Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Infiltrate 2015 - Data Driven Offense

2,590 views

Published on

How to use Big Data and Machine Learning for attacks - specifically to achieve large scale attack planning and automatic attack execution.

This talk was given at Infiltrate 2015.

Published in: Technology
  • Login to see the comments

Infiltrate 2015 - Data Driven Offense

  1. 1. Sacha Faust @sachafaust / Azure Red Team | Ram Shankar @ram_ssk / Azure Security Data Science DATA DRIVEN OFFENSE
  2. 2. KeyTakeAways 2 Use data to drive common scenarios How ML can be used Strategic advantages
  3. 3. Our Reality
  4. 4. Context 4 •Cloud vs Cloud •Red vs Blue focus  Increase - MTTC and MTTP  Decrease - MTTD and MTTR •Engineering heavy •Single target
  5. 5. “Advanced”PersistentThreats 5 Specific/sequential targeting Effective reconnaissance Practiced tool usage Sophisticated planning Social engineering Advanced & persistent
  6. 6. Infrastructure 6 Feed Forward Observations Decision (Hypothesis) Action (Test) Cultural Traditions Genetic Heritage New Information Previous Experience Analyses & Synthesis Feed Forward Feed Forward Implicit Guidance & Control Implicit Guidance & Control Unfolding Interaction With EnvironmentUnfolding Interaction With Environment Feedback Feedback Outside Information Unfolding Circumstances Observe Orient Decide Act StorageService Bus Big Data ML Auto Scaling
  7. 7. NextGenerationAPT™ 7 Diversionary Tactics Machine Learning Varied PersistenceIntelligence Driven Multi-FrontAssaults
  8. 8. IntelligenceDriven 8 Pivoting Scenario
  9. 9. ProblemStatement 9 Compromised User Target Servers with Administrator access 0
  10. 10. Context Data available to all authenticated users Identity used - 1 Exfiltration Size - ~4Gb Data Sources Active Directory User/Groups Machines Local group membership Implementation • SQL Azure • Service Bus • Azure Worker Role • Remote Powershell 10
  11. 11. RouteDiscovery 11 Pivoting Opportunities Dashboard # Actions – 0 # Routes – 0 # Routes to eval - 7 Assets # Identities - 1 # Servers - 7 0
  12. 12. OneLevelDeep 12 Dashboard # Actions – 7 # Routes – 12 # Routes to eval - 11 Assets # Servers - 23 # Identities - 4 0 1 2 3 Untouched
  13. 13. Outcome 13 Pwned Report – PtH Pivoting MTTP – seconds # Actions to target - 9 # Min Pivots required – 2 # Routes - 12 Blue Learnings Comprehensive TTP exposure analysis Increased awareness Measure mitigation impact Measureable (KPI)
  14. 14. Examples 14
  15. 15. Examples 15
  16. 16. Examples 16
  17. 17. StrategicAdvantages 17 • Surgical • Fly under most radar • Limited TTP exposure • Routes can be saved/replayed/measured • Long shelve life • Not bound to PtH only
  18. 18. BeyondPtHPivoting 18 •Paving Egress routes •Path avoidance •Beachhead candidates •Cloud Pivoting
  19. 19. MachineLearning 19 Feed Forward Observations Decision (Hypothesis) Action (Test) Cultural Traditions Genetic Heritage New Information Previous Experience Analyses & Synthesis Feed Forward Feed Forward Implicit Guidance & Control Implicit Guidance & Control Unfolding Interaction With EnvironmentUnfolding Interaction With Environment Feedback Feedback Outside Information Unfolding Circumstances Observe Orient Decide Act StorageService Bus Big Data ML Auto Scaling
  20. 20. Computer System Data Program Output Computer System Data Output Program Traditional Programming Machine Learning Source: Lectures by Pedro Domingos
  21. 21. Introduction 21 Why is Machine Learning Relevant to red teams?
  22. 22. Introduction 22 Why is Machine Learning Relevant to red teams?
  23. 23. Introduction 23 Why is Machine Learning Relevant to red teams?
  24. 24. MLDrivenSpearPhishing 24 How can Red Teams use Machine Learning • Subvert existing ML algorithms that defenders have put in place • Classic “Adversarial Machine Learning” • Key goal: Game the ML System • Check out: http://www.slideshare.net/RamShankarSivaKumar/subverting- machine-learning-detections-for-fun-and-profit (Derbycon2014) • Think of attacks as a large scale optimization problem and ML to solve it
  25. 25. MachineLearning 25 ML driven Spear Phishing
  26. 26. ML-Approach 26 • Problem: Which phishing mail should be sent to a victim? • Why Use Machine Learning? -> Targeted Phishing emails increase likelihood of compromise • Distinguished Engineer: Subj: Country Club Invitation • Program Manager: Subj: Kanban Notes • Developer: Subj: Code check In? -> Makes blue team’s job of building attacker’s TTP and IOC much more difficult • Machine Learning task: How to pick the right email per person?
  27. 27. ML-Approach 27 Recommender Engines!
  28. 28. Contextual Bandit arms -- Intuition •The world announces some context information (Program Managers like meetings). •A policy chooses arm a from 1 of k arms (i.e. 1 of k phishing emails). •The world reveals the reward ra of the chosen arm (i.e. whether the message is clicked on).
  29. 29. Experiment 29 Objective - Recommend the most appropriate email for the user, based on his role Data Set: 1) Leverage data from (previously/currently) compromised hosts 2) Input: Email Corpus , context (title of role), action (clicked, not-click), featurization (time of click, number of words…) Tooling - Vowpal Wabbit (- I/O bound, parallelizable, specific for large scale learning) Result - Overall Click through rate (CTR) increased by 23%, with the highest increase in Program Managers (+22%) and least in Developer (5.4%)
  30. 30. RedAdvantages 30 Takeaways 1) Embedding intelligence into attacks, can make it more effective. ML can make attacks adaptive too! 2) The tricky part is mapping the attack goals to the right kind of problem - Short, but steep learning curve. -> Tip: Borrow the blue team’s behavorial detections and use the same tools, against them.
  31. 31. Parting Thoughts
  32. 32. Advantages Strategic  Targeting and Surveillance  Monitoring (IOM)  Detection (IOD)  Recovery (IOR)  Automated and reusable attack planning  Decreased MTTC & MTTP  Increase MTTD & MTTR  Controlled exposure  Small footprint  TTP/Actor Emulation/Impersonation Operational  Autonomous stages  Measurable efficiency  Reduce Capabilities Exposure  Flexible  Improve IP retention  Efficiency increased over time 32
  33. 33. PossibleDefense 33 •Adopt “Assume Breach” mindset •Accelerate growth – War Games •Consider Moving Target Defense •Understand pivoting opportunities •Sharing TTP/IOC
  34. 34. Thank you Sacha Faust @sachafaust Ram Shankar @ram_ssk

×