Purple on my mind: setting up a cost effective automated adversary simulation program
Mauricio Velazco (@mvelazco)
Olaf Hartong (@olafhartong)
#whoarewe
Olaf Hartong
● @olafhartong
● Defensive Specialist @ FalconForce
● https://github.com/olafhartong
Mauricio Velazco
● @mvelazco
● Threat Management team lead @ Fortune 500
● https://github.com/mvelazc0
1: Intro
Detection Program
● You have spent a lot of money constructing a solid defense program
● Ingesting, transforming and indexing network/endpoint telemetry
● Buying all kinds of amazing tools: AI, ML, CTI, etc.
● Creating detection logic
● It takes effort to deploy a program, but once you deploy it ....
@olafhartong @mvelazco
Truth or Myth?
Problem Statement
● How do you know if your event pipeline is working?
● Did that GPO change last week break anything in terms of security?
● Is that detection you built last year still working?
● How do you know if your detection vendor is doing what they are supposed to?
● How can you convince your stakeholders you're in control?
● How do you know if your detection is resilient?
The Approach (diagram: Risk → Controls → Effectiveness)
Control effectiveness, validated in layers:
● Automated adversarial simulation
● Purple teaming
● Advanced simulation on select scope
2: Automated Adversary Simulation
Automated attack simulation
What is it
● A valuable way to validate your environment on a continuous basis
● It allows you to measure the progress of your effort
● It exposes unintended security implications of an ever-changing environment
● A cost-effective methodology
● A means to generate sample data
What is it NOT
● A red team replacement
● Pentesting
● Skynet
● Impacting continuity (by design)
● The new holy grail or buzzword
Our approach
Governance → Reference Framework → Scope selection → Campaign design → Run the campaign → Validation/Reporting
Integration into your detection engineering process
1. Hypothesize
•Develop general theories
•Use Threat Intelligence, ATT&CK, industry reports and internal knowledge
•Develop interesting queries
•Determine timespan
2. Investigate & research
•Find ways a technique can be executed: scripts/samples/procedures
•Determine what data you will need
•Investigate what it looks like when the technique has been executed
•Develop initial validation script options
3. Develop analytics
•Build a set of analytics
•Cast a wide net, then narrow it
•Be efficient
4. Analyze and implement
•Review results
•Enrich where possible
•Tune the query if needed, keep it resilient
•Implement analytics in production
•Implement validation script
5. Report and revise
•Report to IR/TI/Management
•Measure efficiency
•Measure scope
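The "run the campaign → validation/reporting" loop and the validation script the process above asks for, as an added example that is not PurpleSharp's or the ThreatHunting app's code: a small Python validator takes the simulator's run log (technique, host, start time, expected Windows event IDs), checks which expected IDs came back from the SIEM for that host inside a latency window, and turns the results into an ATT&CK Navigator layer for reporting. The event records, host names, field names and the Navigator layer version fields are constructed assumptions standing in for a real SIEM query and layer export.

```python
"""Campaign telemetry validation (added example, not PurpleSharp code).
Answers the slide's questions: did the pipeline deliver the events a simulated
technique must produce, per host, within an acceptable delay?"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import json


@dataclass(frozen=True)
class Simulation:
    technique: str            # ATT&CK technique ID the simulator executed
    host: str                 # where the telemetry should originate
    started: datetime         # simulator's own timestamp for the run
    expected_ids: frozenset   # Windows event IDs the technique must produce


# Constructed rows standing in for what a SIEM search returns for the campaign's
# time range (field names are an assumption). WS02 never delivered a 4697.
EVENTS = [
    {"host": "WS01", "id": 4688, "time": "2020-08-07T14:00:03"},
    {"host": "WS01", "id": 4104, "time": "2020-08-07T14:00:04"},
    {"host": "WS01", "id": 4697, "time": "2020-08-07T14:05:10"},
    {"host": "WS02", "id": 4688, "time": "2020-08-07T14:10:02"},  # 4697 missing: audit policy?
    {"host": "DC01", "id": 4771, "time": "2020-08-07T14:20:30"},
]

# Constructed run log of one campaign (hypothetical hosts and times).
CAMPAIGN = [
    Simulation("T1059.001", "WS01", datetime(2020, 8, 7, 14, 0, 0), frozenset({4688, 4104})),
    Simulation("T1543.003", "WS01", datetime(2020, 8, 7, 14, 5, 0), frozenset({4697})),
    Simulation("T1543.003", "WS02", datetime(2020, 8, 7, 14, 10, 0), frozenset({4697})),
    Simulation("T1110.003", "DC01", datetime(2020, 8, 7, 14, 20, 0), frozenset({4771})),
]


def observed_ids(sim, events, window=timedelta(minutes=5)):
    """Event IDs seen from sim.host between the simulation start and start+window.
    The window absorbs forwarding/indexing latency; anything later does not count,
    so a slow or broken pipeline shows up as a failure, not a late success."""
    end = sim.started + window
    return {e["id"] for e in events
            if e["host"] == sim.host
            and sim.started <= datetime.fromisoformat(e["time"]) <= end}


def validate(campaign, events):
    """One result per technique@host: which expected IDs arrived and which did not."""
    results = {}
    for sim in campaign:
        seen = observed_ids(sim, events)
        missing = sorted(sim.expected_ids - seen)
        results[f"{sim.technique}@{sim.host}"] = {
            "seen": sorted(seen & sim.expected_ids),
            "missing": missing,
            "ok": not missing,
        }
    return results


def navigator_layer(results, name="Simulation telemetry coverage"):
    """ATT&CK Navigator layer (layer format fields are an assumption): a technique
    scores 100 when every host produced its expected telemetry, 0 when any host
    missed some, so the heatmap points at the technique/host pairs to investigate."""
    per_tech = {}
    for key, r in results.items():
        tech, host = key.split("@")
        per_tech.setdefault(tech, []).append((host, r))
    techniques = []
    for tech, runs in sorted(per_tech.items()):
        failed = [f"{h}: missing {r['missing']}" for h, r in runs if not r["ok"]]
        techniques.append({"techniqueID": tech,
                           "score": 0 if failed else 100,
                           "comment": "; ".join(failed) or "all hosts ok"})
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.0", "navigator": "4.0", "attack": "8"},
            "techniques": techniques}


if __name__ == "__main__":
    res = validate(CAMPAIGN, EVENTS)
    print(json.dumps(res, indent=2))
    print(json.dumps(navigator_layer(res), indent=2))
```

In practice the run log comes from the simulator and the events from a SIEM search scoped to the campaign window; the validator is what turns "we ran the campaign" into "the pipeline delivered, or did not, for these hosts", which is the evidence the reporting step needs.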
End to end
Test your detection logic, data pipeline,
mitigations anywhere...in production
Requirements
✘ A defensive capability
✘ Ideally, some knowledge of the threats your company is facing
✘ Tools to execute and orchestrate these crafted scenarios
✘ An adversarial mindset
✘ Management buy-in, or say sorry later :)
✘ In case of an MSSP, get their involvement
3: State of The Art
Adversary Simulation Tools
Commercial
● Scythe
● AttackIQ
● Safebreach
● Verodin
● XM Cyber
● Cymulate
● [more]
Open Source
● Red team tools: Msf, Empire, etc.
● Caldera
● Reternal
● Metta
● Atomic Red Team
● APTSimulator
● [more]
4: Our Tooling
PurpleSharp
✘ Executes attack techniques within Windows AD environments
✘ C#
✘ MITRE ATT&CK
✘ Goal: Generate telemetry to build, test & enhance detection controls
https://github.com/mvelazc0/PurpleSharp
Why PurpleSharp
✘ Simplicity
✘ Verbose Logging
✘ Remote simulations
✘ Credible simulations
✘ Randomness
✘ Attack variations
PurpleSharp
✘ Orchestrator
✘ Scout
✘ Simulator
Attack Variations: PowerShell
- 4688 - A new process has been created
- EDR
- 4104 - PowerShell script block logged (Execute a Remote Command)
Attack Variations: Service installation
- 4688 - A new process has been created
- EDR
- 4697 - A service was installed in the system
Attack Variations: Authentication
- Kerberos: 4771 - Kerberos pre-authentication failed
- NTLM: 4776 - The computer attempted to validate the credentials for an account
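The three variation slides make one point: a detection keyed on a single telemetry source catches one procedure for a technique and misses the next. As an added example (not PurpleSharp's code), the Python below models each variation as the events it leaves behind and evaluates a few toy detections against them, reporting for each detection which variations of the same technique it misses. The technique groups follow the slides (PowerShell execution, service installation, Kerberos vs NTLM logon failures); the event records are constructed and simplified, and the encoded command, status codes and process names are illustrative assumptions.

```python
"""Detection resilience across attack variations (added example, not PurpleSharp
code). Each variation is the set of events it leaves behind; each detection is a
predicate over a single event. All records are constructed and simplified."""

# Constructed events: a subset of the fields carried by the Security log
# (4688, 4697, 4771, 4776) and the PowerShell Operational log (4104).
VARIATIONS = {
    # Execution: PowerShell (T1059.001)
    "T1059.001/powershell.exe": [
        {"id": 4688, "image": "powershell.exe", "cmdline": "powershell.exe -nop -c whoami"},
        {"id": 4104, "scriptblock": "whoami"},
    ],
    "T1059.001/encoded": [
        # -enc keeps the script out of the process command line ...
        {"id": 4688, "image": "powershell.exe", "cmdline": "powershell.exe -enc dwBoAG8AYQBtAGkA"},
        # ... but script block logging records the decoded block
        {"id": 4104, "scriptblock": "whoami"},
    ],
    "T1059.001/unmanaged host": [
        # engine hosted in another process: no powershell.exe process creation,
        # yet 4104 still fires because script block logging lives in the engine
        {"id": 4688, "image": "updater.exe", "cmdline": "updater.exe"},
        {"id": 4104, "scriptblock": "whoami"},
    ],
    # Persistence: Windows service (T1543.003)
    "T1543.003/sc.exe": [
        {"id": 4688, "image": "sc.exe", "cmdline": "sc.exe create svc binPath= C:\\x.exe"},
        {"id": 4697, "service": "svc", "path": "C:\\x.exe"},
    ],
    "T1543.003/CreateService API": [
        {"id": 4697, "service": "svc", "path": "C:\\x.exe"},  # no helper process at all
    ],
    # Credential access: password spraying (T1110.003) seen from the DC
    "T1110.003/kerberos": [
        {"id": 4771, "user": "alice", "status": "0x18"},        # KDC_ERR_PREAUTH_FAILED
    ],
    "T1110.003/ntlm": [
        {"id": 4776, "user": "alice", "status": "0xc000006a"},  # wrong password
    ],
}

# Toy detections, each keyed on one telemetry source.
DETECTIONS = {
    "ps_cmdline_whoami":     lambda e: e["id"] == 4688 and "whoami" in e.get("cmdline", "").lower(),
    "ps_image":              lambda e: e["id"] == 4688 and e.get("image", "").lower() == "powershell.exe",
    "ps_scriptblock_whoami": lambda e: e["id"] == 4104 and "whoami" in e.get("scriptblock", "").lower(),
    "service_via_sc":        lambda e: e["id"] == 4688 and e.get("image", "").lower() == "sc.exe"
                                       and " create " in e.get("cmdline", "").lower(),
    "service_installed":     lambda e: e["id"] == 4697,
    "ntlm_bad_password":     lambda e: e["id"] == 4776 and e.get("status") == "0xc000006a",
    "logon_failure_any":     lambda e: e["id"] in (4771, 4776),
}


def coverage(variations, detections):
    """Matrix detection -> variation -> whether any event of that variation fired it."""
    return {name: {var: any(fn(ev) for ev in events) for var, events in variations.items()}
            for name, fn in detections.items()}


def misses(matrix, technique):
    """For every detection that catches at least one variation of `technique`, list
    the variations of that technique it does not catch. An empty list means the
    detection held across every simulated variation; a non-empty one is the gap."""
    out = {}
    for det, row in matrix.items():
        same = {v: hit for v, hit in row.items() if v.startswith(technique + "/")}
        if any(same.values()):
            out[det] = sorted(v for v, hit in same.items() if not hit)
    return out


if __name__ == "__main__":
    m = coverage(VARIATIONS, DETECTIONS)
    for tech in ("T1059.001", "T1543.003", "T1110.003"):
        for det, gaps in misses(m, tech).items():
            print(f"{tech:10} {det:22} misses: {gaps or 'nothing'}")
```

The output shows the pattern the slides describe: the command-line match survives only the plain powershell.exe variation, the image match also dies on the unmanaged host, while the 4104-based rule holds across all three; likewise 4697 covers both service paths where an sc.exe rule does not, and a 4776-only rule is blind to a Kerberos spray. Re-running this after each simulator run is what turns "is that detection still working?" into a yes or no per variation.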
Threat Hunting App
✘ Free Splunk application
✘ Very graphically oriented
✘ Built for threat hunting and detection engineering
✘ Loads of detections for attack techniques within Windows environments
✘ Utilizes Sysmon and native Windows Event Log data
✘ MITRE ATT&CK focused
✘ Goal: Create an investigative workflow for hunters and provide as much context as possible
https://github.com/olafhartong/ThreatHunting
Automated Adversary Simulation
5: Demos
Demo 1
Execution - TA0002
PowerShell - T1059.001
Windows Command Shell - T1059.003
JavaScript/JScript - T1059.007
Demo 2
Persistence - TA0003
Registry Run Keys - T1547.001
Scheduled Task - T1053.005
Defense Evasion - TA0005
Portable Executable Injection - T1055.002
Credential Access - TA0006
LSASS Memory - T1003.001
Demo 2 1/2: ATT&CK Navigator
Demo 3
Persistence - TA0003
Registry Run Keys - T1547.001
Scheduled Task - T1053.005
Defense Evasion - TA0005
Portable Executable Injection - T1055.002
Credential Access - TA0006
LSASS Memory - T1003.001
Takeaways
● Huge value in terms of control and reportability
● It does not have to be an expensive program
● Implement a way of testing into your detection engineering efforts
● Use it for developing new detections or improving your current analytics
● It should not be a grading mechanism
Thank You
https://github.com/olafhartong/ThreatHunting
https://github.com/mvelazc0/PurpleSharp
Presented at Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Adversary Simulation - Olaf Hartong & Mauricio Velazco