#BHUSA @BlackHatEvents
Information Classification: General

Better Privacy Through Offense: How To Build a Privacy Red Team
Scott Tenaglia
Engineering Manager, Privacy Red Team, Meta

Agenda
01 The Case for Offensive Privacy
02 Security and Privacy
03 Meta’s Privacy Red Team
04 Operations Ideas
05 Final Thoughts

This talk is...
➢ The start of a conversation about offensive privacy.
➢ Potentially a blueprint for how your company could create a similar team or offering.
➢ To help you understand how privacy red teaming fits into a holistic privacy program.

This talk is not...
➢ A product or service pitch.
➢ A conversation about any other aspect of Meta beyond privacy red teaming.
➢ About absolutes.
➢ The final word on this topic.

Have you ever...
➢ Been on an op, come across some PII, but don’t know what to do about it?
➢ Been asked to start recording access to user data as a finding?
➢ Been asked to perform a more privacy-focused assessment?
➢ Had a finding but no one cared because it didn't have enough “security” impact?

Security and Privacy programs help mitigate risk.
[Diagram labels: Perceived Risk, Mitigations, Red Team]
*Image courtesy of the NIST Privacy Framework https://www.nist.gov/privacy-framework/privacy-framework
Red teams identify actual risk by testing mitigations from an adversarial perspective.
Mitigations are a combination of people, process, and technology (i.e., a blue team).

[Diagram labels: Perceived Risk, Mitigations, Red Team, Scanning, Attack Surface Enumeration, Scraping, Large Scale Data Access]
*Image courtesy of the NIST Privacy Framework https://www.nist.gov/privacy-framework/privacy-framework
Identify the actual risk to systems and networks.
Identify the actual risk to the user’s privacy and their data.

PDF document: US-22-Tenaglia-Better-Privacy-Through-Offense-How-To-Build-a-Privacy-Red-Team

The document has 27 pages in total; 3 pages are available in this preview.
This document was uploaded and shared by SC on 2023-05-03 01:08:09.