Modern
Red Teaming
Breaking into the world’s most secure
environments, without a national security budget
$ whoami
Matt Howard
- Hacker turned professional sell out
- 20+ years of experience breaking into things with varying degrees of success
- 10~ years experience doing so professionally
- Spent some time helping improve security products
- Currently: red team operator and R&D
X: @pasv0x7f matt[at sign]shell.fishing
What’s a red team?
- Test detection and response capabilities, not just controls
- Objective-based; the objective is never generic like “finding vulnerabilities”
- Depth vs Breadth: Red teaming vs Pentesting
- 2-4 months
- Typically blackbox
- no info given or access provided*
- very limited number of staff aware of the ongoing mission
What’s a good objective?
- The “million/billion dollar problem” (scoping):
- What IT related function is most important to the company’s business?
- What’s valuable to their most likely adversaries? (threat modeling)
- How can we arm infosec department to get shit done?
- Many orgs already know their problems, but can’t prove it outright
- Red team can kick that door, prove those fears are founded in reality
- What’s the biggest unknown unknown?
- Org thinks it’s mature and can no longer see its most gaping holes; pentests have diminishing returns
Nice cyber response playbook… let’s test it
Examples of objectives:
- Ransomware (#1 today unfortunately, and tbh the most boring)
- Access to install and deploy
- Compromise backups
- Partially demonstrated
- Intellectual Property theft
- Millions of dollars of in-house R&D? Sure, thanks
- Operational control
- A personal favorite :)
- Prove and demonstrate the ability to affect large scale systems
- Examples:
- Arbitrary SIM swapping without social engineering
- Affect routing for an ISP
- Money movement
How it starts: OSINT
- LinkedIn stalking
- Job posts
- Company news
- Googling (tons)
- SEC filings (M&A, subsidiaries, legal entities and brands)
- Public court documents
- Github
- DNS (registrations, passive records, guessing, cert transparency)
- 3rd party SaaS providers (Microsoft, Google, Slack, Atlassian, JAMF, etc)
- More social media stalking (leading up to the phish)
How we get in (Initial Access)
In order of frequency:
- Phishing
- Smishing
- External DMZ/Employee remote access solutions
- Vishing
- Physical access
- Chats
Because time is $$$ and IA is getting more time consuming:
- Assumed breach (more prevalent nowadays)
- “Simulated click”
- Procured VPN access
- Procured laptop (sometimes even joining the company as employee/contractor fully)
Phishing
- Worst part of the job
- Leverage social engineering:
- Customer to business, B2B, Vendor to business, internal
- Become a really terrible human being, for a short period of time
- Initial access payloads as an art form
- Substantially harder nowadays!
- Force multipliers:
- Leverage insider info from one hack into another
- Attacker in the Mailbox
- 0day exploits (rare and burnable): https://issues.chromium.org/issues/41492103 ;-)
Malware development
- Commercial offerings and OSS are rarer in use as EDR gets more wise to them
- In-house red teams *must* develop their own capabilities
- The stronger the R&D, the stronger the team typically
- Maldev stages for red teams:
- stage 0: the method of executing code
- stage 1: minimal viable means of keeping access and loading additional components
- stage 2: Cobalt Strike, et al. - hands-on-keyboard tooling, what you typically use to achieve objectives
Defensive Tech I’m Up Against Daily
- Email filters (Proofpoint)
- Sandboxes (Wildfire, Cuckoo)
- EDR (can’t say, because they’re often litigious)
- NGFW (Palo, Cisco) - Outbound and Inbound traffic
- MFA (RSA, Duo)
- PAM (Privileged Access Management)
Defensive Tech I’m Bypassing Daily
- Email filters (Proofpoint)
- Create high reputation senders
- Learn phish scoring metrics
- Sandboxes (Wildfire, Cuckoo)
- Create “puzzles” for sandboxes to solve - that they cannot
- Detect their presence in various ways - User input, VM detection, etc
- EDR (can’t say, because they’re often litigious)
- Know where they’re looking, don’t go there - Windows vs Mac/Linux EDR
- Know where baselines are, blend in - What makes a similar signal, how can I use it?
- Attempt to completely bypass by removing their ability to inspect - Unhook, compromise
- NGFW (Palo, Cisco) - Outbound and Inbound traffic inspection
- Blend with traffic - Where do their systems typically connect to, what kind of traffic?
- High reputation domains, categorized with real content - Thank god for LLMs
- MFA (RSA, Duo)*
- Session hijacking at the browser or app level
- MFA device enrollment
- Hack the MFA admin/console itself
“Adversarial onboarding”:
what we do on the inside
- No port scanning or noisy tool usage
- Automated tools are for pentesters
- Reading, more reading, reading after that
- Weeks of studying existing documentation
- Essentially the same thing a new employee would do to learn the ropes
- Internal ticketing systems
- Internal asset management systems
- Stalking employees across various internal platforms:
- git, wikis, tickets, workstation, AD groups, chats
- “Know your opponent” - find their security stacks and capability levels
Lateral movement and privilege escalation
In order of frequency (at least for me):
- Information disclosures, credential theft (see: reading)
- Misconfigurations
- Excessive permissioning
- Exploits
- Misc
Total control (Enterprise/Domain Admin) is rarely wanted or needed
- Highly monitored
- Touch less things, intentionally
- Workstation admin is useful to hunt sysadmins for main objective
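The “reading” that the onboarding and lateral-movement slides describe (git, wikis, tickets) works because credentials sit in plain text. As an added example that is not from the talk, here is a small scanner a defender can run over the same sources to find and rotate them first; the sample documents, paths and secret values are constructed, and the patterns are illustrative rather than exhaustive.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed sample documents standing in for wiki pages, tickets and repo files.
SAMPLE_DOCS: Dict[str, str] = {
    "wiki/Onboarding.md": "Welcome! The jump box is jump01.corp.example; ask IT for creds.\n",
    "tickets/IT-4821.txt": (
        "Reset done. Temp password for svc_backup is Summer2024!\n"
        "Also attaching the automation key: AKIAIOSFODNN7EXAMPLE\n"
    ),
    "repo/deploy.sh": (
        "export DB_PASSWORD='p4ssw0rd-prod'\n"
        "curl -H 'Authorization: Bearer tok_3fA9xQ7mLp2vZ8rK1wN4yB6hJ0dS5eT' https://api.internal/\n"
    ),
}

# Group 1 of each pattern is the secret itself. Illustrative, not exhaustive.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    ("bearer_token", re.compile(r"Bearer\s+([A-Za-z0-9._\-]{20,})")),
    ("password_assignment", re.compile(r'''(?i)(?:password|passwd|pwd)\s*[:=]\s*['"]?([^\s'"]{6,})''')),
    ("password_in_prose", re.compile(r"(?i)password\s+(?:for\s+\S+\s+)?is\s+([^\s,.]{6,})")),
]
# Documented dummy values and templates are noise, not leaks.
PLACEHOLDER_HINTS = ("example", "changeme", "xxxx", "<", ">")


def shannon_entropy(s: str) -> float:
    """Bits per character; real tokens score far higher than dictionary words."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Mask the middle so the scan report itself is not the next disclosure."""
    if len(secret) <= 6:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 4) + secret[-2:]


def scan_documents(docs: Dict[str, str]) -> List[Dict[str, object]]:
    """Return one finding per matched secret, with the secret already redacted."""
    findings: List[Dict[str, object]] = []
    for path, text in docs.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in PATTERNS:
                for m in pattern.finditer(line):
                    secret = m.group(1)
                    findings.append({
                        "path": path,
                        "line": line_no,
                        "kind": kind,
                        "redacted": redact(secret),
                        "entropy": round(shannon_entropy(secret), 2),
                        "placeholder": any(h in secret.lower() for h in PLACEHOLDER_HINTS),
                    })
    return findings


def actionable(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Findings that need rotation: placeholders dropped, highest entropy first."""
    real = [f for f in findings if not f["placeholder"]]
    return sorted(real, key=lambda f: f["entropy"], reverse=True)


if __name__ == "__main__":
    for f in actionable(scan_documents(SAMPLE_DOCS)):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['redacted']} (H={f['entropy']})")
```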
Obtaining the objective
Methods vary widely
- Credential theft
- Mitigated by MFA sometimes so..
- Session hijacking
- Cookies and tokens are the “single factor” in reality
- Apps can be coerced to share access (ssh)
- Mapping access patterns based off… reading documentation
- “Break glass access” == “backdoor access”
- Find systems that target systems rely on, use those in unexpected ways
Oversimplifying:
- Find who has what you want (“I hunt SysAdmins”)
- Find a way to get where they are (workstation, server, git repo, docs/notes storage, etc)
- Follow their access in (if necessary)
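The session-hijacking point on the MFA and objective slides (cookies and tokens are the real single factor) from the defender's side, as an added example that is not part of the talk: a check over constructed auth-log lines that binds each session to the client context seen when MFA passed and flags later use from a different context, or a session that never had a login at all. The log format, field names and sample values are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log lines (not from any real product); one line per request.
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z user=alice session=sess_a1 ip=10.1.1.20 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124" mfa=passed
2024-05-01T09:00:30Z user=alice session=sess_a1 ip=10.1.1.20 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124" action=view_ticket
2024-05-01T09:05:12Z user=alice session=sess_a1 ip=203.0.113.77 ua="python-requests/2.31" action=clone_repo
2024-05-01T09:06:00Z user=bob session=sess_b9 ip=10.1.1.31 ua="Mozilla/5.0 (Macintosh) Safari/17" mfa=passed
2024-05-01T09:07:00Z user=bob session=sess_b9 ip=10.1.1.31 ua="Mozilla/5.0 (Macintosh) Safari/17" action=view_wiki
2024-05-01T09:08:00Z user=carol session=sess_c3 ip=198.51.100.9 ua="curl/8.4" action=export_users
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'TIMESTAMP key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, val in KV_RE.findall(rest):
        fields[key] = val.strip('"')
    return fields


def fingerprint(ev: Dict[str, str]) -> Tuple[str, str]:
    """Client context a session is bound to. IP + User-Agent is the cheapest
    binding and still catches plain cookie replay; stronger bindings (device
    certificate, token binding) slot into the same comparison."""
    return (ev.get("ip", ""), ev.get("ua", ""))


def detect_session_reuse(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per suspicious event.

    reasons:
      context_changed   - session used from a different IP/UA than at MFA time
      no_login_observed - session used without an mfa=passed event first
    """
    bound: Dict[str, Tuple[str, str]] = {}
    alerts: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        sid = ev.get("session")
        if not sid:
            continue
        fp = fingerprint(ev)
        if sid not in bound:
            if ev.get("mfa") == "passed":
                bound[sid] = fp  # bind at the moment the second factor was satisfied
            else:
                alerts.append({"reason": "no_login_observed", "session": sid,
                               "user": ev.get("user", ""), "ts": ev["ts"],
                               "ip": fp[0], "ua": fp[1]})
            continue
        if fp != bound[sid]:
            # Same token, different client: the token itself is now the only factor.
            alerts.append({"reason": "context_changed", "session": sid,
                           "user": ev.get("user", ""), "ts": ev["ts"],
                           "ip": fp[0], "ua": fp[1],
                           "bound_ip": bound[sid][0], "bound_ua": bound[sid][1]})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_LOGS):
        print(alert)
```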
Tips for getting into red teaming
- Learn to code in multiple contexts (web, windows, linux, automation, database, common APIs)
- Learn from threat reports, incident responders, expert vendors
- Reverse engineer everything that interests you
- Most tools are “proof of concept” and not typically great for red teaming; they must be modified
- Eventually you will get ideas or features that are not available:
- Bad red team: “I wish this tool could do this or such a tool existed, oh well”
- Good red team: “I think I can make this happen, but need time”
- Best red team: “Our R&D already anticipated this and we have tools or scaffolding to do it with less time”
- Study network engineering/IT
- Study a bit of psychology/social psych. “wetware”
<< EOF
Q & A?

Modern Red Teaming - subverting mature defenses on a budget
