Purple Teaming - The Collaborative Future of Penetration Testing

Page 1: Purple Teaming - The Collaborative Future of Penetration Testing


Page 2

Presenter: Will Pearce

Joined FRSecure in 2014

OSCP, SWCCDC Red Team, OSCE in progress.

InfoSec Crushes
◦ Raphael Mudge (@armitagehacker) – blog.Cobaltstrike.com
◦ Matt Weeks (@scriptjunkie) – scriptjunkie.us

Page 3

But Why…

•Organizations get penetration tests year after year, yet companies still get breached because they’re STILL missing the basics.

•Traditional penetration tests are failing to prepare organizations for the threats they actually face. They’ve become a commodity of compliance and box-checking.

•Remediation steps rarely include management objectives.

•General lack of excitement for Blue Team functions. Red team is sexy, but it is just a tool.

•Do you even have a JBoss server? (If not, why are you seeing alerts for it?)

Page 4

Our Definition of Purple Teaming

Improving cyber security by leveraging red teams as representative adversaries. Using red actions, blue teams practice detection and response against active threats.

“Putting more Offense in your Defense”
- Chris Gates

Page 5

Different Focus

KEY WORDS
◦ Detection
◦ Response
◦ Practice

ABSENT WORDS
◦ Patch
◦ Annual
◦ Compliance

Page 6

Different Focus Cont’d

Military Model (Red vs. Blue)
◦ Military Mindset: National Security
◦ Private Sector Mindset: Security for Cheap

Collaborative Security (Red + Blue)
◦ What did it look like on the blue side?
◦ How did red get there?

Exercise the IR Plan
◦ Find the gaps in people, technology, and processes.
◦ Detection 50%, Response 50%

Educational
◦ Consultants come on site with expertise, then leave at the end of the day, taking their expertise with them.

Page 7

Different Focus Cont’d

Validates tools/processes.
◦ Certain people not getting alerts, or not responding to alerts.

Find paths of least resistance.
◦ Repeat.

Assumes a hardened network.
◦ Preparation is key. Doing some research up front can save $$$.
◦ Scope is key.

Gets to the point.
◦ Remediation steps are valuable, and generally structural in nature (at first).

Practice, Practice, Practice
◦ Gain confidence in IR
◦ Save $$$$

Page 8

Time is the Commodity

CURRENT
◦ Attack Sim.
◦ Full Scope Penetration Test
◦ Vulnerability Assessment

FUTURE
◦ Vulnerability Assessment
◦ Full Scope Penetration Test
◦ Attack Sim.

Page 9

Lack of Malware

It’s not all about the malware
◦ Poison Login.bat
◦ Poison other scripts

Spot the Malware (You won’t find it)
◦ PowerShell
◦ Regsvr32
◦ Rundll32
◦ Tracker
◦ notepad

Page 10

Scenario Based

Let’s pretend…
◦ Alice has been CryptoLockered

Results
◦ Alice has access to these shares, 3 of which Alice should not have access to.
◦ Alice is a local admin.
◦ Alice can run macros from the internet.
◦ AV failed to detect.
◦ Spam filter worked, but Alice moved it out of junk.
◦ Our backups are insufficient.

Page 11

Scenario Based

Let’s pretend…
◦ External terminal server has been breached; Bob logged in from Germany after several failed attempts.

Results
◦ Terminal server has access to these systems.
◦ Excessive failed attempts do not generate alerts.
◦ Bob has excessive failed login attempts on these systems.
◦ Bob successfully logged into these systems.
◦ Bob is a local admin on a random webdev system on the domain.
◦ Webdev machine has production data.

Page 12

Scenario Based

Scenario
◦ Sourcefire is alerting on DNS beacons. An internal host communicated 2, 4, and 6 weeks ago.

Results
◦ Several internal IPs are communicating with the same address space.
◦ Traffic has matched known APT signatures.

Page 13

Two Kinds of Customers

Those who think they have everything buttoned up.
◦ Generally get high marks on audits and assessments.
◦ False sense of security.
◦ A lack of humility costs $$$

Those who are working on maturing their processes.
◦ Do research and go beyond what audits and assessments tell them.
◦ Not necessarily assessment focused.
◦ Know they’re not perfect, put effort in anyway.

Page 14

Common Issues

•Tools that cannot be properly implemented AND maintained.

•Lack of network visibility: knowledge of what is on the network, or what is even supposed to be on the network – not just devices, software too.

•Lack of real network segmentation.

•Lack of manpower and resources.
◦ Little knowledge of how attacks happen. Anyone alerting on PowerShell.exe?

•Lack of system hardening.
◦ STIG it!

•Lack of 2FA for external services.

Page 15

Eliminate Low Hanging Fruit

•PowerUp.ps1
◦ Invoke-AllChecks
◦ Service abuse
◦ DLL hijacks
◦ Registry checks

•PowerView.ps1
◦ Find-LocalAdmin
◦ Invoke-ShareFinder -CheckShareAccess
◦ Invoke-ShareFinder -CheckAdmin

•Get-GPPPassword.ps1
◦ MS14-025

•Responder.py -i <IP> -I <int> -wrf

•Local Administrator (Honorable Mention)

Page 16

Put Controls Around Admin Tools

•AppLocker, Device Guard, LAPS

•Alert on the use of admin tools.

•Alert on new services.
◦ (netsrv.exe)

•Accounts logging into systems they shouldn’t be, at odd times.

•Turn on various Windows logging abilities that are off by default.
◦ Firewall Logs
◦ PowerShell Logs
◦ Object Access
◦ File Access
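The page 11 scenario (excessive failed attempts that never generate an alert, followed by a successful logon) and the alerting bullets above (new services such as netsrv.exe, logons at odd hours) as detection logic, added here as an example that is not code from the original deck or from FRSecure. It runs over constructed sample events with simplified field names (`id`, `time`, `user`, `src`, `host`, `service`, `path`); in a real deployment these would be read from Windows Security event IDs 4624/4625 and System event ID 7045, and the thresholds and business hours are assumptions to tune per environment.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not real logs). Field names are a simplified view
# of Windows Security 4625 (failed logon), 4624 (successful logon) and System
# 7045 (new service installed) records.
EVENTS = [
    {"id": 4625, "time": "2016-05-01 02:1%d:00" % i, "user": "bob",
     "src": "203.0.113.7", "host": "TS01"}
    for i in range(6)
] + [
    {"id": 4624, "time": "2016-05-01 02:16:00", "user": "bob", "src": "203.0.113.7", "host": "TS01"},
    {"id": 4624, "time": "2016-05-01 03:02:00", "user": "bob", "src": "10.0.0.21", "host": "WEBDEV1"},
    {"id": 4624, "time": "2016-05-01 10:05:00", "user": "carol", "src": "10.0.0.9", "host": "FS01"},
    {"id": 7045, "time": "2016-05-01 02:20:00", "host": "TS01", "service": "netsrv",
     "path": r"C:\Windows\Temp\netsrv.exe"},
]


def hour_of(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S").hour


def brute_force_success(events, threshold=5):
    """Page 11: flag a successful logon that follows at least `threshold`
    failed logons for the same user, host and source address."""
    failures = Counter()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):  # ISO timestamps sort as strings
        if e["id"] not in (4624, 4625):
            continue
        key = (e["user"], e["host"], e["src"])
        if e["id"] == 4625:
            failures[key] += 1
        elif failures[key] >= threshold:
            alerts.append({"user": e["user"], "host": e["host"],
                           "src": e["src"], "failures": failures[key]})
    return alerts


def odd_hour_logons(events, start=22, end=6):
    """Page 16: successful logons outside business hours (default 22:00-06:00)."""
    return [e for e in events
            if e["id"] == 4624 and (hour_of(e) >= start or hour_of(e) < end)]


def new_services(events, expected_dir=r"C:\Windows\System32"):
    """Page 16: new service installs whose binary lives outside the expected directory."""
    return [e for e in events
            if e["id"] == 7045 and not e["path"].lower().startswith(expected_dir.lower())]
```

Bob's failures on WEBDEV1 are never seen here because the constructed data has none, so only the terminal-server logon is flagged by the brute-force check; the odd-hour check still catches the 03:02 logon to the webdev box.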

Page 17

Vulnerabilities: an Honorable Mention

Patching is a lagging defense mechanism.
◦ Vuln -> Discovery -> Patch -> Push

Vulnerabilities are not a big deal anymore (internally).
◦ Users still click on stuff.
◦ whoami /groups
◦ Still patch diligently

Trust materials: protect them.
◦ 2FA
◦ Remove caching of creds
◦ Remove local administrative access from users. Please.

Page 18

Getting Management Involved

BECAUSE THEY’RE MOST RESPONSIBLE FOR INFORMATION SECURITY.

Page 19

First and Foremost

Information Security is NOT an Information Technology function. They may sound the same, but they’re quite different.

Information Security is NOT about saying no; it’s about finding a secure solution to a business need.

ALL engagements go better if management willingly involves itself.

Information Security is seen as a cost center – but there is marketing value in being secure.

Page 20

Obligatory XKCD

Page 21

Purple Teaming’s place in an information security program

Information security: administrative, physical and technical controls which minimize risks to the confidentiality, integrity and availability of data.

Enhances almost every facet of your program, because it places greater emphasis on the human element.
◦ Enumerates structural issues within the network (technical)
◦ Identifies deficiencies in logging and monitoring capabilities (technical)
◦ Strengthens monitoring and response plans (administrative)
◦ Satisfies audit/vendor management requirements (administrative)

Page 22

Communicating results (without getting fired)

Effectively communicate outcomes prior to the engagement
◦ Level with them - “Given enough time, resources and motivation, any network is susceptible to breach”
◦ Justify the cost - The reason these are so expensive is because they are so good; they will provide capability we may never see “in the wild”.
◦ Utilize cost/benefit - We’re going to learn our weaknesses in one of two ways: the good guys will find it, or the bad guys will. The good guys are typically cheaper.
◦ Baffle them with bullshit - We need to know if the MPLS is inherently POODLE’d when IP/TCP traverses multiple virtual clusters. That’s what they did in Office Space.

Incorporate them in the exercise
◦ Any executive team acting as an incident response committee during a concurrent table-top exercise derives value, a sense of accomplishment, and empathy for the difficulties you face. We are more accepting of “us” mistakes than “them” mistakes.

Page 23

Including Executives

Purple Team Exercise – The Bob goes to China

Technical team – Confirm containment and determine severity
◦ Contain the potential breach, as much as possible, ASAP
◦ Determine if a breach occurred: review audit logs (local, gateway, etc.), inspect devices

Executive team – Determine appropriate action
◦ Ascertain the situation based on streaming information from the technical team

Page 24

Speaking of Audit…

Audits typically test the design and implementation of controls; they do not address the efficacy of those controls. Purple teaming does.

Control                                           | What the audit confirms                                          | What purple teaming asks
IPS is in place                                   | IPS is reviewed and tuned on a regular basis                     | Is the IPS actually detecting and correcting realistic adversarial tactics?
NMAP is run periodically to enumerate open ports  | Results are reviewed by network admin, unnecessary ports closed  | Are the ports left open risk free?