JARGON ALERT! VULNERABILITY SCAN PENETRATION TEST RED TEAM/BLUE TEAM

Transcription

1

2 DIRECTOR OF TECHNOLOGY AND INFORMATION SYSTEMS 20+ YEARS CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL (CISSP) CERTIFIED GIAC SYSTEM AND NETWORK AUDITOR (GSNA) CERTIFIED GIAC INCIDENT HANDLER (GCIH) M.S. IN COMPUTERS AND TECHNOLOGY IN EDUCATION UNITED STATES MARINE CORPS

3 GOALS EXPLAIN RED TEAM EXERCISES ILLUSTRATE COMMAND AND CONTROL COVERT CHANNELS OUTLINE SOURCES OF DATA TO IDENTIFY COVERT CHANNELS EXAMINE TWO COMMAND AND CONTROL RED TEAM EXERCISES OUTLINE BEGINNING STEPS TO CONDUCTING RED TEAM EXERCISES

4 JARGON ALERT! VULNERABILITY SCAN PENETRATION TEST RED TEAM/BLUE TEAM

5 RED TEAM OPPOSING FORCE (OPFOR) FINISH THE FOLLOWING SENTENCE, THE RED TEAM S GOAL IS TO MAKE THE BLUE TEAM BETTER AT? SKILL BUILDING EXERCISE ESTABLISH CLEAR OBJECTIVE(S) TO TEST PREPARE EXERCISE TO MEET LEARNING OBJECTIVE(S) MEASURES DEFENDERS ABILITY TO MEET OBJECTIVES OF RED TEAM ENGAGEMENT

6 BLUE TEAM DEFENDERS REVIEW INCIDENT RESPONSE PROCEDURES REVIEW SOURCES OF DATA, E.G. LOGS PRACTICE OPERATION OF TOOLS, E.G. NETSNIFF, TCPDUMP, WIRESHARK GATHER NECESSARY EQUIPMENT, TOOLS, AND SUPPLIES, E.G. EXTRA MONITORS AND SNACKS

7 WHAT KEEPS YOU UP AT NIGHT?

8 WHAT KEEPS YOU UP AT NIGHT? LOCKHEED MARTIN CYBER KILL CHAIN IDENTIFY & RECON INITIAL ATTACK COMMAND & CONTROL 2018 VERIZON DBIR-C2 WAS PRESENT IN 19 OUT OF EVERY 100 BREACHES IN EDU 2018 TRUSTWAVE GLOBAL SECURITY REPORT MEDIAN TIME BETWEEN INTRUSION AND DETECTION FOR EXTERNALLY DETECTED COMPROMISES WAS 83 DAYS IN 2017 DISCOVER & SPREAD EXTRACT & EXFILTRATE

9 GOALS OF COMMAND AND CONTROL CREATE TWO WAY COMMUNICATION CHANNEL BETWEEN ATTACKER AND TARGET GATHER INFORMATION HARVEST ACCOUNTS AND PASSWORDS MOVE LATERALLY IN NETWORK TO FIND ADDITIONAL VICTIM DEVICES EXFILTRATE DATA USE DEVICES AND NETWORK FOR FURTHER GAIN

10 COMMAND & CONTROL (C2, CNC) HOW WOULD I KNOW IF A COMPROMISED COMPUTER OR SERVER IS COMMUNICATING THROUGH A C2 COVERT CHANNEL? WHAT SOURCES OF DATA DO I LOG THAT WILL HELP IDENTIFY A C2 COVERT CHANNELS? WHAT SOURCES OF DATA CAN I LOG THAT WILL HELP IDENTIFY A C2 COVERT CHANNELS? WHAT MONITORING SYSTEMS DO I HAVE THAT WILL TRIGGER ON COVERT CHANNELS? WHAT TYPE OF TRIGGERS CAN I DEVELOP TO ALERT ON C2 COVERT CHANNELS?

11 FIREWALL A FIREWALL IS A NETWORK SECURITY DEVICE THAT MONITORS INCOMING AND OUTGOING NETWORK TRAFFIC AND DECIDES WHETHER TO ALLOW OR BLOCK SPECIFIC TRAFFIC BASED ON A DEFINED SET OF SECURITY RULES.

12 JARGON ALERT!

13 http-80 https-443 I have 80/443 open. You can pass. I m listening on 80/443. Here s what I have.

14 smb-445 (Windows File Shares) I do not have port 445 open. You shall not pass.

15 I m stateful. I ll remember what port you use. I ve been configured to permit you access to all 65,535 tcp ports and all 65,535 upd ports. http-80 https-443

16 -25/110/143. You can pass. Outgoing. Sure. I ll remember. I remember you. You can pass.

17

18 +avoid+detection/23573/

19 SOURCES OF DATA FOR C2 DETECTION PREVENTION IS IDEAL, BUT DETECTION IS A MUST -DR. ERIC

20 SOURCES OF DATA FOR C2 DETECTION FIREWALL WEB PROXY DNS (WINDOWS EVENT LOGS) NETFLOW (SESSION DATA) FULL PACKET CAPTURE (IF PERMITTED)

21 SOURCES OF DATA: FIREWALL EMERGENCY (SEVERITY 0) SYSTEM IS UNUSABLE. ALERT (SEVERITY 1) IMMEDIATE ACTION IS NEEDED. CRITICAL (SEVERITY 2) CRITICAL CONDITION. ERROR (SEVERITY 3) ERROR CONDITION. WARNING (SEVERITY 4) WARNING CONDITION. NOTIFICATION (SEVERITY 5) NORMAL BUT SIGNIFICANT CONDITION. INFORMATION (SEVERITY 6) NORMAL INFORMATION MESSAGE. DEBUGGING (SEVERITY 7) DEBUGGING MESSAGE. The firewall is logging. I think...

22 SOURCES OF DATA FOR C2 DETECTION IF YOU HAVEN'T TESTED AND VALIDATED [YOUR SECURITY MONITORING S DETECTION CAPABILITIES], DON'T CONSIDER IT DETECTION, IT'S JUST A RULE WITH A PRAYER. RUSS

23 RED TEAM #1-OBJECTIVES PRACTICE INCIDENT RESPONSE PROCEDURES, E.G. EVENT CORRELATION IDENTIFY AND CONTAIN COMPROMISED DEVICE LOCATE COMPROMISED DEVICE IDENTIFY C2 COVERT CHANNEL(S) DETERMINE LATERAL MOVEMENT TEST OUR MANAGED SECURITY SERVICE

24 RED TEAM #1-OBJECTIVES INCIDENT RESPONSE SANS PICERL MODEL PREPARATION IDENTIFICATION CONTAINMENT ERADICATION RECOVERY LESSONS LEARNED

25 SCOPE OF NETWORK >8500 STUDENTS >1900 EMPLOYEES >14,000 DEVICES ON NETWORK (WIRED AND WIRELESS) 14 LOCATIONS CONNECTED VIA FIBER NETWORK 71 TELECOMMUNICATIONS CLOSETS

26 RED TEAM: LAN TURTLE

27 RED TEAM: HAK5 LAN TURTLE 20 PREINSTALLED MODULES ON LAN TURTLE: AUTOSSH-PORT 22 NETCAT-REVSHELL ANY PORT (6666) METERPRETER (METASPLOIT)-ANY PORT (4444) DIGITAL OCEAN

28

29 Outgoing 22, 4444 and Sure. I ll remember. I remember you. You can pass.

30

31

32 RED TEAM: HAK5 LAN TURTLE RED TEAM KICK OFF: RED TEAM WAS SCHEDULED FOR A DAY GOOD FOR BLUE TEAM MEMBERS DISTRICT IN-SERVICE COMPROMISED DEVICE STARTED LATERAL SCANNING (KNOWN TO TRIGGER ALARMS IN LANCOPE--NETFLOW) COMPROMISED DEVICE PARTIALLY HIDDEN ON CROWDED DESK IN LIBRARY

33 RED TEAM: HAK5 LAN TURTLE LESSONS LEARNED: INITIALLY DISCOVERED ANOTHER DEVICE WITH WEIRD OUTBOUND COMMUNICATIONS REINFORCED ABILITY TO USE TOOLS TO LOCATE DEVICES VIA DHCP, IP SCOPE, MAC ADDRESS, PHYSICAL PORT, E.G. CAN YOU IDENTIFY WHAT DEVICE HAD A SPECIFIC IP ADDRESS TWO WEEKS AGO? IDENTIFIED NEED TO IMPLEMENT EGRESS FILTERING IDENTIFIED NEED TO FURTHER DEVELOP AND PRACTICE INCIDENT RESPONSE PROCEDURES USE OF SHARED TIMELINE TO RECORD IR ACTIONS TEAM BUILDING EXPERIENCE

34 RED TEAM #2-OBJECTIVES PRACTICE INCIDENT RESPONSE PROCEDURES PRACTICE COLLECTING DATA REQUESTED BY MANAGED SECURITY SERVICE PROVIDER DURING INCIDENT IDENTIFY C2 COVERT CHANNEL(S) DETERMINE LATERAL MOVEMENT TEST OUR MANAGED SECURITY SERVICE PROVIDER

35 RED TEAM: DNSCAT2 DNS--DOMAIN NAME SYSTEM UDP (TCP) 53 DNSCAT2 DIRECTLY TO C2 SERVER IF OUTBOUND DNS TRAFFIC IS PERMITTED TO ANY DNS SERVER DNSCAT2 INDIRECTLY TO C2 SERVER THROUGH VICTIM S DNS SERVER IF OUTBOUND DNS TRAFFIC IS PERMITTED BY ONLY VICTIM S INTERNAL DNS SERVERS DNSCAT2 LINUX AND WINDOWS POWERSHELL CLIENTS ARBITRARY COMMANDS, UPLOAD/DOWNLOAD FILES, AND SHELL POLLS EVERY 1 SECOND, NOISY

36 DOMAIN NAME SYSTEM I want to go to DNS

37 DNSCAT2 Client direct communication with DNSCAT2 C2 Server DNSCAT2 Client communication with DNSCAT2 C2 Server via Internal DNS Server

38 DNSCAT2 UNENCRYPTED DIRECT Hex to ASCII= whoami

39 DNSCAT2 UNENCRYPTED DIRECT Hex to ASCII= whoami

40 DNSCAT2 ENCRYPTED AUTHORITATIVE

41 RED TEAM DNSCAT2 RED TEAM KICK OFF: RED TEAM WAS SCHEDULED FOR A DAY GOOD FOR BLUE TEAM MEMBERS DISTRICT IN-SERVICE RULES OF ENGAGEMENT DISCUSSED, DON T MOVE TO CONTAINMENT UNTIL WE FULLY UNDERSTAND COMPROMISE POWERSHELL USED TO DOWNLOAD DNSCAT2-POWERSHELL COMPROMISED DEVICE DOWNLOADED PSEXEC (KNOWN TO TRIGGER ALARMS IN SOPHOS) COMPROMISED DEVICE BEGAN LATERAL SCANNING (KNOWN TO TRIGGER ALARMS IN LANCOPE)

42 RED TEAM: DNSCAT2 LESSONS LEARNED: BAD CONFIGURATION IN WINDOWS CLIENTS PERMITTED ELEVATED POWERSHELL PERMISSIONS IDENTIFIED NEED TO COLLECT DNS LOGS IDENTIFIED NEED TO DEVELOP TRIGGERS FOR DNS ALERTING EGRESS FILTERING SPECIFIC TO IDENTIFIED SERVERS, E.G. ONLY DESIGNATED DNS SERVERS SHOULD HAVE ACCESS TO TCP/UDP 53 NEED TO FURTHER DEVELOP AND PRACTICE INCIDENT RESPONSE PROCEDURES TEAM BUILDING EXPERIENCE

43 THE WORK ISN T OVER... THE WORK ISN T OVER WITH THE COMPROMISED DEVICE IDENTIFIED AND CONTAINED WHAT WERE THE INDICATORS OF COMPROMISE (IOC)? WHAT DATA SOURCES PROVIDED INSIGHT INTO THE COMPROMISE? WHAT ARE THE ROOT CAUSES OF THE EXPLOITED VULNERABILITIES? HOW CAN WE REMEDIATE THE VULNERABILITIES? COMPENSATING CONTROLS? WHAT SKILLS DO WE NEED TO IMPROVE? WHAT INCIDENT RESPONSE PROCEDURES NEED TO BE CREATED OR UPDATED? WHAT MONITORING SYSTEMS MET EXPECTATION? WHAT SYSTEMS DID NOT MEET EXPECTATION?

44 LESSONS LEARNED CONDUCT LESSONS LEARNED MEETING AVOID FINGER POINTING AND BLAMING REVIEW EXISTING INCIDENT RESPONSE PROCEDURE DEVELOP PROCEDURE (IF ONE IS NOT AVAILABLE) FOR TYPE OF INCIDENT BRAINSTORM ADDITIONAL METHODS TO MITIGATE FUTURE RISK IDENTIFY ADDITIONAL REPERCUSSIONS RESULTING FROM IR, E.G. IMPACT OF MITIGATION. UPDATE POLICIES, REGULATIONS, AND PROCEDURES UPDATE CSIR PLAN AND IR PROCEDURES

45 START SIMPLE CIS CONTROL 12: BOUNDARY DEFENSE DENY COMMUNICATION OVER UNAUTHORIZED TCP OR UDP PORTS OR APPLICATION TRAFFIC TO ENSURE THAT ONLY AUTHORIZED PROTOCOLS ARE ALLOWED TO CROSS THE NETWORK BOUNDARY IN OR OUT OF THE NETWORK AT EACH OF THE ORGANIZATION'S NETWORK BOUNDARIES.

46 START SIMPLE-SSH/PORT 22 SSH* TO DEVICE OUTSIDE OF YOUR NETWORK, E.G. DIGITAL OCEAN USE SOURCES OF DATA, LOGS, TO IDENTIFY DEVICE ACTIVITY CORRELATE SOURCES OF DATA IDENTIFY LOCATION OF THE DEVICE, E.G. SWITCH PORT OR AP IDENTIFY OTHER ACTIVITIES, E.G. LATERAL MOVEMENT *SSH BUILT INTO LINUX AND MAC. USE PUTTY FOR WINDOWS.

47 THE MORE I PRACTICE, THE LUCKIER I GET.

48 Questions? GEORGE

49