
Five phases of IRTOF: Kickstarting your organization's Red Team Operations programme

BSides Delhi · 2020 · 48:15 · 169 views · Published 2020-11
Tags: Category: Technical · Team: Red · Style: Talk
About this talk
This talk is about building a practical internal red team. This is not an easy task. For organizations, it is essential to have an internal offensive team that continuously performs adversarial simulation to strengthen the security posture and enhance blue team capabilities. Many variables need to be taken care of before going forward with such an initiative; the most important is assessing the progress and maturity of the red team building process. The talk explains the steps to create an internal offensive team/red team from scratch and to increase its capabilities gradually over different phases, and introduces a proven way of building internal offensive teams: the Internal Red Team Operations Framework (IRTOF).

Slides: https://tacticaladversary.io/slides/Internal-Red-Team-BSides-Delhi-2020-Abhijith-b-r.pdf

Speaker: Abhijith B R

Abhijith, also known by the pseudonym Abx, has more than a decade of experience in the information and cyber security domain. He currently leads offensive security operations for a global FinTech company. Formerly he was Deputy Manager - Cyber Security at Nissan Motor Corporation, and before that a Senior Security Analyst at EY. He is the founder and organizer of https://RedTeamVillage.org, a red teaming community which actively organizes hacking villages and CTF competitions, and he acts as the Lead Organizer of an official DEFCON Group (https://dc0471.org/). He has recently started running the https://tacticaladversary.io/ blog. Abhijith has spoken at various cyber security conferences such as Nullcon, c0c0n, BSides Delhi, OWASP Seasides, DEFCON 28 Safe Mode (DCG Village), The Diana Initiative, Open Source India, and Kerala Police CodeSec.
Transcript (en)

On this afternoon's agenda is, let's see, Abhijith. Hello Abhijith, please come on to the stage. Abhijith, how are you, sir? Whoops, I don't think we can hear you. Oh, I'm sorry, I'm sorry, I wasn't there, you guys. Don't worry, it's user error, nothing to do with us. How are you, sir? I'm doing good so far; I would not say very good, you know, because of what is happening around there. Exactly, we all woke up this morning, let's take that as a good sign. So yeah, where are you calling in from? I'm from the deep south of India, a place called... A place called what? Kerala, it's a state of India. Oh yes, I do know it, I do know it.

So you will be talking about the five phases of IRTOF, it's called the Internal Red Team Operations Framework. I would not say framework, but in general operations, you know. Yeah, okay, so if you could bring your slides up please, showing us how to kickstart our organization's red team operations programme. Give me a second to get you started. Can I just remind everybody that you want to be putting your questions in the box to your right, in the comments field; please do put questions in there. And Abhijith, I am going to hand straight over to you, it is your floor. Awesome, awesome. Also, before that, you can see my screen, right? Oh, we're all good, we're good to go, don't worry. Awesome, awesome. Otherwise... yeah, thank you Tom.

So hello everyone, good evening, and it is a privilege to be back at BSides, because I really like the folks behind BSides and I have been there in 2017. So let's start. As I mentioned, the title of my talk is Five Phases of the Internal Red Team Operations Framework: Kickstarting your organization's internal red team operations programme. So let's go to the introduction slide.

Okay, my name is Abhijith and I'm also known by the pseudonym Abx. Currently I'm leading offensive security operations for an organization, a global FinTech company; I'm not mentioning my company's name here because of a couple of compliance-related issues. Before that I used to work as a Deputy Manager for Cyber Security at Nissan Motor Corporation, and previously with EY as a Senior Security Analyst. So it's been more than 10 years I've been working in the information and cyber security industry. Recently I started running a blog called tacticaladversary.io, which is only related to adversary emulation, red teaming and related stuff. I also manage two different communities: one is called RedTeamVillage.org, where we organize CTFs and hacking villages at c0c0n and Nullcon and a couple of other conferences; we also manage a local DEFCON group called DC0471, that is in Kerala. So yeah, that's it about the introduction part, and if you guys need to know anything more, feel free to visit my web pages or ping me on my Twitter handle. Okay, moving on to the next slide.

Okay, definitions. Before talking further about red teaming and related stuff, we need to do a couple of definitions, because everyone knows about vulnerability assessment, pen testing, red teaming, blue teaming, purple teaming and stuff like that, right? But still we have to do a couple of definitions, only because a couple of these terms are kind of misused in different areas, and it is always good to define, I mean explain, what a certain term is. The first thing would be: vulnerability assessment is not red teaming. We can see thousands of red teams in the security industry nowadays, right? In the beginning, in the old school days, we started with vulnerability assessment; then there were two kinds of vulnerability assessment, automated and manual; then we had pen testing; then people started to call it manual and automated pen testing, I don't know what that means. But again, coming back to vulnerability assessment, it is a very basic thing. It's about assessing or identifying the list of vulnerabilities or weaknesses which can exist in a system and listing them down, right? Maybe we can do it in a manual mode, or maybe we can perform some kind of automated scan to identify the vulnerabilities that may exist in a target system, maybe an application or a network device. And it is not red teaming. For example, if you are performing automated scans, you know that is not it; that is an entirely different field. We all started from there.

The second thing would be penetration testing. It is also not red teaming, because we do know the difference between vulnerability assessment and pen testing, right? Pen testing is very much focused on a certain goal. For example, if you are targeting an application, our goal would be compromising that application and getting the backend server. So we will not be reporting anything other than our attack path: how we got into that system, how we got that access as an administrator user or a root user. So that is entirely different; we cannot call pen testing or penetration testing red teaming. In the beginning, if you were looking at a pen test report, it would be very focused; it would only explain the attack path which was used by the attacker to obtain or compromise that target server. But nowadays we are seeing pen testing reports with SSL-related findings, seriously. I got to see a lot of pen test reports in my previous organizations and before that, and a report showing only SSL-related findings, open ports and stuff like that, dude, that is not pen testing, right? That is entirely different. And again, pen testing is also not red teaming; you know, that is what we are going to talk about today. It is still kind of confusing, but we cannot blame anyone here, because the industry is like that. Nowadays the term red teaming is also being used to denote the offensive side of security; I mean the entire offensive side of security is being called a red team. That's another scenario.

So coming to the main point: what is red teaming, or what do you mean by a red team? The term kind of originated from the military, right? Military personnel would act as an adversary to get into an outpost, you know, to steal stuff or to do other stuff as well. So it was kind of an exercise: they created both red and blue teams to mimic the actions of an adversary and see how the defending teams would be detecting their activity and defending against them, something like a game, right? So that's how the term originated. Then, when it came into computers and information security, the same method was there, and it was kind of modified to fit into our scenarios. We have a very cool definition from redteams.net, a very simple one: a red team is a group of highly skilled people that continuously challenge the plans, defensive measures and security concepts. For example, the main difference between pen testing and red teaming would be that pen testing is goal oriented, goal focused. We have a web application, we have a network, we have a device; the goal of the pen tester would be identifying a critical vulnerability and exploiting that to get into that system, or steal a certain file, or obtain administrator or root privileges. That is his goal; the scope is very well defined, and that is the only thing the pen tester has to do. But when it comes to red teaming, it is kind of a full scope assessment. The attacker is not only targeting the organization, it is targeting everything related to the organization. A full scope assessment means the attacker or the adversary will be targeting the employees of that organization, the internet-facing assets of that organization, cloud-based assets and on-premises assets, then the offices, the data centers; everything comes under a full scope red teaming assessment. So that is the main difference between a red team security assessment and normal penetration testing. And based on the requirement, many organizations are heavily modifying the rules of engagement, like the scope of the engagement. For example, instead of doing a full scope assessment, some organizations are only targeting their employees, maybe phishing campaigns and stuff like that. So based on the need, organizations are kind of modifying the scoping and making it a little bit more comfortable for that organization's requirement.

Moving on to the next slide, this is something very silly, right? I'm not mocking anyone here, but most of the security sales guys, I mean services company sales guys, will be telling you that our red team will be doing a pen test, maybe vulnerability scanning, for you or for the clients. That is not the actual use case of a red team, right? But again, many organizations and many people are still using the term red team, I mean red teaming, to denote the entire offensive side of cyber security, so we cannot actually blame them there. But if you are thinking about it technically, then that may be a little bit confusing. For us, for the technical people, red teaming, pen testing, vulnerability assessment, web application security assessment, everything is different, right? But for the other end, they're kind of changing the terms, and it's a little bit hard for us to understand. Maybe you guys know the vulnerability assessment and pen testing part: if you are working for an organization and you get to see a lot of reports coming from the vendors and from internal security teams, sometimes you'll get confused, because you cannot even understand what the difference between these two reports is. You have a vulnerability assessment report in your left hand and a pen test report from the vendor in your right hand, and sometimes you will get confused like what is what. So that is happening nowadays.

There is a relatively new term, it's called adversary emulation: emulating the actions of an adversary. For example, we all know about the APTs, right? Many threat actors are out there, many previously found threat actors are right there. Emulation means these techniques... because the security organizations successfully managed to record the malicious activities which were performed by a couple of well-known adversaries or well-known threat actors, so we have a very well organized collection of that, thanks a lot to MITRE; they are maintaining a very good collection of threat actors and APTs. So within our organization we can try to emulate the actions of an adversary. For example, if you are taking a threat actor called Cobalt, there is a set of actions or set of attacks which has been performed by that threat actor, right? So we can copy, we can try to replicate or mimic those actions performed by the adversary within our organization. In that way we can identify what are the security countermeasures or cyber defense systems which we have within our organization and how efficient their performance is. Emulation is relatively easy; we have a lot of open source and free software, free scripts and stuff like that to perform adversary emulation.

Then we have adversary simulation. Sometimes people are using adversary emulation and simulation with the same meaning, because we don't have any kind of well defined meanings for these terms, right? Because of that, many people are using adversary emulation and simulation with the same meaning. But when it comes to simulation, I believe we are also manually simulating the actions of an adversary; that adversary might be previously discovered, or we can try to simulate the actions of a relatively new adversary or a custom kind of adversary. So that would be the main difference. When we are doing adversary emulation, we are having the list of previously detected tactics and adversaries, and we're just trying to replay the actions performed by this adversary within our organization to identify the efficiency of the cyber defense systems within our organization. When it comes to simulation, a couple of people, like I mentioned, are using the word simulation similar to emulation, but it is not similar. We can do it manually; we can manually simulate the actions of an adversary within our organization. There is no rule that it should be previously discovered actions; we can come up with new actions and we can try to simulate the actions of an adversary from any number of angles. Also, we can perform adversary simulation as a red team engagement, a full scope adversarial assessment; we can call it adversarial simulation, but it's not the same as emulation. That is kind of performing a full scope adversarial assessment against our organization, and that is the actual meaning of a red team: a full scope adversarial assessment against our organization.

Moving on to the next slide, here we can start building an internal red team. Most of the things mentioned in this presentation are from my own experience and from the awesome contributors of the information security community. So before going forward: most of the companies, most of the cyber security and other companies, nowadays are having their own security teams, right? It is very common that an organization might be having an internal pen testing team, or maybe an internal web application security assessment team. For example, if there is a product company, for sure they'll be having a product security assessment team; they'll be helping the organization to identify the security vulnerabilities which can be there in that product, maybe a web application, maybe a client application, whatever it is. For example, companies into devices or companies into manufacturing will be having an internal security team to identify the vulnerabilities that may be there in that product, right? So that is very common nowadays; most of the companies are having internal security teams, because IT security became a part of compliance now. As part of compliance, most of these organizations will have to perform internal security assessments and vulnerability scanning and stuff like that. So this is nothing new, that an organization will be having their own dedicated security teams. Maybe if they have a mature security program they will be having different teams for different tasks: a different team for web application security assessment, a different team for infrastructure, and then for cloud and stuff like that. So this is not a new thing, right? But what if this organization wants to move to the next level? For example, we are seeing a lot of new adversaries and attack tactics coming into the industry, right? So what if an organization wants to go to the next level? I think this talk would be helpful for that kind of audience, who is trying to set up their own internal red team.

Now on to the next slide. Okay, so this is the very first slide regarding the Internal Red Team Operations Framework. I would not call this a framework; I would not name it a framework. It's kind of a couple of steps to create your own internal red team operations; that is the actual purpose of this talk. I don't know why I put framework, but still, it's a well-defined set of steps, so that you can follow those steps and actions to create your own offensive security team within your organization.

so i have divided that into five different phases because we know that for example in all of the organizations we not build something from the scratch to fully mature uh step within a couple of months right so we need to afford everything for if you are making a product if you are doing internal security assessment maybe you are if you are creating uh something up something else so everything needs to be perfectly aligned with the timeline and that needs to be communicated with the management right so because of without the management or without the funding we cannot do anything within within an organization if there is any organization so that's the reason i had to split that into

different different set of faces because uh even if we are i mean we nowadays we are using agile platforms right agile frameworks right you know to get things done so something like that so it will be easier for us to build stuff into different set of items then follow concentrate on a simple tactical packs so here we have five different faces face onto phase five i really wanted to put you know superman's picture in these slides for example a baby superman then a teenage superman then you know he learns to walk and run then eventually uh he starts to fly but i could not find a decent guy who you know who could do that right for

example creating a baby superman to a fully mature superman so that's the reason i had to use this picture and go into the phase one so here we have internal team operation space one which is scoring this is very much important because these are the foundation of building an internal uh team or internal offensive security team the very first thing would be define the practical goals and objectives every or every organization would be having different set of business concepts business different set of business goals and stuff like that so your internal team internal offensive team's goals must be aligned with your organization's goal that is very very much important and second thing would be getting the

budget approval uh for example you need to come up with a plan uh how are you going to uh you know take care of this team how are you going to build the team what is that what are the timelines what are the tools required what are what are the team size how much people what is the manpower record stuff like that then you need to get the budget approval and thirdly you need to identify the crown jewels and people for example if you are creating an internal frenzy secular team uh you need to understand right so what is your organization's uh initial uh you know business or their area of uh you know activities then you need to identify

what are your organization's critical assets or crown jewels so if it is a manufacturing company that would be their their ip right their secrets right if it is a product company that would be their source code or is your crown jewel if it is a services company then it is their techniques and other stuff you know that is their counselors so based on your organization's industrial you know uh industry then you need to identify the councils and people uh i i said people because uh most of the business have their own you know uh like executive people right they may be a target most of the time so we need to come identify the councils assad's and people

of that your organization then you need to come up with our rules of engagement how are you great trying to create this in general team that is only uh is it going to be only internal or are we are we trying to do our time to access the same organization other locations as well from an external facing or internal facing only stuff like that and number of things are there so you need to create uh rules of engagement that is very very much important then reporting an other process documentation of i mean that is all related to paperwork and it is also a critical one or you know ro needs to be uh reviewed by uh i mean higher

management and legal department that is very critical i will show you an example it happened last year 2019 uh you know there is a company called called fire security that is very uh one of the uh you know major players in the in the offensive security industry so a two of their uh consultants were arrested during a physical security assessment uh because you know for example you can read about in their call first block and testoster can also uh you know publish their blog regarding that it happened because you know a couple of misunderstanding and stuff like that so we need to make sure we always have proper escalation and proper point of contact and strong legal documentation

rule of rules of engagement stuff etcetera etcetera that is very much important to prevent stuff like that from being happening so uh there is a episode from uh darknet diaries unnamed the courthouse or you can uh i mean listen to that episode that is a very awesome episode where these two consultants are explaining about their experiences which happened during that assessment also after that incident practice uh published uh of their documentation for physical security testament which is a good reference and don't forget to hear listen to that episode from our documentary that is that is really really awesome okay then you'll have to understand the technologies in use uh within your organization on i mean

internal infrastructure the devices hardware devices other than cloud infrastructure are we totally relying into relying on aws infrastructure or actual stuff like that then what is the active dirty implementation what is the uh what are the devices which is being used within the organization and you know all the technologies which are in use within your organization that that is very critical then understand the security post of your organization uh this is recommended because uh it is not magic right you need to understand your own organization's security porsche along with the weakness uh for example of the end user laptops the end user laptops are they're only having an antivirus software or are they having edr or do they have

epm uh i mean endpoint uh privilege manager i mean endpoint uh privilege manager tools to improve the security are they having dlp are they having internet level proxies to prevent outbound traffic stuff like that so you need to understand the the entire security post of your organization uh you know what is the attack surface from the cloud what are suffers from the internet so that is a very very long process you need to understand that that is very critical and hire the talent because uh i mean if you have i mean a lot of budget and stuff like that you need to get uh awesome people for the job right talent is everything you need to

uh hire the talent uh in a in a very very efficient way i i always showcase this slide as an example of a perfect team because uh this from a show called uh you know the a team i mean i'm not talking about the new a team it's a the old one so if you're looking at uh camera handyman he's a leader right also at the same time he's a solo player all of this his teammates they have they are skilled in different set of areas they can uh do stuff as solo and they can work as a team uh which would be kind of a false multiplayer thing right so uh your team must be uh similar to

this or you know they'll be you must be having people who are uh very much skilled in different set of technologies and uh you know other stuff and uh i mean you also always try to include someone uh someone is non-technical or someone is not from the security industry or you know from someone from not some fargo someone uh who is not from the offensive security industry because just imagine a bunch of hardcore technical guys are writing a phishing campaign email you know that would not look good so for that matter it is always good to have other non-technical people such as hr or someone in your team uh you know as an address also there is

one more thing uh for example in my team uh maybe i'm not also good as uh good in writing shell card or creating uh new command and control programs or something like that maybe someone in my team maybe my team member is very much skilled in uh writing shell code and creating custom malware binaries so that is one thing so uh all i have to do is maybe the operators in the team all they have to do is get that code which is written by your teammate and put it put that into use right so that is called teamwork and there should not be no place for ego within your team because everyone is killed in uh you know their

own area and you know as a team uh everything should comes under a single entity and you know put it in a good manner um going to the next slide i i forgot to mention one more thing uh when it comes to your team of i mean the team must be the team and team members must be able to walk under excessive amount of pressure that is one more critical thing because nowadays we can i i personally seeing that many people are many many new people they cannot handle the pressure uh maybe during an assessment uh you know during if they are doing something individually uh they cannot actually handle the pressure uh you know that is

one critical thing that t members must be able to work under excessive amount of pressure that is very much recommended go into the next slide so this is the phase two of your internal team operations framework the very first thing would be uh creating external infrastructure red team infrastructure so uh that is a very very uh critical on i'll show you an example so i got this uh the basic image from blue screen blue screen of jeff.com you know he's a nice guy who is writing a lot of articles related to team infrastructure and stuff you know similar to i mean stuff similar to uh with respect to a team teaming and later stuff so i got this uh diagram from that

website and i made a couple of modifications this is kind of a very basic uh infrastructure which can be used for uh your organization i mean to attack your to simulate the actions of an advisory against your organization so for example we have a victim here and a different set of like surveys are hosted each server is uh i mean circuit with a revised proxy or a redirector right for example uh the corporate user is having uh i mean that your organization is having a routine right i don't know if your payload or one of your phishing campaign got flagged and your blue team is performing investigation against that domain if they are finding out that this domain

is related to a certain ip they will be blacklisting that domain and an ip address right so you need to secure your actual uh command and control and service behind the redirections so even even if they're uh blacklisting or blocking that would be that domain name and uh that redirect is right that release proxies so i mean this topic the infrastructure itself uh we can spend uh a couple of hours to explain about the the infrastructure itself and i heavily suggest uh if you are hosting this i heavily suggest using uh cloud service power day such as aws and azure because nowadays most of the organizations are moving into cloud like office 365 and aws right

and for example if you're hosting a command and controlled server in an aws ip with aws url and it is uh and the chances are the traffic will be uh you know going out out of the firewall maybe most of the organizations are whitelisting issued domains and aws are domain names and for example if you want to host a malware binary and you know execute a new laptop or actually download it in your laptop uh the very easiest way would be uh uploading that into an s3 bucket for example i mean more if your organization see organization is heavily relying on on aws services then things are most likely they will be allowing s3 packets that you also

see three practice right so i mean this in this creation of instructor itself will be a whole or different new talk and this is a you know basic uh setup going back to the previous slide okay 15 minutes and also be friends with your organization's blue team because uh if you're considering any organizations their blue team will be having all the fancy tools like all the enterprise level tools they'll be having a a sim tool they'll be having edr console they'll be having dlp console epm console pm console they're having all these cool tools right so it is essential to uh be friends with your organization cyber defense team so that you can also learn you can also identify

how the blue team is identifying your activities, blocking it, defending it. So that is very critical. Then the emulation part; again, the adversary emulation part itself can be a whole new talk. There are two well-known open source tools out there called Atomic Red Team and Caldera, so you can emulate the actions of a previously known adversary within your organization, and you can also have a look at the detection reports which came from the blue team and you can identify the gaps. This is a relatively easy task. Then validate the current defense mechanisms with the blue team, from MITRE; this is relatively easy because recently MITRE has launched a new project called shield.mitre

that is kind of, it has a set of nice use cases which can be used for the blue teams. Then kind of manual campaigns, and again external attack surface discovery; that is important because in a real attack they'll be assessing your organization's externally facing assets, right? How many web applications are internet-facing, how many services are there, what are the assets which are internet-facing; that's kind of an entry point of an adversary, so that is also critical. Phase three: here we will come up with a set of improved TTPs. For example, we spent some time to understand the current security posture of your

organization, right? For example, if your organization is blocking the execution of PowerShell scripts, or they are blocking powershell.exe to prevent you from executing PowerShell scripts, you can try with unmanaged PowerShell scripts; maybe you can validate whether the unmanaged PowerShell scripts are being detected by your organization's antivirus or EDR. So stuff like that, always come up with improved TTPs. Then identify and eradicate findings, because in the previous step we found the crown jewels and vulnerabilities of your organization, right? Now we need to patch those previously identified vulnerabilities. For example, a couple of senior executives of your organization are not using two-factor authentication for their email services

or a critical dashboard of your company, so we can address them to use, I mean, address them to enforce the use of two-factor authentication for all of their accounts. So it's things like that. The evaluation of the incident response process; automated adversary emulation, because in the previous step we did adversary emulation, now we can do it periodically, we can automate it and within a certain time interval we can perform automated emulation. Then improved RTO process documentation, because when we reach phase three we would be having a set of objectives and we'll be having a set of items in your hand, right? Based on that we can come up with an

improved version of red team operations documentation and process. Go into phase four. So again, all these items, all these steps or the sub-points which I had mentioned, they can be a new talk because they can be a very, very long set of items, a long set of tasks. This is not an easy thing, right, building a team from scratch. So here one important item is collaborative and continuous purple team exercises. So purple team, it is kind of trending nowadays because every organization has to identify the effectiveness of their security measures, the effectiveness of their cyber defense teams, so it's like the red teams are

actually helping them, because all the adversarial actions performed by the red team, it is there to enhance the capabilities of your blue team, right? Because everything will be reported; for example, you found a way to bypass an antivirus, you found a way to bypass EDR, you found that a couple of security policies are not well configured in your organization; everything will be handed over to the blue team and it will enhance their capabilities, they will be fortifying their capabilities, right? So that is the end goal of being in an internal red team: your end goal would be enhancing the capabilities of your company's blue team. Always keep that in mind. So again, enterprise tooling capabilities: in the beginning

we are using open source tools and stuff like that, right? Now, when we reach phase four, a higher phase is there, right, so we can move on to enterprise tooling capabilities, or maybe instead of using free command and control such as Empire, Covenant, we can move on to Cobalt Strike, then Immunity CANVAS, then other enterprise tools. Then one of the important items in this phase would be to start doing covert physical security assessment, because we all know that when it comes to full-scope red team assessment, physical security is a part of it, right?

So it's kind of a very, very interesting area. So when we reach this phase, because we have taken care of many other aspects of that organization, when we reach there, also start doing covert physical security assessment. So what is covert physical security assessment? For example, when we think about physical security assessment, that is all about lock picking, getting into an organization, evading countermeasures such as RFID scanners, security guards, stuff like that, right? But when it comes to covert physical security assessment, this is all about, I mean, we are not doing anything in covert mode; we are going into your

organization and walking through the doors, and we are inspecting the data centers and other physical security measures to understand, I mean, we will be walking along with the people from that facility; we are not doing anything in covert mode, right? So we can identify the most important data centers, manufacturing plants, processing centers, stuff like that, to identify many physical security related findings. For example, if you are looking at this screenshot, you can see that this is from a smart TV, right? It's a kind of smart TV which is used for performing video

conferencing and stuff like that. If you are placing a dropbox, a physical dropbox, in the back of this TV, it cannot be detected. So I have used these slides when I presented something at this year's Nerdcon conference, and my question to people was to identify the attacker's dropbox which is attached behind this TV in this screenshot, and most of the people were not able to identify that. And then proactive remediation process and plans: always, as a result of the first three phases, we'll come up with a proactive remediation process and plans, because all these identified issues need to be remediated, right?

And the funny thing about our physical security assessment: you don't get to break any doors or locks; just do a review to identify these vulnerabilities in physical systems. Always keep an eye open. Okay, I have eight more minutes. So this is the final phase, phase five. This is where we will attain a place of mature red team operations, because we did a lot of stuff in the past four phases, right? So by the time we reach phase five we'll be having a significant improvement of organizational security posture, because we identified many issues, we

shared our findings with blue teams, we shared our findings with management, and they did a lot of remediation against these findings. So by this time we'll be having highly skilled operators who have the capabilities to write custom code, custom command and control servers and stuff like that, and most importantly we will be having a well-defined maturity model to measure the progress of red and blue team capabilities, because we are not there to just do things, right? So we need to have a well-defined way so that we can track our own progress and convey that to the management, because they are spending money on all these activities. So that is very much

important. Then we can start doing covert physical security assessment, because we have cleared most of the things in the past four phases. Then, like I mentioned, custom tooling capabilities, and one of the important things would be continuous adversary emulation and simulation to keep defenders on their toes, because every week or every day new attack vectors, new PoCs come into play, right? So we need to do continuous simulation and emulation exercises so that defenders will be on their toes and will be more efficient. Then continuous red team operations with well-defined process, because these things are not happening in a day or a couple of months;

it will take a significant amount of time to reach phase five of internal red team operations. Going to the next one. So this is the important part, because we have strategic plans and tactical plans. So for example we have a long-term objective: we need to identify how many senior executives are in our company and how many of them are vulnerable to phishing attacks. So that is the long-term objective. We can split that into tactical plans; tactical plans last for four to five months. Within four to five months we can understand who all the senior executives are, how many of these

people are vulnerable to simple phishing campaigns, then perform awareness, then ask them to enable two-factor authentication. So every strategic plan can be divided into tactical plans and put into play. I have followed this method for a long time and it gives results. Also there is one more point: the management always needs updates about everything. They are asking us to perform red teaming operations, and they are not supposed to wait for like six months without any results, right? So they need periodic updates from our end, so the best way to do that is having

tactical plans for each subcategory from a business standpoint. And about this picture: I always really wanted to show off this image, because this is the perfect symphony between the attackers and defenders, adversaries and defenders. We created this conceptual red team versus blue team picture for a CTF which we had organized two years ago for the c0c0n cyber security conference. This picture is portrayed in a native Kerala martial art form called Kalaripayattu. I really like this picture; the c0c0n organizing team had created this image for us. I really like to show off

this picture in almost every presentation which I give. It is a really cool example of the actual symphony between red teams and blue teams. They are not enemies, because, for example, the red guy comes up with a new tactic, the blue guy handles it and prevents it, right? So the next time the red guy attacks the blue guy, he has to come up with a new attack plan, he has to come up with new tools, techniques or procedures. It's kind of a game, a kind of martial art. So that's how I like, or expect, the red team and the

blue team should be working together. And yeah, I saved two minutes, right? So now it's time for Q&A. I know I talked a little bit faster this time because I wanted to keep it within 45 minutes.

I'm afraid it's two minutes until the next speaker is on, so very little time, but that said, there are no questions in the comments field. But thank you for that, that was absolutely fascinating, and I always like a presenter who pulls together some great-looking slides. There's an art to making good PowerPoint and good slides for a presentation

and

[ feedback ]
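As an added example (not code from the talk or the speaker), the "identify the gaps" step from the adversary emulation discussion and the phase-five progress metric worked through on constructed data: each emulation round records which ATT&CK techniques were run, the blue team's report records which of them were detected, and the script yields per-round detection coverage, the undetected techniques to hand over to the blue team, and the coverage change between rounds. Function and variable names are assumptions; the technique ids are real ATT&CK ids, the rounds and results are invented.

```python
"""Detection-gap analysis across adversary emulation rounds (added example).
Constructed inputs: a red team emulation log and a blue team detection
report, both keyed by round and ATT&CK technique id."""
from collections import defaultdict

# Constructed sample data: technique ids are real ATT&CK ids, rounds are invented.
EMULATION_LOG = [  # (round, technique executed by the red team)
    (1, "T1059.001"), (1, "T1003.001"), (1, "T1566.001"), (1, "T1021.002"),
    (2, "T1059.001"), (2, "T1003.001"), (2, "T1566.001"), (2, "T1021.002"),
]
DETECTION_REPORT = [  # (round, technique the blue team alerted on)
    (1, "T1059.001"), (1, "T1566.001"),
    (2, "T1059.001"), (2, "T1566.001"), (2, "T1003.001"),
]

def coverage_by_round(emulation, detections):
    """Return {round: (detection coverage ratio, sorted undetected technique ids)}."""
    executed = defaultdict(set)
    for rnd, tid in emulation:
        executed[rnd].add(tid)
    detected = defaultdict(set)
    for rnd, tid in detections:
        detected[rnd].add(tid)
    result = {}
    for rnd in sorted(executed):
        gaps = executed[rnd] - detected[rnd]          # executed but never alerted on
        hit = len(executed[rnd] & detected[rnd])      # alerts on techniques not run are ignored
        result[rnd] = (hit / len(executed[rnd]), sorted(gaps))
    return result

def progress(emulation, detections):
    """Coverage delta between the first and the latest round: a simple progress metric."""
    rounds = coverage_by_round(emulation, detections)
    first, last = min(rounds), max(rounds)
    return rounds[last][0] - rounds[first][0]

if __name__ == "__main__":
    for rnd, (cov, gaps) in coverage_by_round(EMULATION_LOG, DETECTION_REPORT).items():
        print(f"round {rnd}: {cov:.0%} detected, gaps to hand over: {gaps}")
    print(f"coverage change since round 1: {progress(EMULATION_LOG, DETECTION_REPORT):+.0%}")
```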