Emulating the Adversary While Training the Defenders: Purple Teaming with MITRE ATT&CK

google this cat that's about to talk to you right now former worker for the nsa scary three-letter eight word agency oh he's done a lot of stuff and he's gonna talk to you about some pretty cool stuff today so without any further ado david eminent god damn it did i pronounce it yes yes see i'm full from lunch too round of applause for the gentleman all right okay can you hear me perfect a few things just right off the bat that i'm bad at is this so if i try to like drop the mic because i'm not paying attention what i'm doing um just somebody's like hey put the mic back up so we can hear what you're

saying i literally am not good at that so i'm going to forget along the way um i always get nervous whenever i talk almost every single time no matter how many times i talk so if i get so nervous i pass out just wait for me to stand back up um and what kind of go through so what we're gonna talk about today is emulating an adversary while training defenders really what we're doing is auto magic you know implementation of being able to incorporate the minor attack framework for specific adversarial ttps into a database assigning those to known exploits in different systems for instance like if you were to do that within medical age one actually help you because it's going

to get caught by every av and adr solution alive but if you're able to do that or some other type of system see as for instance you can do this in an automated automatic way uh in a happy process forward so we're going to kind of talk about a lot of processing we're going to go through a bunch of stuff i talk really fast because i'm nervous um so as we kind of go through there you guys have questions also don't don't hesitate to uh to interrupt me i'm completely okay with that and at the end um if we have other questions outside of this talk there's a lot of things that i've done for instance if you guys have

questions about that i'm happy to answer them um if i can so i'm a hacker former linguist um i speak persian farsi um i publish a bunch of books also we have them sitting behind on the center counter i've published that with lauren netplus tech plus usa pentax plus forensics and um a couple of other different things uh and uh so i'm a founder i own standard user cyber security and i'm a finder i love identifying new methodologies and and protocols practices or to accomplish mundane tasks that nobody wants to do anytime that i can automate something so i can go to something else 100 percent it's my hat being on actually like bothering me i got a thumbs up um and

also i'm a new i always consider myself new to our industry you know i've been here not very long you know if you guys probably do a comparison of how long you've been in this space i probably haven't been here as long as you um just sort of the road and the path to get me there was very quick did it while i was in the service so just a little bit of history of myself got my initial degree down in wichita um kind of in this space it was really great to kind of again even be invited back to this area and then um i joined the service became a persian linguist to transition out of that role

as an effective intelligence operator for the nsa went through a very concise course where you're basically getting a bachelor's degree in six months and then went up to the nsa for three and a half four years before moving overseas working in conjunction with coalition forces to hunt and track isis unicode operatives and um ended up accidentally helping start off one intelligence service came to talk about that a black hat this year i'm also number 47 on darknet diaries and a bunch of other different um sort of talks a couple days ago um department of justice issued three um indictments from my former managers because of their turn and started working for intelligence service well we all fled the country by the

united states little hints just in there kind of what my experience is so now i help track foreign intelligence activity and usb's critical critical infrastructure and in doing so one of the things that we're learning is while this is sort of antithetical to my talk is specific targeting and identification and training towards ttps as they relate to different actors it's not actually that helpful if you don't have funding behind it in order to support it um i think jacob talked about that this morning uh in the uh opening talk which was phenomenal in fact i asked him if you would mind if i just took a couple of his slides and put him in mine so i have

because i think that reinforcement of those ideas is really powerful this is a fun exercise something that you can do there's a lot of open source technologies that are that are out there that you can use in order to do it that's just what i did you know we didn't really write anything new we just use existing stuff but you can automate the entire process defending our training defenders on how to identify and mitigate remediate and alert just an entire pipeline for specific apts and gtps and target sets so outline we're going to go through purple team modeling red team engagement life cycles thread actor modeling with minor attack um uh metis point module modeling

blue team post engagement and security post um security posture modeling and then uh purple team synergy these are just titles that can come up with the best thing of them what i think this might relate to um we'll kind of get there as we go uh so this is really like a main focus on what obviously you guys can think of what purple team modeling might be uh some of this talk is really designed for people that might even be in this space that high school students called students that may have never been introduced to this so this may not be new information for you because you might know red team is offensive in nature blue team is

defensive in nature and purple team is collaborative it kind of makes sense so moving through so red team engagement live cycles really and again what we're talking about is in the event that your job is to identify vulnerabilities and attack those vulnerabilities within say your scope or your environment scoping planning and then rules of engagement building those for an internal infrastructure even if you're saying mssp you're doing that for a third party these are really important aspects of what you're doing rules of engagement incredibly important if you go outside the boundaries of the rules rules of engagement as an ssp and you break something you're gonna you know you could potentially be in a lot of trouble uh

there are all kinds of things you know identification clauses and whatnot so in the event that we do something we break something we're not gonna be responsible for that so ensuring that those are built in you actually have rules and then even if they like give you the ip addresses how you're going to be targeting 15 ip addresses here they are go just make sure they know what they're talking about that they didn't just pull these ip addresses somewhere these these belong to us five years ago but they don't block to us anymore better go check before you gain access to it so recon so in that former recon attack foothold internal recon lateral movement

target critical data and then export that data so as we kind of go through that i'll talk a little bit more about i'll go very specifically through the exploitation lifecycle stages of red team and pen testing and then i'll walk through why we at standard user institute focus on how to mitigate that lifecycle which is really just work in reverse but first here for instance is just sort of a good uh red team engagement last night before we're using engagement in the event that you guys don't know what should be in the rules of engagement one ask someone google something look at a somebody else's sow to identify what that is because this is your cya card

that's gonna allow for you to protect yourself um well actually let's kind of go through it so really what you're going to do is you're going to like develop off limits list don't don't target these is your key devices list this is your specific critical infrastructure critical infrastructure sometimes is that infrastructure where we want you to target this and make sure that it's secure sometimes that critical infrastructure is don't touch this this is absolutely off limits so while we have an off limits list really the critical infrastructure is absolutely off limits and then sensitive data in the event that you do identify or have access to sensitive data you are not allowed to download it off of the

target system you just need to verify that you actually have been there to get a small screenshot of a file name or something similar to that and then uh approved hours of operations lots of times if you're doing large scale scanning or operations against a production environment pardon me they don't want you doing that during working hours or sometimes they do want you doing that during working hours so in the event that you do accidentally take something down they can train and model and identify where their gaps are within their system for remediation for down systems for instance again that's something else jacob talked about earlier about putting in some specific key elements in to production

environments to see if you invent you pull this plug or took down a system you know what's your continued continuous uptime so again talking about sort of the pentest methodologies or the um exploitation lifecycle this isn't really our exploitation lifestyle we have a different image for that um but a pretty good large scale overview recon target reach persistence migration and exfiltration what we're talking about here is in the event that you have an external target and they give you just the company name how can you go through the process of performing external reconnaissance against that organization what tool sets are out there what open source uh websites are out there where you can put in that company name or some

variation of that company name and identify the infrastructure that's owned by that company and then from the perspective of only identifying what infrastructure is owned by it now you're going to start the process of scanning identifying those vulnerabilities identifying uh key gaps within their security posture that you can export and gain access once you do that now you have target breach which is really once you identify a vulnerability on a target that's owned by the client now you're going to throw a specific export and gain remote access interactive access to that there are different aspects of access to something you can have long-term persistence access which is you know beginning agents not exactly interactive and then you do have i o or

interactive operations against a remote target so for instance in the event you're typing on a keyboard and it's running against a remote target that's interactive uh in the event that it's calling back and no one's interacting with that it's just storing the content and then going back to sleep that's you know a hibernation agent or a persistent methodology we're not going to necessarily go into right now within this talk you guys have questions afterwards just so we can get through everything won't necessarily go into persistence methodologies but i'm having stuck with it afterwards um but in the event that you don't know what persistence is so let's just say you gain access to a system because

you've thrown an exploit and that exploit in two weeks is going to get packed or it has been patched and you know it's they have a maintenance window in two weeks in order to solve that problem you don't want to rely on that exploit to gain access to the environment every single time so you install some kind of persistence within the environment that allows us to call back and communicate with some c2 platform a c2 platform would be commanding control so it calls back whether or not directly or through some type of actor owned relay or victimized relay and communicates with the c2 server to run specific commands or just check in or whatever it might be due

and then migration let's say 99.9 of the time unless you're fantastically amazing you're not going to gain initial access to your target and the specific target machine inside of that environment in the same host you're going to gain access to some low hanging fruit and then you're going to have to move throughout the environment in order to gain access to the target that you want to exclude data from exfiltration is um really identifying a specific piece of data whatever your end goal is and they've hired you to do and then pull that information out okay so um this is uh i guess walking through that same process is uh scoping scanning vulnerability identification exploitation post

exploitation lateral movement and stealing of critical data so again just everything we kind of um the next stage we're going to talk about is threat active modeling with mitre attack this is really going to go into the fantastic methodologies it all kind of comes back together i know it feels like that we're talking about separate things but at the very end we'll kind of go into there it's really important kind of over here again with uh what jake before you talk about this morning kind of one of the some of the things that are good to train defenders on are some of the new methodologies and techniques that actors are actively using an environment the event that

you're using very old ttps and some you know database that you guys downloaded and stored 25 years ago it's probably not going to help you if you're continuing that you have to use updated you know artificial intelligence machine models against uh against an environment in order to better train defenders again if you're doing it you just have this scope and you don't have the money in order to do it well you don't have the money to like take everyone off high in order to train them you're just doing it as a regular exercise as a regular exercise is fun but probably not helping a whole lot of people um so again we're going to go through

programmatic access the minor attack framework actor technique mapping it's important to know i don't know if you guys have ever used the matter tech framework i'm sure there's quite a few people here that use the ui of programmatic access to be able to store that content in the localized database and then access that content or map it as it relates to metasploit modules cobalt strike modules something similar to that and then being able to hit i want to replicate this particular actor and then hit enter and then that's the entire platform does that job it's only going to pretend to be this particular actor set so active to industry mapping so in the event also i want to do this and i want

to pretend to be say for instance if you're an mssp and you're building the platform in order to work against a bunch of different clients you don't want to build it just to work against finance you know you want to finance energy you know uh div so on and so forth so you can go to the actor specifically and then drop down and go specifically to the industry and then object oriented database storage technique to msf module mapping now the object oriented storage that's important because you're accessing large amounts of data in order to throw specific exploits very quickly so if you can index that data and access it index it across multiple different databases

it's going to run a lot faster you're going to need less resources okay so in thread actor modeling in minor attack it's just important to understand how much data is in their system they have a ton of data we need to kind of sift through and understand what's in there in the event if you want to use a python module in order to do this that's pre-existing we can show you what that is and give you access to that it's pretty easy to do um it's easy to do now the python module is written um and so kind of coming back through here understanding recognizing that data infiltration recon breach migration and persistence are all built into the minor

impact model now those are just those top level subject matters you kind of rotate into the the outer ring and those fall down into those specific ttps of what active groups might do something in a different way hopefully that makes sense um so again this is uh you're just basically like pulling down uh sticks to modules uh pulling in the cti enterprise attack framework module pulling in the database storing it in this situation i'm storing in fs and then down here i'm just using list comprehensions in order to build new uh lists uh in order to sort that content for use later after i'm able to map it with men's my prosthesis i know we're gonna this is kind of

unorthodox but right now does anyone have any questions yup do it yeah um so if i'm packing someone's uh business or something like that can i use that person's uh clientele as well okay so i'm sorry i actually stopped becoming linguists because i can't hear very well so you're gonna have to just project us a little more sorry it's okay yeah if i tax a client's server i'm sorry if i use uh say i have like a person's email address or a client or something like that and i give them and i make a fake email and stuff like that and send them and i gain access to the system do that does that consider

the infiltration or is that just considered [Music]

[Music] so how do you gain access or is it that persistence or yeah yeah okay yeah so that's that's a great question so he's basically asking it sounds like when you're talking about external infrastructure you're scanning stuff and gaining access to a known vulnerability or default password or something similar to that if i send a phishing campaign uh create some type of an email address and then they interact with that and gain access is that also initial access 100 it's also initial access you just perform that in a different way the i was hitting actor actor-to-ttp modeling that would happen in that case is what are you using in order to manipulate the end user in order to

interact with your content am i using some type of dot bin or macro embedded microsoft word document or pdf document or am i sending them something with an email or am i targeting one of their their existing clients say for instance watering hole or drive by attack and i this is my target but i don't want to get access to them we're kind of getting outside of offensive security and into offensive intelligence in that conversation but um because generally speaking in defensive intelligence you're not gonna actually target your target um you're not gonna hack your target you're gonna hack somebody there to do business with and wait for them to browse to their website or wait for them

to go somewhere else and then get access to them and all you've done is just create an exploitation chain that looks exactly like what they're existing doing what they're already doing but yes initial access via a vision campaign is also initial access and you can install persistence migration the whole process begins at that point does that answer your question yeah actually that's exactly what i was wondering what i was thinking that we were asking but i just wanted to get that any other questions yes sir uh the so when you're talking about minor attack i'm familiar with the framework i'm not familiar with uh actual command line tools that uh uh help like emulate yeah so so is this something provided by

miner is it just called miner is that what minor attack is uh nsf modeling and carrying that without that's literally the next step of what we're going to talk about i appreciate you paying attention and keeping up i do apologize for not actually addressing that before we got to the spot i will tell you in the c2 platform there's a lot of open source framework that diligent script kitties i would say that i'm a diligent script kitty i'm good at what i do but i'm using export c2 platforms that are developed by somebody else um so i'm not writing any of my own exploits or anything like that i haven't knows no cbds today and chances are i'm going

to die with new cves because this is not my area of expertise um but metasploit cobalt strike all of those platforms are platforms that you can integrate programmatically with the miter tech framework in order to pair that information together so we'll talk about that right now before we continue any other questions hook it up let's see oh we're already here okay so really what we're doing is again pairing information with known modules so within the metasploit framework there's initial exploitation which is at the very top you might even have auxiliary which is like scanning infrastructure you might have a specific payload and then post exploitation in the event that you've never done offensive anything let's go ahead and walk through

these really quickly so if i am doing like stage one i'm performing reconnaissance i'm scanning i'm doing some type of auxiliary where i'm scanning something i might want to draw something i might want to see if there's some type of spoons or uh spooked or information gathering of specific targets are there any default admin portions of that where i can scan against a remote target and identify something and gain access for actually having to throw an exploit or scanning to identify some type of vulnerability that might pair with a known uh metasploit module once i identify what that is i have to shift over within the metasport framework and use an export you use an exploit and pair that with a

payload what does that mean is i'm throwing an exploit injecting something into memory in order to get it to manipulate and do whatever it was i want and then i'm replacing a piece of memory address space with some type of shell code that i would run that shell code is going to be a payload kind of loosely interchanging terminology here because it is important but and for this case it doesn't at that point in the event that you're an export developer and i'm interchanging payloads and um shell code and you hate me i apologize but really you're using a payload in order to might be of a multi-stage payload that then you're going to gain

interactive access to a remote target during that chain once you do that and you want to run something else on top of that i'm going to know who's on the machine i want to gather a bunch of stuff i want to just perform integrated scanning against remote or json infrastructure that's where you fall into post-exploitation models i'm going to run something i want to gather some stuff you can also run auxiliary modules um in that as well so you want to gain or you want to gather so auxiliary gather and the event that you gain access to a system you want to pull out information you can do that with that module excuse me um so

this is how you okay about that i don't really have a screenshot of the metasploit framework by itself which is kind of a lapse in my part this is sort of moving into the next stage do that so cali is a common um virtual machine used that has metasploit on it where you can just download the iso loaded as a virtual machine and now you have metasploit on there in the event that you do that you can just drop to a shell run msf console uh once you do that you can use use and help and search and all the other things that he's talked about in the event that you don't want to do

that or you don't want to be interactive on a machine you can actually run msf console and then walk away from it and then interact with that nsf console remotely so you can pull everything down i can run commands i can run exploits whatever it is i want to do you can do it on the same machine you can do remote machines if you want to do it from against remote machine you actually have to go into the msn console meta support framework and make a few adjustments so that these ports are accessible remotely so once you do that you can actually drop into a remote post guest post grass connector post sql and then um

connect to it and pull information down or let's just say for instance you get like a nasa scanner or something similar to that you want to take your nicest results and push them over to a transport framework to actively throw an exploit to gain access you can do that in the same process here you can actually do this on some centralized python where you're pulling minor minor attack framework in you're pulling all the modules down and then syncing them together and then as you're scanning in a different module using something like nmap you can do that from there so for instance if i were to do that here and i would run that i can pull all the

information down based on the full name or path name the id the details and then the operating system that it might run against there's a ton of other information in here this is obviously just like four little rows or columns but there's so much information that as you're scanning something you can pull back those scans of information sync them with a note exploit map those exploits with the tte and then now you know specifically in this environment what actor is using what and what within my environment might be vulnerable to what they're using and then you launch them does that answer your question yeah perfect any other questions okay let's go okay so uh manual request is something

that we wrote just for fun ended up being like this process it's extremely dangerous and it doesn't actually make sense to release it in the wall if you want access to that just because you're a verified researcher and you're not going to use it for something nefarious i'm happy to let you use it but in the event that you're going to use it for something is going to be ridiculous i'm happy to teach you processes but i'm not going to give this to you so the process here is what it does is target identification i've gone outside the world i've got a bunch of like ip addresses you can also do this automatically with known open source software so it's not a

manual process of identifying the ip addresses corresponding to a specific organization and then you're pulling that information in you're loading it into a python nmap module you're scanning that information storing it into its own database vulnerability discovery syncing that information for as vulnerabilities in open source platforms pulling the information back in with metasploit module mapping and then initiating msrpr msfrpc console module which is the remote access to munispoint and then from there mapping them to actor new infrastructure and then mapping things based on a specific actor that you want to emulate hopefully that kind of makes sense i would put that pretty fast good okay so um so in here really we're kind of dropping down into an and that port scan

processing through you can like kind of change up your arguments over here whatever you want to run and then you're processing through your targets pulling back os match class family ports the entire process and then eventually after you kind of get down this process here mapping those against the other columns in the metasploit framework and then syncing that information with the miter tech framework to launch exploits as they relate to a specific act okay still here we're kind of in the same process here we're kind of just jumping over to different spots but scanning identifying that information running back down and then running in this case for initial access once you gain some initial access i would say

a large number of organizations that are not quite hacked but offensive in nature initial access is automated so you're going to run some type of survey or situational awareness script for instance i think which i have a copy of one right here um so what this right here does is uh i think that's right let me just take a look at this make sure i'm not lying here um yeah yeah so right here so you can actually like drop down and run a file write series of commands like you know command host name whatever it might be and then just do like a little array there's a menace point module for custom scripting that exists it's a survey script you can

just change it up do whatever you want uh we actually have that that particular one just runs stuff and prints it out to the screen you can edit that where it the output of those commands are written to a disk or you can um interact with remote database and store that for long term storage basically what that means is in the event that you do receive a callback and it's automated and no one is there at three o'clock in the morning to watch the output of what those commands are but i'd like to know what they are tomorrow when i come into work you can just store that information in some type of database come in you know

what it's done it's gone back to sleep but you actually see the output of those commands and i know that mark is always on this computer but for whatever reason bob the domain administrator enterprise administrator logged on this computer last night why did he do that has he on to me whatever it might be so um to sort of long-term access to long-term c2 embedded agents there is a praetorian has actually a really good um attack automation for purple teaming out there uh and they uh down here praetorian it's a vlog getting started with praetorians attack automation they have a really good walkthrough in a couple of videos and a github link to something you can get

started in this process again nothing that we did here even though it's kind of a lot of work nothing we did here is anything we did on our own you know you want to use a python c2 instead of interpreter go get puppy you know whatever it might be that you want to do there's stuff out there okay so how does this help defenders or blue teams in the end really allowing for them to understand i would tell you that one of the primary capabilities of a defending team is visibility in the event that they can see what's happening in their environment they're going to be successful in the event that they can't see what's happening in the environment

they're absolutely not going to be successful if you can't see what's going on you can't stop anything you can't block it if you can't help anything you can't learn anything so increasing visibility and increasing the identification of malicious activity within that visibility is how you help and train defenders so what does that mean basically it means like if i do gain access to a remote environment and a new operating or new process comes up on a remote machine somewhere and i have some type of edr solution or antivirus edr and bone detection response antivirus and everybody i think everybody knows what an advert is and so it's mapping or it's processing where it's it's keeping

track of what processes are on there and those launch back and it generates an alert that alert comes back to me or somehow i've been able to identify a new process that doesn't get flagged by their edr solution but i run commands smb commands from workstation to workstation workstation workstation smb command should automatically flag an alert you should know that why why why is someone need to be doing this there's no reason for people to be using 445 across workstations that's that's um vertical and not lateral movement activity so in the event that they can't see you don't have any type of internal to internal firewall which might go back to work tomorrow or let's say saturday um go back to work on

monday and be like hey what kind of internal to internal lateral movement visibility do we have in our environment we're like why are you asking these questions because we have no visibility here okay sure let's have a conversation about that chances are if it's an existing company long long-term existing company with a good stack they're going to know that they have that visibility gap and then there might be something in the roadmap in order to solve it or there might not be and you asking those questions is ultimately going to help long-term one thing that i will tell you is using the minor attack framework in order to train defenders alone not a good solution

this is where you're starting start tomorrow's because it's not a good spot to start it's for training defenders that understand and already have visibility within their environment we want to we want to test our instant response time we want to test different types of stages from that process again jacob mccoy sort of reemphasized this you know trying to make um partial programs and multiple games both i'm sorry uh partial progress in multiple games simultaneously really is you're going to ultimately fail if you're doing this over here trying to increase visibility and you're also trying to train our insurance spots at the same time fix your visit visibility problems and then email me later and we'll help

you get it going on what you got done some of these other sections are understanding like internal processes this is more like education kind of really boring but um you know understanding sort of the life cycle of within an environment what are some of the key aspects that you need asset management i don't actually know that ioc is one of those first things but implementing good leadership in a place with good experience it's going to help you move forward firewalls promoter controls experience of leadership av edr solutions visibility integrated partners nice sims and ultimately teamwork so um i actually am a i'm a strong believer you know we have a cyber security firm but we also have an

institute everybody that works or works on assessments pen tests whatever it might be at the firm has to also also require to teach if you're not teaching the next stage of people the only next gen that actually matters then we're not really helping anyone so teaching that next stage and reinforcing that knowledge gap um to that that next series is really going to make them better at what they do ultimately but it's going to reinforce the leadership that your team already has they have that leadership by teaching those other people it reinforces and gives them confidence in their space and builds community uh especially as people go off and work somewhere else so we have a 90 day internship program

and if you guys have questions about that about building a cybersecurity internship program at your organization happy to have that conversation too um so other cyber security framework versions i you know identify protect attack respond i feel like i'm i feel like i'm like quoting octonauts right now when i say that um i don't know if you guys watch knockdowns no one laughs so no one here has any kids um protect detect respond recover so um identify critical assets within your environment and put key personnel in place in order to protect them enable enterprise security close visibility gaps implement and train response implement and train based on response plans configure proper backups lean on professional security services

and business continuity programs okay here is my last slide let's see how fast i talked that's okay um so if this right here is the exploitation or the pen testing life cycle my initial suggestion is to work backwards if someone's going to exclude data if there's this is the key bit of element or piece inside of your environment that's like the keys of the kingdom and i'll tell you domain and insured privileges are not the answer to that because who cares if you got it if you're stealing critical data pii passwords credit card information that's the important data in your environment and that's what we're talking about here is identify critical data identify critical data in your environment what

do you have where is it at and who can see it answer those three questions these machines have access to this why close this access down nobody needs to be remotely logging into all of our credit card systems so network visibility who has access to that host visibility what's happening on our hosts why are things changing and manipulating you know i think jacob torrey also earlier today talked about his time at darpa in using basically similar types of processes and interacting with them i don't understand everything he was talking about but i kind of do but i can't replicate it um where if you interact with the keyboard stack within a process and it makes

different types of changes over time it means that that's the structure of the process so if the structure of your processes on your operating systems are changing working slower you know everything seems to be convoluted all the time maybe you need to do a little bit of research understanding what's happening and increasing your host visibility within your environment would be incredibly helpful perimeter visibility so what's on the external of your environment when you come out there if you have something out there and you forgot about it that's probably a pretty big issue you need to go take it down because it's not being updated it's not being patched and it has direct access inside of your

environment ocean visibility in fact there's an ocean workshop i think we got here i think that's a really great spot to go to i think understanding open source intelligence and how that can help you understand like what's out there if you have developers on your team for instance i'm just going to throw developers on it because i have a java developer on our team who i love but i hate java so i always get more time writing in like different blogs everybody knows that he works with this company he's going out there and he can't figure out hey we have this external piece of infrastructure he doesn't actually do this but we have this external piece of infrastructure

and he can't figure out you know how to get this to work how do i use this or get this particular module to work on this operating system well what module are using what operating system are you using what's your most recent patch well guess what you've just done you just gained an adversary every single bit of information about your externally hosted infrastructure that as soon as your volume video comes up they can just keep track of that and launch it at your target and gain access just keeping in mind that if you're posting information on stack overflow and different types of questions rein it in uh and then so after you get all this

information back together performing risk determination about where to start and how to help okay that's everything we've gone through a little bit out of breath could talk so fast but um what else we got i can go back and forth to different slides or we can ask questions about other stuff just kind of depends yes you had mentioned that there shouldn't be smb access laterally would that apply to like windows admin shares those windows admin shares would be from a workstation to another workstation correct hypothetically i'm not saying like oh yeah yeah okay i mean i would just i would just want to know what the use case for those windows admin chairs are before i would give a definitive answer

on that you know are they sharing stuff back and forth if that's the case why are they storing something on a file server somewhere so i guess that those would be my questions but if you were asking that question say hey we need this open i'd be like well no you need to do it like this instead plus we got involving your policy if you found that involving your policy team when developing out your purple team has been super helpful especially because you're using an attack framework that is based off of minor which also has the blue team attack framework too or the blue team framework yeah so when you're saying uh have you found that

involving your policy team uh helps when working in conjunction with multiple departments within your environment that's your question basically yeah and within policy you mean like how are we interacting with or what is like within that aspect of policy yes like implementing specific mandates you have to do it like this you have to help with this but once you identify this and you have a specific sla in order to perform this action or nist frameworks need to be implemented or so on and so forth you have to do that if you're not in including policy or legal in these processes ultimately that team is going to leave that's learned all this stuff and you're going

to start from ground zero when the new team comes in yeah what else we got today i'm sorry did i answer that question any other questions here yes sir again uh do you you yeah i'm involved yeah uh do you so so this question is again in relation to kind of the automation around uh you know using metastoid to emulate an adversary yeah how do you correlate this adversary uses these metasploit modules like is this just you may have mentioned it in the picture so that's actually a really good um question and the distinction there would be that i would tell you adversaries are not using medical modules um they're using customized framework that are

associated with specific ttps which those ttps are they're launching these types of exploits they're hitting java they're hitting solar winds whatever it might be but they're still doing this we're still doing that there are metasploit modules to attack those same pieces of framework so understanding what they're attacking and how they're doing it and the different processes that they're doing then you're mapping those ttps to something in the wall or in the uh open source community that you can leverage it may not necessarily be multiplied but it's just a really good easy framework got it uh and so it's just open source intelligence to figure out what the etps are and then you build your automation

around it i would tell you that minor attack has made that open source intelligence but generally speaking the answer to that is no you know i work in a lot of programs in conjunction with alphabet soup if you will that give different intelligence to actor organizations and what type of ttps they're leveraging but minor tech framework because of the open source community anonymously providing different information being able to broadcast that back out for open source information sharing has been incredibly helpful in the development of something like the minor attack framework that totally answers my question cool great perfect any other questions yes sir so i appreciate your presentation obviously this is an advanced field i

guess my question is i'd assume that for a company that doesn't already have this type of talent skill set in-house is going to be outsourcing you know for services so my question is at what point would organization be smart to what criteria what threshold would they pass where they were going to have some of this capabilities kind of in-house basis yeah that's a great question i'm going to pull a katy nichols answer and it depends um it really just depends on what the maturity of their stuck is that uh everybody hear this question at what point are you hiring in external mssp in order to perform these adversary emulations or a pen test against you at

what point do you convert that over and start doing that yourself i would say you it's a specific threshold of what you're doing if you haven't hit a specific mark yet continuous monitoring you know integrated deployed enterprise wired edr solutions vulnerability vulnerability scanning one of the assessments to begin holistically with asset management what do i have in my environment if you don't know what you have in your environment you shouldn't be trying to test all of it you need to be like identifying scoping understanding what you have there and then as you understand what you have there scoping that out into like smaller scales as you're working with remote team to perform vulnerability identification in your system and then

even performing pen tests in your environment um to understand those visibility gaps while you're maturing on the inside and then as soon as you come up and you begin to understand all those results that they're sending in they say okay i feel like i can start producing some of this myself but i'm only two people so we don't have the time to do this nor do we have the funding to do this even though you can do it the answer is you still shouldn't do it um until you do have the resources and funding and the expertise and maturity within your stack in order to perform those actions i guess that's my answer so it just

still doesn't depend but it depends on where you're sitting i heard resources funding maturity welcome books um what else

do you see these groups quickly changing or adapting new ttps once they've been profiled or do they kind of stick with those for quite a while regardless yeah i will tell you that people on our side of the fence know the people on the other side of the fence intimately you know we know who they are we know where they work where they're getting training at where they put their file pass whether they get access to remote machines how what their naming conventions are for their executables specifically for doug or bob or replace that with a chinese or russian name you know we know when they go to our training and they're learning this new

concept out of training within four to six months or up to 18 months we might see that http start to be used so um yes they are they do move i'm getting a little bit of feedback um we do uh we do start to see those changes within ttps over time but until adversary um personnel on teams move or take other training lots of times you just use that same stuff for long periods of time we start to see changes in management changes in personnel you can anticipate changes in tactics yes don't make it work brother mike say i'm a small company and i only have a limited amount of funds for smart people and i'm going to go for a pen test which

contest am i going to choose web app internal or external it depends it depends on what you have where is it at and who can see it so do i have proprietary configured or developed software that have been developed in-house and we're hosting that externally i would tell you that if that's the case and that stuff has not been assessed yet you need to start there you develop things in-house you don't have you know secure coding best practices if invented internally you're not performing dash or sas solutions against those or assessments against those that's step one um in the event that you're not developing that let's just say for instance your energy company and you're not developing

anything internally um i don't have any idea where it works so if you happen to work in an entry company it's just a good guess um but you're doing that you're not developing any of your own stuff you're just using third party infrastructure um some type of externally hosted infrastructure pen test would be a good place to start but also keep in mind that uh majority of you know attacks nowadays in small medium businesses do happen based on phishing campaigns where you're interacting with something or something browsing or something and you hit a web browser so vulnerability scanning against targets this is a good step so setting up a necessary internally you can do that yourself

depending on how much you've learned uh 2500 you can do that you can scan your entire infrastructure as long as you can understand the difference between a false positive and a non-false positive and then uh implement severity uh severity against those results and begin that way so that's one step you can do that internally in the event that you're hiring somebody an outsider i would say it outside but again it depends on what you have and where as it comes any questions all right hey guys thank you so much appreciate your attention and you guys have a great day