
Red Team's SIEM - 1nvalid
https://github.com/outflanknl/RedELK
======
raesene9
It's interesting to see the development of Red team tooling over the last
couple of years.

It's obviously necessary for red teamers to continue to advance to be able to
cope with improving Blue team technology.

However Red Team tech. is, by its nature, dual-use. It's equally useful for
"real" attackers to have these capabilities as it is for people emulating real
attackers. The nature of open source makes these capabilities quickly
distributable.

So these capabilities will help "real" attackers in the same way they help red
teams...

Terminology - Red Team - Set of security professionals who emulate "real
world" attackers in an attempt to find exploitable flaws in organizations'
systems. Blue Team - defensive security professionals whose job it is to
detect and respond to attacks from real attackers and red teamers.

~~~
freehunter
As someone who has spent their entire life on the blue team, I've used some of
these red team tools to assess my effectiveness. I can remember using
Metasploit to make as much noise as possible to test my team's responsiveness
to our SIEM going crazy with alerts. We've used Burp and similar tools to
perform security audits of the company's custom code, and audits of software
we're doing a PoC with to ensure quality.

I've never once worried that the tools I'm using would end up in the hands of
more sophisticated hackers. If anything, I'm glad for the basic red team tools
because it makes script kiddies easier to find. They're not going to do custom
exploits anymore when Metasploit exists. On the other side, it's almost always
a safe bet that the actual bad guys are going to skip the off-the-shelf
tools...

... assuming, of course, you have a decent enough security posture as-is. If
script kiddies and ransomware and Zeus can get into your network unnoticed,
you've got a much larger problem on your hands. Unfortunately, most companies
still fall into this category because even companies that spend tens of
millions of dollars on security don't take basic security seriously.

~~~
raesene9
So as a Blue teamer your perspective makes sense, as presumably you only work
in organizations who can afford dedicated blue teams :)

Where I think most of the re/mis-use of red team tools would be effective is
in the many organizations who are not yet mature enough to staff a dedicated
blue team capability...

------
swalsh
Am I alone in seeing a trend of corporations really tooling up their security?
I realize that in the age of digital transformation, securing your digital
infrastructure is critical. And you have to do it, or your business is at
serious risk... but it keeps getting bigger; additionally, so much of security
is also physical.

I guess my concern is if you combine this with the longer term trend of the
dominance of corporations in our lives, in that they seem to be increasingly
becoming small nation states of their own. It just seems like we're a few
steps away from corporations having their own standing armies, digital and
physical... and all the potential problems associated with that.

~~~
freehunter
I've spent a decade in information security and I've been working as a
consultant from a security vendor for the past few years, and yeah there's
been a big outpouring of cash for security. Unfortunately it's almost never
spent right and most of it goes to waste. So you don't need to worry about a
corporation having a standing army when it comes to information security,
because that army doesn't have guns and isn't allowed to engage the enemy. An
army, yes, but they're defending the Maginot Line [1]

I have a customer whose SIEM generates several hundred high severity alerts
every month, and they've told me that those alerts are 90% accurate and it's a
real actual high severity security incident on every true positive. We've
tried to get them to put controls in place to prevent the activity rather than
merely responding to the incident after it was detected, but doing so would
cause a workflow change for some business units, and they can't do that. All
they can do is detect and respond, not prevent. To compensate, they hired more
security analysts to respond faster, and bought more tools to detect
quicker... but they're still just responding after the fact. The security
incident already happened. Millions of dollars per year wasted. And this isn't
uncommon.

[1]
[https://en.wikipedia.org/wiki/Maginot_Line](https://en.wikipedia.org/wiki/Maginot_Line)

------
rsanheim
ELI5 please. Why should I care about this?

~~~
O_H_E
TLDR: highly sophisticated tools for cyber security analysts.

Yeah, had the same reaction. It takes some background to get what they are
talking about.

Red Team: A team that tries to exploit an organisation to find weaknesses
before black hat hackers find them. [1]
Blue Team: A team that tries to protect the org from the red team and fix the
exploits. [2]
SIEM: Security Information and Event Management. Usually used by Blue teams. [3]

[1]
[https://en.wikipedia.org/wiki/Red_team](https://en.wikipedia.org/wiki/Red_team)
[2]
[https://en.wikipedia.org/wiki/Blue_team_(computer_security)](https://en.wikipedia.org/wiki/Blue_team_\(computer_security\))
[3]
[https://en.wikipedia.org/wiki/Security_information_and_event...](https://en.wikipedia.org/wiki/Security_information_and_event_management)

PS: search skills are really important these days.

~~~
oblio
I did the searching you mention, and I found the info you mention. But the
link sucks on its own, for it to be #1 on HN, in my opinion.

The page is written with the philosophy: if you don't know what all these
terms are, you don't belong here. Which is fine for a random Github repo.

I'd be curious to know about HN's sorting algorithms, this topic seems such a
niche thing that I'm amazed this page reached #1...

~~~
coldtea
> _The page is written with the philosophy: if you don't know what all these
> terms are, you don't belong here. Which is fine for a random Github repo._

It's also fine for a page meant for a specific audience. It's not like they
want to attract random developers working outside security.

Whenever someone says something akin to "Hey that project's page didn't
explain/market their offering well enough for me!", an obvious counter
question is "and who said their intention was to promote it to you?".

Sometimes the complaint is legitimate (e.g. a programming language or project
that wants wide adoption should explain what it is clearly and attractively on
its webpage). Other times it's just that not everybody is the intended
audience, and they already explain what they do well if you're the intended
audience (in which case you know the terms they use, etc).

> _I'd be curious to know about HN's sorting algorithms, this topic seems
> such a niche thing that I'm amazed this page reached #1..._

Perhaps enough people know about this stuff already and voted it as soon as
they saw it? I didn't know what Red/Blue teams are, but there are several
security people here that do.

~~~
rsanheim
I actually assumed it was from the GitHub blog from the front page link, so
assumed it was from former colleagues / friends (I worked at GH, and know many
of the fine people there).

Then I realized it was just a random GH repo and some sort of security tools
software. And even then, was full of its own jargon -- blue team / red team /
white team. So I could only ask wtf is this even doing here. Like how does
this particular security software impact my life as a generalist software
developer, or even if I was just some random technologist person.

~~~
freehunter
I work in information security, and do you know the number of articles I see
here on a daily basis that have their own jargon and don't help my life, where
I wonder WTF is this doing here? This is a big forum with lots of people who do
lots of things. This isn't "Rsanheim News", not everything needs to be custom
tailored to your desires.

Since you work in the tech industry, you should be aware that Google exists
and you can very quickly find out what a SIEM is (if you don't do log
management you should look into it) and what a red team is (if you don't do
security audits you should look into it) and hey, now you know what the
subject is.

~~~
rsanheim
"rsanheim news" is all lowercase, btw

