Assume Compromise
The security landscape has changed such that focusing on prevention alone is no longer an effective strategy. This talk looks at the idea of Assume Breach and how detection of and response to threats aligns with an attacker methodology. Demonstrations and research highlight how organizations can achieve more finely tuned detection capabilities through threat simulation and war-game exercises.

Assume Compromise

  1. BEYOND PREVENTION, ASSUME BREACH (Zach Grace)
  2. whoami /all
     • Lead Security Consultant at Northwestern Mutual
     • @MilSec Leader
     • OWASP Milwaukee Leader
     • Wisconsin CCDC Red Team member
     • Team member of the 2015 DerbyCon CTF champs
     • Twitterz: @ztgrace
  3. Disclaimer: The opinions expressed here represent my own and not those of my employer.
  4. It's not if, but when…
  5. ASSUME COMPROMISE
     • Protective technologies will fail
     • Shifts the blue team's focus to the Detect phase
     • Breach readiness as a mantra
  6. PROTECTION FAILS
     • Protection tools are often based on signatures
     • Preventative in nature
     • Examples of protective technologies: Anti-virus, Firewalls, IDS & IPS, Web App Firewalls (WAF), Web Proxies, Sandbox
  7. COMPARED TO ATTACKERS
     • NIST CSF: Identify, Protect, Detect, Respond, Recover
     • NIST SP800-115: Discovery, Gaining Access, Escalating Privileges, System Browsing, Persistence
     • Cyber Kill Chain: (1) Recon, (3) Delivery, (4) Exploit, (5) Install, (6) C2
  8. ZoxPNG
     • Used technet.microsoft.com for command and control
     • https://blogs.rsa.com/wolves-among-us-abusing-trusted-providers-malware-operations/
  9. DETECT ISSUES
     • Logging too little/much
     • Poor Security Information and Event Management (SIEM) correlation
     • Ineffective security monitoring
     • Insufficient training to create use cases
  10. REFOCUS THE RED TEAM
  11. PEN TESTING/RED TEAMING ISSUES
     • Vulnerability focused
     • Reporting doesn't help defenders
     • Lack of realistic threat modeling
  12. REPORTS
     • Vulnerability focused
     • "How I PWN'd you"
     • Vague recommendations
  13. REPORTS BE LIKE
  14. BLUE TEAM NEEDS
     • Training partner
     • Indicators of Compromise (IOCs)
     • Attack signatures
     • Use cases
  15. Compromise, Detection, Containment: MTD - MTC = ∆
  16. ∆ FORCE
  17. ∆ FORCE OBJECTIVES
     • Provide IOCs and attack signatures alongside vulns in reports
     • Perform threat simulations based on threat modeling
     • Break down attacks into stages
     • Validate detection at each stage, and assist with correlation
  18. PYRAMID OF PAIN
     • http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
  19. HASH VALUES
     • Summary/signature of bytes
     • Fuzzy hashing
  20. IP ADDRESSES
     • …the IP addresses used in an engagement
  21. DOMAIN NAMES
     • …domain names used in an engagement
  22. NETWORK ARTIFACTS
     • Protocol-level artifacts
     • HTTP: UserAgent strings, missing Host header
     • DNS
  23. HOST ARTIFACTS
     • Persistence mechanisms
     • Command & Control (C2/C&C)
     • Backdoors
  24. REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
  25. Sticky Keys Hunter v2
  26. TOOLS
     • Binaries/scripts transferred to host
     • Built-in administrator tools
     • Built/compiled on the compromised machine
  27. IN-MEMORY POWERSHELL
  28. TACTICS, TECHNIQUES and PROCEDURES (TTPs)
     • Detecting and responding to adversarial behaviors
     • Goes beyond tool detection
  29. LATERAL MOVEMENT
     • Windows: SMB - Pass the Hash (PTH), WMI, WinRM
     • Linux/OS X/Unix: SSH
  30. WIRESHARK: CreateServiceW
  31. SNORT DETECTION
     alert tcp any any -> any 445 (msg:"psexec service created"; flow:to_server,established; content:"|FF 53 4D 42|"; dce_opnum:12; reference:url,https://www.snort.org/faq/readme-dcerpc2; classtype:bad-unknown; sid:31337; rev:1;)
  32. SERVICE CREATION - 7045
  33. METASPLOIT SERVICE NAME
  34. POWERSHELL PSEXEC SERVICE
     • Service Name: zzVSnCcgDVXwECBU
     • Service File Name: %COMSPEC% /C echo wmic computersystem get username ^> %SYSTEMDRIVE%\WINDOWS\Temp\JvuqFpTTakgmRppQ.txt > \WINDOWS\Temp\EtVsuSpjptOYGbwK.bat & %COMSPEC% /C start %COMSPEC% /C \WINDOWS\Temp\EtVsuSpjptOYGbwK.bat
  35. TIMELINE
  36. TIMELINE
     • Log all the commands
     • HISTTIMEFORMAT="%d/%m/%y %T "
     • test "$(ps -ocommand= -p $PPID | awk '{print $1}')" == 'script' || (script -f $HOME/logs/$(date +"%d-%b-%y_%H-%M-%S")_shell.log)
     • Metasploit: setg PromptTimeFormat "%Y-%m-%d %I:%H:%S"; setg Prompt "%T - (S: %S J: %J) "; spool /root/.msf4/msfconsole.log
  37. TIPS FOR DEFENSE
     • Use pen test & red team engagements as training exercises
     • Ask for more than a vulnerability report (IOCs, PCAPs, logs, etc.)
     • Sit with and learn from the red team
     • Rotate your testing firms or rotate your testers
     • Perform root cause analysis on vulnerabilities
  38. TIPS FOR OFFENSE
     • Be a sparring partner
     • Provide more data like IOCs, PCAPs, logs, etc.
     • Incorporate use cases into reports
     • Provide artifacts to reproduce attacks
  39. THANK YOU! @ztgrace
     • https://github.com/ztgrace/presentations/tree/master/20160128_wctc_cyber_security_summit
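Slides 32 to 34 show the 7045 service-creation artifacts that Metasploit and PowerShell psexec leave behind. The following Python is added here and is not part of the talk: it triages constructed 7045 message bodies written in the slide's "Service Name / Service File Name" form. The random-name heuristic (letter-only, mixed case, entropy threshold) and the indicator labels are my assumptions; the sample events are constructed, the first copying the slide's artifact.

```python
import math
import re
from collections import Counter
# Constructed 7045 message bodies in the slide's "Service Name: ... Service File Name: ..."
# form: the PowerShell psexec artifact from the talk, a default PsExec install, a benign service.
SAMPLE_7045 = [
    "Service Name: zzVSnCcgDVXwECBU Service File Name: %COMSPEC% /C echo wmic computersystem "
    r"get username ^> %SYSTEMDRIVE%\WINDOWS\Temp\JvuqFpTTakgmRppQ.txt > \WINDOWS\Temp\EtVsuSpjptOYGbwK.bat "
    r"& %COMSPEC% /C start %COMSPEC% /C \WINDOWS\Temp\EtVsuSpjptOYGbwK.bat",
    r"Service Name: PSEXESVC Service File Name: C:\Windows\PSEXESVC.exe",
    r"Service Name: Spooler Service File Name: C:\Windows\System32\spoolsv.exe",
]
EVENT_RE = re.compile(r"Service Name:\s*(?P<name>\S+)\s+Service File Name:\s*(?P<path>.*)")

def shannon_entropy(text):
    # Bits per character: generated letter strings score high, real words low.
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def looks_random(name):
    # Heuristic (my assumption) for generated names: 8-16 letters, mixed case, high entropy.
    # Tune the threshold against a baseline of your own 7045 events.
    if not re.fullmatch(r"[A-Za-z]{8,16}", name):
        return False
    mixed = name != name.lower() and name != name.upper()
    return mixed and shannon_entropy(name) >= 3.3

def indicators(name, path):
    # Indicator labels are my naming; each maps to an artifact shown on slides 31-34.
    found = []
    if looks_random(name):
        found.append("random-service-name")
    if "PSEXESVC" in (name + path).upper():
        found.append("psexec-default-name")
    if "%COMSPEC%" in path.upper():
        found.append("comspec-launcher")
    # "echo ... > \...\Temp\<name>.bat": command staged into a batch file under Temp
    if re.search(r"echo .*>\s*\S*\\Temp\\\S+\.bat", path, re.IGNORECASE):
        found.append("bat-dropped-in-temp")
    return found

def triage(messages):
    # Parse each 7045 body and report which indicators fire for its service name.
    results = []
    for msg in messages:
        m = EVENT_RE.match(msg)
        if m:
            results.append({"name": m["name"], "indicators": indicators(m["name"], m["path"])})
    return results
```

Feed it the message field of real 7045 events and the same indicators become SIEM use cases; the entropy threshold is the part to baseline first.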
