RED TEAM TOOLS FOR THE BLUE TEAM

Darrell Switzer, Managing Director, Kudelski Security

SPEAKER

Darrell Switzer – Managing Director, Incident Response & Cyber Resilience

500+ incidents in last 10 years

100 + Penetration Tests

Law Firms, Cyber Insurance Providers, Government, Aerospace & Defense, Commercial

82nd Airborne – Ft Bragg, NC and Vicenza, Italy

@Forensic_Pro

STATE OF THE UNION

Standard off-the-shelf pen testing is 70%+ effective.

There is a cyber war happening right now and there are not enough people to man our battle stations.

We make screwdrivers, so what?

THERE IS SOME GOOD NEWS

I heard we appointed a new Cyber Czar recently.

• Mad Skills

• Battle Tested

• Wants to Make Cyber Great Again!

IT’S NOT JUST THE NATION STATES.

[Map: attack groups by country of origin – Germany, Russia, France, Syria, United States, Spain, Lebanon, North Korea, China, Iran, Tunisia, Israel, India, Palestine, South Korea, Pakistan, Vietnam]

102 Attack Groups tracked; 11 do not have a known location.

EARLY TAKEAWAYS

Indicators become stale – attackers change their methods often.

Red Teams provide a realistic test of your security posture

Focus on methods to detect, be prepared to respond, and ask experts for help.

TERMINOLOGY

Vulnerability Scanning – Important. Requires additional research. Never ending.

Penetration Testing – Focused. Validates security controls. Great – now what?

Red Team! – Act like attackers. Toolset is limitless. Real-world attacks. Time-based pursuit of specific objectives.

BREADTH & DEPTH

04 Red Team – Time-based objectives. Path of least resistance.

03 Web Application Security Test – Authentication and access control. Application logic.

02 Network – Exploit known vulnerabilities for access to sensitive data or networks. Based on scope.

01 Vulnerability Scanning – Regular identification of issues that could lead to failure of a security control.

HOW DO WE DETECT A RED TEAM?

Well, what can you observe now?

WHAT’S HAPPENING? MOST LACK VISIBILITY

It usually isn’t a lightning strike.

It started before you initially detected.

It continued until something “happened”.

Hindsight is something like 60/40.

NEEDLE IN A STACK OF NEEDLES

Early indicators of compromise

Common techniques an attacker uses to identify vulnerable systems and avenues of attack.

These include both internal and external network and systems reconnaissance and targeted brute-force attacks against authentication prompts.

NEEDLE IN A STACK OF NEEDLES

Account Abuse

Difficult to spot the unauthorized use of authorized credentials.

Misuse scenarios include attempting to gain remote access to the internal network from the Internet and authenticating to customer portals from unknown machines and locations.

NEEDLE IN A STACK OF NEEDLES

Phishing technical defenses

Many incidents can be detected at this point, IF ONLY…..

Use the filters you have, please. Email authentication: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC.

I don’t know you but I know this is a weak spot for you.

RED TEAM GO!

Many avenues of attack

Social Engineering – Attack the human: I look lost but I have donuts and coffee.

Network Security – Are there any exploitable vulnerabilities on the external network?

Email Security – 90% of the incidents start here for a reason. The Human.

Application Security – Is your database accessible through your portal?

Physical Security – Can we walk in, pre-text a visit or pick a lock?

Goal #4: Obtain Source Code

PHYSICAL: Cloned RFID Badges → Office Access → Network Drop → Remote Access → Caught by NAC

WI-FI: Evil Twin Attack → Captured Wi-Fi Creds → Internal Foothold → RDP to Dev Workstation

PHISHING: Custom → Defeated → Cred Harvesting Phish → Dev Creds → Github Password Reuse

EXTERNAL NETWORK: XSS Found

VISHING: OSINT To ID Developers → Call to Dev to Comply with Email

RED TEAM DEFENSE

Don’t just do something, stand there!

Prepare Phishing Attack | Detect Phishing Attack (Network) | Detect Phishing Attack (Process)
Find Users & Emails | Know what info is out there | User awareness training
Identify Targets | Deny / log VRFY requests | Track firm’s point of presence and employee exposure
Create Campaign | Deny / log EXPN requests | Buy domains
Purchase Domains | Log RCPT commands executed | Monitor domain expirations
Email Targets | Large numbers of HTTP NTLM |
Collect Credentials | Investigate login pages |

Tools: URLCRAZY, Wombat, SIEM, Dark Web Research, RiskIQ

Execute Malware | Detect Malware Attack (Endpoint) | Detect Malware Attack (Process)
Run Payload Commands | Asset Mgt and Patch Config | User awareness training
Maintain Persistence | EDR, AV, IDS, IPS | Incident Response Procedures
Establish Command & Control | Least Privilege |
Escalate Privileges | Application Whitelisting |
Perform local discovery | |

Tools: Crowdstrike, Cylance, Carbon Black

Discover Data | Detect Internal Attack (Endpoint/Network) | Detect Internal Attack (Process)
Perform Network Recon | Logs / SIEM / Alerts | Incident Response Procedures
Conduct Lateral Movement | Deception Technologies | Admin awareness training
Local & Domain User Accounts | Firewall Rules / Segmentation |
Domain Computer Accounts | Web Filtering / White Listing |
Escalate Privileges | Authenticated HTTP Proxies |
Local and Network Files | |
Find sensitive data | |

Tools: Illusive Networks, Crowdstrike, Cylance, Carbon Black

Steal Data | Detect Exfil Attack (Endpoint/Network) | Detect Exfil Attack (Process)
Egress Traffic | Least Privilege Enforcement | Daily Threat Hunting
Physical Media | Two-Factor Authentication | Incident Response Procedures
Maintain Persistence* | Data Encryption and Secure Key Management | Admin awareness training
| File, Application, and Database Auditing |
| Host DLP / Logs / SIEM / Alerts |

Tools: Digital Guardian, Forcepoint, Symantec

LOOKING FOR A RED TEAM
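As an added illustration of the SMTP-side detections on the phishing defense slide (deny/log VRFY and EXPN, log RCPT commands), not part of the original talk: a Python check over constructed mail-server log lines that flags VRFY/EXPN use and RCPT TO recipient enumeration from a single client. The log format, the threshold of four distinct recipients and the 50% reject ratio are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample SMTP log lines (not from the talk): timestamp, client IP,
# command with argument, and the server's reply code.
SAMPLE_LOG = """\
2019-03-04T09:12:01 203.0.113.7 VRFY jsmith 252
2019-03-04T09:12:02 203.0.113.7 EXPN all-staff 502
2019-03-04T09:12:03 203.0.113.7 RCPT TO:<abe@example.test> 550
2019-03-04T09:12:03 203.0.113.7 RCPT TO:<ada@example.test> 550
2019-03-04T09:12:04 203.0.113.7 RCPT TO:<adam@example.test> 250
2019-03-04T09:12:04 203.0.113.7 RCPT TO:<adrian@example.test> 550
2019-03-04T09:12:05 203.0.113.7 RCPT TO:<alan@example.test> 550
2019-03-04T09:13:10 198.51.100.20 RCPT TO:<billing@example.test> 250
"""

# Assumed line layout: "<ts> <ip> <VRFY|EXPN|RCPT> <arg> <3-digit reply>"
LINE_RE = re.compile(r"^(\S+) (\S+) (VRFY|EXPN|RCPT) ?(\S*) (\d{3})$")


def detect_smtp_recon(log_text, rcpt_threshold=4, reject_ratio=0.5):
    """Return {client_ip: [finding, ...]} for two slide items:
    - any VRFY/EXPN use (these commands should be denied and logged)
    - RCPT TO enumeration: many distinct recipients, mostly 550 "unknown user"."""
    vrfy_expn = defaultdict(list)   # ip -> ["VRFY jsmith", ...]
    rcpts = defaultdict(list)       # ip -> [(recipient, reply_code), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that are not SMTP commands
        _ts, ip, cmd, arg, code = m.groups()
        if cmd in ("VRFY", "EXPN"):
            vrfy_expn[ip].append(f"{cmd} {arg}")
        else:
            rcpts[ip].append((arg, code))
    findings = {}
    for ip, cmds in vrfy_expn.items():
        findings.setdefault(ip, []).append("VRFY/EXPN probing: " + ", ".join(cmds))
    for ip, attempts in rcpts.items():
        distinct = {rcpt for rcpt, _ in attempts}
        rejects = sum(1 for _, code in attempts if code == "550")
        if len(distinct) >= rcpt_threshold and rejects / len(attempts) >= reject_ratio:
            findings.setdefault(ip, []).append(
                f"RCPT enumeration: {len(distinct)} recipients, {rejects}/{len(attempts)} rejected")
    return findings


if __name__ == "__main__":
    for ip, items in detect_smtp_recon(SAMPLE_LOG).items():
        print(ip, items)
```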

What visibility do you have and what containment controls are in place?

TOOLAPOLLOZA

CAPABILITIES REQUIRED

So many tools, so little time

01 Network – Attacks generally start here but are difficult to identify and correlate.

02 Endpoint – What are your high-risk targets? Are you monitoring them?

03 Intelligence – Know your “enemy”. Know your public footprint. Understand Red Team methods and objectives (foothold, discovery, exfiltration).

THANK YOU

https://github.com/Hack-with-Github/Awesome-Hacking
https://www.blackhillsinfosec.com/category/blue-team/tool-blue-team/
https://vectr.io/
https://redteamjournal.com/2015/10/10-red-teaming-lessons-learned-over-20-years/
https://www.oodaloop.com/
https://www.amazon.com/gp/product/1494295504/ (Red Team Field Manual)

Darrell Switzer [email protected] 415-217-9513