Threat Gets a Vote: Applying a Threat Based Approach to Security Testing
Joe Vest
Background
17+ years IT (10+ InfoSec)
Co-founder of MINIS (merged with SpecterOps late 2017)
Red Teamer – Threat Emulator
Author of SANS SEC564 Red Team Operations and Threat Emulation
Some letters behind my name: OSCP, GMOB, GCFA, GWAPT, GPEN, GCIH, CISSP, CISA, others…
Who is SpecterOps? BloodHound, Empire, PowerSploit, KeeThief, CobaltStrike, DomainHunter, many others
Outline
Security Operations Design
What is a threat?
Introduction to threat based testing
Compare and contrast to other security testing types
How to apply threat focused engagements
Security Operations Design
Comprehensive security programs are not easy. Pressures come from every direction: customers, compliance, management, peers, budget, public opinion, and news.
Organizations are generally able to overcome these challenges and implement what is considered to be a robust security program:
Able to please various parties and describe a strong security program designed to stop malicious cyber-attack
Audit and compliance checks pass with a green light
Robust patch management systems are deployed
Vulnerability assessments and penetration tests are conducted
In general, the organizations have good security hygiene.
What is one of the most significant drivers of information security spending?
Protection of Sensitive Data
Protection of Sensitive Data: often includes standard security products and user education.
Regulatory Compliance
Reference: IT Security Spending Trends, Barbara Filkins, February 2016
Security Misconception: Compliance == Security
Definitions
Security (se·cu·ri·ty) [si-kyoor-i-tee] noun: precautions taken to guard against crime, attack, sabotage, espionage.
Compliance (com·pli·ance) [kuhm-plahy-uhns] noun: conformity; accordance: in compliance with orders.
Why are we spending on compliance? To be secure!
So, if I am compliant, I will be secure from attack? Well, not exactly…
Then why do compliance? To be secure?
(Diagram labels: Leadership, Compliance)
Shortcomings of Security Operations Design
Who is responsible for design and implementation?
Where does the information come from?
Have you (or someone on the team) attacked and compromised a network? To what extent?
Do you include the threat in security decision making?
Are organizations really building security programs designed to address the threat?
Risk = Threat X Vulnerability
What is a Threat?
Threat /THret/ noun (plural: threats): a person or thing likely to cause damage or danger.
Defense commonly focuses on a threat as a ‘thing’ (malware, botnet, virus, etc.)
What about the person (threat-actor) behind the malware?
Where is the Threat in Security Planning?
Good intentions by intelligent people do not add up to understanding threats or how they operate.
If the goal of security operations is to protect against malicious attack from a threat, it only makes sense to include the opinions of those you are defending against.
Why do Threats Succeed?
Consider a threat as an intelligent person bent on causing harm:
NOT an exploit of a vulnerability
NOT a piece of malware
NOT a phishing attack
Organizations use audit and compliance, vulnerability assessments, and penetration testing to evaluate and measure risk of cyber-attack.
Threat-actors know tools are deployed to stop cyber-attacks.
Real threat-actors often take actions that may NOT be used during standard security assessments.
Why Bother with a Threat Based Approach?
Isn’t identification and mitigation of vulnerabilities enough?
Consider This Scenario
(Diagram: Users, File Share, Threat, Database, DC)
After evaluating a target network, a threat-actor decides a phishing attack is their chosen method to gain access. A phish is sent to a small number of people. The phish contains an Excel attachment with a DDE based attack. One of the recipients opens the attachment, and malicious code is executed on the target, providing C2 to the threat-actor.
The threat-actor begins a series of steps: situational awareness of current access, enumeration of potential targets, and lateral movement to those targets. The threat finds clear-text database credentials in a webapp backup on a public share. The credentials are used to move laterally to a database server, where code execution provides elevated access to the database server. C2 is established at the database server and the situational awareness cycle repeats.
The threat-actor discovers elevated credentials stored in memory on the database server. The credentials are used to move laterally to a Windows domain controller and extract credential material. Using the new credential material, the threat-actor performs additional situational awareness and enumeration, and uses this information to locate their target: data on a sensitive file repository. Using the elevated access and C2 channels, the threat-actor achieves their final objective and exfiltrates the data outside the network.
Think About
Could your current security program prevent, detect, or respond to this threat?
Are you sure? Have you verified this?
What are the key indicators left by the threat that may aid Blue?
Can you identify the threat by their actions or indicators?
A Threat Will…
Organizations often have the wrong mindset of security defense
Vulnerable / Not Vulnerable
Do not click links
Policies, procedures, and compliance measure security
Log everything (you never know what you need)
Patch, patch, patch
Threats only use exploits
Our security tools will save us
Intelligent Threat Actor
Common Threat Actors: Criminals, Hacktivists, State Sponsored, Insider
Does the type really matter?
Behind every piece of malware, there is a person
Behind every hack, there is a person
Does this person know you have a comprehensive security program?
Where do we focus on the threat’s actions?
Definitions
Blue Team: Security team that defends against threats.
Command and Control / C2: Command and Control (C2) is the influence an attacker has over a compromised computer system they control.
Exfiltration: Exfiltration is the extraction of information from a target. This is typically through a covert channel.
IOC (Indicator of Compromise): Indicators of Compromise (IOC) are artifacts that identify or describe threat actions.
OPFOR: Opposing Force or enemy force, typically used by the military in war gaming scenarios. Red Teams are commonly associated with or support OPFOR in war gaming scenarios.
Operational Impact: An operational impact is the effect of a goal driven action within a target environment.
Red Team: A Red Team is an independent group that challenges an organization to improve its effectiveness.
ROE (Rules of Engagement): The Rules of Engagement establish the responsibility, relationship, and guidelines between the Red Team, the customer, the system owner, and any stakeholders required for engagement execution.
Threat: Threat is an expression of intention to inflict evil, injury, or damage.
Threat Emulation: Threat Emulation is the process of mimicking the TTPs of a specific threat.
Tradecraft: The techniques and procedures of espionage. Tradecraft is typically associated with the intelligence community. TTPs and Tradecraft are used interchangeably in this course.
TTPs: TTPs are Tactics, Techniques and Procedures (sometimes called Tools, Techniques, and Procedures).
Red Teaming Definition
Red Teaming … is the process of using tactics, techniques, and procedures (TTPs) to emulate a real-world threat with the goals of training and measuring the effectiveness of people, processes, and technology used to defend an environment.
Red Team ... an independent group that challenges an organization to improve its effectiveness.
Source: SANS SEC 564 Red Team Operations and Threat Emulation
Threat Based Assessments through Red Teaming
Measures the effectiveness of the people, processes, and technology used to defend a network
Trains and/or measures Blue Teams
Can test and understand specific threats or threat scenarios
"We don't rise to the level of our expectations, we fall to the level of our training." (Archilochus, Greek poet, around 650 BC)
Red Teaming VS Other Security Tests
(Diagram plotting DEPTH against BREADTH: Vulnerability Assessment, Penetration Testing, Red Teaming)
Red Teaming VS Vulnerability Assessment
According to NIST, a Vulnerability Assessment is a “… systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.”
Think About This: A red team (threat) rarely uses vulnerability scanning tools during an engagement.
Red Teaming VS Penetration Testing
According to the NIST Special Publication (Rev. 4) control CA-8, penetration testing is defined as “… a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries….”
VS
Red Teaming is the process of using TTPs to emulate a threat with the goals of training/measuring security operations (Blue Team).
PDRR Observation and Measurement Coverage
(Diagram labels: Protect, Detect)
Reduce attack surface
Good security hygiene
Measure security operations as a whole
Train and engage Blue Teams
Red Teaming Take Away
Vulnerabilities and exploits may be used, but only as a means to an end. Focus on goals and organizational impacts!
Organizational and operational impacts can be extremely valuable (examples):
Measure the ability a threat has to laterally move throughout a network
Measure the ability a threat has to escalate privileges
Measure the ability a threat has to exfiltrate sensitive data
Can a threat degrade, disrupt, deny, or destroy operations?
Training is key. Blue teams must practice before facing a real threat.
Understanding Risk Through Threat Actions
Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™): framework, knowledge base, and model for cyber adversary behavior
Focused on threat TTPs and tradecraft vs. exploits and vulnerabilities
Threat Hunter Playbook
MITRE ATT&CK
Using IOCs to Measure Security
(Diagram: Workstation running an HTTP/80 Agent (standard user) and an SMB Agent (system user); Workstations, Servers, Data)
Threat Profile
Category: Description
General: Mid-tiered threat that uses common offensive tools and techniques
Goal and Intent: Exist in the network to enumerate systems and information in order to maintain command and control to support future attacks, and to determine if and when a Blue Team can detect and identify the threat’s IOCs
Key IOCs: Cobalt Strike HTTP beacon on TCP 80; Cobalt Strike SMB beacon on TCP 445
C2 Overview: HTTP on port 80; Cobalt Strike Beacon with a 1-minute callback time; calling directly to threat owned domains
TTPs (Enumeration, Delivery, Lateral Movement, Privilege Escalation, etc.): Assumed breach model, no initial delivery via exploitation. Post exploitation via Cobalt Strike commands. Enumeration and lateral movement via Cobalt Strike and native Windows commands. Privilege escalation limited and determined post exploitation.
Exploitation: Assumed breach model, no exploitation.
Persistence: User level persistence using explorer.exe DLL hijack (linkinfo.dll); WMI Event Persistence (msupdate.exe)
Disk IOC Overview
IOCs: HTTP traffic over TCP port 80 beacons every 60 seconds with a 20% jitter (drift)
Payload: linkinfo.dll
Location: c:\Windows\linkinfo.dll
Timestamp: 07/13/ :31 PM
Size: 288,768
MD5: 4a247a94bd215f081c04ef235d158ce1
Metadata: Company: Microsoft Corporation; Description: Windows Volume Tracking; Product: Microsoft® Windows® Operating System; Prod version: File version: (win7_rtm )
IOCs: SMB beacon using on demand access
Payload: msupdate.exe
Location: c:\Windows\msupdate.exe
Timestamp: 07/13/ :31 PM
Size: 290,816
MD5: d462fba52a345b63ef918
Metadata: Company: Microsoft Corporation; Description: Host Process for Windows Services; Product: Microsoft® Windows® Operating System; Prod version: File version: (win7_rtm )
HTTP Beacon Network IOC Overview
HTTP IOC (GET):
GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=T2Yw28y-t_hTdfBSImdzQw HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: download.windowsupdate.com
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

HTTP/ OK
Cache-Control: private, max-age=0
Content-Type: application/octet-stream
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Connection: close
Content-Length: 64

HTTP IOC (POST):
POST /v11/2/windowsupdate/selfupdate/WSUS3/NzIxMg HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*
Content-Type: application/x-www-form-url-encoded
Host: download.windowsupdate.com
Content-Length: 29
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

status=iVtM41G4gRnsNKaocUaOTw

HTTP/ OK
Cache-Control: private, max-age=0
Content-Type: application/octet-stream
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Connection: close
Content-Length: 0
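The network IOCs above (HTTP on TCP 80 with a spoofed download.windowsupdate.com Host header, a 60-second callback with 20% jitter, and the selfupdate/WSUS3 URI family) can be turned into the kind of detection logic a Blue Team would use to prove it can see this threat. The Python below is an added example, not code from the slides or from Cobalt Strike; it assumes a constructed proxy log format (timestamp, client IP, method, Host, path) and a simple inter-arrival-time test for periodicity.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the slides): ISO timestamp, client IP, method, Host, path.
# 10.0.0.21 mirrors the slide's HTTP IOC; 10.0.0.33 is ordinary browsing.
SAMPLE_LOG = """\
2018-07-13T13:31:00 10.0.0.21 GET download.windowsupdate.com /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=T2Yw28y-t_hTdfBSImdzQw
2018-07-13T13:31:52 10.0.0.21 GET download.windowsupdate.com /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=aaaa
2018-07-13T13:32:49 10.0.0.21 POST download.windowsupdate.com /v11/2/windowsupdate/selfupdate/WSUS3/NzIxMg
2018-07-13T13:33:38 10.0.0.21 GET download.windowsupdate.com /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=bbbb
2018-07-13T13:34:37 10.0.0.21 GET download.windowsupdate.com /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=cccc
2018-07-13T13:31:05 10.0.0.33 GET www.example.com /index.html
2018-07-13T13:31:09 10.0.0.33 GET www.example.com /news
2018-07-13T13:40:00 10.0.0.33 GET www.example.com /about
2018-07-13T13:55:12 10.0.0.33 GET www.example.com /contact
"""

CALLBACK_SECONDS = 60   # threat profile: 1-minute callback time
JITTER = 0.20           # disk IOC slide: 20% jitter (drift)
MIN_REQUESTS = 4        # assumption: at least 3 intervals before calling a stream periodic

def parse_log(text):
    """Yield (timestamp, src, method, host, path) from the constructed log format."""
    for line in text.splitlines():
        ts, src, method, host, path = line.split(" ", 4)
        yield datetime.fromisoformat(ts), src, method, host, path

def matches_uri_ioc(path):
    """Path family shared by the GET and POST IOCs on the network IOC slide."""
    return "/windowsupdate/selfupdate/WSUS3/" in path

def find_beacons(text, callback=CALLBACK_SECONDS, jitter=JITTER, min_requests=MIN_REQUESTS):
    """Return {(src, host): median interval in seconds} for request streams whose
    inter-arrival times all fall inside the jitter band around the callback time.
    The band is symmetric (48-72 s for 60 s / 20%) so it covers drift either way."""
    per_pair = defaultdict(list)
    for ts, src, _method, host, _path in parse_log(text):
        per_pair[(src, host)].append(ts)
    low, high = callback * (1 - jitter), callback * (1 + jitter)
    hits = {}
    for pair, times in per_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(low <= d <= high for d in deltas):
            hits[pair] = statistics.median(deltas)
    return hits
```

Genuine Windows Update clients also request selfupdate/WSUS3 paths from the real download.windowsupdate.com, so the URI match alone is weak evidence; the timing test and the destination address (the profile calls directly to threat owned domains) are what separate this beacon from legitimate traffic.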
In Conclusion
The threat should have a vote in what is implemented in security operations.
Red teaming may identify vulnerabilities and exploits, but they are only a means to an end. Focus on threat-actor goals!!
Measuring a threat’s ability to impact an organization’s operations can be extremely valuable: what ability does a threat have to degrade, disrupt, deny, or destroy operations?
MITRE ATT&CK can help.
Training is key. Blue teams (defensive teams) must practice before they can or should be expected to deal with a real threat!
Red Teaming and Threat Emulation Training
SANS SEC 564 Red Team Operations and Threat Emulation
SpecterOps Adversary Tactics: Red Team Operations
Adversary Tactics: Active Directory
Adversary Tactics: Powershell
Adversary Tactics: Detection
Blog: threatexpress.com