KringleCon 3 Providing Value in Offensive Security
1 like375 views
This document discusses how offensive security tools can provide value when used in a purple team exercise approach. It describes how a purple team consists of a cyber threat intelligence team, red team to emulate adversaries, and a blue team of defenders. The process involves the intelligence team providing adversary tactics, a tabletop discussion on security controls, the red team emulating tactics, the blue team detecting them, and documenting lessons learned to improve controls. The C2 Matrix tool is introduced for collaboratively evaluating command and control frameworks, and Slingshot C2 Matrix Edition is highlighted for easily testing C2 frameworks in purple team exercises. An example purple team exercise improved detection of threats from 0% to 64% without spending on new technology.
KringleCon 3 Providing Value in Offensive Security
- 1. Offensive Security Tools: Providing Value with the C2 Matrix Jorge Orchilles CTO / SCYTHE Twitter @JorgeOrchilles
- 3. T1033 – User Discovery • Chief Technology Officer - SCYTHE • 10 years leading offensive team @Citi • Wrote a book when I was a system admin • Started in Vulnerability Assessment • Pen Test • Red Team • Purple Team @JorgeOrchilles
- 4. Evolution of OffSec Or how I went through this journey in past 10+ years @JorgeOrchilles https://www.scythe.io/library/scythes-ethical-hacking-maturity-model
- 6. Exploitation is valuable! However, there is much more to an attack than exploitation @JorgeOrchilles “It is not all about exploitation” – Ed Skoudis 2011 MITRE has CVE and ATT&CK • CVE is for vulnerabilities (and exploits) • ATT&CK is for adversary behavior • 525 Techniques and Sub techniques • Only 9 reference “exploit”
- 7. Assume Breach Santa operates in assume breach mode Everyone will be compromised at some point • A patch will not be applied in time (exploited) • A user will fall for a phishing campaign (oops) What happens next is what matters @JorgeOrchilles
- 8. Purple Team Full Knowledge Offensive Exercises @JorgeOrchilles A Purple Team is a virtual team where the following teams work together: • Cyber Threat Intelligence - team to research and provide adversary behavior • Red Team - offensive team emulating adversaries • Blue Team - the defenders. Security Operations Center (SOC), Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Provides (MSSP) https://www.scythe.io/ptef
- 9. Cyber Threat Intelligence We are not talking about Indicators of Compromise but about Adversary Behavior (TTPs) @JorgeOrchilles
- 10. Red Team The Offensive Team @JorgeOrchilles “The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal Test, measure, and improve people, process, and technology
- 11. Blue Team The Defenders tasks with identifying and responding to attacks @JorgeOrchilles Log • Relevant Events • Locally • Central Log Aggregator Alert • Severity Respond • Process • People • Automation Detect & Respond Prevention != Detection
- 12. The Flow @JorgeOrchilles 1. Cyber Threat Intelligence presents the adversary, TTPs, and technical details 2. Attendees have a table-top discussion of security controls and expectations for TTPs 3. Red Team emulates the TTPs 4. Blue Team analysts follow process to detect and respond to TTP 5. Share screen if TTPs were identified, received alert, logs, or any forensic artifacts 6. Document results - what worked and what did not 7. Perform any adjustments or tuning to security controls to increase visibility 8. Repeat TTPs 9. Document any feedback and/or additional Action Items for Lessons Learned 10. Repeat from step 1 for next TTPs
- 13. Tools @JorgeOrchilles • Collaborative Evaluation • Google Sheet of C2s • 60 frameworks • www.thec2matrix.com • @C2_Matrix • howto.thec2matrix.com
- 14. SANS Slingshot C2 Matrix Edition @JorgeOrchilles • Made in collaboration with SANS and Ryan O'Grady • Goal is to lower the learning curve of installing each C2 framework • Gets you straight to testing C2s • 8 C2s installed by default • VECTR for managing/tracking exercises https://howto.thec2matrix.com/slingshot-c2-matrix-edition
- 15. Provide Value - Baseline @JorgeOrchilles https://vectr.io • 6-week Purple Team Exercise • Assumed Breach scenario • Emulated 4 APTs Baseline Result Known threats have the ability to achieve their objective without being detected
- 16. Provide Value – End State @JorgeOrchilles https://vectr.io • $0 technology spend • Achieved 64% detection rate • Enabled telemetry (Sysmon) • Created logic for alerts on SIEM End State Result Known threats will be detected and responded to before achieving objective