
Welcome to Interactive Threat Defense: Incident Response, Threat Intel and Red Teaming. Our speaker is Eric Goldstrim, and he's the security incident response manager at Cambia Health Solutions in Portland. He built a new program called Interactive Threat Defense, which will be the subject of the presentation. Prior to the private sector, Eric worked in the DoD conducting both computer network exploitation and computer network defense operations. He has an MS in cybersecurity, and his certifications include the CISSP, OSCP and SANS certifications. Would you please give a warm welcome to Eric.

Hello, good afternoon. Thank you very much for the introduction, thank you BSides PDX for having me, and thank you all very much for attending my presentation today. I'm talking about interactive defense, like you said, which is a combination of incident response, threat intelligence and red teaming. The goal of the presentation is to provide small and medium-sized businesses an avenue to implement these capabilities if they don't already have them today, and for large companies to combine these capabilities together and make them more effective. So it's going to start kind of strategic, and as I progress it'll get a little bit more tactical, and then finally I'll be discussing some open source tools that you can use along the way.

So here's the agenda. First I'll start with a quick intro and then a background about how ITD came to be, and then I'm going to be diving into incident response, threat intelligence and red teaming: what they are, why they're important to any organization, and ways to get started. Now, if I created the presentation correctly, I put a higher ratio of content for specific functions, so just out of curiosity, how many of you at your organization, with a show of hands, have an incident response program? Almost everybody, awesome. Now how many of you have a threat intelligence function at your organization? Show of hands, about half, okay. Now how many of you have a red teaming function? Okay, so I think I got it right. But how many of you just have insanely good OPSEC and don't want to say otherwise? Okay, good enough. Now of course at the end the presentation will be providing examples about how this actually works out, and then I'll take some questions.

So who am I? I already had a great introduction so I'm not going to elaborate on that, but I work at Cambia Health Solutions, which is a hundred-year-old healthcare company that kind of evolved into more of an app-centric and technology company, and it's that culture of innovation which allowed me to build this program kind of from scratch. So here's the background. It started a couple years ago and was formalized earlier last year, so it's been a program in our organization for about a year and a half. I landed on "interactive" partially because it pays homage to a previous life before Cambia, but also because it translates to a very hands-on, proactive program, which I'll be expanding on later. And then if you look at the definition it's kind of interesting, because it means two people or things influencing or having an effect on each other, and that kind of speaks to the collaborative nature of ITD as well. So that stuck with me, and interactive is what I landed on. Truth be told, you will not find an interactive threat defense, at least a program named that; as you saw from the raise of hands, you'll find IR, CTI and red teaming everywhere. And then of course threats are what we're combating and our defense is what we're improving.

So here's a snapshot of the program portfolio, and the mission is providing a proactive, data-driven, hands-on approach to identify risks and validate security controls. Now generally in InfoSec what we do is we start by identifying risks, then we prioritize those risks, and then third we either accept or mitigate those risks. The cool thing about interactive threat defense is it's more proactive in nature, whereas risk management traditionally is very reactive. Interactive threat defense does all of those things: it finds these risks, it identifies them, and then it helps to mitigate them, all more proactively than risk management traditionally is.

Now most of you raised your hand for having an incident response program, which is awesome, as you should, so I won't dive into the incident response planning process; however, at this point you should have a planning process in place. If you don't, it really explains what you need to do start to finish when an incident or a breach happens: you have to understand who to contact, when to contact, who to communicate with, whether it's a vendor or a third party. The planning process is extremely important, but it's kind of outside of the scope, so I'm going to leave that out. But just in general, IR is all about rapid response to escalated incidents and building as a result. CTI is all about consuming intelligence related to your industry, and finally red teaming is all about adversarial TTPs and emulating those things to build your defense proactively.

So I know what you're thinking: a unicorn is required. I will tell you with absolute certainty that I am NOT an InfoSec unicorn, but I do find that if you're really good at incident response you can also be really good at red teaming, and if you're really good at red teaming you can be good at incident response. That's not always the case, but for example, a red teamer might be injecting into processes, they might be creating registry settings, they might be dropping files, they might be
opening network sockets. These are all the same artifacts that incident responders look for, so it's really just a correlation of technologies but a change in the tools that you're using, so you can learn either one depending on what you're doing today.

Next, it kind of sounds like SecOps, but I actually find this to be a very loaded term nowadays. I've found that some organizations call their SOC a SecOps team, and I've also found that some organizations will call basically the entire gamut of InfoSec programs that they have a SecOps team, so I think it's kind of loaded. So ITD isn't that, right? It's incident response, threat intelligence and red teaming only; that's all it is. Now a valid concern is you may not have enough resources, but these capabilities really balance each other out really well, which I'll explain later on in the presentation. And some of you might also be thinking, "All right, great, Eric, this is just a purple team, this has been done before." But where a red team is emulating adversary TTPs and a blue team is defending against that type of stuff, a purple team really bridges the gap in communications between those two teams. What ITD is trying to achieve is filling that gap, putting them together, eliminating that gap, and doing that with specific workflows.

So let's talk about that. When I say workflows, these are things like an out-of-band chat, a centralized ITD intake system that I'll be expanding on later, and then just a simple ITD dashboard to keep everybody in the loop. What you see on screen here is a wiki, which I think at this point most organizations have; it is just a custom wiki. You create this dashboard and it has a date, a summary and outcome of what happened, or the lessons learned after each of these different events happens, the source, whether it's CTI, IR or red team, it has a details page, and it has the status. The details page is just a quick link to really understand what happened for that specific event and how it was responded to, so it'll have things like the manager, the handler, the technical POC or POCs that were involved, the more detailed summary, the workflow with date and time stamps, the IOCs, and so on and so forth. What's great about this is not only can your team really understand what happened for that event if you have to hand it off, but you can publish this and hand it off to another threat intelligence person that you're trying to communicate with for a specific event, you can hand it off to management if you want, you can export it, you can make a PDF and hand it off to anybody on the team. So really it's all about flexibility, and I'm all about tailoring your program regardless of what the program is, but especially with ITD.

So in order to understand incident response you have to have an idea of what an incident is. I'm not going to dive too deep into definitions; really I would just recommend following what the compliance definition is first. All right, so if you're in healthcare there might be a HIPAA definition, if you're in financial it might be PCI related, if you work in Europe it might be GDPR. Just really follow the regulatory or compliance definition first and you can't go wrong. If you look at some of the definitions that are aligned, however, it kind of centers around the CIA triad, the confidentiality, integrity and availability, and the intent to harm one of those three things. So this is very process driven: stick to regulatory compliance definitions first. Chances are you won't be escalating and responding to incidents and breaches every day at your organization, at least I hope not. You could, it's possible, but what we've done is expand the scope to security events to be a little bit more general. So a security event is an ongoing or imminent information security circumstance that should be investigated to determine whether it has the potential to become a security incident. So whether the event is ongoing or imminent will determine what methodology you might want to use, and so for ongoing I really like the SANS methodology, which has been most effective for us, the PICERL methodology. I'm not going to deep dive into every single one of these phases; however, preparation is all about personnel training and a pre-established planning process like I mentioned earlier. Identification is that precursor where we first hear of an incident; it could be from an ISAC, could be from another organization, that precursor. Containment is all about ensuring an incident is isolated, eradication is done to make sure an attacker is completely out of your organization, recovery is getting back to business as usual, and then finally lessons learned is wrapping everything up, bringing everybody together to figure out what happened and how to make sure that doesn't happen again.

The only reason I bring this up is because I want to put a lot of emphasis on containment and lessons learned. Containment: the reason is because one of the keys to incident response is agility. You have to be rapid, and the containment phase is not a good time to start re-architecting or re-engineering certain technologies that you do have. This is the time where you have to make sure that a system is isolated, that the hacker is out of your network with that eradication phase next, to make sure that that problem is contained before getting ahead of yourself. Lessons learned is incredibly important but often overlooked, so you do not want to let anything go to waste, and this is also one of the core features of the ITD intake, which like I said I'll get to in a few slides. Now for those imminent security events that might get brought up, you might want to apply an attacker's lens: what might actually happen if something is followed through with? What I mean is something like seeing odd desktop behavior, a vulnerability assessment, or threat actor information from threat intelligence. On the left side you see the Cyber Kill Chain, on the right
side you see the MITRE ATT&CK framework. This could be threat modeling, this could be a hacker methodology, any framework you might find interesting to apply that attacker lens so that you respond appropriately.

So some of the keys to success for incident response: pay close attention to lessons learned. Yes, I'm going to put more emphasis on that; I can never put enough emphasis on this. Do not neglect an opportunity for improvement. For example, a specific business unit might have been compromised or their systems might have been involved in an incident. Just closing the gap on that one incident, that one problem, is fine; however, it's probably a systemic problem. You might want to use that opportunity to then talk to that business unit about really understanding their posture. It might have been a missing patch that happened, which, you know, you just patch it up, you make sure that the attacker is out, but then they might also have a lack of security agents, they might have configuration management problems, they might have a bunch of security waivers in place because they're afraid that security is going to break their stack. Use this as an opportunity to, I don't want to say strike fear into them, but use it as an opportunity to really explain what's going on and how to make sure an incident doesn't happen again.

Third is practice makes perfect, right? Practice, practice, practice. If you're not practicing at least once a year with some type of exercise, you should be, and try and get as many business units involved as you can: get legal involved, get your privacy team involved, get PR or strategic communications involved. Let those folks know this is what you're trying to achieve during an incident or a breach; really understand that with the entire business rather than isolating it to your security team. But I will say what's really effective as well is if you do some type of war gaming with your SOC or your SecOps; that can be really effective as well. And then constantly improve on visibility. If you can't detect an attack you've already lost, and if you can't investigate the attack you've lost even harder, so always expanding on visibility is incredibly important. I'm going to jump to that, talk to that a little bit more, and then go to threat intelligence.

So this is my vision, pun intended, for the visibility, detection and response stack, and I think this is a really common pitfall where you might be an organization that is trying to emulate one of your partner organizations, or you might be an organization that's trying to get the best and brightest product, or a vendor is really good at selling you a product. That's a bad thing to do. I think it should start down at the bottom with log management and work its way up, and if you do this your implementations are going to be a lot more effective; you're going to get a lot more value out of your products, and much more quickly. So starting with log management, this is a good opportunity to get the entire business involved. It might not just be about InfoSec use cases; a lot of them might be, it might be compliance, it might be incident response if you're starting from a top-down approach, it might be operational, you might need troubleshooting logs for other parts of the business. So really understanding what the use cases are will drive the data sources that you need from log management. Then you can start ingesting those sources and have a really good idea of what you have already before working on your analytics platforms, by which I mean a SIEM solution of some sort, a user and entity behavior analytics platform; these are technologies, like I said, to stack on top of each other. One thing that I hear about with analytics platforms is next-gen SIEM, cloud SIEM; I hear about these terminologies all the time, and I think one to two years from now a lot of the things you see in these next-gen SIEMs right now are going to be pretty standard, so be patient with this. You're going to see a ton of pre-built use cases which could help you with the use cases you've already established at your organization, you're going to have a bunch of data sources they can already ingest for you, they're going to be either SaaS or on-prem, which is fantastic, they're going to be able to ingest from a centralized data lake of some sort. These are all going to be standard. I think what next-gen, at least for me, actually means is the licensing model. We have so much data at our fingertips that we can almost realistically detect some of these more sophisticated attacks at our organization; however, we're often handcuffed by events per second, by consumption-based modeling, by gigs per day. I think what you're going to find is a change in that licensing model and a better opportunity for us to better detect with our technology.

So once you get to that point you really want to enrich and understand the data you have ingested, and if you can do that you can have much higher fidelity alerts coming out of your SIEM, and you can get lower MTTR, lower MTTD, and overall have a better SOC security posture. Now I will caveat that with: you could probably slide this out, especially if you have an analytics platform that already has threat intelligence built in; however, I do think threat intelligence in general is pretty important for adding context. Once you get to that point, like I said, high fidelity alerts, higher success for response, you can now automate some of these things. You can't automate all the things; I know that was a huge discussion we had just a couple years ago. We wanted to bring in this solution to fill the gap a lot of us have of being undermanned and needing to respond faster and more accurately, but the reality of it is a lot of those automation playbooks come directly from security tools, including this analytics platform. So start from the bottom with log management and then lead into automation. On to threat intelligence. I'm going to pause here for a second for suspense.
So it's all about the dark web when we talk about threat intel, right? What I actually do, where it's frustratingly accurate to a certain extent. But a quick note about the dark web: do you have to speak multiple languages to be the best threat intelligence researcher? Do you have to be able to reverse malware? Do you have to be ingrained in multiple deep web forums and marketplaces to be the absolute best? Yeah, probably; to be honest, you probably should. But to be effective in threat intelligence, and use those to your advantage and start a threat intelligence program at your organization, I don't think those things are necessary. But some of the common concerns that I hear about pretty often: there's that technical barrier to entry. It's not just about configuring, setting up Tor to connect to these marketplaces and forums; it's about knowing what onion addresses to navigate to that actually prove value for you and your organization. It's also about making sure you're not getting in trouble. If you've talked about this with your legal team, their hair is probably on fire just talking about interacting with people on the dark web, and I understand it's a really common concern, so you might not want to dive right into this. But it is important; however, this is not the end-all be-all. If you're really curious, you can look at these clear web search engines like Ahmia and DarkSearch; dorks are supported. If you're really curious what's on the dark web, it's on the clear web, so you don't have to worry about any of those technical or legal problems; you just search for something and it'll pop up with whatever your company name might be, including whatever you plan to dork.

So threat intelligence can be tough to explain even to InfoSec professionals, but this is the best way that I found: your organization is a delicate ecosystem of these intertwined processes, and they are well understood. Unfortunately we have these outside influences that are out of our control, and this is where threat intelligence comes into play; this is why it's so important. So I work in healthcare, as I mentioned, and if you look at the spring here, a hacktivist might not like US healthcare in general, a cybercriminal might find value in the data that we own, an opportunist might come across a misconfigured system and just take advantage of that, a nation-state to a lesser extent might attack us to take our IP or something similar to that. So for each of these categories, the better you understand the exact attackers that are targeting your organization, the better you can understand those tactics, techniques and procedures, the better you can understand the IOCs, and the better you can understand the mitigations that you have to put into place. So I'm not going to dive a lot into that; however, I do want to talk about a few key things about threat intelligence when you're first getting started.

The first is building that trust. You really have to build trust, and a great way to do that is, if you're from a DoD or government background, you probably have some type of clearance, or you have an understanding at least of the classification system. This is kind of the private sector equivalent of that; it's from US-CERT and it explains what you can and cannot share whenever you're sharing information between different communities and different organizations. So I'm not going to read every single word here, but TLP:RED is all about participants only, AMBER is all about organization only, GREEN is community, and then WHITE is fair game. The better you implement this, the faster and the more trust you can build when you're communicating with others, and then you can start doing those things: you can start joining communities, you can start subscribing to feeds. One that I really like, because it's industry specific, is an ISAC, Information Sharing and Analysis Center. Like I said, if you're in healthcare they have H-ISAC, if you're in finance they have FS-ISAC, they have one for DoD, government and IT, and they have a lot of really great ways you can start ingesting, at the very least, and consuming deduplicated threat intelligence data which is specific to your industry, and this is extremely important. You can also start consuming feeds like US-CERT's, some of these other government feeds like AIS from DHS. Recorded Future is a paid-for TIP, threat intelligence provider; however, they have a free feed that you can subscribe to which provides a lot of cool data: they have news, targeted industries for that day, emerging threat actors, vulnerabilities currently being exploited, emerging malware. A lot of these really cool things that you need from threat intelligence come from a lot of these feeds, so these are great ways to get started if you don't have a threat intel program. And then, shamefully, I threw social media on here. You can set up a TweetDeck, it can be a non-attributable account if you want, but set up a TweetDeck and start following these hackers that are posting and bragging online, security researchers releasing different code and 0-days; a lot of the thought leaders in these areas will prove a lot of value. And Reddit: I was really debating whether or not to add this because it's kind of hit or miss. Don't spend more than a couple minutes on this, but you can have a multireddit that combines a lot of
the InfoSec related subreddits, and then you have a single pane of glass and can read through that real quickly. Like I said, spend a couple minutes; if you're not finding value in it, just add "plus memes" at the end and then you'll at least have fun.

So one of the things that I really love about threat intelligence is the impact it can have for vulnerability management. Prioritizing vulnerabilities is insanely difficult. We have these vuln scanners and they give you a score that's pretty good; sometimes it's based off of NVD CVSS scores, sometimes it's based off of the vendor scoring, sometimes it's based off of an exploit being available in Metasploit. This is still not enough; that is not enough to prioritize these hundreds and probably thousands of vulns that we have to assess day to day in our corporate environment. So what threat intel does is it helps prioritize vulns based off of things like: has it been seen in the wild, right? Is it actively being discussed on dark web forums? Are exploit developers on the dark web spending time developing PoCs for these types of exploits? The other cool thing is, it's kind of well known at this point that the Chinese NVD is quicker to publish than the US one, and so it's kind of nice to have that threat intelligence background. You can't read Chinese; then threat intelligence providers kind of help you with that.

Another thing that I use OSINT for, and this is kind of low barrier to entry, is tying back to incident response, right? We get vendors that reach out to us and let us know that they've had a breach, minor and major, and a lot of vendors are good at doing that. So by this point you should have some internal and external communication templates, really understanding the root cause; if they're reaching out to your users you can understand what's going on with them. However, your third parties may not be good at notifying you promptly, or notifying you at all for that matter, so that's why I really like, as I was saying, you follow blogs, you follow news articles, you subscribe to these communities, and if they don't notify you, the verbiage of those templates changes dramatically when you reach out to them instead of them reaching out to you. That changes the whole dynamic of incident response: you want to know what they're hiding and why they're hiding it, and that kind of changes the template as well. So use OSINT to leverage learning about your vendors and talking about necessary response. And then if you're not directly involved in that incident that you do discover in news articles and blogs and so on and so forth, you can at least use those lessons learned. So use those lessons learned, and the one that popped out to me: a few weeks ago Capital One was breached. We weren't directly involved, as far as a relationship with Capital One goes, but what happened was it was a server-side request forgery. The attacker forwarded a request through a misconfigured WAF that was on a host in AWS, and they were able to query the EC2 metadata service to pull down credentials. They used those credentials to reach out to S3, list all of the information that was in there, and then pull down all the information, which is kind of a disaster. But this is a good learning experience, right? Even though we weren't impacted, we jumped on a call, we assessed our environment because we use AWS. If you use AWS you might want to discuss that; you might want to just go through a checklist of what they learned from their incident and then adapt that to your own environment.

So on to red teaming. I think red teaming is usually the odd man out in most organizations, especially for small and medium-sized businesses, but it's vitally important for assessing your posture, and it's also my personal favorite, so I'm going to get to nerd out for a little bit here. Oftentimes when we're going through the risk assessment process we land on a technology to mitigate the risk, and we kind of just trust-fall into vendors and depend on them for fixing that mitigated problem. We should be testing those vendor mitigations and technologies; we should be testing what we're not filling the gaps for, and that's really important when you're looking at a red team. Now when you're first starting out, you know, I wouldn't cause impact when you're doing red teaming, right? You do not want to be that team responsible for crushing a business critical service. You have to build trust first. I pulled these ROEs down from Microsoft's red team, and I added one of my own because it's applicable to my environment, but I obtained permission to conduct red team activities first. I think this is important when you're first starting out, maybe less so as you progress and gain that trust, but follow a change management process, letting them know what we're trying to achieve with a red team, and then you can let them decide, you know, if you're causing some type of problem with their application stack, they need contact with you and your back-out process for that kind of problem. Once you start gaining that trust then you can do these things on your own, but you see a lot of these other ones: you would not intentionally cause any type of harm, like I said, crush any services, you don't want to cause any problems in your environment, and treat the critical and high findings from your red team just like you would in vulnerability management. Don't share this out or overshare. Also, when you're first starting out you likely won't have the time or resources to have a full-fledged red team campaign, where a full-fledged red team campaign might be emulating an APT of some sort, so they might footprint and pull down some email addresses, either brute force or social engineer with spear phishing, they might gain access to a system, clean up, escalate privileges, implant, move laterally, try and gain access to a DC, they might try and look for information that is sensitive in your environment. When you're first starting out there's not really a time or a place for that. Instead, if you break
it down by each of those steps or some type of hacker methodology you can address those things one by one unless of course there's a caveat where one phase might be dependent on the previous one but if you follow these steps and kind of break them down one by one and then do those TTP's you can get a lot of value and when you're starting out with a writing i'm conveniently these also align pretty well with a man miter attack framework as well so would not be an info set conference without some mention of a minor attack framework right this is that mention I'm not gonna do like that 20,000 foot overview and kind of dive into it excuse me I want to
get straight to the point and give you a potential delivery point if you're not familiar with minor attack framework I'll give you a quick summary the 30 second view is let's say an attacker gains access to a system where spearfishing whether it's an unpatched system an attacker has a finite number of things right it's much more than the minor attack framework has but if they have a finite number of things they can do when they access that system right so the minor attack framework explains what an attacker could do and that kind of walks the full gamut in a 12 step process that you can follow and actually start to run through so I have five
steps listed here I started with easy steps because they're actually really easy to start down this path however they are kind of tedious I am going to dive into these five steps but this is me letting you know that's it's actually pretty easy to start implementing right out of the bat so I'm not a huge fan of spreadsheets I ditched them every chance I get but um cyberwar dog if you haven't heard of him he's one of the best throat hires out I've applied his kind of metric spreadsheet to red teaming which I'll explain in a few slides but if you use a tracking spreadsheet like this you let managers know the progress that you're
making and you understand your maturity over time and then you execute these red canary unit tests I have that a github link there so you can kind of use that and then you validate what is being detected or not detected in your security stack after that you score that outcome in the spreadsheet and then mature over time so this is just a quick look at what that metric spreadsheet looks like like I said I hate spreadsheets and I'll talk about how you progressed past this but this is a good starting point this is the first three phases of the mitre attack framework I kind of blew it up like I said there's 12 phases but this is an issue access
execution, persistence. The reason I threw this on screen is because you see a column right next to it; that's what's going to become the scoring column, and you're gonna develop this into a heat map. So once you have that spreadsheet ready you can start scoring. This is something that I have that is vastly different from Cyb3rWard0g's, where I converted this into more of a red team mindset. So really what it is: a score of 1 is it was not logged or detected in any way. Number 2 is it was logged but no alert was thrown. Number 3 is an alert was thrown but it's not being triaged by any team like a SOC or a SecOps team. 4 is an alert was thrown and it was sent to a ticketing system like Jira, Remedy, or ServiceNow for a team to triage and work on. And then 5 is the technique was fully blocked or mitigated; this could be with something like a SOAR and some automation. So, 1 through 5.

Then once you have this scorecard, you have your scoring spreadsheet, you can start executing on these Red Canary, what they call execution framework. So this is really easy; it's honestly really this easy: you download the Atomic Red Team execution framework, you install the script, which is just a .ps1 file in the repo, you install that script, you import the module, and then you're ready. You can execute all of these with just, you know, a couple of arguments. But if you execute these, I'll warn you that they'll all execute at one time, and it's really hard to assess your different security tools all at one time when you're executing all 120 or so of these checks. So instead I recommend just tacking on -ShowDetails -InformationAction Continue, and what it's going to do is print to the console all of these different techniques. Then you can just copy-paste into a PowerShell command prompt or a command shell, and what it's going to look like is what I have down on the bottom of the screen there. It's an Invoke-Expression, right, IEX: it's downloading a string from githubusercontent for Mimikatz, and then it is invoking Mimikatz to dump the creds. So this is a pretty common technique, and what you might want to do after you execute this one line is look in your EDR: was that detected? Was it detected in the proxy calling back to that content? Was it detected at the IDS/IPS calling back? I mean, there are so many different ways to detect this that you should be looking through your technology stack, and then of course, like I said, progressing and maturing over time.

And your mileage may vary, to be honest. You don't get 100% coverage, like I said, but I honestly haven't found a product, not even a commercial product, that has complete coverage over the MITRE ATT&CK framework. So last time I checked there were 259 total MITRE ATT&CK techniques; this covers down on about half of those, 117, which is a great story; they'll keep you busy for a while. So once you do that, you look in your security tools to make sure it's detected or not, and then you develop this heat map. Then you average up all these scores and then you figure out the outcome, right, the average over time for each of the different areas, and now you can average the scores and see how you're improving.
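The 1-to-5 outcome rubric and the per-tactic heat map described above, worked through as an added Python example (this is not the speaker's spreadsheet, Cyb3rWard0g's, or Red Canary's code); the technique IDs, tactics and outcomes are constructed sample data, and a second run is included to show the over-time comparison.

```python
"""Added example, not from the talk: the 1-to-5 outcome rubric and the
per-tactic heat map built from Atomic Red Team runs (constructed data)."""
from enum import IntEnum
from statistics import mean


class Outcome(IntEnum):
    """Speaker's scale for what the security stack did with one atomic test."""
    NOT_LOGGED = 1   # not logged or detected in any way
    LOGGED = 2       # logged, but no alert thrown
    ALERTED = 3      # alert thrown, nobody triages it
    TICKETED = 4     # alert routed to a ticketing system for triage
    BLOCKED = 5      # technique blocked or mitigated (e.g. by a SOAR playbook)


# Constructed results of two runs: (technique id, ATT&CK tactic, outcome)
RUN_1 = [
    ("T1566", "initial-access", Outcome.LOGGED),
    ("T1059", "execution", Outcome.ALERTED),
    ("T1003", "execution", Outcome.TICKETED),    # credential dumping test
    ("T1547", "persistence", Outcome.NOT_LOGGED),
    ("T1053", "persistence", Outcome.LOGGED),
]
RUN_2 = [  # same tests after tuning Sysmon/EDR rules and adding a SOAR block
    ("T1566", "initial-access", Outcome.LOGGED),
    ("T1059", "execution", Outcome.ALERTED),
    ("T1003", "execution", Outcome.BLOCKED),
    ("T1547", "persistence", Outcome.LOGGED),
    ("T1053", "persistence", Outcome.TICKETED),
]


def heat_map(results):
    """Average score per tactic: the column that becomes the heat map."""
    by_tactic = {}
    for _, tactic, outcome in results:
        by_tactic.setdefault(tactic, []).append(int(outcome))
    return {tactic: round(mean(scores), 2) for tactic, scores in by_tactic.items()}


def overall_score(results):
    """Single number for management: the average across every technique."""
    return round(mean(int(outcome) for _, _, outcome in results), 2)


def gaps(results, at_most=Outcome.LOGGED):
    """Techniques scoring at or below a threshold: where to tune detections first."""
    return [tid for tid, _, outcome in results if outcome <= at_most]


def progress(before, after):
    """Per-tactic change between two runs; positive means coverage improved."""
    earlier, later = heat_map(before), heat_map(after)
    return {tactic: round(later[tactic] - earlier.get(tactic, 0), 2) for tactic in later}
```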
This is great for management, so it's good for proving value. Like I said, this is how you improve scores: you can work with vendors, you can explain to them how they can improve their product. They are usually very receptive; they might even have a roadmap to implement what you're talking about with them. EDR is great, NDR is great, but I promised open source, so Sysmon and auditd, for Windows and Unix, are both fantastic, and just by implementing these in your environment you can detect at least a third to a quarter of those techniques, and then you can progress to fully protecting. You've probably heard of the SwiftOnSecurity Sysmon configuration; I like Olaf Hartong's a little better because it aligns directly with the MITRE ATT&CK framework. Same idea with Unix: you don't see this very often in talks, but bfuzzy has a really good one that also aligns with the MITRE ATT&CK framework.

So from a red team infrastructure perspective, once you have the MITRE ATT&CK framework down and are proving value for the red team, now you're ready to build out an infrastructure. Now, I understand, public IPs for some of these VPCs; what I meant by that was you just whitelist your corporate network, and then you're ready to start testing safely. This doesn't have to be AWS; it could be Azure, it could be GCP, wherever you want to build this. Start with an OpenVPN. At this point you can assess your internal network with Kali, but then when you connect to the OpenVPN service you can test out your external footprint, and then you have the opportunity to build out your infrastructure: redirectors, your command and control, your team servers, Cobalt Strike, and all those sorts of things. I recommend looking into the automated versions: there's RAI, Rapid Attack Infrastructure, which is kind of infrastructure-agnostic; there's also the Terraform version that came from RastaMouse, which is also pretty good as well.

Now once you have the infrastructure in place you can start going down that hacker methodology one by one. I like footprinting a lot because this is extremely low barrier to entry, really easy, and it's great especially if you are implementing user and entity behavior analytics, because you can dump the output of these tools directly into a watch list and just keep an eye on what these users are doing, because they are very likely to be targeted. Then you can jump ahead to enumeration. If you haven't run these three tools or something similar, I highly recommend it; Nmap can help to reduce the external system footprint and also the port footprint. This can be extremely effective, but it also has a side benefit of making sure that your WAF, where your authentication services are, is protecting efficiently: you shouldn't be able to connect directly to an IP address, kind of bypassing those services and the WAF. So this is a good way to make sure that your firewall is properly fencing those things off. EyeWitness is really good about inventory and taking snapshots of your web assets, and Amass, which comes from OWASP, is really good about enumerating certificates, DNS, subdomains, and those sorts of things. So this is really good to start down the path of exploitation and initial access. I'm not going to spend a lot of time on this, but there are some areas in here that, once you get to a good point with the previous phases, you can kind of jump to, with
spear phishing, repeating what pentesters might be doing, kind of ad hoc independent testing depending on what the business need is, and then finally how to mature. So you want to get to a point where you automate a lot of these things that you're doing. Breach and attack simulation, Caldera, and ATT&CK Navigator are a good way to get out of the spreadsheet mindset and automate a lot of those things that you're doing with those unit tests from Red Canary. You can also go to Active Directory auditing and do some of these techniques that are very, very well documented, and branch out from there. And then living off the land TTPs, I think, are a similar set of really cool techniques that are almost like MITRE ATT&CK but kind of take it a step further, with slightly less tracking mechanisms, but are really cool techniques that you can use to test your infrastructure.

So tying it all together: how do we combine these efforts and kind of just change the hat that we're putting on day to day when we're doing these things? Well, one example is on Twitter, going back to the meme: the researcher develops a zero-day and they talk about it without disclosing it to a vendor. Go into incident response mode. You don't have to just kind of throw it to the vulnerability management team; you can escalate this if you have relationships with the business units, let them know, and when the vendor does release a patch, quickly patch it and you're good to go. Then a red team can help with kind of the POC development, making sure that you're truly not susceptible to this exploit, and they can also help to set up a VM or a Docker container to do some light testing to let stakeholders know what the impact could actually be. Example two is red teaming gaining initial access. You should go into IR mode: an attacker might go to gain initial access just like you did as a red teamer, so again, go into IR mode, make sure nobody else accessed the system that you gained access to, and then, as a threat hunter and threat intel, just kind of pivot and go from there. And then finally the full process, start to finish: the ITD intake, which I've mentioned many times before, could be anything from a risk register, it could be GRC, it could be ITSM like the Jiras and the ServiceNows, but what we are trying to do is consolidate all of these programs into one consolidated intake system so you can start to prioritize those effectively. These are things from IR lessons learned, threat intel data, and red team findings. This kind of looks like an OODA loop; really it's just an iterative process to make sure you're constantly improving on your security
posture. I'm not going to dive into metrics, but threat intel feeds are incredibly important; I mentioned that, but that might kind of fall off eventually. So having feeds that are duplicated kind of becomes a waste of time, so that might be a metric that falls off. So use these metrics to prove the value over time and kind of adjust them as you see fit for your business.

And then the last few slides here: some interesting side benefits of ITD. We had a job posting earlier this year and we had a huge influx of resumes, so if you're a manager and you're looking to get some interesting candidates, really well-qualified candidates, this might be a good option to get them interested, because I was really surprised to see some really good resumes and some really good candidates for this job posting. It also helps to reduce burnout. You might have some of these really smart infosec people that just don't really like the exact thing they're doing, so if they don't like incident response, they might want to shift to threat intelligence or red teaming for a little bit, and then they can get the hang of incident response and the pressure that is associated with that. So it helps to reduce burnout. There's also the sense of urgency, which I've talked about, and also being more proactive rather than reactive.

And then the summary slides: it all comes down to people, processes, and technology. I really think you should nail down the basics in infosec, that's patching, IDS/IPS, AV; make sure you're good there, and then think about a program like this to help assess those gaps a little bit more in depth. Ironically enough, when I was putting this presentation together, I started writing this down and I was like, this is probably the same set of things you would want from an infosec professional across the board. So anyway, offensive or defensive background or tribal knowledge are both extremely helpful in this specific program. Processes are all about maturing over time, establishing requirements, letting your business know what you're trying to achieve. And then technology, right: I've talked about that pyramid or that full stack. You might not be the creator or the product owner of these specific technologies, but you should have high input into what's going on with these specific technologies, SIEM, EDR, TIPs, all these ones we've been talking about, at the very least as a content creator for some of these things. And with that I'm going to field some questions, and I really appreciate your time. Thank you guys so much. [Applause]