Training and exercises. We're going to talk about tabletop exercises, penetration testing, and red, blue, and white exercises in this lesson.

Now, when we talk about tabletop exercises, we mentioned before that these are exercises that use an incident scenario against a framework of controls or a red team. So what we're going to do here is we are going to carry on a discussion of simulated emergency situations and security events. These are great because they're really simple to set up, but they tend to be more theoretical in nature and they don't provide practical evidence of what could go wrong during a real event. For example, how long will a particular task take to complete? You really can't gather that from a tabletop, but if you actually go through the actions and motions in something like a penetration test, you'll be able to see that instead.

Now, I've seen a lot of times when we're doing tabletop exercises that people start using their magic wands. Now, this is a bad thing to do because you can start getting the effect that something that might take a real team 12 hours to do can really be solved in 30 minutes, and so when something really happens, the managers start going, "Well, in the tabletop, it only took us 30 minutes to solve. Why is it taking you 12 hours? I need this system up right now." And so you start getting this negative training, I call it, where you start training your senior leaders to expect things to happen faster in the real world than they really can. So just be careful about that if you're dealing with a tabletop exercise.

Now, when you're dealing with a penetration test, this is a test that uses active tools and security utilities to evaluate security by simulating an attack on a system to verify that a threat really does exist. They actively test that threatened vulnerability, they bypass security controls, and then finally exploit those vulnerabilities on a given system. When you're doing your penetration test, you are going to test the system to discover vulnerabilities or prove security controls are actually working as they're supposed to. You're also going to examine the system to identify any logical weaknesses that may be there inside the system architecture, and you're going to interview personnel to gather information and see how prone they are to social engineering attacks. All of these are things you can do as part of a penetration test.

Now, when you're dealing with a penetration test, you have to make sure it is properly scoped and resourced before you can begin it. Now, what I mean by this is you have to figure out exactly what is going to be tested as part of the penetration test. If you get a penetration tester to come in and test your organization and you say, "Just go at the entire organization," that's not going to be very effective. Instead, you should tell them, "Hey, I'm really concerned about my Windows domain controller. I want you to see if you can get root access on that," and that would allow them to be able to identify exactly what your concerns are and verify your systems are working properly.

Now, when you're dealing with a penetration test, you can use either an internal team or an external team. I personally like to use third parties who are external to the organization or a separate internal red team. I don't like to use my system administrators to conduct penetration tests. It's not that they're not smart enough to do it. It's that they're biased in their approach. When you have a system administrator trying to pen test their own system, what ends up happening is they start trying to prove the system is secure instead of trying to prove the system can be attacked. As a penetration tester, our job is to be the bad guy; it's to go in and find all the holes. We want to find all the weaknesses, and the system administrators tend to try to not do that because they're trying to prove that the work they did securing the system is adequate. And so it's a different perspective, and that's why I much prefer a third party or an internal red team be used instead of system administrators.

Now, if you want to learn more about pen testing, as I said before, you should check out the CompTIA PenTest+ curriculum. In that course, there is a ton of information on how you can become a member of the penetration testing team and learn how to attack these systems from that outsider perspective.

Now, the last thing we want to talk about in this lesson is our red teams, our blue teams, and our white teams. When we talk about red teams, these are the hostile or attacking teams in a penetration test or an incident response exercise. If you hire that third-party team, that is a red team. They're trying to attack your systems. When we're talking about blue teams, these are our defensive teams in a penetration test or an incident response exercise. This is our system administrators. This is our network defenders. This is our cyber security analysts, like you. You're going to be part of the blue team.

And then we have the white team. This is the staff who administer, evaluate, and supervise a penetration test or incident response exercise. They're also going to be responsible for building the network if you're going to be using a third-party network as part of your test. Sometimes organizations don't want to do active testing on their real live networks, so they'll build a training ground and they'll put their red teams and their blue teams, if they have internal red teams and internal blue teams, against each other in this simulated environment. Well, somebody has to build and support this entire ecosystem, and that's what the white team will do. I like to think about the white team as the referees. They're also going to be the ones who are going to report after the event and say, "This is what the red team did well, this is what the blue team did well, and here's what they both did not so well." That's the role of the white team.