Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013

Given at BSides Jackson 2013

  • LDN (La DoSa Nostra) - collective
  • Tell pentest story
  • Goals: patching, system hardening, uptime, initial incident response
  • Slide stolen from @jwgoerlich. Exactly what we're going to talk about. Avoid the easy pentest; it provides 0 value.
  • Who is the blue team? Sysadmins, network admins, SIEM analysts, etc.
  • Detective: catch attackers in action. Preventative: stop attackers. Corrective: raise the costs by disrupting or distracting the attackers.
  • Linux attacks against Windows servers (at $client1) as an example of corrective. They didn't expect the Windows part.
  • Quickly identify, within a few hours, evidence of a potential compromise
  • $client1 story here
  • High business risk, high financial risk, possibly high professional risk
  • Advantage here is minimal risk; gives you a measure of control
  • Replicate behavior of trojan. The idea is to stop the behavior, not just the installation.
  • Instead of conflicting objectives, realize both teams serve to further the same objective. The ongoing quagmire between red and blue makes us forget what our true goal is.
  • Instead of conflicting objectives, realize both teams serve to further the same objective
  • The idea is to drill down from possible scenarios to the most likely and test it.
  • Fortress that needs protection, like a chocolate-coated candy - jwgoerlich
  • Notice how all the actions (Document/Develop) happen last
  • Alert: wall of text
  • Stakeholders gather and talk about the path and response
  • Explain proactive (i.e. alerting)
  • By this time you should have 6 attack paths, 3 tabletops, 1 exercise. Now we'll walk through the attack and how we exercised it, optimized where possible.
  • Walk through it myself each time
  • Created fake user with typical permissions
  • ARP cache, Trustwave Responder, Windows trust relationships
  • Locate areas that will assist in achieving objectives. No prevention, nothing done with detection.
  • Locate areas that will assist in achieving objectives. There was no detection or prevention.
  • Unexpected benefit was noticing lots of Dropbox traffic, a problem within the company. This is the point of exercises: test knowns, discover unknowns.
  • We could add application whitelisting, which would give us stage 4 protection
  • Not going to talk too much about this; it has been done ad nauseam
  • These are words your boss loves to hear. In other words, how does this help the business? The Imgur link is Pixar's 22 criteria to a story.

    1. Seeing Purple: Hybrid security teams for the Enterprise (@jwgoerlich)
    2. Me: Security consultant with VioPoint. La DoSa Nostra. #misec. Twitter @b31tf4c3. Freenode (#misec / #burbsec / #ladosanostra): Beltface.
    3. The ONE thing: Productivity book. The ONE thing your organization does/has. Protect and build off that. Avoid the easy pentest.
    4. The Client: $client0 – company in the energy sector. $client1 – company in the financial sector.
    5. A Cascade of Pebbles: Talk by Josh Little – BSides Detroit 2013. Performed pentest at $client0. Leveraged that scenario to create a program at $client1.
    6. "My idea of hacking is taking the tactics, techniques, and procedures that different threats are using today …
    7. … using them against our organizations, when they have a mature program, to understand how our controls stand up when exercised by a sophisticated thinking adversary." -- Raphael Mudge, Armitage and Cobalt Strike, BSides Detroit 2013 Podcast
    8. Detect, Prevent, Correct
    9. Detect, Prevent, Correct: Detect – catch attackers in action (SIEM). Prevent – stop attackers (vulnerability management). Correct – raise the costs by disrupting or distracting the attackers (e.g. honeypots).
    10. Blue Team - Detect: SIEM – Security Incident and Event Monitoring. Pool log sources and analyze logs and flows.
    11. Blue Team - Prevent: VM program. Gives visibility into system preparedness. Helps with patching schedule. Identifies most critical hosts.
    12. Blue Team - Correct
    13. Red Team - Assessment: Pentesting. Required as part of audits. We break it, you fix it. Higher risk. How do you know remediation is working if it's never been tested?
    14. Red Team - Exercise: Select a specific stage in the attack path. Assume all prior controls have failed. Test preventative, detective, corrective. Test both the controls and the response. Minimal risk.
    15. Example: Stage 4 – Persistence. Popping the Penguin – SecTor 2013. No 1337 hax needed.
    16. Assessment v. Exercise. Exercise: use real techniques, use real objectives, model a real attack, test specific controls. Assessment: use real techniques, use real objectives, execute an actual attack, test overall posture.
    17. Purple Team
    18. Purple Team: Take knowledge of your security (Blue). Take knowledge of your weaknesses (Red). Combine to find what's most valuable to you (Purple).
    19. Purple Teams: Not necessarily just the red and blue teams; requires a total picture involving all areas of the organization.
    20. From this
    21. To this
    22. The Goal: Create scenarios. Identify how you would protect yourself. Test the scenario. Test your environment.
    23. Proactive Protection: 1. Threat modeling – bi-weekly. 2. Tabletop exercises – monthly. 3. Red team exercises – quarterly. 4. Red team assessments – yearly.
    24. Our Infrastructure
    25. Threat modeling: Least amount of T/E. One model bi-weekly. Build a portfolio of potential attacks.
    26. Choosing a model: SDLC threat model - Microsoft. Cyber Kill Chains of Doom ™ - Lockheed Martin (r), (tm), (etc). Attack Paths - #misec.
    27. Attack path (@jwgoerlich)
    28. Start with why: TED Talk, Simon Sinek: How great leaders inspire action. Why, How, What.
    29. Why? Why this model? Free, open, I'm biased (#misec). Why will $badguy target us (the ONE thing)? $client0 – access control systems. $client1 – sensitive financial data.
    30. Do what is right for you. But do something.
    31. How? How will the attacker realize their objective? - Attack path $badguy took through the network.
    32. What? What can we do to prevent this attack? - Document controls. What can we do to be ready? - Develop test cases.
    33. Attack Paths: 1. External reconnaissance. 2. Initial breach. 3. Escalate privileges. 4. Persistence. 5. Internal reconnaissance. 6. Lateral breach. 7. Maintain presence. 8. Achieve objective.
    34. Initial generation: Start with step 8. Identify the ONE thing. Work backwards.
    35. A blank slate
    36. Attack Path
    37. Attack Path. Goal: obtain sensitive, proprietary information. 1. External reconnaissance – attacker will perform OSINT on the company to identify targets. 2. Initial breach – attacker will have a specially crafted site for the user to access, containing either an infected document or a place for entry of credentials. 3. Escalate privileges – attacker will attempt to add a specially crafted user to a group / recover hashes through trust relationships/Responder. 4. Persistence – attacker will attempt to maintain his or her presence by installing malware. 5. Internal reconnaissance – attacker will attempt to enumerate the internal infrastructure in an attempt to identify more targets that will lead him or her to their goal. 8. Achieve objective – the attacker dumps the data and exfiltrates it via cloud service.
    38. Tabletop
    39. Tabletop: Slightly more expensive than modeling. Using the more likely of two models, stakeholders gather. Should be performed monthly.
    40. Tabletop Exercise: Started with table. Gathered $client1's stakeholders. Went over attack path used at $client0. Went over potential responses.
    41. As simple as SMTP: Email was sent out to $client0. User credentials were compromised. No detection. Allowed total compromise.
    42. $client1: Results. There were no proactive detective capabilities. 1 preventative control.
    43. $client1: Results
    44. $client1: Corrective Actions. Security Onion installed, configured, and analyzed. VM program re-configured.
    45. Exercises
    46. Example: Persistence - Stage 4. Tested ability to connect out and ability to detect. Minimal risk to infrastructure.
    47. Exercises: More expensive than tabletop. Use the most likely of three scenarios. Should be performed quarterly.
    48. $client0: Stage 1 – External Recon. OSINT was used to enumerate the following information about $client0: email addresses, travel agency, key players.
    49. $client1: Stage 1 – External Recon. In order to save time, we assumed failure at this level. Assumed email was sent and opened.
    50. $client0: Stage 2 – Initial Breach. Email sent out, directed to fake login page. Credentials recorded to database. Credentials used to access VPN.
    51. $client1: Stage 2 – Initial Breach. Visited unique URL on test box. User was able to RDP into box. Having local admin, was able to create another user.
    52. $client0: Stage 3 – Escalate Privileges. Escalation unneeded. User had sufficient privileges to achieve objective.
    53. $client1: Stage 3 – Escalate Privileges. Assumed failure at this point in the interest of time. Multiple exploitation methods assumed to work. Remediation currently in the works to create a Kerberos-only environment.
    54. $client0: Stage 4 - Persistence. Installed multiple Core agents. Used this to obfuscate origin.
    55. $client1: Stage 4 - Persistence. Showed ability to install software; in this case, we installed Zenmap. Used this to enable stage 5 testing.
    56. $client0: Stage 5 – Internal Recon. Very little protection. Enumeration was caught by SIEM using flows. No follow-up.
    57. $client1: Stage 5 – Internal Recon. Attempted to scan internal hosts, looking for file shares or other repositories. Showed ability to enumerate network.
    58. $client0: Stage 8 – Achieve Objective. Goal: persistent access to critical control systems. Access was obtained. Length of engagement: 21 days. Length of time in network: 21 days.
    59. $client1: Stage 8 – Achieve Objective. Goal: ability to exfiltrate data through cloud service. Cloud services were successfully reached and test data uploaded.
    60. Results
    61. $client1: Corrective Actions. Purchased, configured, and analyzed QRadar. Integrate Qualys into ticketing system. Implement Kerberos-only forest. Block access to cloud storage.
    62. $client1: Corrective Actions
    63. Assessments
    64. Assessment: Most expensive. Create targeted scenarios to test. Avoid the ARP-cache poison story. Sexy.
    65. Building Your Program
    66. Where to Start: GrrCon 2013, Scott Thomas (@secureholio): 50 Shades of Purple (teaming): Getting Penetration Testing into a Conservative Company
    67. Where to Start: Start with threat intelligence. Move to threat models. Get buy-in from management. Steve Fox's communication plan. Follow @securelexicon on Twitter.
    68. Communication: Relevant, distinct, credible, benefit-driven, aligned with strategy. Additional reading: http://imgur.com/a/fPLnM
    69. Do what is right for you. But do something.
    70. Resources. Freenode: #misec, #ladosanostra. People: J Wolfgang Goerlich (@jwgoerlich) – business strategy; Steven Fox (@securelexicon) – communication; Scott Thomas (@secureholio) – process. Links: http://imgur.com/a/fPLnM (Pixar)
    71. Resources: Look for Attack Paths to be published out of #misec soon
    72. @LaDoSaNostra #ladosanostra
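As an added example (not code from the talk or from either client's SIEM), here is the kind of flow-based check the exercise in slides 46 to 61 puts under test at stage 5 and stage 8: would a SIEM pooling flows notice one host enumerating many internal targets, and would a bulk upload to cloud storage stand out before access is blocked? The flow records, the 10.0.0.0/8 internal range, the cloud-storage network and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (src, dst, dst_port, bytes_out). Not real data.
FLOWS = [
    ("10.0.5.23", "10.0.1.10", 445, 1200),
    ("10.0.5.23", "10.0.1.11", 445, 900),
    ("10.0.5.23", "10.0.1.12", 445, 1100),
    ("10.0.5.23", "10.0.1.13", 139, 800),
    ("10.0.5.23", "10.0.1.14", 445, 950),
    ("10.0.5.23", "10.0.1.15", 3389, 700),
    ("10.0.5.23", "10.0.1.16", 22, 600),
    ("10.0.5.23", "10.0.1.17", 445, 1000),
    ("10.0.5.23", "10.0.1.18", 445, 1050),
    ("10.0.5.23", "10.0.1.19", 445, 980),
    ("10.0.5.23", "10.0.1.20", 445, 1010),
    ("10.0.5.23", "10.0.1.21", 445, 990),            # 12 distinct internal targets
    ("10.0.7.8",  "10.0.1.10", 445, 48000),          # normal user hitting one file server
    ("10.0.5.23", "203.0.113.50", 443, 52_000_000),  # bulk upload to "cloud storage"
    ("10.0.7.8",  "203.0.113.50", 443, 30_000),      # small, ordinary sync traffic
]

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range
# Placeholder: in practice populate from your proxy/DNS inventory of cloud-storage services.
CLOUD_STORAGE = {ip_network("203.0.113.0/24")}

def detect_internal_recon(flows, min_targets=10):
    """Stage 5 test: flag an internal source that touches many distinct internal host/port pairs."""
    targets = defaultdict(set)
    for src, dst, port, _ in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL:
            targets[src].add((dst, port))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def detect_cloud_exfil(flows, max_bytes=10_000_000):
    """Stage 8 test: flag internal sources pushing an unusual volume to cloud storage."""
    volume = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if any(ip_address(dst) in net for net in CLOUD_STORAGE):
            volume[src] += nbytes
    return {src: b for src, b in volume.items() if b > max_bytes}

def run_exercise(flows):
    """Return both findings so the purple team can see which stage produced an alert."""
    return {"stage5_recon": detect_internal_recon(flows),
            "stage8_exfil": detect_cloud_exfil(flows)}

if __name__ == "__main__":
    for stage, hits in run_exercise(FLOWS).items():
        print(stage, hits or "no detection (control gap)")
```

An empty result for a stage is the useful outcome here: it is the documented control gap that feeds the corrective-actions slide.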
