Talk given at the ISSA Charleston conference on creating highly functional internal offensive security teams. --snip-- Too many times do I hear the tales of PenTesters and “Red Teamers” awesomeness but never hear of the fight the “Blue Teamers” put up. Let’s face it, the value of most PenTesting is as good as being pushed down a flight of stairs then being told you are vulnerable to a “Sneak Attack Stair Renegotiation Vulnerability” or known in the media as SASR. this creates a massive level of trauma in an organization. They are left with an overwhelming number of vulnerabilities and flaws and sometimes at such an amount that it paralyzes the org's ability to move forward. In this talk I will explore what it is like to build, manage and operate a red team that is a VALUE to the organization not just a gang of PenTesters pointing out flaws. We will cover numerous engagements and 1000’s of simulation hours that show a clear and repeatable method to measure the success of a program. We will cover the setup and goals of the team, integration into the overall ecosystem of the company and the tricky metrics that actually let you answer the fabled question “How secure are we?”

1. Vulnerabilit
y
Paralysis

4. HI…I’m Chris

6. • Cursing
• Racism
• Religious Prejudice
• Sex
• Drugs
• Daddy / Abandonment
issues
• Socio Economic Hate
crimes
• Thin Skin
• Lack of sense of humor
• Sexual orientation
• Sexism
• Violence
• Vomiting
• Abuse
• Truth
• Fear
• Honesty
• Facts
• Emotions
• Opinions

9. http://www.pentest-standard.org/

20. Risk ….
what???

22. 106,000 currently graded vulns

24. Terminology:
Gotta get a few things
straight first
• We keep screwing up terms
• Penetration Tester ( U hit
autopwn)
• Red Teamer ( U hit autopwn and
moved laterally? Maybe even
found “sensitive stuff”)
• Purple Teamer (U did all of
the above but charged more to
talk with the defense teams
during the test)

26. Problems With Testing Today
• Limited metrics
• Increased Tech debt
• Fracturing of TEAM mentality
• Looks NOTHING like an attack
• Gives limited experience
• Is NOT essential to the success
of the organization
• Follow-up is BLAME

27. 0
-20
-15
-25
-20
-15
-10
-5
0
START DELIVERABLEPOST TEST
TESTING METRICS

34. Easy!
Step #1: Get people who can do the hack
Step #1.5: Complain about the scope
Step #2: Hack all the things!
Step #3: Write up stuff to tell people why the hax
iz bad.
Advanced players: ( increased scope and
flexibility)
Step #4: Tell Defense Team how u did hax
Step #5: Defense team does defensive’y stuff or
blames team that refuses to patch the thing
Step #6: repeat

35. Time to stop with the
Color talk
& get to REAL measurement

39. https://attack.mitre.org/wiki/Main_Page

40. Charter
• Analyze real world threats against $Company.
• Develop attack models which validate our detection capabilities.
• Validate our detection, prevention, and response against real
world threats.
• Provide metrics around $Company’s corporate
readiness/resistance to various attacks across a broad set of
threat tactics, techniques, and procedures (TTPs) via table top
exercises, automated, and manual testing.
• Create a SOC of scary beasts
• Automate defense and offense by training the MACHINE
• GOAL: Predict likelihood of successful
attacks before they happen

41. Red Team
Management
Blue Team
Add Item to
Concerns List
Collaboration,
Prioritization, and
Sequencing Meeting
Categorize Type of
Work and Time
Requirement.
Penetration
Testing and
Adversary
Simulation
Assessment
(Full or Mini)
TTP Replay
Consulting and
Assistance
Assign Work to
appropriate
resources
Summarize,
Document, and
Report Findings
Update Internal
Documentation,
Processes, and
Methodology
Threat Intel
New Vuln
or Technique?
Enter into Vuln DBVuln?
Enter into Matrix
Technique? End
Gather Budget
Information and
Approvals
Notify affected
groups of requested
work and expected
timeline
Update Attack Wiki
TTP Matrix

42. Create a repeatable
strategy for
execution of
simulations

44. 0
-20
15
-25
-20
-15
-10
-5
0
5
10
15
20
Start Deliverable Post Test
Simulated Testing Loop
Start Deliverable Post Test

45. Controls Coverage
Assessment

49. CAR

51. Example

52. Example
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-
attackers.html

53. Example

54. Simulate each TTP
and track results
from a protective,
detective, response
and TIME
perspective

58. Technique Function Methods for
detection
Methods for protection Sophisticatio
n
Detection Maturity Timing Protection Maturit
y
Confidence Last Test Date
LSASS
password/h
ash
recovery
Local Security
Authority
Subsystem Service
(LSASS) is a process
in Microsoft
Windows operating
systems that is
responsible for
enforcing the
security policy on
the system. It
verifies users
logging on to a
Windows computer
or server, handles
password changes,
and creates access
tokens. (from
Wikipedia)
For the purposes of
Single Sign On (SSO)
in Windows
environments, lsass
also stores the NT
hash and
sometimes, in the
case of wdigest, the
cleartext
credentials of users
who have logged
into the system.
These can be
recovered by
dumping the
contents of the
process in memory
through use tools
such as procdump
and mimikatz.
The most optimal
way to detect this is
to identify processes
that are crossproc'd
into lsass. The signal
to noise ratio here is
high, due to the
nature of lsass'
function.
Typically meterpreter
uses rundll32 to run,
so identifying
rundll32 into lsass
along with processes
injected into
winlogon that cross
process into lsass will
reliably identify
malicious activity
An automated password
management tool such as
CyberArk can be used to
randomize passwords and
change them after every
use, thus decreasing the
efficacy of mimikatz as
any recovered credential
will likely be expired.
Further, on all windows
8/2012+ desktops and
servers, wdigest should
be disabled in accordance
with the following KB
article from Microsoft:
https://support.microsoft
.com/en-us/kb/2871997
Enforcing the principle of
Least User Access will also
help mitigate the
effectiveness of mimikatz
as it will limit the access
provided by the
compromised credentials.
Lastly, adding some form
of Two Factor
Authentication, such as
smart cards, can further
limit the usefulness of the
recovered credentials.
2
Rules written in carbon
black to detect cross
process activity from
rundll32 into lsass
Rule written to identify
PowerShell crossproc into
lsass.
Additional rule written to
detect an injected process
into winlogon with cross
process activity into lsass
3 00:00:18
2FA (user-
land only),
some
CyberArk
usage,
some
credentials
flushed
every 24
hours
1 1 1/15/17

62. Defining the most
likely campaign /
Attack Chain

65. ADDED BONUS!! Advanced Predictability and
Timing. APT
AND… Threat Harm Understanding and
Graphing of Likelihood of Intrinsic
Failure or Excellence

67. Defensive Measurement
MetricsNow that we have measured RT ability to conduct attacks
Now we need to gather defensive metrics
• Total Coverage
• Mean Time to Detection
• Mean Time to Remediation
• % Successful Eradication
• Protection Metrics
• Automated vs Manual Detection
• Automated vs Manual Response
• **Defender proficency

71. Adversarial Simulation Dashboard

74. Answer the magic question we
have all been trying to prove

75. Total Protection/Detection/Response
Potential P/D/R
Actual P/D/R
$Company asks “What do we do next, buy more stuff?”
Execution Gap Coverage
Gap

76. Future Work

77. The Future

78. I’m Chris
AKA
@indi303
cnickerson@laresconsulting.com
https://vimeo.com/laresconsulting
http://www.scribd.com/Lares_
Exoticliability.com