
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013



Given at BSides Jackson 2013



  1. Seeing Purple: Hybrid security teams for the Enterprise (@jwgoerlich)
  2. Me
     - Security consultant with VioPoint
     - La DoSa Nostra
     - #misec
     - Twitter: @b31tf4c3
     - Freenode: #misec / #burbsec / #ladosanostra
     - Beltface
  3. The ONE thing
     - Productivity book
     - The ONE thing your organization does/has
     - Protect and build off that
     - Avoid the easy pentest
  4. The Client
     - $client0 – company in the energy sector
     - $client1 – company in the financial sector
  5. A Cascade of Pebbles
     - Talk by Josh Little – BSides Detroit 2013
     - Performed pentest at $client0
     - Leveraged that scenario to create a program at $client1
  6. "My idea of hacking is taking the tactics, techniques, and procedures that different threats are using today …
  7. … using them against our organizations, when they have a mature program, to understand how our controls stand up when exercised by a sophisticated thinking adversary." -- Raphael Mudge, Armitage and Cobalt Strike, BSides Detroit 2013 podcast
  8. Detect, Prevent, Correct
  9. Detect, Prevent, Correct
     - Detect – catch attackers in action (SIEM)
     - Prevent – stop attackers (vulnerability management)
     - Correct – raise the attackers' costs by disrupting or distracting them (e.g. honeypots)
  10. Blue Team – Detect
     - SIEM – Security Incident and Event Monitoring
     - Pool log sources and analyze logs and flows
  11. Blue Team – Prevent
     - VM (vulnerability management) program
     - Gives visibility into system preparedness
     - Helps with patching schedule
     - Identifies most critical hosts
  12. Blue Team – Correct
  13. Red Team – Assessment
     - Pentesting
     - Required as part of audits
     - We break it, you fix it
     - Higher risk
     - How do you know remediation is working if it's never been tested?
  14. Red Team – Exercise
     - Select a specific stage in the attack path
     - Assume all prior controls have failed
     - Test preventative, detective, corrective
     - Test both the controls and the response
     - Minimal risk
  15. Example
     - Stage 4 – Persistence
     - Popping the Penguin – SecTor 2013
     - No 1337 hax needed
  16. Assessment v. Exercise
     - Exercise: use real techniques; use real objectives; model a real attack; test specific controls
     - Assessment: use real techniques; use real objectives; exec an actual attack; test overall posture
  17. Purple Team
  18. Purple Team
     - Take knowledge of your security (Blue)
     - Take knowledge of your weaknesses (Red)
     - Combine to find what's most valuable to you (Purple)
  19. Purple Teams
     - Not necessarily just the red and blue teams
     - Requires a total picture involving all areas of the organization
  20. From this
  21. To this
  22. The Goal
     - Create scenarios
     - Identify how you would protect yourself
     - Test the scenario
     - Test your environment
  23. Proactive Protection
     - 1. Threat modeling – bi-weekly
     - 2. Tabletop exercises – monthly
     - 3. Red Team exercises – quarterly
     - 4. Red Team assessments – yearly
  24. Our Infrastructure
  25. Threat modeling
     - Least amount of T/E
     - One model bi-weekly
     - Build portfolio of potential attacks
  26. Choosing a model
     - SDLC threat model – Microsoft
     - Cyber Kill Chains of Doom™ – Lockheed Martin (r), (tm), (etc)
     - Attack Paths – #misec
  27. Attack path (@jwgoerlich)
  28. Start with why
     - TED Talk, Simon Sinek: How great leaders inspire action
     - Why, How, What
  29. Why?
     - Why this model? Free; open; I'm biased (#misec)
     - Why will $badguy target us (the ONE thing)?
     - $client0 – access control systems
     - $client1 – sensitive financial data
  30. Do what is right for you. But do something.
  31. How?
     - How will the attacker realize their objective? – The attack path $badguy took through the network
  32. What?
     - What can we do to prevent this attack? – Document controls
     - What can we do to be ready? – Develop test cases
  33. Attack Paths
     - 1. External reconnaissance
     - 2. Initial breach
     - 3. Escalate privileges
     - 4. Persistence
     - 5. Internal reconnaissance
     - 6. Lateral breach
     - 7. Maintain presence
     - 8. Achieve objective
  34. Initial generation
     - Start with step 8
     - Identify ONE thing
     - Work backwards
  35. A blank slate
  36. Attack Path
  37. Attack Path – Goal: obtain sensitive, proprietary information
     - 1. External Reconnaissance – Attacker will perform OSINT on the company to identify targets
     - 2. Initial Breach – Attacker will have a specially crafted site for the user to access, containing either an infected document or a place for entry of credentials
     - 3. Escalate Privileges – Attacker will attempt to add a specially crafted user to a group / recover hashes through trust relationships / Responder
     - 4. Persistence – Attacker will attempt to maintain his or her presence by installing malware
     - 5. Internal Reconnaissance – Attacker will attempt to enumerate the internal infrastructure to identify more targets that will lead him or her to the goal
     - 8. Achieve Objective – The attacker dumps the data and exfiltrates it via a cloud service
  38. Tabletop
  39. Tabletop
     - Slightly more expensive than modeling
     - Using the more likely of two models, stakeholders gather
     - Should be performed monthly
  40. Tabletop Exercise
     - Started with table
     - Gathered $client1's stakeholders
     - Went over the attack path used at $client0
     - Went over potential responses
  41. As simple as SMTP
     - Email was sent out to $client0
     - User credentials were compromised
     - No detection
     - Allowed total compromise
  42. $client1: Results
     - There were no proactive detective capabilities
     - 1 preventative control
  43. $client1: Results
  44. $client1: Corrective Actions
     - Security Onion installed, configured, and analyzed
     - VM program re-configured
  45. Exercises
  46. Example
     - Persistence – Stage 4
     - Tested ability to connect out and ability to detect
     - Minimal risk to infrastructure
  47. Exercises
     - More expensive than tabletop
     - Use the most likely of three scenarios
     - Should be performed quarterly
  48. $client0: Stage 1 – External Recon
     - OSINT was used to enumerate the following information about $client0: email addresses; travel agency; key players
  49. $client1: Stage 1 – External Recon
     - In order to save time, we assumed failure at this level
     - Assumed email was sent and opened
  50. $client0: Stage 2 – Initial Breach
     - Email sent out, directed to fake login page
     - Credentials recorded to database
     - Credentials used to access VPN
  51. $client1: Stage 2 – Initial Breach
     - Visited unique URL on test box
     - User was able to RDP into box
     - Having local admin, was able to create another user
  52. $client0: Stage 3 – Escalate Privileges
     - Escalation unneeded
     - User had sufficient privileges to achieve objective
  53. $client1: Stage 3 – Escalate Privileges
     - Assumed failure at this point in the interest of time
     - Multiple exploitation methods assumed to work
     - Remediation currently in the works to create a Kerberos-only environment
  54. $client0: Stage 4 – Persistence
     - Installed multiple Core agents
     - Used this to obfuscate origin
  55. $client1: Stage 4 – Persistence
     - Showed ability to install software
     - In this case, we installed Zenmap
     - Used this to enable stage 5 testing
  56. $client0: Stage 5 – Internal Recon
     - Very little protection
     - Enumeration was caught by SIEM using flows
     - No follow-up
  57. $client1: Stage 5 – Internal Recon
     - Attempted to scan internal hosts, looking for file shares or other repositories
     - Showed ability to enumerate network
  58. $client0: Stage 8 – Achieve Objective
     - Goal: persistent access to critical control systems
     - Access was obtained
     - Length of engagement: 21 days
     - Length of time in network: 21 days
  59. $client1: Stage 8 – Achieve Objective
     - Goal: ability to exfiltrate data through cloud service
     - Cloud services were successfully reached and test data uploaded
  60. Results
  61. $client1: Corrective Actions
     - Purchased, configured, and analyzed QRadar
     - Integrate Qualys into ticketing system
     - Implement Kerberos-only forest
     - Block access to cloud storage
  62. $client1: Corrective Actions
  63. Assessments
  64. Assessment
     - Most expensive
     - Create targeted scenarios to test
     - Avoid the ARP-cache-poison story
     - Sexy
  65. Building Your Program
  66. Where to Start
     - GrrCon 2013: Scott Thomas (@secureholio): 50 Shades of Purple (teaming): Getting Penetration Testing into a Conservative Company
  67. Where to Start
     - Start with threat intelligence
     - Move to threat models
     - Get buy-in from management
     - Steve Fox's communication plan
     - Follow @securelexicon on Twitter
  68. Communication
     - Relevant
     - Distinct
     - Credible
     - Benefit-driven
     - Aligned with strategy
     - Additional reading(
  69. Do what is right for you. But do something.
  70. Resources
     - Freenode: #misec, #ladosanostra
     - People: J Wolfgang Goerlich (@jwgoerlich) – business strategy; Steven Fox (@securelexicon) – communication; Scott Thomas (@secureholio) – process
     - Links: (Pixar)
  71. Resources
     - Look for Attack Paths to be published out of #misec soon
  72. @LaDoSaNostra #ladosanostra
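The stage 5 slides (internal reconnaissance "caught by SIEM using flows" at $client0, network enumeration at $client1) and the stage 8 objective at $client1 (test data uploaded to a cloud service, later answered by "block access to cloud storage") describe exactly the kind of control a Red Team exercise at one stage is meant to check. The example below is added here and is not code from the talk, VioPoint or #misec; it shows the two flow-based detections a SIEM would run over pooled flow records so that an exercise at stage 5 or stage 8 has something concrete to trigger. The `Flow` record layout, the thresholds, the sample flows and the cloud-storage endpoint `203.0.113.10` (documentation address space, standing in for a real provider) are all assumptions constructed for this illustration.

```python
"""Flow-based detections for two attack-path stages (added example).

Stage 5 (internal recon): one source reaching many distinct internal hosts
within a short window, the behaviour a network scan produces in flow data.
Stage 8 (achieve objective): a source pushing a large volume of bytes to a
known cloud-storage endpoint, the behaviour an exfiltration test produces.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One summarised connection, as a SIEM receives it from a flow collector (assumed layout)."""
    ts: int         # flow start time, seconds since epoch
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    bytes_out: int  # bytes sent from src to dst


def _scanner_flows() -> List[Flow]:
    # Constructed sample: one workstation touching 30 internal hosts on 445 within 30 seconds
    return [Flow(1_000 + i, "10.0.0.50", f"10.0.1.{i + 1}", 445, 300) for i in range(30)]


def _benign_flows() -> List[Flow]:
    # Constructed sample: a normal workstation talking to a few servers
    return [
        Flow(1_005, "10.0.0.20", "10.0.2.10", 445, 4_000),
        Flow(1_020, "10.0.0.20", "10.0.2.11", 443, 12_000),
        Flow(1_040, "10.0.0.20", "10.0.2.12", 53, 200),
    ]


def _upload_flows() -> List[Flow]:
    # Constructed sample: the scanning workstation later pushing ~50 MB to a cloud endpoint
    return [Flow(2_000 + i, "10.0.0.50", "203.0.113.10", 443, 10_000_000) for i in range(5)]


SAMPLE_FLOWS: List[Flow] = _scanner_flows() + _benign_flows() + _upload_flows()

# Hypothetical cloud-storage endpoint list; 203.0.113.0/24 is documentation space, not a real provider
CLOUD_STORAGE_DSTS: Set[str] = {"203.0.113.10"}


def detect_internal_recon(flows: Iterable[Flow], window: int = 300,
                          host_threshold: int = 20) -> Dict[str, int]:
    """Return {src: distinct_hosts} for sources that reach at least host_threshold
    distinct destinations within a single window-second bucket (a scan signature)."""
    seen: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in flows:
        seen[(f.src, f.ts // window)].add(f.dst)
    alerts: Dict[str, int] = {}
    for (src, _bucket), hosts in seen.items():
        if len(hosts) >= host_threshold:
            # keep the largest fan-out seen for that source across buckets
            alerts[src] = max(alerts.get(src, 0), len(hosts))
    return alerts


def detect_cloud_upload(flows: Iterable[Flow], cloud_dsts: Set[str],
                        byte_threshold: int = 20_000_000) -> Dict[Tuple[str, str], int]:
    """Return {(src, dst): total_bytes} for sources that send at least byte_threshold
    bytes to any destination in cloud_dsts (a bulk-upload signature)."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if f.dst in cloud_dsts:
            totals[(f.src, f.dst)] += f.bytes_out
    return {key: total for key, total in totals.items() if total >= byte_threshold}


if __name__ == "__main__":
    for src, n in detect_internal_recon(SAMPLE_FLOWS).items():
        print(f"stage 5 recon: {src} reached {n} distinct hosts in one window")
    for (src, dst), total in detect_cloud_upload(SAMPLE_FLOWS, CLOUD_STORAGE_DSTS).items():
        print(f"stage 8 upload: {src} sent {total} bytes to cloud endpoint {dst}")
```

Run as-is, the scanning workstation is flagged for both detections and the benign workstation for neither. The point of pairing the two rules with the exercise schedule on the slides is the $client0 outcome "caught by SIEM using flows, no follow-up": an exercise at stage 5 confirms the rule fires, and the tabletop confirms someone acts on it.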