Using IOCs to Design and Control Threat
Activities During a Red Team Engagement
(Red Teaming)
(Threat Emulation)
(Adversarial Assessment)
Joe Vest - @joevest
Controlling Threat Activities in a Red Team Engagement
Introduction to Red Teaming
Define Red Teaming and Red Teaming concepts
Why Red Team?
Compare and contrast to other security testing types
IOC Role In Red Teaming
Red Team Training
Background
Co-founder of MINIS (recently merged with SpecterOps)
17+ years IT
10+ years InfoSec
Red Teamer – Threat Emulator
Author of SANS SEC564 Red Team Operations and Threat
Emulation
Some letters behind my name.
OSCP, GMOB, GCFA, GWAPT, GPEN, GCIH, CISSP, CISA, others…
Definitions
Blue Team
Security team that defends against threats
Command and Control / C2
Command and Control (C2) is the influence an attacker has
over a compromised computer system they control.
Exfiltration
Exfiltration is the extraction of information from a target.
This is typically through a covert channel.
IOC (Indicator of Compromise)
Indicators of Compromise (IOC) are artifacts that identify or
describe threat actions.
OPFOR
Opposing Force or enemy force typically used by the military
in war gaming scenarios. Red Teams are commonly
associated with or support OPFOR in war gaming scenarios.
Operational Impact
An operational impact is the effect of a goal driven action
within a target environment.
Red Team
A Red Team is an independent group that challenges an
organization to improve its effectiveness.
ROE (Rules of Engagement)
The Rules of Engagement establish the responsibility, relationship, and
guidelines between the Red Team, the customer, the system owner, and any
stakeholders required for engagement execution.
Threat
Threat is an expression of intention to inflict evil, injury, or
damage.
Threat Emulation
Threat Emulation is the process of mimicking the TTPs of a
specific threat.
Tradecraft
The techniques and procedures of espionage. Tradecraft is
typically associated with the intelligence community. TTPs and
Tradecraft are used interchangeably in this course.
TTPs
TTPs are Tactics, Techniques and Procedures (sometimes called
tools, techniques, and procedures)
Red Teaming Definition
Red Teaming … is the process of using tactics, techniques, and procedures (TTPs) to emulate a real-world threat with the goals of training and measuring the effectiveness of people, processes, and technology used to defend an environment.
Red Team … an independent group that challenges an organization to improve its effectiveness.
Why Red Team?
Isn’t identification and mitigation of vulnerabilities enough?
Why Red Team?
Red Teaming…
measures the effectiveness of the people, processes, and
technology used to defend a network
trains and/or measures Blue Teams
can test and understand specific threats or threat scenarios
"We don't rise to the level of our expectations, we fall to the level of our
training.", Archilochus, Greek Poet around 650BC
Red Teaming VS Other Security Tests
[Diagram: Vulnerability Assessment, Penetration Testing and Red Teaming placed along a Breadth-to-Depth axis]
Red Teaming VS Vulnerability Assessment
Think About This: A red team (threat) rarely uses vulnerability scanning tools during an engagement
Vulnerability Assessment:
Goal: Generate list of prioritized vulnerabilities
Focus: Identification of vulnerabilities
Tools: Typically automated
Risk Identification: Individual systems vs organizational
Skill: Novice to Mid-Level
Red Teaming VS Penetration Testing
According to the SANS Top 20 Critical Controls a penetration test is defined by the
following: Penetration testing involves modeling the techniques used by real-
world computer attackers to find vulnerabilities and, under controlled
circumstances, to exploit those flaws in a professional, safe manner according to
a carefully designed scope and rules of engagement to determine business risk
and potential impact all with the goal of helping the organization improve
security practices.
TLDR…
Penetration Testing is an attack against a system designed to identify and
measure risks associated with exploitation of a target’s attack surface.
Red Teaming is the process of using TTPs to emulate a threat with the
goals of training/measuring security operations (Blue Team)
PDRR Observation and Measurement Coverage
[Chart: coverage of the PDRR phases (Protect, Detect, Respond, Restore) by each test type]
Vulnerability Assessment
• Reduce Attack Surface
Penetration Test
• Good Security Hygiene
Red Team Engagement
• Measure Security Operations as a whole
• Train and engage Blue Teams
Red Teaming Take Away
Vulnerabilities and exploits may be used, but only as a means to an end. Focus on goals.
Organizational and operational impacts can be extremely valuable (examples):
• Measure the ability a threat has to laterally move throughout a network
• Measure the ability a threat has to escalate privileges
• Measure the ability a threat has to exfiltrate sensitive data
• Can a threat degrade, disrupt, deny, or destroy operations?
Training is key. Blue teams must practice before facing a real threat.
BOTTOM LINE: RED TEAMING IS NOT ABOUT VULNERABILITIES AND EXPLOITATION, BUT A FOCUS ON OPERATIONAL GOALS
Adversarial Tactics, Techniques, and Common
Knowledge (ATT&CK™)
Framework, knowledge base, and model for cyber adversary
behavior
Focused on threat TTPs and Tradecraft vs exploits and vulnerabilities
https://attack.mitre.org/wiki/Main_Page
Threat Hunter Playbook
https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
https://cyberwardog.blogspot.com/
MITRE ATT&CK Examples
Excerpt of the matrix, techniques listed per tactic column:
Persistence: .bash_profile and .bashrc, Accessibility Features, AppInit DLLs, Application Shimming, Authentication Package, Bootkit, Change Default File Association
Privilege Escalation: Access Token Manipulation, Accessibility Features, AppInit DLLs, Application Shimming, Bypass User Account Control, DLL Injection, DLL Search Order Hijacking
Defense Evasion: Access Token Manipulation, Binary Padding, Bypass User Account Control, Clear Command History, Code Signing, Component Firmware, Component Object Model Hijacking
Credential Access: Account Manipulation, Bash History, Brute Force, Create Account, Credential Dumping, Credentials in Files, Exploitation of Vulnerability
Discovery: Account Discovery, Application Window Discovery, File and Directory Discovery, Network Service Scanning, Network Share Discovery, Peripheral Device Discovery, Permission Groups Discovery
Lateral Movement: AppleScript, Application Deployment Software, Exploitation of Vulnerability, Logon Scripts, Pass the Hash, Pass the Ticket, Remote Desktop Protocol
Execution: AppleScript, Application Shimming, Command-Line Interface, Execution through API, Execution through Module Load, Graphical User Interface, InstallUtil
Collection: Audio Capture, Automated Collection, Clipboard Data, Data Staged, Data from Local System, Data from Network Shared Drive, Data from Removable Media
Exfiltration: Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium
Command and Control: Commonly Used Port, Communication Through Removable Media, Connection Proxy, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Data Obfuscation
IOC Usage and Role in a Red Team Engagement
IOCs are a means to describe/control a threat actor
A Threat will …
Get In (exploit)
Stay In (C2, Persistence, Lateral Movement)
Act (operational impact)
Each phase has a variety of opportunities to engage defenders, allowing Blue TTPs to be practiced and tuned.
Today’s Focus
Example: Command and Control
[Diagram: C2 Server and Target; the target runs an HTTP/80 agent (standard user) and an SMB agent (SYSTEM)]
Threat Profile
Description: General mid-tiered threat that uses common offensive tools and techniques
Goal and Intent: Exist in the network to enumerate systems and information in order to maintain command and control to support future attacks, and to determine if and when a Blue Team can detect and identify the threat’s IOCs
Key IOCs:
• Cobalt Strike HTTP beacon on TCP 80
• Cobalt Strike SMB beacon on TCP 445
C2 Overview: HTTP on port 80, Cobalt Strike Beacon with a 1-minute callback time, calling directly to threat-owned domains
TTPs (Enumeration, Delivery, Lateral Movement, Privilege Escalation, etc.): Assumed breach model, no initial delivery via exploitation. Post-exploitation via Cobalt Strike commands. Enumeration and lateral movement via Cobalt Strike and native Windows commands. Privilege escalation limited and determined post-exploitation.
Exploitation: Assumed breach model, no exploitation.
Persistence:
• User-level persistence using explorer.exe DLL hijack (linkinfo.dll)
• WMI event persistence (msupdate.exe)
Disk IOC Overview
IOCs (HTTP Beacon payload)
• HTTP traffic over TCP port 80 beacons every 60 seconds with a 20% jitter (drift)
• Payload: linkinfo.dll
• Location: c:\Windows\linkinfo.dll
• Timestamp: 07/13/2009 06:31 PM
• Size: 288,768
• MD5: 4a247a94bd215f081c04ef235d158ce1
• Metadata:
  • Company: Microsoft Corporation
  • Description: Windows Volume Tracking
  • Product: Microsoft® Windows® Operating System
  • Prod version: 6.1.7600.16385
  • File version: 6.1.7600.16385 (win7_rtm.090713-1255)
IOCs (SMB Beacon payload)
• SMB beacon using on-demand access
• Payload: msupdate.exe
• Location: c:\Windows\msupdate.exe
• Timestamp: 07/13/2009 06:31 PM
• Size: 290,816
• MD5: 81401996518d462fba52a345b63ef918
• Metadata:
  • Company: Microsoft Corporation
  • Description: Host Process for Windows Services
  • Product: Microsoft® Windows® Operating System
  • Prod version: 6.1.7600.16385
  • File version: 6.1.7600.16385 (win7_rtm.090713-1255)
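Added example (editor's code, not from the slides): a check that the artifacts planted on a host match the designed disk IOCs above, so that the Blue Team is measured against exactly the IOCs the profile promised. Sizes, MD5s and the timestamp are the values from the slide; paths are the slide's paths. The demo writes constructed stand-in files to a temporary directory, so by construction their MD5s differ from the designed ones and the report shows what a mismatch looks like. Worth noticing on the slide itself: the designed timestamp (07/13/2009) is the build date embedded in the version string (win7_rtm.090713-1255), i.e. both payloads are dressed as Windows 7 RTM system files; this check compares only what it can compute without a PE parser (size, hash, modification time).

```python
import hashlib
import os
import tempfile
from datetime import datetime

# Designed disk IOCs from the threat profile (values as shown on the slide).
DESIGNED_IOCS = [
    {"name": "linkinfo.dll", "path": r"c:\Windows\linkinfo.dll", "size": 288768,
     "md5": "4a247a94bd215f081c04ef235d158ce1", "mtime": "2009-07-13 18:31"},
    {"name": "msupdate.exe", "path": r"c:\Windows\msupdate.exe", "size": 290816,
     "md5": "81401996518d462fba52a345b63ef918", "mtime": "2009-07-13 18:31"},
]


def observe(path):
    """Size, MD5 and local modification time (to the minute) of a file on disk."""
    st = os.stat(path)
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "md5": h.hexdigest(),
            "mtime": datetime.fromtimestamp(st.st_mtime).strftime("%Y-%m-%d %H:%M")}


def verify(ioc, path=None):
    """Return the attributes that differ from the design; [] means the artifact matches.
    `path` overrides ioc["path"] so the check can run against a copy or a lab host."""
    target = path or ioc["path"]
    if not os.path.isfile(target):
        return ["missing"]
    observed = observe(target)
    return [f"{k}: designed {ioc[k]}, observed {observed[k]}"
            for k in ("size", "md5", "mtime") if observed[k] != ioc[k]]


def verify_all(iocs, path_map=None):
    """Check every designed artifact; path_map (name -> actual path) redirects the lookup."""
    path_map = path_map or {}
    return {ioc["name"]: verify(ioc, path_map.get(ioc["name"])) for ioc in iocs}


def demo():
    """Constructed stand-in files (not the real payloads): correct size and timestamp but
    zero-filled content, so the report should flag only the MD5 of each artifact."""
    design_time = datetime.strptime("2009-07-13 18:31", "%Y-%m-%d %H:%M").timestamp()
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for ioc in DESIGNED_IOCS:
            p = os.path.join(tmp, ioc["name"])
            with open(p, "wb") as f:
                f.write(b"\x00" * ioc["size"])
            os.utime(p, (design_time, design_time))   # timestomp to the designed value
            paths[ioc["name"]] = p
        return verify_all(DESIGNED_IOCS, paths)


if __name__ == "__main__":
    for name, diffs in demo().items():
        print(name, "OK" if not diffs else diffs)
```

Run on the real target, `verify_all(DESIGNED_IOCS)` with no path map uses the slide's paths; an empty list per artifact means the planted file is byte-for-byte what the profile describes.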
HTTP Beacon Network IOC Overview
HTTP IOC (GET)
GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=T2Yw28y-t_hTdfBSImdzQw HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: download.windowsupdate.com
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: application/octet-stream
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Connection: close
Content-Length: 64

[64 bytes of binary response body]

HTTP IOC (POST)
POST /v11/2/windowsupdate/selfupdate/WSUS3/NzIxMg HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*
Content-Type: application/x-www-form-url-encoded
Host: download.windowsupdate.com
Content-Length: 29
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

status=iVtM41G4gRnsNKaocUaOTw

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: application/octet-stream
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Connection: close
Content-Length: 0
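Added example (editor's code, not from the slides): detection logic a Blue Team could run over web-proxy logs to find the beacon designed above. It uses three of the page's network IOCs: the 60-second callback with 20% jitter, the Host header download.windowsupdate.com sent to a threat-owned server rather than to Microsoft, and the URI path plus Trident/7.0 User-Agent of the captured requests. Assumptions, none of them on the page: the log format (epoch, source, destination, method, Host, quoted URI, quoted User-Agent), the RFC 5737 address that download.windowsupdate.com is taken to resolve to legitimately, and the sample log itself, which is constructed (one beacon flow, one real Windows Update client, one intranet page polled every 5 seconds).

```python
import re
from collections import defaultdict
from statistics import mean

# Designed network IOCs, taken from the threat profile on this page.
SLEEP_SECONDS = 60          # 1-minute callback
JITTER = 0.20               # 20% jitter
HOST_IOC = "download.windowsupdate.com"
URI_IOC = "/windowsupdate/selfupdate/WSUS3/"
UA_IOC = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"

# Assumption: where the spoofed Host header legitimately resolves (RFC 5737 documentation
# address). In production take this from passive DNS or the proxy's own resolution log.
LEGIT_HOST_IPS = {HOST_IOC: {"198.51.100.10"}}

# Assumed proxy log format: epoch src dst method host "uri" "user-agent"
LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$')


def parse(lines):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, method, host, uri, ua = m.groups()
        events.append({"ts": int(ts), "src": src, "dst": dst, "method": method,
                       "host": host, "uri": uri, "ua": ua})
    return events


def periodic(deltas, sleep=SLEEP_SECONDS, jitter=JITTER, min_intervals=5, ratio=0.8):
    """True when at least `ratio` of the inter-arrival gaps fall inside the jitter window.
    Cobalt Strike's jitter only subtracts from the sleep, so a 60 s / 20% beacon calls back
    every 48-60 s; the window is kept symmetric (48-72 s) to also catch tools that drift late."""
    if len(deltas) < min_intervals:
        return False
    lo, hi = sleep * (1 - jitter), sleep * (1 + jitter)
    hits = sum(1 for d in deltas if lo <= d <= hi)
    return hits / len(deltas) >= ratio


def find_beacons(lines):
    """Group events per (src, dst, Host) flow and return the flows matching the profiled beacon."""
    by_flow = defaultdict(list)
    for e in parse(lines):
        by_flow[(e["src"], e["dst"], e["host"])].append(e)

    findings = []
    for (src, dst, host), evs in by_flow.items():
        evs.sort(key=lambda e: e["ts"])
        deltas = [b["ts"] - a["ts"] for a, b in zip(evs, evs[1:])]
        reasons = []
        if periodic(deltas):
            reasons.append(f"periodic callbacks: {len(deltas)} gaps, mean {mean(deltas):.1f}s")
        # The profile spoofs a Microsoft Host header while talking to a threat-owned server:
        # a Host that does not belong to the destination is the cheapest network IOC here.
        if host in LEGIT_HOST_IPS and dst not in LEGIT_HOST_IPS[host]:
            reasons.append(f"Host {host} does not resolve to destination {dst}")
        if any(URI_IOC in e["uri"] for e in evs) and any(e["ua"] == UA_IOC for e in evs):
            reasons.append("URI path and User-Agent match the designed profile")
        if reasons:
            findings.append({"src": src, "dst": dst, "host": host,
                             "events": len(evs), "reasons": reasons})
    return findings


# Constructed sample log: one Beacon flow (gaps 60/52/49/58/60/55 s) to a threat-owned
# server, one real Windows Update client, one intranet page polled every 5 s.
BEACON_GET = '"/v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=T2Yw28y-t_hTdfBSImdzQw" "%s"' % UA_IOC
BEACON_POST = '"/v11/2/windowsupdate/selfupdate/WSUS3/NzIxMg" "%s"' % UA_IOC
WU_LINE = '"/msdownload/update/software/updt/2017/09/example-x64.cab" "Windows-Update-Agent"'
SAMPLE_LOG = [
    f"1500000000 10.0.0.15 203.0.113.7 GET {HOST_IOC} {BEACON_GET}",
    f"1500000060 10.0.0.15 203.0.113.7 GET {HOST_IOC} {BEACON_GET}",
    f"1500000112 10.0.0.15 203.0.113.7 POST {HOST_IOC} {BEACON_POST}",
    f"1500000161 10.0.0.15 203.0.113.7 GET {HOST_IOC} {BEACON_GET}",
    f"1500000219 10.0.0.15 203.0.113.7 GET {HOST_IOC} {BEACON_GET}",
    f"1500000279 10.0.0.15 203.0.113.7 POST {HOST_IOC} {BEACON_POST}",
    f"1500000334 10.0.0.15 203.0.113.7 GET {HOST_IOC} {BEACON_GET}",
    f"1500000005 10.0.0.22 198.51.100.10 GET {HOST_IOC} {WU_LINE}",
    f"1500000010 10.0.0.22 198.51.100.10 GET {HOST_IOC} {WU_LINE}",
    f"1500000310 10.0.0.22 198.51.100.10 GET {HOST_IOC} {WU_LINE}",
] + [f'{1500000000 + 5 * i} 10.0.0.30 198.51.100.20 GET intranet.example "/status" "Mozilla/5.0"'
     for i in range(7)]

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Only the 10.0.0.15 flow is reported, with all three reasons; the fast intranet poll is periodic but outside the 48-72 s window, and the genuine Windows Update client talks to the address its Host header belongs to. Any one of the three reasons is enough to open a ticket; the periodicity test is the one that survives when the red team changes its URIs and User-Agent.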
SMB Beacon Network IOC Overview
SMB IOCs
[Raw SMB capture; only the readable strings survive extraction]
• SMB dialect negotiation offering: PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002, SMB 2.???
• NTLMSSP authentication naming host WIN-MS2JQVF1H0N, workgroup WORKGROUP
• Tree connect to the IPC$ share on localhost
• Named-pipe related string: svcsvc
In Summary
Consider what is being done to protect your systems and networks. Are the resources used to protect the network:
• working?
• cost effective?
• able to defend the network?
• staffed appropriately?
Consider applying a threat-based approach when testing the security of your organization, to better understand the true risks from a threat and not just vulnerabilities.
Training
SANS
• SEC 564 Red Team Operations and Threat Emulation
https://sans.org/sec564
SpecterOps
• Adversary Tactics: Red Team Operations
• Adversary Tactics: Active Directory
• Adversary Tactics: Powershell
• Adversary Tactics: Detection
https://specterops.io/resources/upcoming-events
www.specterops.io
@joevest
joe@specterops.io
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 

Recently uploaded (20)

UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 

Using IOCs to Design and Control Threat Activities During a Red Team Engagement

• 1. Using IOCs to Design and Control Threat Activities During a Red Team Engagement
  (Red Teaming) (Threat Emulation) (Adversarial Assessment)
  Joe Vest - @joevest

• 2. Controlling Threat Activities in a Red Team Engagement
  Introduction to Red Teaming
  Define Red Teaming and Red Teaming concepts
  Why Red Team?
  Compare and contrast to other security testing types
  IOC Role In Red Teaming
  Red Team Training

• 3. Background
  Co-founder of MINIS (recently merged with SpecterOps)
  17+ years IT
  10+ years InfoSec
  Red Teamer – Threat Emulator
  Author of SANS SEC564 Red Team Operations and Threat Emulation
  Some letters behind my name: OSCP, GMOB, GCFA, GWAPT, GPEN, GCIH, CISSP, CISA, others…

• 4. Definitions
  Blue Team: Security team that defends against threats.
  Command and Control / C2: The influence an attacker has over a compromised computer system they control.
  Exfiltration: The extraction of information from a target, typically through a covert channel.
  IOC (Indicator of Compromise): Artifacts that identify or describe threat actions.
  OPFOR: Opposing Force or enemy force, typically used by the military in war gaming scenarios. Red Teams are commonly associated with or support OPFOR in war gaming scenarios.
  Operational Impact: The effect of a goal-driven action within a target environment.
  Red Team: An independent group that challenges an organization to improve its effectiveness.
  ROE (Rules of Engagement): Establishes the responsibility, relationship, and guidelines between the Red Team, the customer, the system owner, and any stakeholders required for engagement execution.
  Threat: An expression of intention to inflict evil, injury, or damage.
  Threat Emulation: The process of mimicking the TTPs of a specific threat.
  Tradecraft: The techniques and procedures of espionage. Tradecraft is typically associated with the intelligence community. TTPs and Tradecraft are used interchangeably in this course.
  TTPs: Tactics, Techniques and Procedures (sometimes called tools, techniques, and procedures).
• 5. Red Teaming Definition
  Red Teaming … is the process of using tactics, techniques, and procedures (TTPs) to emulate a real-world threat with the goals of training and measuring the effectiveness of people, processes, and technology used to defend an environment.
  Red Team … an independent group that challenges an organization to improve its effectiveness.

• 6. Why Red Team?
  Isn't identification and mitigation of vulnerabilities enough?

• 7. Why Red Team?
  Red Teaming…
  • measures the effectiveness of the people, processes, and technology used to defend a network
  • trains and/or measures Blue Teams
  • can test and understand specific threats or threat scenarios
  "We don't rise to the level of our expectations, we fall to the level of our training." Archilochus, Greek poet, around 650 BC

• 8. Red Teaming VS Other Security Tests
  [Chart: Vulnerability Assessment, Penetration Testing and Red Teaming plotted against breadth and depth]
• 9. Red Teaming VS Vulnerability Assessment
  Think About This: A red team (threat) rarely uses vulnerability scanning tools during an engagement.
  Vulnerability Assessment
  Goal: Generate a list of prioritized vulnerabilities
  Focus: Identification of vulnerabilities
  Tools: Typically automated
  Risk Identification: Individual systems vs organizational
  Skill: Novice to Mid-Level
• 10. Red Teaming VS Penetration Testing
  According to the SANS Top 20 Critical Controls a penetration test is defined by the following:
  Penetration testing involves modeling the techniques used by real-world computer attackers to find vulnerabilities and, under controlled circumstances, to exploit those flaws in a professional, safe manner according to a carefully designed scope and rules of engagement to determine business risk and potential impact, all with the goal of helping the organization improve security practices.
  TLDR…
  Penetration Testing is an attack against a system designed to identify and measure risks associated with exploitation of a target's attack surface.
  Red Teaming is the process of using TTPs to emulate a threat with the goals of training/measuring security operations (Blue Team).
• 11. PDRR Observation and Measurement Coverage
  [Chart: Vulnerability Assessment, Penetration Test and Red Team Engagement mapped against the PDRR phases Protect, Detect, Respond, Restore]
  • Reduce Attack Surface
  • Good Security Hygiene
  • Measure Security Operations as a whole
  • Train and engage Blue Teams
• 12. Red Teaming Take Away
  Vulnerabilities and exploits may be used, but only as a means to an end. Focus on goals.
  Organizational and operational impacts can be extremely valuable (examples):
  • Measure the ability a threat has to laterally move throughout a network
  • Measure the ability a threat has to escalate privileges
  • Measure the ability a threat has to exfiltrate sensitive data
  • Can a threat degrade, disrupt, deny, or destroy operations?
  Training is key. Blue teams must practice before facing a real threat.

• 13. BOTTOM LINE
  RED TEAMING IS NOT ABOUT VULNERABILITIES AND EXPLOITATION, BUT A FOCUS ON OPERATIONAL GOALS
• 14. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™)
  Framework, knowledge base, and model for cyber adversary behavior
  Focused on threat TTPs and Tradecraft vs exploits and vulnerabilities
  https://attack.mitre.org/wiki/Main_Page
  Threat Hunter Playbook
  https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
  https://cyberwardog.blogspot.com/

• 15. MITRE ATT&CK Examples
  (the first rows of the ATT&CK matrix, one tactic per line)
  Persistence: .bash_profile and .bashrc; Accessibility Features; AppInit DLLs; Application Shimming; Authentication Package; Bootkit; Change Default File Association
  Privilege Escalation: Access Token Manipulation; Accessibility Features; AppInit DLLs; Application Shimming; Bypass User Account Control; DLL Injection; DLL Search Order Hijacking
  Defense Evasion: Access Token Manipulation; Binary Padding; Bypass User Account Control; Clear Command History; Code Signing; Component Firmware; Component Object Model Hijacking
  Credential Access: Account Manipulation; Bash History; Brute Force; Create Account; Credential Dumping; Credentials in Files; Exploitation of Vulnerability
  Discovery: Account Discovery; Application Window Discovery; File and Directory Discovery; Network Service Scanning; Network Share Discovery; Peripheral Device Discovery; Permission Groups Discovery
  Lateral Movement: AppleScript; Application Deployment Software; Exploitation of Vulnerability; Logon Scripts; Pass the Hash; Pass the Ticket; Remote Desktop Protocol
  Execution: AppleScript; Application Shimming; Command-Line Interface; Execution through API; Execution through Module Load; Graphical User Interface; InstallUtil
  Collection: Audio Capture; Automated Collection; Clipboard Data; Data Staged; Data from Local System; Data from Network Shared Drive; Data from Removable Media
  Exfiltration: Automated Exfiltration; Data Compressed; Data Encrypted; Data Transfer Size Limits; Exfiltration Over Alternative Protocol; Exfiltration Over Command and Control Channel; Exfiltration Over Other Network Medium
  Command and Control: Commonly Used Port; Communication Through Removable Media; Connection Proxy; Custom Command and Control Protocol; Custom Cryptographic Protocol; Data Encoding; Data Obfuscation
• 16. IOC Usage and Role in a Red Team Engagement
  IOCs are a means to describe/control a threat actor.
  A Threat will …
  • Get In (exploit)
  • Stay In (C2, Persistence, Lateral Movement) ← Today's Focus
  • Act (operational impact)
  Each phase has a variety of opportunities to engage defenders, allowing Blue TTPs to be practiced and tuned.

• 17. Example: Command and Control
  [Diagram: C2 Server ⇄ HTTP/80 ⇄ Agent (standard user) on the Target ⇄ SMB ⇄ Agent (system) on the Target]
• 18. Threat Profile
  Description: General mid-tiered threat that uses common offensive tools and techniques
  Goal and Intent: Exist in the network to enumerate systems and information in order to maintain command and control to support future attacks, and to determine if and when a Blue Team can detect and identify the threat's IOCs
  Key IOCs:
  • Cobalt Strike HTTP beacon on TCP 80
  • Cobalt Strike SMB beacon on TCP 445
  C2 Overview: Cobalt Strike Beacon over HTTP on port 80 with a 1-minute callback time, calling directly to threat-owned domains
  TTPs (Enumeration, Delivery, Lateral Movement, Privilege Escalation, etc.): Assumed breach model, no initial delivery via exploitation. Post-exploitation via Cobalt Strike commands. Enumeration and lateral movement via Cobalt Strike and native Windows commands. Privilege escalation limited and determined post-exploitation.
  Exploitation: Assumed breach model, no exploitation.
  Persistence: User-level persistence using explorer.exe DLL hijack (linkinfo.dll); WMI event persistence (msupdate.exe)
• 19. Disk IOC Overview
  IOCs (HTTP beacon)
  • HTTP traffic over TCP port 80, beaconing every 60 seconds with a 20% jitter (drift)
  • Payload: linkinfo.dll
  • Location: C:\Windows\linkinfo.dll
  • Timestamp: 07/13/2009 06:31 PM
  • Size: 288,768
  • MD5: 4a247a94bd215f081c04ef235d158ce1
  • Metadata:
    • Company: Microsoft Corporation
    • Description: Windows Volume Tracking
    • Product: Microsoft® Windows® Operating System
    • Prod version: 6.1.7600.16385
    • File version: 6.1.7600.16385 (win7_rtm.090713-1255)
  IOCs (SMB beacon)
  • SMB beacon using on-demand access
  • Payload: msupdate.exe
  • Location: C:\Windows\msupdate.exe
  • Timestamp: 07/13/2009 06:31 PM
  • Size: 290,816
  • MD5: 81401996518d462fba52a345b63ef918
  • Metadata:
    • Company: Microsoft Corporation
    • Description: Host Process for Windows Services
    • Product: Microsoft® Windows® Operating System
    • Prod version: 6.1.7600.16385
    • File version: 6.1.7600.16385 (win7_rtm.090713-1255)
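The point of publishing the disk IOCs in advance is that the Blue Team can be measured against them. The following is an added example, not code from the slide deck or from Cobalt Strike, of what that measurement looks like on the defender's side: it matches a host file inventory against the two planned artifacts (path, size, MD5 as listed above) and separately flags the explorer.exe DLL search-order hijack pattern, a DLL sitting in the Windows directory that shares its name with a DLL in System32. The inventory records, the System32 and notepad.exe sizes, and the "deadbeef…" hashes are constructed for the example.

```python
# Added example (not from the slide deck): match a host's file inventory against
# the disk IOCs planned for the engagement and flag the explorer.exe DLL
# search-order hijack (a DLL in C:\Windows that shares its name with a DLL in
# C:\Windows\System32). Inventory below is constructed for the example.
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int
    md5: str
    company: str
    description: str


# Disk IOCs as planned on slide 19: lowercase path -> (MD5, size in bytes).
PLANNED_IOCS = {
    r"c:\windows\linkinfo.dll": ("4a247a94bd215f081c04ef235d158ce1", 288_768),
    r"c:\windows\msupdate.exe": ("81401996518d462fba52a345b63ef918", 290_816),
}

# Constructed inventory: the two planted payloads, the genuine System32
# linkinfo.dll and an unrelated binary. Sizes and "deadbeef" hashes of the
# last two records are made up for the example.
INVENTORY = [
    FileRecord(r"C:\Windows\linkinfo.dll", 288_768,
               "4a247a94bd215f081c04ef235d158ce1",
               "Microsoft Corporation", "Windows Volume Tracking"),
    FileRecord(r"C:\Windows\msupdate.exe", 290_816,
               "81401996518d462fba52a345b63ef918",
               "Microsoft Corporation", "Host Process for Windows Services"),
    FileRecord(r"C:\Windows\System32\linkinfo.dll", 22_528,
               "deadbeef00000000000000000000c0de",
               "Microsoft Corporation", "Windows Volume Tracking"),
    FileRecord(r"C:\Windows\notepad.exe", 193_536,
               "deadbeef0000000000000000000000ad",
               "Microsoft Corporation", "Notepad"),
]


def match_planned_iocs(inventory):
    """Return inventory records whose path, MD5 and size all match a planned IOC.
    Matching on all three avoids counting a legitimate file that merely reuses
    the name, and a hash-only match would miss a re-built payload at the same path."""
    hits = []
    for rec in inventory:
        planned = PLANNED_IOCS.get(rec.path.lower())
        if planned and rec.md5.lower() == planned[0] and rec.size == planned[1]:
            hits.append(rec)
    return hits


def find_dll_search_order_hijacks(inventory):
    """Flag DLLs in the Windows directory whose file name also exists in System32.
    explorer.exe lives in the Windows directory, so a same-named DLL placed
    beside it is resolved before the System32 copy; this is the linkinfo.dll
    hijack named in the threat profile. Returns the sorted lowercase names."""
    by_dir = {}
    for rec in inventory:
        p = PureWindowsPath(rec.path)
        by_dir.setdefault(str(p.parent).lower(), set()).add(p.name.lower())
    windows_root = by_dir.get(r"c:\windows", set())
    system32 = by_dir.get(r"c:\windows\system32", set())
    return sorted(n for n in windows_root & system32 if n.endswith(".dll"))


if __name__ == "__main__":
    for rec in match_planned_iocs(INVENTORY):
        print("planned IOC present:", rec.path, rec.md5)
    for name in find_dll_search_order_hijacks(INVENTORY):
        print("possible explorer.exe DLL hijack:", name)
```

The second check is the one worth keeping after the engagement: the planned hashes change every time the payload is rebuilt, but a DLL name collision between the Windows directory and System32 is a property of the technique, not of this particular sample.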
• 20. HTTP Beacon Network IOC Overview
  HTTP IOC (GET request and response)
    GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=T2Yw28y-t_hTdfBSImdzQw HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Host: download.windowsupdate.com
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

    HTTP/1.1 200 OK
    Cache-Control: private, max-age=0
    Content-Type: application/octet-stream
    Vary: Accept-Encoding
    Server: Microsoft-IIS/8.5
    X-Powered-By: ASP.NET
    Connection: close
    Content-Length: 64

    ...3..X...T..f.7............&..DZ.p....`./.CG.@..b..h ........C..

  HTTP IOC (POST request and response)
    POST /v11/2/windowsupdate/selfupdate/WSUS3/NzIxMg HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*
    Content-Type: application/x-www-form-url-encoded
    Host: download.windowsupdate.com
    Content-Length: 29
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

    status=iVtM41G4gRnsNKaocUaOTw

    HTTP/1.1 200 OK
    Cache-Control: private, max-age=0
    Content-Type: application/octet-stream
    Vary: Accept-Encoding
    Server: Microsoft-IIS/8.5
    X-Powered-By: ASP.NET
    Connection: close
    Content-Length: 0
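Two properties of this beacon are fixed by the threat profile before the engagement starts, and both are detectable without any knowledge of the C2 server: the callback period (60 seconds with 20% jitter, slide 19) and a Host header that claims download.windowsupdate.com while the TCP peer is a threat-owned address. The following is an added example, not code from the slide deck, that runs both checks over proxy-style log lines. The log lines, the source and destination IPs, the intranet.example flow and the DNS answer table are all constructed for the example; the URIs and Host header are the ones shown above.

```python
# Added example (not from the slide deck): find the planned HTTP beacon in
# proxy logs by (1) request-interval regularity around the profiled period
# and (2) Host headers whose name never resolved to the peer IP.
# Log lines, IP addresses and the DNS table are constructed for the example.
from datetime import datetime
from statistics import median

# Constructed proxy log: timestamp  src  dst  host_header  method  uri
SAMPLE_LOG = """\
2024-04-01T10:00:00 10.0.0.5 203.0.113.10 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=T2Yw28y-t_hTdfBSImdzQw
2024-04-01T10:00:55 10.0.0.5 203.0.113.10 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=aGVsbG8
2024-04-01T10:01:48 10.0.0.5 203.0.113.10 download.windowsupdate.com POST /v11/2/windowsupdate/selfupdate/WSUS3/NzIxMg
2024-04-01T10:02:46 10.0.0.5 203.0.113.10 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=d29ybGQ
2024-04-01T10:03:38 10.0.0.5 203.0.113.10 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=Zm9v
2024-04-01T10:04:30 10.0.0.5 203.0.113.10 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=YmFy
2024-04-01T10:05:28 10.0.0.5 203.0.113.10 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6-muredir.cab?v=YmF6
2024-04-01T10:00:05 10.0.0.7 198.51.100.20 intranet.example GET /index.html
2024-04-01T10:00:10 10.0.0.7 198.51.100.20 intranet.example GET /style.css
2024-04-01T10:05:10 10.0.0.7 198.51.100.20 intranet.example GET /news
2024-04-01T10:05:22 10.0.0.7 198.51.100.20 intranet.example GET /news/2
2024-04-01T10:20:22 10.0.0.7 198.51.100.20 intranet.example GET /logout
"""

# Constructed DNS view: the answers the resolver actually returned for each name.
# The beacon never asks DNS for download.windowsupdate.com; it connects straight
# to the threat-owned IP and only writes the name into the Host header.
DNS_ANSWERS = {
    "download.windowsupdate.com": {"198.51.100.99"},
    "intranet.example": {"198.51.100.20"},
}

PERIOD_S, JITTER, MIN_HITS, SLACK_S = 60, 0.20, 5, 5   # period and jitter from the profile


def parse_log(text):
    """Split constructed log lines into (timestamp, src, dst, host, method, uri)."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, host, method, uri = line.split(maxsplit=5)
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, host, method, uri))
    return rows


def find_beacons(rows):
    """Return {(src, dst): median_gap_seconds} for flows with MIN_HITS or more
    requests whose gaps all fall within PERIOD_S +/- JITTER (plus SLACK_S for
    scheduling delay). A browser's bursty fetches fail this; a sleep-with-jitter
    callback passes it."""
    by_flow = {}
    for ts, src, dst, *_ in rows:
        by_flow.setdefault((src, dst), []).append(ts)
    lo = PERIOD_S * (1 - JITTER) - SLACK_S
    hi = PERIOD_S * (1 + JITTER) + SLACK_S
    found = {}
    for flow, times in by_flow.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= MIN_HITS and all(lo <= g <= hi for g in gaps):
            found[flow] = median(gaps)
    return found


def host_header_mismatches(rows, dns):
    """Flows whose Host header names a domain the resolver never mapped to the
    peer IP, sorted as (src, dst, host) tuples."""
    return sorted({(src, dst, host) for _, src, dst, host, *_ in rows
                   if dst not in dns.get(host, set())})


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for flow, gap in find_beacons(rows).items():
        print("beacon-like flow", flow, "median gap %.0fs" % gap)
    for src, dst, host in host_header_mismatches(rows, DNS_ANSWERS):
        print("Host header", host, "never resolved to", dst, "(from", src + ")")
```

Period analysis is the check the red team expects to be caught by, because the 60-second callback is declared in the profile. The Host-header check is the one that survives a profile change: any Cobalt Strike malleable profile that borrows a well-known domain name for the Host header while connecting to "threat owned domains" (slide 18) produces the same name-to-IP mismatch.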
• 21. SMB Beacon Network IOC Overview
  SMB IOCs (packet capture excerpt; the raw bytes shown on the slide are not reproducible here). Fields recoverable from the capture:
  • SMB negotiate request offering the dialects PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002, SMB 2.???
  • NTLMSSP authentication exchange naming the host WIN-MS2JQVF1H0N in WORKGROUP
  • Tree connect to \\localhost\IPC$
  • Named pipe traffic with a pipe name containing svcsvc
• 22. In Summary
  Consider what is being done to protect your systems and networks. Are the resources used to protect the network working? Are they cost-effective? Able to defend the network? Staffed appropriately?
  Consider applying a threat-based approach when testing the security of your organization to better understand the true risks from a threat and not just vulnerabilities.
• 23. Training
  SANS
  • SEC 564 Red Team Operations and Threat Emulation
    https://sans.org/sec564
  SpecterOps
  • Adversary Tactics: Red Team Operations
  • Adversary Tactics: Active Directory
  • Adversary Tactics: Powershell
  • Adversary Tactics: Detection
    https://specterops.io/resources/upcoming-events