
Training Recommendations for Threat Emulation and Red Teaming

March 26, 2015

A few weeks ago, someone wrote to ask which training courses I would recommend to help set up a successful Red Team program. If you find yourself asking this question, you may find this post valuable.

First things first, you’ll want to define the goals of your red team and what value it’s going to offer to your organization. Some private sector internal red teams do a variety of offensive tasks and work like an internal consulting shop to their parent organization. If you think this is you, please don’t ignore some of the tasks that may fall on your plate such as reviewing web applications and evaluating different systems for vulnerabilities/bad configuration before they’re added to your environment. I don’t do much with this side of red team activity and my recommendations will show this gap.

When I think about red teaming, I think about it from the standpoint of an aggressor squad: a team that closely emulates a sophisticated adversary’s process in order to evaluate security operations as a whole, not just vulnerability and patch management.

I see several private sector red teams moving towards something like Microsoft’s model. Microsoft uses one of their red teams to constantly exercise their post-breach security posture and demonstrate a measurable improvement to their intrusion response over time. Their white paper covers their process and their metrics very well.

If the above describes you, here are the courses I’d go for when building out a team:

1. I’d have everyone work to get the OSCP certification. The offsec courses are good fundamental knowledge every offensive operator should know.

2. Veris Group’s Adaptive Threat Division teaches an Adaptive Red Team Tactics course and they’ll come to your organization to teach it. The Veris Group’s red team class focuses on data mining, abusing active directory, and taking advantage of trust relationships in very large Windows enterprises.

This talk is a good flavor for how the Veris folks think:

Veris Group is teaching Adaptive Red Team Tactics and their Adaptive Penetration Testing courses at Black Hat USA 2015.

3. Silent Break Security teaches a course called Dark Side Ops: Custom Penetration Testing. Silent Break sells primarily full scope pen tests and their selling point to customers is they use custom tools to emulate a modern adversary.

This course is the intersection of malware development and red team tradecraft. They give you their custom tools and put you through 15 labs on how to modify and extend their custom tools with new capability. Their process is dead on in-parallel with how I see full scope operations [1, 2].

I reviewed their December 2014 course. Silent Break Security is teaching Dark Side Ops: Custom Penetration Testing at Black Hat USA 2015.

4. I’d also consider putting your money on anything from Attack Research. I plan to eventually take their Tactical Exploitation course. Their Meta-Phish paper from 2009 had more influence on how I think about offense than anything else I’ve read. I have friends who’ve taken their courses and they say they’re excellent.

Tactical Exploitation

MetaPhish

Tactical Exploitation is available at BlackHat USA 2015 as well.

5. I’d invest in a PowerShell skillset and take a course or two along these lines. Most of the high-end red teams I see have bought into PowerShell full-bore for post-exploitation. As a vendor and non-PowerShell developer, I had to embrace PowerShell, or watch my customers move ahead without me. They’re going this way for good reason though. Using native tools for post-ex will give you more power with less opportunity for detection than any other approach. I don’t know of a specific course to point you to here. Carlos Perez (DarkOperator) teaches a PowerShell for Hackers course at DerbyCon and it gets very good reviews.

6. If you’re interested in Cobalt Strike, I do offer the Advanced Threat Tactics course. My course is primarily a developer’s perspective on the Cobalt Strike product. This course is similar to the Tradecraft course except it includes labs, an exercise, and it’s up to date with the latest Cobalt Strike capabilities.

4 comments

  1. You said about Silent Break, “Their process is dead on in-parallel with how I see full scope operations.” Can you explain why?


    • We wear the same cologne, similar outfits, we complete each other’s sentences, and our conversations are so intense that we forget what’s happening in the world around us.


  2. I was just thinking to take their training at Black Hat Asia, that’s why I asked that question. I meant to start a constructive discussion, not intense 🙂. By the way, I like Cobalt Strike and the way you explain attack strategies. You certainly have a “beautiful mind”.


    • I wrote a detailed review on Dark Side Operations a few years ago:

      https://www.ethicalhacker.net/features/root/course-review-dark-side-ops-custom-penetration-testing

      Brady (owner of Silent Break) is a friend and someone I respect a great deal. He also has very smart people that do and have worked for his company. For example, Lee Christensen came from Silent Break Security (Lee was the one who gave us Unmanaged PowerShell).

      His course is unique in that it focuses on the tools and tool development (the review covers this). But, the course explains how each tool, technique, and idea supports a broader offensive process and good tradecraft. I try to do the same thing in my Cobalt Strike courses (e.g., I don’t *just* explain how to setup a listener for a Beacon, I provide recommendations for how to organize your infrastructure and why). Our recommendations are very similar.

      I say this in the review (*cough*go read it*cough), but as a developer, if I had taken this course in 2012, it would have saved me two years of time. Dark Side Ops covers a lot of things I had to learn on my own.

      When my schedule allows it and the venue is reachable, I’ll probably take Dark Side Ops II.


