Advertisement
Check these out next
Assume Compromise
Feb. 2, 2016•0 likes•900 views
2 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Technology
The security landscape has changed such that simply focusing on preventing is no longer an effective strategy. This talk will look at the idea of Assume Breach and how detection and response to threats aligns to an attacker methodology. Demonstrations and research will highlight how organizations can achieve more finely tuned detection capabilities through threat simulation and war-game exercises.
Zach GraceFollow
Advertisement
Advertisement
Advertisement
Recommended
Hiding in plain sightRob Gillen
Hunting for APT in network logs workshop presentationOlehLevytskyi1
Extending Zeek for ICS DefenseJames Dickenson
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...Felipe Prado
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentNahidul Kibria
Assume Compromise
- BEYOND PREVENTION, ASSUME BREACH Zach Grace
- whoami /all • Lead Security Consultant at Northwestern Mutual • @MilSec Leader • OWASP Milwaukee Leader • Wisconsin CCDC Red Team member • Team member of the 2015 DerbyCon CTF champs • Twitterz: @ztgrace
- Disclaimer The opinions expressed here represent my own and not those of my employer.
- It’s not if, but when…
- ASSUME COMPROMISE • Protective technologies will fail • Shifts blue team’s focus to the Detect phase • Breach readiness as a mantra
- PROTECTION FAILS • Protection tools are often based on signatures • Preventative in nature • Examples of protective technologies: • Anti-virus • Firewalls • IDS & IPS • Web App Firewalls (WAF) • Web Proxies • Sandbox
- COMPARED TO ATTACKERS NIST CSF Identify Protect Detect Respond Recover NIST SP800-115 Discovery Gaining Access Escalating Privileges System Browsing Persistence Cyber Kill Chain (1) Recon (3) Delivery (4) Exploit (3) Delivery (4) Exploit (5) Install (6) C2
- ZoxPNG • Used technet.microsoft.com for command and control https://blogs.rsa.com/wolves-among-us-abusing-trusted-providers-malware-operations/
- DETECT ISSUES • Logging too little/much • Poor Security information and event management (SIEM) correlation • Ineffective security monitoring • Insufficient training to create use cases
- REFOCUS THE RED TEAM
- PEN TESTING/RED TEAMING ISSUES • Vulnerability focused • Reporting doesn’t help defenders • Lack of realistic threat modeling
- REPORTS • Vulnerability Focused • “How I PWN’d you” • Vague recommendations
- REPORTS BE LIKE
- BLUE TEAM NEEDS • Training partner • Indicators of Compromise (IOCs) • Attack signatures • Use cases
- Compromise Detection Containment MTD - MTC = ∆
- ∆ FORCE
- ∆ FORCE OBJECTIVES • Provide IOCs and attack signatures alongside vulns in reports • Perform threat simulations based on threat modeling • Breakdown attacks into stages • Validate detection at each stage, and assist with correlation
- PYRAMID OF PAIN http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
- HASH VALUES • Summary/signature of bytes • Fuzzy hashing
- IP ADDRESSES …the IP addresses used in an engagement
- DOMAIN NAMES …domain names used in an engagement
- NETWORK ARTIFACTS • Protocol-level artifacts • HTTP • UserAgent strings • Missing host header • DNS
- HOST ARTIFACTS • Persistence mechanisms • Command & Control (C2/C&C) • Backdoors
- REG ADD "HKLMSOFTWAREMicrosoftWindows NT CurrentVersionImage File Execution Options sethc.exe" /v Debugger /t REG_SZ /d "C:windows system32cmd.exe"
- Sticky Keys Hunter v2
- TOOLS • Binaries/scripts transferred to host • Built-in administrator tools • Built/compiled on the compromised machine
- IN-MEMORY POWERSHELL
- TACTICS, TECHNIQUES and PROCEDURES (TTPs) • Detecting and responding to adversarial behaviors • Goes beyond tool detection
- LATERAL MOVEMENT • Windows • SMB - Pass the Hash (PTH) • WMI • WinRM • Linux/OS X/Unix • SSH
- WIRESHARK CreateServiceW
- SNORT DETECTION alert tcp any any -> any 445 (msg:"psexec service created"; flow:to_server,established; content:"|FF 53 4D 42|"; dce_opnum:12; reference:url,https:// www.snort.org/faq/readme-dcerpc2; classtype:bad- unknown; sid:31337; rev:1;)
- SERVICE CREATION - 7045
- METASPLOIT SERVICE NAME
- POWERSHELL PSEXEC SERVICE Service Name: zzVSnCcgDVXwECBU Service File Name: %COMSPEC% /C echo wmic computersystem get username ^> %SYSTEMDRIVE%WINDOWS TempJvuqFpTTakgmRppQ.txt > WINDOWSTemp EtVsuSpjptOYGbwK.bat & %COMSPEC% /C start %COMSPEC% / C WINDOWSTempEtVsuSpjptOYGbwK.bat
- TIMELINE
- TIMELINE • Log all the commands • HISTTIMEFORMAT="%d/%m/%y %T “ • test "$(ps -ocommand= -p $PPID | awk '{print $1}')" == 'script' || (script -f $HOME/logs/$(date +”%d-%b-%y_%H-%M- %S")_shell.log) • Metasploit: setg PromptTimeFormat "%Y-%m-%d %I:%H:%S" setg Prompt "%T - (S: %S J: %J) " spool /root/.msf4/msfconsole.log
- TIPS FOR DEFENSE • Use pen test & red team engagements as training exercises • Ask for more than a vulnerability report (IOCs, PCAPs, logs, etc) • Sit with and learn from the red team • Rotate your testing firms or rotate your testers • Perform root cause analysis on vulnerabilities
- TIPS FOR OFFENSE • Be a sparring partner • Provide more data like IOCs, PCAPs, logs, etc. • Incorporate use cases into reports • Provide artifacts to reproduce attacks
- THANK YOU! @ztgrace https://github.com/ztgrace/presentations/tree/master/ 20160128_wctc_cyber_security_summit
Advertisement