A2. Red/Blue Teaming In Front Of A Live, Studio Audience
Wednesday, June 5, 2019
9:25 AM - 10:25 AM
How can an IR program be trusted if it is not tested? Many organizations have a hard time doing hands-on testing of production. In some sectors downtime can cost lives. Or maybe management just doesn't provide sufficient resources. We'll present a case study of a client in a heavily regulated industry that added hands-on Red Team events, and greatly improved their security posture (and budget!) along the way. We built multiple drills that distracted Blue Teamers while presenting false readings to operators, causing them to take incorrect "corrective" actions. All in front of regulators and the National Guard... no pressure.
After completing this session, the learner will:
- See how an IR exercise that doesn't go to plan from day one can be an unexpected benefit, revealing security issues that are invisible to a normal compliance-audit program.
- Recognize that stress testing Incident Response procedures and workflows can identify gaps in the resources, recipes, and escalation procedures.
- Understand the level of effort required to execute a drill like this, but also how the results can be used to gain executive-level buy-in for security program objectives.
Hank Leininger breaks stuff and builds stuff. He wrote Linux kernel hardening patches in the '90s that are now part of GRSecurity. In 2004 he co-founded KoreLogic, an expert security consulting practice. He's spoken at RMISC, ShmooCon, several BSides, and others. He doesn't have any interesting letters after his name.