Better Privacy Through Offense: How To Build a Privacy Red Team

Conference: Black Hat USA 2022

2022-08-10

Summary

The presentation discusses the importance of a privacy red team in addition to a security red team, and how to build and operate one at Meta.
  • Privacy red teams focus on testing user data, while security red teams target the company as a whole
  • Blue teams need to be aware of the activities of privacy red teams to avoid triggering alarms
  • Meta's privacy red team conducts adversarial testing through adversary emulation, purple team operations, and product compromise tests
  • Operations that can be performed include detecting sensitive data leaks and testing the accessibility of contact information
  • The goal is to proactively identify and mitigate risks to user data and privacy

One example of an operation is testing the accessibility of contact information. Low-sophistication adversaries can easily access functionality that allows them to input or output contact information, making it important for blue teams to have detections in place. Another example is detecting sensitive data leaks, which can be caused by absent-minded developers who may unknowingly use external resources to process data. By conducting adversarial testing, Meta's privacy red team aims to proactively identify and mitigate risks to user data and privacy.

Abstract

Red teams are an important component of a holistic cyber security program because they test how well the program stands up to threats from real adversaries. In 2021, Meta created a privacy red team to help improve our privacy posture and preserve the privacy of our ~3 billion users and their data. Based on that experience, we present the case for why a privacy-focused red team is an important part of a holistic privacy program. In this talk, you'll learn what a privacy red team is, how it's different from a security red team, the challenges we faced, and examples of real operations we performed. You'll walk away with a better understanding of how privacy red teaming can benefit your organization, and the role that offense can play in your privacy defense.
