1
00:00:00,240 --> 00:00:02,940
Training and Exercises.

2
00:00:02,940 --> 00:00:05,190
We're going to talk about tabletop exercises,

3
00:00:05,190 --> 00:00:06,540
penetration testing,

4
00:00:06,540 --> 00:00:10,260
and red, blue, and white exercises in this lesson.

5
00:00:10,260 --> 00:00:12,180
Now, when we talk about tabletop exercises,

6
00:00:12,180 --> 00:00:14,790
these are exercises that use an incident scenario

7
00:00:14,790 --> 00:00:17,550
against a framework of controls or a red team.

8
00:00:17,550 --> 00:00:18,720
So what we're going to do here

9
00:00:18,720 --> 00:00:20,820
is we are going to carry a discussion

10
00:00:20,820 --> 00:00:24,030
of simulated emergency situations and security events.

11
00:00:24,030 --> 00:00:26,490
These are great because they're really simple to set up,

12
00:00:26,490 --> 00:00:28,770
but they tend to be more theoretical in nature

13
00:00:28,770 --> 00:00:30,420
and they don't provide practical evidence

14
00:00:30,420 --> 00:00:32,790
of what could go wrong during a real event.

15
00:00:32,790 --> 00:00:35,280
For example, how long will a particular task take

16
00:00:35,280 --> 00:00:36,210
to complete?

17
00:00:36,210 --> 00:00:38,400
You really can't gather that from a tabletop,

18
00:00:38,400 --> 00:00:40,440
but if you actually go through the actions and motions,

19
00:00:40,440 --> 00:00:42,270
in something like a penetration test,

20
00:00:42,270 --> 00:00:44,130
you'll be able to see that instead.

21
00:00:44,130 --> 00:00:45,210
Now, I've seen a lot of times

22
00:00:45,210 --> 00:00:47,010
when we're doing tabletop exercises

23
00:00:47,010 --> 00:00:49,290
that people start using their magic wands.

24
00:00:49,290 --> 00:00:50,910
Now this is a bad thing to do

25
00:00:50,910 --> 00:00:52,770
because you can start getting the effect

26
00:00:52,770 --> 00:00:55,590
that something that might take a real team 12 hours to do

27
00:00:55,590 --> 00:00:57,660
can really be solved in 30 minutes.

28
00:00:57,660 --> 00:00:59,430
And so when something really happens,

29
00:00:59,430 --> 00:01:00,547
the managers start going,

30
00:01:00,547 --> 00:01:03,570
"Well, in the tabletop, it only took us 30 minutes to solve.

31
00:01:03,570 --> 00:01:04,739
Why is it taking you 12 hours?

32
00:01:04,739 --> 00:01:06,510
I need this system up right now."

33
00:01:06,510 --> 00:01:08,490
And so you start getting this negative training, I call it,

34
00:01:08,490 --> 00:01:10,140
where you start training your senior leaders

35
00:01:10,140 --> 00:01:12,270
to expect things to happen faster in the real world

36
00:01:12,270 --> 00:01:13,410
than they really can.

37
00:01:13,410 --> 00:01:14,460
So just be careful about that

38
00:01:14,460 --> 00:01:16,920
if you're dealing with a tabletop exercise.

39
00:01:16,920 --> 00:01:18,750
Now, when you're dealing with a penetration test,

40
00:01:18,750 --> 00:01:20,910
this is a test that uses active tools

41
00:01:20,910 --> 00:01:23,460
and security utilities to evaluate security

42
00:01:23,460 --> 00:01:25,620
by simulating an attack on a system

43
00:01:25,620 --> 00:01:27,750
to verify that a threat really does exist,

44
00:01:27,750 --> 00:01:29,970
they actively test that threat and vulnerability,

45
00:01:29,970 --> 00:01:31,530
they bypass security controls,

46
00:01:31,530 --> 00:01:33,600
and then finally, exploit those vulnerabilities

47
00:01:33,600 --> 00:01:35,250
on a given system.

48
00:01:35,250 --> 00:01:36,990
When you're doing a penetration test,

49
00:01:36,990 --> 00:01:39,600
you are going to test the system to discover vulnerabilities

50
00:01:39,600 --> 00:01:41,670
or prove security controls are actually working

51
00:01:41,670 --> 00:01:42,810
as they're supposed to.

52
00:01:42,810 --> 00:01:44,370
You're also going to examine the system

53
00:01:44,370 --> 00:01:46,290
to identify any logical weaknesses

54
00:01:46,290 --> 00:01:48,960
that may be there inside the system architecture.

55
00:01:48,960 --> 00:01:50,460
And you're going to interview personnel

56
00:01:50,460 --> 00:01:51,510
to gather information

57
00:01:51,510 --> 00:01:54,390
and see how prone they are to social engineering attacks.

58
00:01:54,390 --> 00:01:55,470
All of these are things you can do

59
00:01:55,470 --> 00:01:57,420
as part of a penetration test.

60
00:01:57,420 --> 00:01:59,190
Now, when you're dealing with a penetration test,

61
00:01:59,190 --> 00:02:01,260
you have to make sure it is properly scoped

62
00:02:01,260 --> 00:02:03,690
and resourced before you can begin it.

63
00:02:03,690 --> 00:02:04,800
Now, what I mean by this is

64
00:02:04,800 --> 00:02:07,200
you have to figure out exactly what is going to be tested

65
00:02:07,200 --> 00:02:08,880
as part of the penetration test.

66
00:02:08,880 --> 00:02:10,979
If you get a penetration tester to come in

67
00:02:10,979 --> 00:02:12,060
and test your organization,

68
00:02:12,060 --> 00:02:14,370
you say, "Just go at the entire organization."

69
00:02:14,370 --> 00:02:16,110
That's not going to be very effective.

70
00:02:16,110 --> 00:02:17,377
Instead, you should tell them,

71
00:02:17,377 --> 00:02:18,570
"Hey, I'm really concerned

72
00:02:18,570 --> 00:02:20,010
about my Windows domain controller.

73
00:02:20,010 --> 00:02:22,710
I want you to see if you can get root access on that."

74
00:02:22,710 --> 00:02:25,110
And that would allow them to be able to identify exactly

75
00:02:25,110 --> 00:02:26,250
what your concerns are

76
00:02:26,250 --> 00:02:28,710
and verify your systems are working properly.

77
00:02:28,710 --> 00:02:30,690
Now, when you're dealing with a penetration test,

78
00:02:30,690 --> 00:02:33,840
you can use either an internal team or an external team.

79
00:02:33,840 --> 00:02:35,640
I personally like to use third parties

80
00:02:35,640 --> 00:02:37,320
who are external to the organization

81
00:02:37,320 --> 00:02:39,510
or a separate internal red team.

82
00:02:39,510 --> 00:02:41,340
I don't like to use my system administrators

83
00:02:41,340 --> 00:02:42,990
to conduct penetration tests.

84
00:02:42,990 --> 00:02:45,150
It's not that they're not smart enough to do it.

85
00:02:45,150 --> 00:02:46,920
It's that they're biased in their approach.

86
00:02:46,920 --> 00:02:48,240
When you have a system administrator trying

87
00:02:48,240 --> 00:02:49,890
to pen test their own system,

88
00:02:49,890 --> 00:02:52,050
what ends up happening is they start trying

89
00:02:52,050 --> 00:02:53,940
to prove the system is secure

90
00:02:53,940 --> 00:02:56,760
instead of trying to prove the system can be attacked.

91
00:02:56,760 --> 00:02:58,230
As a penetration tester,

92
00:02:58,230 --> 00:03:00,930
our job is to go in and find all the holes.

93
00:03:00,930 --> 00:03:02,550
We want to find all the weaknesses.

94
00:03:02,550 --> 00:03:05,370
And the system administrators tend to try to not do that

95
00:03:05,370 --> 00:03:06,870
because they're trying to prove that their work

96
00:03:06,870 --> 00:03:09,630
that they did securing the system is adequate.

97
00:03:09,630 --> 00:03:10,860
And so it's a different perspective,

98
00:03:10,860 --> 00:03:13,020
and that's why I much prefer a third party

99
00:03:13,020 --> 00:03:15,030
or an internal red team be used

100
00:03:15,030 --> 00:03:16,860
instead of system administrators.

101
00:03:16,860 --> 00:03:18,840
Now, if you want to learn more about pen testing,

102
00:03:18,840 --> 00:03:21,630
you should check out the CompTIA PenTest+ curriculum.

103
00:03:21,630 --> 00:03:23,580
In that course, there is a ton of information

104
00:03:23,580 --> 00:03:24,690
on how you can become a member

105
00:03:24,690 --> 00:03:26,460
of the penetration testing team

106
00:03:26,460 --> 00:03:28,380
and learning how to attack these systems

107
00:03:28,380 --> 00:03:30,750
from that outsider perspective.

108
00:03:30,750 --> 00:03:32,400
Now, the last thing we want to talk about in this lesson

109
00:03:32,400 --> 00:03:35,430
is our red teams, our blue teams, and our white teams.

110
00:03:35,430 --> 00:03:36,690
When we talk about red teams,

111
00:03:36,690 --> 00:03:38,610
these are the hostile or attacking teams

112
00:03:38,610 --> 00:03:41,700
in a penetration test or an incident response exercise.

113
00:03:41,700 --> 00:03:45,210
If you hire that third-party team, that is a red team.

114
00:03:45,210 --> 00:03:47,280
They're trying to attack your systems.

115
00:03:47,280 --> 00:03:48,480
When we're talking about blue teams,

116
00:03:48,480 --> 00:03:49,860
these are our defensive teams

117
00:03:49,860 --> 00:03:51,030
in a penetration test

118
00:03:51,030 --> 00:03:52,950
or an incident response exercise.

119
00:03:52,950 --> 00:03:54,510
This is our system administrators.

120
00:03:54,510 --> 00:03:56,250
This is our network defenders.

121
00:03:56,250 --> 00:03:59,010
These are our cybersecurity analysts, like you.

122
00:03:59,010 --> 00:04:01,080
You're going to be part of the blue team.

123
00:04:01,080 --> 00:04:02,520
And then we have the white team.

124
00:04:02,520 --> 00:04:04,800
This is the staff who administers, evaluates,

125
00:04:04,800 --> 00:04:06,840
and supervises a penetration test

126
00:04:06,840 --> 00:04:08,670
or incident response exercise.

127
00:04:08,670 --> 00:04:09,720
They're also going to be responsible

128
00:04:09,720 --> 00:04:10,830
for building the network

129
00:04:10,830 --> 00:04:12,810
if you're going to be using a third-party network

130
00:04:12,810 --> 00:04:14,130
as part of your test.

131
00:04:14,130 --> 00:04:16,769
Sometimes, organizations don't want to do active testing

132
00:04:16,769 --> 00:04:18,390
on their real live networks,

133
00:04:18,390 --> 00:04:19,740
so they'll build a training ground

134
00:04:19,740 --> 00:04:20,577
and they'll put their red teams

135
00:04:20,577 --> 00:04:21,480
and their blue teams,

136
00:04:21,480 --> 00:04:22,590
if they have internal red teams

137
00:04:22,590 --> 00:04:23,760
and internal blue teams,

138
00:04:23,760 --> 00:04:26,040
against each other in this simulated environment.

139
00:04:26,040 --> 00:04:27,750
Well, somebody has to build

140
00:04:27,750 --> 00:04:29,520
and support this entire ecosystem,

141
00:04:29,520 --> 00:04:31,320
and that's what the white team will do.

142
00:04:31,320 --> 00:04:33,690
I like to think about the white team as the referees.

143
00:04:33,690 --> 00:04:34,523
They're also going to be the ones

144
00:04:34,523 --> 00:04:36,577
who are going to report after the event and say,

145
00:04:36,577 --> 00:04:38,130
"This is what the red team did well.

146
00:04:38,130 --> 00:04:39,420
This is what the blue team did well.

147
00:04:39,420 --> 00:04:41,340
And here's what they both did not so well."

148
00:04:41,340 --> 00:04:43,040
That's the role of the white team.

