Assume Compromise
The security landscape has changed such that simply focusing on prevention is no longer an effective strategy. This talk will look at the idea of Assume Breach and how detection of and response to threats align with an attacker methodology. Demonstrations and research will highlight how organizations can achieve more finely tuned detection capabilities through threat simulation and war-game exercises.

1. BEYOND PREVENTION, ASSUME BREACH
Zach Grace

2. whoami /all
• Lead Security Consultant at Northwestern Mutual
• @MilSec Leader
• OWASP Milwaukee Leader
• Wisconsin CCDC Red Team member
• Team member of the 2015 DerbyCon CTF champs
• Twitterz: @ztgrace

3. Disclaimer
The opinions expressed here represent my own and not those of my employer.

4. It's not if, but when…

5. ASSUME COMPROMISE
• Protective technologies will fail
• Shifts blue team's focus to the Detect phase
• Breach readiness as a mantra

6. PROTECTION FAILS
• Protection tools are often based on signatures
• Preventative in nature
• Examples of protective technologies:
  • Anti-virus
  • Firewalls
  • IDS & IPS
  • Web App Firewalls (WAF)
  • Web Proxies
  • Sandbox

7. COMPARED TO ATTACKERS
NIST CSF: Identify → Protect → Detect → Respond → Recover
NIST SP800-115: Discovery → Gaining Access → Escalating Privileges → System Browsing → Persistence
Cyber Kill Chain: (1) Recon → (2) Weaponization → (3) Delivery → (4) Exploit → (5) Install → (6) C2 → (7) Actions on Objectives

8. ZoxPNG
• Used technet.microsoft.com for command and control
https://blogs.rsa.com/wolves-among-us-abusing-trusted-providers-malware-operations/

9. DETECT ISSUES
• Logging too little/much
• Poor Security Information and Event Management (SIEM) correlation
• Ineffective security monitoring
• Insufficient training to create use cases

10. REFOCUS THE RED TEAM

11. PEN TESTING/RED TEAMING ISSUES
• Vulnerability focused
• Reporting doesn't help defenders
• Lack of realistic threat modeling

12. REPORTS
• Vulnerability focused
• "How I PWN'd you"
• Vague recommendations

13. REPORTS BE LIKE

14. BLUE TEAM NEEDS
• Training partner
• Indicators of Compromise (IOCs)
• Attack signatures
• Use cases

15. Compromise → Detection → Containment
MTD - MTC = ∆

16. ∆ FORCE

17. ∆ FORCE OBJECTIVES
• Provide IOCs and attack signatures alongside vulns in reports
• Perform threat simulations based on threat modeling
• Break down attacks into stages
• Validate detection at each stage, and assist with correlation

18. PYRAMID OF PAIN
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

19. HASH VALUES
• Summary/signature of bytes
• Fuzzy hashing

20. IP ADDRESSES
…the IP addresses used in an engagement

21. DOMAIN NAMES
…domain names used in an engagement

22. NETWORK ARTIFACTS
• Protocol-level artifacts
  • HTTP
    • UserAgent strings
    • Missing host header
  • DNS

23. HOST ARTIFACTS
• Persistence mechanisms
• Command & Control (C2/C&C)
• Backdoors

24. REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

25. Sticky Keys Hunter v2
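
The REG ADD on slide 24 is the classic sticky keys backdoor: an Image File Execution Options (IFEO) "Debugger" value makes Windows launch cmd.exe as SYSTEM whenever sethc.exe is invoked, including from the logon screen. Sticky Keys Hunter checks for this from the outside over RDP; the script below is an added example (not code from the talk or from Sticky Keys Hunter) for the host-artifact side of the same hunt. It assumes the IFEO key was collected with `reg export` and parses that `.reg` text offline; the sample export, the product value on iexplore.exe and the utilman.exe variant are all constructed, with the sethc.exe entry mirroring slide 24.

```python
"""Triage an IFEO export for the accessibility-binary "Debugger" backdoor.

Added example, not code from the talk. It assumes the registry key was
collected with a command like
    reg export "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" ifeo.reg
and parses that .reg text offline. The sample export below is constructed;
its sethc.exe entry mirrors the REG ADD on slide 24.
"""
import re

# Binaries a user can launch from the logon screen. A Debugger value under
# any of them runs the "debugger" as SYSTEM before anyone authenticates.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample: a harmless product setting on iexplore.exe, the slide's
# sethc.exe backdoor, and a utilman.exe variant whose REG_SZ data carries the
# .reg escapes for embedded quotes and backslashes.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\windows\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"="\"C:\\Windows\\System32\\cmd.exe\" /c net user backdoor P@ss /add"
'''

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]\s*$")
# "Name"="data", where data may contain the two .reg escapes \\ and \"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')


def unescape_reg_sz(data):
    # Undo the .reg escapes: a doubled backslash and a backslash-quote.
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for the REG_SZ values."""
    keys, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group("path")
            keys[current] = {}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group("name")] = unescape_reg_sz(value.group("data"))
    return keys


def find_ifeo_debuggers(reg_text):
    """List (image, debugger_command) for accessibility binaries that have a Debugger set."""
    hits = []
    for path, values in parse_reg_export(reg_text).items():
        if not path.lower().startswith(IFEO_KEY.lower() + "\\"):
            continue
        image = path.rsplit("\\", 1)[-1].lower()
        if image in ACCESSIBILITY_BINARIES and "Debugger" in values:
            hits.append((image, values["Debugger"]))
    return hits


if __name__ == "__main__":
    for image, debugger in find_ifeo_debuggers(SAMPLE_REG_EXPORT):
        print(f"[!] IFEO Debugger on {image}: {debugger}")
```

`reg export` writes UTF-16LE with a BOM, so open a real export with `open(path, encoding="utf-16")` before passing it to `find_ifeo_debuggers`. Any hit on these binaries is a finding; there is no legitimate reason for a Debugger value on sethc.exe or utilman.exe.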
26. TOOLS
• Binaries/scripts transferred to host
• Built-in administrator tools
• Built/compiled on the compromised machine

27. IN-MEMORY POWERSHELL

28. TACTICS, TECHNIQUES and PROCEDURES (TTPs)
• Detecting and responding to adversarial behaviors
• Goes beyond tool detection

29. LATERAL MOVEMENT
• Windows
  • SMB - Pass the Hash (PTH)
  • WMI
  • WinRM
• Linux/OS X/Unix
  • SSH

30. WIRESHARK: CreateServiceW

31. SNORT DETECTION
alert tcp any any -> any 445 (msg:"psexec service created"; flow:to_server,established; content:"|FF 53 4D 42|"; dce_opnum:12; reference:url,https://www.snort.org/faq/readme-dcerpc2; classtype:bad-unknown; sid:31337; rev:1;)
• |FF 53 4D 42| is the SMBv1 header ("\xFFSMB"); SMB2/3 uses |FE 53 4D 42|, so this content match only sees SMBv1 sessions
• dce_opnum:12 is RCreateServiceW only on the svcctl interface; add dce_iface:367abb81-9844-35f1-ad32-98f038001003; ahead of it so opnum 12 on other bound interfaces does not fire the rule
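
The Wireshark and Snort slides both key on the same thing: a DCE/RPC REQUEST carrying opnum 12 on the pipe that was bound to svcctl. The opnum only has meaning relative to that interface, which is what the dcerpc2 preprocessor tracks for dce_iface/dce_opnum. The following is an added example (not from the talk) of that tracking in Python: it builds a BIND and a REQUEST PDU in-line, remembers the presentation contexts the BIND offered, and resolves the REQUEST's opnum against the bound interface. The PDUs are constructed without the SMB framing that carries them to \PIPE\svcctl; the interface UUIDs and opnum names are from MS-SCMR and MS-SRVS.

```python
"""Resolve a DCE/RPC opnum against the interface it was bound to.

Added example, not from the talk. Snort's dce_opnum only has meaning for a
given interface: opnum 12 is RCreateServiceW on svcctl (MS-SCMR) but
NetrSessionEnum on srvsvc (MS-SRVS), so a detector must remember the BIND's
presentation contexts and consult them when a REQUEST arrives. The PDUs here
are built in-line, without the SMB framing that carries them to \\PIPE\\svcctl.
"""
import struct
import uuid

SVCCTL = uuid.UUID("367abb81-9844-35f1-ad32-98f038001003")   # MS-SCMR v2.0
SRVSVC = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")   # MS-SRVS v3.0
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")    # transfer syntax

# (interface, opnum) -> operation, for the few calls this example cares about
OPNUM_NAMES = {
    (SVCCTL, 12): "RCreateServiceW",
    (SVCCTL, 19): "RStartServiceW",
    (SRVSVC, 12): "NetrSessionEnum",
    (SRVSVC, 15): "NetrShareEnum",
}

PTYPE_REQUEST, PTYPE_BIND, PTYPE_ALTER_CONTEXT = 0, 11, 14
HEADER = "<BBBB4sHHI"   # rpc_vers, minor, ptype, pfc_flags, drep, frag_len, auth_len, call_id


def _pdu(ptype, body, call_id):
    """Common 16-byte header: v5.0, first+last fragment, little-endian drep."""
    return struct.pack(HEADER, 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                       16 + len(body), 0, call_id) + body


def build_bind(ctx_id, abstract, version, call_id=1):
    """BIND offering one presentation context: ctx_id -> (abstract syntax, NDR32)."""
    ctx = (struct.pack("<HBx", ctx_id, 1) + abstract.bytes_le + struct.pack("<I", version)
           + NDR32.bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHIBxxx", 4280, 4280, 0, 1) + ctx   # max_xmit, max_recv, assoc_group, n_ctx
    return _pdu(PTYPE_BIND, body, call_id)


def build_request(ctx_id, opnum, stub=b"", call_id=2):
    """REQUEST: alloc_hint, context id, opnum, then the NDR stub."""
    return _pdu(PTYPE_REQUEST, struct.pack("<IHH", len(stub), ctx_id, opnum) + stub, call_id)


class DceRpcTracker:
    """State for one pipe/connection: context id -> interface learned from BIND/ALTER_CONTEXT."""

    def __init__(self):
        self.contexts = {}

    def feed(self, pdu):
        """Consume one PDU. Returns (interface, opnum, name) for a REQUEST, else None."""
        vers, _minor, ptype, _flags, drep, frag_len, _auth, _call = struct.unpack(HEADER, pdu[:16])
        if vers != 5 or not drep[0] & 0x10:
            raise ValueError("only DCE/RPC v5 with little-endian data representation is handled")
        if len(pdu) < frag_len:
            raise ValueError("truncated fragment")
        if ptype in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
            n_ctx, off = pdu[24], 28
            for _ in range(n_ctx):
                ctx_id, n_transfer = struct.unpack_from("<HBx", pdu, off)
                self.contexts[ctx_id] = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
                off += 4 + 20 + 20 * n_transfer   # ctx header, abstract syntax, transfer syntaxes
            return None
        if ptype == PTYPE_REQUEST:
            _hint, ctx_id, opnum = struct.unpack_from("<IHH", pdu, 16)
            iface = self.contexts.get(ctx_id)
            return iface, opnum, OPNUM_NAMES.get((iface, opnum), "unknown")
        return None


def is_create_service(result):
    """The condition the Snort rule should express: opnum 12 *on svcctl*."""
    return result is not None and result[0] == SVCCTL and result[1] == 12


if __name__ == "__main__":
    pipe = DceRpcTracker()
    pipe.feed(build_bind(0, SVCCTL, 2))
    call = pipe.feed(build_request(0, 12))
    print(call, "-> alert" if is_create_service(call) else "-> ignore")
```

The same opnum bound to srvsvc resolves to NetrSessionEnum and must not alert, which is the false positive an interface-less dce_opnum:12 rule would produce. A real pipe also sees ALTER_CONTEXT PDUs that add contexts later in the session, which is why the tracker handles them like BIND.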
32. SERVICE CREATION - 7045 (System log, Service Control Manager: a service was installed)

33. METASPLOIT SERVICE NAME

34. POWERSHELL PSEXEC SERVICE
Service Name: zzVSnCcgDVXwECBU
Service File Name: %COMSPEC% /C echo wmic computersystem get username ^> %SYSTEMDRIVE%\WINDOWS\Temp\JvuqFpTTakgmRppQ.txt > \WINDOWS\Temp\EtVsuSpjptOYGbwK.bat & %COMSPEC% /C start %COMSPEC% /C \WINDOWS\Temp\EtVsuSpjptOYGbwK.bat
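
Slides 32 to 34 give the blue team a use case: a 7045 record whose service name is sixteen random letters and whose file name is a cmd.exe one-liner that echoes a command into a .bat under \Windows\Temp and runs it. The script below is an added example (not from the talk) that turns those observations into triage logic over the XML that `wevtutil qe System /q:"*[System[EventID=7045]]" /f:xml` emits. It goes slightly beyond the slide by also catching the Sysinternals PsExec default service. The three records are constructed; the first reproduces the service name and file name from slide 34, and the thresholds in `looks_random` are a starting point to tune against your own 7045 baseline.

```python
"""Triage Service Control Manager 7045 (service installed) records for
PsExec-style remote execution.

Added example, not from the talk. Input is the XML that
    wevtutil qe System /q:"*[System[EventID=7045]]" /f:xml
emits; the three records below are constructed, the first reproducing the
service name and file name from slide 34.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(when, name, image_path, account="LocalSystem"):
    """Constructed 7045 record in the shape the Event Log renders it."""
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Service Control Manager"/><EventID>7045</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Computer>ws01.corp.example</Computer></System>'
            f'<EventData><Data Name="ServiceName">{escape(name)}</Data>'
            f'<Data Name="ImagePath">{escape(image_path)}</Data>'
            f'<Data Name="ServiceType">user mode service</Data>'
            f'<Data Name="StartType">demand start</Data>'
            f'<Data Name="AccountName">{account}</Data></EventData></Event>')


SAMPLE_EVENTS = [
    _event("2016-01-28T14:05:09Z", "zzVSnCcgDVXwECBU",
           r"%COMSPEC% /C echo wmic computersystem get username ^> %SYSTEMDRIVE%\WINDOWS\Temp\JvuqFpTTakgmRppQ.txt"
           r" > \WINDOWS\Temp\EtVsuSpjptOYGbwK.bat & %COMSPEC% /C start %COMSPEC% /C \WINDOWS\Temp\EtVsuSpjptOYGbwK.bat"),
    _event("2016-01-28T14:09:41Z", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    _event("2016-01-28T09:12:00Z", "VendorUpdateSvc", r'"C:\Program Files\Vendor\updater.exe" /service'),
]


def parse_7045(xml_text):
    """Return the EventData fields (plus TimeCreated) of a 7045 record, or None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "7045":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    data["TimeCreated"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return data


def looks_random(name):
    """Heuristic for generated names like Metasploit's 16 random letters:
    letters only, mixed case, and either a long consonant run or few vowels."""
    if len(name) < 8 or not name.isalpha() or name.islower() or name.isupper():
        return False
    vowels = sum(c in "aeiouAEIOU" for c in name)
    longest_run = max((len(run) for run in re.findall(r"[^aeiouAEIOU]+", name)), default=0)
    return longest_run >= 5 or vowels / len(name) < 0.2


def triage_7045(data):
    """Reasons a 7045 record looks like remote service-based execution ([] if none)."""
    name, path = data.get("ServiceName", ""), data.get("ImagePath", "")
    reasons = []
    if name.upper() == "PSEXESVC" or path.upper().endswith("PSEXESVC.EXE"):
        reasons.append("Sysinternals PsExec default service")
    if looks_random(name):
        reasons.append("random-looking service name")
    if re.search(r"%COMSPEC%|\bcmd(?:\.exe)?\b.*\s/[cC]\b", path, re.I):
        reasons.append("command interpreter wrapped as a service")
    if re.search(r"\.bat\b", path, re.I):
        reasons.append("batch file used as the service binary")
    if re.search(r"\\Temp\\|%TEMP%|ADMIN\$", path, re.I):
        reasons.append("binary in a temp directory or admin share")
    if re.search(r"\^>|\s>\s", path):
        reasons.append("output redirected to a file (command capture)")
    return reasons


def triage_events(xml_records):
    """Map ServiceName -> reasons for every 7045 record in the input."""
    results = {}
    for record in xml_records:
        data = parse_7045(record)
        if data:
            results[data["ServiceName"]] = triage_7045(data)
    return results


if __name__ == "__main__":
    for service, reasons in triage_events(SAMPLE_EVENTS).items():
        print(f"{service}: {'; '.join(reasons) or 'nothing suspicious'}")
```

Any one of the ImagePath reasons is worth an alert on its own; the random-name test is supporting evidence, since a blank-looking name with a clean ImagePath is usually a product installer. Correlate a hit with the preceding 4624 logon type 3 on the same host to recover the account and source address the red team used.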
35. TIMELINE

36. TIMELINE
• Log all the commands
• HISTTIMEFORMAT="%d/%m/%y %T "
• test "$(ps -o command= -p $PPID | awk '{print $1}')" == 'script' || (script -f $HOME/logs/$(date +"%d-%b-%y_%H-%M-%S")_shell.log)
• Metasploit:
  setg PromptTimeFormat "%Y-%m-%d %H:%M:%S"
  setg Prompt "%T - (S: %S J: %J) "
  spool /root/.msf4/msfconsole.log
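
The point of the timestamped history, the `script` session log and the msfconsole spool is that the red team's timeline can be laid next to the blue team's detections afterwards. The script below is an added example (not from the talk) that does that join: it parses the two formats slide 36 configures and a SIEM alert export, attributes each detection to the latest prior red action on the same host, and reports the delay and the actions nothing caught. All three samples are constructed, the CSV alert format is assumed, and both sides' clocks are assumed to be in UTC (sync them, or the deltas are fiction). Slide 15's ∆ is read here as that per-action delay; averaging it into MTD/MTC is left to the reader.

```python
"""Merge the red team's timestamped command logs with the blue team's
detections and measure the delay from each action to its detection.

Added example, not from the talk. Parses bash history written with
HISTTIMEFORMAT="%d/%m/%y %T " and an msfconsole spool written with
Prompt "%T - (S: %S J: %J) ", plus a constructed CSV export of SIEM alerts.
All samples are constructed; both clocks are assumed to be UTC.
"""
import re
from datetime import datetime

RED_BASH_HISTORY = """\
  501  28/01/16 14:01:05 nmap -sS -p445 10.0.0.0/24
  502  28/01/16 14:02:40 smbclient -L //10.0.0.5 -U corp/jdoe
"""

RED_MSF_SPOOL = """\
2016-01-28 14:04:50 - (S: 0 J: 0)  > use exploit/windows/smb/psexec
2016-01-28 14:04:58 - (S: 0 J: 0)  exploit(windows/smb/psexec) > set RHOST 10.0.0.5
2016-01-28 14:05:08 - (S: 0 J: 0)  exploit(windows/smb/psexec) > run
[*] 10.0.0.5:445 - Connecting to the server...
[*] 10.0.0.5:445 - Selecting PowerShell target
"""

# Constructed SIEM export: time, host, description
BLUE_ALERTS_CSV = """\
2016-01-28T14:05:31Z,10.0.0.5,System 7045: service zzVSnCcgDVXwECBU installed by %COMSPEC%
2016-01-28T14:05:33Z,10.0.0.5,Snort sid 31337: psexec service created
"""

BASH_RE = re.compile(r"^\s*\d+\s+(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
MSF_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - \(S: \d+ J: \d+\)\s*(?:\S+\s*)?>\s*(.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_red_timeline(bash_history, msf_spool):
    """Red actions as (time, host, command), sorted by time. msf 'set'/'use' lines
    only update operator state (RHOST); they are not actions against a host."""
    actions, rhost = [], None
    for line in bash_history.splitlines():
        m = BASH_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%d/%m/%y %H:%M:%S")
            ip = IPV4_RE.search(m.group(2))
            actions.append((when, ip.group(0) if ip else None, m.group(2)))
    for line in msf_spool.splitlines():
        m = MSF_RE.match(line)
        if not m:
            continue   # module output, not an operator command
        when, cmd = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
        words = cmd.split()
        if not words:
            continue
        if re.match(r"setg?\s+RHOSTS?\s+\S+", cmd, re.I):
            rhost = words[-1]
        if words[0].lower() in ("set", "setg", "use"):
            continue
        ip = IPV4_RE.search(cmd)
        actions.append((when, ip.group(0) if ip else rhost, cmd))
    return sorted(actions, key=lambda a: a[0])


def parse_detections(csv_text):
    """Blue detections as (time, host, description)."""
    out = []
    for line in csv_text.splitlines():
        when, host, desc = line.split(",", 2)
        out.append((datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ"), host, desc))
    return sorted(out, key=lambda d: d[0])


def detection_delta(actions, detections):
    """Attribute each detection to the latest prior red action on the same host.
    Returns (matched, gaps): matched rows carry delta_s; gaps are actions nothing caught."""
    matched, caught = [], set()
    for when, host, desc in detections:
        candidates = [a for a in actions if a[1] == host and a[0] <= when]
        if not candidates:
            matched.append({"detection": desc, "action": None, "delta_s": None})
            continue
        action = max(candidates, key=lambda a: a[0])
        caught.add(action)
        matched.append({"detection": desc, "action": action[2],
                        "delta_s": int((when - action[0]).total_seconds())})
    gaps = [a for a in actions if a[1] and a not in caught]
    return matched, gaps


if __name__ == "__main__":
    red = parse_red_timeline(RED_BASH_HISTORY, RED_MSF_SPOOL)
    matched, gaps = detection_delta(red, parse_detections(BLUE_ALERTS_CSV))
    for row in matched:
        print(f"{row['delta_s']}s  {row['action']!r} -> {row['detection']}")
    for when, host, cmd in gaps:
        print(f"GAP  {when} {host}: {cmd}")
```

The gaps are the deliverable: in this constructed run the psexec service creation was seen within half a minute, but the SMB sweep and the share enumeration against the same host produced nothing, which is exactly the per-stage validation slide 17 asks for.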
37. TIPS FOR DEFENSE
• Use pen test & red team engagements as training exercises
• Ask for more than a vulnerability report (IOCs, PCAPs, logs, etc.)
• Sit with and learn from the red team
• Rotate your testing firms or rotate your testers
• Perform root cause analysis on vulnerabilities

38. TIPS FOR OFFENSE
• Be a sparring partner
• Provide more data like IOCs, PCAPs, logs, etc.
• Incorporate use cases into reports
• Provide artifacts to reproduce attacks

39. THANK YOU!
@ztgrace
https://github.com/ztgrace/presentations/tree/master/20160128_wctc_cyber_security_summit