This presentation provides an overview of common adversarial emulation approaches along with attack and detection trends. It should be of interest to penetration testers and professionals in security operations roles.
5. The Problem
Companies spend millions on detective controls, but don’t know if they can detect common:
• Indicators of active attack
• Indicators of compromise
• Indicators of data exfiltration
The Problem
• Understand the company’s ability to identify and respond to common real-world threats
• Understand how to improve detective and preventative control capabilities
• Verify that third-party service providers and products are detecting what they say they can
The Goal
9. Service Overview: Approach
1. Inventory known controls
2. Emulate attacks
3. Monitor security events and alerts
4. Identify gaps in controls
5. Provide actionable feedback and recommendations
6. Provide a MITRE ATT&CK-style heat map
The Approach: Summary
10. Service Overview: Approach
Inventory Known Controls
Interview key members of the security and incident response teams to inventory existing preventative controls, detective controls, and detective control boundaries. Common control placements and boundaries include:
• External network zones
• Internal network zones
• Wireless network zones
• Email gateways, servers, and clients
• Workstations and Servers
• Network devices
• Applications
• Databases
The Approach: Inventory Known Controls
11. Service Overview: Approach
Emulate Attacks
using the common tactics, techniques, and procedures of real-world attackers, in multiple variations of common attack kill chains, across the identified detective control boundaries:
• Threat agnostic
• Many kill chain variations
• Common tools
• Common techniques
• Common procedures
• MITRE ATT&CK covers the post-exploitation phases well
The Approach: Emulate Attacks
12. Service Overview: Approach
Monitor Security Events and Alerts
in real-time with security teams:
• External network zones
• Internal network zones
• Wireless network zones
• Email gateways, servers, and clients
• Workstations and Servers
• Network devices
• Applications
• Databases
The Approach: Monitor Security Events
13. Service Overview: Approach
Identify major gaps in detective and preventative controls by working with security teams in real time during the test to determine which security events:
• Go completely undetected
• Are logged
• Trigger correlation rules
• Trigger alerts
• Trigger incident response
The Approach: Identify Gaps
14. Service Overview: Identifying Gaps
Provide actionable feedback that includes the information
below so internal security teams can build better defensive
capabilities:
• Log sources
• Generic indicators of attack and compromise
• Generic SIEM correlation rules
• Preventative control options
• Mitigation options
• Existing controls
The Approach: Actionable Feedback
15. Service Overview: Identifying Gaps
Below are some notes from the Chris Gates and Chris Nickerson presentation at BruCON (great notes for internal teams):
http://www.slideshare.net/chrisgates/building-a-successful-internal-adversarial-simulation-team-chris-gates-chris-nickerson
• Create a charter
• Provide metrics (readiness/resistance to TTPs) plus charts
• Build an attack simulation lab with all preventative and detective controls
• Work through the MITRE ATT&CK techniques in the lab
• Continuously validate production controls
• Work closely with the internal team
• Establish rules of engagement, procedures, and workflows with the internal team
• Estimate resources: people, servers, a cracking box, VMs, access to defensive tools
• Document sharing to store and share information
The Approach: Notes from BruCON
16. Service Overview: Deliverables
The Approach: Notes from BruCON (image slide; source as above)
17. Service Overview: Deliverables
The Approach: Notes from BruCON
1. Gather threat intelligence about threats and their attributes
2. Compare to the capabilities map (preventative and detective)
3. Predict the likelihood of successful attacks before they happen
18. Service Overview: Deliverables
The Approach: Notes from BruCON (image slide; source as above)
19. Service Overview: Deliverables
The Approach: Notes from BruCON (image slide; source as above)
22. Service Overview: Providing Guidance
The Differences: Service Goals
Network Vulnerability Assessment
• Identify known and common configuration, patch, and code related vulnerabilities at the server and web application layers.
• Meet compliance requirements.
Network Penetration Test
• Help companies determine if identified vulnerabilities can be used to gain unauthorized access to protected networks, systems, application functionality, and sensitive data.
• Identify known and common configuration, patch, and code related vulnerabilities at the network, server, and web application layers.
• Meet compliance requirements.
Network Red Team Testing
• Attempt to gain unauthorized access to an environment using paths of least resistance without detection, and maintain that access for a pre-determined period of time in order to test the Incident Response Team’s ability to identify and respond to threats. This often includes non-standard scoping with very specific system, application, and data targets.
Threat Emulation
• Emulate a specific threat and determine the ability to prevent, detect, and respond to it within a specific environment.
Defense Assessment
• Help companies obtain a more comprehensive understanding of their ability to identify and respond to real-world threats and potential breach scenarios, by executing multiple variations of common attack workflows across detective control boundaries while working with internal security teams to identify detective control gaps and misconfigurations.
• Blue team and red team members test the company’s environment together to build an understanding of its ability to prevent, detect, and respond to real-world threats at all layers of the organization. This requires much more collaboration and is broader in scope than a red team engagement. It is intended to test for the most common tools, techniques, and procedures used by attackers and malware.
• Test the capabilities of third-party service providers.
23. Service Overview: Providing Guidance
The Value: Service Differences
Columns: (1) Identify server issues, (2) Identify network issues, (3) Identify application issues, (4) Determine impact of vulnerabilities, (5) Determine ability to detect attacks, (6) Identify missing detective controls, (7) Determine incident response ability
Service Type                                      (1)        (2)        (3)        (4)        (5)        (6)        (7)
Vulnerability Assessment                          Yes        No         Partially  No         Partially  No         No
Penetration Test                                  Yes        Yes        Yes        Yes        Partially  No         No
Red Team Test (limited to specific scenarios)     Partially  Partially  Partially  Partially  Partially  Partially  Partially
Threat Emulation (limited to a specific threat)   Partially  Partially  Partially  Partially  Partially  Partially  Partially
Defense Assessment                                Yes        Yes        Yes        Yes        Yes        Yes        Yes
The Differences: Service Objectives
26. Service Overview: Deliverables
• Search for known common indicators of compromise at scale
• Typically does not include EPP, HIDS, or NIDS
• PowerShell comes in handy for automation
• Identify sample systems based on information stored in DNS and Active Directory
• Gather information via WMI, PS Remoting, scheduled tasks, and PsExec (no agent)
The Hunt: Threat Hunting Overview
27. Service Overview: Deliverables
• Get approval
• Some tasks require local and domain administrator privileges
• Just like scanning, be aware of network boundaries and controls that may block access to the sample of systems
The Hunt: Don’t forget…
28. Service Overview: Deliverables
• Common hunting activities include targeting:
- Files with known malware signatures
- Windows services running unsigned binaries
- Potentially malicious scheduled tasks
- Potentially malicious file and folder autoruns
- Potentially malicious registry autoruns
- Potentially malicious SQL Server autoruns
- Potentially malicious WMI providers and event subscriptions (triggers)
- Web shells in internet-facing web root folders
- VPN or internet logins from unusual geographic locations or at off hours
- Suspicious domain-level events
The Hunt: Common Targets
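The slides above describe the agentless hunt (sample hosts from AD, collect over PS Remoting, look for unsigned service binaries and odd scheduled tasks) without showing it. The script below is an added example, not code from the original slides. It assumes the RSAT ActiveDirectory module on the hunting box, WinRM enabled on the targets, and an account with local administrator rights on them (the approval and privilege points from the previous slide apply); the sample size, CSV path and the "trusted" directory roots are choices made here, not the presenter's.

```powershell
# Added example, not from the original slides: sample servers from Active Directory and
# collect two of the hunt targets listed above (services backed by unsigned binaries,
# scheduled tasks that run from outside the Windows / Program Files trees) via PS Remoting.
# Assumptions: RSAT ActiveDirectory module on this box, WinRM reachable on targets, and
# local admin on the targets.
#Requires -Modules ActiveDirectory
param(
    [int]$SampleSize = 25,
    [string]$OutCsv = '.\hunt-results.csv'
)

# Step 1: pick a random sample of enabled Windows servers from AD
# (the slide's "identify sample systems based on information stored in DNS and AD").
$targets = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Windows Server*"' -Properties OperatingSystem |
    Get-Random -Count $SampleSize |
    Select-Object -ExpandProperty DNSHostName

# Step 2: the collector that runs on each sampled host. It returns plain objects so the
# results can be merged and exported centrally; nothing is installed on the target.
$collector = {
    $findings = New-Object System.Collections.Generic.List[object]
    $me = $env:COMPUTERNAME

    # Services whose binary is not Authenticode-signed by a publisher this host trusts.
    foreach ($svc in Get-CimInstance Win32_Service) {
        # PathName may be quoted and may carry arguments; keep only the executable.
        if ($svc.PathName -notmatch '^"?([^"]+?\.(exe|sys|dll))') { continue }
        $exe = $Matches[1]
        if (-not (Test-Path -LiteralPath $exe)) { continue }   # \??\ and \SystemRoot\ driver paths are skipped
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.Status -ne 'Valid') {
            $findings.Add([pscustomobject]@{
                Host = $me; Type = 'UnsignedService'; Name = $svc.Name; Path = $exe; Detail = $sig.Status
            })
        }
    }

    # Scheduled tasks whose action executes from outside the usual system locations.
    # Bare names such as powershell.exe are flagged too; this is a triage list, not a verdict.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property and are skipped here.
            $exe = [Environment]::ExpandEnvironmentVariables([string]$action.Execute).Trim('"')
            if (-not $exe) { continue }
            $inTrusted = $false
            foreach ($root in $trusted) {
                if ($exe.StartsWith($root, 'OrdinalIgnoreCase')) { $inTrusted = $true }
            }
            if (-not $inTrusted) {
                $findings.Add([pscustomobject]@{
                    Host = $me; Type = 'SuspiciousTask'; Name = $task.TaskName; Path = $exe; Detail = $task.TaskPath
                })
            }
        }
    }
    $findings
}

# Step 3: fan the collector out over the sample (Invoke-Command runs hosts in parallel)
# and keep track of hosts that a boundary control or WinRM setting kept us out of.
$results = Invoke-Command -ComputerName $targets -ScriptBlock $collector -ErrorAction SilentlyContinue -ErrorVariable unreachable
$results | Select-Object Host, Type, Name, Path, Detail | Export-Csv -NoTypeInformation -Path $OutCsv
'{0} findings from {1} sampled hosts; {2} hosts unreachable' -f @($results).Count, @($targets).Count, @($unreachable).Count
```

The unreachable count is worth reporting alongside the findings: a zone where every host times out is usually the "network boundaries and controls that may block access" case from the previous slide rather than a clean result.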
30. Service Overview: Deliverables
• Companies don’t know what controls they have and don’t have
• Companies are missing major controls in critical network zones
• Companies don’t configure controls correctly
o No internal resources capable of configuring the control
o No vendor was paid to configure the control
• Managed service providers are not catching real attack TTPs
• Controls are implemented with vendor defaults that don’t detect most real attacks
• No internal network logging
• Logging, but no correlation
• Alerting, but no response
• No tracking of metrics over time
• Disconnects between endpoint agents and their controllers (e.g., AV clients and the AV management server)
o Completely unmanaged, or don’t sync fast enough
The Trends: General Trends
31. Service Overview: Deliverables
• Wireless network zones
• External network zones
• Internal network zones
• Email gateways, servers, and clients
• Windows Endpoints
• Linux Endpoints
• Web Applications
• Databases
The Trends: Control Boundaries
32. Service Overview: Deliverables
• No wireless attack detection (on the wireless side or the LAN side)
o Detection features not enabled
o Detection features not available
• WEP still used in manufacturing (warehouses and assembly lines)
• WPA2-PSK still used about 25% of the time
• WEP and WPA2-PSK cracking
o No detection
• Evil twin attacks (attacking wireless endpoints)
o No detection
The Trends: Wireless Networks
33. Service Overview: Deliverables
• Minimal ability to detect scanning and attacks
• WAFs are missing or misconfigured
• OWASP Top 10 vulnerabilities allow remote access
• User and email enumeration via public resources
• Lots of internet-facing interfaces that support single-factor authentication and can be used for pivoting and dictionary attacks
o VPN, Citrix, Terminal Services, VDI, web applications
The Trends: External Networks
34. Service Overview: Deliverables
• Port scan detection can be avoided in almost all networks using Nmap -T2 or slower
• Port and vulnerability scan detection happens more often via endpoint protection than via network IDS/IPS controls
• Null sessions still yield user and computer lists
The Trends: Internal Networks
35. Service Overview: Deliverables
• Almost no one detects network attacks:
o NBNS MITM, LLMNR MITM, ARP MITM, VLAN tag spoofing, switch trunking, rogue DHCP, rogue PXE servers, unauthorized PXE downloads, etc.
• ARP spoofing is never going to die
o Vendors are still creating devices that don’t support ARP spoof detection
o Most companies don’t enable the detection or prevention features when they do exist
• Attacks via PXE boot image downloads have become more common
o Download the image to a VM, mount the disk, and add a backdoor for access
o Domain deployment account password in sysprep files
o Domain deployment account password parsed from the VM memory file
o Those domain credentials can then be used to start domain escalation
The Trends: Internal Networks
36. Service Overview: Deliverables
Network Isolation Bypasses
• Direct access to services in the isolated environment, either directly or through trusted hosts
o Identify trusted hosts via logon events
• Use management systems to execute commands
o Group Policy, patch, and configuration management systems
• Jump hosts are on the user domain and have accessible management ports without two-factor authentication
• VLAN hopping
• Switch trunking
The Trends: Internal Networks
37. Service Overview: Deliverables
• Companies seem to have three goals
- Test click rates / user awareness over time
- Test technical controls
- Inject FUD for budget procurement
The Trends: Email Attacks – General
38. Service Overview: Deliverables
• Service providers: missing some known evil attachments, doing some test execution of links and HTML
• Servers: not blocking evil attachments
• Clients: allowing execution of untrusted ClickOnce and Java apps
• Office: people like to allow macros, and those who don’t often let users change the setting themselves in the Trust Center
The Trends: Email Attacks – General
39. Service Overview: Deliverables
Payloads – Links
• Direct links to executable files
• Links to uncategorized and untrusted sites/IPs
Payloads – Phishing Sites
• Untrusted ClickOnce allowed
• Untrusted Java applets allowed
• Capturing passwords is handy when there are so many single-factor interfaces exposed to the internet
• Considering looking into XSRF to execute commands on web apps already open in insecure browsers - anyone done that?
The Trends: Email Attacks – Payloads
40. Service Overview: Deliverables
Payloads – Images in HTML emails
• Determine the physical location of individuals
• Determine firewall egress rules
• Determine allowed file attachments – works about 60% of the time
Payloads – Executable File Attachments
• Only a handful typically get through, but Office macros still work a lot
• Users often have rights to disable Office security features
• Interesting that .application ClickOnce apps seem to make it through
• Shortcut files + UNC path injection – not tested yet
• Working on a basic toolkit for testing links and executable file types…
The Trends: Email Attacks – Payloads
41. Service Overview: Deliverables
Payloads – Executable Files
Note: This is purple teamy…
1. Send hundreds of executable file types as attachments
2. Parse the inbox on the client to determine which ones make it through the service provider, server, and client
3. Cross-reference the extensions that arrive with the application file extension associations on the gold build
4. Create proof-of-concept payloads to illustrate the risk
The Trends: Email Attacks – Payloads
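The four steps above as a two-phase script, added here as an example and not the presenter's toolkit (which the slide says is still in progress). Assumptions: an SMTP relay at $SmtpServer that accepts mail from $From, Outlook installed on the test client and signed into the $To mailbox, and the report phase run on the gold build so that the HKEY_CLASSES_ROOT lookups reflect its file associations. The extension list is a constructed sample; the slide sends hundreds.

```powershell
# Added example, not from the original slides: send one benign probe attachment per
# extension, then parse the inbox and cross-reference survivors with the gold build's
# file associations. Assumptions: SMTP relay, Outlook on the client, run on the gold build.
param(
    [ValidateSet('Send', 'Report')][string]$Phase = 'Report',
    [string]$SmtpServer = 'smtp.example.org',     # assumed relay
    [string]$From = 'probe@example.org',          # assumed sender
    [string]$To = 'target@example.org',           # assumed test mailbox
    [string]$WorkDir = "$env:TEMP\attach-probe"
)
# Constructed sample of extensions; extend this to the full list you care about.
$extensions = 'exe','scr','com','pif','bat','cmd','js','jse','vbs','vbe','wsf','wsh','hta','ps1','psm1',
              'application','lnk','url','chm','jar','msi','msp','reg','docm','xlsm','pptm','iso','img'

# Step 1: one message per extension. The attachment body is plain text, so anything that
# blocks it is acting on the extension, not on content. The subject carries the extension
# so the inbox parse can correlate delivered messages with probes.
function Send-AttachmentProbe {
    New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
    foreach ($ext in $extensions) {
        $file = Join-Path $WorkDir "probe.$ext"
        Set-Content -Path $file -Value "attachment filter probe for .$ext"
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
            -Subject "ATTPROBE $ext" -Body "attachment filter probe" -Attachments $file
    }
}

# Step 2: read the inbox through Outlook's COM object. A probe counts as delivered with its
# attachment only if Attachments.Count is non-zero; gateways often strip the file but deliver
# the bare message, and that distinction is the interesting result.
function Get-DeliveredProbes {
    $outlook = New-Object -ComObject Outlook.Application
    $inbox = $outlook.GetNamespace('MAPI').GetDefaultFolder(6)   # 6 = olFolderInbox
    $delivered = @{}
    foreach ($item in $inbox.Items) {
        if ($item.Subject -match '^ATTPROBE (\S+)$') {
            $delivered[$Matches[1]] = ($item.Attachments.Count -gt 0)
        }
    }
    $delivered
}

# Step 3: map an extension to the command the gold build would run on double-click
# (HKCR\.ext -> ProgID -> shell\open\command).
function Get-OpenCommand([string]$Ext) {
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\.$Ext" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }
    (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
}

if ($Phase -eq 'Send') { Send-AttachmentProbe; return }

# Report: the matrix that step 4 (building proof-of-concept payloads) starts from. Rows with
# Attachment = True and a non-empty OpenCommand are the ones worth a payload.
$delivered = Get-DeliveredProbes
$matrix = foreach ($ext in $extensions) {
    [pscustomobject]@{
        Extension   = ".$ext"
        Message     = $delivered.ContainsKey($ext)
        Attachment  = [bool]$delivered[$ext]
        OpenCommand = Get-OpenCommand $ext
    }
}
$matrix | Format-Table -AutoSize -Wrap
```

Run `-Phase Send` from the sending side, wait for delivery, then run the default `Report` phase on the gold-build client that holds the target mailbox; doing the report on the gold build is what makes the OpenCommand column meaningful.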
43. Service Overview: Deliverables
- Missing and broken two-factor authentication
- Missing hard drive encryption
- Missing and disabled endpoint protection on servers
- Missing ability to detect common persistence methods and anomalous logins:
o File, registry, application, and database autoruns
o Windows services
o Windows scheduled tasks
o WMI triggers and providers
o Logins from an unexpected country
o Logins at an unexpected time
The Trends: Windows Endpoints
44. Service Overview: Deliverables
• 80% of companies can detect a Domain Admin being added
• Most companies are blind to almost everything else
• SPNs are very useful for server and user targeting
• Active session scanning can be useful for user targeting (DCs and file, Citrix, and Exchange servers yield the best immediate results)
• BloodHound can be very useful if you have enough time to map escalation paths
• Kerberoasting and AS-REP roasting are very useful for domain escalation
• Password dumping, DCSync, and ntds.dit via Invoke-NinjaCopy.ps1, NTDSUTIL, or VSSADMIN
• Group Policy modifications
• Netlogon script modifications
• SYSVOL DACL modifications
• User and computer object DACL modifications
• Delegation of privileges (password reset, replication, etc.)
• Group Policy Preferences passwords are disabled in most environments, but some companies forget to clean up the XML files and the passwords are still valid
• SID history works in most environments to escalate from a child domain to the parent domain
• Lots of user and domain admin password sharing
• Lots of domain admins sharing passwords between domains
The Trends: Windows Domains
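The slide's point is that most shops catch the Domain Admin add and little else. The script below is an added example, not from the original slides: it pulls the one detection everyone has (privileged group membership changes) and two of the techniques the slide says go unseen (DCSync and Kerberoasting) out of a domain controller's Security log with Get-WinEvent. Assumptions: the caller can read the DC's Security log remotely, and the DC audits Security Group Management (4728/4732/4756), Directory Service Access (4662) and Kerberos Service Ticket Operations (4769). The two GUIDs are the documented DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights; the privileged group list and the Kerberoast threshold are choices made here.

```powershell
# Added example, not from the original slides: three Security-log detections for the
# domain escalation techniques listed above. Assumptions: remote read access to the DC
# Security log and the audit subcategories named in the lead-in enabled.
param(
    [string]$Dc = $env:COMPUTERNAME,
    [int]$Hours = 24,
    [int]$RoastThreshold = 5   # distinct SPNs requested with RC4 by one source IP before alerting
)
$filterBase = @{ LogName = 'Security'; StartTime = (Get-Date).AddHours(-$Hours) }

# Pull a named EventData field out of the event XML (the message text is locale dependent;
# the XML field names are not).
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}
function Get-DcEvents([int[]]$Id) {
    Get-WinEvent -ComputerName $Dc -FilterHashtable ($filterBase + @{ Id = $Id }) -ErrorAction SilentlyContinue
}
$alerts = New-Object System.Collections.Generic.List[object]

# 1. The detection most environments already have: a member added to a privileged group
#    (4728 = global group, 4732 = domain local group, 4756 = universal group).
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
foreach ($e in Get-DcEvents 4728, 4732, 4756) {
    $group = Get-EventField $e 'TargetUserName'
    if ($group -in $privGroups) {
        $alerts.Add([pscustomobject]@{ Time = $e.TimeCreated; Alert = 'PrivilegedGroupAdd'
            Detail = '{0} added {1} to {2}' -f (Get-EventField $e 'SubjectUserName'), (Get-EventField $e 'MemberName'), $group })
    }
}

# 2. DCSync: a 4662 in which an account that is not a domain controller (no trailing $)
#    exercised a replication right. Baseline legitimate non-DC replicators first
#    (e.g. a directory sync service account) or this will page on them too.
$replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
foreach ($e in Get-DcEvents 4662) {
    $who = Get-EventField $e 'SubjectUserName'
    $props = Get-EventField $e 'Properties'
    if ($who -notmatch '\$$' -and ($replGuids | Where-Object { $props -match $_ })) {
        $alerts.Add([pscustomobject]@{ Time = $e.TimeCreated; Alert = 'ReplicationRequest'
            Detail = '{0}\{1} requested directory replication' -f (Get-EventField $e 'SubjectDomainName'), $who })
    }
}

# 3. Kerberoasting: one source requesting RC4 (0x17) service tickets for many SPNs that
#    belong to user accounts (machine SPNs end in $; krbtgt is excluded as noise).
$roast = foreach ($e in Get-DcEvents 4769) {
    $svc = Get-EventField $e 'ServiceName'
    if ((Get-EventField $e 'TicketEncryptionType') -eq '0x17' -and $svc -notmatch '\$$' -and $svc -ne 'krbtgt') {
        [pscustomobject]@{ Ip = (Get-EventField $e 'IpAddress'); Spn = $svc; User = (Get-EventField $e 'TargetUserName') }
    }
}
foreach ($g in $roast | Group-Object Ip) {
    $spns = @($g.Group.Spn | Sort-Object -Unique)
    if ($spns.Count -ge $RoastThreshold) {
        $alerts.Add([pscustomobject]@{ Time = Get-Date; Alert = 'PossibleKerberoast'
            Detail = '{0} ({1}) requested RC4 tickets for {2} SPNs: {3}' -f $g.Name, ($g.Group.User | Select-Object -First 1), $spns.Count, ($spns -join ', ') })
    }
}
$alerts | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Each of the three checks maps to a row in the gap exercise from the approach slides: if the script finds the events but nobody was paged, the event is "logged" but neither correlated nor alerted; if 4662 or 4769 are absent entirely, the audit policy is the gap.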
45. Service Overview: Deliverables
Linux Endpoints
- No centralized detection capabilities
- Sudo configuration issues
- World-readable/writable daemons and cron scripts
- Common issues like Heartbleed and Shellshock
- Excessive share privileges
- NFS mountable as root: grab keys and authenticate
- SMB writable by everyone
- FTP writable by anonymous (web roots are the best)
- Shared NAS between servers enables lateral movement via home directories
The Trends: Linux Endpoints
46. Service Overview: Deliverables
• SQL injection
• XML external entity (XXE) injection
• Upload functionality
• Application publishing platforms like Tomcat, JBoss, etc.
• Database and domain credentials are stored everywhere
o In code
o In web.config
o In application.config
o Connection string cheat sheet: https://gist.github.com/nullbind/91c573b0e27682733f97d4e6eebe36f8
• Code repository auditing can usually be bypassed once you have SYSTEM on the box and can run as the service account
The Trends: Web Applications
47. Service Overview: Deliverables
• Common platforms include SQL Server, Oracle, MySQL, and DB2
• Almost no companies audit beyond failed login attempts
• Database teams seem to identify failed login attempts more often than AD or response teams do, on average
• Excessive privileges allow normal domain users to log in
• Lots of vendor defaults and unsupported versions
• Escalation via weak passwords, UNC path injection, shared service accounts, and database links
The Trends: Databases
48. Service Overview: Deliverables
• Servers and DCs with direct access to the internet!
• Tons of options in most environments, without detection:
o TCP ports: 100%. Authenticated outbound on 80/443, reflection through trusted sites, and unauthenticated outbound on various ports (21, 22, 23, 25, 53, 110)
o UDP ports: 50%
o ICMP tunnel: 50%
o DNS tunnel: 80%
o SMTP tunnel: 100%
o Skype tunnel: 100%
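An egress check that exercises the channels in the list above from a host inside the zone under test, added here as an example and not the presenter's tooling. Assumptions: $Listener is an internet host you control that accepts TCP on the tested ports and answers ping, and $Domain is a zone whose authoritative name server you run with a wildcard A record, so a successful lookup of a random label proves the query left the network (the precondition for a DNS tunnel). The port list and the proxy handling are choices made here. It measures which channels are open, which is what feeds the percentages above; it does not build the tunnel.

```powershell
# Added example, not from the original slides: test direct TCP, proxied HTTP, ICMP and DNS
# egress from the current host. Assumptions: $Listener and $Domain are under your control.
param(
    [string]$Listener = 'egress-test.example.org',   # assumed, your internet listener
    [string]$Domain   = 'exfil-test.example.org',    # assumed, your authoritative zone with a wildcard A record
    [int[]]$TcpPorts  = @(21, 22, 23, 25, 53, 80, 110, 443, 8080)
)
$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Channel, [bool]$Open, [string]$Note) {
    $results.Add([pscustomobject]@{ Channel = $Channel; Open = $Open; Note = $Note })
}

# Direct (unproxied) TCP egress, port by port. Test-NetConnection opens a raw socket, so a
# success here means the firewall lets this host out directly on that port.
foreach ($port in $TcpPorts) {
    $tcp = Test-NetConnection -ComputerName $Listener -Port $port -WarningAction SilentlyContinue
    Add-Result "tcp/$port" $tcp.TcpTestSucceeded "remote $($tcp.RemoteAddress)"
}

# The "authenticated outbound on 80/443" case: go through the system proxy with the
# current user's credentials, which is what a beacon running as the user would do.
[System.Net.WebRequest]::DefaultWebProxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
try {
    $r = Invoke-WebRequest -Uri "http://$Listener/" -UseBasicParsing -TimeoutSec 10
    Add-Result 'http-via-proxy' $true "status $($r.StatusCode)"
} catch {
    Add-Result 'http-via-proxy' $false $_.Exception.Message
}

# ICMP egress (Test-NetConnection without -Port is a ping).
$ping = Test-NetConnection -ComputerName $Listener -WarningAction SilentlyContinue
Add-Result 'icmp' $ping.PingSucceeded ''

# DNS egress: the internal resolver has to forward a label it has never seen to your
# authoritative server; the random label defeats caching. Confirm against your server's
# query log, which is the real proof that the query left the network.
$label = [guid]::NewGuid().ToString('N').Substring(0, 12)
try {
    $null = Resolve-DnsName -Name "$label.$Domain" -Type A -DnsOnly -ErrorAction Stop
    Add-Result 'dns' $true "resolved $label.$Domain"
} catch {
    Add-Result 'dns' $false $_.Exception.Message
}

$results | Format-Table -AutoSize
```

Run it once per zone (user VLAN, server VLAN, DMZ) and record the table next to what the network monitoring actually alerted on; an open channel that produced no alert is the combination the slide's percentages describe.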