564.1 Red Team Exercise Introduction and Planning
- Messy terminology:
You don't need to know what each of these terms means individually; you only need to know that you're doing penetration work
• Ethical Hacking
• Vulnerability Scanning
• Vulnerability Assessment(SEC460: Enterprise Threat and Vulnerability Assessment)
• Penetration Testing
• Red Team
• Adversary Emulation
• Purple Team
Everything below the 500 series is primer material (SEC460: Enterprise Threat and Vulnerability Assessment)
Penetration testing related materials
SANS Course:
SEC560: Network Penetration Testing and Ethical Hacking: https://www.sans.org/course/network-penetration-testing-ethical-hacking
SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking: https://www.sans.org/course/advanced-penetration-testing-exploits-ethical-hacking
SEC542: Web App Penetration Testing and Ethical Hacking: https://www.sans.org/course/web-app-penetration-testing-ethical-hacking
SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques: https://www.sans.org/course/advanced-web-app-penetration-testing-ethical-hacking
The definition of a red team is to train the blue team: it emulates APT attack behaviour so that the blue team gets better at spotting the traces in its own tooling
Purple team: strikes a balance between the red and blue extremes, without wasting lots of time on "stealth" and anti-attribution; more of the time goes into replaying TTPs to exercise the blue team's tooling and response procedures
SANS Course:
SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses: https://www.sans.org/course/defeating-advanced-adversaries-kill-chain-defenses
SEC699: Advanced Purple Team Tactics – Adversary Emulation for Breach Prevention & Detection: https://www.sans.org/course/purple-team-tactics-adversary-emulation
- Don't pay too much attention to the differences between red teaming, penetration testing and the rest: bluntly, a pentest is how you test a given asset, and a red team goes after a given target by any means necessary. And once you've got the distinction straight, what then, go and grab his account password?
- Frameworks and methodologies
• Cyber Kill Chain – Lockheed Martin
• CBEST Intelligence Led Testing – Bank of England
• Threat Intelligence-Based Ethical Red Teaming – TIBER-EU
• Red Team: Adversarial Attack Simulation Exercises – ABS (Association of Banks of Singapore)
• Intelligence-led Cyber Attack Simulation Testing (iCAST) – HKMA (Hong Kong Monetary Authority)
• G-7 Fundamental Elements for Threat-Led Penetration Testing (G7FE-TLPT)
• A Framework for the Regulatory Use of Penetration Testing and Red Teaming in the Financial Services Industry – GFMA (Global Financial Markets Association)
• ATT&CK™ – MITRE
• Unified Cyber Kill Chain – Paul Pols
The Cyber Kill Chain References:
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
https://www.secureworks.com/resources/wp-breaking-the-kill-chain
CBEST Intelligence Led Testing Reference:
https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/cbest-implementation-guide
Threat Intelligence-Based Ethical Red Teaming (TIBER-EU) References:
https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf
https://www.ecb.europa.eu/pub/pdf/other/ecb.tibereu.en.pdf
Red Team: Adversarial Attack Simulation Exercises Reference:
https://abs.org.sg/docs/library/abs-red-team---adversarial-attack-simulation-exercises-guidelines.pdf
Intelligence-Led Cyber Attack Simulation Testing (iCAST) Reference:
https://www.hkma.gov.hk/media/eng/doc/key-information/speeches/s20160518e2.pdf
G-7 Fundamental Elements for Threat-Led Penetration Testing (G7FE-TLPT) Reference:
https://www.fin.gc.ca/activty/G7/pdf/G7-penetration-testing-tests-penetration-eng.pdf
A Framework for the Regulatory Use of Penetration Testing and Red Teaming in the Financial Services Industry Reference:
https://www.gfma.org/correspondence/gfma-framework-for-the-regulatory-use-of-penetration-testing-in-the-financial-services-industry/
MITRE ATT&CK Reference:
https://attack.mitre.org/
Unified Kill Chain – Paul Pols Reference:
https://www.csacademy.nl/images/scripties/2018/Paul-Pols---The-Unified-Kill-Chain.pdf
- Threat intelligence
References:
Gartner, Inc., Definition: Threat Intelligence (2013, May 16), Retrieved from:
https://www.gartner.com/doc/2487216/definition-threat-intelligence
A curated list of awesome Threat Intelligence resources:
https://github.com/hslatman/awesome-threat-intelligence
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536260992.pdf
SANS Course:
SANS FOR578: Cyber Threat Intelligence
https://www.sans.org/course/cyber-threat-intelligence
Lab 1.1: Consuming Threat Intelligence
My guess at the intent behind this lab's design: read a pile of APT reports, combine them with OSINT analysis, and finally extract the various threat-intelligence IOCs. Similar to the labs in the SOC 1, 2, 3, 4 course series
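As an added illustration of the "consume reports, extract IOCs" step described above (my own example, not part of the notes and not the SANS lab material), here is a small defender-side IOC extractor: it refangs the usual "hxxp" / "[.]" defanging that vendor reports use, pulls out URLs, IPv4 addresses, domains and MD5/SHA-1/SHA-256 hashes, drops file names that look like domains, and separates RFC 1918/loopback addresses (victim-network context) from external indicators. The report excerpt is constructed for the example from documentation-range addresses, reserved example domains and the hashes of the empty string, so nothing in it is a real indicator.

```python
import re

# Constructed report excerpt for this example (RFC 5737 documentation
# addresses, example.net, and hashes of the empty string): not real IOCs.
SAMPLE_REPORT = """
The actor staged payloads on hxxp://update-check[.]example[.]net/setup.exe
and beaconed to 203[.]0[.]113[.]45 over TCP/443. A second C2 at
198.51.100.7 was observed. Dropper MD5: d41d8cd98f00b204e9800998ecf8427e
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Internal host 10.0.0.5 was pivoted to; see also section 1.2.3 (CVSS v3.1).
"""

# "name.ext" tokens that the domain regex would otherwise report as domains.
FILE_EXTENSIONS = {"exe", "dll", "pdf", "doc", "docx", "xls", "zip",
                   "txt", "js", "ps1", "bat", "lnk"}

# Common defanging conventions in public threat reports.
_DEFANG_RULES = [
    (re.compile(r"hxxps?://", re.I),
     lambda m: m.group(0).lower().replace("hxxp", "http")),
    (re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.I), lambda m: "."),
    (re.compile(r"\[:\]"), lambda m: ":"),
]

_PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s'\"<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # last label must be alphabetic, so version numbers like 1.2.3 never match
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
}


def refang(text):
    """Undo report defanging so indicators can be matched and compared."""
    for pattern, repl in _DEFANG_RULES:
        text = pattern.sub(repl, text)
    return text


def valid_ipv4(ip):
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def is_internal_ipv4(ip):
    """RFC 1918 and loopback: context about the victim network, not an external IOC."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def extract_iocs(report_text):
    """Return de-duplicated, sorted indicators grouped by type."""
    text = refang(report_text)
    found = {kind: set(p.findall(text)) for kind, p in _PATTERNS.items()}
    ips = {ip for ip in found["ipv4"] if valid_ipv4(ip)}
    domains = {d.lower() for d in found["domain"]
               if d.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS}
    return {
        "url": sorted(found["url"]),
        "ipv4_external": sorted(ip for ip in ips if not is_internal_ipv4(ip)),
        "ipv4_internal": sorted(ip for ip in ips if is_internal_ipv4(ip)),
        "domain": sorted(domains),
        "sha256": sorted(h.lower() for h in found["sha256"]),
        "sha1": sorted(h.lower() for h in found["sha1"]),
        "md5": sorted(h.lower() for h in found["md5"]),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        for value in values:
            print(f"{kind}\t{value}")
```

The output is tab-separated so it can be piped straight into a blocklist or a SIEM lookup table; the internal-address split matters because 10.0.0.5 in a report is only meaningful inside the victim's network and would generate noise if it were pushed to a firewall feed.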