Building a Successful Internal Adversarial Simulation Team - Chris Gates & Chris Nickerson
8 likes2,854 views
The document discusses the importance of adversarial simulations in cybersecurity, detailing the various roles involved in red teaming, blue teaming, and purple teaming. It outlines the structure, processes, and metrics necessary for a successful internal adversarial simulation team and highlights the need for clarity in terminology and task execution. Key steps include creating a problem statement, defining project execution, and assessing both offensive and defensive capabilities to enhance organizational security readiness.
![Technique Func0on Methods for detec0on Methods for protec0on Detec0on Mat
urity
Protec0on Mat
urity
Last Test
Date
LSASS password/
hash recovery
Local Security
Authority Subsystem
Service (LSASS) is a
process in MicrosoH
Windows opera0ng
systems that is
responsible for
enforcing the security
policy on the system.
It verifies users
logging on to a
Windows computer or
server, handles
password changes,
and creates access
tokens. (from
Wikipedia)
For the purposes of
Single Sign On (SSO) in
Windows
environments, lsass
also stores the NT
hash and some0mes,
in the case of wdigest,
the cleartext
creden0als of users
who have logged into
the system. These can
be recovered by
dumping the contents
of the process in
memory through use
tools such as
procdump and
mimikatz.
The most op0mal way to detect this is to
iden0fy processes that are crossproc'd
into lsass. The signal to noise ra0o here is
high, due to the nature of lsass' func0on.
Typically meterpreter uses rundll32 to
run, so iden0fying rundll32 into lsass
along with processes injected into
winlogon that cross process into lsass will
reliably iden0fy malicious ac0vity
An automated password management
tool such as CyberArk can be used to
randomize passwords and change them
aHer every use, thus decreasing the
efficacy of mimikatz as any recovered
creden0al will likely be expired.
Further, on all windows 8/2012+ desktops
and servers, wdigest should be disabled in
accordance with the following KB ar0cle
from MicrosoH:
h]ps://support.microsoH.com/en-us/kb/
2871997
Enforcing the principle of Least User
Access will also help mi0gate the
effec0veness of mimikatz as it will limit
the access provided by the compromised
creden0als.
Lastly, adding some form of Two Factor
Authen0ca0on, such as smart cards, can
further limit the usefulness of the
recovered creden0als.
Rules wri]en
in carbon
black to detect
cross process
ac0vity from
rundll32 into
lsass
Rule wri]en to
iden0fy
PowerShell
crossproc into
lsass.
Addi0onal rule
wri]en to
detect an
injected
process into
winlogon with
cross process
ac0vity into
lsass
.
32FA (user-land
only), some
CyberArk
usage, some
creden0als
flushed every
24 hours
1
4/7/2016](https://image.slidesharecdn.com/chrisgateschrisnickerson-adversarialsimulationteam-161213160110/85/Building-a-Successful-Internal-Adversarial-Simulation-Team-Chris-Gates-Chris-Nickerson-54-320.jpg)
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Chris Nickerson
- 1. aka: Some new term to use because we keep screwing up terminology and treating people like children with a crayon box Adversarial Modeling Exercises Simulation
- 3. HI…I’m Chris
- 6. • Cursing • Racism • Religious Prejudice • Sex • Drugs • Daddy / Abandonment issues • Socio Economic Hate crimes • Thin Skin • Lack of sense of humor • Sexual orientation • Sexism • Violence • Vomiting • Abuse • Truth • Fear • Honesty • Facts • Emotions • Opinions
- 9. Chris Gates - Sr. Incident Response Engineer - Uber Twitter: @carnal0wnage Blog: carnal0wnage.attackresearch.com Talks: slideshare.net/chrisgates
- 19. A story • Got Red Teamed at work • It was not fun • I’m usually the person bringing the pain, not receiving it • Tons of thoughts and emotions
- 22. A story Then… realization • I was probably that a$$hole on the phone • Actually, I’m sure of it • Super difficult to give valid recommendations in a generic way • I’m blind to internal processes, roadmaps, politics
- 23. A story We give recommendations like these:
- 24. A story • Do a bunch of complex recommendations, then you’ll be “secure” • Most org fail at the basics, but basics aren’t sexy • In fact tell an org they need to do a bunch of basic hardening and see if you get follow-on work
- 26. Problems With Testing Today • Limited metrics • Increased Tech debt • Fracturing of TEAM mentality • Looks NOTHING like an attack • Gives limited experience • Is a step above Vuln Assessment • Is NOT essential to the success of the organization • Is REALLY just a glorified internal pentest team
- 27. Building a successful internal Adversarial Simulation Team
- 28. Easy! Standard players: (limited scope, limited flexibility) Step #1: Get people who can do the hack Step #1.5: Complain about the scope Step #2: Hack all the things! Step #3: Write up stuff to tell people why the hax iz bad. Advanced players: ( increased scope and flexibility) Step #4: Tell Defense Team how u did hax Step #5: Defense team does defensive’y stuff or blames team that refuses to patch the thing Step #6: repeat
- 30. Terminology: Gotta get a few things straight first • We keep screwing up terms • Vulnerability Assessment person ( U ran a Vuln scanner?) • Penetration Tester ( U hit autopwn) • Red Teamer ( U hit autopwn and moved laterally? Maybe even found “sensitive stuff”) • Purple Teamer (U did all of the above but charged more to talk with the defense teams during the test) • ADVERSARIAL ENGINEER (U exist to simulate real world TTP’s, generate experience, and provide metric scoring of corporate readiness/resistance to attack)
- 35. #1 You need a charter and a Problem statement
- 36. Charter • Analyze real world threats against $Company. • Develop attack models which validate our detection capabilities. • Validate our detection, prevention, and response against real world threats. • Provide metrics around $Company’s corporate readiness/ resistance to various attacks across a broad set of threat tactics, techniques, and procedures (TTPs) via table top exercises, automated, and manual testing. • GOAL: Predict likelihood of successful attacks before they happen
- 37. #2 Define how you will accomplish solving the problem and how the team will get/consume projects
- 39. #3 Create a repeatable strategy for execution of simulations
- 42. • Unit testing for you detection rules • You don’t deploy untested code to prod do you? • Automate attacks and verify responses
- 43. Example
- 44. Example
- 45. Example
- 46. #4 Creation of an information sharing platform and knowledgebase
- 48. #5 Assemble your team and tools Think ahead, This is not your normal pentest team! • Servers • Storage • Hardware • Tools • Implants • Customizations • Virtualization infrastructure • Access to all defensive tools • Built out lab environments to recreate / replicate • Cracking Rigs and more…
- 49. #6 Create formal collateral • Introduction of the team and it’s capabilities • Services Line Card • Engineering bios and availability • Scoping documentation/questionnaires • Rules of engagement • Internal information handling policy, procedure, process • Engagement request process • Defensive Team Collaboration Workflow • Threat Intel Team Collaboration Workflow • Approval notification Protocols • Templated / Automated reporting output • Team Member Skill matrix
- 52. #8 Provide Metrics that evaluate each TTP from a protective, detective and response perspective
- 53. Color Key: Detec-on Maturity Protec-on Maturity 0 No Detec-on Controls No Protec-on Controls 1 Non-Centralized Logging Par-ally Deployed 2 Centralized Logging, but no Alerts Fully Deployed but Defeatable 3 Centralized Logs, Reac-ve, Insufficient Alerts, false nega-ves or posi-ves (Func-onal) Fully Deployed, Non-Defeatable 4 Centralized, Automated Alerts, Proac-ve, Requires response, no false posi-ves (Stable) Fully Deployed, Non-Defeatable, and Aler-ng in place
- 54. Technique Func0on Methods for detec0on Methods for protec0on Detec0on Mat urity Protec0on Mat urity Last Test Date LSASS password/ hash recovery Local Security Authority Subsystem Service (LSASS) is a process in MicrosoH Windows opera0ng systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. (from Wikipedia) For the purposes of Single Sign On (SSO) in Windows environments, lsass also stores the NT hash and some0mes, in the case of wdigest, the cleartext creden0als of users who have logged into the system. These can be recovered by dumping the contents of the process in memory through use tools such as procdump and mimikatz. The most op0mal way to detect this is to iden0fy processes that are crossproc'd into lsass. The signal to noise ra0o here is high, due to the nature of lsass' func0on. Typically meterpreter uses rundll32 to run, so iden0fying rundll32 into lsass along with processes injected into winlogon that cross process into lsass will reliably iden0fy malicious ac0vity An automated password management tool such as CyberArk can be used to randomize passwords and change them aHer every use, thus decreasing the efficacy of mimikatz as any recovered creden0al will likely be expired. Further, on all windows 8/2012+ desktops and servers, wdigest should be disabled in accordance with the following KB ar0cle from MicrosoH: h]ps://support.microsoH.com/en-us/kb/ 2871997 Enforcing the principle of Least User Access will also help mi0gate the effec0veness of mimikatz as it will limit the access provided by the compromised creden0als. Lastly, adding some form of Two Factor Authen0ca0on, such as smart cards, can further limit the usefulness of the recovered creden0als. Rules wri]en in carbon black to detect cross process ac0vity from rundll32 into lsass Rule wri]en to iden0fy PowerShell crossproc into lsass. Addi0onal rule wri]en to detect an injected process into winlogon with cross process ac0vity into lsass . 32FA (user-land only), some CyberArk usage, some creden0als flushed every 24 hours 1 4/7/2016
- 58. #9 Evaluate adversarial skill to determine urgency of simulation
- 61. #10 Re-prioritize workload of Adversarial team based on TTP last test date (decay) or based on other external drivers (ex. TTP is used in a current attack campaign)
- 63. #11 Defensive Measurement Now that we have measured RT ability to conduct attacks Now we need to gather defensive metrics • Total Coverage • Mean Time to Detection • Mean Time to Remediation • % Successful Eradication • Protection Metrics • Automated vs Manual Detection • Automated vs Manual Response
- 70. Total Protection/Detection/Response Potential P/D/R Actual P/D/R $Company asks “What do we do next, buy more stuff?” Execution Gap Coverage Gap
- 71. Future Work
- 72. The Future • Automate Red Team / Blue Team correlation • Automate Attack Path simulation • Predict impact of new attacks without running them • Predicting probability of attack chains • Reduced risk testing model • Zero testing debt • Response metrics via API queries of security tooling • Tracking defensive TTPs • Understand how all security tooling come together