Threat Gets a Vote: Applying a Threat Based Approach to Security Testing
Joe Vest - @joevest

Background
- 17+ years IT (10+ InfoSec)
- Co-founder of MINIS (merged with SpecterOps late 2017)
- Red Teamer – Threat Emulator
- Author of SANS SEC564 Red Team Operations and Threat Emulation
- Some letters behind my name: OSCP, GMOB, GCFA, GWAPT, GPEN, GCIH, CISSP, CISA, others…

Who is SpecterOps?
- BloodHound
- Empire
- PowerSploit
- KeeThief
- CobaltStrike
- DomainHunter
- Many others

Outline
- Security Operations Design
- What is a threat?
- Introduction to threat based testing
- Compare and contrast to other security testing types
- How to apply threat focused engagements

Security Operations Design
- Comprehensive security programs are not easy: pressures come from every direction (customers, compliance, management, peers, budget, public opinion, and news).
- Organizations are generally able to overcome these challenges and implement what is considered to be a robust security program:
  - Able to please the various parties and describe a strong security program designed to stop malicious cyber-attack
  - Audit and compliance checks pass with a green light
  - Robust patch management systems are deployed
  - Vulnerability assessments and penetration tests are conducted
- In general, these organizations have good security hygiene.

What is one of the most significant drivers of information security spending?

Protection of Sensitive Data
- Protection of sensitive data: often includes standard security products and user education.
- Regulatory compliance
Reference: IT Security Spending Trends, Barbara Filkins, February 2016 (https://www.sans.org/reading-room/whitepapers/analyst/security-spending-trends-36697)

Security Misconception: Compliance == Security
Definitions:
- Security (se·cu·ri·ty) [si-kyoor-i-tee], noun: precautions taken to guard against crime, attack, sabotage, espionage.
- Compliance (com·pli·ance) [kuhm-plahy-uhns], noun: conformity; accordance: in compliance with orders.
Why are we spending on compliance? To be secure!
So, if I am compliant, I will be secure from attack? Well, not exactly…
Then why do compliance? To be secure?
(Diagram labels: Leadership, Compliance)

Shortcomings to Security Operations Design
- Who is responsible for design and implementation?
- Where does the information come from?
- Have you (or someone on the team) attacked and compromised a network? To what extent?
- Do you include the threat in security decision making?

Are organizations really building security programs designed to address the threat? -9-

What is a Threat?
Risk = Threat X Vulnerability
Threat /THret/, noun (plural: threats): a person or thing likely to cause damage or danger.
- Defense commonly focuses on a threat as a ‘thing’ (malware, botnet, virus, etc.)
- What about the person (threat-actor) behind the malware?

Where is the Threat in Security Planning?
- Good intentions by intelligent people do not add up to understanding threats or how they operate.
- If the goal of security operations is to protect against malicious attack from a threat, it only makes sense to include the opinions of those you are defending against.

Why do Threats Succeed?
- Consider a threat as an intelligent person bent on causing harm:
  - NOT an exploit of a vulnerability
  - NOT a piece of malware
  - NOT a phishing attack
- Organizations use audit and compliance, vulnerability assessments, and penetration testing to evaluate and measure the risk of cyber-attack.
- Threat-actors know tools are deployed to stop cyber-attacks.
- Real threat-actors often take actions that may NOT be used during standard security assessments.

Why Bother with a Threat Based Approach? Isn’t identification and mitigation of vulnerabilities enough? -13-

Consider This Scenario
(Diagram: Users, File Share, Threat, Database, DC)
After evaluating a target network, a threat-actor decides a phishing attack is their chosen method to gain access. A phish is sent to a small number of people. The phish contains an Excel attachment with a DDE2 based attack. One of the email recipients opens the attachment, and malicious code is executed on the target, providing C2 to the threat-actor. The threat-actor begins a series of steps: situational awareness of current access is performed, followed by enumeration of potential targets and lateral movement to those targets. The threat finds clear-text database credentials in a webapp backup on a public share. The credentials are used to move laterally to a database server, where code execution provides elevated access to the database server. C2 is established at the database server and the situational awareness cycle repeats. The threat-actor discovers elevated credentials stored in memory on the database server. These credentials are used to move laterally and extract credential material from a Windows domain controller. Using the new credential material, the threat-actor performs additional situational awareness and enumeration, and uses this information to locate their target: data on a sensitive file repository. Using the elevated access and C2 channels, the threat-actor achieves their final objective and exfiltrates the data outside the network.

Think About
- Could your current security program prevent, detect, or respond to this threat?
- Are you sure? Have you verified this?
- What are the key indicators left by the threat that may aid Blue?
- Can you identify the threat by their actions or indicators?

A Threat Will…

Organizations often have the wrong mindset of security defense
- Vulnerable / Not Vulnerable
- Do not click links
- Policies, procedures, and compliance measure security
- Log everything (you never know what you need)
- Patch, patch, patch
- Threats only use exploits
- Our security tools will save us

Intelligent Threat Actor
Common threat actors:
- Criminals
- Hacktivists
- State sponsored
- Insider
Does the type really matter?
- Behind every piece of malware, there is a person
- Behind every hack, there is a person
- Does this person know you have a comprehensive security program?
- Where do we focus on the threat’s actions?

Definitions
- Blue Team: security team that defends against threats.
- Command and Control / C2: the influence an attacker has over a compromised computer system they control.
- Exfiltration: the extraction of information from a target, typically through a covert channel.
- IOC (Indicator of Compromise): artifacts that identify or describe threat actions.
- OPFOR: Opposing Force or enemy force, typically used by the military in war gaming scenarios. Red Teams are commonly associated with or support OPFOR in war gaming scenarios.
- Operational Impact: the effect of a goal driven action within a target environment.
- Red Team: an independent group that challenges an organization to improve its effectiveness.
- ROE (Rules of Engagement): establishes the responsibility, relationship, and guidelines between the Red Team, the customer, the system owner, and any stakeholders required for engagement execution.
- Threat: an expression of intention to inflict evil, injury, or damage.
- Threat Emulation: the process of mimicking the TTPs of a specific threat.
- Tradecraft: the techniques and procedures of espionage. Tradecraft is typically associated with the intelligence community. TTPs and Tradecraft are used interchangeably in this course.
- TTPs: Tactics, Techniques and Procedures (sometimes called tools, techniques, and procedures).

Red Teaming Definition
Red Teaming … is the process of using tactics, techniques, and procedures (TTPs) to emulate a real-world threat with the goals of training and measuring the effectiveness of people, processes, and technology used to defend an environment.
Red Team … an independent group that challenges an organization to improve its effectiveness.
Source: SANS SEC 564 Red Team Operations and Threat Emulation

Threat Based Assessments through Red Teaming
- Measures the effectiveness of the people, processes, and technology used to defend a network
- Trains and/or measures Blue Teams
- Can test and understand specific threats or threat scenarios
"We don't rise to the level of our expectations, we fall to the level of our training." (Archilochus, Greek poet, around 650 BC)

Red Teaming VS Other Security Tests
(Diagram: Vulnerability Assessment, Penetration Testing, and Red Teaming plotted on DEPTH and BREADTH axes)

Red Teaming VS Vulnerability Assessment
According to NIST, a Vulnerability Assessment is a “… systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.”
Think about this: a red team (threat) rarely uses vulnerability scanning tools during an engagement.

Red Teaming VS Penetration Testing
According to NIST Special Publication 800-53 (Rev. 4) CA-8, penetration testing is defined as “… a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries….”
VS
Red Teaming is the process of using TTPs to emulate a threat with the goals of training/measuring security operations (Blue Team).

PDRR
(Diagram: Observation and Measurement Coverage across Protect and Detect)
- Reduce attack surface
- Good security hygiene
- Measure security operations as a whole
- Train and engage Blue Teams

Red Teaming Take Away
- Vulnerabilities and exploits may be used, but only as a means to an end. Focus on goals and organizational impacts!
- Organizational and operational impacts can be extremely valuable (examples):
  - Measure the ability a threat has to move laterally throughout a network
  - Measure the ability a threat has to escalate privileges
  - Measure the ability a threat has to exfiltrate sensitive data
  - Can a threat degrade, disrupt, deny, or destroy operations?
- Training is key. Blue teams must practice before facing a real threat.

Understanding Risk Through Threat Actions
- Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™): framework, knowledge base, and model for cyber adversary behavior. Focused on threat TTPs and tradecraft vs. exploits and vulnerabilities. https://attack.mitre.org/wiki/Main_Page
- Threat Hunter Playbook: https://github.com/Cyb3rWard0g/ThreatHunter-Playbook and https://cyberwardog.blogspot.com/

MITRE ATT&CK

Using IOCs to Measure Security
(Diagram: a workstation running an HTTP/80 agent as a standard user and an SMB agent as a system user, with paths on to other workstations, servers, and data)

Threat Profile
- Category: General mid-tiered threat that uses common offensive tools and techniques
- Goal and Intent: Exist in the network to enumerate systems and information in order to maintain command and control to support future attacks, and to determine if and when a Blue Team can detect and identify the threat’s IOCs
- Key IOCs: Cobalt Strike HTTP beacon on TCP 80; Cobalt Strike SMB beacon on TCP 445
- C2 Overview: HTTP on port 80; Cobalt Strike Beacon with a 1-minute callback time; calling directly to threat owned domains
- TTPs (Enumeration, Delivery, Lateral Movement, Privilege Escalation, etc.): Assumed breach model, no initial delivery via exploitation. Post-exploitation via Cobalt Strike commands. Enumeration and lateral movement via Cobalt Strike and native Windows commands. Privilege escalation limited and determined post-exploitation.
- Exploitation: Assumed breach model, no exploitation.
- Persistence: User level persistence using explorer.exe DLL hijack (linkinfo.dll); WMI Event Persistence (msupdate.exe)

Disk IOC Overview
IOCs: HTTP traffic over TCP port 80 beacons every 60 seconds with a 20% jitter (drift)
  Payload: linkinfo.dll
  Location: c:\Windows\linkinfo.dll
  Timestamp: 07/13/2009 06:31 PM
  Size: 288,768
  MD5: 4a247a94bd215f081c04ef235d158ce1
  Metadata:
    Company: Microsoft Corporation
    Description: Windows Volume Tracking
    Product: Microsoft® Windows® Operating System
    Prod version: 6.1.7600.16385
    File version: 6.1.7600.16385 (win7_rtm.090713-1255)
IOCs: SMB beacon using on-demand access
  Payload: msupdate.exe
  Location: c:\Windows\msupdate.exe
  Timestamp: 07/13/2009 06:31 PM
  Size: 290,816
  MD5: 81401996518d462fba52a345b63ef918
  Metadata:
    Company: Microsoft Corporation
    Description: Host Process for Windows Services
    Product: Microsoft® Windows® Operating System
    Prod version: 6.1.7600.16385
    File version: 6.1.7600.16385 (win7_rtm.090713-1255)

HTTP Beacon Network IOC Overview

HTTP IOC
GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=T2Yw28y-t_hTdfBSImdzQw HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: download.windowsupdate.com
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: application/octet-stream
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Connection: close
Content-Length: 64

...3..X...T..f.7............&..DZ.p....`./.CG.@..b..h........C..

HTTP IOC
POST /v11/2/windowsupdate/selfupdate/WSUS3/NzIxMg HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*
Content-Type: application/x-www-form-url-encoded
Host: download.windowsupdate.com
Content-Length: 29
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

status=iVtM41G4gRnsNKaocUaOTw

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: application/octet-stream
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Connection: close
Content-Length: 0
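The network IOC above is a single request; what a Blue Team can actually measure is the timing behind it. The following is an added example (not from the slides or from SpecterOps) of a periodicity check over proxy logs that surfaces the 60-second, 20%-jitter HTTP beacon from this threat profile. The log lines are constructed, and the log format, the symmetric +/-20% window, the minimum of 5 requests and the 80% threshold are all assumptions of this example.

```python
"""Beacon periodicity check over proxy logs (added example, not from the slides).
Flags (source, destination) pairs whose request gaps cluster in the 60 s +/- 20%
window of the HTTP beacon described in the threat profile."""
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO timestamp> <source> <destination> <method> <URI>".
# ws01 shows the beacon pattern (gaps of 55, 53, 52, 57, 49, 59 seconds);
# ws02 and ws03 show ordinary, irregular browsing.
SAMPLE_LOG = """\
2018-11-17T09:00:00 ws01 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=aaaa
2018-11-17T09:00:55 ws01 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=bbbb
2018-11-17T09:00:10 ws02 intranet.example GET /index.html
2018-11-17T09:01:48 ws01 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=cccc
2018-11-17T09:02:40 ws01 download.windowsupdate.com POST /v11/2/windowsupdate/selfupdate/WSUS3/NzIxMg
2018-11-17T09:03:37 ws01 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=dddd
2018-11-17T09:04:26 ws01 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=eeee
2018-11-17T09:05:25 ws01 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=ffff
2018-11-17T09:00:15 ws03 intranet.example GET /news
2018-11-17T09:00:16 ws03 intranet.example GET /news/style.css
2018-11-17T09:06:50 ws03 intranet.example GET /news/2
2018-11-17T09:15:00 ws03 intranet.example POST /login
2018-11-17T09:30:00 ws02 intranet.example GET /reports
"""

def parse_log(text):
    """Group request timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst, _method, _uri = line.split(maxsplit=4)
        events[(src, dst)].append(datetime.fromisoformat(stamp))
    return events

def is_beaconing(stamps, interval=60.0, jitter=0.20, min_hits=5, ratio=0.8):
    """True if at least `ratio` of the inter-request gaps fall inside
    interval * (1 - jitter) .. interval * (1 + jitter).  The symmetric
    window and the 80% threshold are assumptions made for this example."""
    if len(stamps) < min_hits:
        return False
    ordered = sorted(stamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    low, high = interval * (1 - jitter), interval * (1 + jitter)
    inside = sum(1 for g in gaps if low <= g <= high)
    return inside / len(gaps) >= ratio

def find_beacons(text, **kwargs):
    """Return the (source, destination) pairs whose traffic looks like a beacon."""
    return sorted(pair for pair, stamps in parse_log(text).items()
                  if is_beaconing(stamps, **kwargs))

if __name__ == "__main__":
    for src, dst in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst}")
```

Run against the constructed log, only ws01 talking to download.windowsupdate.com is flagged; the same check with a different interval (for example the profile's SMB beacon has no fixed interval, so it would need a different approach) returns nothing.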

In Conclusion
- Threat should have a vote in what is implemented in security operations
- Red teaming may identify vulnerabilities and exploits, but they are only a means to an end. Focus on threat-actor goals!!
- Measuring a threat’s ability to impact an organization’s operations can be extremely valuable: what ability does a threat have to degrade, disrupt, deny, or destroy operations?
- MITRE ATT&CK can help
- Training is key. Blue teams (defensive teams) must practice before they can or should be expected to deal with a real threat!

Red Teaming and Threat Emulation Training
- SANS SEC 564 Red Team Operations and Threat Emulation: https://sans.org/sec564
- SpecterOps (https://specterops.io/resources/upcoming-events):
  - Adversary Tactics: Red Team Operations
  - Adversary Tactics: Active Directory
  - Adversary Tactics: PowerShell
  - Adversary Tactics: Detection

Twitter: @joevest
Email: joe@specterops.io
Blog: threatexpress.com
LinkedIn: https://www.linkedin.com/in/joe-vest