The Roundup: Red Team

MC: Corey Overstreet
Topic: Red Team
Price: $0 (Free to Attendees)
August 12, 2021
Time: Noon to 5PM ET

The landscape of an attacker’s tactics, techniques, and procedures (TTPs) is constantly evolving as the defensive side shores up holes in their networks and detection of intruders becomes ever faster. As red teamers, we not only have to find the cracks in the walls that allow us in but have to remain undetected while doing so. Join us for this Red Team Roundup where we’ll discuss new and well tested methods for getting in, staying in, and achieving our objectives.

Join Corey Overstreet from Red Siege Information Security (@retronaut7) for this August’s Roundup event.

Matt Toussain, Founder of Open Security

Since graduating from the US Air Force Academy in 2012, Matthew Toussain has served as the Senior Cyber Tactics Development Lead for the US Air Force and worked as a red teamer for Black Hills Information Security and CounterHack Challenges. In 2014, he started Open Security to focus on a more holistic approach to cybersecurity from incident response through red teaming. He is the author of SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment and has created numerous popular penetration testing tools. Matt is also a Grand Champion of NetWars Tournament of Champions. An avid runner and #RedTeamFit influence peddler, Matthew is a passionate supporter of cyber competitions such as the Collegiate Cyber Defense Competition and SANS Institute’s NetWars.
Twitter: @0sm0s1z

Chris Truncer, Co-Founder of FortyNorth Security

Christopher Truncer is a co-founder of FortyNorth Security. He is a co-founder and current developer of the Veil-Framework, a project aimed at bridging the gap between advanced red team and penetration testing tools, as well as WMImplant, EyeWitness, and other open-source software. Chris began developing tools that are not only designed for the offensive community but can also enhance the defensive community’s ability to defend their networks.
Twitter: @ChrisTruncer

Joe Vest, Cobalt Strike Technical Director at HelpSystems

Joe has nearly 20 years of experience in red teaming, penetration testing, and application security. Joe is currently the Cobalt Strike Technical Director at HelpSystems. His prior experience includes authoring the book “Red Team Development and Operations,” serving as the original author of the SANS 564 red team course, leading a DoD red team, owning a security consulting company, and serving as a director at SpecterOps. This diverse experience has given him extensive knowledge of cyber threats, tools, and tactics, including threat emulation and threat detection.
Twitter: @joevest

Tyler Robinson, Director of Offensive R&D at Trimarc Security / Founder and CEO of Dark Element

With over two decades of security experience in both the offensive and defensive spaces, Tyler has worked with and for the industry’s most prestigious companies, leading teams of elite operators.

Tyler specializes in red teaming, APT threat modeling, black-box network penetration testing, physical and social engineering, and purple teaming. He has a deep-rooted technical understanding of enterprise network architecture, configurations, and defensive strategies, and has helped secure and advised companies worldwide on these topics.

Tyler has presented at multiple conferences, including BSides, DEF CON and Black Hat panels, and SANS security events, and to multiple branches of the military. He has also helped teach the DarkSide-Ops and Accessing & Exploiting ICS classes at Black Hat.

Tyler has helped develop world-class offensive security capabilities, strategies, and service programs at several companies, including Silent Break Security, InGuardians, Inc., Nisos, and now Trimarc, directly shaping offensive operations and research.

Currently, as Managing Director of Offensive Security & Research at Trimarc, Tyler leads a team of high-performance offensive security professionals, simulating sophisticated adversaries and creating scalable offensive security platforms using the latest techniques seen in the wild.

Tyler serves as a highly technical operator on client engagements while managing and leading offensive technical operations within Trimarc. In addition to providing strategic guidance and advice to Trimarc’s leadership and to new and existing clients, Tyler helps guide product development, offensive capabilities, and infrastructure to ensure future-proof resiliency and excellence in the market. Tyler also supports business development by representing and marketing the Trimarc brand through training, conferences, speaking, and client cultivation.
Twitter: @tyler_robinson

Maril Vernon, Offensive Security Engineer at Zoom Video Communications

Maril Vernon, @SheWhoHacks, is a Red Team Operator for Zoom Communications and a Pluralsight author, specializing in red teaming tools, purple team methodology, MITRE ATT&CK, and cloud security strategies. Maril’s expertise on VPN exploits was featured on the Cyber Security Forum Initiative, and she is a contributing editor of the latest CIS AWS Foundations Benchmark for cloud security. She broke into information security a year and a half ago and is an example of what you can achieve in a short time.
Twitter: @SheWhoHacks

Schedule (Time | Speaker | Presentation)
12:00PM to 12:45PM ET | Joe Vest | Title: Why We Red Team – The Real Value of Threat Emulation

Abstract: Before we can talk about testing an organization’s security, including red team engagements, we must start at the beginning and consider the overall plan for security operations. Designing, building, deploying, operating, and managing a comprehensive security program is not an easy task. Pressure from every direction drives a security program: compliance, management, peers, budget, and news all influence it. Although this process is complex and challenging, organizations can overcome these pressures and design and implement what is considered a robust security program.

Organizations can please various parties when describing the security operations plan and, at least on paper, express a strong security program designed to stop a malicious attack. These programs pass audit and compliance checks, have a robust patch management system, conduct vulnerability assessments and penetration tests, and generally have good security hygiene. These are all great steps in defending a network from attack, but unfortunately, they still fall short of achieving the primary goal of preventing, detecting, and responding to a real threat. Why? What is missing? We must consider this question.

Are organizations building security programs designed to address the threat?

This presentation dives into the shortcomings of security operations planning, design, implementation, and testing and how applying threat-based security testing (red teaming) can reduce these gaps and ultimately improve the state of security.

1:00PM to 1:45PM ET | Chris Truncer | Title: What the F#$%

Abstract: The shift in offensive security from PowerShell to .NET resulted in the creation of an entire arsenal of Sharp* tools, like SharpUp, SharpDPAPI and SharpMapExec. All of these awesome Sharp* tools have been written in C#, but the .NET framework works with a second sharp (#) language, F#. F# runs easily on top of Windows systems, which makes it an interesting but not (yet) widely used language.

F# hasn’t been widely explored (publicly) by many offensive security firms, but penetration testers and red team operators can use F# to execute many of the post-exploitation steps commonly performed on an assessment via C#.

During this talk, we’ll demonstrate how we’ve used F# for offensive security engagements. Specifically, we’ll cover the basics of F#, its differences from C#, real-world examples of using F# on engagements, and detection considerations, and we’ll revisit the previous release of a tool, appropriately written in F#, which you can use for your assessments! Been interested in using unmanaged F# code? Well, now can be your chance!

2:00PM to 2:45PM ET | Tyler Robinson | Title: Breaking and Entering: A Hacker’s Field Manual for Physical Access

Abstract: In this speedrun primer talk on physical penetration testing you will learn:

  • Physical 101
  • Full Scope Red Team Tales for Initial Access
  • How to properly demonstrate impact using physical penetration testing within an engagement
  • Social Engineering done right
  • Physical Pro-tips to not get shot
  • and more…

Join me to learn about physical operations: a primer on the tactics, techniques, and procedures used in physical penetration tests.

3:00PM to 3:45PM ET | Matt Toussain | Title: The .NET Assembly and You! | How Library-based Post-Exploitation is Changing the World of C2

Abstract: Chances are that you’ve hacked some stuff? With what? A Command and Control tool to provide remote access, right? As offensive security practitioners, we often find ourselves picking between tools based on factors like AV and network evasion, post-exploitation features, lateral movement capability, and even ease of use. What if we could have our cake and eat it too? What if we could have every feature and simply bring them along for the ride? Let’s talk about the .NET Assembly. Let’s build them, execute them, and obscure them. Let’s show these networks who’s boss!

4:00PM to 4:45PM ET | Maril Vernon | Title: Leveraging CTI, PTEs, and TTP tracking in Internal Red Team Operations

Abstract: So you’ve survived a pentest or two, and you think you’re ready for a Red Team engagement, but what does that really mean? What are the differences? How do you plan one? Who’s involved? How are they conducted? What’s in scope? How do you take what you’ve done and translate it into actionable remediations or items you can track? It sounds really cool, but what’s the benefit or the point to senior managers and other stakeholders? This talk will illuminate how red team operations are meant to be leveraged, planned, and executed, and the value they provide, along with some tools you can employ for tracking and remediating defenses. Additionally, we’ll touch on the continuous feedback loop red team operations can play in purple team exercises and the way these can influence future red team operations while bolstering security for your organization. Whether you’re a sysadmin, CISO, operator, analyst or pentester, red team operations can provide value and play an important role in your security program.