
SEC564: Red Team Operations and Threat Emulation New

This course provides the foundation needed to manage and operate a Red Team and conduct Red Team engagements. What is Red Teaming? Red Teaming is the process of using tactics, techniques, and procedures (TTPs) to emulate a real-world threat with the goals of training and measuring the effectiveness of people, processes and technology used to defend an environment.

Red Teaming is built on the fundamentals of penetration testing, yet focuses on specific scenarios and goals used to evaluate and measure an organization's overall security defense posture. That posture includes people, processes, and technology. This course will explore Red Teaming concepts in depth to provide a clear understanding of what a Red Team is and its role in Security Testing.

Organizations spend a great deal of time and money on the security of their systems. Red Teaming uses a comprehensive approach to gain insight into an organization's overall security. Red Teams have a unique goal of testing an organization's ability to detect, respond to, and recover from an attack. When properly conducted, Red Team activities significantly improve an organization's security controls, help hone defensive capabilities, and measure the effectiveness of security operations.

The Red Team concept requires a different approach from a typical security test, and it relies heavily on well-defined tactics, techniques, and procedures (TTPs). These are critical if a Red Team is to successfully emulate a realistic threat or adversary. Red Team results exceed a typical list of penetration test vulnerabilities, provide a deeper understanding of how an organization would perform against an actual threat, and identify where security strengths and weaknesses exist.

Course Syllabus

Overview

Day 1 begins by introducing Red Team topics, concepts, and ideas. You will learn what Red Teaming is, how it is used, and how it compares to other security testing types such as vulnerability assessments and penetration tests. Several topics, concepts, and ideas that are specific to Red Teams, and which constitute the critical foundation of Red Teaming, are examined in order to provide a solid base of understanding.

Exercises
  • Setting up an Attack Platform
  • Decomposing a Threat

CPE/CMU Credits: 6

Topics
  • Red Teaming Definitions, Assumptions, and Expectations
  • Common Red Teaming Terms
  • Security Misconceptions and Assumptions
  • History and Origin
  • Red Teaming Introductions
  • How Red Teaming Compares to Other Security Tests
  • Red Team's Role in Blue Team Training
  • Live Assessment Example
  • Red Teaming Concepts
  • Red Team Roles and Responsibilities
  • Standard Attack Platform
  • Engagement Planning
  • Understanding and Controlling Tool Indicators
  • Threat Planning
  • Threat Perspective
  • Threat Emulation Scenarios
  • Red Team Goals
  • Social Engineering
  • Other Red Team Engagement Concepts
  • Handling Client Data
  • Engagement Frequency
  • How to Succeed

Overview

Day 2 continues with engagement execution and a focus on Red Team tools and techniques. The day is filled with exercises that walk students through a mock Red Team engagement. Multiple Red Teaming phases are explored, and the day concludes by impacting the target organization's supply chain. During the exercises, you manage and control indicators of compromise (IOCs), design custom command and control channels, and use unique command and control tools. You will also learn the Red Teaming concepts needed to control and manage a Red Team. These include how to interface with clients, collect and log engagement artifacts, successfully execute an engagement, manage deconfliction, properly end an engagement, and deliver a professional report.

Exercises
  • Using Web Shells to Support C2
  • C2 Design and Customization - PowerShell Empire
  • Performing Operational Impact Against an ICS System

CPE/CMU Credits: 6

Topics
  • Red Team Engagement Execution
  • Data Collection
  • Tradecraft and TTPs
  • Execution Concepts
  • Tools and Techniques
  • Engagement Background
  • Engagement Culmination
  • Red Team Engagement Reporting

Additional Information

To get the most value out of this course, students are required to bring their own laptop so that they can connect directly to the workshop network we will create. It is the students' responsibility to make sure the system is properly configured with all drivers necessary to connect to an Ethernet network.

VMware

The class does not support Virtual Box, VirtualPC, or other non-VMware virtualization products.

You will use VMware to run a Linux guest operating system to perform exercises in class. You must have either the free VMware Player 6 or later or the commercial VMware Workstation 10 or later installed on your system prior to coming to class. You can download VMware Player for free here.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on their website. No license number is required for VMware Player.

If you plan to use a Macintosh, please make sure you bring VMware Fusion.

Mandatory Laptop Hardware Requirements:

  • x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
  • 8 GB RAM minimum, with 16 GB or higher recommended
  • Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you)
  • 40 GB available hard-drive space
  • An available USB Port

During the course exercises, you will be connecting to a hostile network. Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks during course exercises.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Security professionals interested in expanding their knowledge of Red Teaming
  • Penetration testers
  • Ethical hackers
  • Defenders who want to better understand offensive methodologies, tools, and techniques
  • Auditors who need to build deeper technical skills
  • Red Team members
  • Blue Team members
  • Forensics specialists who want to better understand offensive tactics

The concepts and exercises in this course are built on the fundamentals of offensive security. An understanding of general penetration testing concepts is encouraged, and a background in security fundamentals will provide a solid base upon which to build Red Teaming concepts.

Many of the Red Teaming concepts taught in this course are suitable for anyone in the security community, and both highly technical staff as well as management personnel will be able to gain a deeper understanding of Red Teaming.

  • A course USB with the SANS Slingshot Linux Penetration Testing Environment loaded with numerous tools used for all exercises
  • Details on Red Team use of common tools and their usage
  • A variety of sample documents used in planning, executing, and reporting Red Team engagements
  • Make the best use of a Red Team to understand and measure an organization's defenses. You will learn what Red Teaming is and how it differs from other security testing engagements. This course offers a unique view of the offensive security field of Red Teaming and the concepts, principles, and guidelines critical to a Red Team's success. It prepares you to design and create threat-specific goals to measure and train organizational defenders (CND/Blue Teams) and shows how a Red Team uses the "Get In, Stay In, and Act" methodology to achieve operational impacts.

Authors' Statement

"A great deal of time and money are spent on protecting critical digital assets. Many organizations focus their security testing on compliance or limited scope reviews of a system. These limited tests often leave an organization with a false sense of security. Organizations that open themselves to assessment not only of their technology, but also of their people and processes, can significantly improve their security posture and adjust a limited security budget to protect their most critical assets. Scenario-based testing and Red Team techniques can be used to determine how an organization really stands up to a realistic and determined threat."

- Joe Vest and James Tubberville

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

*CPE/CMU credits not offered for the SelfStudy delivery method

6 Training Results
  • Training Event (Waitlist): Dec 12, 2017 - Dec 13, 2017
  • Community SANS (New): Dec 18, 2017 - Dec 19, 2017
  • Training Event: Mar 17, 2018 - Mar 18, 2018
  • Training Event, SANS 2018, Orlando, FL: Apr 9, 2018 - Apr 10, 2018
  • Training Event: May 17, 2018 - May 18, 2018
  • Private Training: course of your choice, location of your choice

*Course contents may vary depending upon location, see specific event description for details.