Introduction to Adversary Evaluation Tools

Aj MaChInE
Aj MaChInE
Introduction to Adversary Evaluation Tools @uccu 2018.6.30 <ajblane0612@gmail.com> AjMaChInE
Outline - Adversary Evaluation Tools ● What ● Why ● How ● CVE-based Adervasry Emulation ● ATT&CK-Based CALDERA ● Metasploit-based Deep Exploit
Market: Endpoint Security [0] 2017, Gartner EndPoint Protection + Endpoint Detection and Respose
IThome 2018
Why Market Exists "When taken together, these issues of cost, time, personnel, training, and design have created a muddied arena where the meaning and utility of red teaming can be extensively debated, making it difficult for organizations to incorporate red teaming into their internal security procedures." [4]
Defensive security goes hand in hand with automation
modern enterprises largely rely on autonomous security software able to block and address threats without needing constant human supervision. Examples include firewalls, intrusion detection/prevention systems, network proxies, host anti-viruses, access control mechanisms, etc. While system administrators are still needed to configure, manage, and operate these suites, automation has taken much of the grunt work out, making the task of securely defending a network much easier. Automation here provides significant advances when assessing network security posture, measuring software patch levels, security controls, known threat indicators, and others with ease." [4]
Automation of defensive tools is not enough
These approaches, while successful in identifying potential vulnerabilities, fail to consider the network’s response in the face of a real-world cyber adversary. Attacks are not limited to vulnerability exploits: after the initial compromise, adversaries commonly leverage intrinsic security dependencies to strengthen and expand their footholds on a system. In these scenarios, select actions that the adversary executes may be benign by themselves – such as using internal Windows commands – but when combined or used maliciously, can cause significant damage. Adversaries often execute complex attacks that are missed by simple scanning tools; because adversaries do not always exploit vulnerabilities, their actions will often go unnoticed." [4]
The False Negative Problem for blue teams who have no idea what blue teams miss
Idea: Adversary Emulation - Pentesting and red teams is out - Automation - Improve false negative problem, But ...
[5]
[5] adversary evaluation tools 1. 在什麼樣的平台 ? 2. 在什麼情境下 ? e.g. post-compromise, exploit hosts 3. 有哪些 Tactics 與 Techniques 可使用 ? 4. 如何找到一個可行的攻擊 ? 5. Reports ?
Automated Exploit Execution V.S. Automated Red Teaming "More interesting than automated exploit execution is the general automated red teaming problem – here, the task is not to execute a single exploit (interfacing with an operator or not), but rather to conduct a lengthy, in-depth analysis of the security of the network via real-world testing, exposing the intrinsic security dependencies of the target system" [4]
Adversary Emulation Tools ● CALDERA ● Metta ● APT Simulator ● Red Team Automation ● Invoke-Adversary ● Atomic Red Team ● Infection Monkey ● Blue Team Training Toolkit (BT3) ● DumpsterFire AutoTTP ● ... [6]
1. 在什麼樣的平台 ? 2. 在什麼情境下 ? e.g.: post-compromise, exploit hosts 3. 有哪些 Tactics 與 Techniques 可使用 ? 4. 如何找到一個可行的攻擊 ? 5. Reports ?
adversary evaluation tools 1. 在什麼樣的平台 ? 2. 在什麼情境下 ? e.g. post-compromise, exploit hosts 3. 有哪些 Tactics 與 Techniques 可使用 ? 4. 如何找到一個可行的攻擊 ? 5. Reports ? https://attack.mitre.org/wiki/Main_Page or Metasploit or CVE
powershell_args.py in Red Team Automation [1] E.G. Let’s Quickly Map these Generic Tactics to the ATT&CK™ matrix (techniques)
1. 在什麼樣的平台 ? 2. 在什麼情境下 ? e.g. post-compromise, exploit hosts 3. 有哪些 Tactics 與 Techniques 可使用 ? 4. 如何找到一個可行的攻擊 ? 5. Reports logic and decision engine
Finite State Machie(FSM) to Implement Logic and Decision Engine ● Need to be explicitly told what to do ● Hard to extend to new techniques (software engineer view) ● Action needs to be coded into FSM ● FSM logic needs to be recomputed ● Inflexible in operation; hard to configure
FSM
FSM?
Reports – E.G. Attack Graph 1. 在什麼樣的平台 ? 2. 在什麼情境下 ? e.g. post-compromise, exploit hosts 3. 有哪些 Tactics 與 Techniques 可使用 ? 4. 如何找到一個可行的攻擊 ? 5. Reports Host Exploit Technique
Reports – E.G. CALDERD
Adversary Emulation Tools ● CALDERA ● Metta ● APT Simulator ● Red Team Automation ● Invoke-Adversary ● Atomic Red Team ● Infection Monkey ● Blue Team Training Toolkit (BT3) ● DumpsterFire AutoTTP ● ... [6] 實作上不完整
Implementation Reference ● CVE-based Adervasry Emulation [7] ● ATT&CK-Based CALDERA [5] ● Metasploit-based Deep Exploit [3] ● ...
CVE-based Adervasry Emulation [7]
Reducing Action Arsenal [7] critical action critical action
ATT&CK-Based CALDERA – The Targeted Platform [5]
ATT&CK-Based CALDERA - Designing an Adversary Decision Engine - Example Scenario [5] action
ATT&CK-Based CALDERA - Designing an Adversary Decision Engine - Example Scenario [5]
ATT&CK-Based CALDERA - Designing an Adversary Decision Engine new actions choose actions (planner.py) data model Finite State Machine
ATT&CK-Based CALDERA - Designing an Adversary Decision Engine – Data Model operation.py objects.py
ATT&CK-Based CALDERA - Designing an Adversary Decision Engine – Declaring Actions operation_steps.py
ATT&CK-Based CALDERA - Designing an Adversary Decision Engine – Declaring Actions operation_steps.py
ATT&CK-Based CALDERA - Designing an Adversary Decision Engine – Heuristic [5]?
ATT&CK-Based CALDERA - Designing an Adversary Decision Engine – Planning Algorithm
Emulation (world.py) functions in new environments? In reality – handling uncertainty is a very hard problem Your environment
Dijkstra Turing Test++ (uncertainty) [10] Assumptions: Known network graph Known host configurations Static network Monotonic actions (Partially Observable Markov Decision Process: 部分可觀察馬可 夫決策過程 ) POMDP model * action 給機率是否成功
e.g. Metasploit-based Deep Exploit Adversary simulation Tools * Design a model of the system at hand * Use model-based attack planning to generate the attacks
[3]
similar to Caldera's data model similar to Caldera's actions
GyoiThon [3]
Reference ● [0] 2017, Putting the P, D, & R back into Endpoint Protection Detection and Response ● [1] 2018, Introducing Endgame Red Team Automation ● [2] 2018, Metasploit Meets Machine Learning ● [3] 2018, GyoiThon/ Deep Expoloit ● [4] 2016, MITRE, Intelligent, automated red team emulation ● [5] 2017, blackhat, The MITRE Corporation, CALDERA Automating Adversary Emulation ● [6] 2018, List of Adversary Emulation Tools ● [7] 2009, Tools for Generating and Analyzing Attack Graphs
Reference ● [8] "Adding New Adversary Techniques", caldera/docs/add_technique.rst ● [9] Getting CALDERA to do What You Want, caldera/docs/getting_to_do.rst ● [10] 2015, Simulated Penetration Testing: From "Dijkstra" to "Turing Test++"
1 of 45

Introduction to Adversary Evaluation Tools

Download to read offline
Education

對於設計防禦產品來說,Adversary Evaluation Tools可以設計某環境下自動化產生出攻擊計畫並且告訴你攻擊細節,你可以針對這些細節做出相對應的防禦措施,而證實對抗哪一個攻擊。Adversary Evaluation Tools可以解決防禦產品的false negative problem。

Aj MaChInE
Aj MaChInE

Recommended

[RAT資安小聚] Study on Automatically Evading Malware Detection by
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware DetectionAj MaChInE
795 views71 slides
A study on NetSpectre by
A study on NetSpectreA study on NetSpectre
A study on NetSpectreAj MaChInE
211 views27 slides
Defending The Castle Rwsp by
Defending The Castle RwspDefending The Castle Rwsp
Defending The Castle Rwspjmoquendo
1.2K views21 slides
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation... by
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...Priyanka Aash
482 views55 slides
Cyber_Attack_Forecasting_Jones_2015 by
Cyber_Attack_Forecasting_Jones_2015Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015Malachi Jones
946 views27 slides
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In... by
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat Security Conference
1.1K views58 slides

More Related Content

What's hot

BlueHat v18 || Improving security posture through increased agility with meas... by
BlueHat v18 || Improving security posture through increased agility with meas...BlueHat v18 || Improving security posture through increased agility with meas...
BlueHat v18 || Improving security posture through increased agility with meas...BlueHat Security Conference
234 views32 slides
Paranoia 2018: A Process is No One by
Paranoia 2018: A Process is No OneParanoia 2018: A Process is No One
Paranoia 2018: A Process is No OneJared Atkinson
539 views63 slides
The Lambda Defense Functional Paradigms for Cyber Security by
The Lambda Defense Functional Paradigms for Cyber SecurityThe Lambda Defense Functional Paradigms for Cyber Security
The Lambda Defense Functional Paradigms for Cyber SecurityRod Soto
698 views11 slides
Automating Analysis and Exploitation of Embedded Device Firmware by
Automating Analysis and Exploitation of Embedded Device FirmwareAutomating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device FirmwareMalachi Jones
554 views55 slides
The Heatmap
 - Why is Security Visualization so Hard? by
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?Raffael Marty
2.5K views74 slides
Virtual Machine Introspection - Future of the Cloud by
Virtual Machine Introspection - Future of the CloudVirtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the CloudTjylen Veselyj
4.5K views49 slides

What's hot(20)

BlueHat v18 || Improving security posture through increased agility with meas... by BlueHat Security Conference
BlueHat v18 || Improving security posture through increased agility with meas...BlueHat v18 || Improving security posture through increased agility with meas...
BlueHat v18 || Improving security posture through increased agility with meas...
BlueHat Security Conference234 views
Paranoia 2018: A Process is No One by Jared Atkinson
Paranoia 2018: A Process is No OneParanoia 2018: A Process is No One
Paranoia 2018: A Process is No One
Jared Atkinson539 views
The Lambda Defense Functional Paradigms for Cyber Security by Rod Soto
The Lambda Defense Functional Paradigms for Cyber SecurityThe Lambda Defense Functional Paradigms for Cyber Security
The Lambda Defense Functional Paradigms for Cyber Security
Rod Soto698 views
Automating Analysis and Exploitation of Embedded Device Firmware by Malachi Jones
Automating Analysis and Exploitation of Embedded Device FirmwareAutomating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device Firmware
Malachi Jones554 views
The Heatmap
 - Why is Security Visualization so Hard? by Raffael Marty
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
Raffael Marty2.5K views
Virtual Machine Introspection - Future of the Cloud by Tjylen Veselyj
Virtual Machine Introspection - Future of the CloudVirtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the Cloud
Tjylen Veselyj4.5K views
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt... by BlueHat Security Conference
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat Security Conference1.1K views
RSA 2006 - Visual Security Event Analysis by Raffael Marty
RSA 2006 - Visual Security Event AnalysisRSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event Analysis
Raffael Marty1.8K views
Careful Packing by Flavio Toffalini
Careful PackingCareful Packing
Careful Packing
Flavio Toffalini68 views
Spectre & Meltdown by Murray Security Services
Spectre & MeltdownSpectre & Meltdown
Spectre & Meltdown
Murray Security Services2.6K views
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware by Lastline, Inc.
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareUsing Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Lastline, Inc.1.5K views
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca... by MITRE - ATT&CKcon
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE - ATT&CKcon2K views
Applying Provenance in APT Monitoring and Analysis Practical Challenges for S... by Graeme Jenkinson
Applying Provenance in APT Monitoring and Analysis Practical Challenges for S...Applying Provenance in APT Monitoring and Analysis Practical Challenges for S...
Applying Provenance in APT Monitoring and Analysis Practical Challenges for S...
Graeme Jenkinson110 views
The Heatmap
 - Why is Security Visualization so Hard? by Raffael Marty
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
Raffael Marty8K views
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in... by a001
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
a001206 views
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin... by Malachi Jones
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Malachi Jones1.1K views
Mitigating Java Deserialization attacks from within the JVM by Apostolos Giannakidis
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVM
Apostolos Giannakidis362 views
Cloud Security with LibVMI by Tamas K Lengyel
Cloud Security with LibVMICloud Security with LibVMI
Cloud Security with LibVMI
Tamas K Lengyel3.4K views
SAST and Application Security: how to fight vulnerabilities in the code by Andrey Karpov
SAST and Application Security: how to fight vulnerabilities in the codeSAST and Application Security: how to fight vulnerabilities in the code
SAST and Application Security: how to fight vulnerabilities in the code
Andrey Karpov344 views
Code review for secure web applications by silviad74
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applications
silviad742.2K views

Similar to Introduction to Adversary Evaluation Tools

Adversary Emulation using CALDERA by
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
7.8K views56 slides
Exploits Attack on Windows Vulnerabilities by
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesAmit Kumbhar
594 views44 slides
how-to-bypass-AM-PPL by
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
304 views46 slides
IRJET- A Study on Penetration Testing using Metasploit Framework by
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET Journal
16 views8 slides
Penetration testing using metasploit framework by
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit frameworkPawanKesharwani
89 views8 slides
Adversary Emulation using CALDERA by
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
1.4K views45 slides

Similar to Introduction to Adversary Evaluation Tools(20)

Adversary Emulation using CALDERA by Erik Van Buggenhout
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
Erik Van Buggenhout7.8K views
Exploits Attack on Windows Vulnerabilities by Amit Kumbhar
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
Amit Kumbhar594 views
how-to-bypass-AM-PPL by nitinscribd
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
nitinscribd304 views
IRJET- A Study on Penetration Testing using Metasploit Framework by IRJET Journal
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET Journal16 views
Penetration testing using metasploit framework by PawanKesharwani
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit framework
PawanKesharwani89 views
Adversary Emulation using CALDERA by Erik Van Buggenhout
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
Erik Van Buggenhout1.4K views
Integris Security - Hacking With Glue ℠ by Integris Security LLC
Integris Security - Hacking With Glue ℠Integris Security - Hacking With Glue ℠
Integris Security - Hacking With Glue ℠
Integris Security LLC1.2K views
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team... by Marcin Ludwiszewski
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
Marcin Ludwiszewski35 views
The Diabolical Developers Guide to Performance Tuning by jClarity
The Diabolical Developers Guide to Performance TuningThe Diabolical Developers Guide to Performance Tuning
The Diabolical Developers Guide to Performance Tuning
jClarity359 views
Up is Down, Black is White: Using SCCM for Wrong and Right by enigma0x3
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Right
enigma0x36.5K views
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf by Gabriel Mathenge
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
Gabriel Mathenge207 views
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def... by Chris Gates
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Chris Gates2.8K views
How to build a proper software staging environment for testing by TestCampRO
How to build a proper software staging environment for testing How to build a proper software staging environment for testing
How to build a proper software staging environment for testing
TestCampRO1.5K views
Breach and attack simulation tools by Bangladesh Network Operators Group
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
Bangladesh Network Operators Group4.3K views
Agile Development in Aerospace and Defense by Jim Nickel
Agile Development in Aerospace and DefenseAgile Development in Aerospace and Defense
Agile Development in Aerospace and Defense
Jim Nickel139 views
Machine programming by DESMOND YUEN
Machine programmingMachine programming
Machine programming
DESMOND YUEN53 views
Mind the gap - Troopers 2016 by Casey Smith
Mind the gap - Troopers 2016Mind the gap - Troopers 2016
Mind the gap - Troopers 2016
Casey Smith2.9K views
Highly dependable automotive software by Alan Tatourian
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive software
Alan Tatourian254 views
Testing Autonomous Cars for Feature Interaction Failures using Many-Objective... by Lionel Briand
Testing Autonomous Cars for Feature Interaction Failures using Many-Objective...Testing Autonomous Cars for Feature Interaction Failures using Many-Objective...
Testing Autonomous Cars for Feature Interaction Failures using Many-Objective...
Lionel Briand136 views
How to measure your security response readiness? by Tomasz Jakubowski
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
Tomasz Jakubowski130 views

More from Aj MaChInE

An Intro on Data-oriented Attacks by
An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented AttacksAj MaChInE
301 views18 slides
A Study on .NET Framework for Red Team - Part I by
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IAj MaChInE
493 views28 slides
[若渴] A preliminary study on attacks against consensus in bitcoin by
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoinAj MaChInE
345 views46 slides
[若渴] Preliminary Study on Design and Exploitation of Trustzone by
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of TrustzoneAj MaChInE
281 views25 slides
[若渴]Study on Side Channel Attacks and Countermeasures by
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures Aj MaChInE
858 views60 slides
[若渴計畫] Challenges and Solutions of Window Remote Shellcode by
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
981 views39 slides

More from Aj MaChInE(17)

An Intro on Data-oriented Attacks by Aj MaChInE
An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented Attacks
Aj MaChInE301 views
A Study on .NET Framework for Red Team - Part I by Aj MaChInE
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part I
Aj MaChInE493 views
[若渴] A preliminary study on attacks against consensus in bitcoin by Aj MaChInE
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin
Aj MaChInE345 views
[若渴] Preliminary Study on Design and Exploitation of Trustzone by Aj MaChInE
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone
Aj MaChInE281 views
[若渴]Study on Side Channel Attacks and Countermeasures by Aj MaChInE
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures
Aj MaChInE858 views
[若渴計畫] Challenges and Solutions of Window Remote Shellcode by Aj MaChInE
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE981 views
[若渴計畫] Introduction: Formal Verification for Code by Aj MaChInE
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code
Aj MaChInE718 views
[若渴計畫] Studying ASLR^cache by Aj MaChInE
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache
Aj MaChInE430 views
[若渴計畫] Black Hat 2017之過去閱讀相關整理 by Aj MaChInE
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
Aj MaChInE434 views
[若渴計畫] Studying Concurrency by Aj MaChInE
[若渴計畫] Studying Concurrency[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency
Aj MaChInE4K views
閱讀文章分享@若渴 2016.1.24 by Aj MaChInE
閱讀文章分享@若渴 2016.1.24閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24
Aj MaChInE1.3K views
[若渴計畫2015.8.18] SMACK by Aj MaChInE
[若渴計畫2015.8.18] SMACK[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK
Aj MaChInE1.2K views
[SITCON2015] 自己的異質多核心平台自己幹 by Aj MaChInE
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹
Aj MaChInE2.6K views
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU by Aj MaChInE
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
Aj MaChInE1.3K views
[若渴計畫]由GPU硬體概念到coding CUDA by Aj MaChInE
[若渴計畫]由GPU硬體概念到coding CUDA[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA
Aj MaChInE4.8K views
[若渴計畫]64-bit Linux Return-Oriented Programming by Aj MaChInE
[若渴計畫]64-bit Linux Return-Oriented Programming[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming
Aj MaChInE2.2K views
[MOSUT] Format String Attacks by Aj MaChInE
[MOSUT] Format String Attacks[MOSUT] Format String Attacks
[MOSUT] Format String Attacks
Aj MaChInE2.6K views

Recently uploaded

Psychology KS5 by
Psychology KS5Psychology KS5
Psychology KS5WestHatch
93 views5 slides
The Open Access Community Framework (OACF) 2023 (1).pptx by
The Open Access Community Framework (OACF) 2023 (1).pptxThe Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptxJisc
110 views7 slides
MIXING OF PHARMACEUTICALS.pptx by
MIXING OF PHARMACEUTICALS.pptxMIXING OF PHARMACEUTICALS.pptx
MIXING OF PHARMACEUTICALS.pptxAnupkumar Sharma
77 views35 slides
Solar System and Galaxies.pptx by
Solar System and Galaxies.pptxSolar System and Galaxies.pptx
Solar System and Galaxies.pptxDrHafizKosar
91 views26 slides
Google solution challenge..pptx by
Google solution challenge..pptxGoogle solution challenge..pptx
Google solution challenge..pptxChitreshGyanani1
131 views18 slides
Classification of crude drugs.pptx by
Classification of crude drugs.pptxClassification of crude drugs.pptx
Classification of crude drugs.pptxGayatriPatra14
86 views13 slides

Recently uploaded(20)

Psychology KS5 by WestHatch
Psychology KS5Psychology KS5
Psychology KS5
WestHatch93 views
The Open Access Community Framework (OACF) 2023 (1).pptx by Jisc
The Open Access Community Framework (OACF) 2023 (1).pptxThe Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptx
Jisc110 views
MIXING OF PHARMACEUTICALS.pptx by Anupkumar Sharma
MIXING OF PHARMACEUTICALS.pptxMIXING OF PHARMACEUTICALS.pptx
MIXING OF PHARMACEUTICALS.pptx
Anupkumar Sharma77 views
Solar System and Galaxies.pptx by DrHafizKosar
Solar System and Galaxies.pptxSolar System and Galaxies.pptx
Solar System and Galaxies.pptx
DrHafizKosar91 views
Google solution challenge..pptx by ChitreshGyanani1
Google solution challenge..pptxGoogle solution challenge..pptx
Google solution challenge..pptx
ChitreshGyanani1131 views
Classification of crude drugs.pptx by GayatriPatra14
Classification of crude drugs.pptxClassification of crude drugs.pptx
Classification of crude drugs.pptx
GayatriPatra1486 views
Narration ppt.pptx by TARIQ KHAN
Narration ppt.pptxNarration ppt.pptx
Narration ppt.pptx
TARIQ KHAN135 views
Gopal Chakraborty Memorial Quiz 2.0 Prelims.pptx by Debapriya Chakraborty
Gopal Chakraborty Memorial Quiz 2.0 Prelims.pptxGopal Chakraborty Memorial Quiz 2.0 Prelims.pptx
Gopal Chakraborty Memorial Quiz 2.0 Prelims.pptx
Debapriya Chakraborty655 views
ICS3211_lecture 08_2023.pdf by Vanessa Camilleri
ICS3211_lecture 08_2023.pdfICS3211_lecture 08_2023.pdf
ICS3211_lecture 08_2023.pdf
Vanessa Camilleri149 views
Dance KS5 Breakdown by WestHatch
Dance KS5 BreakdownDance KS5 Breakdown
Dance KS5 Breakdown
WestHatch79 views
The Accursed House by Émile Gaboriau by DivyaSheta
The Accursed House by Émile GaboriauThe Accursed House by Émile Gaboriau
The Accursed House by Émile Gaboriau
DivyaSheta201 views
Create a Structure in VBNet.pptx by Breach_P
Create a Structure in VBNet.pptxCreate a Structure in VBNet.pptx
Create a Structure in VBNet.pptx
Breach_P75 views
UWP OA Week Presentation (1).pptx by Jisc
UWP OA Week Presentation (1).pptxUWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptx
Jisc88 views
2022 CAPE Merit List 2023 by Caribbean Examinations Council
2022 CAPE Merit List 2023 2022 CAPE Merit List 2023
2022 CAPE Merit List 2023
Caribbean Examinations Council5K views
ACTIVITY BOOK key water sports.pptx by Mar Caston Palacio
ACTIVITY BOOK key water sports.pptxACTIVITY BOOK key water sports.pptx
ACTIVITY BOOK key water sports.pptx
Mar Caston Palacio605 views
Psychology KS4 by WestHatch
Psychology KS4Psychology KS4
Psychology KS4
WestHatch84 views
Scope of Biochemistry.pptx by shoba shoba
Scope of Biochemistry.pptxScope of Biochemistry.pptx
Scope of Biochemistry.pptx
shoba shoba133 views
REPRESENTATION - GAUNTLET.pptx by iammrhaywood
REPRESENTATION - GAUNTLET.pptxREPRESENTATION - GAUNTLET.pptx
REPRESENTATION - GAUNTLET.pptx
iammrhaywood100 views
AUDIENCE - BANDURA.pptx by iammrhaywood
AUDIENCE - BANDURA.pptxAUDIENCE - BANDURA.pptx
AUDIENCE - BANDURA.pptx
iammrhaywood84 views
Structure and Functions of Cell.pdf by Nithya Murugan
Structure and Functions of Cell.pdfStructure and Functions of Cell.pdf
Structure and Functions of Cell.pdf
Nithya Murugan545 views

Introduction to Adversary Evaluation Tools

  • 1. Introduction to Adversary Evaluation Tools @uccu 2018.6.30 <ajblane0612@gmail.com> AjMaChInE
  • 2. Outline - Adversary Evaluation Tools ● What ● Why ● How ● CVE-based Adervasry Emulation ● ATT&CK-Based CALDERA ● Metasploit-based Deep Exploit
  • 3. Market: Endpoint Security [0] 2017, Gartner EndPoint Protection + Endpoint Detection and Respose
  • 5. Why Market Exists "When taken together, these issues of cost, time, personnel, training, and design have created a muddied arena where the meaning and utility of red teaming can be extensively debated, making it difficult for organizations to incorporate red teaming into their internal security procedures." [4]
  • 6. Defensive security goes hand in hand with automation
  • 7. modern enterprises largely rely on autonomous security software able to block and address threats without needing constant human supervision. Examples include firewalls, intrusion detection/prevention systems, network proxies, host anti-viruses, access control mechanisms, etc. While system administrators are still needed to configure, manage, and operate these suites, automation has taken much of the grunt work out, making the task of securely defending a network much easier. Automation here provides significant advances when assessing network security posture, measuring software patch levels, security controls, known threat indicators, and others with ease." [4]
  • 9. These approaches, while successful in identifying potential vulnerabilities, fail to consider the network’s response in the face of a real-world cyber adversary. Attacks are not limited to vulnerability exploits: after the initial compromise, adversaries commonly leverage intrinsic security dependencies to strengthen and expand their footholds on a system. In these scenarios, select actions that the adversary executes may be benign by themselves – such as using internal Windows commands – but when combined or used maliciously, can cause significant damage. Adversaries often execute complex attacks that are missed by simple scanning tools; because adversaries do not always exploit vulnerabilities, their actions will often go unnoticed." [4]
  • 10. The False Negative Problem for blue teams who have no idea what blue teams miss
  • 11. Idea: Adversary Emulation - Pentesting and red teams is out - Automation - Improve false negative problem, But ...
  • 12. [5]
  • 13. [5] adversary evaluation tools 1. 在什麼樣的平台 ? 2. 在什麼情境下 ? e.g. post-compromise, exploit hosts 3. 有哪些 Tactics 與 Techniques 可使用 ? 4. 如何找到一個可行的攻擊 ? 5. Reports ?
  • 14. Automated Exploit Execution V.S. Automated Red Teaming "More interesting than automated exploit execution is the general automated red teaming problem – here, the task is not to execute a single exploit (interfacing with an operator or not), but rather to conduct a lengthy, in-depth analysis of the security of the network via real-world testing, exposing the intrinsic security dependencies of the target system" [4]
  • 15. Adversary Emulation Tools ● CALDERA ● Metta ● APT Simulator ● Red Team Automation ● Invoke-Adversary ● Atomic Red Team ● Infection Monkey ● Blue Team Training Toolkit (BT3) ● DumpsterFire AutoTTP ● ... [6]
  • 16. 1. 在什麼樣的平台 ? 2. 在什麼情境下 ? e.g.: post-compromise, exploit hosts 3. 有哪些 Tactics 與 Techniques 可使用 ? 4. 如何找到一個可行的攻擊 ? 5. Reports ?
  • 17. adversary evaluation tools 1. 在什麼樣的平台 ? 2. 在什麼情境下 ? e.g. post-compromise, exploit hosts 3. 有哪些 Tactics 與 Techniques 可使用 ? 4. 如何找到一個可行的攻擊 ? 5. Reports ? https://attack.mitre.org/wiki/Main_Page or Metasploit or CVE
  • 18. powershell_args.py in Red Team Automation [1] E.G. Let’s Quickly Map these Generic Tactics to the ATT&CK™ matrix (techniques)
  • 19. 1. 在什麼樣的平台 ? 2. 在什麼情境下 ? e.g. post-compromise, exploit hosts 3. 有哪些 Tactics 與 Techniques 可使用 ? 4. 如何找到一個可行的攻擊 ? 5. Reports logic and decision engine
  • 20. Finite State Machie(FSM) to Implement Logic and Decision Engine ● Need to be explicitly told what to do ● Hard to extend to new techniques (software engineer view) ● Action needs to be coded into FSM ● FSM logic needs to be recomputed ● Inflexible in operation; hard to configure
  • 21. FSM
  • 22. FSM?
  • 23. Reports – E.G. Attack Graph 1. 在什麼樣的平台 ? 2. 在什麼情境下 ? e.g. post-compromise, exploit hosts 3. 有哪些 Tactics 與 Techniques 可使用 ? 4. 如何找到一個可行的攻擊 ? 5. Reports Host Exploit Technique
  • 24. Reports – E.G. CALDERD
  • 25. Adversary Emulation Tools ● CALDERA ● Metta ● APT Simulator ● Red Team Automation ● Invoke-Adversary ● Atomic Red Team ● Infection Monkey ● Blue Team Training Toolkit (BT3) ● DumpsterFire AutoTTP ● ... [6] 實作上不完整
  • 26. Implementation Reference ● CVE-based Adervasry Emulation [7] ● ATT&CK-Based CALDERA [5] ● Metasploit-based Deep Exploit [3] ● ...
  • 28. Reducing Action Arsenal [7] critical action critical action
  • 29. ATT&CK-Based CALDERA – The Targeted Platform [5]
  • 30. ATT&CK-Based CALDERA - Designing an Adversary Decision Engine - Example Scenario [5] action
  • 31. ATT&CK-Based CALDERA - Designing an Adversary Decision Engine - Example Scenario [5]
  • 32. ATT&CK-Based CALDERA - Designing an Adversary Decision Engine new actions choose actions (planner.py) data model Finite State Machine
  • 33. ATT&CK-Based CALDERA - Designing an Adversary Decision Engine – Data Model operation.py objects.py
  • 34. ATT&CK-Based CALDERA - Designing an Adversary Decision Engine – Declaring Actions operation_steps.py
  • 35. ATT&CK-Based CALDERA - Designing an Adversary Decision Engine – Declaring Actions operation_steps.py
  • 36. ATT&CK-Based CALDERA - Designing an Adversary Decision Engine – Heuristic [5]?
  • 37. ATT&CK-Based CALDERA - Designing an Adversary Decision Engine – Planning Algorithm
  • 38. Emulation (world.py) functions in new environments? In reality – handling uncertainty is a very hard problem Your environment
  • 39. Dijkstra Turing Test++ (uncertainty) [10] Assumptions: Known network graph Known host configurations Static network Monotonic actions (Partially Observable Markov Decision Process: 部分可觀察馬可 夫決策過程 ) POMDP model * action 給機率是否成功
  • 40. e.g. Metasploit-based Deep Exploit Adversary simulation Tools * Design a model of the system at hand * Use model-based attack planning to generate the attacks
  • 41. [3]
  • 42. similar to Caldera's data model similar to Caldera's actions
  • 44. Reference ● [0] 2017, Putting the P, D, & R back into Endpoint Protection Detection and Response ● [1] 2018, Introducing Endgame Red Team Automation ● [2] 2018, Metasploit Meets Machine Learning ● [3] 2018, GyoiThon/ Deep Expoloit ● [4] 2016, MITRE, Intelligent, automated red team emulation ● [5] 2017, blackhat, The MITRE Corporation, CALDERA Automating Adversary Emulation ● [6] 2018, List of Adversary Emulation Tools ● [7] 2009, Tools for Generating and Analyzing Attack Graphs
  • 45. Reference ● [8] "Adding New Adversary Techniques", caldera/docs/add_technique.rst ● [9] Getting CALDERA to do What You Want, caldera/docs/getting_to_do.rst ● [10] 2015, Simulated Penetration Testing: From "Dijkstra" to "Turing Test++"