A D V E R S A R I A L A P P R O A C H T O I M P R O V E D E T E C - PowerPoint PPT Presentation

A D V E R S A R I A L A P P R O A C H T O I M P R O V E D E T E C T I O N C A P A B I L I T I E S

Massimo Bozza Ethical Hacker Senior Security Engineer @maxbozza Pietro Romano Principal Security Engineer @tribal_sec

AGENDA Adversarial approach Scenario - Simulation vs emulation - APT3 - KovCoreG IoC & IoA - Fusion Adversary Simultation Framework Next Steps - Threat analysis - Attack - Detection

A D V E R S A R I A L A P P R O A C H

ADVERSARIAL APPROACH – WHAT IS & ISN’T White-boxactivity Classic Red Teaming Cross team Penetration Test Cooperative process Black-box activity Repetitively process One shot activity

ADVERSARIAL APPROACH - GET STARTED No standard definition for adversary simulation Purple teaming • Threat emulation • Attack simulation • Main goals Improve security Detection and Response underlining blind spots • KPI for budget allocation • Train Blue Team against targeted attacks • Evaluate blinky boxes / detection tools •

ADVERSARIAL APPROACH – SIMULATE vs EMULATE SIMULATE EMULATE Almost Same TTP of attackers Same TTP of attackers Tools with same behavior Attacker’s custom Tools Automation

ADVERSARIAL APPROACH – SIMULATE vs EMULATE SIMULATE EMULATE Less accurate More accurate Re-use of available tools More time consuming Sometimes attacker’s More scalable behaviors are undisclosed

I O C - I O A F U S I O N

CLASH: IoC vs IoA Indicator of Compromise Indicator of Attack • IP address • Pattern • Hash • Lateral Movement • Exploits • Code Execution • Malware • C&C • Signatures • Persistence actions

FUSION: IoC & IoA Re Reactive Indicators Lo Logs Pr Proactive Indica cators De Detect ctions & Response

Cyber KILL CHAIN & MITRE ATT&CK Reconnaissance Lateral Movement Installation Delivery Command & Control Weaponization Exploitation Initial Access Defense Evasion Collection Credential Access Exfiltration Execution Persistence Discovery Command & Control Privilege Escalation Lateral Movement

A D V E R S A R Y S I M U L AT I O N F R A M E W O R K

Adversary Simulation Framework Framework Modules Threat Analysis Attack & Kill Chain simulation Detection Points of Contact Testing Results analysis Sharing

THREAT ANALYSIS OSINT Feed Threat Intel Human-led process Custom Feed Enriches existing security measures Threat Analysis Contextual insight data Threat Group Attack Scenario Attack Path Tools/Weapons Knowledge Base

THREAT ANALYSIS - Overview Th Threat I Intelligence 01 • Data collection As Service • OSINT Da Data Filtering • Filtering by Industry 02 • Filtering by target technology • Threat Groups Data Analysis Da • Tactics • Techniques identification 03 • Weapons / Tools used • Attack paths • Operational flows / Procedure Re Reporting/KB • Data Presentation 04 • Data Sharing • Data Assessment Con Continuou ous Improvement • Maintenance 05 • Contents integration

THREAT ANALYSIS – Data Analysis & Reporting LE LENA Malware

ATTACK / KILL CHAIN SIMULATION TTP Extraction TTP Mapping Simulation Environment setup Custom toolset Engineering Automation engine Knowledge Base Knowledge Base Execution Reporting

ATTACK / KILL CHAIN SIMULATION - Overview TTP extraction Mapping TTP • Custom tools • Attacker’s tool Analysis • OS commands • Attacker’s behavior Open Source tools • Environment Engineering Setup target • Custom modules • Automation engine • Custom tools • Repositories • • Attack flow Reporting Execution Playbook run • KB enrichment • Log collection • Log reporting •

ATTACK / KILL CHAIN SIMULATION – TTP Mapping Category / Techniques Description Attacker’s tool Simulation Privilege Escalation This steals the access token from another process and uses it to gain T1134 PlugX Tokenvator access to other services or computers. Credentials Scrape LSASS memory to obtain logon Mimikatz T1003 PlugX passwords Procdump Lateral Movement and Execution T1075 Lateral movement with harvested PlugX Mimikatz + custom module credentials T1077

ATTACK / KILL CHAIN SIMULATION – Environment Setup Internet File repository Ansible Engine Vault Modules Inventory Targets Technology stack Playbooks – hosted on Git

ATTACK / KILL CHAIN SIMULATION – Engineering 1/2 Ansible Engine Playbook Roles Txxx Txxx Library Custom Module

ATTACK / KILL CHAIN SIMULATION – Engineering 2/2 Ansible Engine Custom Module When? • It’s not already present in Ansible library / community • More specific than a role • Output re-usable in other tasks Mimikatz Credential Dump + Output Parser Execute mimikatz sekurlsa::logonpasswords to scrape • credentials from LSASS Parse output in an Ansible Readable format •

ATTACK / KILL CHAIN SIMULATION – Custom Toolset 1/2 • Python - Payload for Over-Pass-the-Hash • Python - C2 Protocol simulator • Powershell - Obfuscated Powersploit script • Powershell - Modded MS16-032 exploit • C++ - Mimikatz custom build • C# - Dropper with obfuscated and runtime payload compiling • C# - Reverse shell • C++ - MS 0Day ALPC-LPE custom build

ATTACK / KILL CHAIN SIMULATION – Custom Toolset 2/2 C# - Dropper with obfuscated and runtime payload compiling Droppy Hardcoded payload • Modded version –download payload at runtime • Runtime payload compiling and run • Low AV detection (only EDR) •

DETECTION Metrics & Human-led capability Detection Capabilities Tecnology addiction Knowledge Base Pro-active / Re-active IoA - IoC Content Engineering on SIEM Monitoring Content Validation

DETECTION - Overview Report Analysis Logs Collection/Assessment TTP extraction • • Technologies identification Behaviour analysis • • Logs to use • Target tipologies invetory • Fields / Artifacts Visibility Improvement Contents engineering • Logs integration • Correlation rules based on IoA • Technologies integration • IoA / IoC Cross-correlation Tuning / Filtering • • Contents validation Reporting/KB Continuous Improvement Logs / Technologies used • • KB Maintenance Contents inventory • • Contents evolution • Validation results

DETECTION – Logs Collection/Assessment Endpoints WECutil WEC Splunk Sysmon Security PowerShell System Sto Storage In Indexing Co Correlation Engine Subscription Su Lo Logs Network Splunk Universal Forwarder Active Directory Group Policy Object (GPO) Threat Intelligence Sysmon Custom Config File IoC IoC IoC

Filtering - Tools: Tips and Tricks Create Subscription via Event Viewer • Create subscription via WEC Server Event Viewer 1 Log Registry à 1 Subscription • 1 Log Registry à more Subscriptions • Manage subscriptions via Wecutil Edit Subscription XML Conf file • Windows Event Log supports XML Path Language (XPath) • Allowed actions / log not useful or verbose à Filtering • 18 October 2016 Use a custom Sysmong confing Amazing feature here Verbose logs • Your text here Filtering via “ Condition ” • is, is not, contains, excludes, begin with, • Your text here end with, less than, more than, image SwiftOnSecurity Sysmon Config •

Sysmon: Event Filtering and (pre)Classification

S C E N A R I O # 1 - A P T 3

APT3 - Intro What about … ü Also known as UPS Team and suspected attribution China ü Target sectors: Aerospace and Defense, Construction and Engineering, High Tech, Telecommunications, Transportation ü Associated malware: PLUGX , SHOTPUT, COOKIECUTTER, SOGU ü APT3 uses a combination of custom and openly available tools ü Attack vectors: The phishing emails used by APT3 are usually generic in nature, almost appearing to be spam

APT3 – Threat Analysis: Weapon / Tool: Assessment & Categorization Weapon / Tool Type Initial Execution Persistence Privilege Defense Credential Discovery Lateral Collection Exfiltration Command Access Escalation Evasion Access Movement & Control RAT (Custom) PIRPI SHOTPUT RAT (Custom) PLUGX RAT (Custom) RAT (Custom) Backdoor.APT.C ookieCutter OSInfo Information Discovery Customized Win Pwd Dumper pwdump Customized Win Pwd Dumper Mimikatz Keylogger sw Keylogger Remote RemoteCMD Execution Dsquery Information Discovery ChromePass Browser Pwd Dumper App. Pwd Lazagne Dumper ScanBox ExploitKit / Keylogger