SEC564: Red Team Operations and Threat Emulation

Provided by SANS

About the course

Red Teaming is the process of using tactics, techniques, and procedures (TTPs) to emulate real-world threats in order to train and measure the effectiveness of the people, processes, and technology used to defend environments. Built on the fundamentals of penetration testing, Red Teaming uses a comprehensive approach to gain insight into an organization's overall security in order to test its ability to detect, respond to, and recover from an attack. When properly conducted, Red Team activities significantly improve an organization's security controls, hone its defensive capabilities, and measure the effectiveness of its security operations.

The Red Team concept requires a different approach from a typical security test and relies heavily on well-defined TTPs, which are critical to successfully emulate a realistic threat or adversary. Red Team results exceed a typical list of penetration test vulnerabilities, provide a deeper understanding of how an organization would perform against an actual threat, and identify where security strengths and weaknesses exist.

Whether you support a defensive or offensive role in security, understanding how Red Teams can be used to improve security is extremely valuable. Organizations spend a great deal of time and money on the security of their systems, and it is critical to have professionals who can effectively and efficiently operate those systems. SEC564 will provide you with the skills to manage and operate a Red Team, conduct Red Team engagements, and understand the role of a Red Team and its importance in security testing. This two-day course will explore Red Team concepts in-depth, provide the fundamentals of threat emulation, and help you reinforce your organization's security posture.

Course Syllabus

SEC564.1: Introduction, Planning, and Management of Red Team Operations

Overview

Day 1 begins by introducing Red Team topics, concepts, and ideas. You will learn what Red Teaming is, how it is used, and how it compares to other security testing types, such as vulnerability assessments and penetration tests. Several topics, concepts, and ideas that are specific to Red Teams, and which constitute the critical foundation of Red Teaming, are examined in order to provide a solid base of understanding.

Exercises

• Setting Up an Attack Platform
• Adversarial Mindset Challenge
• Analyzing, Understanding, and Controlling Indicators of Compromise (IOCs)
• Decomposing a Threat
• Secure Credential Files

CPE/CMU Credits: 6

Topics

• Red Teaming Definitions, Assumptions, and Expectations
• Common Red Teaming Terms
• Security Misconceptions and Assumptions
• History and Origin
• Red Teaming Introduction
• Standard Attack Platform
• How Red Teaming Compares to Other Security Tests
• Red Team's Role in Blue Team Training
• Live Engagement Example
• Red Teaming Concepts
• Red Team Roles and Responsibilities
• Engagement Planning
• Threat Planning
• Threat Perspective
• Threat Emulation Scenarios
• Red Team Goals
• Social Engineering
• Other Red Team Engagement Concepts
• Handling Client Data
• Engagement Frequency
• How to Succeed

SEC564.2: Red Team Engagement Execution

Overview

Day 2 continues with engagement execution and a focus on Red Team tools and techniques. The day is filled with exercises that walk students through a mock Red Team engagement. Multiple Red Teaming phases are explored that use realistic TTPs to ultimately impact the target organization's supply chain. During the exercises, you manage and control indicators of compromise, design custom command and control channels, and use unique command and control tools. You will also learn Red Teaming concepts needed to control and manage a Red Team. These concepts include how to interface with clients, collect and log engagement artifacts, successfully execute an engagement, manage deconfliction, properly end an engagement, and deliver a professional report.

Exercises

• Using Web Shells to Support C2
• C2 Design and Customization -- PowerShell Empire
• Performing an Operational Impact Against an ICS System

CPE/CMU Credits: 6

Topics

• Red Team Engagement Execution
• Data Collection
• Tradecraft and TTPs
• Execution Concepts
• Tools and Techniques
• Engagement Background
• Tools and Techniques (Continued)
• Engagement Culmination
• Red Team Engagement Reporting

 Who Should Attend

• Security professionals interested in expanding their knowledge of Red Teaming
• Penetration testers or ethical hackers looking to understand how Red Teaming is different from other security testing types
• Defenders who want to better understand offensive methodologies, tools, and techniques
• Auditors who need to build deeper technical skills
• Red Team members looking to better understand their craft
• Blue Team members looking to better understand how Red Teaming can increase their ability to defend
• CND/CNE Teams
• Forensics specialists who want to better understand offensive tactics
• Information security managers who need to incorporate Red Team activities into their operations

Prerequisites

The concepts and exercises in this course are built on the fundamentals of offensive security. An understanding of general penetration testing concepts and tools is encouraged, and a background in security fundamentals will provide a solid base upon which to build Red Teaming concepts.

Many of the Red Teaming concepts taught in this course are suitable for anyone in the security community, and both technical staff as well as management personnel will be able to gain a deeper understanding of Red Teaming.

You Will Receive With This Course

• A course USB with the Red Team Attack Platform loaded with numerous tools used for all exercises
• Details on Red Team use of common tools
• A variety of sample documents used in planning, executing, and reporting Red Team engagements
• MP3 audio files of the complete course lecture

This Course Will Prepare You To

• Make the best use of a Red Team and apply it to measure and understand an organization's security defenses
• Learn what Red Teaming is and how it differs from other security testing engagements
• Understand the unique view of the offensive security field of Red Teaming and the concepts, principles, and guidelines critical to its success
• Design and create threat-specific goals to measure and train organizational defenders (CND/Blue Teams)
• Learn to use the "Get In, Stay In, and Act" methodology to achieve operational impacts