Skip to main content

One post tagged with "red team"

View All Tags

· 10 min read

TL;DR

Previous blog: https://jstnk9.github.io/jstnk9/blog/TIBER-EU-ES-Threat-Intelligence-Series-01

After posting the first post in relation to TIBER-EU/ES from the point of view of the threat intelligence provider, now is the time to talk about the figure of the red team provider.

The purpose of the red team provider is to execute the final security test on the Entity. This execution will be supported by an extensive analysis previously carried out by the threat intelligence team where, among other cases, different scenarios are provided that should be executed, all of them with the perspective of a real attacker. Additionally, as we saw in the previous blog, the threat intelligence team provides a series of flags for the red team to obtain during its execution, thus motivating the execution.

As I did in the previous case, I have developed some cases in the The Hive tool so that red team teams can import them quickly and know the different actions that they have to carry out, thus allowing the use of the Task logs to document and attach everything that they carry out on the test.

The developed cases contemplate all the phases that TIBER-EU mentions in its documentation, in addition I have also included good practices and ways of facing some phases.

The fact of using The Hive is due to the following reasons:

  • Allows to merge cases
  • Can be integrated with MISP
  • Can be integrated with Cortex and its analyzers
  • Case templates can be created

GitHub project: https://github.com/jstnk9/TIBER-Cases