Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013

Post on 08-Jun-2015


Given at BSides Jackson 2013

Transcript of Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013

@jwgoerlich

Seeing Purple

Hybrid security teams for the Enterprise

Security consultant with VioPoint

La DoSa Nostra

#misec

Twitter: @b31tf4c3

Freenode (#misec / #burbsec / #ladosanostra)

Beltface

Me

The ONE thing

Productivity book

The ONE thing your organization does/has

Protect and build off that

Avoid the easy pentest

The Client

$client0 – company in the energy sector

$client1 – company in the financial sector

A Cascade of Pebbles

Talk by Josh Little – Bsides Detroit 2013

Performed Pentest at $client0

Leveraged that scenario to create a program at $client1

My idea of hacking is taking the tactics, techniques, and procedures, that different threats are using today …

Using them against our organizations, when they have a mature program, to understand how our controls stand up when exercised by a sophisticated thinking adversary.

-- Raphael Mudge, Armitage and Cobalt Strike, BSides Detroit 2013 Podcast

Detect Prevent Correct

Detect, Prevent, Correct

Detect – catch attackers in action (SIEM)

Prevent – Stop attackers (Vulnerability Management)

Correct – raise the costs by disrupting or distracting the attackers (e.g. honeypots)

Blue Team - Detect

SIEM – Security Incident and Event Monitoring

Pool log sources and analyze logs and flows

Blue Team - Prevent

VM program

Gives visibility into system preparedness

Helps with patching schedule

Identifies most critical hosts

Blue Team - Correct

Red Team - Assessment

Pentesting

Required as part of audits

We break it, you fix it

Higher risk

How do you know remediation is working if it's never been tested?

Red Team - Exercise

Select a specific stage in the attack path

Assume all prior controls have failed

Test preventative, detective, corrective

Test both the controls and the response

Minimal risk

Example

Stage 4 – Persistence

Popping the Penguin – SecTor 2013

No 1337 hax needed

Assessment v. Exercise

Exercise

Use real techniques

Use real objectives

Model a real attack

Test specific controls

Assessment

Use real techniques

Use real objectives

Exec an actual attack

Test overall posture

Purple Team

Purple Team

Take knowledge of your security (Blue)

Take knowledge of your weaknesses (Red)

Combine to find what’s most valuable to you (Purple)

Purple Teams

Not necessarily just the red and blue teams

Requires a total picture involving all areas of the organization

From this

To this

The Goal

Create scenarios

Identify how you would protect yourself

Test the scenario

Test your environment

Proactive Protection

1. Threat Modeling – Bi-weekly

2. Tabletop exercises – Monthly

3. Red Team exercises – Quarterly

4. Red Team Assessments – Yearly

Our Infrastructure

Threat modeling

Least amount of T/E

One model bi-weekly

Build portfolio of potential attacks

Choosing a model

SDLC threat model - Microsoft

Cyber Kill Chains of Doom™ - Lockheed Martin (r), (tm), (etc)

Attack Paths - #misec

@jwgoerlich

Attack path

Start with why

TED Talk - Simon Sinek: How great leaders inspire action

Why

How

What

Why?

Why this model?

Free

Open

I'm biased (#misec)

Why will $badguy target us (the ONE thing)

$client0 – Access control systems

$client1 – Sensitive financial data

Do what is right for you. But do something.

How?

How will the attacker realize their Objective?

- Attack path $badguy took through network

What?

What can we do to prevent this attack?

- Document controls

What can we do to be ready?

- Develop test cases

Attack Paths

1. External reconnaissance

2. Initial breach

3. Escalate privileges

4. Persistence

5. Internal reconnaissance

6. Lateral breach

7. Maintain presence

8. Achieve objective

Initial generation

Start with step 8

Identify ONE thing

Work backwards

A blank slate

Attack Path

Attack Path

Goal: Obtain sensitive, proprietary information

1. External Reconnaissance – Attacker will perform OSINT on the company to identify targets

2. Initial Breach – Attacker will have a specially crafted site for user to access containing either an infected document or a place for entry of credentials

3. Escalate Privileges – Attacker will attempt to add specially crafted user to group / recover hashes through trust relationships/responder

4. Persistence – Attacker will attempt to maintain his or her presence by installing malware

5. Internal Reconnaissance – Attacker will attempt to enumerate the internal infrastructure in an attempt to identify more targets that will lead him or her to their goal

8. Achieve Objective – The attacker dumps the data and exfiltrates it via cloud service
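The "How? / What?" slides say each stage of an attack path should end with documented controls and test cases. The following is an added example (not code from the talk or from #misec) that models the path above as data, tags each control as preventative, detective or corrective, and reports which stages have no control of a given kind, which is the gap the tabletop at $client1 surfaced. The stage actions are taken from the slide; every control, test case and the mapping of the corrective actions onto stages are constructed for the demo.

```python
from dataclasses import dataclass, field
from enum import Enum

# The eight attack-path stages used in the talk (#misec attack paths).
STAGES = {
    1: "External reconnaissance", 2: "Initial breach",
    3: "Escalate privileges",     4: "Persistence",
    5: "Internal reconnaissance", 6: "Lateral breach",
    7: "Maintain presence",       8: "Achieve objective",
}


class Kind(Enum):
    PREVENT = "preventative"
    DETECT = "detective"
    CORRECT = "corrective"


@dataclass
class Control:
    name: str
    kind: Kind
    test_case: str       # how a red-team exercise would exercise this control


@dataclass
class Stage:
    number: int
    attacker_action: str
    controls: list = field(default_factory=list)


@dataclass
class AttackPath:
    goal: str
    stages: dict = field(default_factory=dict)   # stage number -> Stage

    def add_stage(self, number, attacker_action):
        self.stages[number] = Stage(number, attacker_action)
        return self

    def add_control(self, number, name, kind, test_case):
        self.stages[number].controls.append(Control(name, kind, test_case))
        return self

    def gaps(self, kind):
        """Stage numbers on this path with no control of the given kind."""
        return [n for n, s in sorted(self.stages.items())
                if not any(c.kind is kind for c in s.controls)]

    def test_plan(self):
        """(stage, control, test case) for every documented control."""
        return [(n, c.name, c.test_case)
                for n, s in sorted(self.stages.items()) for c in s.controls]

    def coverage_report(self):
        lines = [f"Goal: {self.goal}"]
        for n, s in sorted(self.stages.items()):
            kinds = sorted({c.kind.value for c in s.controls}) or ["NO CONTROLS"]
            lines.append(f"{n}. {STAGES[n]}: {s.attacker_action} [{', '.join(kinds)}]")
        return "\n".join(lines)


def sample_path():
    """Constructed: the slide's path with one constructed preventative control,
    reproducing the tabletop result (one preventative control, no detection)."""
    p = AttackPath("Obtain sensitive, proprietary information")
    p.add_stage(1, "OSINT on the company to identify targets")
    p.add_stage(2, "Crafted site serving an infected document or credential form")
    p.add_stage(3, "Add crafted user to group / recover hashes via responder")
    p.add_stage(4, "Maintain presence by installing malware")
    p.add_stage(5, "Enumerate internal infrastructure for more targets")
    p.add_stage(8, "Dump the data and exfiltrate it via cloud service")
    p.add_control(2, "Mail gateway attachment filter", Kind.PREVENT,
                  "Send a benign macro document from an external address")
    return p


def apply_corrective_actions(p):
    """Constructed mapping of the slides' corrective actions onto stages."""
    p.add_control(3, "VM program re-configured", Kind.PREVENT,
                  "Confirm critical hosts are patched within the schedule")
    p.add_control(5, "Security Onion NSM", Kind.DETECT,
                  "Scan a /24 from a test box; confirm an alert is raised")
    p.add_control(8, "Security Onion NSM", Kind.DETECT,
                  "Upload test data to a cloud service; confirm the flow is logged")
    p.add_control(8, "Egress block of cloud storage", Kind.PREVENT,
                  "Attempt an upload from a standard workstation")
    return p


if __name__ == "__main__":
    path = sample_path()
    print(path.coverage_report())
    print("No detective control at stages:", path.gaps(Kind.DETECT))
    apply_corrective_actions(path)
    print("After corrective actions:", path.gaps(Kind.DETECT))
```

Running the model before and after the corrective actions gives the same before/after view as the two $client1 result slides, and `test_plan()` is the list of things the quarterly red-team exercise has to try.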

Tabletop

Tabletop

Slightly more expensive than modeling.

Using the more likely of two models, stakeholders gather

Should be performed monthly

Tabletop Exercise

Started with table

Gathered $client1's stakeholders

Went over attack path used at $client0

Went over potential responses

As simple as SMTP

Email was sent out to $client0

User credentials were compromised

No detection

Allowed total compromise

$client1: Results

There were no proactive detective capabilities

1 preventative control

$client1:Corrective Actions

Security Onion installed, configured, and analyzed

VM program re-configured

Exercises

Example

Persistence - Stage 4

- Tested ability to connect out and ability to detect

- Minimal risk to infrastructure

Exercises

More expensive than tabletop

Use most likely of three scenarios

Should be performed quarterly

$client0:Stage 1 – External Recon

OSINT was used to enumerate the following information about $client0

-email addresses

-travel agency

-key players

$client1:Stage 1 – External Recon

In order to save time, we assumed failure at this level

Assumed email was sent and opened

$client0:Stage 2 – Initial Breach

Email sent out, directed to fake login page

Credentials recorded to database

Credentials used to access VPN

$client1:Stage 2 – Initial Breach

Visited unique URL on test box

User was able to RDP into box

Having local admin, was able to create other user

$client0:Stage 3 – Escalate Privileges

Escalation unneeded

User had sufficient privileges to achieve objective

$client1:Stage 3 – Escalate Privileges

Assumed failure at this point in interest of time

Multiple exploitation methods assumed to work

Remediation currently in works to create a Kerberos-only environment

$client0: Stage 4 – Persistence

Installed multiple Core agents

Used this to obfuscate origin

$client1: Stage 4 – Persistence

Showed ability to install software

In this case, we installed Zenmap

Used this to enable stage 5 testing

$client0:Stage 5 – Internal Recon

Very little protection

Enumeration was caught by SIEM using flows

No followup

$client1:Stage 5 – Internal Recon

Attempted to scan internal hosts

Looking for file shares or other repositories

Showed ability to enumerate network
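At $client0 the internal enumeration was caught by the SIEM from flow data (with no follow-up); at $client1 it was not caught at all. The following is an added example (not the talk's code, and not tied to any SIEM product) of the flow-based detection logic behind that alert: a source touching many distinct hosts in a short window (a horizontal sweep) or many distinct ports on one host (a vertical scan). The flow format, the sample records and the thresholds are all constructed for the demo; real NetFlow/IPFIX exports need their own parser.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since epoch
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse constructed 'ts src dst dport bytes' lines. Toy format for the
    demo, not a real NetFlow/IPFIX export."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def detect_recon(flows, window=60, host_threshold=20, port_threshold=15):
    """Raise one alert per source that reaches >= host_threshold distinct hosts
    (horizontal sweep), and one per (source, host) where >= port_threshold
    distinct ports are probed (vertical scan), within any window-second span."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)

    alerts = []
    for src, fl in by_src.items():
        raised = set()
        for i, start in enumerate(fl):
            hosts, ports, dports = set(), defaultdict(set), Counter()
            for f in fl[i:]:
                if f.ts - start.ts > window:
                    break
                hosts.add(f.dst)
                ports[f.dst].add(f.dport)
                dports[f.dport] += 1
            if len(hosts) >= host_threshold and "sweep" not in raised:
                raised.add("sweep")
                alerts.append({"kind": "horizontal_sweep", "src": src,
                               "target": f"port {dports.most_common(1)[0][0]}",
                               "count": len(hosts), "at": start.ts})
            for dst, ps in ports.items():
                if len(ps) >= port_threshold and ("vscan", dst) not in raised:
                    raised.add(("vscan", dst))
                    alerts.append({"kind": "vertical_scan", "src": src,
                                   "target": dst, "count": len(ps),
                                   "at": start.ts})
    return alerts


def sample_flow_log():
    """Constructed flow records: one quiet workstation, one host sweeping
    thirty addresses on 445, one host probing twenty ports on a single server."""
    lines = ["# ts src dst dport bytes"]
    for i in range(5):
        lines.append(f"{900 + i * 10} 10.0.0.7 10.0.3.1 443 {1200 + i}")
        lines.append(f"{905 + i * 10} 10.0.0.7 10.0.3.2 53 80")
    for i in range(30):
        lines.append(f"{1000 + i} 10.0.0.5 10.0.1.{i + 1} 445 60")
    for port in range(1, 21):
        lines.append(f"{2000 + port} 10.0.0.9 10.0.2.10 {port} 40")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_recon(parse_flows(sample_flow_log())):
        print(alert)
```

The alert dictionaries are what should feed a ticket or a response runbook; the $client0 result ("caught by SIEM using flows, no followup") is the case where this logic fired and nobody acted, which is why the exercise tests the response as well as the control.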

$client0:Stage 8 – Achieve Objective

Goal: Persistent access to critical control systems

Access was obtained

Length of engagement: 21 days

Length of time in network: 21 days

$client1:Stage 8 – Achieve Objective

Goal: Ability to exfiltrate data through cloud service

Cloud services were successfully reached and test data uploaded

Results

$client1:Corrective Actions

Purchased, configured, and analyzed QRadar

Integrate Qualys into ticketing system

Implement Kerberos-only forest

Block access to cloud storage

Assessments

Assessment

Most expensive

Create targeted scenarios to test

Avoid arp-cache poison story

Sexy

Building Your Program

Where to Start

GrrCon 2013: Scott Thomas (@secureholio): 50 Shades of Purple (teaming): Getting Penetration Testing into a Conservative Company

Where to Start

Start with threat intelligence

Move to threat models

Get buy in from management

Steve Fox's Communication plan

Follow @securelexicon on Twitter

Communication

Relevant

Distinct

Credible

Benefit-Driven

Aligned with strategy

Additional reading (http://imgur.com/a/fPLnM)

Do what is right for you. But do something.

Resources

Freenode - #misec, #ladosanostra

People

- J Wolfgang Goerlich (@jwgoerlich) – Business strategy

- Steven Fox (@securelexicon) – Communication

- Scott Thomas (@secureholio) – Process

Links - http://imgur.com/a/fPLnM (Pixar)

Resources

Look for Attack Paths to be published out of #misec soon

#ladosanostra

@LaDoSaNostra