WHO WATCHES THE WATCHMEN? ADVENTURES IN RED TEAM INFRASTRUCTURE HERDING AND BLUE TEAM OPSEC FAILURES presented at HackinParis 2019

by Mark Smeets

URL : https://www.youtube.com/watch?v=ZezBCAUax6c&list=PLaS1tu_LcHA88Ir4BH5FBtuZKxl9tHWRw&index=7&t=0s

Summary : In this talk we explain our approach for red team infrastructure herding and using that to bust OPSEC failures of blue teams. We discuss our latest research on this topic and present a new version of our open-source tooling RedELK. When performing multi-month, multi-C2-teamserver and multi-scenario red team operations, you are working with an infrastructure that becomes very large very quickly. This makes it harder to keep track of what is happening. Coupled with the ever-increasing maturity of blue teams, this makes it more likely that the blue team is somewhere analysing parts of your infra and/or artefacts.