2. Me
Security consultant with VioPoint
La DoSa Nostra
#misec
Twitter
@b31tf4c3
Freenode (#misec / #burbsec / #ladosanostra)
Beltface
3. The ONE thing
Productivity book
The ONE thing your organization does/has
Protect and build off that
Avoid the easy pentest
4. The Client
$client0 – company in the energy sector
$client1 – company in the financial sector
5. A Cascade of Pebbles
Talk by Josh Little – Bsides Detroit 2013
Performed Pentest at $client0
Leveraged that scenario to create a program at $client1
6. “My idea of hacking is taking the tactics, techniques, and procedures that different threats are using today …
7. Using them against our organizations, when they have a mature program, to understand how our controls stand up when exercised by a sophisticated thinking adversary.”
-- Raphael Mudge, Armitage and Cobalt Strike, Bsides Detroit 2013 Podcast
15. Red Team - Assessment
Pentesting
Required as part of audits
We break it, you fix it
Higher risk
How do you know remediation is working if it's never been tested?
16. Red Team - Exercise
Select a specific stage in the attack path
Assume all prior controls have failed
Test preventative, detective, corrective
Test both the controls and the response
Minimal risk
17. Example
Stage 4 – Persistence
Popping the Penguin – SecTor 2013
No 1337 hax needed
18. Assessment v. Exercise
Exercise               | Assessment
Use real techniques    | Use real techniques
Use real objectives    | Use real objectives
Model a real attack    | Exec an actual attack
Test specific controls | Test overall posture
30. Start with why
TED Talk
Simon Sinek: How great leaders inspire action
Why
How
What
31. Why?
Why this model?
Free
Open
I’m biased (#misec)
Why will $badguy target us (the ONE thing)
$client0 – Access control systems
$client1 – Sensitive financial data
39. Attack Path
Goal: Obtain sensitive, proprietary information
1. External Reconnaissance
– Attacker will perform OSINT on the company to identify targets
2. Initial Breach
– Attacker will have a specially crafted site for the user to access, containing either an infected document or a place for entry of credentials
3. Escalate Privileges
– Attacker will attempt to add a specially crafted user to a group / recover hashes through trust relationships / Responder
4. Persistence
– Attacker will attempt to maintain his or her presence by installing malware
5. Internal Reconnaissance
– Attacker will attempt to enumerate the internal infrastructure in an attempt to identify more targets that will lead him or her to their goal
8. Achieve Objective
– The attacker dumps the data and exfiltrates it via cloud service
51. $client0: Stage 1 – External Recon
OSINT was used to enumerate the following information about $client0
-email addresses
-travel agency
-key players
52. $client1: Stage 1 – External Recon
In order to save time, we assumed failure at this level
Assumed email was sent and opened
53. $client0: Stage 2 – Initial Breach
Email sent out, directed to fake login page
Credentials recorded to database
Credentials used to access VPN
54. $client1: Stage 2 – Initial Breach
Visited unique URL on test box
User was able to RDP into box
Having local admin, was able to create other user
55. $client0: Stage 3 – Escalate Privileges
Escalation unneeded
User had sufficient privileges to achieve objective
56. $client1: Stage 3 – Escalate Privileges
Assumed failure at this point in interest of time
Multiple exploitation methods assumed to work
Remediation currently in works to create a Kerberos-only environment
57. $client0: Stage 4 – Persistence
Installed multiple Core agents
Used this to obfuscate origin
58. $client1: Stage 4 – Persistence
Showed ability to install software
In this case, we installed Zenmap
Used this to enable stage 5 testing
59. $client0: Stage 5 – Internal Recon
Very little protection
Enumeration was caught by SIEM using flows
No followup
60. $client1: Stage 5 – Internal Recon
Attempted to scan internal hosts
Looking for file shares or other repositories
Showed ability to enumerate network
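The two Stage 5 slides above turn on one detective control: at $client0 the internal enumeration was caught by the SIEM from flow data, and at $client1 the scan was a sweep of internal hosts for file shares. The following Python is an added example (not from the talk or either client) of the flow-based rule that catches such a sweep: it flags any source that reaches many distinct hosts on SMB ports inside a short sliding window. The flow records, hosts and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records ("timestamp src dst dst_port"), standing in for the
# NetFlow/IPFIX data a SIEM ingests. Not data from the talk. One workstation
# sweeps twelve servers on 445 in under a minute; another touches two shares
# over several minutes, which is ordinary file-share use.
SAMPLE_FLOWS = "\n".join(
    [f"2013-11-01T10:00:{i:02d} 10.1.5.23 10.1.20.{i} 445" for i in range(1, 13)]
    + ["2013-11-01T10:00:05 10.1.5.40 10.1.20.3 445",
       "2013-11-01T10:03:30 10.1.5.40 10.1.20.7 445",
       "2013-11-01T10:01:00 10.1.5.23 10.1.30.9 80"]
)

def parse_flows(text):
    """Parse one flow per line into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records

def detect_share_sweeps(records, window=timedelta(minutes=5),
                        min_hosts=10, ports=(139, 445)):
    """Return {src: peak_distinct_hosts} for every source that reaches at
    least min_hosts distinct destinations on file-share ports inside any
    sliding window of length `window` (thresholds are illustrative)."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(records):
        if port in ports:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[src] = max(alerts.get(src, 0), len(hosts))
    return alerts

if __name__ == "__main__":
    for src, n in detect_share_sweeps(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT: {src} reached {n} hosts on SMB ports within 5 minutes")
```

The rule only fires; the $client0 result ("No followup") is the reminder that an exercise tests the response to the alert as well as the alert itself.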
61. $client0: Stage 8 – Achieve Objective
Goal: Persistent access to critical control systems
Access was obtained
Length of engagement: 21 days
Length of time in network: 21 days
62. $client1: Stage 8 – Achieve Objective
Goal: Ability to exfiltrate data through cloud service
Cloud services were successfully reached and test data uploaded
69. Where to Start
GrrCon 2013:
Scott Thomas (@secureholio): 50 Shades of Purple (teaming): Getting Penetration Testing into a Conservative Company
70. Where to Start
Start with threat intelligence
Move to threat models
Get buy in from management
Steve Fox’s Communication plan
Follow @securelexicon on twitter
Slide stolen from @jwgoerlich
Exactly what we're going to talk about
Avoid easy pentest, provides 0 value
Who is the blue team? Sysadmins, network admins, SIEM analysts, etc.
Detective – catch attackers in action
Preventative – stop attackers
Corrective – raise the costs by disrupting or distracting the attackers
Linux attacks against Windows servers (at $client1) as example of corrective. They didn't expect the Windows part.
Quickly identify, within a few hours, evidence of a potential compromise
$client1 story here
High business risk, high financial risk, possibly high professional risk
Advantage here is minimal risk; gives you a measure of control
Replicate behavior of trojan. Idea is to stop behavior, not just the installation.
Instead of conflicting objectives, realize both teams serve to further the same objective. The ongoing quagmire between red and blue makes us forget what our true goal is.
The idea is to drill down from possible scenarios to the most likely and test it.
Fortress that needs protection, like a chocolate coated candy – jwgoerlich
Notice how all the actions (document/develop) happen last
Alert: wall of text
Stake holders gather and talk about the path and response
Explain proactive (ie alerting)
By this time you should have: 6 attack paths, 3 tabletops, 1 exercise
Now we'll walk through the attack and how we exercised it, optimized where possible