
BREAKING AND ENTERING: EMULATING THE DIGITAL ADVERSARY IN 2019 - PowerPoint PPT Presentation



  1. BREAKING AND ENTERING: EMULATING THE DIGITAL ADVERSARY IN 2019
     CISA | Cybersecurity and Infrastructure Security Agency
     Bobby Thompson, National Cybersecurity Assessments and Technical Services (NCATS)
     May 30, 2019

  2. SERVICES TODAY
     If vulnerability is the only element of risk that we can eliminate ...
     Cyber Hygiene
       • Open Source Intelligence Monitoring
       • Phishing Campaigns and Assessments
       • System & Application Vulnerability Scanning
     Risk Evaluation
       • Risk and Vulnerability Assessments
       • Validated Architecture Design Reviews
       • Remote Penetration Testing
     Advanced Operations
       • Critical Product Evaluation
       • Red Team Assessments
     ... let's focus on proactive elimination of vulnerability to reduce risk

  3. GOALS: DHS NCATS INTRODUCTION
     REDUCE: Reduce risk and increase resilience
       • Identify and eliminate attack paths prior to their exploitation by malicious actors
       • Notify stakeholders of significant findings and trends in order to inform risk management
       • Promote effective data-driven cybersecurity risk mitigation strategies
     ENABLE: Enable data-driven decisions
       • Improve policy makers' ability to make informed, mature risk-based decisions
       • Enable analysts to enrich threat analysis and modeling
       • Champion and promote standards, policies, guidelines and capabilities
     INFLUENCE: Influence operational behavior
       • Measure and monitor the implementation of operational capabilities
       • Collaboratively evaluate products with vendors to increase "out of box" security

  4. THREAT EMULATION MODEL COMPARISON
     Threat emulation and assessment models mean many things to many people
       • Vulnerability Assessment
       • Penetration Testing
       • Red Team Operations
     • The terms are used interchangeably and often amalgamated
     • It is important to establish a clear delineation for your purposes
     • Each has advantages and disadvantages
     • Caveats ...

  5. VULNERABILITY ASSESSMENT
     • Primary objective: identify vulnerabilities within the target scope
     • Vulnerabilities are generally discovered via automated tools
       • Typically, no exploitation is performed against hosts
       • Additional manual steps are required to clear false positives
       • Some tools may provide the capability to attempt exploitation for validation
     • This model could be leveraged by leadership to:
       • Discover critical vulnerabilities and recommended mitigations
       • Determine criticality statistics for a target environment
       • Validate that the patching capabilities in place are effective

  6. PENETRATION TEST
     • Primary objective: determine the effect and outcome of vulnerability exploitation
     • Emulation is conducted by applying an attacker mindset to discovered vulnerabilities
       • Breadth of testing is limited by scope and legal restrictions
       • Tests are collaborative in nature and exploitation is coordinated
       • No obfuscation of activity or evasion of traditional IR
       • Focus is on testing the technical controls in an environment
     • This model could be leveraged by leadership to:
       • Prioritize, manage, and mitigate risk
       • Identify and eliminate attack paths prior to their exploitation by malicious actors
       • Find misconfigurations not discovered by vulnerability scans

  7. RED TEAM OPERATIONS
     • Primary objective: effective training for blue teams, SOCs, and network defenders
     • Emulates real-world threat activity against a target organization
       • Events are not coordinated with security personnel
       • Utilization of evasion, obfuscation techniques, and advanced skill sets
       • Breadth of testing is limited by legal restrictions
       • Tests people, processes, and technologies
     • This model could be leveraged by leadership to:
       • Train defensive personnel against a live threat actor in a controlled scenario
       • Test the defensive detection and response capabilities of an organization

  8. WHY EMULATE?
     (word cloud; recoverable items)
     • Compliance and governance (e.g. PCI-DSS regulations)
     • Identifies unknown deficiencies, weaknesses, and misconfigurations
     • Vulnerability identification
     • Risk prioritization (high, medium, low)
     • Asset discovery
     • HVA discovery
     • User awareness, susceptibility, and training
     • Security tool validation
     • Incident Response training
     • Helps refine the Incident Command process
     • You get to wear a hoodie
     • Justifies the stickers on your laptop
     • People fear you for no good reason
     • It's fun!

  9. ADVERSARY EMULATION 101
     • Authorization of an ethical, professional, and realistic attacker within the confines of your network infrastructure
     • Allows stakeholders to:
       • Understand and manage risk
       • Discern what happens if a real-world attacker infiltrates a network
         • Did the SOC detect adversarial activity/entry?
         • Was the root cause determined?
         • Were critical assets manipulated?
         • What were the lessons learned?
     • Cyclical process
       • Adversary emulation
       • Test/challenge defense/blue teams
       • Report, review, revise, mitigate, and follow up
       • Log, communicate, collaborate

  10. ADVERSARY EMULATION 101
     • Infrastructure setup
       • Team share
       • C2 infrastructure and redirectors
       • Domain names
       • Payload development
     • Data collection repository
       • Findings
       • Observations
       • Risks and issues
       • Daily summary
       • Persistent and non-persistent
       • Raw data

  11. ADVERSARY EMULATION 201
     • Research, read, test, and develop
     • Standard, consistent, quantifiable, and adaptable TTPs, PPPs, and methodology
     • Multiple options to exploit the kill chain
     • Evolve, adapt, thrive
     • Administrative statistics, findings, and standards (ATT&CK, NIST, etc.)
     • Do not accept the status quo!

  12. ADVERSARY EMULATION 201

  13. ADVERSARY EMULATION 301
     • Assume breach
     • Replicate the threat landscape specific to each customer: adversarial modeling
       • Wealth of intel reports, malware analysis sites, and formal collaboration groups
     • Allow for adaptable TTPs
     • Total and complete transparency
     • Automation

  14. THREAT EMULATION METHODOLOGY

  15. METHODOLOGY: RECON
     • OSINF and passive/active recon is the primary activity of the initial phase
       • Information gathering, passive fingerprinting, social media monitoring
       • Personnel, roles, e-mail addresses, organization schemas, infrastructure
     • A multitude of sources provide a wealth of valuable data
       • Google Dorking, LinkedIn, social media, and publicly hosted information
     • Analytics are applied to tie the information into a bigger picture
       • Initial targets are developed based on this information
       • Specially crafted spear-phishing campaigns are developed
     • Restriction: establishment of personas, impersonation, etc.
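One piece of the "analytics" step above, as an added example (not code from the presentation or from NCATS): given a handful of addresses already observed in public sources, infer the organization's e-mail naming convention and apply it to names harvested from LinkedIn or a press page to produce the initial target list. The pattern table, the domain `example.org` and every name and address below are constructed for illustration; whether any generated address may actually be used is governed by the rules of engagement, not by this script.

```python
"""Infer an e-mail naming convention from known addresses, then build
candidate addresses for harvested names (constructed example data)."""
import re
from collections import Counter

# Common local-part conventions. Each maps (first, last) -> local part.
# This table is an assumption; extend it with conventions seen in the field.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
}


def normalise(name: str) -> tuple[str, str]:
    """'Carol Quinn-Tester' -> ('carol', 'quinntester'): lowercase, strip
    punctuation, take the first and last tokens (middle names dropped)."""
    parts = re.sub(r"[^a-z\s]", "", name.lower()).split()
    if len(parts) < 2:
        raise ValueError(f"need at least a first and last name: {name!r}")
    return parts[0], parts[-1]


def infer_format(known: dict[str, str]) -> str:
    """known maps a full name to its observed address. Returns the pattern
    that reproduces the most observed local parts (ties: first listed)."""
    votes: Counter[str] = Counter()
    for name, addr in known.items():
        local = addr.split("@", 1)[0].lower()
        first, last = normalise(name)
        for pname, fn in PATTERNS.items():
            if fn(first, last) == local:
                votes[pname] += 1
    if not votes:
        raise ValueError("no known pattern matches the observed addresses")
    return votes.most_common(1)[0][0]


def build_targets(known: dict[str, str], harvested: list[str],
                  domain: str) -> tuple[str, list[tuple[str, str]]]:
    """Return (pattern used, [(harvested name, candidate address), ...])."""
    fmt = infer_format(known)
    fn = PATTERNS[fmt]
    targets = []
    for name in harvested:
        first, last = normalise(name)
        targets.append((name, f"{fn(first, last)}@{domain}"))
    return fmt, targets


# Constructed sample data: addresses "seen" on a contact page / in a PDF's
# metadata, and names "harvested" from a social-media search.
KNOWN = {
    "Alice Example": "alice.example@example.org",
    "Bob Sample": "bob.sample@example.org",
    "Carol Quinn Tester": "carol.tester@example.org",
}
HARVESTED = ["Dana Ridley", "Evan Stone", "Fay O'Neil"]

if __name__ == "__main__":
    fmt, targets = build_targets(KNOWN, HARVESTED, "example.org")
    print(f"inferred convention: {fmt}")
    for name, addr in targets:
        print(f"  {name:20s} -> {addr}")
```

Out-of-office replies and bounce messages (slide 16) are the cheapest way to confirm or refute the inferred convention before a lure is sent; a single mismatch against a mailbox that is known to exist means the vote should be re-run with that address added to the known set.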

  16. METHODOLOGY: EXPLOITATION*
     • Primary attack vector is phishing
     • Non-technical personnel are generally targeted
       • Human Resources, contract managers, press, hiring managers
       • Everyone and anyone
       • Out-of-office replies can provide a wealth of information
     • A rapport is built with the target before payload delivery
       • This establishes trust so suspicion is not raised upon payload execution
       • This also provides an avenue to test payload success
     • Alternatively: 1-3 campaigns, no rapport, lure of moderate sophistication
     • The payload delivers code execution and the code establishes C2
     • Once exploitation is successful, the method can be replicated


  18. METHODOLOGY: PERSISTENCE
     • Once access is obtained, an initial triage and enumeration is performed
       • Triage is a series of steps taken to learn about the host environment
     • Persistence may be required because the C2 implant runs in memory
       • Persistence provides the opportunity to maintain access through reboots
       • Risk: an artifact is left on disk, which is a potential point of detection
     • Persistence is established based on the triage results
       • Examples of persistence include registry or scheduled task (schtasks) modification
       • Different lanes use different methods of persistence so that tactics are varied
       • Persistence may be established or removed as required
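The "potential point of detection" on the slide is concrete: both techniques it names leave an event that a SOC can alert on. The following is an added example (not the presentation's or NCATS's code) of the blue-side check for exactly those two artifacts: a Sysmon Event ID 13 (registry value set) under a Run/RunOnce key, and a Windows Security Event ID 4698 (scheduled task created). The log lines are constructed JSON with a simplified subset of the real event fields, not genuine EVTX/XML output, and the allow-list and the "suspicious" regexes are assumptions that a real deployment would derive from its own baseline.

```python
"""Flag Run-key and scheduled-task persistence in constructed Sysmon /
Security log lines (JSON, simplified field set)."""
import json
import re

# Autostart locations under HKLM/HKU Software\Microsoft\Windows\CurrentVersion.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Script hosts / LOLBins whose appearance in an autostart value is worth a look.
SCRIPT_HOST_RE = re.compile(
    r"(powershell|cmd\.exe|rundll32|regsvr32|mshta|wscript|cscript)", re.IGNORECASE)
# User-writable locations: an autostart pointing here was not placed by an installer.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Public)\\", re.IGNORECASE)
# Assumed baseline: installers that legitimately write Run keys in this environment.
ALLOWLISTED_IMAGES = {r"c:\windows\system32\msiexec.exe"}


def check_event(ev: dict):
    """Return (severity, reason) for a persistence-relevant event, else None."""
    eid = ev.get("EventID")
    if eid == 13:  # Sysmon RegistryEvent: value set
        if not RUN_KEY_RE.search(ev.get("TargetObject", "")):
            return None
        image = ev.get("Image", "").lower()
        details = ev.get("Details", "")
        if image in ALLOWLISTED_IMAGES:
            return None
        if SCRIPT_HOST_RE.search(details) or USER_WRITABLE_RE.search(details):
            return ("high", f"Run-key autostart set by {image}: {details}")
        return ("medium", f"Run-key autostart set by {image}: {details}")
    if eid == 4698:  # Security: a scheduled task was created
        name = ev.get("TaskName", "")
        content = ev.get("TaskContent", "")
        if SCRIPT_HOST_RE.search(content) or USER_WRITABLE_RE.search(content):
            return ("high", f"Scheduled task {name} runs a script host or user-writable path")
        return ("low", f"Scheduled task {name} created")
    return None


def scan(lines):
    """Parse one JSON event per line; return [(computer, severity, reason), ...]."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the whole scan
        hit = check_event(ev)
        if hit:
            alerts.append((ev.get("Computer", "?"), *hit))
    return alerts


# Constructed sample log (not real telemetry). Paths use JSON-escaped backslashes.
SAMPLE_LOG = r'''
{"EventID": 13, "Computer": "WS01", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\svc.exe"}
{"EventID": 13, "Computer": "WS01", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "Details": "C:\\Program Files\\Vendor\\agent.exe"}
{"EventID": 13, "Computer": "WS01", "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
{"EventID": 4698, "Computer": "WS01", "TaskName": "\\Microsoft\\Windows\\Backup\\Nightly", "TaskContent": "<Command>C:\\Program Files\\Backup\\backup.exe</Command>"}
{"EventID": 4698, "Computer": "WS01", "TaskName": "\\Updater", "TaskContent": "<Command>wscript.exe</Command><Arguments>C:\\Users\\Public\\u.vbs</Arguments>"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\notepad.exe"}
'''

if __name__ == "__main__":
    for computer, sev, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"[{sev:6s}] {computer}: {reason}")
```

The two "high" hits are what a red team lane should expect to trigger when it persists this way; if the SOC raises nothing, that gap (not the implant) is the finding to report. Note that the allow-list is keyed on the writing process image only, which is deliberately weak: a payload that injects into msiexec.exe would pass it, and the hardened version of this check would also require the value to point into Program Files.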
