Deep Dive into Adversary Emulation - Ransomware Edition
This talk covers the Garmin July 2020 hack by a group called Evil Corp that leveraged a newer ransomware called WastedLocker. We cover Cyber Threat Intelligence, creating an adversary emulation plan for ransomware, demo the emulation, and discuss how to defend against these attacks.
2. @JORGEORCHILLES
T1033 - System Owner/User Discovery
● Chief Technology Officer - SCYTHE
● Purple Team Exercise Framework (PTEF)
● C2 Matrix Co-Creator
● 10 years @ Citi leading offensive security team
● Certified SANS Instructor: SEC560, SEC504
● Author SEC564: Red Team Exercises and Adversary Emulation
● CVSSv3.1 Working Group Voting Member
● GFMA: Threat-Led Pentest Framework
● ISSA Fellow; NSI Technologist Fellow
3. @JORGEORCHILLES
Agenda
● What is Adversary Emulation
● What is Ransomware
● Cyber Threat Intelligence
● Adversary Emulation Plan
● Live Demo
● Defending against Ransomware
4. @JORGEORCHILLES
Ethical Hacking Maturity Model
https://www.scythe.io/library/scythes-ethical-hacking-maturity-model
● Based on my experience and experience in other organizations
● Not a step by step guide but can be used as a blueprint for maturing
● You can skip steps
● Every organization is different
● Don’t stop doing the previous assessment types as you mature
5. @JORGEORCHILLES
Adversary Emulation
● Definition:
○ A type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries.
● Goal:
○ Emulate an adversary attack chain or scenario
○ Understand organization’s preparedness if under a real, sophisticated attack
● Effort:
○ Manual
● Customer:
○ Entire organization
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
6. @JORGEORCHILLES
Red Team
● Definition:
○ “The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal
● Goal:
○ Make Blue Team better
○ Test and measure people, process, and technology
○ Test assumptions
● Effort:
○ Manual
○ Many tools (C2 Matrix)
● Frequency:
○ Intelligence-led (new exploit, tool, or TTP)
○ Yearly (regulatory)
● Customer:
○ Blue Teams
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
7. @JORGEORCHILLES
Internal vs. External Teams
Internal Red Teams
● Repeated engagements
○ Remediation retesting
● Use privileged/insider knowledge
● Sparring partner
External Red Teams
● Offers new perspective
○ May have other industry experience
● “Snapshot” engagements
9. @JORGEORCHILLES
Purple Team Exercises
● Virtual, functional team where teams work together to measure and improve defensive security posture
○ CTI provides threat actor with capability, intent, and opportunity to attack
○ Red Team creates adversary emulation plan
○ Tabletop discussion with defenders about the attacker tactics, techniques, and procedures (TTPs) and expected defenses
○ Emulation of each adversary behavior (TTP)
○ Blue Team looks for indicators of behavior
○ Red and Blue work together to create remediation action plan
● Repeat exercises to measure and improve people, process, and technology
11. @JORGEORCHILLES
Framework & Methodology
● Purple Team Exercise Framework (PTEF)
● Cyber Kill Chain – Lockheed Martin
● Unified Cyber Kill Chain – Paul Pols
● Financial/Regulatory Frameworks
○ CBEST Intelligence Led Testing
○ Threat Intelligence-Based Ethical Red Teaming
○ Red Team: Adversarial Attack Simulation Exercises
○ Intelligence-led Cyber Attack Simulation Testing
○ A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry
● Testing Framework:
13. @JORGEORCHILLES
IMPACT
https://attack.mitre.org/tactics/TA0040/
● The adversary is trying to manipulate, interrupt, or destroy your systems and data - MITRE ATT&CK
● Disrupt availability
● Compromise integrity by manipulating business and operational processes
● Destroying or tampering with data
● These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach
14. @JORGEORCHILLES
Ransomware
● Get access to a target system or network (targeted or opportunist)
● Encrypt files - 3 methods:
a. Read the file, create an encrypted version of the file, replace the original file with the encrypted one
b. Use raw disk access for encryption
c. Open the file, encrypt the contents and save the file (no file deletion or creation)
● Steal the files? Sometimes
● Download a ransom note asking for payment in crypto or else!!!
● Get PAID!!! $$$ ฿฿฿ ₿₿₿
15. @JORGEORCHILLES
Garmin
● July 22 - 29, 2020
● GarminConnect, FlyGarmin, etc. all down ->
● Evil Corp using WastedLocker
https://techcrunch.com/2020/07/25/garmin-outage-ransomware-sources/
16. @JORGEORCHILLES
Evil Corp (1)
● SocGholish is delivered to the victim in a zipped file via compromised legitimate websites
● Zip file with malicious JavaScript, masquerading as a browser update
● A second JavaScript file profiles the computer and uses PowerShell to download additional discovery related PowerShell scripts
● Once the attackers gain network access, they use Cobalt Strike commodity malware with living-off-the-land tools to steal credentials, escalate privileges, and move across the network to deploy WastedLocker on multiple computers
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
17. @JORGEORCHILLES
Evil Corp (2)
● PowerShell is used to download and execute a loader from a domain publicly reported as being used to deliver Cobalt Strike as part of WastedLocker attacks
● An injected payload, known as Cobalt Strike Beacon, is used to execute commands, inject other processes, elevate current processes or impersonate other processes, and upload and download files
● Privilege escalation is performed using a publicly documented technique involving the Software Licensing User Interface tool, a command line utility responsible for activating and updating the Windows operating system
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
18. @JORGEORCHILLES
Evil Corp (3)
● The attackers use the Windows Management Instrumentation Command Line Utility to execute commands on remote computers, such as adding a new user or executing additional downloaded PowerShell scripts
● The attackers launch a legitimate command line tool for managing Windows Defender to disable scanning of all downloaded files and attachments, remove all installed definitions, and, in some cases, disable real-time monitoring
● Windows Sysinternals tool PsExec is used to launch the WastedLocker ransomware, which then begins encrypting data and deleting shadow volumes
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
20. @JORGEORCHILLES
ATT&CK Navigator
● No MITRE ATT&CK Mapping for Evil Corp or WastedLocker
● Manually extracted TTPs from Cyber Threat Intelligence
● Created MITRE ATT&CK Navigator Layer: https://github.com/scythe-io/community-threats/blob/master/EvilCorp/EvilCorp-WastedLocker_layer.json
21. @JORGEORCHILLES
Planning
● Goals and Objectives
● Red Team or Purple Team Exercise?
● Exercise Coordinator/Project Manager
● Assume Breach or Full End-to-End?
○ Initial Access takes time
○ Infinite ways in
● Rules of Engagement
○ Don’t encrypt and ransom real business data
○ Create new files, encrypt and/or exfiltrate
● Attack Infrastructure
22. @JORGEORCHILLES
Determine Tools to Use - C2 Matrix
● Google Sheet of C2s
● https://www.thec2matrix.com/
● Find ideal C2 for your needs
● SANS Slingshot C2 Matrix VM
● https://howto.thec2matrix.com
● Follow @C2_Matrix
23. @JORGEORCHILLES
Cobalt Strike
● https://cobaltstrike.com/
● https://attack.mitre.org/software/S0154/
● Older version was leaked and used by malicious actors:
○ APT19
○ APT29
○ APT32
○ APT41
○ Cobalt Group/Gang
○ CopyKittens
○ DarkHydrus
○ Leviathan
○ FIN6
24. @JORGEORCHILLES
SCYTHE
● Enterprise-Grade platform for Adversary Emulation
○ Creating custom, controlled, synthetic malware
○ Server can be deployed on-premises or your cloud
○ Multiple relays - Docker, Python, Windows MSI
● Emulate known threat actors against enterprise network and systems
○ Consistently execute adversary behaviors
○ Continually assess security controls
○ Decreased evaluation time of security technologies
○ Identify blind spots for blue teams
○ Force-multiplier for red team resources
○ Measure and improve response of people and process
25. @JORGEORCHILLES
Features & Capabilities
● Trivial installation
● Enterprise C2:
○ HTTP(S), DNS, Google Sheets, Twitter, Stego, SMB
● Automation
○ Build cross-platform synthetic malware via dashboard
○ Synthetic malware emulates chosen behaviors consistently
● Delivery methods
○ Web Page/Drive-by (T1189)
○ Phishing Link (T1192)
○ Phishing Attachment (T1193)
● Reports
○ HTML, CSV, Executive, and Technical Reports
○ ATT&CK Navigator Layer
○ MITRE ATT&CK Heat Map
● Integrations
○ VECTR - Tracking Red and Purple Team Exercises
○ PlexTrac - automated report writing and handling
○ Integrated with Splunk and all other SIEMs with syslog
○ Red Canary’s Atomic Red Team test cases
26. @JORGEORCHILLES
Emulating Ransomware?
● Is emulating ransomware even possible?
● Of course it is!
● The secret is to not encrypt or destroy production data.
● Instead create new files before emulating typical ransomware steps of encrypting, exfiltrating, and obtaining a ransom note.
● This method ensures no data is ever at risk of being encrypted, destroyed, or leaked.
28. @JORGEORCHILLES
Defending against Ransomware
● Traditionally the big focus has been on initial access
● With the more sophisticated and recent attacks, we are seeing many more tactics than just Initial Access and Impact
● https://www.scythe.io/library/threatthursday-ransomware
● https://us-cert.cisa.gov/ncas/tips/ST19-001
● https://medium.com/swlh/detecting-and-responding-to-ransomware-attacks-by-using-free-tools-1873c8510a9e
● https://medium.com/@mergene/defeating-ransomware-by-using-sysmon-and-powershell-b671920f3bb1
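The point about defending beyond Initial Access and Impact can be made concrete with detection logic for the mid-chain Evil Corp behaviours described in the CTI slides (shadow copy deletion, Windows Defender definitions removed, WMIC remote process creation, PsExec service execution), run over constructed Sysmon-style process-creation events and rolled up into a minimal ATT&CK Navigator layer like the one on the ATT&CK Navigator slide. This is an added example, not code from the talk or from SCYTHE; the key=value event format, hostnames, user names and script paths are constructed, and the concrete tool names (vssadmin, MpCmdRun, Set-MpPreference, wmic, PSEXESVC) are assumed from public reporting on WastedLocker rather than taken from the slides.

```python
import json
import re

# Detection rules for the behaviours described in the CTI above, each tagged with
# its ATT&CK technique ID. The patterns are narrow starting points for a SIEM or
# Sysmon rule, not complete signatures.
RULES = [
    ("T1490", "Shadow copies deleted before encryption",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1562.001", "Windows Defender definitions removed or scanning disabled",
     re.compile(r"mpcmdrun(\.exe)?.*-removedefinitions|set-mppreference.*-disable", re.I)),
    ("T1047", "WMIC used to create a process on a remote computer",
     re.compile(r"wmic(\.exe)?\s+/node:\S+.*process\s+call\s+create", re.I)),
    ("T1569.002", "PsExec service execution",
     re.compile(r"\\(psexec|psexec64|psexesvc)\.exe", re.I)),
]

def parse_event(line):
    """Parse one constructed 'Key=Value|Key=Value' process-creation event into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def detect(line):
    """Return the (technique_id, description) pairs whose rule matches this event."""
    ev = parse_event(line)
    text = f"{ev.get('Image', '')} {ev.get('CommandLine', '')}"
    return [(tid, desc) for tid, desc, rx in RULES if rx.search(text)]

def navigator_layer(events, name="Observed WastedLocker TTPs"):
    """Roll detections up into a minimal ATT&CK Navigator layer, scoring by hit count."""
    hits = {}
    for line in events:
        for tid, _ in detect(line):
            hits[tid] = hits.get(tid, 0) + 1
    return {"name": name, "domain": "enterprise-attack",
            "techniques": [{"techniqueID": t, "score": s} for t, s in sorted(hits.items())]}

# Constructed sample events (not real telemetry): four mirror the CTI, the last is benign.
# Hostnames, user names and script paths are invented.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet|User=CORP\svc_backup",
    r"Image=C:\Program Files\Windows Defender\MpCmdRun.exe|CommandLine=MpCmdRun.exe -RemoveDefinitions -All",
    r"Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic /node:FILESRV01 process call create 'powershell -File C:\Users\Public\disc.ps1'",
    r"Image=C:\Windows\PSEXESVC.exe|CommandLine=C:\Windows\PSEXESVC.exe",
    r"Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(detect(line))
    print(json.dumps(navigator_layer(SAMPLE_EVENTS), indent=2))
```

In a purple team exercise the resulting layer can be overlaid on the emulation plan's layer to show which emulated TTPs the Blue Team actually observed.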
31. @JORGEORCHILLES
#ThreatThursday
● Choose an adversary every week
○ Introduce Adversary
○ Consume CTI and map to MITRE ATT&CK w/Navigator Layer
○ Create Adversary Emulation Plan
○ Share the plan on SCYTHE Community Threat Github: https://github.com/scythe-io/community-threats/
○ Emulate Adversary with video
○ How to defend against adversary
● All free for the community: https://www.scythe.io/threatthursday