
Greetings everyone, welcome to my talk. I hope you're all safe and doing well. First of all, thanks a lot to Morten and Jen and the rest of the BSides crew and the BSides Munich crew for organizing this. Massive props to all of you. Right, so let's get right into it: modern adversary tradecraft. But first a bit of an introduction. Who am I? I'm Sajdal Thomas. I work at Siemens, doing adversary simulation and offensive security over there. I was previously at FireEye, and I'm a first-time BSides speaker, so go easy on me. A quick one-liner to describe me is that my head is red but my heart is blue, which means that I'm a red teamer by profession and my mentality is that of an attacker, but in the end I want the good of defense. I'm a defender by heart and I really work to make the lives of defenders easier.

Okay, straight to the point: headlines about ransomware that we've seen in the past few months, the past few years for that matter. Insane timelines: one hour, five hours, two hours. Absolutely incredible timelines for incident responders to even think about deterring or detecting or responding to these threats. Ryuk: from phishing email to domain-wide compromise to ransomware in five hours. NetWalker: RDP to a box, dump creds, RDP into the domain controller and ransom every computer in less than an hour. So yeah, this is what we're dealing with, and this is what we're going to talk about, in a sense: not ransomware, but mostly what we can do about a threat like this, an unprecedented threat and a nuisance more than anything else. Right, so a quick 20-minute adventure. Let's go in and out and get right into it.

So what is this talk about? We're here to talk about adversary tactics, techniques and procedures. Then we want to explore the overlap in the TTPs between threat actors which have different motivations. We want to see if ransomware groups, with the kind of ridiculous timelines they operate on, are extremely sophisticated, or if their malware is super complex or extremely difficult to reverse engineer, what those things mean, and where there's a little bit of overlap in these techniques between cyber espionage groups and ransomware actors. In the end, of course, we'll talk about some detection and response strategies that can help the defenders out there deal with the threats that we face today.

Okay, so those of you unfamiliar with the term might be wondering what tradecraft actually is. It isn't all spy stuff. Of course, the origins of the word do come from the Cold War, and tradecraft, at least in the intelligence community, refers to the techniques and methods that are used in spying. But today the term itself is used for just describing the skills and methods that are used for any job, for that matter. So for us, adversary tradecraft means the methods that our adversaries are using. But you might ask: who is my adversary? That completely depends, but in all likelihood it's probably not Russian or Chinese intelligence, contrary to what mainstream media would want you to believe. It most likely might be criminals and ransomware groups. So let's say, for example, if you're just selling vice verse at the corner shop, you probably don't have to worry about Russian or Chinese intelligence. However, you do have to worry about criminals or ransomware groups trying to ransom your computers, exfiltrate your data and ask you for money. But who cares, why does it matter? Well, it matters because it depends who your adversary is and how they behave. The reason I have this picture is that it's just an amazing picture. This is one of the members of the ransomware crew, and of course he operates out of Russia, based on various indictments by various governments. And yeah, he is one of your adversaries if ransomware groups are your adversary. One of the videos that I really like that describes this adversary is this one.

I love that video. I don't know if you quite got the audio, but that was a pretty good drift and a burnout. But why does it matter? It matters because ransomware groups operate differently. They're more noisy, and not noisy in the context of having super fast cars, but noisy in the sense of the kind of activity they perform in your network once they're in, the kind of techniques they use, the kind of approach they have to going about their operations. All of these things matter when you're responding to such adversaries. So you need to be able to profile your adversary and say that if this is a noisy adversary, or if this is a ransomware group, then the possible outcome in the near future, in the next few hours, is going to be a full lockout of our computers. Anyway, ransomware groups of course are more noisy. They like to just break in, grab what they can get, exfiltrate it, and then ransom the entire network, and then of course come back to you with a ransom note and say just transfer some cryptocurrency to this account, and either you comply or you don't. But there's a huge gulf in sophistication between ransomware groups and state-sponsored espionage groups, because espionage groups of course operate much differently. They're much more stealthy. They do not want to make noise. They want to remain low and slow. And of course, for them the job doesn't end. They need to stay where they are, they need to continue seeking the information that they seek, and they have to do it very quietly. We're going to talk about the low and slow part specifically in the next few slides, because that's where it gets interesting. But there are plenty of overlaps between groups, even though their motivations are completely different and their approaches to going about their objectives are completely different.

This is a meme that I shamelessly stole from one of my former colleagues, Bryce. More often than not this is the case: any loader or any sample that is found on VirusTotal, or if you're responding to a breach and you see that there's a custom loader that's doing something fancy, ultimately it is loading Cobalt Strike. For those of you unfamiliar with Cobalt Strike, it's just a framework that penetration testers and adversary simulation professionals like myself use, because it's a great platform to begin with and it gets the job done. But the point here is that it is now being used by groups with varying motivations and varying tactics. So once you get to the point of triaging the shellcode and you see that okay, this shellcode is Cobalt Strike, this is definitely Cobalt Strike, it's really hard to identify who the threat actor is, because it could be your red team, or it could be a nation state espionage group or a ransomware actor. So it's hard to draw those distinguishing lines when you're triaging these threats. But we're seeing that even though the approaches are different, there's still a lot of overlap between the various threat actors out there, and we're now seeing things like code-signed executables being very easily found just about everywhere. Criminals can just buy these code signing certificates off the dark web for 300, 500, sometimes a little more; if you want to bypass SmartScreen I think it's about 1500 or so. And it's worth the investment, because ultimately you're going to ransom a huge organization and the money makes up for itself. So code-signed executables, or code-signed malware, is definitely something that's much more common now. And the stage one or stage two in the malware, which is the code that's loaded eventually or further down the line, is turning out to be Cobalt Strike in practically every other breach, every other threat intel report that you read, every other ransomware analysis blog; it's all over. Of course, the most interesting part is the post-exploitation tools that we're seeing. We're seeing a lot of nation state adversaries as well as ransomware groups use Mimikatz and BloodHound and Responder, and there are quite a few, but the point here is that even though these tools are open source, extremely well known by the security industry and heavily signatured, they're still very popular, because all it takes is a few customizations and you don't have to reinvent the wheel. That's the interesting part about adversary tradecraft: the threat actors are finding that it's much easier to just use what's already out there instead of creating a tool from scratch. So let's say a threat actor wants to dump credentials. They have the capability to write something that's exactly like Mimikatz but isn't Mimikatz, but they would just rather not, because this has very obvious benefits. A, it saves time and effort, of course. This means you don't have to hire developers, you don't have to spend countless hours building the malware. B, it's very widely used, it's tested in production; every red teamer and pentester has already used it, and if they've seen issues they've opened issues in GitHub or feature requests. And of course the main benefit is that it muddies the attribution water, so you can never profile a threat actor by the tools that they use. To put it simply, if I wanted to be a threat group myself and I started building all these tools myself, completely custom from scratch, then I could only use them in one mission, because once they're profiled they're burned, and if I use them again then it points directly to me. So there are some very obvious benefits of using open source tooling. Of course, I have no problem with open source tooling per se, but that's a different topic that I'm not getting into.

Right, so getting into the tactics, techniques and procedures themselves. The important point here is that every adversary has to, at some point, perform a certain set of actions in order to complete their mission. This means that once the adversary is inside your network, they need to perform the same steps in one way or another. Maybe they do it differently, maybe the tools they use are different, maybe one threat actor uses tool A and the other uses tool B. So let's say a ransomware group uses PsExec for lateral movement, but maybe a cyber espionage group uses WinRM. They still need to perform that action to move laterally, and this is where a detection opportunity arises. Every single command that is executed, every network packet that's sent, every step forward that an attacker takes in this kill chain, as they call it, which is quite popular nowadays: each of these steps is a detection opportunity at the end of the day. As a defender, it's our job to think of each of these steps as a way to catch the adversary. It doesn't matter if you don't stop them at the very first opportunity. You get a second opportunity, a third opportunity, a fourth opportunity. There are always opportunities, because the attacker has to perform those steps. If they want to steal the data, they have to move laterally to where that information is. If they want to ransom your entire network, they have to compromise the domain; they need domain admin so that they can spread across the entire network.

So let's get into some popular case studies. I would be remiss if I didn't mention SolarWinds here, because it's one of the most recent and most talked about. I mean, a lot has happened since SolarWinds: Microsoft Exchange happened, and then Pulse Secure happened, and SonicWall happened. Anyway, SolarWinds was of course the more sophisticated case study in our case. We saw that the threat actor was actively reading the process space of MSBuild processes that were running on the build server. On the right you can see the screenshot from the CrowdStrike report, which still has some comments that were left in, and we can see that the hash of the process name msbuild.exe was used to compare it with the processes that were running. Then the threat actor also looked into the PEB of the process, and the PEB is where all the good stuff of a process is stored: that's where the command line arguments are stored, that's where the attributes of the process are. So the threat actor actually went to the extent of reading the PEB of the MSBuild process after finding it, and then comparing the command line arguments, and finding and replacing whatever they saw in the command line arguments, in the sense that if they saw that it was building a specific project file, then they replaced the source code. They replaced the project file, and that's how the build process was compromised. So that was a very different level of sophistication. But when you compare it to some of the most recent ransomware cases, specifically the biggest pipeline of the United States and the group that was behind it, which was DarkSide: FireEye did a pretty cool report about the tactics, techniques and procedures that they use, as well as the tools, and you can see that the gulf in class is quite different when you compare the two. You can see a lot more open source tooling, and you can see that it was much more noisy. You see CVE-2021-20016, which is the SonicWall CVE, I think, and then going down the road plenty of open source tools: BloodHound, PowerView, Mimikatz, Beacon, Cobalt Strike. So, very different, but also a detection opportunity in each step.

Going back to the initial slide that I shared: what exactly are we dealing with here? How do we deal with a threat like this when we have such a short timeline? I mean, it takes a little more than an hour just to get your asset inventories in place. How do you manage to remediate a ransomware threat? So what's important to note is that the operation tempo will almost always vary between a ransomware group and a cyber espionage group. The ransomware group will always prefer speed, because they will want to break in and encrypt everything and then leave that ransom note and just leave. But the cyber espionage groups of course require stealth. They need to stay in, they need to be in the network for the very long term, so they're looking for the long haul. The point here is that the operation tempo is always the polar opposite for both. And this is even more interesting because some of the modern defensive tech that we're seeing these days relies a lot on baselining what normal is. A lot of this technology, once you install it and place it in your network, takes 30 to 90 days just to observe. It learns what normal looks like in your network, for example, or on your endpoint, and then after those 30 or 90 days, if there's a very obvious anomaly, it'll just ring the alarm bells and say okay, this is not normal, this was not something we observed in the 90-day window, so this is something that you should investigate. This means that the trend going forward will force attackers to operate slower, and the question that you will then need to ask yourself is: if the ransomware groups start operating slower, if they ditch their smash and grab approach, if they dump the noise and start operating in a more sophisticated manner and start being more similar to the cyber espionage groups, then would you be able to see this change in behavior? Would you be able to detect and respond to it?

A good case study, or a war story if I may say so, from one of my red teams: a very popular attack that red teamers really love is the Kerberoast attack, and we will get into the details of Kerberos very soon. But the point is that this particular image is from DebugPrivilege on Twitter, and he said that if you look at these Kerberos requests from a defender's perspective, then this is an opsec failure by the attacker. Opsec means operational security, so the attacker wasn't being stealthy. What the author is trying to say is that if you just look at the number of requests that were made in that short time frame, so 7:42 am, from 4 seconds to 5 seconds, there are plenty of requests, and this is not normal, and that is why it would raise the alarm. Not because the request was made, but because it exceeds the baseline; it just goes through the roof.

So how do you detect this? What kind of detection strategies can you implement? This is one that I really like, by Jared Atkinson. He says that attacker tools are just an abstraction of the capability of that tool, so defenders need to start looking at tools as just an abstraction of the capability. So if you're talking about Kerberoasting, which is an attack that involves Kerberos ticket granting service tickets, without getting into a lot of detail about Kerberos, the attack itself can be performed by many different tools. It depends on how you want to perform the attack, but ultimately you need to break it down into what managed code is called, what Windows API function will be called, what RPC call will be made, and what kind of traffic you'll see on the network. If you're able to break down the tool that attackers used into its building blocks, then you can very well detect any of these tools. Then it doesn't matter if someone builds something custom. It doesn't matter if someone uses, let's say, Rubeus and you have detections in place only for PowerShell because you have AMSI or whatever; then you won't just rely on that one layer of defense. So you have to break down the tool, or you have to view the tool, as just a larger wrapper of the capability itself.

One of the other detection strategies that Jared also mentions is the funnel of fidelity, and this is one that I really like because it's very realistic, and it's very obvious that these are genuine problems that he has faced and the whole world faces. The problems are that everyone has finite resources: everyone has a finite number of SOC analysts, everyone has a finite number of incident responders, and of course a finite number of hours in a day. There is absolutely no way that you can analyze one million events. You can probably hire one million people, but that is just unthinkable. So the idea here is that the funnel of fidelity is the funnel of the data that you receive, and every single event that takes place cannot be investigated. Every step in this funnel simply serves the purpose of taking input, filtering it, and passing it on to the next step, making it easier for the next step to analyze whatever it is that you're giving it as output. So when you're detecting events, if you're detecting a million events, then you need to filter them out to only the hundreds that need to be triaged, and then from those hundreds you have to pass on even fewer to the incident responders to investigate, and if you see that there's a legitimate threat then you pass them on and remediate those threats. The idea is you do not clog this funnel; you keep filtering and passing it on to the next step.

Some of the most commonly used commands that we've seen: this is very helpful information from the Japanese CERT team. One of the other detection strategies comes from a very famous red teamer, subTee, Casey Smith, and he said in one of his Black Hat talks that behaviors happen over time and we need to monitor where the action happens. So we need to be able to look at the larger picture. From a red team perspective, of course, you know that attackers pay a lot of attention to blending in, so pay a lot of attention to legitimate binaries being renamed and replaced, things like powershell.exe renamed to p.exe and put somewhere else and then being run from there. You need to be able to detect very simple and silly things like those. Network connections from living off the land binaries, so binaries like MSBuild and regsvr32 and so on, are also worth looking at. And of course frequency analysis is something you should be performing, just to have a good idea if there's something odd in your network that's sticking out like a sore thumb. So if there's a scheduled task that has been created only on 10 computers out of 100 computers, then that's probably something you should look at.

Okay, in the interest of time I'm going to speed up a bit. This is a pretty cool slide by Florian Roth on how to prevent ransomware. He focuses on low effort and high effectiveness measures, so those are definitely something you should prioritize over anything else that the sales team might be trying to sell you. And that's where I stop. I'll be on Slack when this is being played; of course, this is a pre-recorded talk, so feel free to ask me questions. Thank you so much. Thank you, merci, gracias, grazie. Happy to present, and thank you once again to the BSides team.
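As an added illustration, not from the talk or its slides, of the "exceeds the baseline" point about the Kerberoast requests: a small Python detector that slides a time window over constructed Windows Security event 4769 (Kerberos service ticket requested) records and flags an account that requests more distinct service tickets within a few seconds than an assumed baseline allows. The account names, SPNs, timestamps and the baseline threshold are all constructed for this example; the tally of RC4 (0x17) ticket requests goes slightly beyond the talk, as a secondary signal that Kerberoast tooling commonly leaves.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4769 records, flattened to
# (TimeCreated, TargetUserName, ServiceName, TicketEncryptionType).
# Not real log data.
EVENTS_4769 = [
    ("2021-05-12T07:40:00", "alice", "cifs/fs01.corp.example", "0x12"),
    ("2021-05-12T07:41:30", "alice", "ldap/dc01.corp.example", "0x12"),
    # six distinct SPNs requested by one account within about one second
    ("2021-05-12T07:42:04", "jdoe", "MSSQLSvc/db01.corp.example:1433", "0x17"),
    ("2021-05-12T07:42:04", "jdoe", "MSSQLSvc/db02.corp.example:1433", "0x17"),
    ("2021-05-12T07:42:04", "jdoe", "HTTP/intranet.corp.example", "0x17"),
    ("2021-05-12T07:42:05", "jdoe", "HTTP/reports.corp.example", "0x17"),
    ("2021-05-12T07:42:05", "jdoe", "exchangeMDB/mail01.corp.example", "0x17"),
    ("2021-05-12T07:42:05", "jdoe", "TERMSRV/app01.corp.example", "0x17"),
    # a service account hammering one SPN: high volume, but not a roast pattern
    ("2021-05-12T07:43:10", "svc-backup", "MSSQLSvc/db01.corp.example:1433", "0x12"),
    ("2021-05-12T07:43:11", "svc-backup", "MSSQLSvc/db01.corp.example:1433", "0x12"),
    ("2021-05-12T07:43:11", "svc-backup", "MSSQLSvc/db01.corp.example:1433", "0x12"),
    ("2021-05-12T07:43:12", "svc-backup", "MSSQLSvc/db01.corp.example:1433", "0x12"),
]

WINDOW = timedelta(seconds=5)
# Assumed baseline: a user in this environment rarely requests tickets for more
# than three distinct services inside one window. Tune it from your own 30/90-day data.
BASELINE_MAX_DISTINCT_SPNS = 3
RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4, the type roasting tools prefer


def detect_tgs_bursts(events, window=WINDOW, threshold=BASELINE_MAX_DISTINCT_SPNS):
    """Slide a time window per account and report accounts whose number of
    distinct service names inside the window exceeds the baseline threshold.

    Returns {account: {"window_start", "distinct_spns", "rc4_requests"}}.
    """
    recent = defaultdict(deque)  # account -> deque of (timestamp, spn, etype)
    alerts = {}
    for ts_text, account, spn, etype in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        q = recent[account]
        q.append((ts, spn, etype))
        # evict events older than the window so only the current burst is counted
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {s for _, s, _ in q}
        if len(distinct) <= threshold:
            continue
        # keep the largest burst seen for this account, not just the first crossing
        prior = alerts.get(account)
        if prior is None or len(distinct) > prior["distinct_spns"]:
            alerts[account] = {
                "window_start": q[0][0].isoformat(),
                "distinct_spns": len(distinct),
                "rc4_requests": sum(1 for _, _, e in q if e == RC4_HMAC),
            }
    return alerts


if __name__ == "__main__":
    for account, info in detect_tgs_bursts(EVENTS_4769).items():
        print(f"{account}: {info['distinct_spns']} distinct SPNs from "
              f"{info['window_start']} ({info['rc4_requests']} RC4 requests)")
```

Only jdoe is reported; the repeated requests from svc-backup stay below the threshold because they all target the same service, which is the difference between volume and the roast pattern.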