WEBVTT

00:00:00.000 --> 00:00:06.560 align:middle line:90%


00:00:06.560 --> 00:00:10.090 align:middle line:84%
In this video, we're going to be
talking about whether your Red

00:00:10.090 --> 00:00:13.210 align:middle line:84%
Team or Blue Team should
be in-house or contracted,

00:00:13.210 --> 00:00:16.195 align:middle line:84%
assuming that you're going to be
setting up a Red and Blue Team

00:00:16.195 --> 00:00:18.460 align:middle line:90%
- and/or Blue Team, rather.

00:00:18.460 --> 00:00:24.160 align:middle line:84%
So before we just go off and
either set up our own Red

00:00:24.160 --> 00:00:28.720 align:middle line:84%
and Blue Team or begin to
go out there and contract,

00:00:28.720 --> 00:00:33.240 align:middle line:84%
we need to take some
things into consideration.

00:00:33.240 --> 00:00:36.620 align:middle line:84%
So what do we need to
consider before we even begin?

00:00:36.620 --> 00:00:40.470 align:middle line:84%
Well, one major factor is
going to be are you a small

00:00:40.470 --> 00:00:42.750 align:middle line:90%
organisation or large?

00:00:42.750 --> 00:00:47.430 align:middle line:84%
Now, the reason I bring this
up is it - having a team

00:00:47.430 --> 00:00:50.490 align:middle line:84%
is really going to depend on -
well, this is assuming you're

00:00:50.490 --> 00:00:55.050 align:middle line:84%
already going to want to have
a Red Team and/or Blue Team.

00:00:55.050 --> 00:00:56.760 align:middle line:84%
Depending on your
organisation size,

00:00:56.760 --> 00:01:00.940 align:middle line:84%
this is going to help to
make that determination.

00:01:00.940 --> 00:01:03.930 align:middle line:84%
So if you have a
small organisation,

00:01:03.930 --> 00:01:07.170 align:middle line:84%
depending how small you are,
it may not make sense to have

00:01:07.170 --> 00:01:10.230 align:middle line:90%
an in-house Red Team/Blue Team.

00:01:10.230 --> 00:01:12.720 align:middle line:84%
After all, do you have
the resources, the staff

00:01:12.720 --> 00:01:14.700 align:middle line:90%
to support such a team?

00:01:14.700 --> 00:01:16.620 align:middle line:84%
If you have a small
IT team, you're

00:01:16.620 --> 00:01:19.860 align:middle line:84%
probably better off looking
at training your network team.

00:01:19.860 --> 00:01:24.220 align:middle line:90%


00:01:24.220 --> 00:01:28.090 align:middle line:84%
Outsourcing is likely going
to make more sense for this

00:01:28.090 --> 00:01:31.120 align:middle line:84%
because, again, if you
have a small IT team,

00:01:31.120 --> 00:01:33.430 align:middle line:84%
you're not really going
to have the resources,

00:01:33.430 --> 00:01:35.020 align:middle line:90%
too, in order to train them.

00:01:35.020 --> 00:01:36.790 align:middle line:84%
After all, they're
probably going

00:01:36.790 --> 00:01:40.660 align:middle line:84%
to be pretty busy with doing
their day-to-day work instead

00:01:40.660 --> 00:01:43.570 align:middle line:84%
of actually setting up a
dedicated team to attack

00:01:43.570 --> 00:01:44.830 align:middle line:90%
or defend.

00:01:44.830 --> 00:01:46.840 align:middle line:84%
You'll be spreading
yourself too thin.

00:01:46.840 --> 00:01:50.590 align:middle line:84%
So again, if you're really
going to be setting up

00:01:50.590 --> 00:01:54.610 align:middle line:84%
a Red Team/Blue Team, you're
probably better off outsourcing

00:01:54.610 --> 00:01:57.800 align:middle line:90%
at that point.

00:01:57.800 --> 00:01:59.830 align:middle line:84%
Now, if you have a large
organisation, well,

00:01:59.830 --> 00:02:03.190 align:middle line:90%
you do have some more leeway.

00:02:03.190 --> 00:02:05.530 align:middle line:84%
You tend to have a larger
staff and resources

00:02:05.530 --> 00:02:07.180 align:middle line:90%
to support an in-house team.

00:02:07.180 --> 00:02:12.070 align:middle line:84%
Larger organisations tend
to have a larger pool of IT

00:02:12.070 --> 00:02:13.800 align:middle line:90%
personnel.

00:02:13.800 --> 00:02:18.270 align:middle line:84%
The larger organisation also
tends to have a larger budget

00:02:18.270 --> 00:02:21.190 align:middle line:84%
in order to facilitate
training or -

00:02:21.190 --> 00:02:23.550 align:middle line:84%
and/or the proper pay
scale for those positions.

00:02:23.550 --> 00:02:26.970 align:middle line:84%
After all, a Red Team
member or a Blue Team member

00:02:26.970 --> 00:02:30.870 align:middle line:84%
should be making more than,
say, a desktop technician

00:02:30.870 --> 00:02:33.030 align:middle line:84%
because they are
doing a lot more work.

00:02:33.030 --> 00:02:36.470 align:middle line:84%
They're doing a very
specialised job.

00:02:36.470 --> 00:02:40.370 align:middle line:84%
Ultimately, it's going to come
down to management, though.

00:02:40.370 --> 00:02:44.960 align:middle line:84%
If they see a benefit of having
an in-house or contracted -

00:02:44.960 --> 00:02:49.490 align:middle line:84%
or even if they don't believe
in a Red Team or Blue Team

00:02:49.490 --> 00:02:53.240 align:middle line:84%
exercises, unfortunately,
it does always come down

00:02:53.240 --> 00:02:53.910 align:middle line:90%
to management.

00:02:53.910 --> 00:02:56.780 align:middle line:84%
So if it's important
to you, you do

00:02:56.780 --> 00:02:59.330 align:middle line:90%
need to make the case for it.

00:02:59.330 --> 00:03:01.760 align:middle line:84%
But again, large organisations
are going to have more

00:03:01.760 --> 00:03:03.770 align:middle line:84%
flexibility in this
because, again,

00:03:03.770 --> 00:03:05.660 align:middle line:84%
they will have a
larger IT personnel.

00:03:05.660 --> 00:03:08.150 align:middle line:84%
They do tend to have
a larger budget.

00:03:08.150 --> 00:03:09.560 align:middle line:90%
And they have more to lose.

00:03:09.560 --> 00:03:12.990 align:middle line:90%


00:03:12.990 --> 00:03:15.300 align:middle line:84%
So pros and cons -
outsourcing means

00:03:15.300 --> 00:03:19.150 align:middle line:84%
that you don't have to have
staff trained to do this.

00:03:19.150 --> 00:03:22.210 align:middle line:84%
That means that your staff,
your current IT staff,

00:03:22.210 --> 00:03:25.750 align:middle line:84%
could be - well, they could be
doing what they were originally

00:03:25.750 --> 00:03:27.760 align:middle line:90%
hired to do.

00:03:27.760 --> 00:03:30.670 align:middle line:84%
Outsourced companies
are specialised,

00:03:30.670 --> 00:03:32.782 align:middle line:84%
tend to be specialised,
in this type of work.

00:03:32.782 --> 00:03:34.990 align:middle line:84%
And there's a lot of really
great companies out there

00:03:34.990 --> 00:03:36.990 align:middle line:90%
that do this.

00:03:36.990 --> 00:03:41.080 align:middle line:84%
Overall, costs can be
cheaper outsourcing it.

00:03:41.080 --> 00:03:44.250 align:middle line:84%
So depending on how often
you run these exercises -

00:03:44.250 --> 00:03:46.980 align:middle line:84%
if it's going to be once, if
it's going to be, say, once

00:03:46.980 --> 00:03:50.610 align:middle line:84%
a year or once a
month or whatnot,

00:03:50.610 --> 00:03:54.240 align:middle line:84%
it might be cheaper
to outsource it.

00:03:54.240 --> 00:03:58.980 align:middle line:84%
Having a internal team -
well, having an internal team

00:03:58.980 --> 00:04:02.430 align:middle line:84%
is, off the bat, they should
know your network and company

00:04:02.430 --> 00:04:04.515 align:middle line:84%
better than someone
coming from the outside.

00:04:04.515 --> 00:04:06.390 align:middle line:84%
Someone coming from the
outside is going to -

00:04:06.390 --> 00:04:07.740 align:middle line:90%
you have to do a Blue Team.

00:04:07.740 --> 00:04:09.157 align:middle line:84%
And they're going
to have to spend

00:04:09.157 --> 00:04:11.550 align:middle line:84%
some time learning your
network, learning your policies,

00:04:11.550 --> 00:04:14.270 align:middle line:90%
and whatnot.

00:04:14.270 --> 00:04:16.910 align:middle line:84%
If you're just doing a Red
Team, that doesn't necessarily

00:04:16.910 --> 00:04:19.010 align:middle line:84%
apply because a
hacker is probably not

00:04:19.010 --> 00:04:23.030 align:middle line:84%
going to know everything there
is to know about your network

00:04:23.030 --> 00:04:25.880 align:middle line:84%
or have someone on
the inside briefing

00:04:25.880 --> 00:04:27.660 align:middle line:84%
them on the network
right off the bat.

00:04:27.660 --> 00:04:33.110 align:middle line:84%
So that's going to be
more for a Blue Team side.

00:04:33.110 --> 00:04:36.140 align:middle line:84%
Internal teams will be able
to test as often as you

00:04:36.140 --> 00:04:37.250 align:middle line:90%
want or need them to.

00:04:37.250 --> 00:04:38.930 align:middle line:84%
After all, they're
your employees.

00:04:38.930 --> 00:04:40.910 align:middle line:84%
So you could just
say, well, I want

00:04:40.910 --> 00:04:46.220 align:middle line:84%
you to run a simulation every
week, every month, whatnot.

00:04:46.220 --> 00:04:48.890 align:middle line:84%
And you can restructure
and specialise your Team

00:04:48.890 --> 00:04:50.690 align:middle line:90%
as needed if it is in-house.

00:04:50.690 --> 00:04:53.320 align:middle line:90%


00:04:53.320 --> 00:04:59.050 align:middle line:84%
There's really no way to say,
well, yes, you should run a Red

00:04:59.050 --> 00:05:00.220 align:middle line:90%
Team/Blue Team in-house.

00:05:00.220 --> 00:05:03.040 align:middle line:84%
You should run a Red
Team/Blue Team out.

00:05:03.040 --> 00:05:05.140 align:middle line:84%
As you saw in the
previous slides,

00:05:05.140 --> 00:05:08.440 align:middle line:84%
the answer's going to vary
from company to company.

00:05:08.440 --> 00:05:10.940 align:middle line:84%
Again, it's going to
depend on your resources.

00:05:10.940 --> 00:05:14.980 align:middle line:84%
It's going to depend on
your company's objectives.

00:05:14.980 --> 00:05:18.790 align:middle line:84%
It's going to depend on
what your resources are.

00:05:18.790 --> 00:05:23.140 align:middle line:84%
It really has a lot of factors
to consider over running a Red

00:05:23.140 --> 00:05:24.160 align:middle line:90%
Team or Blue Team.

00:05:24.160 --> 00:05:26.440 align:middle line:84%
And again, if you make
the decision that you do

00:05:26.440 --> 00:05:28.510 align:middle line:84%
want to have a Red
Team or Blue Team,

00:05:28.510 --> 00:05:32.680 align:middle line:84%
how often are you going to
be running these exercises?

00:05:32.680 --> 00:05:35.830 align:middle line:84%
Is it necessary to have a
Red and Blue Team or can

00:05:35.830 --> 00:05:40.390 align:middle line:84%
you just get away with a Red
Team or just a Blue Team?

00:05:40.390 --> 00:05:42.310 align:middle line:84%
And how much
resources do you have?

00:05:42.310 --> 00:05:45.310 align:middle line:84%
Do you have the resources
to train your internal staff

00:05:45.310 --> 00:05:48.203 align:middle line:90%
to take on those roles?

00:05:48.203 --> 00:05:50.620 align:middle line:84%
If you don't, well, then you
should probably outsource it.

00:05:50.620 --> 00:05:53.740 align:middle line:84%
Do you have the resources
to outsource it?

00:05:53.740 --> 00:05:56.530 align:middle line:84%
And also, do you have
management's approval

00:05:56.530 --> 00:05:58.930 align:middle line:84%
and blessing for this,
because that is ultimately

00:05:58.930 --> 00:06:01.240 align:middle line:84%
going to determine whether
you're able to do this?

00:06:01.240 --> 00:06:04.790 align:middle line:90%


00:06:04.790 --> 00:06:07.750 align:middle line:84%
So this was about Red Team/Blue
Team, whether they should

00:06:07.750 --> 00:06:11.500 align:middle line:90%
be in-house or outsourced.

00:06:11.500 --> 00:06:13.870 align:middle line:84%
In the next video, we're
going to be talking about one

00:06:13.870 --> 00:06:17.080 align:middle line:84%
of my favourite
topics, which is OSINT.

00:06:17.080 --> 00:06:20.020 align:middle line:84%
And it stands for Open
Source Intelligence.

00:06:20.020 --> 00:06:22.270 align:middle line:84%
And we're going to be talking
about tracking attackers

00:06:22.270 --> 00:06:24.540 align:middle line:90%
using this technique.

00:06:24.540 --> 00:06:25.860 align:middle line:90%
So thank you for watching.

00:06:25.860 --> 00:06:28.000 align:middle line:90%
I'll see you in the next video.

00:06:28.000 --> 00:06:30.000 align:middle line:90%