposing those weaknesses so 219 00:09:43.480 --> 00:09:46.039 they can fix them before a real attacker gets in. 220 00:09:46.159 --> 00:09:48.200 It's like a wake up call exactly. 221 00:09:48.440 --> 00:09:50.000 Prevention is always better than a cure. 222 00:09:50.679 --> 00:09:52.919 Okay, So let's dive a little deeper into some of 223 00:09:52.960 --> 00:09:55.840 the tactics that red teams use. Sure, the book talks 224 00:09:55.840 --> 00:09:58.000 about something called attack graphs. What are those? 225 00:09:58.279 --> 00:10:01.480 Okay? So attack graphs think of it like a roadmap, 226 00:10:02.159 --> 00:10:03.039 but for hackers. 227 00:10:03.320 --> 00:10:03.679 Okay. 228 00:10:03.879 --> 00:10:06.120 It shows how an attacker might try to move through 229 00:10:06.120 --> 00:10:07.240 your systems, So it's. 230 00:10:07.159 --> 00:10:08.919 Like a blueprint for how they would attack. 231 00:10:09.240 --> 00:10:12.600 Yeah, it's really valuable for the red team to map 232 00:10:12.600 --> 00:10:13.679 out potential paths. 233 00:10:13.960 --> 00:10:18.840 Oh, to see how different assets connect and where the vulnerabilities. 234 00:10:18.000 --> 00:10:19.320 Are exactly, you get it. 235 00:10:19.360 --> 00:10:22.519 And it can be used for threat modeling, vulnerability analysis, 236 00:10:22.600 --> 00:10:25.879 even for training your employees on security awareness. 237 00:10:26.039 --> 00:10:28.759 Yeah, totally. It helps you understand how an attacker thinks. 238 00:10:29.240 --> 00:10:33.039 Now, the book also mentions threat trees and graphs, Right, 239 00:10:33.159 --> 00:10:34.720 how are those different from attack graphs. 240 00:10:34.799 --> 00:10:37.039 Well, attack graphs focus on those specific paths. 241 00:10:37.120 --> 00:10:37.480 Okay. 242 00:10:37.720 --> 00:10:39.679 Threat trees and graphs take a broader look. 243 00:10:39.759 --> 00:10:40.240 Oh, Okay. 244 00:10:40.519 --> 00:10:43.120 They map out all the potential threats, what their impact 245 00:10:43.200 --> 00:10:43.679 could be. 246 00:10:43.679 --> 00:10:45.960 So it's like zooming out to see the big picture. 247 00:10:45.759 --> 00:10:50.919 Exactly, and they often include info about what motivates the attackers, 248 00:10:51.279 --> 00:10:53.360 what they're capable of and who they're after. 249 00:10:53.480 --> 00:10:55.399 Oh wow, so it's not just about the how, but 250 00:10:55.480 --> 00:10:57.559 also the why behind an attack. 251 00:10:57.720 --> 00:10:58.879 Yeah, that's really important. 252 00:10:58.960 --> 00:11:02.279 That's a crucial distinction, right, because if you understand the why, 253 00:11:02.440 --> 00:11:05.080 you can prioritize what to protect and how to defend. 254 00:11:05.279 --> 00:11:06.399 Absolutely. Yeah. 255 00:11:06.480 --> 00:11:10.720 Now, the book talks about building these conceptual graphs manually, right, 256 00:11:10.799 --> 00:11:12.919 what does that involve? How does it actually work? 257 00:11:13.200 --> 00:11:15.960 It's basically a brainstorming session. You know, a bunch of 258 00:11:16.320 --> 00:11:22.840 security experts getting together, okay, mapping out those scenarios, identifying assets, vulnerabilities, 259 00:11:22.879 --> 00:11:24.200 all those attacker actions. 260 00:11:24.360 --> 00:11:26.200 So you're trying to predict what they might. 261 00:11:26.080 --> 00:11:29.279 Do exactly, and you can use a whiteboard, sticky notes 262 00:11:29.759 --> 00:11:30.879 just trying to connect the dots. 263 00:11:31.080 --> 00:11:33.159 That sounds super time consuming though. 264 00:11:33.120 --> 00:11:35.159 It can be, and that's where automation comes in. 265 00:11:35.279 --> 00:11:36.799 Oh okay, how does that work. 266 00:11:36.919 --> 00:11:41.159 There are tools that can scan networks, analyze those configurations, 267 00:11:41.679 --> 00:11:43.159 find known vulnerabilities. 268 00:11:43.240 --> 00:11:46.759 So it's like perbocharging that brainstorming session with technology exactly. 269 00:11:46.759 --> 00:11:49.360 It frees up the security teams from more strategic work. 270 00:11:49.639 --> 00:11:51.600 Okay, Now, let's shift gears a little bit and talk 271 00:11:51.600 --> 00:11:55.399 about measuring how effective a red team's work is sure. 272 00:11:55.679 --> 00:11:59.799 The book talks about defining things called metrics and KPIs. 273 00:12:00.039 --> 00:12:01.919 What are those? Can you give me some examples of those? 274 00:12:02.200 --> 00:12:04.399 Yeah? So there are two main times. Ones that focus 275 00:12:04.440 --> 00:12:08.159 on the Red team's internal operations, okay, and then ones 276 00:12:08.200 --> 00:12:10.279 that look at the impact of their work. Give me 277 00:12:10.320 --> 00:12:13.399 an example, like, an operational kpiah could be the number 278 00:12:13.399 --> 00:12:16.120 of pen tests they've done. Okay, Well, an impact KPI 279 00:12:16.200 --> 00:12:19.080 would be how many critical vulnerabilities they found or how 280 00:12:19.120 --> 00:12:20.200 long it takes to fix them. 281 00:12:20.360 --> 00:12:23.000 Oh so one's about efficiency and the other ones about 282 00:12:23.000 --> 00:12:27.279 effectiveness exactly. What about these attack insight dashboards that I 283 00:12:27.320 --> 00:12:28.320 saw mentioned in the book? 284 00:12:28.399 --> 00:12:29.440 Oh yeah, they're really cool. 285 00:12:29.519 --> 00:12:30.039 What are they? 286 00:12:30.240 --> 00:12:33.440 Imagine a dashboard that gives you a real time view 287 00:12:33.600 --> 00:12:36.519 of what's happening in an operation. Okay, you can see 288 00:12:36.799 --> 00:12:40.279 what phase the attack is, in, which assets have been compromised, 289 00:12:40.559 --> 00:12:42.000 what techniques are being used. 290 00:12:42.159 --> 00:12:44.559 So it's like watching the attack unfold live. 291 00:12:44.679 --> 00:12:46.720 Yeah, super helpful for the Blue team. You know, they 292 00:12:46.720 --> 00:12:50.240 can observe what's going on, learn those tactics, and adapt 293 00:12:50.240 --> 00:12:51.720 their defenses in real time. 294 00:12:51.919 --> 00:12:53.720 Like they're getting a front row seat to a real 295 00:12:53.759 --> 00:12:57.960 attack exactly. The book also mentioned something called Red Team scores. 296 00:12:58.159 --> 00:13:00.360 Yeah, what are they? So they basically quant to find 297 00:13:00.399 --> 00:13:03.480 the impact of the findings. Oh, they might assign points 298 00:13:03.519 --> 00:13:07.000 based on how bad a vulnerability is, how easy it 299 00:13:07.080 --> 00:13:08.840 is to exploit it, and how what do you damage 300 00:13:08.879 --> 00:13:09.240 it could do. 301 00:13:09.399 --> 00:13:12.759 So it helps prioritize what to fix first exactly. 302 00:13:12.759 --> 00:13:14.559 You want to focus on the things that pose the 303 00:13:14.559 --> 00:13:16.120 biggest risk, right okay. 304 00:13:16.120 --> 00:13:18.720 And then I saw burn down charts. Yeah, what are 305 00:13:18.720 --> 00:13:19.279 those used for? 306 00:13:19.440 --> 00:13:22.279 They're like visual trackers Okay. In this case, they show 307 00:13:22.279 --> 00:13:24.279 you how quickly vulnerabilities are being addressed. 308 00:13:24.320 --> 00:13:26.960 Oh, so you can see if the organization is actually 309 00:13:27.000 --> 00:13:30.799 fixing the problems that the Red Team finds, right exactly. 310 00:13:30.840 --> 00:13:34.639 And then there's this blast radius visualization. Yeah, what's that 311 00:13:34.879 --> 00:13:36.279 and why is it important? 312 00:13:36.440 --> 00:13:39.480 Well, it shows you the potential fallout if an attack 313 00:13:39.559 --> 00:13:42.240 is successful. Okay, Like let's say the Red Team got 314 00:13:42.320 --> 00:13:45.759 hold of a user account. Okay, this visualization would show 315 00:13:45.759 --> 00:13:47.879 you all the systems they could access, the data they 316 00:13:47.879 --> 00:13:48.360 could get to. 317 00:13:49.000 --> 00:13:51.480 Oh wow, it's like a worst case scenario map. 318 00:13:51.679 --> 00:13:54.320 Yeah, you can see the potential domino effect. 319 00:13:54.440 --> 00:13:57.000 That's important for risk management because then you can really 320 00:13:57.080 --> 00:13:58.200 understand what's at stake. 321 00:13:58.600 --> 00:13:59.240 Absolutely. 322 00:13:59.320 --> 00:14:01.399 Now, one thing the book points out is that using 323 00:14:01.480 --> 00:14:06.480 simple ratings like critical, high, medium, low to assess risk 324 00:14:06.720 --> 00:14:07.600 isn't really enough. 325 00:14:07.879 --> 00:14:09.679 Yeah, those terms can be subjective. 326 00:14:09.879 --> 00:14:10.360 Oh okay. 327 00:14:10.600 --> 00:14:13.399 What one person thinks is critical, another person might say 328 00:14:13.440 --> 00:14:17.120 is high. And without clear definitions, it's hard to prioritize 329 00:14:17.200 --> 00:14:18.679 you know where to put your resources. 330 00:14:18.759 --> 00:14:21.559 So how do you move beyond those simple ratings? 331 00:14:21.600 --> 00:14:25.960 Then? Well, you could use more quantitative methods like simulations. 332 00:14:25.960 --> 00:14:28.679 Oh okay, like Monty Carlo simulations. 333 00:14:28.159 --> 00:14:29.480 Money Carlos simulations. 334 00:14:29.480 --> 00:14:32.879 That sounds complex, It can be, but it's a powerful tool. 335 00:14:33.440 --> 00:14:37.879 You basically run thousands of simulations to model different attack 336 00:14:37.960 --> 00:14:40.919 scenarios and then calculate the impact of each one. 337 00:14:41.080 --> 00:14:44.080 So you're factoring the likelihood of the attack, how strong 338 00:14:44.120 --> 00:14:47.120 your defenses are, and what the financial hit would be. 339 00:14:47.360 --> 00:14:50.320 Yeah, exactly. You want to make data driven decisions, not 340 00:14:50.399 --> 00:14:52.600 just gut feeling, right, Data is key, okay. 341 00:14:52.600 --> 00:14:55.960 The book also mentions meantime metrics. Yeah, what are those? 342 00:14:56.360 --> 00:14:58.600 So these basically measure how long it takes to do 343 00:14:58.840 --> 00:15:02.000 certain things, how long to detect an attack, how long 344 00:15:02.039 --> 00:15:04.720 to fix a vulnerability, how long to recover. 345 00:15:05.000 --> 00:15:07.440 So you're measuring how quickly you can respond and then 346 00:15:07.519 --> 00:15:09.679 using that to improve your response times. 347 00:15:09.799 --> 00:15:11.559 Yeah, you want to be fast and efficient. 348 00:15:11.240 --> 00:15:15.000 Right, Okay. There's also something called the Threat Response Matrix, right, 349 00:15:15.080 --> 00:15:16.240 can you explain what that is? 350 00:15:16.320 --> 00:15:19.480 Basically, it's a playbook, Okay. It lists potential threats, what 351 00:15:19.519 --> 00:15:23.240 their impact could be, and how the organization wants to respond. 352 00:15:23.360 --> 00:15:25.919 Oh, so everybody knows what to do if a specific 353 00:15:26.000 --> 00:15:27.360 threat shows up exactly. 354 00:15:27.440 --> 00:15:29.559 Yeah, especially when you're under pressure, you need a plan. 355 00:15:29.799 --> 00:15:30.159 Right. 356 00:15:30.240 --> 00:15:33.559 Then there's the Test Maturity Model Integration or TMI. 357 00:15:33.840 --> 00:15:35.559 TMI Okay, I'm not familiar with that. 358 00:15:35.919 --> 00:15:40.480 It's a framework for evaluating how mature a testing process is. Okay. 359 00:15:40.559 --> 00:15:43.840 It wasn't designed specifically for security, okay, but a lot 360 00:15:43.840 --> 00:15:45.679 of the principles apply to red teaming. 361 00:15:45.879 --> 00:15:49.879 Okay, So how can organizations use this framework to improve 362 00:15:49.919 --> 00:15:50.759 their red teaming? 363 00:15:51.080 --> 00:15:55.000 Well, they can assess their processes against the TMMI and 364 00:15:55.039 --> 00:15:56.240 see where they need to improve. 365 00:15:56.480 --> 00:15:59.399 So it's like benchmarking themselves against best practices. 366 00:16:00.080 --> 00:16:02.720 Exactly. You want to make sure your operations are top notch. 367 00:16:03.000 --> 00:16:05.120 Okay, I'm sure our listeners are eager to hear about 368 00:16:05.159 --> 00:16:08.240 some of the more I guess cutting edge red team operations. 369 00:16:08.279 --> 00:16:11.240 Oh yeah, definitely, let's dive into those more innovative and 370 00:16:11.320 --> 00:16:12.440 challenging exercises. 371 00:16:12.519 --> 00:16:16.559 Okay, let's start with progressive red teaming, which really pushes 372 00:16:16.600 --> 00:16:18.200 beyond those traditional methods. 373 00:16:18.279 --> 00:16:18.600 Okay. 374 00:16:18.639 --> 00:16:22.039 One example is cryptocurrency mining, oh wow, where red teams 375 00:16:22.039 --> 00:16:27.000 are simulating attacks designed to basically hijack your computing resources 376 00:16:27.320 --> 00:16:28.120 to make money. 377 00:16:28.480 --> 00:16:32.279 So instead of stealing data, they're stealing your processing power. 378 00:16:32.480 --> 00:16:35.440 Yeah, exactly, they're using your resources for their own profit. 379 00:16:35.639 --> 00:16:37.840 That's a big concern for organizations today. 380 00:16:37.919 --> 00:16:40.200 It is. Yeah, it can be really expensive, slow down 381 00:16:40.200 --> 00:16:42.159 your systems, even damage your hardware. 382 00:16:42.679 --> 00:16:46.000 What are some other types of progressive red teaming operations? 383 00:16:46.120 --> 00:16:49.879 Another area is red teaming for privacy violations. Okay, so 384 00:16:49.960 --> 00:16:53.080 you're testing the defenses against attacks that are trying to 385 00:16:53.120 --> 00:16:55.720 steal or misuse personal data. 386 00:16:55.399 --> 00:16:58.559 So basically making sure you're complying with things like GDPR. 387 00:16:59.000 --> 00:17:05.359 Exactly. They might simulate attacks that exploit weaknesses in data protection. 388 00:17:05.400 --> 00:17:07.240 So you might find out that your web app is 389 00:17:07.240 --> 00:17:10.000 insecure or your database isn't configured properly. 390 00:17:10.200 --> 00:17:13.960 Yeah, exactly. You're finding those hidden risks that companies might 391 00:17:14.000 --> 00:17:14.799 not even be aware of. 392 00:17:14.960 --> 00:17:17.920 It's all about being proactive, right, finding the problem before 393 00:17:17.960 --> 00:17:19.119 it becomes a bigger problem. 394 00:17:19.319 --> 00:17:20.279 Yeah. Absolutely. 395 00:17:20.319 --> 00:17:23.200 Are there any other progressive red team exercises that you 396 00:17:23.240 --> 00:17:24.279 think are worth mentioning? 397 00:17:24.599 --> 00:17:28.400 Yeah? Another big one is attacking AI and machine learning systems. 398 00:17:28.680 --> 00:17:29.440 Oh interesting. 399 00:17:29.519 --> 00:17:32.680 So these are systems that are becoming more and more common, right, 400 00:17:32.839 --> 00:17:35.079 and we're starting to see the vulnerabilities in them. 401 00:17:35.119 --> 00:17:36.440