assume compromise
TRANSCRIPT
BEYOND PREVENTION, ASSUME BREACH
Zach Grace
whoami /all
• Lead Security Consultant at Northwestern Mutual
• @MilSec Leader
• OWASP Milwaukee Leader
• Wisconsin CCDC Red Team member
• Team member of the 2015 DerbyCon CTF champs
• Twitterz: @ztgrace
Disclaimer
The opinions expressed here represent my own and not those of my employer.
It’s not if, but when…
ASSUME COMPROMISE
• Protective technologies will fail
• Shifts blue team’s focus to the Detect phase
• Breach readiness as a mantra
PROTECTION FAILS
• Protection tools are often based on signatures
• Preventative in nature
• Examples of protective technologies:
• Anti-virus
• Firewalls
• IDS & IPS
• Web App Firewalls (WAF)
• Web Proxies
• Sandbox
COMPARED TO ATTACKERS
NIST CSF: Identify, Protect, Detect, Respond, Recover
NIST SP800-115: Discovery, Gaining Access, Escalating Privileges, System Browsing, Persistence
Cyber Kill Chain: (1) Recon, (3) Delivery, (4) Exploit, (5) Install, (6) C2
ZoxPNG
• Used technet.microsoft.com for command and control
https://blogs.rsa.com/wolves-among-us-abusing-trusted-providers-malware-operations/
DETECT ISSUES
• Logging too little/much
• Poor security information and event management (SIEM) correlation
• Ineffective security monitoring
• Insufficient training to create use cases
REFOCUS THE RED TEAM
PEN TESTING/RED TEAMING ISSUES
• Vulnerability focused
• Reporting doesn’t help defenders
• Lack of realistic threat modeling
REPORTS
• Vulnerability Focused
• “How I PWN’d you”
• Vague recommendations
REPORTS BE LIKE
BLUE TEAM NEEDS
• Training partner
• Indicators of Compromise (IOCs)
• Attack signatures
• Use cases
Timeline: Compromise → Detection → Containment
MTD - MTC = ∆
∆ FORCE
∆ FORCE OBJECTIVES
• Provide IOCs and attack signatures alongside vulns in reports
• Perform threat simulations based on threat modeling
• Break down attacks into stages
• Validate detection at each stage, and assist with correlation
PYRAMID OF PAIN
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
HASH VALUES
• Summary/signature of bytes
• Fuzzy hashing
IP ADDRESSES
…the IP addresses used in an engagement
DOMAIN NAMES
…domain names used in an engagement
NETWORK ARTIFACTS
• Protocol-level artifacts
• HTTP
• UserAgent strings
• Missing host header
• DNS
HOST ARTIFACTS
• Persistence mechanisms
• Command & Control (C2/C&C)
• Backdoors
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
Sticky Keys Hunter v2
TOOLS
• Binaries/scripts transferred to host
• Built-in administrator tools
• Built/compiled on the compromised machine
IN-MEMORY POWERSHELL
TACTICS, TECHNIQUES and PROCEDURES (TTPs)
• Detecting and responding to adversarial behaviors
• Goes beyond tool detection
LATERAL MOVEMENT
• Windows
• SMB - Pass the Hash (PTH)
• WMI
• WinRM
• Linux/OS X/Unix
• SSH
WIRESHARK: CreateServiceW
SNORT DETECTION
alert tcp any any -> any 445 (msg:"psexec service created"; flow:to_server,established; content:"|FF 53 4D 42|"; dce_opnum:12; reference:url,https://www.snort.org/faq/readme-dcerpc2; classtype:bad-unknown; sid:31337; rev:1;)
SERVICE CREATION - 7045
METASPLOIT SERVICE NAME
POWERSHELL PSEXEC SERVICE
Service Name: zzVSnCcgDVXwECBU
Service File Name: %COMSPEC% /C echo wmic computersystem get username ^> %SYSTEMDRIVE%\WINDOWS\Temp\JvuqFpTTakgmRppQ.txt > \WINDOWS\Temp\EtVsuSpjptOYGbwK.bat & %COMSPEC% /C start %COMSPEC% /C \WINDOWS\Temp\EtVsuSpjptOYGbwK.bat
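A small use case for the 7045 artifact above, added here as an example and not part of the original slides: it scores "service installed" records by the traits the slide shows (a random-looking 16-letter service name, %COMSPEC% as the service binary, an echo redirect staging a .bat under Temp). The first sample record is the slide's own artifact; the other two are constructed, and the field names and thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Sample 7045 records. The first is the artifact shown on the slide;
# the other two are constructed for contrast (benign and ambiguous).
SAMPLE_7045 = [
    {"service_name": "zzVSnCcgDVXwECBU",
     "service_file_name": r"%COMSPEC% /C echo wmic computersystem get username ^> %SYSTEMDRIVE%\WINDOWS\Temp\JvuqFpTTakgmRppQ.txt > \WINDOWS\Temp\EtVsuSpjptOYGbwK.bat & %COMSPEC% /C start %COMSPEC% /C \WINDOWS\Temp\EtVsuSpjptOYGbwK.bat"},
    {"service_name": "Spooler",                       # constructed benign record
     "service_file_name": r"C:\Windows\System32\spoolsv.exe"},
    {"service_name": "ExampleAgentSvc",               # constructed: long but dictionary-like name
     "service_file_name": r"C:\Program Files\Example\agent.exe"},
]

NAME_ENTROPY_THRESHOLD = 3.0   # assumption: tuned on the sample above, not a vendor value


def shannon_entropy(s: str) -> float:
    """Bits per character; random 16-letter names score well above real service names."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_7045(event: dict) -> list:
    """Return the list of reasons this service-install record looks like psexec-style tooling."""
    name = event["service_name"]
    path = event["service_file_name"]
    reasons = []
    if re.fullmatch(r"[A-Za-z]{16}", name) and shannon_entropy(name) > NAME_ENTROPY_THRESHOLD:
        reasons.append("random-looking 16-letter service name")
    if re.search(r"%COMSPEC%", path, re.IGNORECASE):
        reasons.append("service binary is cmd.exe via %COMSPEC%")
    if re.search(r"\\Temp\\\S+\.bat", path, re.IGNORECASE):
        reasons.append("batch file staged under Temp")
    if re.search(r"\becho\b.*>", path, re.IGNORECASE):
        reasons.append("echo redirection writes a command to disk")
    return reasons


def hunt(events: list) -> dict:
    """Map flagged service names to their reasons; unflagged records are dropped."""
    return {e["service_name"]: r for e in events if (r := score_7045(e))}
```

In a SIEM this maps to one use case per reason, so a partial match (for example %COMSPEC% alone) can still raise a lower-severity alert.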
TIMELINE
TIMELINE
• Log all the commands
• HISTTIMEFORMAT="%d/%m/%y %T "
• test "$(ps -ocommand= -p $PPID | awk '{print $1}')" = 'script' || (script -f "$HOME/logs/$(date +"%d-%b-%y_%H-%M-%S")_shell.log")
• Metasploit:
setg PromptTimeFormat "%Y-%m-%d %H:%M:%S"
setg Prompt "%T - (S: %S J: %J) "
spool /root/.msf4/msfconsole.log
TIPS FOR DEFENSE
• Use pen test & red team engagements as training exercises
• Ask for more than a vulnerability report (IOCs, PCAPs, logs, etc.)
• Sit with and learn from the red team
• Rotate your testing firms or rotate your testers
• Perform root cause analysis on vulnerabilities
TIPS FOR OFFENSE
• Be a sparring partner
• Provide more data like IOCs, PCAPs, logs, etc.
• Incorporate use cases into reports
• Provide artifacts to reproduce attacks
THANK YOU! @ztgrace
https://github.com/ztgrace/presentations/tree/master/20160128_wctc_cyber_security_summit