Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector 2016


Published on

Sector 2016 Chris Gates & Haydn Johnson

Purple Teaming is conducting focused Red Teams with clear training objectives for the Blue Team for the ultimate goal of improving the organization’s overall security posture. The popular opinion is that Purple Teaming requires a big undertaking. This is not true and we will show practical exercises for Purple Teaming for varying levels of organizational maturity using the Cyber Kill Chain[1] as our framework.

Published in: Technology
  • link to the talk video
    Are you sure you want to  Yes  No
    Your message goes here

Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector 2016

  1. 1. @haydnjohnson @carnal0wnage Purple Teaming the Cyber Kill Chain Practical Exercises for Management Everyone
  2. 2. @haydnjohnson @carnal0wnage whoami
  3. 3. @haydnjohnson @carnal0wnage Chris Gates - Sr. Incident Response Engineer - Uber Inc. Twitter: @carnal0wnage Blog: Talks:
  4. 4. @haydnjohnson @carnal0wnage Haydn Johnson - Security Consultant - “Researcher” Twitter: @haydnjohnson Talks: BsidesTO, Circle City Con, BsidesLV Big 4 experience
  5. 5. @haydnjohnson @carnal0wnage Overview 1.  Terminology for our discussion 2.  Explain this Cyber Kill Chain (CKC) thing 3.  Use CKC to plan possible Purple Team exercises 4.  Purple Team Story Time
  6. 6. @haydnjohnson @carnal0wnage Terminology
  7. 7. @haydnjohnson @carnal0wnage Terminology Vulnerability Assessment Person - Run Vuln Scanner….hey client you suck Penetration Tester - Metasploit /MSF PRO (FTW)...hey client you suck Red Teaming - Phish, move laterally, find “sensitive stuff”, maybe custom implant...hey client you suck Purple Teaming - You did all the above, but got to charge for an extra body and to tell the client how they suck in person
  8. 8. @haydnjohnson @carnal0wnage No Really... Red Teaming - “Red Team engagements are the full spectrum warfare of security assessments. In a red team engagement, the consultants attack the client organization using physical means, social engineering, and technological avenues. “ From:
  9. 9. @haydnjohnson @carnal0wnageFrom: Chris Nickerson Lares Consulting
  10. 10. @haydnjohnson @carnal0wnage You can’t Red Team yourself But you sure as hell can conduct training...and detection/protection validation
  11. 11. @haydnjohnson @carnal0wnage Purple Team Process
  12. 12. @haydnjohnson @carnal0wnage No Really... Purple Teaming - Conducting focused pentesting (up to Red Teaming) with clear training objectives for the Blue Team. It isn't a "can you get access to X" exercise it is a "train the Blue Team on X" exercise. The pentesting activities are a means to conduct realistic training. More here: teaming.html
  13. 13. @haydnjohnson @carnal0wnage Purple Teaming Process Training Exercise! 1.  Primary result of the exercise is to create an intrusion event (aka get caught) to test instrumentation (host/ network), validate detection processes and procedures, validate protections in place, force response procedures and post mortems. Differs from Red Team where primary goal is to NOT get caught
  14. 14. @haydnjohnson @carnal0wnage Purple Teaming Process Training Exercise + work the IR process Investigate Logging vs Alert + action ○  Is the event logged at all? ○  Logged event != alert ○  Does alert == action taken? ○  Purple Team it!
  15. 15. @haydnjohnson @carnal0wnage But I need ideas for scenarios!
  16. 16. @haydnjohnson @carnal0wnage TRANSITION SLIDE Handy transition slide
  17. 17. @haydnjohnson @carnal0wnage Pyramid of Pain
  18. 18. @haydnjohnson @carnal0wnage Lockheed Martin Cyber Kill Chain Worst. Name. Ever. “The seven steps of the Lockheed Martin Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures.”
  19. 19. @haydnjohnson @carnal0wnage CKC is a great idea! This is an integrated, end-to-end process described as a “chain” because any one deficiency will interrupt the entire process. AKA: Any deficiency in the attackers chain, will interrupt the entire process
  20. 20. @haydnjohnson @carnal0wnage How to use CKC
  21. 21. @haydnjohnson @carnal0wnage
  22. 22. @haydnjohnson @carnal0wnage
  23. 23. @haydnjohnson @carnal0wnage Using the CKC to drive Exercises
  24. 24. @haydnjohnson @carnal0wnage Using the CKC to drive Exercises ●  Rather than consolidate all attacker activities into a single chart. We **could** create charts for various attack types or CKC steps. ●  This would force us to identify and DOCUMENT an organization’s methods to Detect, Deny, Disrupt, Degrade, Deceive & Contain (Destroy) for any attack type. ●  As an added bonus, it creates Purple Team exercises for us when we create a plan to validate the info in the chart.
  25. 25. @haydnjohnson @carnal0wnage Example Attack Types W I N D O W S
  26. 26. @haydnjohnson @carnal0wnage Example Attack Types
  27. 27. @haydnjohnson @carnal0wnage Example Attack Types
  28. 28. @haydnjohnson @carnal0wnage Example Attack Types
  29. 29. @haydnjohnson @carnal0wnage Mimikatz Example ●  Mimikatz affects almost all organizations ●  Outline your defenses against the tool ○  AV ○  Md5 ○  Command line usage ○  Code certificate details ○  Windows Hardening ○  Detection (via ATA) ●
  30. 30. @haydnjohnson @carnal0wnage Mimikatz Example
  31. 31. @haydnjohnson @carnal0wnage Mimikatz Example Purple Team ●  Pack, Recompile, Sign with different code sign certificate ●  Powershell mimikatz ●  Various whitelist bypass techniques ●  Validate ○  Protected User Groups ○  LSA Protection ○  Registry changes prevent wdigest clear text ○  Alerting!
  32. 32. @haydnjohnson @carnal0wnage Lateral Movement Example ●  We could attempt to document every Lateral Movement tool / technique ●  Instead focus on how you detect/protect/respond to a tool or suite of tools ○  Ex: impacket
  33. 33. @haydnjohnson @carnal0wnage Lateral Movement -- Place holder for lateral movement example
  34. 34. @haydnjohnson @carnal0wnage Lateral Movement Example Purple Team ●  Run in default config ○  Did you detect it? ○  Tweak detection/deny/etc until you do! ●  Let your Red Team modify impacket ○  Repeat the detect/deny process until the tool is unusable in your org ●  Do your GPO settings prevent most use cases?
  35. 35. @haydnjohnson @carnal0wnage Malicious Attachments ●  Everyone employs’ some sort of malicious attachment protection ○  Google mail for business ○  Office 365 ○  Proofpoint ○  FireEye ●  Do you test it? Or do you just hope for the best?
  36. 36. @haydnjohnson @carnal0wnage Malicious Attachments
  37. 37. @haydnjohnson @carnal0wnage Malicious Attachments
  38. 38. @haydnjohnson @carnal0wnage Malicious Attachments
  39. 39. @haydnjohnson @carnal0wnage Malicious Attachments Purple Team •  Send various types of malicious attachments via multiple sources •  Compare to your chart of assumptions •  How many emails does it take to block a sender? •  What types of attachments generate alerts? •  Does suspicious stuff get moved to spam or deleted; do people open spam emails? •  If sent to employees, do they report? •  Did any automated actions take place?
  40. 40. @haydnjohnson @carnal0wnage CKC Exercise Outcomes ●  Mental exercise of how we Detect/Respond/etc to attacks ●  Document defense posture ●  Answer the “Do the Blinky Boxes work?” question The Purple Team component ●  Validate the spreadsheet is accurate ●  Validate the blinky box is doing “something” ●  Identify training and coverage gaps for the org ○  Test plan for the above
  41. 41. @haydnjohnson @carnal0wnage CKC Exercise Outcomes ●  ITERATIVE PROCESS ○  Starts as simple detection validation exercises ○  Based on maturity, moves into gap analysis/detection evasion by your attack team ○  You build up to Red Teaming ●  Does what we have for detection/protection work? ○  Then how easy is it to bypass ○  Track last test date, drive exercises and training
  42. 42. @haydnjohnson @carnal0wnage Story Time #1 Privilege Escalation Assume Breach Meterpreter C2 Exfiltration - FTP “Red Team” @ $canadian Bank
  43. 43. @haydnjohnson @carnal0wnage Story Time #1 •  Receive call “Check this IP address” •  $secretpoliceinvestigation •  IP address seen - Investigators go to meeting + lunch •  2 hours later, identify data exfil •  Sh*t hits fan •  Log into FTP server to delete data •  Execute processes Alerts triggered purposely
  44. 44. @haydnjohnson @carnal0wnage Story Time #1 Debrief Red TeamBlue Team What we saw What was done The GAP Improvements==
  45. 45. @haydnjohnson @carnal0wnage Story Time #1 •  Process not as effective as it looks •  Road Blocks in communication Lessons learned
  46. 46. @haydnjohnson @carnal0wnage Story Time #1 •  Process bypassed •  Hard to collaborate •  Rotating Shifts Lessons learned
  47. 47. @haydnjohnson @carnal0wnage Story Time #1 •  IR equipment == slow •  Infrastructure out of date Lessons learned
  48. 48. @haydnjohnson @carnal0wnage Story Time #1 •  Big company hard to change quickly •  Issues clearly acknowledged •  Long term plans Nothing changed in short term
  49. 49. @haydnjohnson @carnal0wnage Story Time #1 •  Create defined and clear process for hierarchy •  Training on hacking back - DON’T •  Budget for prioritized upgrade of Lab •  Shift style lunches Solutions
  50. 50. @haydnjohnson @carnal0wnage Story Time #1 •  Better equipment •  Better processes •  Better security culture •  Better collaboration 2nd time around
  51. 51. @haydnjohnson @carnal0wnage Story Time #1 •  Faster detection •  Faster containment •  Faster win 2nd time improvements
  52. 52. @haydnjohnson @carnal0wnage The Point •  What you think works, probably doesn’t •  Test it •  Humans will be humans, including your Blue Team
  53. 53. @haydnjohnson @carnal0wnage Story Time #2 •  IR Manager had identified some gaps plus had new incident responders •  Mobile Forensics •  Response to Golden Ticket attack •  Work thru IR process as a team •  Fully internal -- No external Contractors •  Partnered with senior Blue Team member •  Took things I found pentesting…chained together story for the exercise •  “Create internal havoc” attackers Overview of a Purple Teaming Exercise
  54. 54. @haydnjohnson @carnal0wnage Story Time #2 SMS Phish**
  55. 55. @haydnjohnson @carnal0wnage Story Time #2
  56. 56. @haydnjohnson @carnal0wnage Story Time #2
  57. 57. @haydnjohnson @carnal0wnage Story Time #2
  58. 58. @haydnjohnson @carnal0wnage Story Time #2
  59. 59. @haydnjohnson @carnal0wnage Story Time #2
  60. 60. @haydnjohnson @carnal0wnage Story Time #2
  61. 61. @haydnjohnson @carnal0wnage Story Time #2
  62. 62. @haydnjohnson @carnal0wnage Story Time #2
  63. 63. @haydnjohnson @carnal0wnage Story Time #2
  64. 64. @haydnjohnson @carnal0wnage Story Time #2
  65. 65. @haydnjohnson @carnal0wnage Story Time #2
  66. 66. @haydnjohnson @carnal0wnage Story Time #2
  67. 67. @haydnjohnson @carnal0wnage Story Time #2
  68. 68. @haydnjohnson @carnal0wnage Story Time #2
  69. 69. @haydnjohnson @carnal0wnage Purple Bucket
  70. 70. @haydnjohnson @carnal0wnage Story Time #2
  71. 71. @haydnjohnson @carnal0wnage Story Time #2
  72. 72. @haydnjohnson @carnal0wnage Story Time #2
  73. 73. @haydnjohnson @carnal0wnage So the take away!
  74. 74. @haydnjohnson @carnal0wnage Please remember: •  Document your defenses and protections •  Find a way to (iteratively) build your attacks/validation •  Start simple, grow to more complex attacks/scenarios •  Pwn all the things...but in a way that helps your organization