Red Mirror: Bringing Telemetry to Red Teaming

DerbyCon 8.0 - Evolution

Presented by: Zach Grace
Date: Sunday October 07, 2018
Time: 09:00 - 09:50
Location: Marriott VII, VIII, IX, X
Track: Track 2

Providing impact and insights on a red team engagement is crucial to improving the security posture of the target organization. Too often, red teams have to comb through log files, pcaps, or other disjointed artifacts to tell the whole story, which is especially difficult on long-term engagements. The Red Mirror project is the red team's mirror of the blue team's SIEM: an ELK-based system that captures operator actions, network traffic (including C2), and MITRE ATT&CK tactics. By capturing this extensive amount of data, red teams can easily query, visualize, and report on their actions. The gathered data has the added benefit of enabling red teams to perform infrastructure and operational security monitoring.
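To make the idea concrete, here is an added example (written for this page, not code from the Red Mirror project) of the data-shaping step such a system needs: raw operator-action records are normalized into flat, queryable documents tagged with an ATT&CK technique and tactic, rendered in the line-pair format Elasticsearch's bulk API accepts, aggregated per tactic for reporting, and checked against engagement rules for operational-security alerts. The field names, sample events, engagement id and operator roster are all constructed assumptions.

```python
"""Added example: shaping red-team operator telemetry for an ELK-style index.

Illustrative code written for this page, not the Red Mirror project's own code.
Field names, sample events and the engagement policy below are assumptions.
"""
import json
from datetime import datetime, timezone

# Constructed sample records, as an operator-action logger might emit them.
RAW_EVENTS = [
    {"ts": "2018-10-01T14:03:11Z", "operator": "alice", "host": "ws-0042",
     "command": "whoami /all", "technique": "T1059", "tactic": "execution"},
    {"ts": "2018-10-01T14:09:47Z", "operator": "alice", "host": "ws-0042",
     "command": "net use \\\\FS-01\\c$", "technique": "T1021", "tactic": "lateral-movement"},
    {"ts": "2018-10-02T02:15:00Z", "operator": "mallory", "host": "fs-01",
     "command": "[credential access tool, omitted]", "technique": "T1003",
     "tactic": "credential-access"},
    {"ts": "2018-10-06T09:30:05Z", "operator": "bob", "host": "fs-01",
     "command": "beacon sleep 60", "technique": "T1071", "tactic": "command-and-control"},
]

# Constructed engagement policy: who may operate, and during which window.
ENGAGEMENT = {
    "id": "ENG-EXAMPLE-001",  # placeholder engagement id
    "operators": {"alice", "bob"},
    "start": datetime(2018, 10, 1, 8, 0, tzinfo=timezone.utc),
    "end": datetime(2018, 10, 5, 18, 0, tzinfo=timezone.utc),
}


def normalize_event(raw, engagement=ENGAGEMENT):
    """Map a raw operator record onto a flat document with consistent field names."""
    ts = datetime.strptime(raw["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "@timestamp": ts.isoformat(),
        "engagement.id": engagement["id"],
        "operator.name": raw["operator"],
        "host.name": raw["host"].upper(),  # normalize case so hosts aggregate cleanly
        "process.command_line": raw["command"],
        "attack.technique": raw["technique"],
        "attack.tactic": raw["tactic"],
    }


def to_bulk_ndjson(docs, index="redteam-ops"):
    """Render documents as the action/source line pairs the Elasticsearch bulk API expects."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


def tactic_report(docs):
    """Count actions per ATT&CK tactic: the basic input for a report or dashboard panel."""
    counts = {}
    for d in docs:
        counts[d["attack.tactic"]] = counts.get(d["attack.tactic"], 0) + 1
    return dict(sorted(counts.items()))


def opsec_alerts(docs, engagement=ENGAGEMENT):
    """Flag telemetry that breaks engagement rules: unknown operators or out-of-window activity."""
    alerts = []
    for d in docs:
        ts = datetime.fromisoformat(d["@timestamp"])
        if d["operator.name"] not in engagement["operators"]:
            alerts.append(("unknown-operator", d["operator.name"], d["@timestamp"]))
        if not (engagement["start"] <= ts <= engagement["end"]):
            alerts.append(("outside-window", d["operator.name"], d["@timestamp"]))
    return alerts


def run():
    """Normalize the sample events and return the documents, the tactic report and the alerts."""
    docs = [normalize_event(r) for r in RAW_EVENTS]
    return docs, tactic_report(docs), opsec_alerts(docs)


if __name__ == "__main__":
    docs, report, alerts = run()
    print(to_bulk_ndjson(docs))
    print("tactics:", report)
    print("opsec alerts:", alerts)
```

The opsec check is the part that turns the store from a reporting aid into monitoring: an action attributed to an operator who is not on the roster, or logged outside the authorized window, is exactly the kind of event a red team wants surfaced immediately rather than discovered while writing the report.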

Zach Grace

Zach has worked in offensive security for the last eight years focusing on securing financial institutions by breaking into them. He is currently the red team lead for a Fortune 100. Zach is the creator of the open source security projects changeme and Sticky Keys Hunter, and has contributed to several others including Metasploit, Empire and Recon-ng.


KhanFu - Mobile schedules for INFOSEC conferences.