@DAVE_MAYNOR
@JORGEORCHILLES
External Threat Hunters are
Red Teamers
@Dave_Maynor
@JorgeOrchilles
TL;DR
● Yes, this talk is about leveraging red team tradecraft to enable external
hypothesis-based threat hunting
● No, this talk has nothing to do with phishing :P
● Test case in Purple Teaming - how Red learns from Blue and Blue learns
from Red
● Intended audience: skilled practitioners in red and blue team moving to
Purple Teaming ~ natural evolution to Purple Teaming in next 2-3 years
● The takeaway from this talk will be: Understand and use Red Team
tradecraft (like leveraging C2 frameworks) in an external threat hunting
workflow for better insight, repeatability, and refinement
$whoami (David Maynor)
● 20 years experience in research, systems, offensive
consulting, and other security related positions in the
private sector
● Leads Lumen's Black Lotus Labs Analysis team
● Recently in news due to TrickBot takedown
● Builds relationships with intel partners, proactively
hunting for adversaries
● Entrepreneur
T1033 - User Discovery (Jorge Orchilles)
● Chief Technology Officer - SCYTHE
● 10 years leading offensive team @Citi
● Wrote a book when I was a sys admin
● Started in Vulnerability Assessment
● Pen Test
● Red Team
● Purple Team
Agenda
● What is Red Team
● What is External Threat Hunting
● Red Team Tools and Tradecraft
● Attack Infrastructure
● Using C2
● Analysis and Refinement
What is Red Team?
● Definition:
○ “The practice of looking at a problem or situation
from the perspective of an adversary”
– Red Team Journal
● Goal:
○ Make Blue Team better
○ Test and measure people, process, and
technology
○ Test assumptions
● Effort:
○ Manual
○ Many tools (C2 Matrix)
○ Some automation for attack infra
● Frequency:
○ Intelligence-led (new exploit, tool, or
TTP)
○ Yearly (regulatory)
● Customer:
○ Blue Teams
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
What is External Threat Hunting?
● Definition:
○ “Proactive identification of threats outside of
your perimeter”
– BlueVoyant
● Goal:
○ Make Blue Team better
○ To find and understand actor TTPs in the wild, so that
Blue/Red/Purple teams have more data-driven
intelligence for testing
○ Test assumptions
● Effort:
○ Manual
○ Many tools (C2 Matrix)
○ Infrastructure acquisition and maintenance
○ Cross domain Threat Intelligence
partnerships
● Frequency:
○ Constantly
○ Quarterly refinement of target of
interest
● Customer:
○ Blue/Red/Purple Teams
○ Internal Risk officers
Why External Threat Hunting?
● This may not be ideal for every organization (we get it)
● The workflow is hard to develop correctly without some amount of “gut”
instinct
● Possibility of becoming a boondoggle
● Hard to quantify results and their value to organizational security
● A lot of the same arguments can be made about red teaming
● Red Team and External Hunting overlap in more than the problem of proving
value: the needs of the operators are also shared, which means there is a lot
of room for reuse of tools and tradecraft between red team and external hunting
Needs of Both Teams
● Ability to pivot through infrastructure and keep logs and verifiable evidence
in a central searchable repository
● Document, Document, Document (aka logs of every action)
● A toolset that allows for effective use by team members regardless of the
underlying environment
● Scaling up as team grows – consistency
Planning (Comparison)

Planning                  | Red Team                                  | External Threat Hunting
--------------------------+-------------------------------------------+-------------------------------------------
Goals and Objectives      | Yes                                       | Yes
Cyber Threat Intelligence | Pick Adversary and TTPs to Emulate        | Formulating a target list
Scope                     | Yes                                       | Yes
Exercise Coordinator/PM   | Yes                                       | Yes
Rules of Engagement       | Don’t bring down infrastructure           | Don’t get into a knife fight with a
                          | Don’t affect business processes           |   threat actor
                          | Don’t break laws                          | Don’t break laws
                          | Don’t forget the purpose of the exercise  | Don’t forget the purpose of the exercise
Attack Infrastructure     | Yes                                       | Yes
Lessons Learned           | Analysis & Response                       | Analysis & Refinement
Formulating a target list
● A list of attacker groups is needed but also a list of attacker capabilities
● Like Cyber Threat Intelligence being used by Red Team in Adversary
Emulation
● Identify adversaries with the opportunity, intent, and capability to attack your
organization
● Understand current capabilities but also possible future capabilities
Attack Infrastructure
● Choose and procure external
hosting service providers
● Purchase domain names
● Generate domain certificates
● Set up mail servers
● Set up phishing and credential
theft sites
● Confirm reputation and
categorization of all domain and
IPs
● Set up Long and Short Haul
C2 infrastructure
● Configure custom C2 tooling
● Test external C2
communication schemes
● Set up RedELK for central
logging and Blue Team
detection
Operational Security
● Ensure all external systems are locked down so that only Red Team
members can access administrative interfaces
● Ensure all payloads being generated can only be run from target
environment
● Ensure all web properties do not include attributable information
● Ensure all external systems store all operating files using strong
encryption
● Vet payloads and techniques for IoCs to aid blue team in lessons
learned phase and aid in white cell deconfliction periods
● Can you detect the Blue Team investigating you?
RedELK
● Goal 1: Ease the work of the RT by aggregating logs and providing central
access to all details of ops, e.g. traffic and C2 logs, IOCs, screenshots, etc.
● Goal 2: Red Team’s SIEM that alarms when Blue Team is investigating
● Version 2 (pending late 2020) adds hunting capabilities:
○ Data from bluecheck (implants performing blue team recon)
○ Jupyter notebooks – with tons of ready to use playbooks
○ Neo4J (BloodHound data!)
○ Hunt through all these data points at one time, e.g. does the user of the current
C2 implant (C2 logs) have an access path to system X or user Y (BloodHound data)?
Attack Infrastructure Overview
Command and Control
● Influence an attacker has over a
compromised computer system
that they control
● Communication method attacker
leverages to manipulate target
systems
● Use Heartbeats/Beacons
(callbacks)
● Add Jitter to avoid patterns
● Consistent shell
● Log all operator actions and
responses
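The heartbeat-with-jitter behaviour described above is the red side of a purple-team test case; the Python example below is added here (it is not code from the slides or from any C2 framework) and shows the blue side: it builds a constructed proxy log from a 60-second beacon with 20% jitter plus irregular user browsing, then runs a hunter's inter-arrival check that still flags the beacon because jitter widens the gaps but keeps them clustered. The IPs, URIs, interval and thresholds are assumptions chosen for the example.

```python
"""Beacon timing analysis: a jittered C2 heartbeat schedule beside the
hunter's inter-arrival check that still flags it (added example)."""
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample window; every timestamp below is generated from it.
BASE = datetime(2020, 10, 1, 12, 0, 0)


def jittered_schedule(start, interval_s, jitter_pct, count, seed=1):
    """Return callback timestamps where each sleep is interval +/- jitter_pct.
    This mirrors the 'sleep with jitter' setting C2 frameworks expose."""
    rng = random.Random(seed)
    t = start
    out = []
    spread = interval_s * jitter_pct
    for _ in range(count):
        t += timedelta(seconds=interval_s + rng.uniform(-spread, spread))
        out.append(t)
    return out


def build_sample_log():
    """Constructed proxy log lines: '<iso-timestamp> <src> <dst> <uri>'.
    One implant (10.1.2.3) beacons every 60s with 20% jitter; one user
    (10.1.2.4) browses the same destination at irregular intervals."""
    lines = []
    for ts in jittered_schedule(BASE, 60, 0.2, 30):
        lines.append(f"{ts.isoformat()} 10.1.2.3 203.0.113.10 /api/v1/updates")
    rng = random.Random(7)
    t = BASE
    for _ in range(30):
        t += timedelta(seconds=rng.uniform(1, 400))
        lines.append(f"{t.isoformat()} 10.1.2.4 203.0.113.10 /news")
    return sorted(lines)


def parse(line):
    """Split one constructed log line into its four fields."""
    ts, src, dst, uri = line.split()
    return datetime.fromisoformat(ts), src, dst, uri


def beacon_candidates(lines, min_count=10, max_cv=0.3):
    """Group requests by (src, dst), compute inter-arrival gaps and flag pairs
    whose coefficient of variation (stdev / mean) stays low.  A 20% jitter
    on a 60s sleep yields gaps in [48, 72] with a CV near 0.12; human
    browsing spreads far wider and falls outside the threshold."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, _ = parse(line)
        by_pair[(src, dst)].append(ts)
    found = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_count:
            continue  # too few callbacks to judge regularity
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            found[pair] = {"interval_s": round(mean), "cv": round(cv, 3),
                           "count": len(times)}
    return found


if __name__ == "__main__":
    for pair, info in beacon_candidates(build_sample_log()).items():
        print(f"beacon candidate {pair[0]} -> {pair[1]}: {info}")
```

Tuning `max_cv` is the purple-team loop: the red side raises jitter until the check misses, and the blue side then adds a second signal (such as the fixed request size or URI) rather than relaxing the threshold.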
Acquiring Infrastructure (External Threat Hunt)
● This topic alone could be the subject of a weeklong class
● Nothing illegal
● Purchasing. Your red team tradecraft may state infrastructure should be
acquired under a deniable identity. This use case requires deniable identities.
● Resource sharing. Threat intel partners without their own hunt teams can “loan”
infrastructure to allow you to hunt adversaries targeting their org.
○ Docker
○ C2 hosts
○ DNS records
DEMO
Analysis and Refinement
● What data is being collected, is it valuable?
● Is it collected in a consistent manner?
● Correlating that data
● D.O.P.E – Data On Previous Engagement
● Answer these questions
○ What did we hunt?
○ Did we find them or similar actors behaving in same manner?
○ Have we collected enough data on their activities to map a trajectory of their activities?
○ Have we collected enough data on our activities to determine what fingerprints we left
behind?
○ Are there definable actions for the Blue/Purple/Red Team?
References
● https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
● https://posts.specterops.io/designing-effective-covert-red-team-attack-infrastructure-767d4289af43
● https://outflank.nl/blog/2019/02/14/introducing-redelk-part-1-why-we-need-it/
● https://www.thec2matrix.com/
● https://howto.thec2matrix.com/
● https://sans.org/sec564
Thank You!
@Dave_Maynor
@JorgeOrchilles
OpenID AuthZEN Interop Read Out - Authorization
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 

External Threat Hunters are Red Teamers

6. What is Red Team?
● Definition:
  ○ “The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal
● Goal:
  ○ Make Blue Team better
  ○ Test and measure people, process, and technology
  ○ Test assumptions
● Effort:
  ○ Manual
  ○ Many tools (C2 Matrix)
  ○ Some automation for attack infra
● Frequency:
  ○ Intelligence-led (new exploit, tool, or TTP)
  ○ Yearly (regulatory)
● Customer:
  ○ Blue Teams
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
7. What is External Threat Hunting?
● Definition:
  ○ “Proactive identification of threats outside of your perimeter” – BlueVoyant
● Goal:
  ○ Make Blue Team better
  ○ Find and understand actor TTPs in the wild, so Blue/Red/Purple teams have more data-driven intelligence for testing
  ○ Test assumptions
● Effort:
  ○ Manual
  ○ Many tools (C2 Matrix)
  ○ Infrastructure acquisition and maintenance
  ○ Cross-domain Threat Intelligence partnerships
● Frequency:
  ○ Constantly
  ○ Quarterly refinement of targets of interest
● Customer:
  ○ Blue/Red/Purple Teams
  ○ Internal Risk officers
8. Why External Threat Hunting?
● This may not be ideal for every organization (we get it)
● The workflow is hard to develop correctly without some amount of “gut” instinct
● Possibility of becoming a boondoggle
● Hard to quantify results and their value to organizational security
● A lot of the same arguments can be made about red teaming
● Red Team and External Hunting overlap in more than the problem of proving value: the needs of the operators also mean there is a lot of room for reuse of tools and tradecraft between red teaming and external hunting
9. Needs of Both Teams
● Ability to pivot through infrastructure and keep logs and verifiable evidence in a central searchable repository
● Document, Document, Document (aka logs of every action)
● A toolset that allows for effective use by team members regardless of the underlying environment
● Scaling up as team grows – consistency
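The “logs and verifiable evidence” requirement above, as an added example (not code from the slides, from RedELK, or from any tool named in the deck): a hash-chained JSON action log in which each record commits to its predecessor, so any later edit to a record is caught on verification. Field names, operators and the sample actions are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first record's "prev" link

def _digest(record):
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally.
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_action(log, operator, action, result, timestamp):
    """Append one operator action; 'prev' chains it to the previous record."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"ts": timestamp, "operator": operator, "action": action,
            "result": result, "prev": prev}
    log.append({**body, "hash": _digest(body)})
    return log[-1]["hash"]

def verify_chain(log):
    """Return (ok, index): index is the first bad record, or len(log) if ok."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, len(log)

def demo():
    """Constructed sample: two logged actions, then a silent edit to the first."""
    log = []
    append_action(log, "op1", "whoami", "corp\\analyst", "2020-11-01T10:00:00Z")
    append_action(log, "op1", "resolve beacon domain", "198.51.100.7",
                  "2020-11-01T10:00:05Z")
    clean = verify_chain(log)          # (True, 2)
    log[0]["result"] = "SYSTEM"        # after-the-fact tampering
    return clean, verify_chain(log)    # second result: (False, 0)
```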
10. Planning (Comparison)

Planning                  | Red Team                                                                                                                    | External Threat Hunting
Goals and Objectives      | Yes                                                                                                                         | Yes
Cyber Threat Intelligence | Pick Adversary and TTPs to Emulate                                                                                          | Formulating a target list
Scope                     | Yes                                                                                                                         | Yes
Exercise Coordinator/PM   | Yes                                                                                                                         | Yes
Rules of Engagement       | Don’t bring down infrastructure; Don’t affect business processes; Don’t break laws; Don’t forget the purpose of the exercise | Don’t get into a knife fight with a threat actor; Don’t break laws; Don’t forget the purpose of the exercise
Attack Infrastructure     | Yes                                                                                                                         | Yes
Lessons Learned           | Analysis & Response                                                                                                         | Analysis & Refinement
11. Formulating a target list
● A list of attacker groups is needed, but also a list of attacker capabilities
● Like Cyber Threat Intelligence being used by Red Team in Adversary Emulation
● Identify adversaries with the opportunity, intent, and capability to attack your organization
● Understand current capabilities but also possible future capabilities
12. Attack Infrastructure
● Choose and procure external hosting service providers
● Purchase domain names
● Generate domain certificates
● Set up mail servers
● Set up phishing and credential theft sites
● Confirm reputation and categorization of all domains and IPs
● Set up Long and Short Haul C2 infrastructure
● Configure custom C2 tooling
● Test external C2 communication schemes
● Set up RedELK for central logging and Blue Team detection
13. Operational Security
● Ensure all external systems are locked down so that only Red Team members can access administrative interfaces
● Ensure all payloads being generated can only be run from the target environment
● Ensure all web properties do not include attributable information
● Ensure all external systems store all operating files using strong encryption
● Vet payloads and techniques for IoCs to aid the blue team in the lessons learned phase and aid in white cell deconfliction periods
● Can you detect the Blue Team investigating you?
14. RedELK
● Goal 1: Ease the work of the RT by aggregating logs and providing central access to all details of ops, e.g. traffic and C2 logs, IOCs, screenshots, etc.
● Goal 2: Red Team’s SIEM that alarms when Blue Team is investigating
● Version 2 (pending late 2020) adds hunting capabilities:
  ○ Data from bluecheck (implants performing blue team recon)
  ○ Jupyter notebooks – with tons of ready to use playbooks
  ○ Neo4J (BloodHound data!)
  ○ Hunt through all these data points at one time, e.g. does the current C2 implant user (C2 logs) have an access path to system X or user Y (BloodHound logs)?
16. Command and Control
● Influence an attacker has over a compromised computer system that they control
● Communication method attacker leverages to manipulate target systems
● Use Heartbeats/Beacons (callbacks)
● Add Jitter to avoid patterns
● Consistent shell
● Log all operator actions and responses
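The heartbeat and jitter bullets above, seen from the hunting side, as an added example (not from the slides or from any C2 framework): a periodicity score over constructed outbound connection records, showing that jitter bounds the spread of callback intervals rather than removing the pattern. The log format, addresses and thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample, one "timestamp src dst" record per line (not real traffic).
# First pair: callbacks every ~60 s with about 20 % jitter. Second pair: a person browsing.
SAMPLE_LOG = """\
2020-11-01T10:00:00 10.0.0.5 198.51.100.7
2020-11-01T10:00:58 10.0.0.5 198.51.100.7
2020-11-01T10:02:05 10.0.0.5 198.51.100.7
2020-11-01T10:03:01 10.0.0.5 198.51.100.7
2020-11-01T10:04:10 10.0.0.5 198.51.100.7
2020-11-01T10:05:03 10.0.0.5 198.51.100.7
2020-11-01T10:00:03 10.0.0.9 203.0.113.20
2020-11-01T10:00:04 10.0.0.9 203.0.113.20
2020-11-01T10:00:21 10.0.0.9 203.0.113.20
2020-11-01T10:07:45 10.0.0.9 203.0.113.20
2020-11-01T10:07:46 10.0.0.9 203.0.113.20
2020-11-01T10:31:02 10.0.0.9 203.0.113.20
"""

def parse_log(text):
    """Group connection timestamps by (src, dst), sorted in time order."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return {k: sorted(v) for k, v in pairs.items()}

def interval_stats(times):
    """Mean gap between callbacks (seconds) and its coefficient of variation."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return mean, (statistics.pstdev(gaps) / mean if mean else float("inf"))

def score_beacons(text, min_events=6, max_cv=0.35):
    """Flag (src, dst) pairs whose spacing is too regular to be a person.
    A sleep of S seconds with +/-J jitter keeps every gap inside S*(1-J)..S*(1+J),
    so the CV stays below J; interactive traffic is bursty and scores far above 1."""
    findings = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        mean, cv = interval_stats(times)
        findings[pair] = {"events": len(times), "mean_s": round(mean, 1),
                          "cv": round(cv, 3), "beacon": cv <= max_cv}
    return findings
```

Raising max_cv catches implants configured with wider jitter at the cost of more false positives; the min_events floor is what keeps a handful of coincidentally spaced connections from being flagged.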
17. Acquiring Infrastructure (External Threat Hunt)
● This topic alone could be the subject of a weeklong class
● Nothing illegal
● Purchasing. Your red team tradecraft may state infrastructure should be acquired under a deniable identity. This use case requires deniable identities.
● Resource sharing. Threat intel partners without their own hunt teams can “loan” infrastructure to allow you to hunt adversaries targeting their org.
  ○ Docker
  ○ C2 hosts
  ○ DNS records
19. Analysis and Refinement
● What data is being collected, and is it valuable?
● Is it collected in a consistent manner?
● Correlating that data
● D.O.P.E – Data On Previous Engagement
● Answer these questions:
  ○ What did we hunt?
  ○ Did we find them or similar actors behaving in the same manner?
  ○ Have we collected enough data on their activities to map a trajectory of their activities?
  ○ Have we collected enough data on our activities to determine what fingerprints we left behind?
  ○ Are there definable actions for the Blue/Purple/Red Team?
20. References
● https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
● https://posts.specterops.io/designing-effective-covert-red-team-attack-infrastructure-767d4289af43
● https://outflank.nl/blog/2019/02/14/introducing-redelk-part-1-why-we-need-it/
● https://www.thec2matrix.com/
● https://howto.thec2matrix.com/
● https://sans.org/sec564