Open source tool release and updates: this is information for the community and a call to action! We have created an open-source C2 evaluation framework so that teams can easily determine which tool is best for penetration testing or red teaming a particular scenario. We’ll talk through why we built the framework, the components (server/agent languages, team vs user types, communication channel coverage, operating systems, capabilities, and support), the decision matrix (a workflow tool we call Ask the Matrix to help you sift through the data for what you need) and how to emulate an adversary (to be announced) across multiple frameworks, highlighting the pros and cons of each: infrastructure setup and host/network emulation.
6. Who Am I?
@brysonbort
@jorgeorchilles
● SCYTHE
○ 2016 - Fortune 50 suffered a breach
○ Performed full industry competitive analysis
○ We built it
● The “Bounded Attack Space” Philosophy
○ Exploitation = infinite
○ Communications = finite
○ Capabilities = bounded
10. Penetration Testing
● Exploitation-focused
○ Popping shells is rewarding
● Crown-jewels or bust
○ Getting Domain Admin = good.
○ Only Getting Domain Admin = less good.
● Engagements are shorter
○ Bound by time & money
● Not intended to emulate “real-world” adversary behavior
11. Red Team (and Penetration Testing)
Internal Red Teams
● Repeated engagements
○ Remediation tests
● Use privileged/insider knowledge
○ See resource limits
External Red Team
● Offers new perspective
○ May have other industry experience
● “Snapshot” engagements
○ Generate report based on limited window
12. Emulation vs Simulation
Emulation: reproduction of a function or action on a different computer or software system.
Simulation: imitation of a situation or process; the action of pretending; the production of a computer model for the purpose of study or learning.
False Flag: a covert operation designed to deceive by creating the appearance of a particular party or group being responsible for the activity, disguising the true source of responsibility.
https://medium.com/@malcomvetter/emulation-simulation-false-flags-b8f660734482
14. Moar Simulation
“BAS runs automated attacks, with the market currently having a range of BAS tools. Some BAS solutions can run surprise mock attacks, while some can conduct scheduled mock attacks.”
https://www.cybersecuritycloudexpo.com/2019/09/news/everything-you-need-to-know-about-breach-and-attack-simulation/
“These automated tools run simulated attacks to measure the effectiveness of a company's prevention, detection and mitigation capabilities.”
https://www.esecurityplanet.com/threats/breach-and-attack-simulation.html
15. Adversary Emulation
A flexible and repeatable tool to be used by all teams.
● Customizable
○ Change C2, Actions on Objective, etc.
● Repeatable
○ Same engagements to be repeated & compared
● Kill Chain Insight
○ Find the defensive choke-points and move on
● Automatable
○ Once defined, can be shared & used by others/juniors/etc.
16. White Box vs Black Box
● White Box: using “insider knowledge” of:
○ Organization
○ Staff
○ Products
○ Credentials
● Black Box: “external actor” focus:
○ Reconnaissance
○ Discovery
○ Circumvention
○ Stealth
Business-Centric defense validation
17. Defense Validation
● Red Team
○ Attempt to emulate threat behavior
■ Any Ransomware > WannaCry
○ Creative & Flexible Adversary
■ Today: APT
■ Tomorrow: Insider Threat
● Blue Team
○ Controls Validation
■ Firewall still blocking ‘badurl.com’?
○ Vendor Validation
■ Monitoring for exfil via DNS?
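As an added example (not from the talk or from SCYTHE), one way a blue team can answer the “Monitoring for exfil via DNS?” question: a Python check over constructed DNS query log lines that flags a client sending many distinct high-entropy subdomains to a single registered domain. The log format, the thresholds and the two-label registered-domain rule are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log: "<client ip> <queried name>" per line. Not real traffic.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 cdn.example.com
10.0.0.9 img1.cdn.example
10.0.0.9 img2.cdn.example
10.0.0.9 img3.cdn.example
10.0.0.9 img4.cdn.example
10.0.0.9 img5.cdn.example
10.0.0.9 img6.cdn.example
10.0.0.7 k3q7x9m2p5w8z1c4.exfil.example
10.0.0.7 r6t2y8u4i0o5p3a7.exfil.example
10.0.0.7 h1j5k9l3z7x2c6v0.exfil.example
10.0.0.7 b8n4m0q2w6e1r5t9.exfil.example
10.0.0.7 g3f7d1s5a9p2o6i0.exfil.example
10.0.0.7 y4u8i2o6p0l3k7j1.exfil.example
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data blobs score high, dictionary words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def find_dns_exfil(log_text: str, min_unique: int = 5, min_entropy: float = 3.0) -> dict:
    """Return {(client, registered_domain): stats} for pairs that look like DNS tunnelling.

    Heuristic: one client issuing many distinct subdomains under one registered domain,
    each carrying a high-entropy label, is how data leaves a network over port 53.
    Assumption: the last two labels are the registered domain (no public-suffix list).
    Both conditions must hold: 10.0.0.9 hits six subdomains but they are low entropy.
    """
    subdomains = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        labels = qname.rstrip(".").split(".")
        domain, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        if sub:
            subdomains[(client, domain)].add(sub)
    flagged = {}
    for key, subs in subdomains.items():
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_entropy >= min_entropy:
            flagged[key] = {"unique_subdomains": len(subs), "avg_entropy": round(avg_entropy, 2)}
    return flagged
```

Tune the thresholds against a baseline of your own resolver logs; CDNs and telemetry domains legitimately produce many subdomains, which is why the entropy condition is needed alongside the count.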
26. MITRE ATT&CK
● Common language
○ Periodic Table
○ Red & Blue & Executives
● “Meta-Layer” for behavior
○ Decouple Technique from Command
● Visualize effectiveness
○ Works well for reports over time
● Examples are abused
○ “We are monitoring for that command!”
● Rigid Adherence
○ Don’t ignore non-ATT&CK threats
● Can hinder re-tests
○ “We’ve already tried all-the-Persistence!”
● Box focus
○ An attack is an iterative chain of events with context
35. Emotet
● Started in 2014
● Uses SMTP, HTTP/S
● Changes ~weekly, daily
● Still a threat
Nanocore
● Started ~2013
● Uses HTTP/S
● Changes ~15 days
● Still a threat
Remcos
● Started in 2016
● Uses SOCKS5
● Changed on demand
● Still a threat
TrickBot
● Started in 2016
● Uses HTTP/S
● Changes ~3-5 days
● Still a threat
Notice any trends?
36. Network Activities (aka “Command & Control” or “C2”)
● Tends to be a “finite space”
○ Adversaries use the same wires as you
● Communication/Traffic
○ Network anomalies (& baselines)
● C2 infrastructure
○ The Cloud is your friend (& enemy)
37. Lateral Movement
● is …
○ Pivoting from endpoint-to-endpoint
○ Password spraying
○ Use of vulnerabilities
● is also …
○ Combination of Network & Host
○ “Should these be talking?”
○ “Should these be on same network?”
38. Host Activities (aka “Actions on Objective”)
● Destruction: ransomware, wiper
○ But, don’t always need to wipe. Monitor for mass File Creation?
● Escalation
○ Social Engineering & 0/N Days
● Persistence
○ Services & User Space
● Credentials
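An added example, not from the talk or the SCYTHE product, of the “Monitor for mass File Creation?” idea: a sliding-window check over constructed file-create events that flags a process creating many files in a short window and reports how concentrated the new files’ extensions are, which separates a bulk rewrite with one new suffix from ordinary user activity. The event tuple format and thresholds are assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed file-create events (timestamp, process image, created path); not real telemetry.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "winword.exe", r"C:\Users\a\Documents\q1.docx"),
    ("2024-01-01T10:00:05", "winword.exe", r"C:\Users\a\Documents\~$q1.docx"),
    ("2024-01-01T10:07:00", "winword.exe", r"C:\Users\a\Documents\q2.docx"),
]
# One process writing twelve documents in 22 seconds, every one gaining the same new suffix.
SAMPLE_EVENTS += [
    (f"2024-01-01T10:02:{2 * i:02d}", "updater.exe", rf"C:\Users\a\Documents\doc{i}.docx.locked")
    for i in range(12)
]

def mass_file_creation(events, threshold=10, window=timedelta(seconds=60)):
    """Return {image: (peak_count, top_suffix_share)} for processes whose file creations
    reach `threshold` inside any sliding time window of length `window`.

    peak_count is the most creations seen in one window. top_suffix_share is the fraction
    of the process's created files carrying its single most common extension: close to 1.0
    when a whole directory is being rewritten with one new suffix, lower for normal work.
    """
    recent = defaultdict(deque)      # image -> timestamps still inside the window
    suffixes = defaultdict(Counter)  # image -> count per file extension
    peaks = {}
    for ts_text, image, path in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        q = recent[image]
        q.append(ts)
        while ts - q[0] > window:    # drop creations older than the window
            q.popleft()
        suffixes[image][PureWindowsPath(path).suffix.lower()] += 1
        if len(q) >= threshold:
            peaks[image] = max(peaks.get(image, 0), len(q))
    result = {}
    for image, peak in peaks.items():
        top = suffixes[image].most_common(1)[0][1]
        result[image] = (peak, round(top / sum(suffixes[image].values()), 2))
    return result
```

With the sample data only updater.exe trips the default threshold; winword.exe never has more than two creations inside a 60 second window.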
40. Benefits & Challenges of “Going Purple”
● Formalizes Red & Blue Joint Goal
○ … secure the organization.
● Structure around engagements
○ Intervals & Durations
● Rules of Engagement
○ … when allowed to bend or break.
● Bureaucracy is hard.
○ … need to formalize process/documents.
● Scheduling is hard.
○ … many disparate parties into one room.
● Culture is hard.
○ … “Red vs. Blue is wrong.”
41. Purple Team Exercises - Lessons Learned
● It is all about the TTPs
● Test and report the good and the bad (with an action plan)
● Running a high-value, in person purple team exercise:
https://www.slideshare.net/jorgeorchilles/purple-team-work-it-out-organizing-effective-adversary-emulation-exercises
● Xena will be presenting an entire talk on ideas for high value & high impact purple team exercises at Thotcon
42. For more
SANS SEC 564 Red Team Exercises and Adversary Emulation
"Organizations are maturing their security testing programs to include Red Team exercises and adversary emulations. These exercises provide a holistic view of an organization's security posture by emulating a realistic adversary to test security assumptions, measure the effectiveness of people, processes, and technology, and improve detection and prevention controls. This course will teach you to plan Red Team exercises, leverage threat intelligence to map against adversary tactics, techniques, and procedures, build a Red Team program and plan, execute a Red Team exercise and report and analyze the results, and improve the overall security posture of the organization."
Editor's Notes
I call half of Pen Test through Continuous Purple Team Adversary Emulation
Dwell time is still 300+ days. Most of these RATs can be bought for <$50 USD or rented.
In between blind adversary emulations, we perform in-person purple team end-to-end adversary emulation exercises with TTPs we know will get detected (logged or alerted) as well as some that may not. Start with TTPs that will definitely be logged and alerted but not prevented. This gives everyone a good psychological boost to start the exercise. Then go into others that may or may not be caught.
We used SCYTHE to create these payloads before the exercise. It lowers the time Red Team needs to execute and allows more time for Blue to find logs, alerts, or forensic evidence. It also allowed us to execute the TTP multiple times over and over as tuning of detective controls was tested.