2. Presenter
Will Pearce
Joined FRSecure in 2014
OSCP, SWCCDC Red Team, OSCE (in progress).
InfoSec Crushes
◦ Raphael Mudge (@armitagehacker) – blog.Cobaltstrike.com
◦ Matt Weeks (@scriptjunkie) scriptjunkie.us
3. But Why…
• Organizations get penetration tests year after year, yet companies still get breached because they’re STILL missing the basics.
• Traditional penetration tests are failing to prepare organizations for the threats they actually face. They’ve become a commodity of compliance and box-checking.
• Remediation steps rarely include management objectives.
• General lack of excitement for Blue Team functions. Red team is sexy, but just a tool.
• Do you even have a JBoss server? (Then why are you seeing alerts for it?)
4. Our Definition of Purple Teaming
Improving cyber security by leveraging red teams as representative adversaries. Using red actions, blue teams practice detection and response against active threats.
“Putting more Offense in your Defense”
-Chris Gates
6. Different Focus Cont’d
Military Model (Red vs. Blue)
◦ Military Mindset: National Security
◦ Private Sector Mindset: Security for Cheap
Collaborative Security (Red + Blue)
◦ What did it look like on blue side?
◦ How did red get there?
Exercise IR Plan
◦ Find the gaps in people, technology, and processes.
◦ Detection 50%, Response 50%
Educational
◦ Consultants come on site with expertise, then leave at the end of the day taking their expertise with them.
7. Different Focus Cont’d
Validates tools/processes.
◦ Certain people not getting alerts/responding to alerts.
Find paths of least resistance.
◦ Repeat.
Assumes a hardened network.
◦ Preparation is key. Doing some research upfront can save $$$
◦ Scope is key
Gets to the point.
◦ Remediation steps are valuable, generally structural in nature (at first)
Practice, Practice, Practice
◦ Gain confidence in IR
◦ Save $$$$
8. Time is the Commodity
CURRENT
◦ Attack Sim.
◦ Full Scope Penetration Test
◦ Vulnerability Assessment
FUTURE
◦ Vulnerability Assessment
◦ Full Scope Penetration Test
◦ Attack Sim.
9. Lack of Malware
It’s not all about the malware
◦ Poison Login.bat
◦ Poison other scripts
Spot the Malware (You won’t find it)
◦ PowerShell
◦ Regsvr32
◦ Rundll32
◦ Tracker
◦ notepad
10. Scenario Based
Let’s pretend…
◦ Alice has been CryptoLockered
Results
◦ Alice has access to these shares. 3 of which Alice should not have access to.
◦ Alice is a local admin.
◦ Alice can run macros in documents from the internet.
◦ AV failed to detect.
◦ Spam filter worked but Alice moved it out of junk.
◦ Our backups are insufficient.
11. Scenario Based
Let’s pretend
◦ External terminal server has been breached, Bob logged in from Germany after several failed attempts.
Results
◦ Terminal server has access to these systems.
◦ Excessive failed attempts do not generate alerts.
◦ Bob has excessive failed attempts to log in on these systems.
◦ Bob successfully logged into these systems.
◦ Bob is a local admin on random webdev system on the domain.
◦ Webdev machine has production data.
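The two findings above (failed attempts that generate no alert, and a successful logon from an unexpected country) are both cheap to detect if the logon events are actually collected. The following is an added example written for this page, not code from the talk or from FRSecure: it runs two simple rules over a constructed set of Windows logon events (4625 = failed, 4624 = success). The sample records, the IP-to-country table standing in for a GeoIP lookup, and the `EXPECTED_COUNTRIES` set are all invented assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log logon events in simplified form.
# 4625 = failed logon, 4624 = successful logon. Made up for this example; not
# logs from the engagement described on the slide.
SAMPLE_LOGON_EVENTS = [
    {"time": "2016-03-01T02:10:00", "event_id": 4625, "user": "bob", "src_ip": "203.0.113.7", "host": "TS01"},
    {"time": "2016-03-01T02:11:00", "event_id": 4625, "user": "bob", "src_ip": "203.0.113.7", "host": "TS01"},
    {"time": "2016-03-01T02:12:00", "event_id": 4625, "user": "bob", "src_ip": "203.0.113.7", "host": "TS01"},
    {"time": "2016-03-01T02:13:00", "event_id": 4625, "user": "bob", "src_ip": "203.0.113.7", "host": "TS01"},
    {"time": "2016-03-01T02:14:00", "event_id": 4625, "user": "bob", "src_ip": "203.0.113.7", "host": "TS01"},
    {"time": "2016-03-01T02:15:00", "event_id": 4625, "user": "bob", "src_ip": "203.0.113.7", "host": "TS01"},
    {"time": "2016-03-01T02:16:30", "event_id": 4624, "user": "bob", "src_ip": "203.0.113.7", "host": "TS01"},
    # Alice mistypes her password once and then gets in: normal, should not alert.
    {"time": "2016-03-01T09:00:00", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.15", "host": "TS01"},
    {"time": "2016-03-01T09:00:20", "event_id": 4624, "user": "alice", "src_ip": "10.0.0.15", "host": "TS01"},
]

# Constructed IP-to-country table standing in for a GeoIP database (assumption).
IP_COUNTRY = {"203.0.113.7": "DE", "10.0.0.15": "US"}
# Constructed: countries this organisation's users normally log in from.
EXPECTED_COUNTRIES = {"US"}


def _ts(record):
    return datetime.fromisoformat(record["time"])


def find_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=15)):
    """Flag a successful logon preceded by >= threshold failures from the same
    (user, source IP) pair within `window`. One alert per such success."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=_ts):
        key = (ev["user"], ev["src_ip"])
        t = _ts(ev)
        if ev["event_id"] == 4625:
            failures[key].append(t)
        elif ev["event_id"] == 4624:
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "bruteforce_then_success",
                    "user": ev["user"], "src_ip": ev["src_ip"], "host": ev["host"],
                    "failed_before_success": len(recent), "success_at": ev["time"],
                })
            failures[key].clear()  # a success ends the current burst
    return alerts


def find_unexpected_geo_logons(events, ip_country=IP_COUNTRY, expected=EXPECTED_COUNTRIES):
    """Flag successful logons whose source country is outside the expected set."""
    alerts = []
    for ev in events:
        if ev["event_id"] != 4624:
            continue
        country = ip_country.get(ev["src_ip"], "??")  # unknown IPs are flagged too
        if country not in expected:
            alerts.append({"rule": "unexpected_geo_logon", "user": ev["user"],
                           "src_ip": ev["src_ip"], "country": country, "host": ev["host"]})
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce_then_success(SAMPLE_LOGON_EVENTS) + find_unexpected_geo_logons(SAMPLE_LOGON_EVENTS):
        print(alert)
```

Both rules fire on Bob's session and neither on Alice's single typo. The threshold and window are the tuning knobs; the point of the exercise on the slide is that nobody had set any threshold at all.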
12. Scenario Based
Scenario
◦ Sourcefire is alerting on DNS beacons. Internal host communicated 2, 4, and 6 weeks ago.
Results
◦ Several internal IPs are communicating to the same address space.
◦ Traffic has matched known APT signatures.
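A beacon that checks in every two weeks will never trip a volume-based alert; what gives it away is the regularity of the interval and the fact that several internal hosts end up talking to the same address space. As an added example (not code from the talk, and not how Sourcefire produced the alert), the following runs those two checks over a constructed DNS resolver log. The hostnames, addresses and timestamps are invented.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network
from statistics import mean, pstdev

# Constructed DNS resolver log: (timestamp, internal source IP, queried name, answer IP).
# Invented for this example; not data from the alert the slide describes.
SAMPLE_DNS_LOG = [
    ("2016-01-04T03:00:05", "10.0.1.20", "update-cdn.example.net", "198.51.100.21"),
    ("2016-01-18T03:00:07", "10.0.1.20", "update-cdn.example.net", "198.51.100.21"),
    ("2016-02-01T03:00:04", "10.0.1.20", "update-cdn.example.net", "198.51.100.22"),
    ("2016-02-15T03:00:09", "10.0.1.20", "update-cdn.example.net", "198.51.100.22"),
    # a second internal host resolving into the same /24, on its own schedule
    ("2016-01-09T22:30:00", "10.0.1.33", "sync.example.net", "198.51.100.40"),
    ("2016-01-23T22:31:00", "10.0.1.33", "sync.example.net", "198.51.100.40"),
    # ordinary browsing from the first host: irregular, should not be flagged
    ("2016-01-10T11:22:33", "10.0.1.20", "www.example.com", "93.184.216.34"),
    ("2016-01-11T09:05:00", "10.0.1.20", "www.example.com", "93.184.216.34"),
    ("2016-01-20T16:40:00", "10.0.1.20", "www.example.com", "93.184.216.34"),
    ("2016-02-03T08:15:00", "10.0.1.20", "www.example.com", "93.184.216.34"),
]


def find_beacons(records, min_events=4, max_cv=0.05):
    """Group queries by (source host, queried name) and flag groups whose
    inter-query intervals are nearly constant, i.e. whose coefficient of
    variation (stddev / mean of the gaps) is at or below max_cv."""
    by_pair = defaultdict(list)
    for ts, src, name, _answer in records:
        by_pair[(src, name)].append(datetime.fromisoformat(ts))
    beacons = []
    for (src, name), times in by_pair.items():
        if len(times) < min_events:
            continue  # too few points to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons.append({"src_ip": src, "name": name, "events": len(times),
                            "mean_interval_days": avg / 86400, "cv": cv})
    return beacons


def hosts_sharing_dest_prefix(records, prefix_len=24, min_hosts=2):
    """Map each answer network (default /24) to the internal hosts that resolved
    something into it; keep only networks shared by at least min_hosts hosts."""
    hosts_by_net = defaultdict(set)
    for _ts, src, _name, answer in records:
        net = ip_network(f"{answer}/{prefix_len}", strict=False)
        hosts_by_net[str(net)].add(src)
    return {net: hosts for net, hosts in hosts_by_net.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print(find_beacons(SAMPLE_DNS_LOG))
    print(hosts_sharing_dest_prefix(SAMPLE_DNS_LOG))
```

The periodicity check is deliberately naive (it ignores jitter a smarter implant would add), but it is enough to surface the fortnightly pattern on the slide from plain resolver logs, which most organisations already have and rarely look at.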
13. Two Kinds of Customers
Those who think they have everything buttoned up.
◦ Generally get high marks on audits and assessments.
◦ False sense of security.
◦ A lack of humility costs $$$
Those who are working on maturing their processes.
◦ Do research and go beyond what audits and assessments tell them.
◦ Not necessarily assessment focused.
◦ Know they’re not perfect, put effort in anyway.
14. Common Issues
• Tools that cannot be properly implemented AND maintained.
• Lack of network visibility, knowledge of what is on the network, or what is even supposed to be on the network – not just devices, software too.
• Lack of real network segmentation.
• Lack of manpower and resources.
• Little knowledge of how attacks happen. Anyone alerting on PowerShell.exe?
• Lack of system hardening.
◦ STIG it!
• Lack of 2FA for external services.
16. Put Controls Around Admin Tools
• AppLocker, Device Guard, LAPS
• Alert on the use of admin tools.
• Alert on new services.
◦ (netsrv.exe)
• Accounts logging into systems they shouldn’t be, at odd times.
• Turn on various Windows logging abilities that are off by default.
◦ Firewall Logs
◦ PowerShell Logs
◦ Object Access
◦ File Access
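Slide 9 (PowerShell, Regsvr32, Rundll32 and friends used instead of malware) and the bullets above (alert on admin tools, on new services such as netsrv.exe, and on accounts logging in at odd times) describe three detections that only work once the corresponding logs are switched on and someone has a baseline. The following is an added example written for this page, not code from the talk: three rules over constructed Windows events (7045 new service, 4688 process creation, 4624 logon). The allowlists, service baseline, business hours and sample events are all invented assumptions that a real deployment would replace with its own.

```python
from datetime import datetime, time

# Constructed baselines (assumptions for this example, not from the talk).
ADMIN_TOOLS = {"powershell.exe", "regsvr32.exe", "rundll32.exe", "tracker.exe",
               "psexec.exe", "wmic.exe", "net.exe"}
ADMIN_ACCOUNTS = {"ops-admin"}              # accounts expected to run admin tools
KNOWN_SERVICES = {"Spooler", "WinDefend"}   # service names seen during a baseline
TRUSTED_IMAGE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # interactive logons expected in this range

# Constructed Windows events in simplified form. 7045 = new service installed
# (System log), 4688 = process creation, 4624 = successful logon (Security log).
SAMPLE_EVENTS = [
    {"time": "2016-03-02T10:14:50", "event_id": 4688, "host": "WS-ALICE", "user": "alice",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"time": "2016-03-02T10:15:00", "event_id": 7045, "host": "FS01", "user": "alice",
     "service": "netsrv", "image_path": "C:\\Users\\Public\\netsrv.exe"},
    {"time": "2016-03-02T11:00:00", "event_id": 4688, "host": "DC01", "user": "ops-admin",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"time": "2016-03-02T09:00:00", "event_id": 4688, "host": "WS-ALICE", "user": "alice",
     "process": "C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE"},
    {"time": "2016-03-02T03:12:00", "event_id": 4624, "host": "WS-ALICE", "user": "bob"},
    {"time": "2016-03-02T08:30:00", "event_id": 4624, "host": "WS-ALICE", "user": "alice"},
    {"time": "2016-03-02T12:00:00", "event_id": 7045, "host": "FS01", "user": "SYSTEM",
     "service": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
]


def check_new_service(ev):
    """Alert on a 7045 whose service name is not baselined or whose binary
    lives outside the trusted directories."""
    if ev["event_id"] != 7045:
        return None
    path = ev["image_path"].lower()
    if ev["service"] in KNOWN_SERVICES and path.startswith(TRUSTED_IMAGE_DIRS):
        return None
    return {"rule": "new_service", "host": ev["host"], "service": ev["service"],
            "image_path": ev["image_path"]}


def check_admin_tool(ev):
    """Alert on a 4688 for an admin tool / living-off-the-land binary started
    by an account that is not expected to use it."""
    if ev["event_id"] != 4688:
        return None
    exe = ev["process"].rsplit("\\", 1)[-1].lower()
    if exe in ADMIN_TOOLS and ev["user"] not in ADMIN_ACCOUNTS:
        return {"rule": "admin_tool", "host": ev["host"], "user": ev["user"], "process": exe}
    return None


def check_off_hours_logon(ev):
    """Alert on a 4624 outside business hours."""
    if ev["event_id"] != 4624:
        return None
    t = datetime.fromisoformat(ev["time"]).time()
    start, end = BUSINESS_HOURS
    if start <= t <= end:
        return None
    return {"rule": "off_hours_logon", "host": ev["host"], "user": ev["user"], "time": ev["time"]}


RULES = (check_new_service, check_admin_tool, check_off_hours_logon)


def run_detections(events):
    """Apply every rule to every event; return the alerts in time order."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the sample, Alice's PowerShell, the netsrv service dropped in a user-writable directory and Bob's 3 a.m. logon each produce one alert; the admin's PowerShell, Excel and the re-registered Spooler do not. The baseline is what makes the rules usable: without a list of known services and admin accounts, every line is an alert, which is how "alerts for a JBoss server you don't have" happens.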
17. Vulnerabilities: an Honorable Mention
Patching is a lagging defense mechanism.
◦ Vuln -> Discovery -> Patch -> Push
Vulnerabilities are not a big deal anymore (internally).
◦ Users still click on stuff.
◦ whoami /groups
◦ Still patch diligently
Trust materials: protect them.
◦ 2FA
◦ Remove caching of creds
◦ Remove Local Administrative access from users. Please.
19. First and Foremost
Information Security is NOT an Information Technology function. They may sound the same, but they’re quite different.
Information Security is NOT about saying no, it’s about finding a secure solution to a business need.
ALL engagements go better if management willingly involves itself.
Information Security is seen as a cost center – there is marketing value in being secure.
21. Purple Teaming’s place in an information security program
Information security: administrative, physical and technical controls which minimize risks associated with the confidentiality, integrity and availability of data.
Enhances almost every facet of your program, because it places greater emphasis on the human element.
◦ Enumerates structural issues within the network (technical)
◦ Identifies deficiencies in logging and monitoring capabilities (technical)
◦ Strengthens monitoring and response plans (administrative)
◦ Satisfies audit/vendor management requirements (administrative)
22. Communicating results (without getting fired)
Effectively communicate outcomes prior to engagement
◦ Level with them - “Given enough time, resources and motivation, any network is susceptible to breach”
◦ Justify the cost - The reason these are so expensive is because they are so good, they will provide
capability we may never see “in the wild”.
◦ Utilize cost/benefit - We’re going to learn our weaknesses in one of two ways: the good guys will find it,
or the bad guys will. The good guys are typically cheaper.
◦ Baffle them with bullshit – We need to know if the MPLS is inherently POODLE’d when IP/TCP traverses
multiple virtual clusters. That’s what they did in Office Space.
Incorporate them in the exercise
◦ Any executive team acting as an incident response committee during a concurrent table-top exercise
derives value, sense of accomplishment and empathy for the difficulties you face. We are more
accepting of “us” mistakes than “them”.
23. Including Executives
Purple Team Exercise – The Bob goes to China
Technical team – Confirm containment and determine severity
◦ Contain the potential breach, as much as possible, ASAP
◦ Determine if a breach occurred, review audit logs (local, gateway, etc), inspect devices
Executive team – Determine appropriate action
◦ Ascertain situation based on streaming information from technical team
24. Speaking of Audit…
Audits typically test the design and implementation of controls; they do not address the efficacy of those controls. Purple teaming does.
IPS is in place
IPS is reviewed and tuned on a regular basis
? IPS is actually detecting and correcting realistic adversarial tactics
NMAP is run periodically to enumerate open ports
Results are reviewed by network admin, unnecessary ports closed
? The ports left open are risk free?
Companies fail to look internally at scale.
Penetration tests are supposed to prepare a company for an actual attack.
How many get a list of things to patch, how many get a pentest with SSL vulns listed, how many get a pentest
Critical alert for server/port that the organization doesn’t even have open.
Red doesn’t have to be some elite group, could be a sysadmin and Google. Doesn’t have to be an extended engagement, week long sprints of IR.
I haven’t used an exploit in almost a year, not necessary.
The military’s job isn’t to make money, it’s to protect information. Mission oriented vs money oriented.
Red can’t buy every possible tool to have a test with, similarly blue can’t spend an inordinate amount of time coming up with new threat models.
Alerts for Domain Admins but not Enterprise Admins – Logging was wholly insufficient, couldn’t detect anything – Rebooting servers to kill sessions in memory + CFO killed project.
Educating people saves $$$
Does your firewall work?
Low hanging fruit.
Don’t spend money if you’re not prepared. Same for penetration test.
Not going to give you a list of patches.
How many practice the IR plan?
Don’t have to spend cash on IR.
Orgs spend an inordinate time remediating vulns, when they should spend it phishing their users and remediating that.
There isn’t any!
You can be hacked. Catch every attack for a year?
Understand network isn’t perfect. Work to understand and mature.
Be the second kind of customer – learn as much as you can from the offensive side.
Why spend so much on tools if you cannot adequately support them? If it’s for a compliance requirement and you’re not going to use the data, go with something free… Louis C.K. weighs himself but isn’t using the information to improve himself. Explore the functionality of the tools you already have.
Not all systems are being logged, alerts aren’t setup, only default logging is implemented.
This is not a small task; being effective at defining attack paths probably needs a software solution.
Give lesser experienced people a chance, train and mentor. They’re cheaper and work harder.
Open ports, default creds, WPAD, Cached creds, etc. Common stuff that a bit of time and some Googling could solve.
A script to run common methods of privilege escalation.
Checks to see if user is a local admin somewhere on the network. Checks what shares the user has access to, I use it to search for passwords/scripts I can edit.
Microsoft inadvertently released key.
WPAD, SMB MitM/Spoofing
Effectively a Domain Administrator
How many have seen this run, in a report, or run this themselves
1. It’s not perfect, but it’s free.
2. Alice should not be using PowerShell
3. netsrv.exe
4. Why is Bob logging into Alice’s system – why can Bob log into Alice’s system?
5. Genuinely helpful to log stuff.
Vulnerabilities exist and they always will, having 100% patched devices still won’t protect you from unknown vulnerabilities, or users clicking on things they shouldn’t.
2. Should still patch, but patching isn’t the be-all and end-all.
3. See Low-Hanging Fruit