Hacking to Get Caught. (Updated) Thoughts About Adversary Replica?on and Penetra?on Tes?ng

Transcription

1 Hacking to Get Caught (Updated) Thoughts About Adversary Replica?on and Penetra?on Tes?ng

2 Overview Personal Introduc?on Hacking to Get Caught The Conversa?on Adversary Simula?on Challenges

3 Personal Introduc?on Occupa?on: Vendor Primary Skill: SoJware Developer Previous (Related) Problems What When Red Team Collabora?on Capability Development for Red Teams now Threat Emula?on now

4 Cyber Defense Exercises White box approach AVempt to replicate adversary tac?cs Exercise detec?on, response, and mi?ga?ons Takes place in a lab Full disclosure between red and blue ajerwards

5 Hacking to Get Caught An assessment of a customer s post- compromise security posture

6 Why? Exercise post- compromise security controls Train and measure teams responsible for intrusion response and monitoring Validate investment in security products, services, and intelligence subscrip?ons

7 Strand, J. PenTest Prepara?ons: Post Exploita?on hvp://

8 Jacob, N. Threat Models that Exercise your SIEM and Incident Response hvps://

9 Kikta, M. Seeing Purple: Hybrid Security Teams for the Enterprise hvps://

10 VioPoint s Security Exercise Approach.. Build a threat model relevant to customer Construct a story board for a poten?al avack Use a red team to execute story in produc?on Work with customer to improve controls and processes for each observable step of avack

11 Mudge, R. Hacking To Get Caught: A Concept For Adversary Replica?on and Pen Tes?ng hvps:// TXMmvI

12 Cyber Aggressors Red Team = Representa?ve Adversary Threat Intel + TradecraJ = Aggressor Simulate a Real AVack from a Real Actor Exercise customer s analy?cal capability as well as technical controls Validate use of threat intelligence in your security program

13 MicrosoJ s Red Team

14 MicrosoJ s Approach Assume compromise Use same tac?cs as real adversaries Against produc?on infrastructure Without foreknowledge of blue teams Test detec?on and response capability Goal is to reduce: Mean-?me- to- detec?on Mean-?me- to- recovery Requires full disclosure between red and blue ajerwards

15 Does this phenomena have a name? (Threat Adversary) Emula?on (Threat Adversary) Simula?on AVack Simula?on Purple Teaming Red Team- Lite?

16 What s in a name? Purple Teaming Red Team and Blue Team cooperate to understand and improve security posture Adversary Simula?on Expose customers to tac?cs, techniques, and procedures beyond the typical pen tester arsenal! Purple Teaming Adversary Simula?on

17

18 VigneVe: Lateral Movement

19

20 Adversary Simula?on Train and Measure Intrusion Detec?on/Response Assume Breach White box Emulate tac?cs, techniques, and procedures of a specific adversary Adversary Indicators maver too! Use story board to direct red ac?vity Full debrief between red and blue

21 Challenges Capability Gaps Simulated Indicators Story Telling

22 Capability Gaps Need tools [and trained operators] that can perform adversary ac?ons in a credible way

23 Simulated Indicators Traffic Genera?on? Use exis?ng malware? Build custom malware? Customizable Indicators?

24

25 My Dream Adversary Simula?on Tool A post- exploita?on agent that fools an analyst into believing they re working with other malware On- disk Wire Behavior

26

27 Malleable C2

28 Repor?ng Requirements Indicators,?mestamps, and assets File uploads System configura?on changes Network ac?vity (including pivo?ng) Map red ac?vity to blue sensors and tools Avoid ambiguity during discussion.

29 Why I m excited? Adversary Simula?on Cost and Time Effec?ve Repeatable Customers get it Opportunity to expose more organiza?on s to hacking techniques of modern adversary

30 Summary Personal Introduc?on Hacking to Get Caught The Conversa?on Adversary Simula?on Challenges