@JORGEORCHILLES
Emulating Ransomware
@JorgeOrchilles
T1033 - System Owner/User Discovery
● Chief Technology Officer - SCYTHE
● Purple Team Exercise Framework (PTEF)
● C2 Matrix Co-Creator
● 10 years @ Citi leading offensive security team
● Certified SANS Instructor: SEC560, SEC504
● Author SEC564: Red Team Exercises and Adversary Emulation
● CVSSv3.1 Working Group Voting Member
● GFMA: Threat-Led Pentest Framework
● ISSA Fellow; NSI Technologist Fellow
Agenda
● What is Adversary Emulation
● What is Ransomware
● Cyber Threat Intelligence
● Adversary Emulation Plan
● Live Demo
● Defending against Ransomware
Ethical Hacking Maturity Model
https://www.scythe.io/library/scythes-ethical-hacking-maturity-model
● Based on my experience and experience in other organizations
● Not a step by step guide but can be used as a blueprint for maturing
● You can skip steps
● Every organization is different
● Don’t stop doing the previous assessment types as you mature
Adversary Emulation
● Definition:
○ A type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries.
● Goal:
○ Emulate an adversary attack chain or scenario
○ Understand organization’s preparedness if under a real, sophisticated attack
● Effort:
○ Manual
● Customer:
○ Entire organization
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
Red Team
● Definition:
○ “The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal
● Goal:
○ Make Blue Team better
○ Test and measure people, process, and technology
○ Test assumptions
● Effort:
○ Manual
○ Many tools (C2 Matrix)
● Frequency:
○ Intelligence-led (new exploit, tool, or TTP)
○ Yearly (regulatory)
● Customer:
○ Blue Teams
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
Internal vs. External Teams
Internal Red Teams
● Repeated engagements
○ Remediation retesting
● Use privileged/insider knowledge
● Sparring partner
External Red Teams
● Offers new perspective
○ May have other industry experience
● “Snapshot” engagements
Towards a Purple Team
Purple Team Exercises
● Virtual, functional team where teams work together to measure and improve defensive security posture
○ CTI provides threat actor with capability, intent, and opportunity to attack
○ Red Team creates adversary emulation plan
○ Tabletop discussion with defenders about the attacker tactics, techniques, and procedures (TTPs) and expected defenses
○ Emulation of each adversary behavior (TTP)
○ Blue Team looks for indicators of behavior
○ Red and Blue work together to create remediation action plan
● Repeat exercises to measure and improve people, process, and technology
Did you say Purple?
Framework & Methodology
● Purple Team Exercise Framework (PTEF)
● Cyber Kill Chain – Lockheed Martin
● Unified Cyber Kill Chain – Paul Pols
● Financial/Regulatory Frameworks
○ CBEST Intelligence Led Testing
○ Threat Intelligence-Based Ethical Red Teaming
○ Red Team: Adversarial Attack Simulation Exercises
○ Intelligence-led Cyber Attack Simulation Testing
○ A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry
● Testing Framework: MITRE ATT&CK
MITRE ATT&CK
https://attack.mitre.org/
IMPACT
https://attack.mitre.org/tactics/TA0040/
● The adversary is trying to manipulate, interrupt, or destroy your systems and data - MITRE ATT&CK
● Disrupt availability
● Compromise integrity by manipulating business and operational processes
● Destroying or tampering with data
● These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach
Ransomware
● Get access to a target system or network (targeted or opportunistic)
● Encrypt files - 3 methods:
a. Read the file, create an encrypted version of the file, replace the original file with the encrypted one
b. Use raw disk access for encryption
c. Open the file, encrypt the contents and save the file (no file deletion or creation)
● Steal the files? Sometimes
● Drop a ransom note asking for payment in crypto or else!!!
● Get PAID!!! $$$ ฿฿฿ ₿₿₿
Garmin
● July 22 - 29, 2020
● GarminConnect, FlyGarmin, etc. all down
● Evil Corp using WastedLocker
https://techcrunch.com/2020/07/25/garmin-outage-ransomware-sources/
Evil Corp (1)
● SocGholish is delivered to the victim in a zipped file via compromised legitimate websites
● Zip file with malicious JavaScript, masquerading as a browser update
● A second JavaScript file profiles the computer and uses PowerShell to download additional discovery-related PowerShell scripts
● Once the attackers gain network access, they use Cobalt Strike commodity malware with living-off-the-land tools to steal credentials, escalate privileges, and move across the network to deploy WastedLocker on multiple computers
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
Evil Corp (2)
● PowerShell is used to download and execute a loader from a domain publicly reported as being used to deliver Cobalt Strike as part of WastedLocker attacks
● An injected payload, known as Cobalt Strike Beacon, is used to execute commands, inject other processes, elevate current processes or impersonate other processes, and upload and download files
● Privilege escalation is performed using a publicly documented technique involving the Software Licensing User Interface tool, a command line utility responsible for activating and updating the Windows operating system
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
Evil Corp (3)
● The attackers use the Windows Management Instrumentation Command Line Utility to execute commands on remote computers, such as adding a new user or executing additional downloaded PowerShell scripts
● The attackers launch a legitimate command line tool for managing Windows Defender to disable scanning of all downloaded files and attachments, remove all installed definitions, and, in some cases, disable real-time monitoring
● Windows Sysinternals tool PsExec is used to launch the WastedLocker ransomware, which then begins encrypting data and deleting shadow volumes
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
WastedLocker
https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/
ATT&CK Navigator
● No MITRE ATT&CK Mapping for Evil Corp or WastedLocker
● Manually extracted TTPs from Cyber Threat Intelligence
● Created MITRE ATT&CK Navigator Layer: https://github.com/scythe-io/community-threats/blob/master/EvilCorp/EvilCorp-WastedLocker_layer.json
Planning
● Goals and Objectives
● Red Team or Purple Team Exercise?
● Exercise Coordinator/Project Manager
● Assume Breach or Full End-to-End?
○ Initial Access takes time
○ Infinite ways in
● Rules of Engagement
○ Don’t encrypt and ransom real business data
○ Create new files, encrypt and/or exfiltrate
● Attack Infrastructure
Determine Tools to Use - C2 Matrix
● Google Sheet of C2s
● https://www.thec2matrix.com/
● Find ideal C2 for your needs
● SANS Slingshot C2 Matrix VM
● https://howto.thec2matrix.com
● Follow @C2_Matrix
Cobalt Strike
● https://cobaltstrike.com/
● https://attack.mitre.org/software/S0154/
● Older version was leaked and used by malicious actors:
○ APT19
○ APT29
○ APT32
○ APT41
○ Cobalt Group/Gang
○ CopyKittens
○ DarkHydrus
○ Leviathan
○ FIN6
SCYTHE
● Enterprise-Grade platform for Adversary Emulation
○ Creating custom, controlled, synthetic malware
○ Server can be deployed on-premises or your cloud
○ Multiple relays - Docker, Python, Windows MSI
● Emulate known threat actors against enterprise network and systems
○ Consistently execute adversary behaviors
○ Continually assess security controls
○ Decreased evaluation time of security technologies
○ Identify blind spots for blue teams
○ Force-multiplier for red team resources
○ Measure and improve response of people and process
Features & Capabilities
● Trivial installation
● Enterprise C2:
○ HTTP(S), DNS, Google Sheets, Twitter, Stego, SMB
● Automation
○ Build cross-platform synthetic malware via dashboard
○ Synthetic malware emulates chosen behaviors consistently
● Delivery methods
○ Web Page/Drive-by (T1189)
○ Phishing Link (T1192)
○ Phishing Attachment (T1193)
● Reports
○ HTML, CSV, Executive, and Technical Reports
○ ATT&CK Navigator Layer
○ MITRE ATT&CK Heat Map
● Integrations
○ VECTR - Tracking Red and Purple Team Exercises
○ PlexTrac - automated report writing and handling
○ Integrated with Splunk and all other SIEMs with syslog
○ Red Canary’s Atomic Red Team test cases
@JORGEORCHILLES
Emulating Ransomware?
● Is emulating ransomware even possible?
● Of course it is!
● The secret is to not encrypt or destroy
production data.
● Instead create new files before emulating
typical ransomware steps of encrypting,
exfiltrating, and obtaining a ransom note.
● This method ensures no data is ever at risk
of being encrypted, destroyed, or leaked.
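The safe-emulation approach above, together with file encryption methods (a) and (c) from the Ransomware slide, as an added example that is not SCYTHE's code or the talk's demo: a Python harness that creates its own synthetic files in an empty sandbox, encrypts them both ways, drops a ransom note, proves nothing outside the sandbox changed, and restores everything. The cipher (a toy SHA-256 keystream XOR), file names, note text and the "production" file are constructed stand-ins; method (b), raw disk access, has no safe equivalent and is deliberately not emulated. Requires Python 3.9+.

```python
# Safe ransomware-emulation harness (added example, not SCYTHE's or the talk's code).
# Only files this script creates inside an empty sandbox are ever encrypted.
import hashlib
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".emulated"            # constructed, not a real family's extension
RANSOM_NOTE = "README_RESTORE_FILES.txt"  # constructed note name
NOTE_TEXT = "PURPLE TEAM EXERCISE: synthetic note, only synthetic files were encrypted.\n"
FILE_COUNT = 5

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy cipher: XOR with a SHA-256 counter keystream; apply twice to restore."""
    out = bytearray(len(data))
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        for i, b in enumerate(data[off:off + 32]):
            out[off + i] = b ^ ks[i]
    return bytes(out)

def sha256_tree(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root (proves nothing else changed)."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def synthetic_content(i: int) -> bytes:
    return f"synthetic document {i}\n".encode() * 40

def create_synthetic_files(sandbox: Path) -> list:
    """Create the only files the emulation may touch; refuse a non-empty directory."""
    sandbox.mkdir(parents=True, exist_ok=True)
    if any(sandbox.iterdir()):
        raise RuntimeError(f"refusing to run in non-empty sandbox {sandbox}")
    paths = [sandbox / f"synthetic_{i}.docx" for i in range(FILE_COUNT)]
    for i, p in enumerate(paths):
        p.write_bytes(synthetic_content(i))
    return paths

def encrypt_method_a(path: Path, key: bytes) -> Path:
    """Method (a): read, write an encrypted copy, delete the original (create+delete events)."""
    enc = path.with_name(path.name + ENCRYPTED_SUFFIX)
    enc.write_bytes(keystream_xor(path.read_bytes(), key))
    path.unlink()
    return enc

def encrypt_method_c(path: Path, key: bytes) -> Path:
    """Method (c): overwrite contents in place (no create/delete events, same path)."""
    with open(path, "r+b") as fh:
        data = fh.read()
        fh.seek(0)
        fh.write(keystream_xor(data, key))
        fh.truncate()
    return path

def run_emulation(sandbox: Path, key: bytes) -> list:
    """Half of the synthetic files via method (a), the rest via (c), then the ransom note."""
    files = create_synthetic_files(sandbox)
    half = len(files) // 2
    encrypted = [encrypt_method_a(p, key) for p in files[:half]]
    encrypted += [encrypt_method_c(p, key) for p in files[half:]]
    (sandbox / RANSOM_NOTE).write_text(NOTE_TEXT)
    return encrypted

def restore(sandbox: Path, key: bytes) -> int:
    """Undo the exercise: every non-note file in the sandbox is one we encrypted."""
    restored = 0
    for p in sorted(sandbox.iterdir()):
        if p.name == RANSOM_NOTE:
            p.unlink()
            continue
        plain = p.with_name(p.name.removesuffix(ENCRYPTED_SUFFIX))
        plain.write_bytes(keystream_xor(p.read_bytes(), key))
        if plain != p:      # method (a) copy: remove it once the original is back
            p.unlink()
        restored += 1
    return restored

def demo_exercise(key: bytes = b"exercise-key") -> dict:
    """Throw-away run with one 'production' file beside the sandbox; returns the evidence."""
    with tempfile.TemporaryDirectory() as tmp:
        root, box = Path(tmp), Path(tmp) / "purple_sandbox"
        (root / "real_business_data.xlsx").write_bytes(b"must not be touched\n")
        before = sha256_tree(root)
        encrypted = run_emulation(box, key)
        after = sha256_tree(root)
        try:                # a second run must refuse the now non-empty sandbox
            run_emulation(box, key)
            refused = False
        except RuntimeError:
            refused = True
        report = {"encrypted": len(encrypted),
                  "in_place": sum(not p.name.endswith(ENCRYPTED_SUFFIX) for p in encrypted),
                  "outside_changed": [k for k in before if after.get(k) != before[k]],
                  "note_present": (box / RANSOM_NOTE).exists(),
                  "refused_rerun": refused}
        report["restored"] = restore(box, key)
        report["plaintext_ok"] = all((box / f"synthetic_{i}.docx").read_bytes()
                                     == synthetic_content(i) for i in range(FILE_COUNT))
        return report
```

Point the blue team's file-integrity and EDR telemetry at the sandbox during the run: method (a) shows up as create/delete pairs, method (c) only as content changes to existing files.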
DEMO
Defending against Ransomware
● Traditionally the big focus has been on initial access
● With the more sophisticated and recent attacks, we are seeing many more tactics than just Initial Access and Impact
● https://www.scythe.io/library/threatthursday-ransomware
● https://us-cert.cisa.gov/ncas/tips/ST19-001
● https://medium.com/swlh/detecting-and-responding-to-ransomware-attacks-by-using-free-tools-1873c8510a9e
● https://medium.com/@mergene/defeating-ransomware-by-using-sysmon-and-powershell-b671920f3bb1
Advice from a leaked chat
https://twitter.com/jc_stubbs/status/1289199296328298497
MOAR Ransomware
● Shadow Intelligence: https://shadowintelligence.io/home
● JCry: https://attack.mitre.org/software/S0389/
● LockerGoga: https://attack.mitre.org/software/S0372/
● Maze: https://attack.mitre.org/software/S0449/
● Netwalker: https://attack.mitre.org/software/S0457/
● RobbinHood: https://attack.mitre.org/software/S0400/
● Ryuk: https://attack.mitre.org/software/S0446/
● SamSam: https://attack.mitre.org/software/S0370/
● SynAck: https://attack.mitre.org/software/S0242/
● WannaCry: https://attack.mitre.org/software/S0366/
● Xbash: https://attack.mitre.org/software/S0341/
#ThreatThursday
● Choose an adversary every week
○ Introduce Adversary
○ Consume CTI and map to MITRE ATT&CK w/Navigator Layer
○ Create Adversary Emulation Plan
○ Share the plan on SCYTHE Community Threat Github: https://github.com/scythe-io/community-threats/
○ Emulate Adversary with video
○ How to defend against adversary
● All free for the community: https://www.scythe.io/threatthursday
Save the Date!!!
SCYTHE Custom Modules & Marketplace
● SCYTHE SDK - https://github.com/scythe-io/sdk
○ Write custom modules in Python or Native code
○ In-memory loading techniques (YES! A Python Runtime)
● Marketplace - https://www.scythe.io/marketplace
○ Ecosystem of third party contributors
○ Create custom modules, share, and/or sell
○ Request custom modules - TTP Bounty
Architecture
References
● Definitions: https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
● Purple Team Exercise Framework: https://www.scythe.io/ptef
● #ThreatThursday: https://www.scythe.io/threatthursday
● Cyber Threat Intelligence for Evil Corp and WastedLocker:
○ https://techcrunch.com/2020/07/25/garmin-outage-ransomware-sources/
○ https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
○ https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
○ https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/
● C2 Matrix: https://thec2matrix.com https://howto.thec2matrix.com
● SCYTHE emulation plans: https://github.com/scythe-io/community-threats/
Thank you!
Questions?
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 

Recently uploaded (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 

DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLocker

@JORGEORCHILLES
Internal vs. External Teams
Internal Red Teams
● Repeated engagements
○ Remediation retesting
● Use privileged/insider knowledge
● Sparring partner
External Red Teams
● Offers new perspective
○ May have other industry experience
● “Snapshot” engagements
7

@JORGEORCHILLES
Purple Team Exercises
● Virtual, functional team where teams work together to measure and improve defensive security posture
○ CTI provides a threat actor with the capability, intent, and opportunity to attack
○ Red Team creates the adversary emulation plan
○ Tabletop discussion with defenders about the attacker tactics, techniques, and procedures (TTPs) and expected defenses
○ Emulation of each adversary behavior (TTP)
○ Blue Team looks for indicators of behavior
○ Red and Blue work together to create a remediation action plan
● Repeat exercises to measure and improve people, process, and technology
9

@JORGEORCHILLES
Framework & Methodology
● Purple Team Exercise Framework (PTEF)
● Cyber Kill Chain – Lockheed Martin
● Unified Cyber Kill Chain – Paul Pols
● Financial/Regulatory Frameworks
○ CBEST Intelligence Led Testing
○ Threat Intelligence-Based Ethical Red Teaming
○ Red Team: Adversarial Attack Simulation Exercises
○ Intelligence-led Cyber Attack Simulation Testing
○ A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry
● Testing Framework:
11

@JORGEORCHILLES
IMPACT
https://attack.mitre.org/tactics/TA0040/
● The adversary is trying to manipulate, interrupt, or destroy your systems and data - MITRE ATT&CK
● Disrupt availability
● Compromise integrity by manipulating business and operational processes
● Destroying or tampering with data
● These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach
13

@JORGEORCHILLES
Ransomware
● Get access to a target system or network (targeted or opportunistic)
● Encrypt files - 3 methods:
a. Read the file, create an encrypted version of the file, replace the original file with the encrypted one
b. Use raw disk access for encryption
c. Open the file, encrypt the contents and save the file (no file deletion or creation)
● Steal the files? Sometimes
● Download a ransom note asking for payment in crypto or else!!!
● Get PAID!!! $$$ ฿฿฿ ₿₿₿
14

@JORGEORCHILLES
Garmin
● July 22 - 29, 2020
● GarminConnect, FlyGarmin, etc. all down
● Evil Corp using WastedLocker
https://techcrunch.com/2020/07/25/garmin-outage-ransomware-sources/
15

@JORGEORCHILLES
Evil Corp (1)
● SocGholish is delivered to the victim in a zipped file via compromised legitimate websites
● Zip file with malicious JavaScript, masquerading as a browser update
● A second JavaScript file profiles the computer and uses PowerShell to download additional discovery-related PowerShell scripts
● Once the attackers gain network access, they use Cobalt Strike commodity malware with living-off-the-land tools to steal credentials, escalate privileges, and move across the network to deploy WastedLocker on multiple computers
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
16

@JORGEORCHILLES
Evil Corp (2)
● PowerShell is used to download and execute a loader from a domain publicly reported as being used to deliver Cobalt Strike as part of WastedLocker attacks
● An injected payload, known as Cobalt Strike Beacon, is used to execute commands, inject other processes, elevate current processes or impersonate other processes, and upload and download files
● Privilege escalation is performed using a publicly documented technique involving the Software Licensing User Interface tool, a command line utility responsible for activating and updating the Windows operating system
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
17

@JORGEORCHILLES
Evil Corp (3)
● The attackers use the Windows Management Instrumentation Command Line Utility to execute commands on remote computers, such as adding a new user or executing additional downloaded PowerShell scripts
● The attackers launch a legitimate command line tool for managing Windows Defender to disable scanning of all downloaded files and attachments, remove all installed definitions, and, in some cases, disable real-time monitoring
● Windows Sysinternals tool PsExec is used to launch the WastedLocker ransomware, which then begins encrypting data and deleting shadow volumes
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
18
@JORGEORCHILLES
ATT&CK Navigator
● No MITRE ATT&CK Mapping for Evil Corp or WastedLocker
● Manually extracted TTPs from Cyber Threat Intelligence
● Created MITRE ATT&CK Navigator Layer: https://github.com/scythe-io/community-threats/blob/master/EvilCorp/EvilCorp-WastedLocker_layer.json
20

@JORGEORCHILLES
Planning
● Goals and Objectives
● Red Team or Purple Team Exercise?
● Exercise Coordinator/Project Manager
● Assume Breach or Full End-to-End?
○ Initial Access takes time
○ Infinite ways in
● Rules of Engagement
○ Don’t encrypt and ransom real business data
○ Create new files, encrypt and/or exfiltrate
● Attack Infrastructure
21

@JORGEORCHILLES
Determine Tools to Use - C2 Matrix
● Google Sheet of C2s
● https://www.thec2matrix.com/
● Find ideal C2 for your needs
● SANS Slingshot C2 Matrix VM
● https://howto.thec2matrix.com
● Follow @C2_Matrix
22

@JORGEORCHILLES
Cobalt Strike
● https://cobaltstrike.com/
● https://attack.mitre.org/software/S0154/
● Older version was leaked and used by malicious actors:
○ APT19
○ APT29
○ APT32
○ APT41
○ Cobalt Group/Gang
○ CopyKittens
○ DarkHydrus
○ Leviathan
○ FIN6
23

@JORGEORCHILLES
SCYTHE
● Enterprise-Grade platform for Adversary Emulation
○ Creating custom, controlled, synthetic malware
○ Server can be deployed on-premises or in your cloud
○ Multiple relays - Docker, Python, Windows MSI
● Emulate known threat actors against enterprise network and systems
○ Consistently execute adversary behaviors
○ Continually assess security controls
○ Decreased evaluation time of security technologies
○ Identify blind spots for blue teams
○ Force-multiplier for red team resources
○ Measure and improve response of people and process
24

@JORGEORCHILLES
Features & Capabilities
● Trivial installation
● Enterprise C2:
○ HTTP(S), DNS, Google Sheets, Twitter, Stego, SMB
● Automation
○ Build cross-platform synthetic malware via dashboard
○ Synthetic malware emulates chosen behaviors consistently
● Delivery methods
○ Web Page/Drive-by (T1189)
○ Phishing Link (T1192)
○ Phishing Attachment (T1193)
● Reports
○ HTML, CSV, Executive, and Technical Reports
○ ATT&CK Navigator Layer
○ MITRE ATT&CK Heat Map
● Integrations
○ VECTR - Tracking Red and Purple Team Exercises
○ PlexTrac - automated report writing and handling
○ Integrated with Splunk and all other SIEMs with syslog
○ Red Canary’s Atomic Red Team test cases
25

@JORGEORCHILLES
Emulating Ransomware?
● Is emulating ransomware even possible?
● Of course it is!
● The secret is to not encrypt or destroy production data.
● Instead, create new files before emulating the typical ransomware steps of encrypting, exfiltrating, and obtaining a ransom note.
● This method ensures no data is ever at risk of being encrypted, destroyed, or leaked.
26
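The rule of engagement on slides 21 and 26 (create new files, never touch production data) is easy to state and easy to break by accident. The script below is an added example, not SCYTHE's or the presenter's code, that shows how an emulation plan can enforce it: it generates synthetic files, refuses any path that resolves outside the sandbox, emulates method (c) from slide 14 (open, transform contents, save in place) on the synthetic files only, drops a clearly fake ransom note, and proves with hashes that a "protected" directory was not modified. The XOR keystream is a stand-in for whatever the real plan uses, and both directories are temp dirs created here; those are assumptions.

```python
"""Safe ransomware-impact emulation scoped to synthetic data (added example).

Assumptions not taken from the deck: sandbox and "protected" directories are
temp dirs created by this script, and the file transform is a reversible XOR
stand-in rather than the cipher an actual emulation plan would use.
"""
import hashlib
import secrets
import shutil
import tempfile
from pathlib import Path

MARKER = "SYNTHETIC PURPLE TEAM FILE"  # constructed content, easy to spot in telemetry


def sha256_tree(root: Path) -> dict:
    """Hash every file under root so we can prove nothing changed."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_synthetic_files(sandbox: Path, count: int = 5) -> list:
    """Step 1 of the safe approach: create new files; never touch production data."""
    sandbox.mkdir(parents=True, exist_ok=True)
    paths = []
    for i in range(count):
        p = sandbox / f"synthetic_{i:02d}.docx"
        p.write_text(f"{MARKER} {i}\n" * 20)
        paths.append(p)
    return paths


def is_within(sandbox: Path, target: Path) -> bool:
    """Rule-of-engagement check: resolve symlinks and '..' before comparing."""
    try:
        target.resolve(strict=True).relative_to(sandbox.resolve(strict=True))
        return True
    except (ValueError, OSError):  # not relative, or path does not exist
        return False


def emulate_impact(sandbox: Path, targets: list) -> dict:
    """Step 2: open, transform, save in place (slide 14 method c) on synthetic
    files only. Out-of-scope paths are refused and recorded, never touched."""
    key = secrets.token_bytes(32)
    report = {"transformed": [], "refused": []}
    for t in targets:
        if not is_within(sandbox, t):
            report["refused"].append(str(t))
            continue
        data = t.read_bytes()
        t.write_bytes(bytes(b ^ key[i % len(key)] for i, b in enumerate(data)))
        report["transformed"].append(str(t))
    # Step 3: the ransom note lands in the sandbox, not on a user's desktop
    note = sandbox / "RANSOM_NOTE.txt"
    note.write_text("PURPLE TEAM EXERCISE - synthetic note, no real data was encrypted\n")
    report["note"] = str(note)
    return report


def run_exercise() -> dict:
    """Run against temp dirs, verify the protected tree is byte-identical, clean up."""
    base = Path(tempfile.mkdtemp(prefix="ransomware-emulation-"))
    protected = base / "protected"
    protected.mkdir()
    (protected / "real_data.txt").write_text("production-looking data that must never change\n")
    sandbox = base / "sandbox"
    files = create_synthetic_files(sandbox)
    before = sha256_tree(protected)
    # Deliberately include an out-of-scope path to show it gets refused
    report = emulate_impact(sandbox, files + [protected / "real_data.txt"])
    report["protected_unchanged"] = sha256_tree(protected) == before
    report["synthetic_altered"] = all(MARKER.encode() not in p.read_bytes() for p in files)
    shutil.rmtree(base)  # leave nothing behind once the evidence is collected
    return report


if __name__ == "__main__":
    print(run_exercise())
```

The refusal path is the important part: the check resolves symlinks before comparing, so a link inside the sandbox that points at real data is rejected rather than followed, and the before/after hash comparison turns "we did not touch production data" into evidence the Blue Team can keep with the exercise report.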
@JORGEORCHILLES
Defending against Ransomware
● Traditionally the big focus has been on initial access
● With the more sophisticated and recent attacks, we are seeing many more tactics than just Initial Access and Impact
● https://www.scythe.io/library/threatthursday-ransomware
● https://us-cert.cisa.gov/ncas/tips/ST19-001
● https://medium.com/swlh/detecting-and-responding-to-ransomware-attacks-by-using-free-tools-1873c8510a9e
● https://medium.com/@mergene/defeating-ransomware-by-using-sysmon-and-powershell-b671920f3bb1
28
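The point of slide 28 is that the intrusions on slides 16 to 18 expose several tactics between initial access and the final encryption, and each of them is a detection opportunity. The script below is an added example, not code from the deck or from SCYTHE, that runs simple process-creation rules for those behaviours (PowerShell download cradle, WMIC remote execution, Defender tampering, PsExec, shadow copy deletion) over log lines and escalates when several distinct techniques appear together. The log lines are constructed, shaped like Sysmon Event ID 1 records; the field names and the ATT&CK technique mapping are the editor's assumptions, not the presenter's Navigator layer.

```python
"""Detection rules for the Evil Corp / WastedLocker behaviours on slides 16-18.

Added example. Sample events are constructed (not real telemetry) in a
key=value form resembling Sysmon Event ID 1; field names and the ATT&CK
technique ids are this example's assumptions, adapt them to your SIEM.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str        # MITRE ATT&CK technique id (editor's mapping)
    pattern: re.Pattern


RULES = (
    Rule("PowerShell download cradle", "T1059.001",
         re.compile(r"powershell.*\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b", re.I)),
    Rule("Remote command execution via WMIC", "T1047",
         re.compile(r"\bwmic(\.exe)?\b.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    Rule("Defender definitions removed or protection disabled", "T1562.001",
         re.compile(r"\bMpCmdRun(\.exe)?\b.*-RemoveDefinitions\b|\bSet-MpPreference\b.*-Disable\w+", re.I)),
    Rule("PsExec service-based remote execution", "T1569.002",
         re.compile(r"\bpsexe(c|svc)(64)?(\.exe)?\b", re.I)),
    Rule("Volume shadow copy deletion", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
)

# key=value or key="quoted value" pairs, one event per line
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Turn a key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def detect(lines) -> list:
    """Run every rule over each event's CommandLine (falling back to Image)."""
    hits = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        text = ev.get("CommandLine") or ev.get("Image", "")
        for rule in RULES:
            if rule.pattern.search(text):
                hits.append({"line": idx, "rule": rule.name, "technique": rule.technique,
                             "image": ev.get("Image", ""), "parent": ev.get("ParentImage", "")})
    return hits


def assess(hits, threshold: int = 3) -> dict:
    """Slide 28's point: a ransomware intrusion shows many tactics, not just Initial
    Access and Impact, so escalate when several distinct techniques co-occur."""
    techniques = sorted({h["technique"] for h in hits})
    return {"distinct_techniques": techniques, "escalate": len(techniques) >= threshold}


# Constructed sample events following the slide 16-18 chain, plus two benign lines
SAMPLE_LOGS = [
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString($u)" ParentImage=C:\Windows\System32\wscript.exe',
    r'EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic.exe /node:FILESRV01 process call create powershell.exe -ep bypass -f C:\Temp\discovery.ps1" ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=1 Image="C:\Program Files\Windows Defender\MpCmdRun.exe" CommandLine="MpCmdRun.exe -RemoveDefinitions -All" ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=1 Image=C:\Windows\Temp\psexec.exe CommandLine="psexec.exe \\FILESRV01 -accepteula -s -d C:\Windows\Temp\payload.exe" ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\Windows\Temp\payload.exe',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt" ParentImage=C:\Windows\explorer.exe',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe list shadows" ParentImage=C:\Windows\System32\cmd.exe',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for h in found:
        print(f"line {h['line']}: {h['technique']} {h['rule']} (parent {h['parent']})")
    print(assess(found))
```

The benign `vssadmin list shadows` line is there on purpose: a rule that keys on `vssadmin` alone pages the on-call for every backup job, while the `delete ... shadows` form matches the behaviour the slide actually describes. The correlation in `assess` is what turns five medium-severity alerts into one incident, which is the lesson of "more tactics than just Initial Access and Impact".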
@JORGEORCHILLES
Advice from a leaked chat
https://twitter.com/jc_stubbs/status/1289199296328298497
29

@JORGEORCHILLES
MOAR Ransomware
● Shadow Intelligence: https://shadowintelligence.io/home
● JCry: https://attack.mitre.org/software/S0389/
● LockerGoga: https://attack.mitre.org/software/S0372/
● Maze: https://attack.mitre.org/software/S0449/
● Netwalker: https://attack.mitre.org/software/S0457/
● RobbinHood: https://attack.mitre.org/software/S0400/
● Ryuk: https://attack.mitre.org/software/S0446/
● SamSam: https://attack.mitre.org/software/S0370/
● SynAck: https://attack.mitre.org/software/S0242/
● WannaCry: https://attack.mitre.org/software/S0366/
● Xbash: https://attack.mitre.org/software/S0341/
30

@JORGEORCHILLES
#ThreatThursday
● Choose an adversary every week
○ Introduce the adversary
○ Consume CTI and map it to MITRE ATT&CK with a Navigator Layer
○ Create the Adversary Emulation Plan
○ Share the plan on the SCYTHE Community Threats GitHub: https://github.com/scythe-io/community-threats/
○ Emulate the adversary, with video
○ How to defend against the adversary
● All free for the community: https://www.scythe.io/threatthursday
31

@JORGEORCHILLES
SCYTHE Custom Modules & Marketplace
● SCYTHE SDK - https://github.com/scythe-io/sdk
○ Write custom modules in Python or native code
○ In-memory loading techniques (YES! A Python Runtime)
● Marketplace - https://www.scythe.io/marketplace
○ Ecosystem of third party contributors
○ Create custom modules, share, and/or sell
○ Request custom modules - TTP Bounty
33

@JORGEORCHILLES
References
● Definitions: https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
● Purple Team Exercise Framework: https://www.scythe.io/ptef
● #ThreatThursday: https://www.scythe.io/threatthursday
● Cyber Threat Intelligence for Evil Corp and WastedLocker:
○ https://techcrunch.com/2020/07/25/garmin-outage-ransomware-sources/
○ https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
○ https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
○ https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/
● C2 Matrix: https://thec2matrix.com and https://howto.thec2matrix.com
● SCYTHE emulation plans: https://github.com/scythe-io/community-threats/
35