Too often organizations conduct assessments in a vacuum: physical, network, social, or application-layer. Attackers do not confine themselves this way; they use whatever combination of techniques most effectively achieves their desired impact. Red team assessments aim to simulate these attacks more realistically and identify risk through composite, cross-domain attack vectors. This talk will cover several shortcomings of the current "model" of red teaming across the industry and how we can more effectively incorporate the application-specific attack surface into a red team effort. War stories will be shared to show the effectiveness of application-centric composite attacks in this new approach.
Robert Wood is a Senior Security Consultant at Cigital and leads the development and execution of the red team assessment practice for the firm. Robert has worked with a number of clients, ranging from Fortune 100 financial institutions to gaming companies, providing security services at every stage in the SDLC. Prior to Cigital, Robert worked for Secure Network Technologies, where he developed the mobile forensic investigation practice and focused his penetration testing efforts on red teaming and network security assessments.