WEBVTT

00:00:00.000 --> 00:00:06.073 align:middle line:90%


00:00:06.073 --> 00:00:07.740 align:middle line:84%
In this video, we're
going to be talking

00:00:07.740 --> 00:00:10.020 align:middle line:90%
about what is a Red Team?

00:00:10.020 --> 00:00:14.130 align:middle line:84%
Now, Red Team may seem
like a strange reference

00:00:14.130 --> 00:00:16.079 align:middle line:90%
for some people.

00:00:16.079 --> 00:00:18.600 align:middle line:84%
There are different
teams out there.

00:00:18.600 --> 00:00:19.710 align:middle line:90%
There's Red Teams.

00:00:19.710 --> 00:00:22.820 align:middle line:84%
There's Blue Teams
- both of which

00:00:22.820 --> 00:00:24.260 align:middle line:90%
we're going to be getting into.

00:00:24.260 --> 00:00:27.200 align:middle line:84%
There's also other teams
that were developed later,

00:00:27.200 --> 00:00:29.010 align:middle line:84%
things like Purple
Team and Tiger Team.

00:00:29.010 --> 00:00:30.680 align:middle line:84%
We're not going to
be getting into them.

00:00:30.680 --> 00:00:36.660 align:middle line:84%
The core of these types of teams
is going to be Red and Blue.

00:00:36.660 --> 00:00:39.070 align:middle line:90%
But let's talk about Red Team.

00:00:39.070 --> 00:00:43.820 align:middle line:84%
So a typical network will try to
keep out a malicious attacker.

00:00:43.820 --> 00:00:45.230 align:middle line:90%
They'll have a firewall.

00:00:45.230 --> 00:00:48.290 align:middle line:84%
They'll typically have
an antivirus, probably

00:00:48.290 --> 00:00:50.270 align:middle line:84%
some sort of monitoring
software in order

00:00:50.270 --> 00:00:53.090 align:middle line:84%
to protect their servers,
or critical files,

00:00:53.090 --> 00:00:57.380 align:middle line:84%
and their overall
infrastructure.

00:00:57.380 --> 00:01:01.570 align:middle line:84%
Now, the problem is a malicious
hacker, if they're good

00:01:01.570 --> 00:01:06.730 align:middle line:84%
or even an unwitting person
working for your company,

00:01:06.730 --> 00:01:09.190 align:middle line:84%
or it could be a
malicious person working

00:01:09.190 --> 00:01:11.770 align:middle line:84%
for your company,
an insider attack,

00:01:11.770 --> 00:01:15.510 align:middle line:84%
won't be able to
circumvent all of this.

00:01:15.510 --> 00:01:18.773 align:middle line:84%
Now, that's not
great, obviously.

00:01:18.773 --> 00:01:20.940 align:middle line:84%
And even though you got all
these different defences

00:01:20.940 --> 00:01:24.940 align:middle line:84%
in place, which are
supposed to stop people,

00:01:24.940 --> 00:01:28.150 align:middle line:84%
again, a good malicious hacker,
or a lucky malicious hacker,

00:01:28.150 --> 00:01:30.400 align:middle line:84%
will be able to
bypass all of this.

00:01:30.400 --> 00:01:32.560 align:middle line:90%
And this is really critical.

00:01:32.560 --> 00:01:36.350 align:middle line:84%
This is critical that we
figure out how to stop this.

00:01:36.350 --> 00:01:39.170 align:middle line:84%
So what can we do in
order to stop this?

00:01:39.170 --> 00:01:41.540 align:middle line:84%
Well, we could do
the usual things.

00:01:41.540 --> 00:01:44.690 align:middle line:84%
We could do user auditing,
monitor active users,

00:01:44.690 --> 00:01:50.390 align:middle line:84%
monitor inactive users, look
for unusual user accounts that

00:01:50.390 --> 00:01:52.030 align:middle line:90%
shouldn't be there.

00:01:52.030 --> 00:01:54.020 align:middle line:84%
We can implement
training, keep users

00:01:54.020 --> 00:01:59.300 align:middle line:84%
up-to-date on not only different
attacks that are coming out,

00:01:59.300 --> 00:02:02.210 align:middle line:84%
but also the company
policies that

00:02:02.210 --> 00:02:06.230 align:middle line:84%
should be changing
as things grow

00:02:06.230 --> 00:02:10.340 align:middle line:90%
or as things need to be changed.

00:02:10.340 --> 00:02:12.950 align:middle line:84%
System patching, keeping
up with critical updates,

00:02:12.950 --> 00:02:17.900 align:middle line:84%
firmware updates, shutting
down any unneeded services,

00:02:17.900 --> 00:02:20.030 align:middle line:84%
removing programs that
aren't needed anymore,

00:02:20.030 --> 00:02:24.870 align:middle line:84%
keeping your servers, switches,
wireless access points,

00:02:24.870 --> 00:02:30.110 align:middle line:84%
your workstations, et
cetera all up-to-date.

00:02:30.110 --> 00:02:33.470 align:middle line:84%
Logs, viewing and auditing
your system log files

00:02:33.470 --> 00:02:36.080 align:middle line:84%
and looking for strange
activities - all of this

00:02:36.080 --> 00:02:38.210 align:middle line:90%
is very important.

00:02:38.210 --> 00:02:43.070 align:middle line:84%
Even if you have a Red Team,
a Blue Team, both teams,

00:02:43.070 --> 00:02:45.785 align:middle line:84%
you do want to absolutely
keep up with all of this.

00:02:45.785 --> 00:02:50.780 align:middle line:84%
This is all baseline stuff you
can do to protect yourself.

00:02:50.780 --> 00:02:55.860 align:middle line:84%
However, this is always enough
to protect your network.

00:02:55.860 --> 00:02:58.250 align:middle line:84%
Especially when we
consider things like, well,

00:02:58.250 --> 00:03:03.860 align:middle line:84%
USB drops, cables that look
like phone chargers that

00:03:03.860 --> 00:03:08.030 align:middle line:84%
are actually malicious tools
that can inject keystrokes

00:03:08.030 --> 00:03:09.330 align:middle line:90%
into your network.

00:03:09.330 --> 00:03:11.570 align:middle line:84%
And we talked about
all these previously.

00:03:11.570 --> 00:03:12.780 align:middle line:90%
Social engineering.

00:03:12.780 --> 00:03:15.470 align:middle line:84%
Social engineering, again,
a very powerful attack.

00:03:15.470 --> 00:03:17.090 align:middle line:84%
And there's really
no patch for it.

00:03:17.090 --> 00:03:20.720 align:middle line:84%
There's no antivirus
or intrusion detection

00:03:20.720 --> 00:03:22.640 align:middle line:84%
or prevention system
that I'm aware of that

00:03:22.640 --> 00:03:30.410 align:middle line:84%
will stop a social engineering
attack - viruses, malware,

00:03:30.410 --> 00:03:35.660 align:middle line:84%
your typical viruses, your
ransomware, et cetera.

00:03:35.660 --> 00:03:38.030 align:middle line:84%
Things like scareware are
still going to be a thing.

00:03:38.030 --> 00:03:42.070 align:middle line:84%
And as things progress,
they'll probably

00:03:42.070 --> 00:03:43.990 align:middle line:84%
get lucky and get
through an antivirus,

00:03:43.990 --> 00:03:47.270 align:middle line:90%
for example, once or twice.

00:03:47.270 --> 00:03:50.740 align:middle line:84%
That's all it takes to get
through whatever protection

00:03:50.740 --> 00:03:54.680 align:middle line:84%
system you have and the
user clicks it once.

00:03:54.680 --> 00:03:55.880 align:middle line:90%
Critical flaws.

00:03:55.880 --> 00:03:59.060 align:middle line:84%
Things like VMware
had a critical flaw

00:03:59.060 --> 00:04:00.230 align:middle line:90%
on their corporate server.

00:04:00.230 --> 00:04:05.430 align:middle line:84%
So even if you do
your due diligence,

00:04:05.430 --> 00:04:07.380 align:middle line:84%
there are vulnerabilities
coming out and being

00:04:07.380 --> 00:04:08.470 align:middle line:90%
discovered all the time.

00:04:08.470 --> 00:04:11.430 align:middle line:84%
So until the company
actually patches it,

00:04:11.430 --> 00:04:15.620 align:middle line:84%
there's not a whole lot
you could do about this.

00:04:15.620 --> 00:04:18.519 align:middle line:84%
So this is kind of where
Red Teams come in handy.

00:04:18.519 --> 00:04:21.910 align:middle line:84%
A Red Team is an
individual or individuals

00:04:21.910 --> 00:04:24.880 align:middle line:84%
that tends to network posing
as a malicious hacker.

00:04:24.880 --> 00:04:28.000 align:middle line:84%
A Red Team's job is to use
the same tools and techniques

00:04:28.000 --> 00:04:32.020 align:middle line:84%
as a malicious hacker
to gain network access,

00:04:32.020 --> 00:04:34.060 align:middle line:84%
obtain critical
files, circumvent

00:04:34.060 --> 00:04:36.220 align:middle line:90%
security measures, et cetera.

00:04:36.220 --> 00:04:38.620 align:middle line:84%
And of course, it's all going
to be within predetermined

00:04:38.620 --> 00:04:39.880 align:middle line:90%
guidelines.

00:04:39.880 --> 00:04:44.205 align:middle line:84%
After all, a Red Team member
does work for your corporation

00:04:44.205 --> 00:04:47.620 align:middle line:90%
or your company, whatnot.

00:04:47.620 --> 00:04:52.570 align:middle line:84%
Whether they're permanent staff
or if you're contracting them,

00:04:52.570 --> 00:04:54.420 align:middle line:90%
they are working with you.

00:04:54.420 --> 00:05:01.860 align:middle line:84%
So while the ultimate goal is
to simulate a hacker break in

00:05:01.860 --> 00:05:07.200 align:middle line:84%
and whatnot, it's not to really
destroy files, to steal files,

00:05:07.200 --> 00:05:07.980 align:middle line:90%
whatnot.

00:05:07.980 --> 00:05:13.320 align:middle line:84%
They're simulating
a real attack.

00:05:13.320 --> 00:05:16.110 align:middle line:84%
So Red Teams will
break into your network

00:05:16.110 --> 00:05:19.530 align:middle line:84%
using the same techniques and
tools as a malicious hacker.

00:05:19.530 --> 00:05:22.440 align:middle line:84%
Again, however they ultimately
are working for the same goals,

00:05:22.440 --> 00:05:24.990 align:middle line:84%
securing your network
from end users

00:05:24.990 --> 00:05:27.090 align:middle line:90%
from an actual malicious attack.

00:05:27.090 --> 00:05:30.960 align:middle line:84%
So that's really important
to you to get that across.

00:05:30.960 --> 00:05:34.620 align:middle line:84%
Because when you bring up
Red Teams to, say, management

00:05:34.620 --> 00:05:38.040 align:middle line:84%
that don't necessarily
know network security,

00:05:38.040 --> 00:05:41.130 align:middle line:84%
the idea of a Red Team
may be scary and sound

00:05:41.130 --> 00:05:42.670 align:middle line:90%
like a horrible idea.

00:05:42.670 --> 00:05:45.940 align:middle line:84%
Why are we hiring hackers
to break into our network?

00:05:45.940 --> 00:05:50.030 align:middle line:84%
Well, again, they're
there working for you

00:05:50.030 --> 00:05:53.090 align:middle line:84%
in order to test your
network security, not only

00:05:53.090 --> 00:05:56.540 align:middle line:84%
your workstations, your servers,
your IPSs, your antivirus,

00:05:56.540 --> 00:05:59.720 align:middle line:90%
et cetera, but also your users.

00:05:59.720 --> 00:06:04.410 align:middle line:84%
And even going beyond
that in some scopes.

00:06:04.410 --> 00:06:07.110 align:middle line:84%
They may physically
break into your building

00:06:07.110 --> 00:06:09.120 align:middle line:90%
and test your door locks.

00:06:09.120 --> 00:06:12.720 align:middle line:84%
How your security
measures are set up.

00:06:12.720 --> 00:06:15.030 align:middle line:90%
Can someone tailgate in?

00:06:15.030 --> 00:06:16.950 align:middle line:84%
Are there vulnerable
entry points?

00:06:16.950 --> 00:06:19.050 align:middle line:84%
Are your dumpsters
exposed where you're

00:06:19.050 --> 00:06:21.180 align:middle line:84%
throwing out important
information that

00:06:21.180 --> 00:06:23.010 align:middle line:90%
can be used against you?

00:06:23.010 --> 00:06:23.800 align:middle line:90%
Things like that.

00:06:23.800 --> 00:06:26.940 align:middle line:84%
A Red Team's scope
will vary depending

00:06:26.940 --> 00:06:28.740 align:middle line:90%
on what you want them to test.

00:06:28.740 --> 00:06:31.410 align:middle line:90%


00:06:31.410 --> 00:06:34.382 align:middle line:90%
So benefits.

00:06:34.382 --> 00:06:36.340 align:middle line:84%
It's going to depend on
your organisation size.

00:06:36.340 --> 00:06:39.160 align:middle line:84%
Is your organization large
enough to have a Red Team?

00:06:39.160 --> 00:06:41.200 align:middle line:84%
One benefit of having
a Red Team is you

00:06:41.200 --> 00:06:43.330 align:middle line:84%
can see how your staff
and network hold up

00:06:43.330 --> 00:06:44.495 align:middle line:90%
against real world attacks.

00:06:44.495 --> 00:06:46.922 align:middle line:90%


00:06:46.922 --> 00:06:49.380 align:middle line:84%
Doesn't make sense to have a
Red Team to test your network.

00:06:49.380 --> 00:06:52.830 align:middle line:84%
So though a Red Team
is trying to circumvent

00:06:52.830 --> 00:06:56.700 align:middle line:84%
the security of your network
that your team puts in place,

00:06:56.700 --> 00:07:00.550 align:middle line:84%
they ultimately are
on the same side.

00:07:00.550 --> 00:07:03.075 align:middle line:84%
Now, do you want to have
an in-house or contract?

00:07:03.075 --> 00:07:05.390 align:middle line:84%
If that Red Team is
something that makes sense,

00:07:05.390 --> 00:07:08.320 align:middle line:84%
you need to determine if
it's going to be smarter

00:07:08.320 --> 00:07:11.160 align:middle line:90%
to be in-house or contracted.

00:07:11.160 --> 00:07:17.750 align:middle line:84%
And Red Teams can help test
things like policy, security,

00:07:17.750 --> 00:07:20.750 align:middle line:84%
network security, help run
the company's overall security

00:07:20.750 --> 00:07:23.090 align:middle line:84%
awareness, and how
to approach security.

00:07:23.090 --> 00:07:26.600 align:middle line:90%


00:07:26.600 --> 00:07:28.447 align:middle line:84%
So this was all
about Red Teaming.

00:07:28.447 --> 00:07:30.280 align:middle line:84%
In the next video, we're
going to be talking

00:07:30.280 --> 00:07:32.680 align:middle line:90%
about what a Blue Team is.

00:07:32.680 --> 00:07:34.010 align:middle line:90%
So thank you for watching.

00:07:34.010 --> 00:07:36.120 align:middle line:90%
I'll see you in the next video.

00:07:36.120 --> 00:07:38.000 align:middle line:90%