1 of 37

ADVERSARIAL EMULATION

@brysonbort

2 of 37

AKA

Win-Centric (Ego)

Business-Centric (Results)

4 of 37

Who Am I?

  • SCYTHE
    • 2016 - Fortune 50 suffered a breach
    • Performed full industry competitive analysis
    • We built it
  • The “Bounded Attack Space” Philosophy
    • Exploitation = infinite
    • Communications = finite
    • Capabilities = bounded

5 of 37

The Value of Post Exploitation

6 of 37

RED TEAM

VS.

ADVERSARY EMULATION

7 of 37

Definitions - Maturity Model

8 of 37

Red Team (and Penetration Testing)

  • Exploitation-focused
    • Popping shells is rewarding
  • Crown-jewels or bust
    • Getting Domain Admin = good.
    • Only Getting Domain Admin = less good.
  • Engagements are shorter
    • Bound by time & money
  • Not intended to emulate “real-world” adversary behavior
    • Exfiltrating documents immediately vs. sitting, combing, waiting, then stealing

9 of 37

Red Team (and Penetration Testing)

Internal Red Teams

  • Repeated engagements
    • Remediation tests
  • Use privileged/insider knowledge
    • See resource limits

External Red Team

  • Offers new perspective
    • May have other industry experience
  • “Snapshot” engagements
    • Generate report based on limited window

10 of 37

Adversary Emulation

A flexible and repeatable tool to be used by all teams.

  • Customizable
    • Change C2, Actions on Objective, etc.
  • Repeatable
    • Same engagements to be repeated & compared
  • Kill Chain Insight
    • Find the defensive choke-points and move on
  • Automatable
    • Once defined, can be shared & used by others/juniors/etc.

11 of 37

White Box vs Black Box

  • White Box: using “insider knowledge” of:
    • Organization
    • Staff
    • Products
    • Credentials
  • Black Box: “external actor” focus:
    • Reconnaissance
    • Discovery
    • Circumvention
    • Stealth

Business-Centric Defense Validation

12 of 37

Defense Validation

  • Red Team
    • Attempt to emulate threat behavior
      • Any Ransomware > WannaCry
    • Creative & Flexible Adversary
      • Today: APT
      • Tomorrow: Insider Threat
  • Blue Team
    • Controls Validation
      • Firewall still blocking ‘badurl.com’?
    • Vendor Validation
      • Monitoring for exfil via DNS?

13 of 37

Defense Validation

Executives

  • Validate Investments in Products
    • Testing People and Process
    • Value vs. Snake Oil
  • Validate Investments in People
    • Is SOC awake?
    • What am I getting for that MSSP?

14 of 37

THREAT INTELLIGENCE

& MITRE ATT&CK

15 of 37

Threat Intelligence Today

  • Static Identifiers == Disappointing
    • Ch-ch-ch-changes
    • Machine read for emulation
  • Analyst reports == “Sigh…”
    • Have to read them…
  • Breaking Imphash by Chris Balles/Ateeq Sharfuddin https://arxiv.org/abs/1909.07630
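As an added illustration of the "static identifiers change" point and of the Breaking Imphash paper cited above (example code written for this page, not from the talk or the paper): the import hash is an MD5 over the import table in the order the linker emitted it, so two binaries with identical imports in a different order get different values. The ordinal table below is a small subset of the one pefile uses, and the order-insensitive variant is a local experiment, not a standard identifier.

```python
import hashlib

# Subset of the ordinal-to-name tables pefile consults for imports that appear
# by ordinal rather than by name (only a few entries reproduced here).
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
               16: "recv", 19: "send", 23: "socket", 115: "WSAStartup"},
    "oleaut32": {2: "SysAllocString", 6: "SysFreeString",
                 8: "VariantInit", 9: "VariantClear"},
}


def import_string(dll, func):
    """Normalise one import to the 'dll.func' token that imphash hashes.
    func is either a function name (str) or an ordinal (int)."""
    lib = dll.lower()
    base, _, ext = lib.rpartition(".")
    if base and ext in ("dll", "ocx", "sys"):
        lib = base                      # strip the module extension
    if isinstance(func, int):
        # Known ordinals get their real name; unknown ones become 'ordN'.
        func = ORDINAL_NAMES.get(lib, {}).get(func, f"ord{func}")
    return f"{lib}.{func.lower()}"


def imphash(imports):
    """imphash as pefile computes it: MD5 of comma-joined tokens in table order."""
    joined = ",".join(import_string(d, f) for d, f in imports)
    return hashlib.md5(joined.encode()).hexdigest()


def order_insensitive_imphash(imports):
    """Experimental variant hashing the sorted, de-duplicated token set, so a
    reordered import table yields the same digest. Still a static identifier."""
    tokens = sorted({import_string(d, f) for d, f in imports})
    return hashlib.md5(",".join(tokens).encode()).hexdigest()


# Constructed import tables with identical content; TABLE_B only swaps two entries.
TABLE_A = [("KERNEL32.dll", "CreateFileW"), ("KERNEL32.dll", "WriteFile"),
           ("WS2_32.dll", 23), ("WS2_32.dll", 4)]
TABLE_B = [("KERNEL32.dll", "WriteFile"), ("KERNEL32.dll", "CreateFileW"),
           ("WS2_32.dll", 23), ("WS2_32.dll", 4)]

if __name__ == "__main__":
    print("imphash A:", imphash(TABLE_A))
    print("imphash B:", imphash(TABLE_B))
    print("same content, same imphash?", imphash(TABLE_A) == imphash(TABLE_B))
    print("order-insensitive equal?",
          order_insensitive_imphash(TABLE_A) == order_insensitive_imphash(TABLE_B))
```

The lesson for a detection team is the one the deck is making: an identifier that changes when nothing behaviourally relevant changes is a weak pivot, and the order-insensitive digest only patches this one property. It is still a fingerprint of a file, not of what the file does, which is why the talk moves on to behaviours and ATT&CK.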

17 of 37

Threat Intelligence Today

  • Neutered Malware == Awesome(?)
    • Risky work
    • Intensive
    • Signature-based bias

18 of 37

Threat Intelligence

Graphic derived from idea by Katie Nickels, MITRE

[Figure: labels shown are S0129 AutoIT, T1068 Exploitation for Privilege Escalation, S0194 PowerSploit, T1003 Credential Dumping, IP Address, S0002 Mimikatz, S0192 Pupy, Hash Value, T1086 PowerShell]

22 of 37

MITRE ATT&CK

  • Common language
    • Periodic Table
    • Red & Blue & Executives
  • “Meta-Layer” for behavior
    • Decouple Technique from Command
  • Visualize effectiveness
    • Works well for reports over time
  • Examples are abused
    • We are monitoring for that command!
  • Rigid Adherence
    • Don’t ignore non-ATT&CK threats
  • Can hinder re-tests
    • We’ve already tried all-the-Persistence!
  • Box focus
    • An attack is an iterative chain of events with context

23 of 37

OPEN SOURCE OPTIONS

24 of 37

The C2 Matrix Project

  • Collaborative Evaluation
  • 24 platforms
  • 19 in scope as open source
  • Initial Release - November
  • Roadmap
  • #TheC2Matrix

25 of 37

CALDERA

  • ATT&CK from Day 1
  • Adversary Behaviors out of the box
  • Open Source & Active Development
  • Agent Based
  • Deployment Issues & Bugs
  • Customization is Non-Trivial

26 of 37

PowerShell & Empire

  • Modular
  • General Purpose
  • Easy(-ish) to Use
  • Python Deprecation
  • No Longer Maintained
  • PowerShell is (becoming) burned
  • Command Line != Turn Key

27 of 37

LOLBAS (Living Off The Land Binaries and Scripts)

  • Open Source
  • Not (Yet) Completely Burned
  • Great (Re-)Validation Options
  • Windows Only
  • Tempting to focus on Signature
  • Not Turn-Key

28 of 37

BEHAVIORS

29 of 37

Emotet

  • Started in 2014
  • Uses SMTP, HTTP/S
  • Changes ~weekly, daily
  • Still a threat

Nanocore

  • Started ~2013
  • Uses HTTP/S
  • Changes ~15 days
  • Still a threat

Remcos

  • Started in 2016
  • Uses SOCKS5
  • Changed on demand
  • Still a threat

TrickBot

  • Started in 2016
  • Uses HTTP/S
  • Changes ~3-5 days
  • Still a threat

Notice any trends?

30 of 37

Host Activities (aka “Actions on Objective”)

  • Destruction: ransomware, wiper
    • But, don’t always need to wipe. Monitor for mass File Creation?
  • Escalation
    • Social Engineering & 0/N Days
  • Persistence
    • Services & User Space
  • Credentials

31 of 37

Network Activities (aka “Command & Control” or “C2”)

  • Tends to be a “finite space”
    • Adversaries use the same wires as you
  • Communication/Traffic
    • Network anomalies (& baselines)
  • C2 infrastructure
    • The Cloud is your friend (& enemy)

32 of 37

Lateral Movement

  • is …
    • Pivoting from endpoint-to-endpoint
    • Password spraying
    • Use of vulnerabilities
  • is also …
    • Combination of Network & Host
    • Should these be talking?
    • Should these be on same network?
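The two network questions raised in the C2 slide (anomalies against a baseline) and in this one (should these endpoints be talking?) can be answered from the same flow records, so here is one added example covering both; it is not code from the talk. It flags egress connections that recur at a near-constant interval, and workstation-to-workstation connections on administration ports from hosts not approved to manage peers. The subnets, approved hosts, port list, thresholds and the sample flows are all assumptions constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example (not from the talk): the internal address space,
# the workstation subnet, hosts allowed to administer peers, and the ports that
# indicate host-to-host administration.
INTERNAL = ip_network("10.0.0.0/8")
WORKSTATIONS = ip_network("10.10.0.0/16")
ADMIN_HOSTS = {ip_address("10.10.0.5")}
LATERAL_PORTS = {135, 139, 445, 3389, 5985, 5986}   # RPC, NetBIOS, SMB, RDP, WinRM


def parse_flow(line):
    """Parse one 'timestamp,src,dst,dport' flow record."""
    ts, src, dst, dport = line.split(",")
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(dport)


def find_beacons(flows, min_connections=8, max_jitter=0.2):
    """Flag (src, dst, dport) triples whose egress connections recur at a
    near-constant interval. Normal browsing is irregular, so a low coefficient
    of variation in the gaps between connections stands out against the baseline."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dst in INTERNAL:            # only egress traffic is of interest here
            continue
        by_key[(src, dst, dport)].append(ts)
    beacons = []
    for (src, dst, dport), times in by_key.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean   # ~0 for clockwork check-ins
        if jitter <= max_jitter:
            beacons.append({"src": str(src), "dst": str(dst), "dport": dport,
                            "count": len(times), "interval_s": round(mean, 1),
                            "jitter": round(jitter, 2)})
    return beacons


def find_lateral_movement(flows):
    """Flag workstation-to-workstation connections on administration ports from
    hosts that are not approved to manage their peers."""
    hits = []
    for ts, src, dst, dport in flows:
        if (src in WORKSTATIONS and dst in WORKSTATIONS and src != dst
                and dport in LATERAL_PORTS and src not in ADMIN_HOSTS):
            hits.append({"time": ts.isoformat(), "src": str(src),
                         "dst": str(dst), "dport": dport})
    return hits


def build_sample_flows():
    """Constructed flow records (not real traffic): a normal user, a periodic
    check-in to an external host, and two peer-to-peer administration connections."""
    base = datetime(2019, 11, 1, 9, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = []
    for off in [0, 37, 95, 140, 260, 333, 410, 505, 590, 700]:
        lines.append(f"{stamp(off)},10.10.4.21,10.20.1.10,445")             # file server
        lines.append(f"{stamp(off * 2 + 11)},10.10.4.21,203.0.113.10,443")  # irregular web
    for i, j in enumerate([0, 1, -2, 2, 0, -1, 1, 0, 2, -1, 0, 1]):
        lines.append(f"{stamp(60 * i + j)},10.10.7.33,198.51.100.77,443")    # 60 s +/- 2 s
    lines.append(f"{stamp(800)},10.10.7.33,10.10.7.40,445")                  # SMB to a peer
    lines.append(f"{stamp(830)},10.10.7.33,10.10.7.41,3389")                 # RDP to a peer
    lines.append(f"{stamp(850)},10.10.0.5,10.10.7.40,3389")                  # approved jump host
    return lines


def analyze(lines):
    flows = [parse_flow(line) for line in lines]
    return {"beacons": find_beacons(flows), "lateral": find_lateral_movement(flows)}


if __name__ == "__main__":
    for kind, findings in analyze(build_sample_flows()).items():
        for finding in findings:
            print(kind, finding)
```

Both checks depend on the baseline the slide mentions: the beacon detector needs to know what irregular looks like for this network (and real implants add jitter, so the tolerance is a tuning decision), and the peer-to-peer check is only as good as the list of hosts that are supposed to be talking.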

33 of 37

TOWARD A

“PURPLE” TEAM

34 of 37

Benefits & Challenges of “Going Purple”

  • Formalizes Red & Blue Joint Goal
    • … secure the organization.
  • Structure around engagements
    • Intervals & Durations
  • Rules of Engagement
    • … when allowed to bend or break.
  • Bureaucracy is hard.
    • … need to formalize process/documents.
  • Scheduling is hard.
    • … many disparate parties into one room.
  • Culture is hard.
    • … “Red vs. Blue” is wrong.

35 of 37

For more - @jorgeorchilles

SANS SEC 564 Red Team Exercises and Adversary Emulation

"Organizations are continually investing more and more in securing their digital assets. Whether investing in talent or technology, most organizations are maturing in their approach to security. While many organizations are performing basic security testing, few are performing end-to-end, threat intelligence-led adversary emulation Red Team exercises. These exercises provide a holistic view of an organization's security posture by emulating a realistic adversary to test security assumptions, measure the effectiveness of people, processes, and technology, and ultimately improve the overall security posture of the organization."
