Infiltrate 2015 - Data Driven Offense
How to use Big Data and Machine Learning for attacks - specifically to achieve large scale attack planning and automatic attack execution.

This talk was given at Infiltrate 2015.

1. Sacha Faust @sachafaust / Azure Red Team | Ram Shankar @ram_ssk / Azure Security Data Science
   DATA DRIVEN OFFENSE

2. Key Takeaways
   • Use data to drive common scenarios
   • How ML can be used
   • Strategic advantages

3. Our Reality

4. Context
   • Cloud vs Cloud
   • Red vs Blue focus
     - Increase: MTTC and MTTP
     - Decrease: MTTD and MTTR
   • Engineering heavy
   • Single target

5. "Advanced" Persistent Threats
   • Specific/sequential targeting
   • Effective reconnaissance
   • Practiced tool usage
   • Sophisticated planning
   • Social engineering
   • Advanced & persistent

6. Infrastructure
   (diagram: Boyd's OODA loop, Observe, Orient, Decide, Act, with feed forward, feedback, implicit guidance & control, unfolding interaction with environment, outside information and unfolding circumstances; Orient draws on cultural traditions, genetic heritage, new information, previous experience and analyses & synthesis; the loop is backed by Storage, Service Bus, Big Data, ML and Auto Scaling)

7. Next Generation APT™
   • Diversionary tactics
   • Machine learning
   • Varied persistence
   • Intelligence driven
   • Multi-front assaults

8. Intelligence Driven: Pivoting Scenario

9. Problem Statement
   (diagram: a compromised user at hop 0 and the target servers on which Administrator access is needed)

10. Context
    • Data available to all authenticated users
    • Identity used: 1
    • Exfiltration size: ~4Gb
    Data sources: Active Directory user/groups, machines, local group membership
    Implementation: SQL Azure, Service Bus, Azure Worker Role, Remote PowerShell

11. Route Discovery: Pivoting Opportunities
    Dashboard: # Actions 0, # Routes 0, # Routes to eval 7
    Assets: # Identities 1, # Servers 7
    (diagram: route graph at hop 0)

12. One Level Deep
    Dashboard: # Actions 7, # Routes 12, # Routes to eval 11
    Assets: # Servers 23, # Identities 4
    (diagram: route graph coloured by hop 0, 1, 2, 3 and untouched)

13. Outcome
    Pwned Report – PtH Pivoting
    • MTTP: seconds
    • # Actions to target: 9
    • # Min pivots required: 2
    • # Routes: 12
    Blue learnings
    • Comprehensive TTP exposure analysis
    • Increased awareness
    • Measure mitigation impact
    • Measurable (KPI)
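The route-discovery dashboard on slides 11 to 13 reports routes, actions and the minimum number of pivots from a compromised identity to the target servers, and lists "measure mitigation impact" among the blue-team learnings. The Python below is an added example written for this page, not code from the talk or from the Azure Red Team tooling. It assumes a constructed inventory (the GROUPS, LOCAL_ADMINS and SESSIONS tables and every server and identity name in them are made up) and a deliberately simplified route model: an identity that is a local administrator on a server can obtain the credentials of identities with a session on that server. It produces the same kind of numbers the dashboard shows, then re-runs them after one mitigation (the srv-ops group is removed from the target's local Administrators) so the reduction in routes and the rise in minimum pivots can be measured.

```python
from copy import deepcopy

# Constructed sample inventory (not data from the talk): domain groups, each
# server's local Administrators group, and which identities currently have a
# logon session (and therefore reusable credentials) on each server.
GROUPS = {
    "helpdesk": {"alice", "bob"},
    "srv-ops": {"carol"},
}
LOCAL_ADMINS = {
    "ws-01": {"helpdesk"},
    "ws-02": {"helpdesk"},
    "jump-01": {"carol"},
    "db-01": {"srv-ops", "dave"},   # the target server
    "file-01": {"bob"},
}
SESSIONS = {
    "ws-01": {"carol"},
    "ws-02": {"alice"},
    "jump-01": {"dave"},
    "file-01": {"erin"},
    "db-01": set(),
}


def admins_of(server, local_admins, groups):
    """Resolve a server's local Administrators to concrete identities
    (direct members plus the members of any domain group listed there)."""
    resolved = set()
    for principal in local_admins.get(server, ()):
        resolved |= groups.get(principal, {principal})
    return resolved


def find_routes(start, target, local_admins, sessions, groups, max_pivots=4):
    """Enumerate simple routes from a compromised identity to admin on target.

    A route alternates identity -> server the identity administers -> identity
    with a session on that server (whose credential is now obtainable) -> ...
    and ends at the target server. Servers and identities are not revisited."""
    admin_map = {s: admins_of(s, local_admins, groups) for s in local_admins}
    routes = []

    def walk(identity, path, seen_servers, seen_ids):
        for server, admins in admin_map.items():
            if identity not in admins or server in seen_servers:
                continue
            if server == target:
                routes.append(path + [server])
                continue
            if len(seen_servers) >= max_pivots:
                continue
            for nxt in sessions.get(server, ()):
                if nxt not in seen_ids:
                    walk(nxt, path + [server, nxt],
                         seen_servers | {server}, seen_ids | {nxt})

    walk(start, [start], frozenset(), frozenset({start}))
    return routes


def pivots(route):
    """Number of intermediate servers a route passes through (target excluded)."""
    return (len(route) - 2) // 2


def exposure_report(start, target, local_admins, sessions, groups):
    """The dashboard numbers: routes found, minimum pivots, servers touched."""
    routes = find_routes(start, target, local_admins, sessions, groups)
    touched = {node for r in routes for node in r[1::2] if node != target}
    return {
        "routes": len(routes),
        "min_pivots": min(map(pivots, routes)) if routes else None,
        "servers_touched": sorted(touched),
    }


def hardened_admins():
    """Mitigation under test: stop granting the srv-ops group admin on db-01."""
    hardened = deepcopy(LOCAL_ADMINS)
    hardened["db-01"].discard("srv-ops")
    return hardened


if __name__ == "__main__":
    before = exposure_report("alice", "db-01", LOCAL_ADMINS, SESSIONS, GROUPS)
    after = exposure_report("alice", "db-01", hardened_admins(), SESSIONS, GROUPS)
    print("before mitigation:", before)
    print("after mitigation: ", after)
```

With the constructed data, alice reaches db-01 by two routes, the shortest with a single pivot through ws-01; after the mitigation one route remains and it needs two pivots. Replacing the three tables with an export of real group membership and session data turns the same functions into the exposure KPI slide 13 asks for.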
14. Examples

15. Examples

16. Examples

17. Strategic Advantages
    • Surgical
    • Fly under most radar
    • Limited TTP exposure
    • Routes can be saved/replayed/measured
    • Long shelf life
    • Not bound to PtH only

18. Beyond PtH Pivoting
    • Paving egress routes
    • Path avoidance
    • Beachhead candidates
    • Cloud pivoting

19. Machine Learning
    (diagram: the same OODA loop and infrastructure as slide 6)

20. Traditional Programming vs Machine Learning
    (diagram: in traditional programming, data and a program go into the computer system and output comes out; in machine learning, data and output go in and a program comes out. Source: lectures by Pedro Domingos)

21. Introduction: Why is Machine Learning relevant to red teams?

22. Introduction: Why is Machine Learning relevant to red teams?

23. Introduction: Why is Machine Learning relevant to red teams?

24. ML Driven Spear Phishing
    How can Red Teams use Machine Learning
    • Subvert existing ML algorithms that defenders have put in place
      - Classic "Adversarial Machine Learning"
      - Key goal: game the ML system
      - Check out: http://www.slideshare.net/RamShankarSivaKumar/subverting-machine-learning-detections-for-fun-and-profit (Derbycon 2014)
    • Think of attacks as a large scale optimization problem and use ML to solve it

25. Machine Learning: ML driven Spear Phishing

26. ML Approach
    • Problem: Which phishing mail should be sent to a victim?
    • Why use Machine Learning?
      -> Targeted phishing emails increase the likelihood of compromise
         • Distinguished Engineer: Subj: Country Club Invitation
         • Program Manager: Subj: Kanban Notes
         • Developer: Subj: Code check in?
      -> Makes the blue team's job of building the attacker's TTP and IOC much more difficult
    • Machine Learning task: How to pick the right email per person?

27. ML Approach: Recommender Engines!

28. Contextual Bandit arms: Intuition
    • The world announces some context information (Program Managers like meetings).
    • A policy chooses arm a from 1 of k arms (i.e. 1 of k phishing emails).
    • The world reveals the reward r_a of the chosen arm (i.e. whether the message is clicked on).

29. Experiment
    Objective: Recommend the most appropriate email for the user, based on his role
    Data set:
    1) Leverage data from (previously/currently) compromised hosts
    2) Input: email corpus, context (title of role), action (clicked, not-clicked), featurization (time of click, number of words…)
    Tooling: Vowpal Wabbit (I/O bound, parallelizable, specific for large scale learning)
    Result: Overall click through rate (CTR) increased by 23%, with the highest increase in Program Managers (+22%) and the least in Developers (5.4%)
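Slide 28 states the contextual bandit loop (a context is announced, the policy picks one of k arms, the reward r_a of that arm is revealed) and slide 29 reports an experiment built on it with Vowpal Wabbit. The Python below is an added illustration written for this page, not the authors' experiment or Vowpal Wabbit code: a minimal epsilon-greedy contextual bandit that keeps one running click-rate estimate per (role, template) pair and runs the loop against constructed click probabilities. ARMS, TRUE_CLICK_RATE and the role names are made-up assumptions, not the deck's data. It shows how quickly such a policy converges on a different template per role, and the per-role click-rate breakdown it returns is the same kind of measurement a blue team's phishing-awareness programme tracks to decide which roles need focused training.

```python
import random
from collections import defaultdict

# Constructed, made-up click probabilities per (role context, email template
# arm). They are assumptions for the simulation, not figures from the talk.
ARMS = ["code_checkin", "kanban_notes", "country_club"]
TRUE_CLICK_RATE = {
    "program_manager":        [0.02, 0.40, 0.05],
    "developer":              [0.35, 0.02, 0.05],
    "distinguished_engineer": [0.05, 0.05, 0.40],
}


class EpsilonGreedyContextualBandit:
    """One running reward estimate per (context, arm); explore with probability epsilon."""

    def __init__(self, n_arms, epsilon=0.1, seed=0):
        self.n_arms = n_arms
        self.epsilon = epsilon
        self.rng = random.Random(seed)
        self.pulls = defaultdict(lambda: [0] * n_arms)
        self.estimate = defaultdict(lambda: [0.0] * n_arms)

    def best_arm(self, context):
        # Highest estimate wins; ties go to the lowest arm index.
        est = self.estimate[context]
        return max(range(self.n_arms), key=lambda a: (est[a], -a))

    def choose_arm(self, context):
        if self.rng.random() < self.epsilon:
            return self.rng.randrange(self.n_arms)   # explore
        return self.best_arm(context)                  # exploit

    def update(self, context, arm, reward):
        # Incremental mean, so no per-arm reward history has to be stored.
        self.pulls[context][arm] += 1
        n = self.pulls[context][arm]
        self.estimate[context][arm] += (reward - self.estimate[context][arm]) / n


def simulate(rounds=6000, epsilon=0.1, seed=42):
    """Run the loop from slide 28: context announced, arm chosen, reward revealed.
    Returns the trained policy and the observed click-through rate per context."""
    world = random.Random(seed + 1)          # the environment's own randomness
    policy = EpsilonGreedyContextualBandit(len(ARMS), epsilon, seed)
    contexts = list(TRUE_CLICK_RATE)
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for _ in range(rounds):
        ctx = world.choice(contexts)
        arm = policy.choose_arm(ctx)
        reward = 1 if world.random() < TRUE_CLICK_RATE[ctx][arm] else 0
        policy.update(ctx, arm, reward)
        sent[ctx] += 1
        clicked[ctx] += reward
    ctr = {c: clicked[c] / sent[c] for c in contexts}
    return policy, ctr


if __name__ == "__main__":
    policy, ctr = simulate()
    for ctx in TRUE_CLICK_RATE:
        print(f"{ctx:24s} best arm: {ARMS[policy.best_arm(ctx)]:13s} "
              f"observed CTR: {ctr[ctx]:.2f}")
```

The policy never sees TRUE_CLICK_RATE; it only observes the reward of the arm it chose, which is why the exploration term is needed: without it, a context whose first arm happens to pay out once would be locked onto that arm. Vowpal Wabbit's contextual-bandit mode replaces the per-context table with a learned model over context features, but the observe-choose-reward loop is the same.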
30. Red Advantages: Takeaways
    1) Embedding intelligence into attacks can make them more effective. ML can make attacks adaptive too!
    2) The tricky part is mapping the attack goals to the right kind of problem: a short but steep learning curve.
       -> Tip: Borrow the blue team's behavioral detections and use the same tools against them.

31. Parting Thoughts

32. Advantages
    Strategic
    • Targeting and surveillance
    • Monitoring (IOM)
    • Detection (IOD)
    • Recovery (IOR)
    • Automated and reusable attack planning
    • Decreased MTTC & MTTP
    • Increased MTTD & MTTR
    • Controlled exposure
    • Small footprint
    • TTP/actor emulation/impersonation
    Operational
    • Autonomous stages
    • Measurable efficiency
    • Reduced capabilities exposure
    • Flexible
    • Improved IP retention
    • Efficiency increased over time

33. Possible Defense
    • Adopt an "Assume Breach" mindset
    • Accelerate growth – War Games
    • Consider Moving Target Defense
    • Understand pivoting opportunities
    • Share TTP/IOC

34. Thank you
    Sacha Faust @sachafaust
    Ram Shankar @ram_ssk
