Given at BSides Jackson 2013

1. Seeing Purple
Hybrid security teams for the
Enterprise
@jwgoerlich

2. Me
Security consultant with VioPoint
La DoSa Nostra
#misec
Twitter
@b31tf4c3
Freenode (#misec / #burbsec / #ladosanostra)
Beltface

3. The ONE thing
Productivity book
The ONE thing your organization does/has
Protect and build off that
Avoid the easy pentest

4. The Client
$client0 – company in the energy sector
$client1 – company in the financial sector

5. A Cascade of Pebbles
Talk by Josh Little – Bsides Detroit 2013
Performed Pentest at $client0
Leveraged that scenario to create a
program at $client1

6. “
My idea of hacking is
taking the
tactics, techniques,
and
procedures, that
different threats
are using today …

7. Using them against our
organizations, when they have a
mature program, to understand how
our controls stand up when exercised
by a sophisticated thinking adversary.
-- Rapheal Mudge, Armitage and Cobalt Strike, Bsides Detroit
2013 Podcast

9. Detect
Prevent
Correct

10. Detect, Prevent, Correct
Detect – catch attackers in action (SIEM)
Prevent – Stop attackers (Vulnerability
Management)
Correct – raise the costs by disrupting or
distracting the attackers (eg. honey
pots)

11. Blue Team - Detect
SIEM – Security Incident and Event Monitoring
Pool log sources and analyze logs and flows

12. Blue Team - Prevent
VM program
Gives visibility into system preparedness
Helps with patching schedule
Identifies most critical hosts

13. Blue Team - Correct

15. Red Team - Assessment
Pentesting
Required as part of audits
We break it, you fix it
Higher risk
How do you know remediation is working if its
never been tested?

16. Red Team - Exercise
Select a specific stage in the attack path
Assume all prior controls have failed
Test preventative, detective, corrective
Test both the controls and the response
Minimal risk

17. Example
Stage 4 – Persistence
Popping the Penguin – SecTor 2013
No 1337 hax needed

18. Assessment v. Exercise
Exercise
Assessment
Use real techniques
Use real techniques
Use real objectives
Use real objectives
Model a real attack
Exec an actual attack
Test specific controls
Test overall posture

19. Purple Team

20. Purple Team
Take knowledge of your security (Blue)
Take knowledge of your weaknesses (Red)
Combine to find what’s most valuable to you
(Purple)

21. Purple Teams
Not necessarily just the red and blue teams
requires a total picture involving all areas of the
organization

22. From this

23. To this

24. The Goal
Create scenarios
Identify how you would protect yourself
Test the scenario
Test your environment

25. Proactive Protection
1. Threat Modeling – Bi-weekly
2. Tabletop exercises – Monthly
3. Red Team exercises – Quarterly
4. Red Team Assessments – Yearly

26. Our Infrastructure

27. Threat modeling
Least amount of T/E
One model bi-weekly
Build portfolio of potential attacks

28. Choosing a model
SDLC threat model
-Microsoft
Cyber Kill Chains of Doom ™
-Lockheed Martin (r), (tm), (etc)
Attack Paths
-#misec

29. Attack path
@jwgoerlich

30. Start with why
TED Talk
Simon Sinek: How great leaders inspire action
Why
How
What

31. Why?
Why this model?
Free
Open
I’m biased (#misec)
Why will $badguy target us (the ONE thing)
$client0 – Access control systems
$client1 – Sensitive financial data

32. Do what is right for you.
But do something.

33. How?
How will the attacker realize their Objective?
-Attack path $badguy took through network

34. What?
What can we do to prevent this attack?
-Document controls
What can we do to be ready?
-Develop test cases

35. Attack Paths
1.
2.
3.
4.
5.
6.
7.
8.
External reconnaissance
Initial breach
Escalate privileges
Persistence
Internal reconnaissance
Lateral breach
Maintain presence
Achieve objective

36. Initial generation
Start with step 8
Identify ONE thing
Work backwards

37. A blank slate

38. Attack Path

39. Attack Path
Goal: Obtain sensitive, proprietary information
1. External Reconnaissance
– Attacker will perform OSINT on the company to identify targets
2. Initial Breach
– Attacker will have a specially crafted site for user to access containing
either an infected document or a place for entry of credentials
3. Escalate Privileges
– Attacker will attempt to add specially crafted user to group / recover
hashes through trust relationships/responder
4. Persistence
– Attacker will attempt to maintain his or her presence by installing
malware
5. Internal reconnaissance
– Attacker will attempt to enumerate the internal infrastructure in an
attempt to identify more targets that will lead him or her to their goal
8. Achieve Objective
– The attacker dumps the data and exfiltrates it via cloud service

40. Tabletop

41. Tabletop
Slightly more expensive than modeling.
Using more likely of two models, stake holders
gather
Should be performed monthly

42. Tabletop Exercise
Started with table
Gathered $client1’s stake holders
Went over attack path used at $client0
Went over potential responses

43. As simple as SMTP
Email was sent out to $client0
User credentials were compromised
No detection
Allowed total compromise

45. $client1:Results
There were no proactive detective capabilities
1 preventative control

46. $client1:Results

47. $client1:Corrective Actions
Security Onion installed, configured, and
analyzed
VM program re-configured

48. Exercises

49. Example
Persistence
-Stage 4
-Tested ability to connect out
and ability to detect
-minimal risk to infrastructure

50. Exercises
More expensive than tabletop
Use most likely of three scenarios
Should be performed quarterly

51. $client0:Stage 1 – External Recon
OSINT was used to enumerate the following
information about $client0
-email addresses
-travel agency
-key players

52. $client1:Stage 1 – External Recon
In order to save time, we assumed failure at this
level
Assumed email was sent and opened

53. $client0:Stage 2 – Initial Breach
Email sent out, directed to fake login page
Credentials recorded
to database
Credentials used to
access VPN

54. $client1:Stage 2 – Initial Breach
Visited unique URL on test box
User was able to rdp into box
Having local admin, was able to create other
user

55. $client0:Stage 3 – Escalate Privileges
Escalation unneeded
User had sufficient privileges to
achieve objective

56. $client1:Stage 3 – Escalate Privileges
Assumed failure at this point in interest of time
Multiple exploitation methods assumed to work
Remediation currently in works to create a
Kerberos-only environment

57. Client0:Stage 4 - Persistence
Installed multiple Core agents
Used this to obfuscate origin

58. Client1:Stage 4 - Persistence
Showed ability to install software
In this case, we will installed zenmap
Used this to enable stage 5 testing

59. $client0:Stage 5 – Internal Recon
Very little protection
Enumeration was caught by SIEM using flows
No followup

60. $client1:Stage 5 – Internal Recon
Attempted to scan internal hosts
Looking for file shares or other repositories
Showed ability to enumerate network

61. $client0:Stage 8 – Achieve Objective
Goal: Persistent access to critical control systems
Access was obtained
Length of engagement: 21 days
Length of time in network: 21 days

62. $client1:Stage 8 – Achieve Objective
Goal: Ability to exfiltrate data through cloud
service
Cloud services we successfully reached and test
data uploaded

63. Results

64. $client1:Corrective Actions
purchased, configured, and analyze Qradar
Integrate Qualys into ticketing system
Implement Kerberos-only forest
Block access to cloud storage

65. $client1:Corrective Actions

66. Assessments

67. Assessment
Most expensive
Create targeted scenarios to test
Avoid arp-cache poison story
Sexy

68. Building Your Program

69. Where to Start
GrrCon 2013:
Scott Thomas(@secureholio): 50 Shades of
Purple (teaming): Getting Penetration Testing
into a Conservative Company

70. Where to Start
Start with threat intelligence
Move to threat models
Get buy in from management
Steve Fox’s Communication plan
Follow @securelexicon on twitter

71. Communication
Relevant
Distinct
Credible
Benefit-Driven
Aligned with strategy
Additional reading(http://imgur.com/a/fPLnM)

73. Do what is right for you.
But do something.

75. Resources
Freenode#misec
#ladosanostra
PeopleJ Wolfgang Goerlich (@jwgoerlich) – Business strategy
Steven Fox (@securelexicon) – Communication
Scott Thomas (@secureholio) – Process
Linkshttp://imgur.com/a/fPLnM (Pixar)

76. Resources
Look for Attack Paths to be published out of
#misec soon

77. @LaDoSaNostra
#ladosanostra