O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
Sacha Faust @sachafaust / Azure Red Team | Ram Shankar @ram_ssk / Azure Security Data Science DATA DRIVEN OFFENSE
KeyTakeAways 2 Use data to drive common scenarios How ML can be used Strategic advantages
Our Reality
Context 4 •Cloud vs Cloud •Red vs Blue focus  Increase - MTTC and MTTP  Decrease - MTTD and MTTR •Engineering heavy •Sin...
“Advanced”PersistentThreats 5 Specific/sequential targeting Effective reconnaissance Practiced tool usage Sophisticated pl...
Infrastructure 6 Feed Forward Observations Decision (Hypothesis) Action (Test) Cultural Traditions Genetic Heritage New In...
NextGenerationAPT™ 7 Diversionary Tactics Machine Learning Varied PersistenceIntelligence Driven Multi-FrontAssaults
IntelligenceDriven 8 Pivoting Scenario
ProblemStatement 9 Compromised User Target Servers with Administrator access 0
Context Data available to all authenticated users Identity used - 1 Exfiltration Size - ~4Gb Data Sources Active Directory...
RouteDiscovery 11 Pivoting Opportunities Dashboard # Actions – 0 # Routes – 0 # Routes to eval - 7 Assets # Identities - 1...
OneLevelDeep 12 Dashboard # Actions – 7 # Routes – 12 # Routes to eval - 11 Assets # Servers - 23 # Identities - 4 0 1 2 3...
Outcome 13 Pwned Report – PtH Pivoting MTTP – seconds # Actions to target - 9 # Min Pivots required – 2 # Routes - 12 Blue...
Examples 14
Examples 15
Examples 16
StrategicAdvantages 17 • Surgical • Fly under most radar • Limited TTP exposure • Routes can be saved/replayed/measured • ...
BeyondPtHPivoting 18 •Paving Egress routes •Path avoidance •Beachhead candidates •Cloud Pivoting
MachineLearning 19 Feed Forward Observations Decision (Hypothesis) Action (Test) Cultural Traditions Genetic Heritage New ...
Computer System Data Program Output Computer System Data Output Program Traditional Programming Machine Learning Source: L...
Introduction 21 Why is Machine Learning Relevant to red teams?
Introduction 22 Why is Machine Learning Relevant to red teams?
Introduction 23 Why is Machine Learning Relevant to red teams?
MLDrivenSpearPhishing 24 How can Red Teams use Machine Learning • Subvert existing ML algorithms that defenders have put i...
MachineLearning 25 ML driven Spear Phishing
ML-Approach 26 • Problem: Which phishing mail should be sent to a victim? • Why Use Machine Learning? -> Targeted Phishing...
ML-Approach 27 Recommender Engines!
Contextual Bandit arms -- Intuition •The world announces some context information (Program Managers like meetings). •A pol...
Experiment 29 Objective - Recommend the most appropriate email for the user, based on his role Data Set: 1) Leverage data ...
RedAdvantages 30 Takeaways 1) Embedding intelligence into attacks, can make it more effective. ML can make attacks adaptiv...
Parting Thoughts
Advantages Strategic  Targeting and Surveillance  Monitoring (IOM)  Detection (IOD)  Recovery (IOR)  Automated and re...
PossibleDefense 33 •Adopt “Assume Breach” mindset •Accelerate growth – War Games •Consider Moving Target Defense •Understa...
Thank you Sacha Faust @sachafaust Ram Shankar @ram_ssk
Infiltrate 2015 - Data Driven Offense
Próximos SlideShares
Carregando em…5
×

Infiltrate 2015 - Data Driven Offense

2.585 visualizações

Publicada em

How to use Big Data and Machine Learning for attacks - specifically to achieve large scale attack planning and automatic attack execution.

This talk was given at Infiltrate 2015.

Publicada em: Tecnologia
no profile picture user

  • Entre para ver os comentários

Infiltrate 2015 - Data Driven Offense

  1. 1. Sacha Faust @sachafaust / Azure Red Team | Ram Shankar @ram_ssk / Azure Security Data Science DATA DRIVEN OFFENSE
  2. 2. KeyTakeAways 2 Use data to drive common scenarios How ML can be used Strategic advantages
  3. 3. Our Reality
  4. 4. Context 4 •Cloud vs Cloud •Red vs Blue focus  Increase - MTTC and MTTP  Decrease - MTTD and MTTR •Engineering heavy •Single target
  5. 5. “Advanced”PersistentThreats 5 Specific/sequential targeting Effective reconnaissance Practiced tool usage Sophisticated planning Social engineering Advanced & persistent
  6. 6. Infrastructure 6 Feed Forward Observations Decision (Hypothesis) Action (Test) Cultural Traditions Genetic Heritage New Information Previous Experience Analyses & Synthesis Feed Forward Feed Forward Implicit Guidance & Control Implicit Guidance & Control Unfolding Interaction With EnvironmentUnfolding Interaction With Environment Feedback Feedback Outside Information Unfolding Circumstances Observe Orient Decide Act StorageService Bus Big Data ML Auto Scaling
  7. 7. NextGenerationAPT™ 7 Diversionary Tactics Machine Learning Varied PersistenceIntelligence Driven Multi-FrontAssaults
  8. 8. IntelligenceDriven 8 Pivoting Scenario
  9. 9. ProblemStatement 9 Compromised User Target Servers with Administrator access 0
  10. 10. Context Data available to all authenticated users Identity used - 1 Exfiltration Size - ~4Gb Data Sources Active Directory User/Groups Machines Local group membership Implementation • SQL Azure • Service Bus • Azure Worker Role • Remote Powershell 10
  11. 11. RouteDiscovery 11 Pivoting Opportunities Dashboard # Actions – 0 # Routes – 0 # Routes to eval - 7 Assets # Identities - 1 # Servers - 7 0
  12. 12. OneLevelDeep 12 Dashboard # Actions – 7 # Routes – 12 # Routes to eval - 11 Assets # Servers - 23 # Identities - 4 0 1 2 3 Untouched
  13. 13. Outcome 13 Pwned Report – PtH Pivoting MTTP – seconds # Actions to target - 9 # Min Pivots required – 2 # Routes - 12 Blue Learnings Comprehensive TTP exposure analysis Increased awareness Measure mitigation impact Measureable (KPI)
  14. 14. Examples 14
  15. 15. Examples 15
  16. 16. Examples 16
  17. 17. StrategicAdvantages 17 • Surgical • Fly under most radar • Limited TTP exposure • Routes can be saved/replayed/measured • Long shelve life • Not bound to PtH only
  18. 18. BeyondPtHPivoting 18 •Paving Egress routes •Path avoidance •Beachhead candidates •Cloud Pivoting
  19. 19. MachineLearning 19 Feed Forward Observations Decision (Hypothesis) Action (Test) Cultural Traditions Genetic Heritage New Information Previous Experience Analyses & Synthesis Feed Forward Feed Forward Implicit Guidance & Control Implicit Guidance & Control Unfolding Interaction With EnvironmentUnfolding Interaction With Environment Feedback Feedback Outside Information Unfolding Circumstances Observe Orient Decide Act StorageService Bus Big Data ML Auto Scaling
  20. 20. Computer System Data Program Output Computer System Data Output Program Traditional Programming Machine Learning Source: Lectures by Pedro Domingos
  21. 21. Introduction 21 Why is Machine Learning Relevant to red teams?
  22. 22. Introduction 22 Why is Machine Learning Relevant to red teams?
  23. 23. Introduction 23 Why is Machine Learning Relevant to red teams?
  24. 24. MLDrivenSpearPhishing 24 How can Red Teams use Machine Learning • Subvert existing ML algorithms that defenders have put in place • Classic “Adversarial Machine Learning” • Key goal: Game the ML System • Check out: http://www.slideshare.net/RamShankarSivaKumar/subverting- machine-learning-detections-for-fun-and-profit (Derbycon2014) • Think of attacks as a large scale optimization problem and ML to solve it
  25. 25. MachineLearning 25 ML driven Spear Phishing
  26. 26. ML-Approach 26 • Problem: Which phishing mail should be sent to a victim? • Why Use Machine Learning? -> Targeted Phishing emails increase likelihood of compromise • Distinguished Engineer: Subj: Country Club Invitation • Program Manager: Subj: Kanban Notes • Developer: Subj: Code check In? -> Makes blue team’s job of building attacker’s TTP and IOC much more difficult • Machine Learning task: How to pick the right email per person?
  27. 27. ML-Approach 27 Recommender Engines!
  28. 28. Contextual Bandit arms -- Intuition •The world announces some context information (Program Managers like meetings). •A policy chooses arm a from 1 of k arms (i.e. 1 of k phishing emails). •The world reveals the reward ra of the chosen arm (i.e. whether the message is clicked on).
  29. 29. Experiment 29 Objective - Recommend the most appropriate email for the user, based on his role Data Set: 1) Leverage data from (previously/currently) compromised hosts 2) Input: Email Corpus , context (title of role), action (clicked, not-click), featurization (time of click, number of words…) Tooling - Vowpal Wabbit (- I/O bound, parallelizable, specific for large scale learning) Result - Overall Click through rate (CTR) increased by 23%, with the highest increase in Program Managers (+22%) and least in Developer (5.4%)
  30. 30. RedAdvantages 30 Takeaways 1) Embedding intelligence into attacks, can make it more effective. ML can make attacks adaptive too! 2) The tricky part is mapping the attack goals to the right kind of problem - Short, but steep learning curve. -> Tip: Borrow the blue team’s behavorial detections and use the same tools, against them.
  31. 31. Parting Thoughts
  32. 32. Advantages Strategic  Targeting and Surveillance  Monitoring (IOM)  Detection (IOD)  Recovery (IOR)  Automated and reusable attack planning  Decreased MTTC & MTTP  Increase MTTD & MTTR  Controlled exposure  Small footprint  TTP/Actor Emulation/Impersonation Operational  Autonomous stages  Measurable efficiency  Reduce Capabilities Exposure  Flexible  Improve IP retention  Efficiency increased over time 32
  33. 33. PossibleDefense 33 •Adopt “Assume Breach” mindset •Accelerate growth – War Games •Consider Moving Target Defense •Understand pivoting opportunities •Sharing TTP/IOC
  34. 34. Thank you Sacha Faust @sachafaust Ram Shankar @ram_ssk

×