Slides for EDUCAUSE - Security Professionals Conference Online https://www.educause.edu/ by https://twitter.com/jorgeorchilles References: Definitions: https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988 MITRE ATT&CK https://attack.mitre.org/ ATT&CK Navigator: https://mitre-attack.github.io/attack-navigator/enterprise/ C2 Matrix: https://www.thec2matrix.com/ VECTR: https://vectr.io/ 2 Day Red Team Exercises and Adversary Emulation SANS Course SEC564: https://www.sans.org/course/red-team-exercises-adversary-emulation

1. Adversary
Emulation JORGE ORCHILLES

2. #WHOAMILed offensive security team at large financial for past 10 years
Industry contributions include:
⑊ Founding member MITRE Engenuity Center
⑊ Co-Author GFMA Threat-led Penetration Testing & Red Team Framework
⑊ SANS Instructor and author of Red Team course: SEC564
⑊ NSI Technologist Fellow; ISSA Fellow
⑊ Common Vulnerability Scoring System (CVSSv3.1)
⑊ Author of Windows 7 Administrators reference (Syngress)
@JORGEORCHILLES

3. WHAT IS RED TEAMING?
⑊ The practice of looking at a problem or situation from the perspective of an
adversary – Red Team Journal
⑊ In information security, it is applied in various formats
- Adversary Emulations: Blind and Non-Blind
- Social engineering
- Tabletop Exercises / Wargaming
▪ Non-Technical
▪ Adversary or Threat Simulation
@JORGEORCHILLES

4. 4
Adversary Blue Team
Command
& Control (C2)
Tactics, Techniques,
& Procedures (TTP’s)
RED TEAM
TERMS
@JORGEORCHILLES

5. 5
VULNERABILITY
SCANNING
VULNERABILITY
ASSESSMENT
PENETRATION
TESTING
RED
TEAM
IN PERSON
PURPLE TEAM
CONTINOUS PURPLE
TEAM
ADVERSARY EMULATION
Definition: A type of Red Team exercise where the Red Team emulates how
an adversary operates, following the same tactics, techniques, and
procedures (TTPs), with a specific objective like those of realistic adversary.
Goal: Emulate an end-to-end attack against a target organization. Obtain a
holistic view of the organization’s preparedness for a real, sophisticated
attack.
@JORGEORCHILLES

6. 6
An end to end assessment of
the entire organization
⑊ Main differentiator from penetration testing
- Tests the defenders not the defenses (detection vs. prevention)
- People, Process, and Technology
- Not a limited scope test targeting just a particular product,
infrastructure, network, application, URL, or domain
⑊ Full Cyber Kill Chain from Recon to Objective
⑊ Often blind, unannounced exercise
⑊ Determine what TTPs would work, undetected if a true attack
occurred and action plan to remediate
@JORGEORCHILLES

7. 7
Measuring the effectiveness of
People, Process, and
Technology
Documented metrics and timeline of entire exercise
⑊ Time and TTPs to obtain initial access
⑊ TTPs that allowed moving laterally
⑊ Identify TTPs not prevented or detected
⑊ Process and time to escalate events into an incident
⑊ Time to contain;
⑊ Time to eradicate
⑊ Process to engage hunt team, coordinate communications, alert
leadership and correlate all events and realize sophisticated,
targeted attack
@JORGEORCHILLES

8. 8
ASSUMPTIONS
That attack won’t work here because…
“We applied all patches”
“We have outbound DLP”
“Our users would never open a macro”
“Our applications have MFA”
“Our network is segmented and only way out
is through proxy”
“We have firewalls, AV, and IDS”
Trust but verify
Can the Iranians breach us?
@JORGEORCHILLES

9. 9
Training and improving the Blue Team
⑊ Every Red Team Exercise will result in Blue Team getting better
⑊ As you measure the people, process, and technology you will see
improvements
⑊ Lessons will be learned, and processes improved
⑊ The more you train, the more you improve
@JORGEORCHILLES

10. 10
FRAMEWORK
&
METHODOLOGIES
⑊ Cyber Kill Chain – Lockheed Martin
⑊ Unified Cyber Kill Chain – Paul Pols
⑊ ATT&CK – MITRE
Regulatory
⑊ CBEST Intelligence Led Testing – Bank of England
⑊ Threat Intelligence-Based Ethical Red Teaming – TIBER-EU
⑊ Red Team: Adversarial Attack Simulation Exercises – ABS (Association
of Banks of Singapore)
⑊ intelligence-led Cyber Attack Simulation Testing (iCAST) – HKMA
(Hong Kong Monetary Authority)
⑊ G-7 Fundamental Elements for Threat-Led Penetration Testing
(G7FE-TLPT)
⑊ A Framework for the Regulatory Use of Penetration
Testing and Red Teaming in the Financial Services
Industry – GFMA (Global Financial Markets Association)
@JORGEORCHILLES

11. INITIAL ACCESS EXECUTION PERSISTENCE PRIVILEGE
ESCALATION
DEFENSIVE EVASION CREDENTIAL ACCESS DISCOVERY LATERAL
MOVEMENT
COLLECTION COMMAND AND
CONTROL
EXFILTRATION IMPACT
DRIVE- BY
COMPROMISE
APPLESCRIPT .BASH_PROFULE
AND .BASHRC
ACCESS TOKEN
MANIPULATION
ACCESS TOKEN
MANIPULATION
ACCOUNT
MANIPULATION
ACCOUNT
DISCOVERY
APPLESCRIPT AUDIO CAPTURE COMMONLY USED
PORT
AUTOMATED
EXFILTRATION
DATA DESTRUCTION
EXPLOIT PUBLIC-
FACING
APPLICATION
CMSTP ACCESIBILITY
FEATURES
ACCESIBILITY
FEATURES
BITS JOBS BASH HISTORY APPLICATION
WINDOW
DISCOVERY
APPLICATION
DEPLOYMENT
SOFTWARE
AUTOMATED
COLLECTION
COMMUINICTION
THROUGH
REMOVABLE DATA
DATA COMPRESSED DATA ENCRYPTED
FOR IMPACT
EXTERNAL REMOTE
SERVICES
COMMAND-LINE
INTERFACE
ACCOUNT
MANIPULATION
APPCERT DLLS DINARY PADDING BRUTE FORCE BROWSER
BOOKMARK
DISCOVERY
DISTRUBETED
COMPONENT
OBJECT MODEL
CLIPBOARD DATA CONNECTION PROXY DATA ENCRYPTED DEFACEMENT
HARDWARE
ADDITIONS
COMPILED HTML
FILE
APPCERT DLLS APPINIT DLLS ACCOUNT CONTROL
BYPASS USER
CREDENTIAL
DUMPING
DOMAIN TRUST
DISCOVERY
EXPLOITATION OF
REMOTE SERVICES
DATA STAGE CUSTOM COMMAND
AND CONTROL
PROTOCOL
DATA TRANSFER SIZE
LIMIT
DISK CONTENT WIPE
REPLICATION
THROUGH
REMOVABLE MEDIA
CONTORL PANEL
ITEMS
APPINIT DLLS APPLICATION
SHIMMIMG
CMSTP CREDENTIALS IN
FILES
FILE AND DIRECTORY
DISCOVERY
LOGON SCRIPT DATA FROM
INFORMATION
REPOSITORIES
CUSTOM
CRYPTOGRAPHIC
PROTOCOL
EXFILTRATION OVER
ALTERNATIVE
PROTOCOL
DISK STRUCTURE
WIPE
SPEARPHISHING
ATTACHMENT
DYNAMIC DATA
EXCHANGE
APPLICATION
SHIMMING
BYPASS USER
ACCOUNT CONTROL
CLEAR COMMAND
HISTORY
CREDENTIALS IN
REGISTRY
NETWORK SERVICE
SCANNING
PASS THE HASH DATA FROM LOCAL
SYSTEM
DATA ENCODING EXFILTRATION OVER
COMMAND AND
CONTROL CHANNEL
ENDPOINT DENIAL
OF SERVICE
SPEARPHISHING
LINK
EXECUTION
THROUGH API
AUTHENTICATION
PACKAGE
DLL SEARCH ORDER
HIJACKING
CODE SIGNING EXPLOITATION FOR
CREDENTIAL ACCESS
NETWORK SHARE
DISCOVERY
PASS THE TICKET DATA FROM
NETWORK SHARE
DRIVE
DATA OBFUSCATION EXFILTRATION OVER
OTHER NETWORK
MEDIUM
FIRMWARE
CORRUPTION
MITRE has developed the ATT&CK Matrix as a central repository for adversary TTPs. It is used by both
red and blue teams. It is rapidly gaining traction as a de facto standard!
@JORGEORCHILLES

12. THE COURSE
FRAMEWORK
Most organizations will take a hybrid approach based on the
frameworks and methodologies just introduced
⑊ Threat Intelligence
⑊ Planning
⑊ Testing
⑊ Red Team Exercise Execution
⑊ Closure
- Analysis & Response
- Report
- Remediation and Action Plan
@JORGEORCHILLES

13. T1086 –
PowerShell
T1068 – Exploitation for
Privilege Escalation
T1003 – Credential
Dumping
S0194 –
PowerSploit
S0192 –
Pupy
S0002 –
Mimikatz
S0129 –
AutoIT
Hash
Value
IP Address
TACTICS | TECHNIQUES | PROCEDURES
https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
@JORGEORCHILLES

14. ATT&CK Navigator

15. 15
TRUSTED AGENTS RULES OF
ENGAGEMENT
ATTACK
INFRASTRUCTURE
o Limited number of people with knowledge of
the exercise
o When players find out about exercise their
behavior changes
o Individuals whose daily roles and
responsibilities put them in a position to
contribute to reducing the risk of causing
unintended impact to production systems
and/or inaccurate senior or external escalation
Establish the responsibility, relationship, and
guidelines between Trusted Agents and Players
o Rules for Blue Team
o Carry out all activity as any other incident
o Trusted Agents will report what incidents
are being investigated
o Do not report exercise related items to
regulators
o Rules for Red Team
o Do not bring down any business process
or operation
o Communicate all actions during daily
brief
Red Team is responsible for setting up
infrastructure to emulate TTPs
o Choose and procure
external hosting
service providers
o Purchase domain
names
o Generate domain
certificates
o Setup mail servers
o Setup phishing and
credential theft sites
o Confirm reputation
and categorization
of all domain and
IPs
o Setup Short and
Long Haul C2
infrastructure
o Configure custom
C2 tooling
o Test external C2
communication
PLANNING @JORGEORCHILLES
White Team or White Cell

16. 16
Matrix of command and control
frameworks for Red Teamers
⑊ Google doc of most C2 frameworks: www.thec2matrix.com
⑊ Documents various capabilities of each framework
⑊ There is no right or wrong, better or worse framework
⑊ Find ideal C2 for your current objective
⑊ Wizard like UI to select which one: ask.thec2matrix.com
⑊ How-To Site for using C2s: howto.thec2matrix.com
⑊ SANS Slingshot C2 Matrix Edition
@JORGEORCHILLES

17. 17
Initial Foothold
Compromised System
Network Propagation
Internal Network
Action on Objectives
Critical Asset Access
⑊ Reconnaissance
⑊ Weaponization
⑊ Delivery
⑊ Social engineering
⑊ Exploitation
⑊ Persistence
⑊ Defense evasion
⑊ Command & Control
⑊ Discovery
⑊ Privilege escalation
⑊ Execution
⑊ Credential access
⑊ Lateral movement
⑊ Collection
⑊ Exfiltration
⑊ Target manipulation
⑊ Objectives
PIVOTING ACCESS
Unified Kill Chains – Paul Pols
The Unified Kill Chain is a good answer to some of the Cyber Kill Chain limitations!
@JORGEORCHILLES

18. 18
⑊ What TTPs were prevented? Why? Document these too!
⑊ What was detected? How long did it take?
- Time to contain
- Time to eradicate
⑊ Where processes followed?
- Process and time to escalate events into an incident
- Process to engage hunt team
- Process to coordinate communications & alert leadership
- Process to corelate all events and realize sophisticated, targeted attack
CLOSURE
@JORGEORCHILLES

19. @JORGEORCHILLES

20. 20

21. @JORGEORCHILLES

23. Thank you!