During my career I have been lucky enough to conduct red team exercises and defended against them. Recently I've witnessed many security practitioners do not comprehend the amount of time required to thoroughly investigate red team exercises.
To address this I decided to present this year to educate people on the challenges. This talk was an attempt to use minimal slides in an effort to improve my presentation skills, it's why you'll see me stumble a bit.
Some of the takeaways:
- Purple team exercises will always produce better output than Red team exercises alone.
- Fake accounts / Canary Tokens can be used as warning signals for upcoming attacks.
- Write alerts for common tool signatures, for example, NMAP's default user agent string.
- Watch for quieter external scans coming from a single IP address, more likely reflects an actual attacker vs bots scanning.
- If multiple internal hosts on the same subnet are reporting they blocked port scanning activity its probably something you should look into.
- Run an internal sinkhole. Can be noisy but very useful.
- Focus on the basics.
- Use only ISO 8601 timestamps please!
- Watch the video above for a few more...
I've been lucky enough to attend and present at a few conferences earlier this year including Crikeycon, Tuskcon and the first ever Brisbane Bsides. Hopefully in future I can present more and improve my skills.
Feel free to reach out if you would like to discuss anything I covered.