Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest 2020
•
1 like•883 views
Open source tool release and updates: this is information for the community and a call to action! We have created an open-source C2 evaluation framework so that teams can easily determine what’s the best tool for penetration testing/red teaming particular scenarios. We’ll talk through why we built the framework, the components (server/agent languages, team vs user types, communication channel coverage, operating systems, capabilities, and support), the decision matrix (a workflow tool we call Ask the Matrix to help you sift through the data for what you need) and how to emulate an adversary (to be announced) across multiple frameworks highlighting the pro’s / con’s of each: infrastructure setup and host/network emulation.
Recommended
Recommended
More Related Content
Similar to Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest 2020
Similar to Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest 2020 (20)
More from Jorge Orchilles
More from Jorge Orchilles (20)
Recently uploaded
Recently uploaded (20)
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest 2020
- 6. @brysonbort @jorgeorchilles Who Am I? ● SCYTHE ○ 2016 - Fortune 50 suffered a breach ○ Performed full industry competitive analysis ○ We built it ● The “Bounded Attack Space” Philosophy ○ Exploitation = infinite ○ Communications = finite ○ Capabilities = bounded 6
- 7. @brysonbort @jorgeorchilles The Value of Post Exploitation 7
- 9. @brysonbort @jorgeorchilles Definitions - Maturity Model 9https://www.youtube.com/watch?v=yEv1A1Bt6Y0
- 10. @brysonbort @jorgeorchilles Penetration Testing ● Exploitation-focused ○ Popping shells is rewarding ● Crown-jewels or bust ○ Getting Domain Admin = good. ○ Only Getting Domain Admin = less good. ● Engagements are shorter ○ Bound by time & money ● Not intended to emulate “real-world” adversary behavior 10
- 11. @brysonbort @jorgeorchilles Red Team (and Penetration Testing) Internal Red Teams ● Repeated engagements ○ Remediation tests ● Use privileged/insider knowledge ○ See resource limits External Red Team ● Offers new perspective ○ May have other industry experience ● “Snapshot” engagements ○ Generate report based on limited window 11
- 12. @brysonbort @jorgeorchilles Emulation vs Simulation Emulation: reproduction of a function or action on a different computer or software system. Simulation: imitation of a situation or process; the action of pretending; the production of a computer model for the purpose of study or learning. False Flag: a covert operation designed to deceive by creating the appearance of a particular party or group being responsible for the activity, disguising the true source of responsibility. 12https://medium.com/@malcomvetter/emulatio n-simulation-false-flags-b8f660734482
- 13. @brysonbort @jorgeorchilles Emulation vs Simulation “Emulation: sort of in the spirit of, but we can never match adversaries exactly.” “Simulation: implies it’s an exact match.” -Katie Nickels 13https://youtu.be/-Bh1uhPJ6j0?t=1261
- 14. @brysonbort @jorgeorchilles Moar Simulation “BAS runs automated attacks, with the market currently having a range of BAS tools. Some BAS solutions can run surprise mock attacks, while some can conduct scheduled mock attacks.” 14 https://www.cybersecuritycloudexpo.com/2019/09/news/everything-you-need-to-know-about-breach-and-attack-simulation/ “These automated tools run simulated attacks to measure the effectiveness of a company's prevention, detection and mitigation capabilities.” https://www.esecurityplanet.com/threats/breach-and-attack-simulation.html
- 15. @brysonbort @jorgeorchilles Adversary Emulation A flexible and repeatable tool to be used by all teams. ● Customizable ○ Change C2, Actions on Objective, etc. ● Repeatable ○ Same engagements to be repeated & compared ● Kill Chain Insight ○ Find the defensive choke-points and move on ● Automatable ○ Once defined, can be shared & used by others/juniors/etc. 15
- 16. @brysonbort @jorgeorchilles White Box vs Black Box ● White Box: using “insider knowledge” of: ○ Organization ○ Staff ○ Products ○ Credentials ● Black Box: “external actor” focus: ○ Reconnaissance ○ Discovery ○ Circumvention ○ Stealth Business-Centric defense validation 16
- 17. @brysonbort @jorgeorchilles Defense Validation ● Red Team ○ Attempt to emulate threat behavior ■ Any Ransomware > WannaCry ○ Creative & Flexible Adversary ■ Today: APT ■ Tomorrow: Insider Threat ● Blue Team ○ Controls Validation ■ Firewall still blocking ‘badurl.com’? ○ Vendor Validation ■ Monitoring for exfil via DNS? 17
- 18. @brysonbort @jorgeorchilles Defense Validation Executives ○ Validate Investments in Products ■ Testing People and Process ■ Value vs. Snake Oil ○ Validate Investments in People ■ Is SOC awake? ■ What am I getting for that MSSP? 18
- 20. @brysonbort @jorgeorchilles Threat Intelligence Today ● Static Identifiers == Disappointing ○ Ch-ch-ch-changes ○ Machine read for emulation ● Analyst reports == “Sigh …” ○ Have to read them… ● Breaking Imphash by Chris Balles/Ateeq Sharfuddin https://arxiv.org/abs/1909.07630 20
- 21. @brysonbort @jorgeorchilles Threat Intelligence Today ● Neutered Malware == Awesome(?) ○ Risky work ○ Intensive ○ Signature-based bias 21 David Bianco: http://detect-respond.blogspot.com/2013/03/the- pyramid-of-pain.html
- 22. @brysonbort @jorgeorchilles Threat Intelligence 22 S0129 – AutoIT T1068 – Exploitation for Privilege Escalation S0194 - PowerSploit T1003 - Credential Dumping IP Address S0002 - Mimikatz S0192 - Pupy Hash Value T1086 - Powershell Graphic derived from idea by Katie Nickels, MITRE
- 26. @brysonbort @jorgeorchilles MITRE ATT&CK ● Common language ○ Periodic Table ○ Red & Blue & Executives ● “Meta-Layer” for behavior ○ Decouple Technique from Command ● Visualize effectiveness ○ Works well for reports over time 26 ● Examples are abused ○ “We are monitoring for that command!” ● Rigid Adherence ○ Don’t ignore non-ATT&CK threats ● Can hinder re-tests ○ “We’ve already tried all-the- Persistence!” ● Box focus ○ An attack is an iterative chain of events with context
- 28. @brysonbort @jorgeorchilles C2 Matrix ● Collaborative Evaluation ● Google Sheet of C2s ○ 35 frameworks ● Find ideal C2 for your needs ● Wizard like UI to select ● www.thec2matrix.com ● @C2_Matrix 28
- 29. @brysonbort @jorgeorchilles C2 Matrix - Roadmap Released today ● howto.thec2matrix.com Coming soon! ● SANS Slingshot C2 Matrix Edition - 10 C2s ● Kali Linux - 11 C2s ● ATT&CK Mapping ● Adversary Mapping 29
- 32. @brysonbort @jorgeorchilles Execution Planning 32 Plugin Notes Sandcat (54ndc47) Default agent, GoLang. Requires port 8888 Terminal GUI, Reverse Shell, manual operations SSL HTTPS Stockpile Abilities, Adversaries, Planner, Facts
- 35. @brysonbort @jorgeorchilles 35 Emotet ● Started in 2014 ● Uses SMTP, HTTP/S ● Changes ~weekly, daily ● Still a threat Nanocore ● Started ~2013 ● Uses HTTP/S ● Changes ~15 days ● Still a threat Remcos ● Started in 2016 ● Uses SOCKS5 ● Changed on demand ● Still a threat TrickBot ● Started in 2016 ● Uses HTTP/S ● Changes ~3-5 days ● Still a threat Notice any trends? @brysonbort
- 36. @brysonbort @jorgeorchilles Network Activities (aka “Command & Control” or “C2”) ● Tends to be a “finite space” ○ Adversaries use the same wires as you ● Communication/Traffic ○ Network anomalies (& baselines) ● C2 infrastructure ○ The Cloud is your friend (& enemy) 36
- 37. @brysonbort @jorgeorchilles Lateral Movement ● is … ○ Pivoting from endpoint-to-endpoint ○ Password spraying ○ Use of vulnerabilities ● is also … ○ Combination of Network & Host ○ “Should these be talking?” ○ “Should these be on same network?” 37
- 38. @brysonbort @jorgeorchilles Host Activities (aka “Actions on Objective”) ● Destruction: ransomware, wiper ○ But, don’t always need to wipe. Monitor for mass File Creation? ● Escalation ○ Social Engineering & 0/N Days ● Persistence ○ Services & User Space ● Credentials 38
- 40. @brysonbort @jorgeorchilles Benefits & Challenges of “Going Purple” ● Formalizes Red & Blue Joint Goal ○ … secure the organization. ● Structure around engagements ○ Intervals & Durations ● Rules of Engagement ○ … when allowed to bend or break. 40 ● Bureaucracy is hard. ○ … need to formalize process/documents. ● Scheduling is hard. ○ … many disparate parties into one room. ● Culture is hard. ○ … “Red vs. Blue is wrong.”
- 41. @brysonbort @jorgeorchilles Purple Team Exercises - Lessons Learned ● It is all about the TTPs ● Test and report the good and the bad (with an action plan) ● Running a high-value, in person purple team exercise: ● Xena will be presenting an entire talk on ideas for high value & high impact purple team exercises at Thotcon 41 https://www.slideshare.net/jorgeorchilles/purple-team-work- it-out-organizing-effective-adversary-emulation-exercises
- 42. @brysonbort @jorgeorchilles For more SANS SEC 564 Red Team Exercises and Adversary Emulation "Organizations are maturing their security testing programs to include Red Team exercises and adversary emulations. These exercises provide a holistic view of an organization's security posture by emulating a realistic adversary to test security assumptions, measure the effectiveness of people, processes, and technology, and improve detection and prevention controls. This course will teach you to plan Red Team exercises, leverage threat intelligence to map against adversary tactics, techniques, and procedures, build a Red Team program and plan, execute a Red Team exercise and report and analyze the results, and improve the overall security posture of the organization." 42
Editor's Notes
- I call half of Pen Test through Continuous Purple Team Adversary Emulation
- Dwell time is still 300+ days. Most of these RATS can be bought for <$50 USD or rented.
- In between blind adversary emulations, we perform in person purple team end-to-end adversary emulation exercises with TTPs we know will get detected (logged or alert) as well as some that may not. Start with TTPs that will definately be logged and alerted but not prevented. This gives everyone a good psychological boost to start the exercise. Then go into others that may or may not be caught. We used SCYTHE to create these payloads before the exercise. It lowers the time Red Team needs to execute and allows more time for Blue to find logs, alerts, or forensic evidence. It also allowed us to execute the TTP multiple times over and over as tuning of detective controls was tested.