@JORGEORCHILLES
Cuddling the Cozy Bear
Emulating APT29
@JorgeOrchilles
T1033 - System Owner/User Discovery
● Chief Technology Officer - SCYTHE
● C2 Matrix Co-Creator
● 10 years @ Citi leading offensive security team
● Certified SANS Instructor: SEC560, SEC504
● Author SEC564: Red Team Exercises and Adversary Emulation
● CVSSv3.1 Working Group Voting Member
● GFMA: Threat-Led Pen Test Framework
● ISSA Fellow; NSI Technologist Fellow
Agenda
● What is Adversary Emulation
● Bear Pictures
● Cyber Threat Intelligence
● Cozy Bear + Pictures
● Adversary Emulation Plan
● Bear Pictures
● Live Demo - pray to the demo bears
● MOAR Bear Pictures
● Defending against Bears + Pictures
● Cuddling with Bears
Red Team
● Definition:
○ “The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal
● Goal:
○ Make Blue Team better
○ Test and measure people, process, and technology
○ Test assumptions
● Effort:
○ Manual
○ Many tools (C2 Matrix)
● Frequency:
○ Intelligence-led (new exploit, tool, or TTP)
● Customer:
○ Blue Teams
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
Red Teams
Internal Red Teams
● Repeated engagements
○ Remediation retesting
● Use privileged/insider knowledge
● Sparring partner
External Red Teams
● Offers new perspective
○ May have other industry experience
● “Snapshot” engagements
Adversary Emulation
● Definition:
○ A type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries.
● Goal:
○ Emulate an adversary attack chain or scenario
○ Understand organization’s preparedness if under a real, sophisticated attack
● Effort:
○ Manual
● Customer:
○ Entire organization
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
TOWARD A PURPLE TEAM
Purple Team Exercises
● Virtual, functional team where teams work together to measure and improve defensive security posture
○ CTI provides threat actor with capability, intent, and opportunity to attack
○ Red Team creates adversary emulation plan
○ Tabletop discussion with defenders about the attacker tactics, techniques, and procedures (TTPs) and expected defenses
○ Emulation of each adversary behavior (TTP)
○ Blue Team looks for indicators of behavior
○ Red and Blue work together to create remediation action plan
● Repeat exercises to measure and improve people, process, and technology
Did you say Purple?
Framework & Methodology
● Cyber Kill Chain – Lockheed Martin
● Unified Cyber Kill Chain – Paul Pols
● Financial/Regulatory Frameworks
○ CBEST Intelligence Led Testing
○ Threat Intelligence-Based Ethical Red Teaming
○ Red Team: Adversarial Attack Simulation Exercises
○ Intelligence-led Cyber Attack Simulation Testing
○ A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry
● Testing Framework:
MITRE ATT&CK
https://attack.mitre.org/
ATT&CK Evaluations
https://attackevals.mitre.org/
Threat Intelligence
David Bianco: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Cozy Bear
● Threat group that has been attributed to the Russian government
● Reportedly compromised the Democratic National Committee in 2015
● Commitment to stealth and sophisticated implementations of techniques via an arsenal of custom malware
Source: https://attackevals.mitre.org/APT29/
Thanks MITRE!! https://twitter.com/MITREattack
Types of Bears
Thanks Jamie!! https://twitter.com/jamieantisocial
ATT&CK Navigator
Planning
● Goals and Objectives
● Red Team or Purple Team Exercise?
○ Blue Team has full knowledge or no knowledge?
● Exercise Coordinator/Project Manager
● Assume Breach or Full End-to-End?
○ Initial Access takes time
○ Infinite ways in
○ Moving target
● Rules of Engagement
● Attack Infrastructure
Thanks Alex!! https://twitter.com/_sailfinn
Determine Tools to Use - C2 Matrix
● Google Sheet of C2s
● https://www.thec2matrix.com/
● Find ideal C2 for your needs
● SANS Slingshot C2 Matrix VM
● https://howto.thec2matrix.com
● Follow @C2_Matrix
Adversary Emulation Plan
Split in 2 days; 20 Steps:
● Initial Access via Phishing
○ Broad & Targeted
● Day 1: Smash-and-Grab
○ Pupy & Metasploit/Meterpreter
● Day 2: Stealth (low and slow)
○ PoshC2 and Powershell
● Resources:
○ https://attackevals.mitre.org/APT29/operational-flow.html
○ https://github.com/mitre-attack/attack-arsenal/tree/master/adversary_emulation/APT29/Emulation_Plan
Track your work! Use VECTR
DEMO
Defending against Cozy Bear
Results: https://attackevals.mitre.org/evaluations.html?round=APT29
Want MOAR! Follow #ThreatThursday
● Weekly blog post with a chosen adversary
○ Introduce Adversary
○ Consume CTI and map to MITRE ATT&CK
○ Present Adversary Emulation Plan
■ Share the plan on SCYTHE Github
■ https://github.com/scythe-io/community-threats/
○ Emulate Adversary
○ How to defend against adversary
● Published Posts
○ APT19: https://www.scythe.io/library/threatthursday-apt19
○ Buhtrap: https://www.scythe.io/library/threatthursday-buhtrap
○ APT33: https://www.scythe.io/library/threatthursday-apt33
○ Cozy Bear: https://www.scythe.io/library/threatthursday-cozy-bear
Thanks Tim! https://twitter.com/malcomvetter
VECTR Webcast
Register: http://sans.org/u/14IR
References
● Definitions: https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
● Purple Team Exercises: https://www.youtube.com/watch?v=Ard7c-79X84
● ATT&CK Evaluations: https://attackevals.mitre.org/ & https://attackevals.mitre.org/APT29/
● C2 Matrix: https://thec2matrix.com/ & https://howto.thec2matrix.com/c2/poshc2
● Emulation Plan: https://github.com/mitre-attack/attack-arsenal/tree/master/adversary_emulation/APT29/Emulation_Plan
● PoshC2:
○ https://labs.nettitude.com/blog/introducing-poshc2-v6-0/
○ https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/
● VECTR: https://vectr.io/
● #ThreatThursday: https://www.scythe.io/library/
● SANS VECTR Webcast: http://sans.org/u/14IR
Thank you!
Questions?
SCYTHE
● Enterprise-Grade platform for Adversary Emulation
○ Creating custom, controlled, synthetic malware
○ Can be deployed on-premises or cloud
● Emulate known threat actors against an enterprise network
○ Consistently execute adversary behaviors
○ Continually assess security tool configuration
○ Decreased evaluation time of security technologies
○ Identify blind spots for blue teams
○ Force-multiplier for red team resources
○ Measure and improve response of people and controls
Features & Capabilities
● Trivial installation - for real, see the video
● Automation
○ Build cross-platform synthetic malware via dashboard
○ Synthetic malware emulates chosen behaviors consistently
● Delivery medium: web (drive-by) and email
● Reports
○ HTML Report, CSV Report, Executive Report and Technical Report
○ Mapped to MITRE ATT&CK
● Integrations
○ PlexTrac - automated report writing and handling
○ Integrated with SIEMs (Splunk and Syslog)
○ Red Canary’s Atomic Red Team test cases
○ RedELK and VECTR integration in progress
What’s Next?
● SCYTHE v3
○ Virtual File System
○ Threat Automation language
■ Structured Data out of Unstructured Data
■ Use results of one action for the next action
● Module SDK
○ Native and Python SDK
○ In-memory loading techniques
● Marketplace
○ Ecosystem of third party contributors
○ Create custom modules
○ Request custom modules - TTP Bounty
Architecture
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 

Último (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 

Cuddling the Cozy Bear Emulating APT29

@JORGEORCHILLES
Purple Team Exercises
● Virtual, functional team where teams work together to measure and improve defensive security posture
○ CTI provides threat actor with capability, intent, and opportunity to attack
○ Red Team creates adversary emulation plan
○ Tabletop discussion with defenders about the attacker tactics, techniques, and procedures (TTPs) and expected defenses
○ Emulation of each adversary behavior (TTP)
○ Blue Team looks for indicators of behavior
○ Red and Blue work together to create remediation action plan
● Repeat exercises to measure and improve people, process, and technology
8
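As an added example (not code from the talk, from MITRE or from SCYTHE), here is a small Python scoreboard for the repeat-and-measure loop this slide describes: each emulated TTP is recorded with the best outcome the Blue Team observed, coverage is summarised per ATT&CK tactic, and two rounds of the same plan are compared so regressions surface alongside improvements. The technique IDs are real ATT&CK IDs (T1033 is the one on slide 2); the outcome scale, the tactic labels and both rounds of results are constructed for illustration.

```python
"""Purple team exercise scoreboard.

Added example, not from the talk or SCYTHE. ATT&CK technique IDs are real;
the Outcome scale and the two rounds of results are constructed sample data.
"""
from dataclasses import dataclass
from enum import IntEnum


class Outcome(IntEnum):
    """Ordered so that a higher value is a better defensive result."""
    NONE = 0        # behaviour ran, no telemetry at all
    LOGGED = 1      # telemetry exists but nobody was notified
    ALERTED = 2     # an alert fired on the behaviour
    PREVENTED = 3   # a control blocked the behaviour


@dataclass(frozen=True)
class Step:
    technique: str   # ATT&CK technique ID, e.g. "T1033"
    tactic: str      # ATT&CK tactic the step belongs to
    outcome: Outcome


def coverage_by_tactic(steps):
    """Fraction of steps per tactic that reached at least ALERTED."""
    totals, detected = {}, {}
    for s in steps:
        totals[s.tactic] = totals.get(s.tactic, 0) + 1
        if s.outcome >= Outcome.ALERTED:
            detected[s.tactic] = detected.get(s.tactic, 0) + 1
    return {t: detected.get(t, 0) / n for t, n in totals.items()}


def compare_rounds(previous, current):
    """Return (improved, regressed, untested) technique ID lists between two rounds."""
    prev = {s.technique: s.outcome for s in previous}
    cur = {s.technique: s.outcome for s in current}
    improved = sorted(t for t in cur if t in prev and cur[t] > prev[t])
    regressed = sorted(t for t in cur if t in prev and cur[t] < prev[t])
    untested = sorted(t for t in prev if t not in cur)   # dropped from the plan
    return improved, regressed, untested


def remediation_backlog(steps):
    """Steps still below ALERTED, worst first, as input to the remediation action plan."""
    return sorted((s for s in steps if s.outcome < Outcome.ALERTED),
                  key=lambda s: (s.outcome, s.technique))


# Constructed sample results for two rounds of the same emulation plan.
ROUND_1 = [
    Step("T1566.001", "Initial Access", Outcome.LOGGED),
    Step("T1059.001", "Execution", Outcome.NONE),
    Step("T1033", "Discovery", Outcome.NONE),
    Step("T1003.001", "Credential Access", Outcome.ALERTED),
    Step("T1041", "Exfiltration", Outcome.LOGGED),
]
ROUND_2 = [
    Step("T1566.001", "Initial Access", Outcome.PREVENTED),
    Step("T1059.001", "Execution", Outcome.ALERTED),
    Step("T1033", "Discovery", Outcome.LOGGED),
    Step("T1003.001", "Credential Access", Outcome.LOGGED),   # regression: alert no longer fires
    Step("T1041", "Exfiltration", Outcome.ALERTED),
]


def report(previous, current):
    """Human-readable summary of one exercise round against the previous one."""
    lines = ["Coverage (alerted or better) by tactic:"]
    for tactic, frac in sorted(coverage_by_tactic(current).items()):
        lines.append(f"  {tactic:<18} {frac:>5.0%}")
    improved, regressed, untested = compare_rounds(previous, current)
    lines.append(f"Improved:  {', '.join(improved) or '-'}")
    lines.append(f"Regressed: {', '.join(regressed) or '-'}")
    lines.append(f"Untested:  {', '.join(untested) or '-'}")
    lines.append("Backlog (worst first): " +
                 ", ".join(f"{s.technique}={s.outcome.name}" for s in remediation_backlog(current)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ROUND_1, ROUND_2))
```

The regression list is the part worth watching: a control that alerted in round one and only logs in round two (here the constructed T1003.001 entry) is exactly the kind of silent decay that repeating the same emulation plan is meant to catch.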
@JORGEORCHILLES
Framework & Methodology
● Cyber Kill Chain – Lockheed Martin
● Unified Cyber Kill Chain – Paul Pols
● Financial/Regulatory Frameworks
○ CBEST Intelligence Led Testing
○ Threat Intelligence-Based Ethical Red Teaming
○ Red Team: Adversarial Attack Simulation Exercises
○ Intelligence-led Cyber Attack Simulation Testing
○ A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry
● Testing Framework:
10

@JORGEORCHILLES
Threat Intelligence
David Bianco: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
13

@JORGEORCHILLES
Cozy Bear
● Threat group that has been attributed to the Russian government
● Reportedly compromised the Democratic National Committee in 2015
● Commitment to stealth and sophisticated implementations of techniques via an arsenal of custom malware
Source: https://attackevals.mitre.org/APT29/
Thanks MITRE!! https://twitter.com/MITREattack
14

@JORGEORCHILLES
Types of Bears
Thanks Jamie!! https://twitter.com/jamieantisocial
15

@JORGEORCHILLES
Planning
● Goals and Objectives
● Red Team or Purple Team Exercise?
○ Blue Team has full knowledge or no knowledge?
● Exercise Coordinator/Project Manager
● Assume Breach or Full End-to-End?
○ Initial Access takes time
○ Infinite ways in
○ Moving target
● Rules of Engagement
● Attack Infrastructure
Thanks Alex!! https://twitter.com/_sailfinn
17

@JORGEORCHILLES
Determine Tools to Use - C2 Matrix
● Google Sheet of C2s
● https://www.thec2matrix.com/
● Find ideal C2 for your needs
● SANS Slingshot C2 Matrix VM
● https://howto.thec2matrix.com
● Follow @C2_Matrix
18

@JORGEORCHILLES
Adversary Emulation Plan
Split in 2 days; 20 Steps:
● Initial Access via Phishing
○ Broad & Targeted
● Day 1: Smash-and-Grab
○ Pupy & Metasploit/Meterpreter
● Day 2: Stealth (low and slow)
○ PoshC2 and PowerShell
● Resources:
○ https://attackevals.mitre.org/APT29/operational-flow.html
○ https://github.com/mitre-attack/attack-arsenal/tree/master/adversary_emulation/APT29/Emulation_Plan
19

@JORGEORCHILLES
Defending against Cozy Bear
Results: https://attackevals.mitre.org/evaluations.html?round=APT29
22

@JORGEORCHILLES
Want MOAR! Follow #ThreatThursday
● Weekly blog post with a chosen adversary
○ Introduce Adversary
○ Consume CTI and map to MITRE ATT&CK
○ Present Adversary Emulation Plan
■ Share the plan on SCYTHE GitHub
■ https://github.com/scythe-io/community-threats/
○ Emulate Adversary
○ How to defend against adversary
● Published Posts
○ APT19: https://www.scythe.io/library/threatthursday-apt19
○ Buhtrap: https://www.scythe.io/library/threatthursday-buhtrap
○ APT33: https://www.scythe.io/library/threatthursday-apt33
○ Cozy Bear: https://www.scythe.io/library/threatthursday-cozy-bear
Thanks Tim! https://twitter.com/malcomvetter
23

@JORGEORCHILLES
References
● Definitions: https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
● Purple Team Exercises: https://www.youtube.com/watch?v=Ard7c-79X84
● ATT&CK Evaluations: https://attackevals.mitre.org/ & https://attackevals.mitre.org/APT29/
● C2 Matrix: https://thec2matrix.com/ & https://howto.thec2matrix.com/c2/poshc2
● Emulation Plan: https://github.com/mitre-attack/attack-arsenal/tree/master/adversary_emulation/APT29/Emulation_Plan
● PoshC2:
○ https://labs.nettitude.com/blog/introducing-poshc2-v6-0/
○ https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/
● VECTR: https://vectr.io/
● #ThreatThursday: https://www.scythe.io/library/
● SANS VECTR Webcast: http://sans.org/u/14IR
25

@JORGEORCHILLES
SCYTHE
● Enterprise-Grade platform for Adversary Emulation
○ Creating custom, controlled, synthetic malware
○ Can be deployed on-premises or cloud
● Emulate known threat actors against an enterprise network
○ Consistently execute adversary behaviors
○ Continually assess security tool configuration
○ Decreased evaluation time of security technologies
○ Identify blind spots for blue teams
○ Force-multiplier for red team resources
○ Measure and improve response of people and controls
27

@JORGEORCHILLES
Features & Capabilities
● Trivial installation - for real, see the video
● Automation
○ Build cross-platform synthetic malware via dashboard
○ Synthetic malware emulates chosen behaviors consistently
● Delivery medium: web (drive-by) and email
● Reports
○ HTML Report, CSV Report, Executive Report and Technical Report
○ Mapped to MITRE ATT&CK
● Integrations
○ PlexTrac - automated report writing and handling
○ Integrated with SIEMs (Splunk and Syslog)
○ Red Canary’s Atomic Red Team test cases
○ RedELK and VECTR integration in progress
28

@JORGEORCHILLES
What’s Next?
● SCYTHE v3
○ Virtual File System
○ Threat Automation language
■ Structured Data out of Unstructured Data
■ Use results of one action for the next action
● Module SDK
○ Native and Python SDK
○ In-memory loading techniques
● Marketplace
○ Ecosystem of third party contributors
○ Create custom modules
○ Request custom modules - TTP Bounty
29