SANS SEC564 Red Team Operations and Adversary Emulation

Published 2023-12-13 01:35:55 Author: sec875

564.1 Introduction to and Planning of Red Team Exercises

  • Confusing terminology:
    You don't need to know what each of these terms means individually, only that you are doing penetration work
    • Ethical Hacking
    • Vulnerability Scanning
    • Vulnerability Assessment(SEC460: Enterprise Threat and Vulnerability Assessment)
    • Penetration Testing
    • Red Team
    • Adversary Emulation
    • Purple Team

Everything below the 500 series is introductory material (SEC460: Enterprise Threat and Vulnerability Assessment)

Penetration testing related material
SANS Course:
SEC560: Network Penetration Testing and Ethical Hacking: https://www.sans.org/course/network-penetration-testing-ethical-hacking
SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking: https://www.sans.org/course/advanced-penetration-testing-exploits-ethical-hacking
SEC542: Web App Penetration Testing and Ethical Hacking: https://www.sans.org/course/web-app-penetration-testing-ethical-hacking
SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques: https://www.sans.org/course/advanced-web-app-penetration-testing-ethical-hacking


The purpose of a red team is to train the blue team: it emulates APT attack behaviour so that the blue team gets better at spotting the traces left in its own tooling


Purple Team: strikes a balance between the red and blue sides, so that large amounts of time are not wasted on "stealth" and anti-attribution. More of the time goes into reproducing TTPs to exercise the blue team's tooling and response procedures
SANS Course:
SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses: https://www.sans.org/course/defeating-advanced-adversaries-kill-chain-defenses
SEC699: Advanced Purple Team Tactics – Adversary Emulation for Breach Prevention & Detection: https://www.sans.org/course/purple-team-tactics-adversary-emulation

  • Don't get hung up on the difference between red teaming, penetration testing and the rest: plainly put, penetration testing is how you test a given asset, whereas red teaming is going after a target by whatever means necessary. Once you have the distinction straight, what does it change? Are you going to go and hijack his account password?

  • Frameworks and methodologies
    • Cyber Kill Chain – Lockheed Martin
    • CBEST Intelligence Led Testing – Bank of England
    • Threat Intelligence-Based Ethical Red Teaming – TIBER-EU
    • Red Team: Adversarial Attack Simulation Exercises – ABS (Association of Banks of Singapore)
    • Intelligence-led Cyber Attack Simulation Testing (iCAST) – HKMA (Hong Kong Monetary Authority)
    • G-7 Fundamental Elements for Threat-Led Penetration Testing (G7FE-TLPT)
    • A Framework for the Regulatory Use of Penetration Testing and Red Teaming in the Financial Services Industry – GFMA (Global Financial Markets Association)
    • ATT&CK™ – MITRE
    • Unified Cyber Kill Chain – Paul Pols

The Cyber Kill Chain References:
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
https://www.secureworks.com/resources/wp-breaking-the-kill-chain

CBEST Intelligence Led Testing Reference:
https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/cbest-implementation-guide

Threat Intelligence-Based Ethical Red Teaming (TIBER-EU) References:
https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf
https://www.ecb.europa.eu/pub/pdf/other/ecb.tibereu.en.pdf

Red Team: Adversarial Attack Simulation Exercises Reference:
https://abs.org.sg/docs/library/abs-red-team---adversarial-attack-simulation-exercises-guidelines.pdf

Intelligence-Led Cyber Attack Simulation Testing (iCAST) Reference:
https://www.hkma.gov.hk/media/eng/doc/key-information/speeches/s20160518e2.pdf

G-7 Fundamental Elements for Threat-Led Penetration Testing (G7FE-TLPT) Reference:
https://www.fin.gc.ca/activty/G7/pdf/G7-penetration-testing-tests-penetration-eng.pdf

A Framework for the Regulatory Use of Penetration Testing and Red Teaming in the Financial Services Industry Reference:
https://www.gfma.org/correspondence/gfma-framework-for-the-regulatory-use-of-penetration-testing-in-the-financial-services-industry/

MITRE ATT&CK Reference:
https://attack.mitre.org/

Unified Kill Chain – Paul Pols Reference:
https://www.csacademy.nl/images/scripties/2018/Paul-Pols---The-Unified-Kill-Chain.pdf

Lab 1.1: Consuming Threat Intelligence

My guess at the intent behind this lab: read a pile of APT reports, combine them with OSINT analysis, and finally extract threat-intelligence IOCs of every kind. Similar to the labs in the SOC 1, 2, 3, 4 course series
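As an added illustration of what "consuming threat intelligence" looks like in practice (my own example code, not SANS lab material), the script below pulls network indicators, file hashes and ATT&CK technique IDs out of a constructed, defanged report excerpt. The refang rules and the regexes are deliberately narrow assumptions; a real pipeline would use a dedicated IOC library and validate hits against an allow-list.

```python
import re
from typing import Dict, List

# Constructed excerpt standing in for a vendor APT report (not a real publication);
# the indicators are defanged the way public reports usually present them.
SAMPLE_REPORT = """
The actor staged payloads on update-cdn[.]example[.]com (203[.]0[.]113[.]45)
and relied on T1059.001 (PowerShell) for execution. Dropper SHA256:
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Beacon traffic went to hxxp://files[.]example[.]net/gate.php.
"""

# Assumed, deliberately narrow patterns: only a few TLDs, no IPv6, no MD5/SHA1.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io)\b", re.I),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "attack_technique": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
}


def refang(text: str) -> str:
    """Undo common report defanging so the patterns match: [.] -> . and hxxp -> http."""
    text = text.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"hxxp", "http", text, flags=re.I)


def valid_ipv4(addr: str) -> bool:
    """Reject regex hits such as 999.1.1.1 that are not real addresses."""
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def extract_iocs(report: str) -> Dict[str, List[str]]:
    """Return de-duplicated, sorted indicators grouped by type."""
    clean = refang(report)
    found: Dict[str, List[str]] = {}
    for kind, pattern in PATTERNS.items():
        hits = {m.group(0) for m in pattern.finditer(clean)}
        if kind == "ipv4":
            hits = {h for h in hits if valid_ipv4(h)}
        found[kind] = sorted(hits)
    return found


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind}: {values}")
```

The grouped output is what you would feed into a SIEM watchlist or an ATT&CK Navigator layer; the technique IDs are what drive the TTP-replay side of a purple-team exercise.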