This document discusses moving beyond just prevention of cyber attacks and instead assuming that networks will be breached. It argues that protective technologies will inevitably fail and the focus should shift to detection of breaches. Red team assessments are suggested to shift from just finding vulnerabilities to acting as training partners for blue teams by providing indicators of compromise, attack signatures, and use cases to help improve detection capabilities. A pyramid of pain model is presented to show moving up from just tools to full tactics, techniques and procedures used by attackers.

1. BEYOND PREVENTION,
ASSUME BREACH
Zach Grace

2. whoami /all
• Lead Security Consultant at Northwestern Mutual
• @MilSec Leader
• OWASP Milwaukee Leader
• Wisconsin CCDC Red Team member
• Team member of the 2015 DerbyCon CTF champs
• Twitterz: @ztgrace

3. Disclaimer
The opinions expressed here represent my own and not those of my
employer.

5. It’s not if, but when…

6. ASSUME COMPROMISE
• Protective technologies will fail
• Shifts blue team’s focus to the Detect phase
• Breach readiness as a mantra

7. PROTECTION FAILS
• Protection tools are often based on signatures
• Preventative in nature
• Examples of protective technologies:
• Anti-virus
• Firewalls
• IDS & IPS
• Web App Firewalls (WAF)
• Web Proxies
• Sandbox

8. COMPARED TO ATTACKERS
NIST CSF Identify Protect Detect Respond Recover
NIST SP800-115 Discovery
Gaining
Access
Escalating
Privileges
System
Browsing
Persistence
Cyber Kill Chain (1) Recon
(3)
Delivery
(4)
Exploit
(3) Delivery
(4) Exploit
(5) Install
(6) C2

10. ZoxPNG
• Used technet.microsoft.com for command and control
https://blogs.rsa.com/wolves-among-us-abusing-trusted-providers-malware-operations/

11. DETECT ISSUES
• Logging too little/much
• Poor Security information and event management (SIEM) correlation
• Ineffective security monitoring
• Insufficient training to create use cases

12. REFOCUS THE RED TEAM

13. PEN TESTING/RED TEAMING ISSUES
• Vulnerability focused
• Reporting doesn’t help defenders
• Lack of realistic threat modeling

14. REPORTS
• Vulnerability Focused
• “How I PWN’d you”
• Vague recommendations

15. REPORTS BE LIKE

16. BLUE TEAM NEEDS
• Training partner
• Indicators of Compromise (IOCs)
• Attack signatures
• Use cases

17. Compromise
Detection
Containment
MTD - MTC = ∆

18. ∆ FORCE

19. ∆ FORCE OBJECTIVES
• Provide IOCs and attack signatures alongside vulns in reports
• Perform threat simulations based on threat modeling
• Breakdown attacks into stages
• Validate detection at each stage, and assist with correlation

20. PYRAMID OF PAIN
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

21. HASH VALUES
• Summary/signature of bytes
• Fuzzy hashing

22. IP ADDRESSES
…the IP addresses used in an engagement

23. DOMAIN NAMES
…domain names used in an engagement

24. NETWORK ARTIFACTS
• Protocol-level artifacts
• HTTP
• UserAgent strings
• Missing host header
• DNS

25. HOST ARTIFACTS
• Persistence mechanisms
• Command & Control (C2/C&C)
• Backdoors

26. REG ADD "HKLMSOFTWAREMicrosoftWindows NT
CurrentVersionImage File Execution Options
sethc.exe" /v Debugger /t REG_SZ /d "C:windows
system32cmd.exe"

27. Sticky Keys Hunter v2

28. TOOLS
• Binaries/scripts transferred to host
• Built-in administrator tools
• Built/compiled on the compromised machine

29. IN-MEMORY POWERSHELL

30. TACTICS, TECHNIQUES and PROCEDURES (TTPs)
• Detecting and responding to adversarial behaviors
• Goes beyond tool detection

31. LATERAL MOVEMENT
• Windows
• SMB - Pass the Hash (PTH)
• WMI
• WinRM
• Linux/OS X/Unix
• SSH

32. WIRESHARK CreateServiceW

33. SNORT DETECTION
alert tcp any any -> any 445 (msg:"psexec service
created"; flow:to_server,established; content:"|FF
53 4D 42|"; dce_opnum:12; reference:url,https://
www.snort.org/faq/readme-dcerpc2; classtype:bad-
unknown; sid:31337; rev:1;)

34. SERVICE CREATION - 7045

35. METASPLOIT SERVICE NAME

36. POWERSHELL PSEXEC SERVICE
Service Name: zzVSnCcgDVXwECBU
Service File Name: %COMSPEC% /C echo wmic
computersystem get username ^> %SYSTEMDRIVE%WINDOWS
TempJvuqFpTTakgmRppQ.txt > WINDOWSTemp
EtVsuSpjptOYGbwK.bat & %COMSPEC% /C start %COMSPEC% /
C WINDOWSTempEtVsuSpjptOYGbwK.bat

37. TIMELINE

38. TIMELINE
• Log all the commands
• HISTTIMEFORMAT="%d/%m/%y %T “
• test "$(ps -ocommand= -p $PPID | awk '{print $1}')" == 'script' ||
(script -f $HOME/logs/$(date +”%d-%b-%y_%H-%M-
%S")_shell.log)
• Metasploit:
setg PromptTimeFormat "%Y-%m-%d %I:%H:%S"
setg Prompt "%T - (S: %S J: %J) "
spool /root/.msf4/msfconsole.log

39. TIPS FOR DEFENSE
• Use pen test & red team engagements as training exercises
• Ask for more than a vulnerability report (IOCs, PCAPs, logs, etc)
• Sit with and learn from the red team
• Rotate your testing firms or rotate your testers
• Perform root cause analysis on vulnerabilities

40. TIPS FOR OFFENSE
• Be a sparring partner
• Provide more data like IOCs, PCAPs, logs, etc.
• Incorporate use cases into reports
• Provide artifacts to reproduce attacks

41. THANK YOU!
@ztgrace
https://github.com/ztgrace/presentations/tree/master/
20160128_wctc_cyber_security_summit