Hacking to Get Caught… (Updated) Thoughts About Adversary Replication and Penetration Testing

Overview

• Personal Introduction
• Hacking to Get Caught
• The “Conversation”
• Adversary Simulation
• Challenges

Personal Introduction

• Occupation: Vendor
• Primary Skill: Software Developer
• Previous (Related) Problems…

  What                                  When
  Red Team Collaboration                2011 - 2013
  Capability Development for Red Teams  2012 - now…
  Threat Emulation                      2014 - now…

Cyber Defense Exercises

• White box approach
• Attempt to replicate adversary tactics
• Exercise detection, response, and mitigations
• Takes place in a lab
• Full disclosure between red and blue afterwards

Hacking to Get Caught…

An assessment of a customer’s “post-compromise” security posture

Why?

• Exercise post-compromise security controls
• Train and measure teams responsible for intrusion response and monitoring
• Validate investment in security products, services, and intelligence subscriptions

Strand, J. “PenTest Preparations: Post Exploitation” http://www.blackhillsinfosec.com/media.php

Jacob, N. “Threat Models that Exercise your SIEM and Incident Response” https://www.youtube.com/watch?v=xysJl2cSHS8

Kikta, M. “Seeing Purple: Hybrid Security Teams for the Enterprise” https://www.youtube.com/watch?v=xysJl2cSHS8

VioPoint’s Security Exercise Approach…

• Build a threat model relevant to customer…
• Construct a story board for a potential attack
• Use a red team to execute story in production
• Work with customer to improve controls and processes for each observable step of attack

Mudge, R. “Hacking To Get Caught: A Concept For Adversary Replication and Pen Testing” https://www.youtube.com/watch?v=RtAk-TXMmvI

Cyber Aggressors

• Red Team = Representative Adversary
• Threat Intel + Tradecraft = Aggressor
• Simulate a Real Attack from a Real Actor
• Exercise customer’s analytical capability as well as technical controls
• Validate use of threat intelligence in your security program…

Microsoft’s Red Team…

Microsoft’s Approach

• Assume compromise
• Use same tactics as real adversaries…
  – Against production infrastructure
  – Without foreknowledge of blue teams
• Test detection and response capability
• Goal is to reduce:
  – Mean-time-to-detection
  – Mean-time-to-recovery
• Requires full disclosure between red and blue afterwards

Does this phenomenon have a name?

• (Threat|Adversary) Emulation
• (Threat|Adversary) Simulation
• Attack Simulation
• Purple Teaming
• Red Team-Lite?

What’s in a name?

• Purple Teaming
  – Red Team and Blue Team cooperate to understand and improve security posture
• Adversary Simulation
  – Expose customers to tactics, techniques, and procedures beyond the typical pen tester arsenal!

Purple Teaming

Adversary Simulation

Vignette: Lateral Movement

Adversary Simulation…

• Train and Measure Intrusion Detection/Response
• Assume Breach
• White box
• Emulate tactics, techniques, and procedures of a specific adversary
  – Adversary Indicators matter too!
• Use story board to direct red activity
• Full debrief between red and blue

Challenges

• Capability Gaps
• Simulated Indicators
• Story Telling

Capability Gaps…

• Need tools [and trained operators] that can perform adversary actions in a credible way…

Simulated Indicators

• Traffic Generation?
• Use existing malware?
• Build custom malware?
• Customizable Indicators?

My Dream Adversary Simulation Tool

• A post-exploitation agent that fools an analyst into believing they’re working with other malware…
  – On-disk
  – Wire
  – Behavior

Malleable C2

Reporting Requirements

• Indicators, timestamps, and assets
  – File uploads
  – System configuration changes
  – Network activity (including pivoting)
• Map red activity to blue sensors and tools
• Avoid ambiguity during discussion…
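An added example of the reporting the slide asks for (not code from the talk or from any product it mentions): it pairs a constructed red activity log of indicators, timestamps and assets with constructed blue alerts, so the debrief can say which story-board step each sensor caught, which was missed, and the mean time to detection; the record fields, host names and sensor names are assumptions.

```python
"""Purple-team debrief helper: added example, not code from the talk.
Correlates a red team's reported actions (indicator, timestamp, asset) with
blue alerts to show what was detected, by which sensor, and how quickly."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class RedAction:
    ts: datetime
    asset: str      # host the red team acted on
    kind: str       # file_upload | config_change | network (pivot)
    indicator: str  # file name, configuration key, or destination host

@dataclass
class BlueAlert:
    ts: datetime
    asset: str
    sensor: str     # blue tool that raised the alert (assumed names)
    indicator: str

def correlate(red, blue, window=timedelta(hours=4)):
    """Pair each red action with the earliest alert on the same asset that
    names the same indicator within `window`; None means the step was missed."""
    results = []
    for action in red:
        hits = [a for a in blue if a.asset == action.asset
                and a.indicator == action.indicator
                and action.ts <= a.ts <= action.ts + window]
        results.append((action, min(hits, key=lambda a: a.ts) if hits else None))
    return results

def mean_time_to_detection(results):
    """Average delay between a red action and its first alert (detected steps only)."""
    delays = [hit.ts - action.ts for action, hit in results if hit]
    return sum(delays, timedelta()) / len(delays) if delays else None

def debrief(results):
    """One unambiguous row per story-board step for the red/blue discussion."""
    return [(a.kind, a.asset, a.indicator, hit.sensor if hit else "MISSED")
            for a, hit in results]

# Constructed sample logs for one lateral-movement vignette on host ws01.
T = datetime(2015, 3, 2, 9, 0)
RED = [RedAction(T, "ws01", "file_upload", "update.exe"),
       RedAction(T + timedelta(minutes=10), "ws01", "config_change",
                 r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
       RedAction(T + timedelta(minutes=25), "ws01", "network", "srv02")]
BLUE = [BlueAlert(T + timedelta(minutes=3), "ws01", "EDR", "update.exe"),
        BlueAlert(T + timedelta(minutes=40), "ws01", "NetFlow", "srv02")]
```

Running `debrief(correlate(RED, BLUE))` on the sample data lists the configuration change as MISSED, which is the kind of gap the red/blue debrief exists to surface.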

Why I’m excited

• Adversary Simulation…
  – Cost and Time Effective
  – Repeatable
  – Customers “get it”
• Opportunity to expose more organizations to hacking techniques of the modern adversary

Summary

• Personal Introduction
• Hacking to Get Caught
• The “Conversation”
• Adversary Simulation
• Challenges