WEBVTT

0:00:03.500000 --> 0:00:06.380000
 Hello everyone and welcome to this video.

0:00:06.380000 --> 0:00:09.880000
 In this video, we're going to be taking
 a look at Red teams and threat

0:00:09.880000 --> 0:00:12.000000
 intelligence teams.

0:00:12.000000 --> 0:00:15.400000
 You may be wondering, asking yourself,
 why is this important?

0:00:15.400000 --> 0:00:25.620000
 Well, these two teams or groups of
 individuals, as it were, are quite

0:00:25.620000 --> 0:00:27.260000
 common within organizations.

0:00:27.260000 --> 0:00:33.540000
 Not always common, but it's very important
 that you understand both of

0:00:33.540000 --> 0:00:37.940000
 these teams in terms of what they do
 within an organization, as well as

0:00:37.940000 --> 0:00:41.140000
 how they interact and collaborate
 with the SOC.

0:00:41.140000 --> 0:00:49.020000
 So, let's get started by understanding
 how they all come together.

0:00:49.020000 --> 0:00:53.280000
 Now, in a mature cybersecurity environment,
 the SOC team, Red team and

0:00:53.280000 --> 0:00:58.240000
 threat intelligence team work collaboratively
 to enhance an organization's

0:00:58.240000 --> 0:01:01.260000
 detection, response, and
 defense capabilities.

0:01:01.260000 --> 0:01:05.460000
 Their interaction ensures that security
 controls are continuously tested,

0:01:05.460000 --> 0:01:11.120000
 refined, and improved based on real-world
 threats and attack techniques.

0:01:11.120000 --> 0:01:17.600000
 So, how does a Red team, or what's
 the interaction between the SOC and

0:01:17.600000 --> 0:01:22.740000
 a Red team? Well, Red teams, if you
 know anything about them, usually

0:01:22.740000 --> 0:01:26.380000
 called in, if a company doesn't have
 their own dedicated Red team, they

0:01:26.380000 --> 0:01:28.220000
 usually hire a Red team.

0:01:28.220000 --> 0:01:33.640000
 But the Red team simulates or emulates
 a real-world cyber attack or a

0:01:33.640000 --> 0:01:38.020000
 particular APT group in order to test
 and challenge an organization's

0:01:38.020000 --> 0:01:41.640000
 security defenses, in essence,
 to test the SOC.

0:01:41.640000 --> 0:01:46.620000
 And their goal is to identify weaknesses
 by emulating the TTPs, tactics,

0:01:46.620000 --> 0:01:50.920000
 techniques, and procedures used by actual
 threat actors or threat groups,

0:01:50.920000 --> 0:01:52.520000
 APT groups, etc.

0:01:52.520000 --> 0:01:57.460000
 So, in this particular comparison table,
 we have the Red team role, SOC

0:01:57.460000 --> 0:01:59.700000
 role, and the interaction purpose.

0:01:59.700000 --> 0:02:05.220000
 So, Red team role, A, simulate realistic
 cyber attacks, for example, phishing,

0:02:05.220000 --> 0:02:07.480000
 lateral movement, data exfiltration.

0:02:07.480000 --> 0:02:09.580000
 What is the SOC's role here?

0:02:09.580000 --> 0:02:13.560000
 Well, their job is to detect and respond
 to these simulated attacks in

0:02:13.560000 --> 0:02:17.180000
 real time. And what's the purpose
 of this interaction?

0:02:17.180000 --> 0:02:22.180000
 Well, this is done to test the SOC's
 detection and response capabilities.

0:02:22.180000 --> 0:02:27.060000
 In the case of the second one here, the
 second Red team role or activity,

0:02:27.060000 --> 0:02:31.400000
 we have identifying vulnerabilities and
 providing post-engagement reports.

0:02:31.400000 --> 0:02:36.780000
 In terms of the SOC, they analyze attack
 patterns and use this information

0:02:36.780000 --> 0:02:39.560000
 to improve detection rules.

0:02:39.560000 --> 0:02:45.800000
 What's the interaction purpose? To enhance
 the SOC's ability to identify

0:02:45.800000 --> 0:02:50.040000
 advanced threats.

0:02:50.040000 --> 0:02:54.520000
 The other Red team role here provides insights
 into gaps in defenses and bypass

0:02:54.520000 --> 0:02:57.900000
 techniques. So, what's the SOC role here?

0:02:57.900000 --> 0:03:00.360000
 How do they use this information
 from the Red team?

0:03:00.360000 --> 0:03:05.100000
 Well, they use it to update and fine-tune
 the SIEM rules, SOAR playbooks

0:03:05.100000 --> 0:03:06.940000
 and detection strategies.

0:03:06.940000 --> 0:03:08.960000
 What's the purpose of the interaction?

0:03:08.960000 --> 0:03:14.640000
 Again, if it isn't obvious already,
 well, it's to improve the accuracy

0:03:14.640000 --> 0:03:17.360000
 of alerting and to reduce
 false positives.

0:03:17.360000 --> 0:03:22.960000
 So, what the Red team does is they
 perform adversary emulation or just

0:03:22.960000 --> 0:03:24.820000
 a standard Red team operation.

0:03:24.820000 --> 0:03:28.980000
 And they simulate realistic cyber attacks,
 they identify vulnerabilities

0:03:28.980000 --> 0:03:33.700000
 and provide post-engagement reports
 to the SOC team or the blue team.

0:03:33.700000 --> 0:03:38.280000
 They provide insights into gaps in
 defenses and bypass techniques.

0:03:38.280000 --> 0:03:41.840000
 And of course, I mentioned it or they
 conduct adversary emulation exercises

0:03:41.840000 --> 0:03:43.780000
 based on known APTs.

0:03:43.780000 --> 0:03:49.340000
 So, in that case, in the case of adversary
 emulation, what was the SOC's

0:03:49.340000 --> 0:03:54.040000
 role here? Well, they use the attack data
 to strengthen response strategies

0:03:54.040000 --> 0:03:58.900000
 and playbooks. And what's the purpose
 of interaction between the Red and

0:03:58.900000 --> 0:04:05.180000
 blue team with regards to that particular
 activity, which is adversary emulation?

0:04:05.180000 --> 0:04:09.800000
 Well, you know, the purpose of interaction
 is to test and validate SOC

0:04:09.800000 --> 0:04:12.620000
 response processes, generally speaking.

0:04:12.620000 --> 0:04:15.880000
 Of course, I've simplified this a little
 bit, but we'll be touching a

0:04:15.880000 --> 0:04:21.340000
 little bit on Red and purple team exercises
 or operations towards the

0:04:21.340000 --> 0:04:22.160000
 end of this course.

0:04:22.160000 --> 0:04:24.820000
 But let's proceed here.

0:04:24.820000 --> 0:04:27.940000
 So, I just wanted to touch on the collaboration
 points and provide you

0:04:27.940000 --> 0:04:28.820000
 with a bit more detail.

0:04:28.820000 --> 0:04:33.900000
 So, the first collaboration point that's
 arguably the most important is

0:04:33.900000 --> 0:04:35.860000
 attack simulation and emulation.

0:04:35.860000 --> 0:04:38.260000
 So, what's going on here?

0:04:38.260000 --> 0:04:42.840000
 Well, the Red teams conduct covert
 attack simulations or emulation to

0:04:42.840000 --> 0:04:46.100000
 test the SOC's real-time detection
 and response capabilities.

0:04:46.100000 --> 0:04:50.240000
 So, companies usually hire a Red team
 if they don't have one already and

0:04:50.240000 --> 0:04:54.740000
 they tell them, hey, could you emulate
 this particular APT group because

0:04:54.740000 --> 0:04:59.040000
 our threat intelligence team tells us
 that this particular APT group is

0:04:59.040000 --> 0:05:03.800000
 targeting organizations like
 us within our region.

0:05:03.800000 --> 0:05:07.740000
 So, you emulate an APT group like, let's
 say, APT 29, of course, that's

0:05:07.740000 --> 0:05:12.000000
 not going to be, that's just an example.

0:05:12.000000 --> 0:05:18.160000
 But so, the Red team emulates
 APT 29's known TTPs.

0:05:18.160000 --> 0:05:21.940000
 And the reason this is done is because
 the company wants to know whether

0:05:21.940000 --> 0:05:28.500000
 the SOC can actually detect a real
 world attack by a group like APT 29

0:05:28.500000 --> 0:05:34.620000
 and whether they can respond
 to the attack adequately.

0:05:34.620000 --> 0:05:39.440000
 Now, if the SOC fails to detect an attack,
 the Red teams provide detailed

0:05:39.440000 --> 0:05:43.760000
 post-engagement reports, essentially
 telling the blue team or the SOC

0:05:43.760000 --> 0:05:46.100000
 team, this is where you guys fail.

0:05:46.100000 --> 0:05:48.260000
 You fail to detect this technique.

0:05:48.260000 --> 0:05:53.040000
 And then the SOC team uses this info
 to, you know, make to write better

0:05:53.040000 --> 0:05:57.840000
 rules for detection, to implement
 mitigations, stuff like this.

0:05:57.840000 --> 0:05:59.780000
 So, it's very, very useful.

0:05:59.780000 --> 0:06:01.840000
 You then have purple teaming, right?

0:06:01.840000 --> 0:06:03.580000
 Another collaboration point.

0:06:03.580000 --> 0:06:05.040000
 So, what happens here?

0:06:05.040000 --> 0:06:10.080000
 Well, in this case, a Red and SOC,
 which is the blue team, collaborate

0:06:10.080000 --> 0:06:13.660000
 closely to simulate, detect, and
 improve defenses in real time.

0:06:13.660000 --> 0:06:17.400000
 So, the way this works is that the Red
 team executes an attack while the

0:06:17.400000 --> 0:06:23.240000
 SOC team observes, detects, and tunes systems
 to enhance detection capabilities.

0:06:23.240000 --> 0:06:26.700000
 And this collaborative approach helps
 to identify detection gaps and improve

0:06:26.700000 --> 0:06:33.660000
 alert accuracy. The difference between,
 you know, adversary emulation or

0:06:33.660000 --> 0:06:37.400000
 simulation and purple teaming will
 become apparent when we get to that

0:06:37.400000 --> 0:06:43.620000
 point. But purple teaming is sort of thought
 as a very organized or structured

0:06:43.620000 --> 0:06:48.360000
 plan that includes both the Red team,
 the blue team, and they're both

0:06:48.360000 --> 0:06:50.460000
 aware of it, if that makes sense.

0:06:50.460000 --> 0:06:55.760000
 Now, as I said, I'm making that very, very
 simple in terms of the differences,

0:06:55.760000 --> 0:06:59.080000
 but we'll be getting into
 a purple team exercise.

0:06:59.080000 --> 0:07:03.840000
 So, we then have another collaboration
 point, which is feedback and process

0:07:03.840000 --> 0:07:07.960000
 improvement. So, Red teams share findings
 from their simulated attacks

0:07:07.960000 --> 0:07:13.940000
 with the SOC to help, A, fine-tune the
 SIEM correlation rules, B, develop

0:07:13.940000 --> 0:07:20.780000
 new SOAR playbooks, C, improve incident
 triage and response workflows.

0:07:20.780000 --> 0:07:26.840000
 So, over here, I have developed a very
 nice, in at least in my opinion,

0:07:26.840000 --> 0:07:33.580000
 a diagram or an attack flow diagram that
 sort of outlines using a fictional

0:07:33.580000 --> 0:07:39.480000
 attack, or in this case, an adversary
 simulation or just a standard Red

0:07:39.480000 --> 0:07:44.980000
 team operation. In this case, it is
 an adversary simulation campaign being

0:07:44.980000 --> 0:07:48.760000
 that's been performed by the Red team.

0:07:48.760000 --> 0:08:01.820000
 And I've sort of used the various steps
 that you'll typically see or the

0:08:01.820000 --> 0:08:04.360000
 various actions or activities
 that typically occur.

0:08:04.360000 --> 0:08:06.880000
 So, to the left, you have
 the Red team here.

0:08:06.880000 --> 0:08:11.180000
 So, you have Red team operators and they
 have a command and control server.

0:08:11.180000 --> 0:08:14.020000
 And you then have the target network
 or target environment.

0:08:14.020000 --> 0:08:17.740000
 And you have the SOC over here, a couple
 of workstations within the organization.

0:08:17.740000 --> 0:08:21.360000
 There's a SIEM, there's
 a mail server, etc.

0:08:21.360000 --> 0:08:26.340000
 So, what happens, step one, the Red team
 simulates an advanced persistent

0:08:26.340000 --> 0:08:32.000000
 threat or an APT using known MITRE
 ATT&CK TTPs of that particular APT

0:08:32.000000 --> 0:08:37.200000
 group. And in this particular case, initial
 access is obtained via spear phishing

0:08:37.200000 --> 0:08:40.520000
 or that's the technique that is utilized.

0:08:40.520000 --> 0:08:45.420000
 We can also see persistence being
 established and lateral movement.

0:08:45.420000 --> 0:08:51.600000
 So, they target or they gain access via
 spear phishing and then they establish

0:08:51.600000 --> 0:08:54.280000
 persistence and then move laterally.

0:08:54.280000 --> 0:08:57.440000
 So, step three, this is
 where the SOC comes in.

0:08:57.440000 --> 0:09:00.980000
 So, the SOC actually detects this
 initial phishing attempt.

0:09:00.980000 --> 0:09:05.900000
 However, they fail to identify lateral
 movement onto other systems within

0:09:05.900000 --> 0:09:08.060000
 the target network.

0:09:08.060000 --> 0:09:11.480000
 So, they fail to do that.

0:09:11.480000 --> 0:09:15.560000
 And then, step four over here, SOC
 updates the detection rules in the

0:09:15.560000 --> 0:09:19.120000
 SIEM to better identify similar tactics.

0:09:19.120000 --> 0:09:23.400000
 And then, over here, really, this should
 be step four before the SOC actually

0:09:23.400000 --> 0:09:25.500000
 updates the detection rules.

0:09:25.500000 --> 0:09:29.340000
 But post engagement, the Red team shares
 details of the bypass detection

0:09:29.340000 --> 0:09:33.840000
 mechanisms and then the SOC updates
 the detection rules so that they can

0:09:33.840000 --> 0:09:37.800000
 detect these tactics or similar tactics.

0:09:37.800000 --> 0:09:41.500000
 So, just wanted to give you an idea
 as to what this collaboration looks

0:09:41.500000 --> 0:09:45.060000
 like. Because again, the likelihood
 that you'll be involved in one of

0:09:45.060000 --> 0:09:49.860000
 these exercises is very high, especially
 if you get into or you become

0:09:49.860000 --> 0:09:51.460000
 an incident responder.

0:09:51.460000 --> 0:09:55.080000
 Now, that begs the question, what's
 the interaction between the SOC and

0:09:55.080000 --> 0:09:57.180000
 threat intelligence teams?

0:09:57.180000 --> 0:10:00.700000
 But before we even get into that, what
 is a threat intelligence team to

0:10:00.700000 --> 0:10:05.060000
 begin with? Well, a threat intelligence
 team gathers, analyzes, and distributes

0:10:05.060000 --> 0:10:10.100000
 threat intelligence, also known as TI
 or CTI, Cyber Threat Intelligence,

0:10:10.100000 --> 0:10:13.900000
 to help the organization understand, detect,
 and respond to emerging threats.

0:10:13.900000 --> 0:10:16.780000
 Key word there is emerging threats.

0:10:16.780000 --> 0:10:20.720000
 And their role is to enrich security
 data, inform detection strategies,

0:10:20.720000 --> 0:10:23.380000
 and support proactive threat hunting.

0:10:23.380000 --> 0:10:31.340000
 So, this comparison table here that outlines
 the threat intelligence role,

0:10:31.340000 --> 0:10:34.500000
 the role of the SOC and the interaction
 purpose similar to what we have

0:10:34.500000 --> 0:10:37.960000
 with the Red team and SOC section.

0:10:37.960000 --> 0:10:42.440000
 This table just outlines pretty
 much all uses the same format.

0:10:42.440000 --> 0:10:47.920000
 So, the threat intelligence role A,
 collect indicators of compromise,

0:10:47.920000 --> 0:10:50.620000
 TTPs, and threat actor profiles.

0:10:50.620000 --> 0:10:52.840000
 How does the SOC use this?

0:10:52.840000 --> 0:10:57.540000
 Well, the SOC uses these IOCs and TTPs
 to enrich SIEM alerts and

0:10:57.540000 --> 0:10:59.140000
 improve threat detection.

0:10:59.140000 --> 0:11:02.340000
 What's the purpose of interaction here
 with regards to this particular

0:11:02.340000 --> 0:11:04.640000
 role or activity?

0:11:04.640000 --> 0:11:10.360000
 Well, fairly obvious: to enhance the accuracy
 of alerting and correlation.

0:11:10.360000 --> 0:11:16.260000
 You then have, analyzing global threat
 landscapes and tracking adversary

0:11:16.260000 --> 0:11:19.780000
 behavior. Well, how does
 a SOC benefit from this?

0:11:19.780000 --> 0:11:23.480000
 Well, it uses this intelligence to
 prioritize alerts and conduct more

0:11:23.480000 --> 0:11:25.680000
 effective investigations.

0:11:25.680000 --> 0:11:29.220000
 And what's the purpose of interaction
 here? To improve threat identification

0:11:29.220000 --> 0:11:31.580000
 and response processes.

0:11:31.580000 --> 0:11:36.000000
 You then have providing early warnings
 about emerging threats.

0:11:36.000000 --> 0:11:38.020000
 How does the SOC use this?

0:11:38.020000 --> 0:11:42.220000
 Well, they use it to prepare detection
 systems to identify and block threats

0:11:42.220000 --> 0:11:46.260000
 proactively. Of course, what's the
 purpose of interaction here?

0:11:46.260000 --> 0:11:52.020000
 A, to reduce the time to detection,
 also known as TTD, and or as well

0:11:52.020000 --> 0:11:57.300000
 as the time to response
 abbreviated as TTR.

0:11:57.300000 --> 0:12:01.800000
 And then of course, you have sharing intelligence
 reports on new vulnerabilities

0:12:01.800000 --> 0:12:05.840000
 and exploits. How does the
 SOC use this information?

0:12:05.840000 --> 0:12:09.980000
 It uses it to ensure that vulnerable
 systems are identified and patched.

0:12:09.980000 --> 0:12:12.520000
 What's the purpose of interaction here?

0:12:12.520000 --> 0:12:18.480000
 Obvious: to reduce exposure to known
 threats, or I should

0:12:18.480000 --> 0:12:20.760000
 say, attack vectors.

0:12:20.760000 --> 0:12:23.860000
 So what are the collaboration
 points here?

0:12:23.860000 --> 0:12:28.280000
 So you have IOC sharing and enrichment,
 threat landscape analysis, vulnerability

0:12:28.280000 --> 0:12:30.580000
 alerts, and adversary profiling.

0:12:30.580000 --> 0:12:35.140000
 Those are sort of the key collaboration
 points, and now sort of succinctly

0:12:35.140000 --> 0:12:39.220000
 defined. And I'm going to sort of describe
 them a little bit better in

0:12:39.220000 --> 0:12:40.580000
 terms of what they involve.

0:12:40.580000 --> 0:12:45.620000
 So in the case of IOC sharing and enrichment,
 threat intelligence teams

0:12:45.620000 --> 0:12:54.960000
 provide the SOC with into SIEM systems.

0:12:54.960000 --> 0:12:58.980000
 And the SOC uses this data to enhance
 alert correlation and detection

0:12:58.980000 --> 0:13:03.820000
 accuracy. You then have the other collaboration
 point, which is threat

0:13:03.820000 --> 0:13:04.720000
 landscape analysis.

0:13:04.720000 --> 0:13:09.000000
 So threat intelligence teams provide
 reports about emerging threats and

0:13:09.000000 --> 0:13:11.380000
 attack campaigns to the SOC team.

0:13:11.380000 --> 0:13:15.580000
 The SOC uses these insights to prioritize
 investigations and fine-tune

0:13:15.580000 --> 0:13:16.940000
 detection rules.

0:13:16.940000 --> 0:13:19.720000
 You then have the other collaboration
 point of the third one, which is

0:13:19.720000 --> 0:13:20.660000
 vulnerability alerts.

0:13:20.660000 --> 0:13:22.560000
 So what's this all about?

0:13:22.560000 --> 0:13:25.720000
 Well, the threat intel teams identify
 zero-day vulnerabilities or exploits

0:13:25.720000 --> 0:13:28.220000
 targeting specific industries.

0:13:28.220000 --> 0:13:31.820000
 And what does the SOC do with
 this info or intelligence?

0:13:31.820000 --> 0:13:36.980000
 They ensure vulnerable systems are isolated,
 patched, or monitored closely.

0:13:36.980000 --> 0:13:39.180000
 You then have adversary profiling, right?

0:13:39.180000 --> 0:13:43.440000
 So the threat intel teams provide details
 about APT groups and their preferred

0:13:43.440000 --> 0:13:44.980000
 attack techniques.

0:13:44.980000 --> 0:13:46.520000
 TTPs, I should say.

0:13:46.520000 --> 0:13:48.320000
 How does the SOC use this information?

0:13:48.320000 --> 0:13:52.260000
 Well, they use this information to map
 detection rules to adversary TTPs

0:13:52.260000 --> 0:13:55.380000
 using frameworks like the
 MITRE ATT&CK framework.

0:13:55.380000 --> 0:14:01.280000
 So very, very simple in terms of A, how
 the red team and the SOC collaborate.

0:14:01.280000 --> 0:14:05.120000
 But more importantly, because you'll
 be working very closely with a threat

0:14:05.120000 --> 0:14:09.520000
 intelligence analyst or a threat intelligence
 team, regardless as to whether

0:14:09.520000 --> 0:14:14.620000
 you're a tier one, two, three analyst,
 more so tier two or three, and

0:14:14.620000 --> 0:14:18.740000
 more importantly, if you're an incident
 responder, this is very important

0:14:18.740000 --> 0:14:25.440000
 to understand because the threat intelligence
 team will be providing a

0:14:25.440000 --> 0:14:27.860000
 lot of information to you.

0:14:27.860000 --> 0:14:33.480000
 And as you can see here, that information
 can be used in a variety

0:14:33.480000 --> 0:14:38.000000
 of ways, but all with the objective of
 improving the organization's ability

0:14:38.000000 --> 0:14:45.920000
 to detect and of course defend against
 threats, threat actors, etc.

0:14:45.920000 --> 0:14:50.500000
 So I have another example scenario that
 sort of explains the interaction

0:14:50.500000 --> 0:14:55.560000
 between the SOC and the threat,
 the threat intel team.

0:14:55.560000 --> 0:15:00.260000
 So over here, you have the threat intel
 team to the left and you have

0:15:00.260000 --> 0:15:01.800000
 your threat intel analyst.

0:15:01.800000 --> 0:15:05.280000
 So it could just be one a threat
 intelligence analyst.

0:15:05.280000 --> 0:15:08.440000
 And on the right, you have
 the target network.

0:15:08.440000 --> 0:15:11.560000
 In this case, I haven't added those borders
 because they generally speaking

0:15:11.560000 --> 0:15:16.120000
 are working in the same organization,
 generally speaking.

0:15:16.120000 --> 0:15:21.440000
 So what happens is step one, the threat
 intelligence team identifies a

0:15:21.440000 --> 0:15:25.460000
 new ransomware variant targeting
 the financial sector.

0:15:25.460000 --> 0:15:29.580000
 And let's say the target organization
 or this organization is a company,

0:15:29.580000 --> 0:15:33.620000
 is a financial organization or company.

0:15:33.620000 --> 0:15:38.300000
 Step two, they share the IOCs
 and attack vectors with a SOC.

0:15:38.300000 --> 0:15:45.320000
 So what's next? Step three, the SOC
 integrates the IOCs into the SIEM

0:15:45.320000 --> 0:15:47.480000
 detection rules.

0:15:47.480000 --> 0:15:52.700000
 Step four, analysts start monitoring
 for suspicious file hashes or unusual

0:15:52.700000 --> 0:15:54.220000
 PowerShell activity.

0:15:54.220000 --> 0:15:58.820000
 Again, this is sort of designed or customized
 for this particular example.

0:15:58.820000 --> 0:16:03.800000
 But the bottom line is that with these
 newly integrated IOCs into the SIEM,

0:16:03.800000 --> 0:16:08.900000
 they then start monitoring for
 these IOCs, indicators of

0:16:08.900000 --> 0:16:14.660000
 compromise. So let's say again, for
 the sake of this example, step five,

0:16:14.660000 --> 0:16:19.480000
 the SOC identifies suspicious behavior
 on an endpoint or on a system within

0:16:19.480000 --> 0:16:27.100000
 the network that matches the shared
 TTPs or IOCs as it were.

0:16:27.100000 --> 0:16:30.220000
 Well, in that case, it has worked.

0:16:30.220000 --> 0:16:35.300000
 The integration of the IOCs into the
 SIEM detection rules has worked and

0:16:35.300000 --> 0:16:38.520000
 the SOC has identified the
 suspicious behavior.

0:16:38.520000 --> 0:16:40.800000
 So what do they do next?

0:16:40.800000 --> 0:16:46.600000
 They quarantine the system and
 the incident is escalated.

0:16:46.600000 --> 0:16:50.620000
 And then step seven, SOC provides attack
 details back to the threat intel

0:16:50.620000 --> 0:16:56.860000
 team, which enriches the internal threat
 database, but also the global

0:16:56.860000 --> 0:16:57.920000
 threat database.

0:16:57.920000 --> 0:17:02.980000
 If the threat intel team is actually
 sharing the intelligence or IOCs

0:17:02.980000 --> 0:17:08.520000
 globally. So hopefully this example sort
 of explains the interaction using

0:17:08.520000 --> 0:17:15.560000
 just a very basic attack, well, in
 this case, not an attack, but just

0:17:15.560000 --> 0:17:17.920000
 a simple workflow here.

0:17:17.920000 --> 0:17:22.300000
 So with that being said, that brings
 us to the end of this video.

0:17:22.300000 --> 0:17:26.080000
 And there's really nothing much to add.

0:17:26.080000 --> 0:17:29.940000
 And so with that being said, I'll
 be seeing you in the next video.
