CRYTON BREACH AND ATTACK SIMULATION, Thursday 4th October 2018, Ivo Nutr
SLIDE 1
SLIDE 2
Outline
Breach & Attack Simulation
Cryton
Cryton Page 2 / 22
SLIDE 3
About me
Where I work
CSIRT-MU KYPO
What I Do
Cryton (B&S)
Penetration testing
CyberEx (GT/RT)
http://a.openalt.cz/33
SLIDE 4
Terminology
Comparison
Vulnerability Scanning
Low-hanging fruit
False positives
Cheap
Penetration Testing
Real attacker tools
Depends on the tester's skill
Once in a while / once a year / ...
External
Red Teaming
Pentest + social engineering, physical attacks, ...
Silent; also aims to test detection capabilities
May also be internal
Skilled personnel
SLIDE 5
Breach & Attack Simulation
SLIDE 6
Breach & Attack Simulation
According to Gartner, "BAS tools simulate a broad range of malicious activities (including attacks that would circumvent their current controls), enabling customers to determine the current state of their security posture."
Gartner also granted the first patent for BAS to the tool SafeBreach.
Automation of the kill chain to:
Detect soft spots
Test detection systems
Train blue teams
https://www.esecurityplanet.com/threats/breach-and-attack-simulation.html
SLIDE 7
Breach & Attack Simulation
Figure: Cyber Kill Chain by Lockheed Martin
SLIDE 8
Turn this ...
SLIDE 9
... into this
SLIDE 10
B&S tools
Open source
Metta
Uber
Local execution
MITRE ATT&CK matrix
DumpsterFire
"Security Incidents In A Box!"
Local execution
Simulates infected hosts
APTSimulator
...
Commercial
AttackIQ, Cymulate, SafeBreach, ThreatCare, ...
https://www.esecurityplanet.com/threats/breach-and-attack-simulation.html
SLIDE 11
Cryton
SLIDE 12
Cryton
Description
Cryton is being developed at CSIRT-MU as a part of the KYPO project. Its original objective was to automate some Red Team tasks during CyberEx.
Create a JSON/YAML file describing the attack scenario
Feed it to Cryton
Execute
Wait...
Read the report
Original thesis: https://is.muni.cz/th/cry3j/
SLIDE 13
Cryton
Attack scenario
Plan - Stage - Step
A Plan has a start time
A Stage has a delta (offset from the Plan start time)
Steps are organized into attack trees
Successors are chosen based on success or on the string result
A Step is the execution of an attack module
Session management (using msfrpc)
Various attributes
SLIDE 14
Cryton
Plan
A Plan contains the description of the whole attack scenario.
Name
Owner (optional)
Start time (optional)
Slave
List of Stages
SLIDE 15
Cryton
Stage
One logical part of the attack scenario, typically focused on one specific target.
Name
Delta (optional)
Target (optional)
Slave
List of Steps
SLIDE 16
Cryton
Step
A Step in the context of Cryton is the execution of one attack module. It might be an nmap scan, a vulnerability scanner run or a Metasploit module execution.
Name
Action (optional)
List of Successors (optional)
Target (optional)
Slave
SLIDE 17
Cryton
Session management
Heavily depends on the Metasploit Framework (msfrpcd + pyMetasploit)
Can create and use sessions:
create_session
use_session vs use_named_session
Sessions are shared throughout the Plan
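The Plan - Stage - Step model, the successor selection and the Plan-wide session sharing described on the preceding slides, as an added example that is not Cryton's own code: a small in-memory model of an attack scenario with a dry-run executor. The slides say scenarios are written in JSON/YAML and modules run through msfrpc; here the scenario is built from Python objects and every module is a simulated stand-in that returns a constructed result, so nothing touches a real host. The successor rule (exact match on the module's string output first, then a generic success/failure branch), the cycle guard, and the names `Context`, `Result`, `run_plan` and `pick_successor` are assumptions made for illustration.

```python
"""Added example: Cryton-style Plan -> Stage -> Step model with a dry-run
executor.  Field names follow the slides; the executor, successor rules and
the simulated modules are assumptions, not Cryton code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Result:
    """What a (simulated) attack module hands back to the executor."""
    success: bool
    output: str = ""


@dataclass
class Context:
    """Per-Plan shared state: sessions live here so later Stages reuse them."""
    sessions: Dict[str, str] = field(default_factory=dict)

    def create_session(self, name: str, handle: str) -> None:
        self.sessions[name] = handle

    def use_named_session(self, name: str) -> str:
        return self.sessions[name]  # KeyError if no earlier Step created it


@dataclass
class Step:
    name: str
    action: Callable[[Context, Optional[str]], Result]  # stand-in for a module
    successors: Dict[str, str] = field(default_factory=dict)  # result -> step
    target: Optional[str] = None


@dataclass
class Stage:
    name: str
    steps: List[Step]               # first entry is the root of the attack tree
    delta: timedelta = timedelta(0)  # offset from the Plan start time
    target: Optional[str] = None
    slave: str = "local"


@dataclass
class Plan:
    name: str
    stages: List[Stage]
    owner: Optional[str] = None
    start_time: Optional[datetime] = None
    slave: str = "local"


def pick_successor(step: Step, result: Result) -> Optional[str]:
    """Exact match on the string output wins; otherwise the generic
    success/failure branch.  None means the attack tree ends here."""
    if result.output in step.successors:
        return step.successors[result.output]
    return step.successors.get("success" if result.success else "failure")


def run_plan(plan: Plan) -> List[Tuple[datetime, str, str, bool, str]]:
    """Dry-run the scenario; return (scheduled time, stage, step, success,
    output) for every Step that was reached."""
    start = plan.start_time or datetime(2018, 10, 4, 9, 0)  # constructed default
    ctx = Context()
    trace = []
    for stage in plan.stages:
        scheduled = start + stage.delta
        by_name = {s.name: s for s in stage.steps}
        current: Optional[Step] = stage.steps[0]
        visited = set()
        while current and current.name not in visited:  # guard against cycles
            visited.add(current.name)
            result = current.action(ctx, current.target or stage.target)
            trace.append((scheduled, stage.name, current.name,
                          result.success, result.output))
            nxt = pick_successor(current, result)
            current = by_name.get(nxt) if nxt else None
    return trace


# --- constructed scenario; every module is simulated, no real tool is run ---
def sim_scan(ctx, target):
    return Result(True, "http-open")           # pretend a web port was found

def sim_vuln_scan(ctx, target):
    return Result(True, "outdated-cms")        # pretend a finding was reported

def sim_msf_module(ctx, target):
    ctx.create_session("web", f"sess-1@{target}")  # shared across the Plan
    return Result(True)

def sim_collect(ctx, target):
    return Result(True, f"collected via {ctx.use_named_session('web')}")

def sim_report(ctx, target):
    return Result(True, "nothing-found")

EXAMPLE_PLAN = Plan(name="demo", owner="red-team", stages=[
    Stage("recon", target="10.0.0.5", steps=[
        Step("scan", sim_scan, {"http-open": "vuln_scan", "failure": "report"}),
        Step("vuln_scan", sim_vuln_scan, {"outdated-cms": "msf_module",
                                          "success": "report"}),
        Step("msf_module", sim_msf_module),
        Step("report", sim_report),
    ]),
    Stage("post", delta=timedelta(minutes=5), steps=[Step("collect", sim_collect)]),
])

if __name__ == "__main__":
    for row in run_plan(EXAMPLE_PLAN):
        print(*row)
```

The trace is what a reader of the report would check: which branch of each attack tree was taken, at what offset from the Plan start each Stage was scheduled, and that the session opened in one Stage was the one consumed in a later one. Swapping a simulated module for a real msfrpc call changes only the `action` callables.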
SLIDE 18
Cryton
Slaves
Figure: Master - Slave
SLIDE 19
Cryton
Attack scenario
Figure: Example topology
SLIDE 20
Cryton
Attack scenario Example
SLIDE 21
Cryton
Execution Example
SLIDE 22