
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation



This presentation provides an overview of common adversarial emulation approaches along with attack and detection trends. It should be of interest to penetration testers and professionals in security operations roles.

Published in: Technology


  1. Adventures in Adversarial Emulation: Common Approaches and Trends (Q1 Meet Up)
  2. The Speaker
     Name: Scott Sutherland
     Job: Network & Application Pentester @ NetSPI
     Twitter: @_nullbind
     Slides: http://slideshare.net/nullbind, http://slideshare.net/netspi
     Blogs: https://blog.netspi.com/author/scott-sutherland/
     Code: https://github.com/netspi/PowerUpSQL, https://github.com/nullbind
  3. Presentation Overview: The Problem, The Goal, The Approach, The Difference, The Hunt, The Trends
  4. The Problem
  5. The Problem: companies spend millions on detective controls, but don't know whether they can detect common:
     • Indicators of active attack
     • Indicators of compromise
     • Indicators of data exfiltration
  6. The Goal
  7. The Goal
     • Understand the company's ability to identify and respond to common real-world threats
     • Understand how to improve detective and preventative control capabilities
     • Verify that third-party service providers and products are detecting what they say they can
  8. The Approach
  9. The Approach: Summary
     1. Inventory known controls
     2. Emulate attacks
     3. Monitor security events and alerts
     4. Identify gaps in controls
     5. Provide actionable feedback and recommendations
     6. Provide a MITRE ATT&CK-style heat map
  10. The Approach: Inventory Known Controls
     Interview key members of the security and incident response teams to inventory existing preventative controls, detective controls and detective control boundaries. Common control placements and boundaries include:
     • External network zones
     • Internal network zones
     • Wireless network zones
     • Email gateways, servers, and clients
     • Workstations and servers
     • Network devices
     • Applications
     • Databases
  11. The Approach: Emulate Attacks
     Emulate attacks using the common tools, techniques, and procedures of real-world attackers, in multiple variations of common attack kill chains, across the identified detective control boundaries:
     • Threat agnostic
     • Many kill chain variations
     • Common tools
     • Common techniques
     • Common procedures
     • MITRE ATT&CK covers post-exploitation pretty well
  12. The Approach: Monitor Security Events
     Monitor security events and alerts in real time with the security teams across:
     • External network zones
     • Internal network zones
     • Wireless network zones
     • Email gateways, servers, and clients
     • Workstations and servers
     • Network devices
     • Applications
     • Databases
  13. The Approach: Identify Gaps
     Identify major gaps in detective and preventative controls by working with the security teams in real time during the test to determine which security events:
     • Go completely undetected
     • Are logged
     • Trigger correlation rules
     • Trigger alerts
     • Trigger incident response
  14. The Approach: Actionable Feedback
     Provide actionable feedback that includes the information below so internal security teams can build better defensive capabilities:
     • Log sources
     • Generic indicators of attack and compromise
     • Generic SIEM correlation rules
     • Preventative control options
     • Mitigation options
     • Existing controls
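The six steps above end in a heat map of what was and was not caught. As an added example (not code from the presentation or from NetSPI), the script below turns per-technique emulation outcomes, graded on the ladder from the "Identify Gaps" step (undetected, logged, correlated, alerted, incident response triggered), into an ATT&CK Navigator-style layer and a list of outright gaps. The technique IDs and outcomes are constructed; the layer keys follow the ATT&CK Navigator JSON layer format as far as this example goes, but version-specific fields are omitted, so treat the exact schema as an assumption.

```python
"""Build an ATT&CK Navigator-style heat map layer from emulation results.

Added example, not from the presentation. Outcome ladder follows the
"Identify Gaps" slide; technique IDs and results are constructed.
"""
import json

# Detection outcome ladder; higher is better for the defender.
OUTCOME_SCORE = {
    "undetected": 0,
    "logged": 1,
    "correlated": 2,
    "alerted": 3,
    "responded": 4,
}

# Constructed sample: technique ID -> outcome of each kill-chain variation run.
SAMPLE_RESULTS = {
    "T1003": ["alerted", "logged", "undetected"],   # credential dumping variations
    "T1021": ["undetected", "undetected"],           # remote services (lateral movement)
    "T1053": ["logged"],                             # scheduled task persistence
    "T1071": ["responded"],                          # C2 over an application protocol
}


def worst_outcome(outcomes):
    """Score a technique by its weakest variation: one undetected path is a gap."""
    if not outcomes:
        raise ValueError("no outcomes recorded")
    return min(outcomes, key=OUTCOME_SCORE.__getitem__)


def build_layer(results, name="Adversarial emulation results"):
    """Assemble a Navigator-style layer dict (schema details are an assumption)."""
    techniques = []
    for tid, outcomes in sorted(results.items()):
        worst = worst_outcome(outcomes)
        techniques.append({
            "techniqueID": tid,
            "score": OUTCOME_SCORE[worst],
            "comment": f"{len(outcomes)} variation(s); weakest outcome: {worst}",
        })
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "score 0 = undetected ... 4 = incident response triggered",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 4},
    }


def gaps(results):
    """Technique IDs where at least one variation went completely undetected."""
    return [tid for tid, o in sorted(results.items()) if worst_outcome(o) == "undetected"]


if __name__ == "__main__":
    print(json.dumps(build_layer(SAMPLE_RESULTS), indent=2))
    print("undetected gaps:", gaps(SAMPLE_RESULTS))
```

Scoring by the weakest variation is deliberate: a technique that is alerted on in two of three variations still has an undetected path, and that is the finding the blue team needs to see in red.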
  15. The Approach: Notes from BruCON
     Below are some notes from the Chris Gates and Chris Nickerson presentation at BruCON; great notes for internal teams:
     http://www.slideshare.net/chrisgates/building-a-successful-internal-adversarial-simulation-team-chris-gates-chris-nickerson
     • Create a charter
     • Provide metrics: readiness/resistance to TTPs, plus pretty charts
     • Build an attack simulation lab with all preventative and detective controls
     • Work through the MITRE ATT&CK techniques in the lab
     • Continuously validate production controls
     • Work closely with the internal team
     • Establish rules of engagement, procedures, and workflows with the internal team
     • Estimate resources: people, servers, crack box, VMs, access to defensive tools
     • Document sharing to store and share info
  16. The Approach: Notes from BruCON (diagram; source: http://www.slideshare.net/chrisgates/building-a-successful-internal-adversarial-simulation-team-chris-gates-chris-nickerson)
  17. The Approach: Notes from BruCON
     1. Gather threat intelligence about threats and their attributes
     2. Compare to the capabilities map (preventative and detective)
     3. Predict the likelihood of successful attacks before they happen
     (Source: same Gates/Nickerson deck)
  18. The Approach: Notes from BruCON (diagram; same source)
  19. The Approach: Notes from BruCON (diagram; same source)
  20. The Approach: Notes from BruCON (link to the Gates/Nickerson deck: http://www.slideshare.net/chrisgates/building-a-successful-internal-adversarial-simulation-team-chris-gates-chris-nickerson)
  21. The Differences
  22. The Differences: Service Goals
     Network Vulnerability Assessment
     • Identify known and common configuration, patch, and code-related vulnerabilities at the server and web application layers.
     • Meet compliance requirements.
     Network Penetration Test
     • Help companies determine if identified vulnerabilities can be used to gain unauthorized access to protected networks, systems, application functionality, and sensitive data.
     • Identify known and common configuration, patch, and code-related vulnerabilities at the network, server, and web application layers.
     • Meet compliance requirements.
     Network Red Team Testing
     • Attempt to gain unauthorized access to an environment using paths of least resistance without detection, and maintain that access for a pre-determined period of time in order to test the Incident Response Team's ability to identify and respond to threats. This often includes non-standard scoping with very specific system, application, and data targets.
     Threat Emulation
     • Emulate a specific threat and determine the ability to prevent, detect, and respond to it within a specific environment.
     Defense Assessment
     • Help companies obtain a more comprehensive understanding of their ability to identify and respond to real-world threats and potential breach scenarios, by executing multiple variations of common attack workflows across detective control boundaries while working with internal security teams to identify detective control gaps and misconfigurations.
     • Blue team and red team members test the company's environment together to build an understanding of the company's ability to prevent, detect, and respond to real-world threats at all layers of the organization. This requires much more collaboration and is broader in scope than a red team engagement. It is intended to test for the most common tools, techniques, and procedures used by attackers and malware.
     • Test the capabilities of third-party service providers.
  23. The Differences: Service Objectives

     | Service Type | Identify Server Issues | Identify Network Issues | Identify Application Issues | Determine Impact of Vulnerabilities | Determine Ability to Detect Attacks | Identify Missing Detective Controls | Determine Incident Response Ability |
     |---|---|---|---|---|---|---|---|
     | Vulnerability Assessment | Yes | No | Partially | No | Partially | No | No |
     | Penetration Test | Yes | Yes | Yes | Yes | Partially | No | No |
     | Red Team Test (limited to specific scenarios) | Partially | Partially | Partially | Partially | Partially | Partially | Partially |
     | Threat Emulation (limited to a specific threat) | Partially | Partially | Partially | Partially | Partially | Partially | Partially |
     | Defense Assessment | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
  24. Break time
  25. The Hunt
  26. The Hunt: Threat Hunting Overview
     • Search for known common indicators of compromise at scale
     • Typically does not include EPP, HIDS, or NIDS
     • PowerShell comes in handy for automation
     • Identify sample systems based on information stored in DNS and Active Directory
     • Gather information via WMI, PS Remoting, scheduled tasks, and PsExec (no agent)
  27. The Hunt: Don't forget…
     • Get approval
     • Some tasks require local and domain administrator privileges
     • Just like scanning, be aware of network boundaries and controls that may block access to the sample of systems
  28. The Hunt: Common Targets
     Common hunting activities include targeting:
     • Files with known malware signatures
     • Windows services running unsigned binaries
     • Potentially malicious scheduled tasks
     • Potentially malicious file and folder autoruns
     • Potentially malicious registry autoruns
     • Potentially malicious SQL Server autoruns
     • Potentially malicious WMI providers and triggers
     • Web shells in internet-facing web root folders
     • VPN or internet logins from unexpected geographic locations or at off hours
     • Suspicious domain-level events
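Once the collection side (WMI, PS Remoting, scheduled tasks, PsExec) has pulled service inventories and VPN logs from the sampled systems, the hunt is mostly triage logic. The script below is an added example, not code from the presentation: it runs two of the targets above (services running unsigned binaries or from odd locations, and logins from unexpected countries or at off hours) over constructed records, and adds frequency stacking across hosts, which is what makes a hunt scale beyond signature matching. The trusted roots, business hours, expected countries, and rarity threshold are assumptions to tune per environment.

```python
"""First-pass triage of collected host data, the way a hunt at scale works.

Added example, not code from the presentation. Service inventory and VPN log
lines are constructed inline; thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime

# Constructed service inventory: one record per service per sampled host,
# as a WMI Win32_Service collector plus an Authenticode check would emit.
SERVICES = [
    {"host": "WS01", "name": "Spooler", "path": "C:\\Windows\\System32\\spoolsv.exe", "signed": True},
    {"host": "WS02", "name": "Spooler", "path": "C:\\Windows\\System32\\spoolsv.exe", "signed": True},
    {"host": "WS03", "name": "Spooler", "path": "C:\\Windows\\System32\\spoolsv.exe", "signed": True},
    {"host": "WS02", "name": "WinUpdSvc", "path": "C:\\ProgramData\\update\\svc.exe", "signed": False},
    {"host": "WS03", "name": "GoogleUpdate", "path": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", "signed": True},
]
HOST_COUNT = 3  # hosts in the constructed sample

# Constructed VPN log lines: ISO timestamp (local time), user, source country.
VPN_LOGINS = [
    "2017-03-01T09:15:00 jdoe US",
    "2017-03-01T03:40:00 jdoe RU",
    "2017-03-02T13:05:00 asmith US",
]

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "\\temp\\", "c:\\users\\")
EXPECTED_COUNTRIES = {"US"}          # assumption
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59; assumption
RARE_FRACTION = 0.5                  # flag if on fewer than half the hosts; assumption


def suspicious_services(services, host_count):
    """Flag services that are unsigned, run from user-writable or odd paths, or are rare.

    Rarity (stacking) is the part that scales: a legitimate service shows up on
    most hosts in the sample, a one-off backdoor service shows up on one.
    """
    freq = Counter((s["name"], s["path"].lower()) for s in services)
    findings = []
    for s in services:
        path = s["path"].lower()
        reasons = []
        if not s["signed"]:
            reasons.append("unsigned binary")
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append("user-writable location")
        elif not path.startswith(TRUSTED_ROOTS):
            reasons.append("non-standard location")
        seen = freq[(s["name"], path)]
        if seen / host_count < RARE_FRACTION:
            reasons.append(f"rare ({seen}/{host_count} hosts)")
        if reasons:
            findings.append((s["host"], s["name"], reasons))
    return findings


def suspicious_logins(lines):
    """Flag VPN logins from unexpected countries or outside business hours."""
    findings = []
    for line in lines:
        ts, user, country = line.split()
        when = datetime.fromisoformat(ts)
        reasons = []
        if country not in EXPECTED_COUNTRIES:
            reasons.append(f"unexpected country {country}")
        if when.hour not in BUSINESS_HOURS:
            reasons.append(f"off-hours ({when.strftime('%H:%M')})")
        if reasons:
            findings.append((user, ts, reasons))
    return findings


if __name__ == "__main__":
    for host, name, why in suspicious_services(SERVICES, HOST_COUNT):
        print(f"{host}: service {name}: {', '.join(why)}")
    for user, ts, why in suspicious_logins(VPN_LOGINS):
        print(f"{user} at {ts}: {', '.join(why)}")
```

Note that the rarity rule alone also flags the legitimate single-host updater in the sample; that is expected. Stacking narrows hundreds of hosts down to a short review list, it does not replace the analyst.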
  29. The Trends
  30. The Trends: General Trends
     • Companies don't know what controls they have and don't have
     • Companies are missing major controls in critical network zones
     • Companies don't configure controls correctly
       o No internal resources capable of configuring the control
       o No vendor was paid to configure the control
     • Managed service providers are not catching real attack TTPs
     • Controls implemented with vendor defaults that don't detect most real attacks
     • No internal network logging
     • Logging, but no correlation
     • Alerting, but no response
     • No tracking of metrics over time
     • Disconnects between systems, e.g. AV agents and their controllers
       o Completely unmanaged, or don't sync fast enough
  31. The Trends: Control Boundaries
     • Wireless network zones
     • External network zones
     • Internal network zones
     • Email gateways, servers, and clients
     • Windows endpoints
     • Linux endpoints
     • Web applications
     • Databases
  32. The Trends: Wireless Networks
     • No wireless attack detection (on the wireless or the LAN side)
       o Detection features not enabled
       o Detection features not available
     • WEP still used in manufacturing (warehouses and assembly lines)
     • WPA2-PSK still used about 25% of the time
     • WEP and WPA2-PSK cracking
       o No detection
     • Evil twin attacks (attacking wireless endpoints)
       o No detection
  33. The Trends: External Networks
     • Minimal ability to detect scanning and attacks
     • WAFs are missing or misconfigured
     • OWASP Top 10 vulnerabilities allow remote access
     • User and email enumeration via public resources
     • Lots of internet-facing interfaces that support single-factor authentication, which can be used for pivoting and dictionary attacks
       o VPN, Citrix, Terminal Services, VDI, web applications
  34. The Trends: Internal Networks
     • Port scan detection can be avoided in almost all networks using Nmap -T2 or below
     • Port / vulnerability scan detection occurs more via endpoint protection than via network IDS/IPS controls
     • Null sessions still yield user and computer lists
  35. The Trends: Internal Networks
     • Almost no one detects network attacks:
       o NBNS MITM, LLMNR MITM, ARP MITM, VLAN tag spoofing, switch trunking, rogue DHCP, rogue PXE servers, unauthorized PXE downloads, etc.
     • ARP spoofing is never going to die
       o Vendors are still creating devices that don't support ARP spoof detection
       o Most companies don't enable the detection or prevention features when they do exist
     • PXE downloads have become more common
       o Download the image to a VM + mount the HD + backdoor it for access
       o Domain deployment account password in sysprep files
       o Domain deployment account password parsed from the VM memory file
       o Those domain credentials can then be used to start domain escalation
  36. The Trends: Internal Networks
     Network isolation bypasses
     • Direct access to services in the isolated environment, directly or through trusted hosts
       o Identify trusted hosts via logon events
     • Use management systems to execute commands
       o Group Policy, patch, and configuration management systems
     • Jump hosts are on the user domain and have accessible management ports open without two-factor
     • VLAN hopping
     • Switch trunking
  37. The Trends: Email Attacks – General
     • Companies seem to have three goals:
       - Test click rates / user awareness over time
       - Test technical controls
       - Inject FUD for budget procurement
  38. The Trends: Email Attacks – General
     • Service providers: missing some known evil attachments, doing some test execution of links and HTML
     • Servers: not blocking evil attachments
     • Clients: allowing execution of untrusted ClickOnce and Java apps
     • Office: people like to allow macros, and those who don't often still let users change the setting themselves in Office's Trust Center
  39. The Trends: Email Attacks – Payloads
     Payloads – Links
     • Direct links to executable files
     • Links to uncategorized and untrusted sites/IPs
     Payloads – Phishing Sites
     • Untrusted ClickOnce allowed
     • Untrusted Java applets allowed
     • Capturing passwords is handy when there are so many single-factor interfaces exposed to the internet
     • Considering looking into XSRF to execute commands on web apps already open in insecure browsers; has anyone done that?
  40. The Trends: Email Attacks – Payloads
     Payloads – Images in HTML emails
     • Determine the physical location of individuals
     • Determine firewall egress rules
     • Determine allowed file attachments (works about 60% of the time)
     Payloads – Executable File Attachments
     • Only a handful typically get through, but Office macros still work a lot
     • Users often have rights to disable Office security features
     • Interesting that .application ClickOnce apps seem to make it through
     • Shortcut files + UNC path injection: not tested yet
     • Working on a basic toolkit for testing links and executable file types…
  41. The Trends: Email Attacks – Payloads
     Payloads – Executable Files (note: this is purple-teamy…)
     1. Send hundreds of executable file types as attachments
     2. Parse the inbox on the client to determine which ones make it through the service provider, server, and client
     3. Cross-reference the extensions with the application file extension associations on the gold build
     4. Create proof-of-concept payloads to illustrate the risk
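Steps 2 and 3 of that procedure are the part worth automating. The script below is an added example, not code from the presentation or from the toolkit it mentions: it parses a probe inbox with the standard library's MIME parser to see which attachment extensions actually arrived, then cross-references them against the gold build's file associations to rank proof-of-concept candidates. Sending the probes and pulling the inbox are environment-specific (SMTP/IMAP), so here the probe messages, the gateway-stripped messages, and the gold-build associations are all constructed inline; the handler names are assumptions standing in for what `assoc`/`ftype` would report on the real image.

```python
"""Parse a probe inbox for surviving attachment types and cross-reference them
against gold-build file associations.

Added example, not code from the presentation. Probe messages, stripped
messages and handler associations are constructed inline.
"""
import email
from email import policy
from email.message import EmailMessage

SENT = ["exe", "js", "hta", "application", "lnk", "docm", "txt"]
BLOCKED_BY_FILTERS = {"exe", "js", "lnk"}   # constructed: what the gateway/client stripped

# Constructed gold-build associations (assumption; real data comes from assoc/ftype or HKCR).
GOLD_BUILD_HANDLERS = {
    "hta": "mshta.exe",
    "js": "wscript.exe",
    "application": "rundll32.exe dfshim.dll (ClickOnce)",
    "docm": "WINWORD.EXE",
    "txt": "notepad.exe",
}
# Handlers that run attacker-controlled code on open (macros still need the user to enable them).
CODE_EXECUTING = {"mshta.exe", "wscript.exe", "cscript.exe",
                  "rundll32.exe dfshim.dll (ClickOnce)", "WINWORD.EXE"}


def build_probe(ext, payload=b"MZ probe"):
    """Construct one probe message carrying an attachment named probe.<ext>."""
    msg = EmailMessage()
    msg["From"] = "tester@example.test"
    msg["To"] = "target@example.test"
    msg["Subject"] = f"probe {ext}"
    msg.set_content("attachment filter probe")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=f"probe.{ext}")
    return msg.as_bytes()


def constructed_inbox():
    """Stand-in for the client inbox after the probes passed (or failed) the filters."""
    inbox = []
    for ext in SENT:
        if ext in BLOCKED_BY_FILTERS:
            stripped = EmailMessage()
            stripped["Subject"] = f"probe {ext}"
            stripped.set_content("attachment removed by gateway")  # no attachment part
            inbox.append(stripped.as_bytes())
        else:
            inbox.append(build_probe(ext))
    return inbox


def delivered_extensions(raw_messages):
    """Walk every MIME part and collect the extensions of attachments that arrived."""
    exts = set()
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        for part in msg.walk():
            name = part.get_filename()
            if name and "." in name:
                exts.add(name.rsplit(".", 1)[1].lower())
    return exts


def prioritize(delivered, handlers):
    """Delivered types whose gold-build handler executes code: PoC candidates."""
    return [(ext, handlers[ext]) for ext in sorted(delivered)
            if handlers.get(ext) in CODE_EXECUTING]


if __name__ == "__main__":
    got = delivered_extensions(constructed_inbox())
    print("blocked:", sorted(set(SENT) - got))
    print("delivered:", sorted(got))
    for ext, handler in prioritize(got, GOLD_BUILD_HANDLERS):
        print(f"PoC candidate: .{ext} opens with {handler}")
```

Walking every MIME part rather than trusting the subject line matters because filters often rename or re-wrap an attachment rather than dropping the message; the extension that matters is the one on the part that actually reaches the client.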
  42. The Trends: Email Attacks (diagram)
  43. The Trends: Windows Endpoints
     - Missing and broken two-factor
     - Missing hard drive encryption
     - Missing and disabled endpoint protection on servers
     - Missing ability to detect common persistence methods:
       o File, registry, application, and database autoruns
       o Windows services
       o Windows tasks
       o WMI triggers and providers
       o Logins from unexpected countries
       o Logins at unexpected times
  44. The Trends: Windows Domains
     • 80% of companies can detect a Domain Admin being added
     • Most companies are blind to almost everything else
     • SPNs are very useful for server and user targeting
     • Active session scanning can be useful for user targeting (DC, file, Citrix, and Exchange servers yield the best immediate results)
     • BloodHound can be very useful if you have enough time to map escalation paths
     • Kerberoasting and AS-REP roasting are very useful for domain escalation
     • Password dumping: DCSync, and ntds.dit via Invoke-NinjaCopy.ps1, NTDSUTIL, or VSSADMIN
     • Group Policy modifications
     • NETLOGON script modifications
     • SYSVOL DACL modifications
     • User and computer object DACL modifications
     • Delegation of privileges: password reset, replication, etc.
     • Group Policy Preferences passwords are disabled in most environments, but some companies forget to clean up the XML files and the passwords are still valid
     • SID history works in most environments to escalate from child to parent domain
     • Lots of password sharing between user and Domain Admin accounts
     • Lots of Domain Admins sharing passwords between domains
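The first two bullets are the gap: the Domain Admin addition is caught, the DCSync and Kerberoasting that preceded it are not. The script below is an added example, not code from the presentation, showing the detection logic for all three over constructed Windows Security event records. The event IDs (4728/4732/4756, 4662, 4769), the RC4-HMAC encryption type 0x17 and the DS-Replication extended-right GUIDs are the documented Windows values; the flattened dict-per-event layout, the list of domain controller accounts and the Kerberoasting threshold are constructed assumptions.

```python
"""Detection rules for privileged group changes, DCSync and Kerberoasting,
run over constructed Windows Security event records.

Added example, not code from the presentation. DC account list and the
Kerberoasting threshold are assumptions; event IDs and GUIDs are Windows'.
"""
from collections import defaultdict

DC_ACCOUNTS = {"DC01$", "DC02$"}          # assumption: the environment's domain controllers
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global / local / universal group
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes-All
}
RC4_HMAC = "0x17"
KERBEROAST_MIN_SPNS = 3   # assumption: distinct RC4 service tickets per user before it looks like roasting

# Constructed events in the shape a SIEM hands over after parsing the XML.
EVENTS = [
    {"EventID": 4728, "SubjectUserName": "helpdesk1", "TargetUserName": "Domain Admins",
     "MemberName": "CN=bob,CN=Users,DC=corp,DC=local"},
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "WS07$", "TicketEncryptionType": "0x12"},
]


def privileged_group_changes(events):
    """Who added whom to a privileged group (the one thing most shops do catch)."""
    return [(e["SubjectUserName"], e["TargetUserName"], e["MemberName"])
            for e in events
            if e["EventID"] in GROUP_ADD_EVENTS and e["TargetUserName"] in PRIVILEGED_GROUPS]


def dcsync_requests(events, dc_accounts=DC_ACCOUNTS):
    """4662 carrying replication rights from anything that is not a DC: DCSync, or a sync account to allowlist."""
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        props = e.get("Properties", "").lower()
        if any(guid in props for guid in REPLICATION_RIGHTS) and e["SubjectUserName"] not in dc_accounts:
            hits.append(e["SubjectUserName"])
    return hits


def kerberoasting(events, min_spns=KERBEROAST_MIN_SPNS):
    """Users pulling RC4 service tickets for many distinct non-machine SPNs in the window."""
    spns = defaultdict(set)
    for e in events:
        if (e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
                and not e["ServiceName"].endswith("$") and e["ServiceName"] != "krbtgt"):
            spns[e["TargetUserName"]].add(e["ServiceName"])
    return sorted(user for user, s in spns.items() if len(s) >= min_spns)


if __name__ == "__main__":
    print("privileged group changes:", privileged_group_changes(EVENTS))
    print("DCSync from non-DCs:", dcsync_requests(EVENTS))
    print("possible Kerberoasting:", kerberoasting(EVENTS))
```

Two caveats a defender will hit immediately: 4662 is only generated if directory service access auditing is enabled with a SACL on the domain object, and legitimate non-DC accounts (for example a directory sync service) hold replication rights and must be allowlisted by name rather than silenced.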
  45. The Trends: Linux Endpoints
     - No centralized detection capabilities
     - Sudo configuration issues
     - World-readable/writable daemons and cron scripts
     - Common issues like Heartbleed and Shellshock
     - Excessive share privileges
       - NFS exports mountable as root: grab keys and authenticate
       - SMB shares writable by everyone
       - FTP writable by anonymous (web roots are the best)
     - Shared NAS between servers enables lateral movement via home directories
  46. The Trends: Web Applications
     • SQL injection
     • XML external entity (XXE) injection
     • Upload functionality
     • Application publishing platforms like Tomcat, JBoss, etc.
     • Database and domain credentials are stored everywhere
       o In code
       o In web.config
       o In application.config
       o Connection string cheat sheet: https://gist.github.com/nullbind/91c573b0e27682733f97d4e6eebe36f8
     • Code repository auditing can usually be bypassed once you have SYSTEM on the box and can run as the service account
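The web.config bullet is the one that turns a web shell into domain credentials. The script below is an added example, not code from the presentation or the linked cheat sheet: it parses a constructed ASP.NET web.config, pulls apart each connection string, and reports plaintext credentials, integrated-auth connections (usable from the app pool identity), encrypted sections (decryptable by anyone running as the service account, since the key lives on the host), and password-like appSettings. The element and attribute names (connectionStrings, appSettings, configProtectionProvider) are the real ASP.NET configuration schema; the config contents are constructed.

```python
"""Pull credentials out of a .NET web.config the way a post-exploitation loot
pass does, and flag what an auditor should worry about.

Added example, not code from the presentation. The web.config is constructed.
"""
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """
<configuration>
  <connectionStrings>
    <add name="AppDb" providerName="System.Data.SqlClient"
         connectionString="Server=sql01;Database=app;User Id=app_svc;Password=Summer2017!" />
    <add name="Reporting" providerName="System.Data.SqlClient"
         connectionString="Server=sql02;Database=rpt;Integrated Security=SSPI" />
  </connectionStrings>
  <appSettings>
    <add key="ReportServerUrl" value="http://rpt01/reports" />
    <add key="DomainServicePassword" value="Winter2017!" />
  </appSettings>
</configuration>
""".strip()

SECRET_KEYS = ("password", "pwd")


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def audit_web_config(xml_text):
    """Return (item, finding) tuples for credentials exposed by the config."""
    root = ET.fromstring(xml_text)
    findings = []
    section = root.find("connectionStrings")
    if section is not None:
        if section.get("configProtectionProvider"):
            # Encrypted with aspnet_regiis: the key is on the host, so anything
            # running as the app pool identity can still decrypt it.
            findings.append(("connectionStrings", "encrypted section; decryptable as the service account"))
        else:
            for add in section.findall("add"):
                pairs = parse_connection_string(add.get("connectionString", ""))
                server = pairs.get("server") or pairs.get("data source")
                user = pairs.get("user id") or pairs.get("uid")
                secret = next((pairs[k] for k in SECRET_KEYS if k in pairs), None)
                if secret is not None:
                    findings.append((add.get("name"), f"plaintext credential {user}@{server}"))
                elif pairs.get("integrated security", "").lower() in ("sspi", "true"):
                    findings.append((add.get("name"), f"integrated auth to {server}; usable from the app pool identity"))
    settings = root.find("appSettings")
    if settings is not None:
        for add in settings.findall("add"):
            key = add.get("key", "")
            if any(word in key.lower() for word in ("password", "pwd", "secret")):
                findings.append((key, "secret in appSettings"))
    return findings


if __name__ == "__main__":
    for item, finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{item}: {finding}")
```

The same parser runs unchanged over application.config files and machine.config, which is where shared connection strings often end up when several sites live on one IIS host.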
  47. The Trends: Databases
     • Common platforms include SQL Server, Oracle, MySQL, and DB2
     • Almost no companies audit beyond failed login attempts
     • Database teams seem to identify failed login attempts more than AD or incident response teams do, on average
     • Excessive privileges allow normal domain users to log in
     • Lots of vendor defaults and unsupported versions
     • Escalation via weak passwords, UNC path injection, shared service accounts, and database links
  48. The Trends: Data Exfiltration & C2
     • Servers and DCs with direct access to the internet!
     • Tons of options in most environments without detection (rough share of environments where the channel worked):
       o TCP ports: 100% (authenticated outbound on 80/443, reflection through trusted sites, and unauthenticated outbound on various ports such as 21, 22, 23, 25, 53, 110)
       o UDP ports: 50%
       o ICMP tunnel: 50%
       o DNS tunnel: 80%
       o SMTP tunnel: 100%
       o Skype tunnel: 100%
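DNS tunnelling working undetected in 80% of environments usually means nobody looks at resolver logs at all, because a tunnel has a distinctive shape: many unique, long, high-entropy subdomains under one registered domain, often as TXT or NULL queries. The script below is an added example, not code from the presentation, showing that detection over constructed resolver log lines. The thresholds are assumptions to tune against a baseline of the environment's own logs, since CDNs, anti-spam lookups and some security products also generate long machine-made labels.

```python
"""Spot DNS-tunnel-shaped traffic in resolver logs: many unique, long,
high-entropy subdomains under one registered domain.

Added example, not code from the presentation. Log lines are constructed;
thresholds are assumptions.
"""
import math
from collections import defaultdict

# Constructed resolver log lines: client IP, queried name, record type.
DNS_LOG = [
    "10.1.1.5 www.example.com A",
    "10.1.1.5 mail.example.com A",
    "10.1.1.5 cdn-a1b2.static.example.net A",
    "10.1.1.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.t.exfil-test.net TXT",
    "10.1.1.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.exfil-test.net TXT",
    "10.1.1.7 9a8b7c6d5e4f30211203f4e5d6c7b8a9.t.exfil-test.net TXT",
    "10.1.1.7 5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f.t.exfil-test.net TXT",
]

MIN_UNIQUE_SUBDOMAINS = 3   # assumption
MIN_AVG_LENGTH = 20         # assumption; real hostnames are rarely this long
MIN_AVG_ENTROPY = 3.5       # bits/char; hex ~4.0, base32 ~5.0, English words ~2.5-3


def shannon_entropy(s):
    """Bits per character of the string; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Naive eTLD+1 (last two labels); production code should use the public suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def suspicious_dns_domains(lines):
    """Return {registered_domain: [reasons]} for domains that look like tunnel endpoints."""
    subs = defaultdict(set)
    qtypes = defaultdict(list)
    for line in lines:
        _client, name, qtype = line.split()
        dom = registered_domain(name)
        labels = name.lower().split(".")[:-2]
        if labels:
            subs[dom].add("".join(labels))   # the data-carrying part of the name
        qtypes[dom].append(qtype)
    findings = {}
    for dom, names in subs.items():
        if len(names) < MIN_UNIQUE_SUBDOMAINS:
            continue
        avg_len = sum(len(x) for x in names) / len(names)
        avg_ent = sum(shannon_entropy(x) for x in names) / len(names)
        reasons = []
        if avg_len >= MIN_AVG_LENGTH and avg_ent >= MIN_AVG_ENTROPY:
            reasons.append(f"{len(names)} unique subdomains, avg length {avg_len:.0f}, avg entropy {avg_ent:.2f}")
        txt_share = qtypes[dom].count("TXT") / len(qtypes[dom])
        if reasons and txt_share > 0.5:
            reasons.append(f"{txt_share:.0%} TXT queries")
        if reasons:
            findings[dom] = reasons
    return findings


if __name__ == "__main__":
    for dom, why in suspicious_dns_domains(DNS_LOG).items():
        print(f"{dom}: {'; '.join(why)}")
```

Counting unique subdomains per registered domain, rather than per query, is what separates a tunnel (every query carries new data) from a chatty but legitimate client that asks for the same long CDN hostname over and over.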
  49. Questions?