
Page 1: RED TEAM Your Network - Bucks County Community College · 2020. 5. 29.

root@ssh1:~# whoami

• DIRECTOR OF TECHNOLOGY AND INFORMATION SYSTEMS 20+ YEARS

• CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL (CISSP)

• CERTIFIED GIAC SYSTEM AND NETWORK AUDITOR (GSNA)

• CERTIFIED GIAC INCIDENT HANDLER (GCIH)

• M.S. IN COMPUTERS AND TECHNOLOGY IN EDUCATION

• UNITED STATES MARINE CORPS

Page 3:

GOALS

• EXPLAIN RED TEAM EXERCISES

• ILLUSTRATE COMMAND AND CONTROL COVERT CHANNELS

• OUTLINE SOURCES OF DATA TO IDENTIFY COVERT CHANNELS

• EXAMINE TWO COMMAND AND CONTROL RED TEAM EXERCISES

• OUTLINE BEGINNING STEPS TO CONDUCTING RED TEAM EXERCISES

Page 4:

JARGON ALERT!

•VULNERABILITY SCAN

•PENETRATION TEST

•RED TEAM/BLUE TEAM

Page 5:

RED TEAM—OPPOSING FORCE (OPFOR)

• FINISH THE FOLLOWING SENTENCE, “THE RED TEAM’S GOAL IS TO

MAKE THE BLUE TEAM BETTER AT ________?”

• SKILL BUILDING EXERCISE

• ESTABLISH CLEAR OBJECTIVE(S) TO TEST

• PREPARE EXERCISE TO MEET LEARNING OBJECTIVE(S)

• MEASURES DEFENDERS’ ABILITY TO MEET OBJECTIVES OF RED

TEAM ENGAGEMENT

Page 6:

BLUE TEAM—DEFENDERS

• REVIEW INCIDENT RESPONSE PROCEDURES

• REVIEW SOURCES OF DATA, E.G. LOGS

• PRACTICE OPERATION OF TOOLS, E.G. NETSNIFF, TCPDUMP, WIRESHARK

• GATHER NECESSARY EQUIPMENT, TOOLS, AND SUPPLIES, E.G. EXTRA MONITORS AND SNACKS

Page 7:

WHAT KEEPS YOU UP AT NIGHT?

https://github.com/NextronSystems/APTSimulator

Page 8:

WHAT KEEPS YOU UP AT NIGHT? LOCKHEED MARTIN CYBER KILL CHAIN

• IDENTIFY & RECON

• INITIAL ATTACK

• COMMAND & CONTROL

• 2018 VERIZON DBIR: C2 WAS PRESENT IN 19 OUT OF EVERY 100 “BREACHES” IN EDU

• 2018 TRUSTWAVE GLOBAL SECURITY REPORT: MEDIAN TIME BETWEEN INTRUSION AND DETECTION FOR EXTERNALLY DETECTED COMPROMISES WAS 83 DAYS IN 2017

• DISCOVER & SPREAD

• EXTRACT & EXFILTRATE

https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Page 9:

GOALS OF COMMAND AND CONTROL

• CREATE TWO WAY COMMUNICATION CHANNEL BETWEEN ATTACKER AND TARGET

• GATHER INFORMATION

• HARVEST ACCOUNTS AND PASSWORDS

• MOVE LATERALLY IN NETWORK TO FIND ADDITIONAL VICTIM DEVICES

• EXFILTRATE DATA

• USE DEVICES AND NETWORK FOR FURTHER GAIN

Page 10:

COMMAND & CONTROL (C2, CNC)

• HOW WOULD I KNOW IF A COMPROMISED COMPUTER OR SERVER IS COMMUNICATING THROUGH A C2 COVERT CHANNEL?

• WHAT SOURCES OF DATA DO I LOG TODAY THAT WILL HELP IDENTIFY C2 COVERT CHANNELS?

• WHAT SOURCES OF DATA COULD I LOG THAT WILL HELP IDENTIFY C2 COVERT CHANNELS?

• WHAT MONITORING SYSTEMS DO I HAVE THAT WILL TRIGGER ON COVERT CHANNELS?

• WHAT TYPE OF TRIGGERS CAN I DEVELOP TO ALERT ON C2 COVERT CHANNELS?

Page 11:

FIREWALL

• A FIREWALL IS A NETWORK SECURITY DEVICE THAT MONITORS INCOMING AND OUTGOING NETWORK TRAFFIC AND DECIDES WHETHER TO ALLOW OR BLOCK SPECIFIC TRAFFIC BASED ON A DEFINED SET OF SECURITY RULES.

https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html

Page 12:

JARGON ALERT!

Page 13:

http-80

https-443

I have 80/443 open.

You can pass.

I’m listening on 80/443.

Here’s what I have.

Page 14:

smb-445

(Windows File

Shares)

I do not have port 445 open.

“You shall not pass.”

Page 15:

I’m stateful. I’ll remember what port you use. I’ve been configured to permit you access to all 65,535 TCP ports and all 65,535 UDP ports.

http-80

https-443

Page 16:

Email-25/110/143. You can pass.

Outgoing. Sure. I’ll remember.

I remember you. You can pass.

Page 17:

https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/

Page 18:

https://isc.sans.edu/forums/diary/Malspam+pushing+ransomware+using+two+layers+of+password+protection+to+avoid+detection/23573/

Page 19:

SOURCES OF DATA FOR C2 DETECTION

“PREVENTION IS IDEAL, BUT DETECTION IS A MUST”

-DR. ERIC COLE @DRERICCOLE

Page 20:

SOURCES OF DATA FOR C2 DETECTION

• FIREWALL

•WEB PROXY

• DNS (WINDOWS EVENT LOGS)

• NETFLOW (SESSION DATA)

• FULL PACKET CAPTURE (IF PERMITTED)

Page 21:

SOURCES OF DATA: FIREWALL

SYSLOG SEVERITY LEVELS (WHAT THE FIREWALL CAN BE CONFIGURED TO SEND):

• EMERGENCY (SEVERITY 0) SYSTEM IS UNUSABLE.

• ALERT (SEVERITY 1) IMMEDIATE ACTION IS NEEDED.

• CRITICAL (SEVERITY 2) CRITICAL CONDITION.

• ERROR (SEVERITY 3) ERROR CONDITION.

• WARNING (SEVERITY 4) WARNING CONDITION.

• NOTIFICATION (SEVERITY 5) NORMAL BUT SIGNIFICANT CONDITION.

• INFORMATION (SEVERITY 6) NORMAL INFORMATION MESSAGE.

• DEBUGGING (SEVERITY 7) DEBUGGING MESSAGE.

The firewall is logging. I think....

Page 22:

SOURCES OF DATA FOR C2 DETECTION

“IF YOU HAVEN'T TESTED AND VALIDATED [YOUR SECURITY MONITORING’S DETECTION CAPABILITIES], DON'T CONSIDER IT DETECTION, IT'S JUST A RULE WITH A PRAYER.”

–RUSS MCREE @HOLISTICINFOSEC

Page 23:

RED TEAM #1-OBJECTIVES

• PRACTICE INCIDENT RESPONSE PROCEDURES, E.G. EVENT CORRELATION

• IDENTIFY AND CONTAIN COMPROMISED DEVICE

• LOCATE COMPROMISED DEVICE

• IDENTIFY C2 COVERT CHANNEL(S)

• DETERMINE LATERAL MOVEMENT

• TEST OUR MANAGED SECURITY SERVICE

Page 24:

RED TEAM #1-OBJECTIVES

INCIDENT RESPONSE—SANS “PICERL” MODEL

• PREPARATION

• IDENTIFICATION

• CONTAINMENT

• ERADICATION

• RECOVERY

• LESSONS LEARNED

Page 25:

SCOPE OF NETWORK

• >8500 STUDENTS

• >1900 EMPLOYEES

• >14,000 DEVICES ON NETWORK (WIRED AND WIRELESS)

• 14 LOCATIONS CONNECTED VIA FIBER NETWORK

• 71 TELECOMMUNICATIONS CLOSETS

Page 26:

RED TEAM: “LAN TURTLE”

Page 27:

RED TEAM: HAK5 LAN TURTLE

20 PREINSTALLED MODULES ON LAN TURTLE:

• AUTOSSH - PORT 22

• NETCAT REVSHELL - ANY PORT (6666)

• https://www.sans.org/reading-room/whitepapers/tools/netcat-tcp-ip-swiss-army-knife-952

• METERPRETER (METASPLOIT) - ANY PORT (4444)

• https://www.darkoperator.com/installing-metasploit-in-ubunt/

C2 SERVER HOSTED AT DIGITAL OCEAN

• https://www.digitalocean.com/

Page 29:

I remember you. You can pass.

Outgoing 22, 4444 and 6666. Sure. I’ll remember.

Page 32:

RED TEAM: HAK5 LAN TURTLE

RED TEAM KICK OFF:

• RED TEAM WAS SCHEDULED FOR A DAY GOOD FOR BLUE TEAM MEMBERS—DISTRICT IN-SERVICE

• COMPROMISED DEVICE STARTED LATERAL SCANNING (KNOWN TO TRIGGER ALARMS IN LANCOPE (NETFLOW))

• COMPROMISED DEVICE PARTIALLY HIDDEN ON CROWDED DESK IN LIBRARY

Page 33:

RED TEAM: HAK5 LAN TURTLE

LESSONS LEARNED:

• INITIALLY DISCOVERED ANOTHER DEVICE WITH WEIRD OUTBOUND COMMUNICATIONS

• REINFORCED ABILITY TO USE TOOLS TO LOCATE DEVICES VIA DHCP, IP SCOPE, MAC ADDRESS, PHYSICAL PORT, E.G. CAN YOU IDENTIFY WHAT DEVICE HAD A SPECIFIC IP ADDRESS TWO WEEKS AGO?

• IDENTIFIED NEED TO IMPLEMENT EGRESS FILTERING

• IDENTIFIED NEED TO FURTHER DEVELOP AND PRACTICE INCIDENT RESPONSE PROCEDURES

• USE OF SHARED TIMELINE TO RECORD IR ACTIONS

• TEAM BUILDING EXPERIENCE
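The LAN Turtle exercise turns on three questions the deck raises in passing: is the firewall actually logging (the "I think...." slide), which internal host is holding outbound sessions on ports that should never leave the network (the Turtle's 22, 4444 and 6666), and which physical device had that IP at that moment (the "two weeks ago" DHCP question). The script below is an added example, not code from the slides or from Hak5; the syslog line format, addresses, ports, egress policy and DHCP lease records are all constructed for illustration.

```python
"""Added example (not from the original slides): answer three of the deck's questions
against firewall syslog and DHCP data. Is the firewall really logging (severity/recency)?
Which internal host opened outbound sessions on ports that should not leave the network
(the LAN Turtle's 22, 4444 and 6666)? And what device held that IP at that moment?
Log shapes, addresses, ports and lease records below are constructed for the example."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Syslog severity names, index = severity number (PRI = facility * 8 + severity)
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "informational", "debugging"]

# Outbound (proto, port) pairs sanctioned for user VLANs. Assumption for the example;
# your written egress policy is the authoritative source.
ALLOWED_EGRESS = {("tcp", 80), ("tcp", 443), ("udp", 53),
                  ("tcp", 25), ("tcp", 110), ("tcp", 143)}

# Constructed firewall log lines in a generic <PRI>timestamp host message key=value shape.
FIREWALL_LOG = """\
<134>2021-03-10T09:00:01Z fw1 session-open src=10.20.5.17:51000 dst=104.16.1.1:443 proto=tcp action=allow
<134>2021-03-10T09:00:03Z fw1 session-open src=10.20.5.42:52211 dst=203.0.113.9:22 proto=tcp action=allow
<134>2021-03-10T09:00:05Z fw1 session-open src=10.20.5.42:52212 dst=203.0.113.9:4444 proto=tcp action=allow
<134>2021-03-10T09:00:07Z fw1 session-open src=10.20.5.42:52213 dst=203.0.113.9:6666 proto=tcp action=allow
<132>2021-03-10T09:00:09Z fw1 session-deny src=10.20.5.17:51001 dst=198.51.100.7:445 proto=tcp action=deny
<134>2021-03-10T09:00:11Z fw1 session-open src=10.20.5.17:51002 dst=8.8.8.8:53 proto=udp action=allow
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$")

def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_firewall_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are themselves worth counting when validating a feed
        rec = m.groupdict()
        rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
        rec["severity_name"] = SEVERITIES[rec["severity"]]
        rec["dport"] = int(rec["dport"])
        rec["ts"] = ts(rec["ts"])
        records.append(rec)
    return records

def logging_health(records, now, max_silence=timedelta(minutes=5)):
    """'The firewall is logging. I think...' -> prove it: recency plus the severities seen."""
    if not records:
        return {"alive": False, "severities": Counter()}
    newest = max(r["ts"] for r in records)
    return {"alive": now - newest <= max_silence,
            "severities": Counter(r["severity_name"] for r in records)}

def unauthorized_egress(records):
    """Permitted outbound sessions to (proto, port) pairs outside policy, grouped by source IP."""
    hits = {}
    for r in records:
        if r["action"] == "allow" and (r["proto"], r["dport"]) not in ALLOWED_EGRESS:
            hits.setdefault(r["src"], []).append((r["ts"], r["dst"], r["proto"], r["dport"]))
    return hits

# Constructed DHCP lease history: (ip, mac, switch/port, lease_start, lease_end).
# The same IP was held by a different device two weeks earlier.
DHCP_LEASES = [
    ("10.20.5.42", "00:13:37:aa:bb:cc", "lib-sw2/Gi1/0/17",
     ts("2021-03-10T08:30:00Z"), ts("2021-03-10T20:30:00Z")),
    ("10.20.5.42", "a4:5e:60:11:22:33", "lib-sw2/Gi1/0/05",
     ts("2021-02-24T08:00:00Z"), ts("2021-02-24T20:00:00Z")),
]

def device_for_ip(ip, when, leases=DHCP_LEASES):
    """Which MAC and switch port held this IP at this time? Needs lease history, not current leases."""
    for lease_ip, mac, port, start, end in leases:
        if lease_ip == ip and start <= when <= end:
            return {"mac": mac, "port": port}
    return None

if __name__ == "__main__":
    recs = parse_firewall_log(FIREWALL_LOG)
    print(logging_health(recs, now=ts("2021-03-10T09:02:00Z")))
    for src, sessions in unauthorized_egress(recs).items():
        print(src, device_for_ip(src, sessions[0][0]), [s[1:] for s in sessions])
```

Two points worth noting. The "allow" filter matters: a stateful firewall that permits all outbound ports (Page 15) writes these sessions at informational severity, so if the syslog export is capped at warning or above the Turtle's channels never reach the log collector; the severity counter is the cheap way to notice that. And the lease lookup is keyed on a timestamp because an IP alone is ambiguous once the lease has rolled over, which is the "two weeks ago" trap in the lessons learned.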

Page 34:

RED TEAM #2-OBJECTIVES

• PRACTICE INCIDENT RESPONSE PROCEDURES

• PRACTICE COLLECTING DATA REQUESTED BY MANAGED SECURITY SERVICE PROVIDER DURING INCIDENT

• IDENTIFY C2 COVERT CHANNEL(S)

• DETERMINE LATERAL MOVEMENT

• TEST OUR MANAGED SECURITY SERVICE PROVIDER

Page 35:

RED TEAM: DNSCAT2

• DNS (DOMAIN NAME SYSTEM): UDP (AND TCP) 53

• DNSCAT2 DIRECTLY TO C2 SERVER IF OUTBOUND DNS TRAFFIC IS PERMITTED TO ANY DNS SERVER

• DNSCAT2 INDIRECTLY TO C2 SERVER THROUGH VICTIM’S DNS SERVER IF OUTBOUND DNS TRAFFIC IS PERMITTED ONLY FROM VICTIM’S INTERNAL DNS SERVERS

• DNSCAT2 LINUX AND WINDOWS POWERSHELL CLIENTS

• ARBITRARY COMMANDS, UPLOAD/DOWNLOAD FILES, AND SHELL

• POLLS EVERY 1 SECOND, NOISY

Page 36:

DNS

DOMAIN NAME SYSTEM

I want to go to www.bucks.edu

Page 37:

DNSCAT2 Client direct communication with DNSCAT2 C2 Server

DNSCAT2 Client communication with DNSCAT2 C2 Server via Internal DNS Server

Page 38:

DNSCAT2 UNENCRYPTED DIRECT

Hex to ASCII=“whoami”
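The two dnscat2 slides above (the 1-second polling on Page 35 and the hex-to-ASCII "whoami" here) are exactly what a resolver query log exposes, which is why Page 42's "collect DNS logs, develop triggers" is the fix. The script below is an added example, not code from the slides or from the dnscat2 project: it profiles query logs for the traffic shape dnscat2 leaves (many unique hex-looking labels under one domain at a steady rate) and, for the unencrypted mode, pulls printable text back out of the labels. The log format, the domain `dnscat.example.com`, the thresholds and the byte layout of the sample payload are all constructed or assumed; the encrypted mode on Page 40 defeats the decode step but not the statistical one.

```python
"""Added example (not from the original slides): profile resolver query logs for the
traffic shape dnscat2 leaves behind (steady polling, many unique hex-looking labels under
one domain) and, for the unencrypted mode, recover the plaintext inside the labels.
Log format, domain names, thresholds and the payload layout are constructed/assumed."""
import re
from collections import defaultdict
from datetime import datetime

HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")     # even-length check is done separately
PRINTABLE_RUN = re.compile(rb"[ -~]{4,}")      # 4+ consecutive printable ASCII bytes

def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def constructed_log():
    """Constructed sample: three benign lookups from 10.20.5.17 and a dnscat2-style
    session from 10.20.5.42 polling once per second. The first tunnel query carries a
    hex payload whose data portion is the command 'whoami' (unencrypted mode)."""
    lines = [
        "2021-03-10T09:00:00Z 10.20.5.17 www.bucks.edu A",
        "2021-03-10T09:00:02Z 10.20.5.17 ocsp.digicert.com A",
        "2021-03-10T09:00:05Z 10.20.5.17 login.microsoftonline.com A",
        "2021-03-10T09:00:00Z 10.20.5.42 123401abcd0001000077686f616d690a.dnscat.example.com TXT",
    ]
    for i in range(1, 12):  # idle polls: a fresh packet id every second, no data
        lines.append(f"2021-03-10T09:00:{i:02d}Z 10.20.5.42 "
                     f"{0x1234 + i:04x}01abcd{i:04x}0000.dnscat.example.com TXT")
    return "\n".join(lines)

def parse_dns_log(text):
    """One record per line: 'timestamp client qname qtype' (format is an assumption)."""
    out = []
    for line in text.splitlines():
        when, client, qname, qtype = line.split()
        out.append({"ts": ts(when), "client": client,
                    "qname": qname.lower().rstrip("."), "qtype": qtype})
    return out

def base_domain(qname):
    """Registered domain = last two labels. Assumption; use a public suffix list in production."""
    return ".".join(qname.split(".")[-2:])

def is_hex_label(label):
    return len(label) % 2 == 0 and HEX_LABEL.match(label) is not None

def profile(records):
    """Per (client, base domain): count, query rate, distinct-name ratio, hex-label share, mean length."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], base_domain(r["qname"]))].append(r)
    stats = {}
    for key, rs in groups.items():
        names = [r["qname"] for r in rs]
        span = (max(r["ts"] for r in rs) - min(r["ts"] for r in rs)).total_seconds()
        stats[key] = {
            "count": len(rs),
            "qps": len(rs) / max(span, 1.0),
            "distinct_ratio": len(set(names)) / len(rs),
            "hex_share": sum(is_hex_label(n.split(".")[0]) for n in names) / len(rs),
            "mean_len": sum(map(len, names)) / len(rs),
        }
    return stats

def suspicious(stats, min_count=10, min_distinct=0.9, min_hex=0.5, min_len=40):
    """Thresholds are assumptions to tune against your own baseline, not dnscat2 constants."""
    return sorted(k for k, s in stats.items()
                  if s["count"] >= min_count and s["distinct_ratio"] >= min_distinct
                  and (s["hex_share"] >= min_hex or s["mean_len"] >= min_len))

def decode_hex_labels(qname):
    """The slide's hex-to-ASCII step: printable runs inside hex labels (unencrypted dnscat2 only)."""
    found = []
    for label in qname.split("."):
        if is_hex_label(label):
            found += [m.decode("ascii") for m in PRINTABLE_RUN.findall(bytes.fromhex(label))]
    return found

if __name__ == "__main__":
    stats = profile(parse_dns_log(constructed_log()))
    for key in suspicious(stats):
        print("tunnel-like:", key, {k: round(v, 2) for k, v in stats[key].items()})
    print(decode_hex_labels("123401abcd0001000077686f616d690a.dnscat.example.com"))
```

In the indirect mode (Page 37, via the internal resolver) the client column is the real victim and this log is the only place it appears, since the firewall sees only the resolver talking to the authoritative server; in the direct mode the firewall log carries the victim IP as well. Either way the one-query-per-second idle poll is what makes `count` and `distinct_ratio` climb even when no command is being sent.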


Page 40:

DNSCAT2 ENCRYPTED AUTHORITATIVE

Page 41:

RED TEAM: DNSCAT2

RED TEAM KICK OFF:

• RED TEAM WAS SCHEDULED FOR A DAY GOOD FOR BLUE TEAM MEMBERS—DISTRICT IN-SERVICE

• RULES OF ENGAGEMENT DISCUSSED, “DON’T MOVE TO CONTAINMENT UNTIL WE FULLY UNDERSTAND THE COMPROMISE”

• POWERSHELL USED TO DOWNLOAD DNSCAT2-POWERSHELL

• COMPROMISED DEVICE DOWNLOADED PSEXEC (KNOWN TO TRIGGER ALARMS IN SOPHOS)

• COMPROMISED DEVICE BEGAN LATERAL SCANNING (KNOWN TO TRIGGER ALARMS IN LANCOPE)

Page 42:

RED TEAM: DNSCAT2

LESSONS LEARNED:

• BAD CONFIGURATION IN WINDOWS CLIENTS PERMITTED ELEVATED POWERSHELL PERMISSIONS

• IDENTIFIED NEED TO COLLECT DNS LOGS

• IDENTIFIED NEED TO DEVELOP TRIGGERS FOR DNS ALERTING

• EGRESS FILTERING SPECIFIC TO IDENTIFIED SERVERS, E.G. ONLY DESIGNATED DNS SERVERS SHOULD HAVE OUTBOUND ACCESS TO TCP/UDP 53

• NEED TO FURTHER DEVELOP AND PRACTICE INCIDENT RESPONSE PROCEDURES

• TEAM BUILDING EXPERIENCE

Page 43:

THE WORK ISN’T OVER...

THE WORK ISN’T OVER WITH THE COMPROMISED DEVICE IDENTIFIED AND CONTAINED

• WHAT WERE THE INDICATORS OF COMPROMISE (IOC)?

• WHAT DATA SOURCES PROVIDED INSIGHT INTO THE COMPROMISE?

• WHAT ARE THE ROOT CAUSES OF THE EXPLOITED VULNERABILITIES?

• HOW CAN WE REMEDIATE THE VULNERABILITIES? COMPENSATING CONTROLS?

• WHAT SKILLS DO WE NEED TO IMPROVE?

• WHAT INCIDENT RESPONSE PROCEDURES NEED TO BE CREATED OR UPDATED?

• WHAT MONITORING SYSTEMS MET EXPECTATION? WHAT SYSTEMS DID NOT MEET EXPECTATION?

Page 44:

LESSONS LEARNED

• CONDUCT LESSONS LEARNED MEETING

• AVOID FINGER POINTING AND BLAMING

• REVIEW EXISTING INCIDENT RESPONSE PROCEDURE

• DEVELOP PROCEDURE (IF ONE IS NOT AVAILABLE) FOR TYPE OF INCIDENT

• BRAINSTORM ADDITIONAL METHODS TO MITIGATE FUTURE RISK

• IDENTIFY ADDITIONAL REPERCUSSIONS RESULTING FROM IR, E.G. IMPACT OF MITIGATION.

• UPDATE POLICIES, REGULATIONS, AND PROCEDURES

• UPDATE CSIR PLAN AND IR PROCEDURES

Page 45:

START SIMPLE

CIS CONTROL 12: BOUNDARY DEFENSE

• DENY COMMUNICATION OVER UNAUTHORIZED TCP OR UDP PORTS OR APPLICATION TRAFFIC TO ENSURE THAT ONLY AUTHORIZED PROTOCOLS ARE ALLOWED TO CROSS THE NETWORK BOUNDARY IN OR OUT OF THE NETWORK AT EACH OF THE ORGANIZATION'S NETWORK BOUNDARIES.

• https://www.cisecurity.org/controls/

Page 46:

START SIMPLE-SSH/PORT 22

• SSH* TO DEVICE OUTSIDE OF YOUR NETWORK, E.G. DIGITAL OCEAN

• USE SOURCES OF DATA, LOGS, TO IDENTIFY DEVICE ACTIVITY

• CORRELATE SOURCES OF DATA

• IDENTIFY LOCATION OF THE DEVICE, E.G. SWITCH PORT OR AP

• IDENTIFY OTHER ACTIVITIES, E.G. LATERAL MOVEMENT

*SSH BUILT INTO LINUX AND MAC. USE PUTTY FOR WINDOWS.

Page 47:

“THE MORE I PRACTICE, THE LUCKIER I GET.”

Page 48:

Questions?

•GEORGE FRAZIER

[email protected]

•@GEOFRAZIER
