
Robert is the co-founder of Hak4Kidz (Hak4Kidz.com, spelled with a K, so H-A-K for kids with a Z dot com; yes, our life as hackers is super confusing sometimes with these terms). Hak4Kidz is the first-ever official youth conference dedicated to ethical hacking, and it takes place in Chicago. Robert, thank you so much for being a part of this event, joining us now live from Chicago. If I get the okay from our AV team that we can switch over, just let me know. Robert will be joining us live from Chicago.
Are we ready? All right. Hey, good morning from Chicago. Hi, Tel Aviv. Thank you so much for having me here. I was so excited to hear that I was accepted to speak, and so bummed that I can't actually be there in person. I really, really wanted to come and visit your beautiful city, but hopefully I do really well this time and I get invited back next year, right? So my name is Robert Wagner. I'm Mr. Minion on the Twitters. I don't tweet a whole lot, but it's a great place to get a hold of me if you like. And just a quick little introduction (I need to make that active again).
I've got about 20 years of experience in IT and infosec. I started off my security career as a third-shift SOC analyst, where we were running a 24x7 SOC with four people and one floater, so I learned a heck of a lot. It was a great experience, but it was definitely a hectic time. I moved my way up through security engineer and architect. Like Karen said, I'm a co-founder of Hak4Kidz, where we teach kids about internet safety, security, and ethics, and a co-organizer of BurbSec and BurbSecond in Chicago; we'll talk about what that is in a minute. My opinions in this deck are my own or those of other researchers,
and not necessarily those of my company, although they'd be really silly if they disagreed with me, because it should be really great information. And of course my biggest claim to fame is the dog I taught to ride a motorcycle with me. This is Rocket, and he's a fantastic dog. So, on to the presentation. I have been putting this deck together, it's been a living deck, for many, many years now, and I put it together because I saw that too many companies kept getting fixated on buying technologies to fix their problem, right? Buy this new technology, buy that technology. And when I was in the SOC... oh, and it
results in shiny object syndrome. So when I was in the SOC we had a problem; it's the same problem every company has: there was never enough budget to actually buy all these shiny things, right, or to even get new headcount and things like that. Even training: sometimes there wasn't enough budget to get everybody the training they wanted. So I started noticing that I needed to find free, easy, or cheap ways to fill our security gaps. So every time I was at a conference and I heard somebody say, "Well, if they had just done this," or "This is easy to mitigate, you just do that," and it was a free or easy mitigation, I would
write that down, and I just kept that all together and put it into this deck, especially because a lot of times, if you missed that presentation and didn't get to hear that easy mitigation, you might never actually hear about it. But over and over again I saw that the best place to start... every high-performing security group that I saw started with the most important security tool in their organization. It's the one everybody's got. And which tool is that? Yeah, it's you. Now, that's not to call you guys tools, that's not my intent at all. But every company that I saw that focused on the people first did so much better. I saw a small
security team of five outperform a larger security team of 25, because the larger team focused on just technology; they always wanted the shiny object, right? Whereas the smaller team challenged each other, they taught each other how to script, they taught each other how to hack, and they did a fabulous, fabulous job with just five people. So the problem, of course, that we're describing here is this stupid Venn diagram, right? Who hates this Venn diagram? I hate it, because every place I go we see people focusing always on the technology, buying more technology. And what happens if you disregard, if you ignore, your people and process? You get something that looks like this, and nobody wants this for their security
group, right? This is not the description we want for our security team, not at all. So how do we do that? Now, I don't think I have to tell most of the people at BSides Tel Aviv that there's fantastic information to be found at hacker cons, but managers, if you're listening (and please, dear God, be listening), this is a great place to be sending your people. I've learned so much, and you'll see much of what I've learned from my mentors: Mike Poor, Ed Skoudis, mubix, Dave Kennedy, Danny Harris-Benten, Ryan Kovar, Dave Herrald, and more. And you can see most of the conferences online: DEF CON, ShmooCon, THOTCON, most of the BSides, including BSides Tel Aviv,
broadcast and record their sessions now, especially now with COVID-19. And they're free or very cheap. Hacker cons are typically very cheap, or they're free, and I'm seeing CSOs and security managers going to them. The problem we had, of course, when I was in the SOC was, well, three people could go to really extensive training this year, and three people could go next year when we had more budget. For the price of just one of those classes you could send your entire staff to a good event like BSides Tel Aviv, and if you managers are not, you're pissing your money away, because these are great places for them to go
and learn. Make sure that they go; do everything you can to get your people to these kinds of events. In addition, there are great researchers sharing out in their blogs. So InfoSec Taylor Swift, hopefully most people have heard of them; the Decent Security blog there is fantastic, it teaches you how to secure your Windows and how to log your Windows to look for evil. Hacks4Pancakes, another fantastic researcher who shares prolifically online; her blog, tisiphone.net, has great DFIR information. And then there's the concept of CitySec. It started about the mid-2000s, where, rather than having formal meetups like ISSA and ISACA (which are good organizations too), how
about just an informal meetup where people get together, have some beers, be very social, but informal? So BurbSec, because it started up in the suburbs of Chicago. There are five of those now, every month, in Chicago, and for the price of a beer I learn what my red teaming friends and pen testing friends are doing. And by the way, they're freaking bored. They're getting into organizations the same way every single time, and I guarantee you, if that's how they're getting into organizations on paid engagements, that's how the bad guys are getting into your organization. So if you're a blue teamer, sit with those red team people, listen to their stories, understand how
they're working their attacks. If you don't have the advantage of having your own red team at your organization to do purple team exercises, learn from those people. It's a great way to go. If you're going to set one up in your own city, if you don't have one going on, the formula is simple: get three people from three different organizations, preferably, because if any one of those organizations is having a real security incident you've got two other people that can show up; meet on the same day of the month, like the first Thursday of the month, whatever, at the same place; and the organizers' jobs are just to show up, make people feel welcome when
new people show up, say, "Hey, new person, welcome, come on, this is the group, come on, have a drink, join us," and then make sure that the bar, of course, knows, remembers that you're coming, and just make it a welcoming place. We've grown to five here in Chicago, and it's a fantastic method. So that's how we level up our people. But how do we level up our users themselves, right? Those security awareness videos, they're so awful you want to rub glass in your eyes, right? They're terrible. We have to do them anyway, because it's a compliance issue, but how about doing something that
really teaches our users about security and gets them excited about it? So I got this idea from Ben Ten. You can actually see this whole video from DerbyCon, like 2013 or 2014; just Google it. But it's a great idea: he gamified security awareness in his organization, and it was simple. All he did was say, "Hey, everybody in my organization, you're going to start seeing some security-related issues like you might have seen in that security awareness training you had. The first person that reports any single one of those security issues will get a gift certificate to Dunkin' Donuts," or whatever your local coffee shop is. At the end of the month, or a week,
whoever gets the most will get a gift card for, I don't know, a hundred or two hundred dollars, nothing too expensive. Within a couple of days people were trash-talking other people at the water cooler, like, "You're going down, I'm totally reporting more than you are." People started reporting things like, "There was a strange box outside the side door." It turned out to be just one of those rodent control devices, but still, people were paying attention. Somebody else reported the CFO for not having their badge on as they were going through the halls, which was against policy, which is great. And the best one actually happened about 15 minutes into the contest. He gets a
call from a very excited woman. She's like, "Hey, hey, I see one of your things!" And he's like, "What things?" And she's like, "The security things that you said, you know." And he's like, "Um, wow, we haven't started yet. What is it you're seeing?" And she's like, "Oh, this pop-up comes up every once in a while and says, you know, 'click here to authorize.' I don't know what it is, I just click it." And once he took his face out of his palm he said, "Yeah, how long has that been happening for?" She said, "Oh, like six months now." Yeah, he had a real security incident 15 minutes in. He had turned his people into
carbon-based intrusion detection systems, and it was beautiful. Now, I will give you one word of caution. As I've talked to people, you know, around the country (around the US at least), they've said, "Yeah, we did that, and it worked great." One place told me it worked great for a while, and then we ran into a problem: we had some users that were so overzealous that they started doing things like downloading Nessus to scan for vulnerabilities so that they could report that. Now, if your users can download and run Nessus, you also have other problems that you need to address, but there are some users who may get a little
overzealous, so just be careful about this idea. So EMET. Yes, for those who don't know it, do not just turn it on; it will break all over your organization. But it can be helpful. It's free from Microsoft; it's designed to protect the memory of apps you designate. You've got to test the heck out of it. There are bypasses for it, like ROP chaining, and yes, it hit end of life in 2018. That's if everything, all your Windows at least, is on Win 10 by now, and can you honestly say that it is? What does every ATM in North America still run on to this day? Yeah, it's
Windows XP. I mean, it's embedded Windows XP, but my point is that there's always going to be pockets of stuff that may be able to leverage this. And, you know, I wonder... somebody told me that it may even be built into the next version of Defender, and I know Dana spoke earlier; I'd love to hear if that's actually part of the tool as of now. But it reduces the number of tools an attacker can use, and you've made it harder for an attacker to win. Ah, so why are passwords still the bane of security practitioners', blue teamers', existence, right? This should be solved by now.
The best answer, of course, is two-factor, right? Two-factor cures a lot of sins. In fact, if you were going to shiny-object-syndrome on something, get two-factor. It goes beyond shiny object; it actually works, it does stuff that's really helpful, right? It solves a lot of sins. But not only does one not use the same password for banking and Twitter, but how many of you think you might have a domain admin who went to the trouble to create a really complex password, like 18 characters long, all random, memorized it, and then when they had to sign up for their banking account or their local Home Depot or whatever, they also used
the same password, right? Yeah, it's not great. In fact, it's so bad, the password situation. Who here's seen this xkcd cartoon by now? Hopefully most of you have. If you hadn't, the point is that this, what we've been teaching right here for 20 years now, teaching people to, you know, use leetspeak and replace letters, this is absolute crap. This cartoon is about nine years old now, and nine years ago it took three days for a password-cracking rig to crack the hash on something like this, and people that are running more modern ones using GPUs, they're telling me an hour, maybe minutes. This is
terrible, this is bad. We've got to get rid of this. Get two-factor when you can, but it's not free, it's not cheap, right? So until then, what can we do? Well, passphrases: a heck of a lot better. So nine years ago it took something like 550 years to crack "correct horse battery staple" (don't, obviously, use that one; it's in every password-cracking dictionary now), but even now a password-cracking rig takes a few hours, maybe a day. But you throw in an extra number, you throw in an extra special character, and the entropy on this still goes way up. And last but not least, especially for your domain admins:
KeePass is free. There are other password vaults that are free that they could be leveraging. Now, some of my red team friends go, "Yeah, but if you have a password vault and I phish my way onto your system, then I have your whole list of passwords," to which I say, "Yeah, but if you have one password and it's on a sticky note under your keyboard and I sneak in the back door with the smokers, I still have all your passwords." So a password vault is at least some mitigation. Passphrases, some mitigation. Get the two-factor as soon as you can. Authy is free, but I haven't heard of anybody implementing Authy (it's a free two-factor open-
source tool) through an enterprise, like through an entire large organization, so your mileage may vary on that one. Smaller organizations, you may be able to leverage it pretty quickly. So, Java. So who here still has Java 6 somewhere in your organization? Now I can't see your hands, but some of you are laughing right now. I know some of you may not realize it, but I guarantee you, you have Java 6 somewhere in your organization, and the reason is always, always the same: there is some mission-critical app, it's like what the whole company depends on, it runs in the back office, the developer died like 10 years ago, and no one knows how to update it, no one
knows how to fix it. So here you are, stuck with this old version of Java, which needs old Java agents, Java 6, to connect to it. Now, the great thing is you don't have to let Java connect to the internet, right? That's where the problem lies: when that old version of Java connects to the internet, that's when you get owned. Well, every instance of Java installs with its own user agent string, and you can actually block that user agent string at the outbound proxy. So by blocking that, you don't let it out to the internet. Laptops are a problem, of course, because they leave the network. You're going to have to... I mean, you
could mitigate it by backhauling everybody through the VPN; that would be a freaking nightmare, but it is a mitigation. Probably a better one would be a GPO that says when the system's off the corporate network, Java doesn't run at all; just shut that down. So block those old versions, don't let Java go outside, and get rid of it eventually. You've got to get someone in to fix that old app. So this is great. This is from blueteamer.blogspot.com. This is every extension that is executable that you should be blocking at the email gateway. Now, can an attacker obfuscate the extension and get in some other way? Absolutely. But still,
block all of these. It will get rid of some low-hanging fruit, and I mean the whole list: put the whole list in, block it all, just do it, be like Nike, please. Now I know what you're saying. You're saying, "Robert, yeah, but there might be some people in my organization that need their .exe, and I don't know what to do." Yeah, it doesn't matter. If Apple can tell us that we can live without a headphone jack, then we're just going to have to deal with it. You can tell your users all this is getting shut down now. Have a really robust exception policy in place, and I mean you need to be able to act on it fast.
There will be a few people that have a legit need for one or more of these extensions, and you can make exceptions for that tiny group of people, but for the rest of everybody else, just get rid of this. It needs to go away. And it's free, and it's cheap, and it actually works, it does stuff. So, antivirus. You've got it anyway, right? It's of limited value, right, but it's not completely useless. So one nice thing about every major antivirus is that it can be used to search for IOCs. Now, you could also use your vuln scanner, if your vuln scanner is authenticating to everything, and it needs to authenticate to
every device out there to use it in that fashion. Not everybody does that, so AV is out there on everything, though, again usually because of compliance reasons. So if you take that list, right, of things that are coming through, and you dump that into Cuckoo or something and extract your indicators of compromise, dump it in your AV; your AV is now helping you. In addition, heuristics still finds some malicious code, right? Heuristics was one of the attempts at doing things without it being signature-based, right, to actually analyze what's going on and figure out that it's malicious by a heuristic check. It can be pretty noisy, so I imagine
that's why people have disabled it in some organizations. Have your IT teams do the work to tweak it, get it up and running; it will catch some low-hanging fruit. And last but not least, is anybody just checking the AV alerts? It's free and cheap to do, but I have so many times seen attackers go through an organization, they're tripping off AV left and right, but it doesn't matter because nobody's looking, and by the time they get domain admin, you know, it's game over, too late. So I love this next section. This whole section, some people call it honey tokens, canaries, landmines, whatever, tripwires (not the product Tripwire, just a
tripwire in concept), and it's great. It's the whole process of tricking the attacker into doing something that lets you know that they're there without them knowing that you know that they're there, or maybe they even know that you know that they're there, but by that time it's too late. So in any event, one of the easiest ones is something like a honey file. You get together with your IT team, you put a hidden file in the golden image, it goes out to all your systems. If you want to get really tricky, you can even use a little bit of scripting, a little bit of regex, to make the path or the file name different on every system that it goes
on, just a little bit different, a little bit different size. But you call it something juicy: "credit cards," "password list," something that an attacker just wouldn't be able to resist, and then alert on access to that one file. You can monitor your entire user base just with this, right? Very simple, very easy way. You don't have to log the world, you don't have to monitor the world, just this one simple thing to get you started. Free, easy, works great. Prone to some false positives, right: if someone drops down to the command prompt and does a "dir /s", you are going to get a false positive on this. I don't see users doing that
a whole lot anymore, right? Make sure you whitelist it out from things like your AV scanners and stuff like that, so that they don't touch the file. But just this one simple thing can catch so much evil. You want a little bit better fidelity? Let's do something even trickier. Let's create a fake domain admin account. You call it "domain admin," whatever. Put the password actually in the description of this account; literally say "and the password is..." The attacker will think you are the dumbest Windows admin that must have ever existed, right? They're going to see that when they're enumerating Active Directory, they're going to go, "I have you now," and
all they're really going to get is nothing, right? There, you put this in the admins group, you make its logon hours zero, it can't actually be used, but then again you alert if the actual account is used in Active Directory, and now you've caught someone creeping through your network, right, trying to gain access with this fake account. So some even more landmines. So who here is... is anybody actually a DBA? I hope not. If you are, put your fingers in your ears, because they are such prima donnas, right? We can't put anything on their databases to monitor for security, so instead of putting something on, let's collude with the DBAs and be clever.
Let's make a honey database or a honey table. Don't publish a schema, only have a few people that even know about it, hide it somewhere, and then alert just on simple access of this table or this database. Call it something juicy again: call it "credit cards," call it something someone will want to steal from your organization, and alert simply on access to that table or database. It works beautifully, and it's not prone to false positives. If you do get one, obviously your DBA needs to go back to remedial DBA school, because they just did something like "select * from everything," right? So, a great way to just monitor people trying to access your data,
and then this last one. So this is great. You can download this from GitHub; it's called Invoke-RunAs. All it does is, you deploy it with SCCM or whatever to all your Windows machines, it loads a fake admin account and a fake set of credentials into memory, and then again, just like the other one, you alert on use. But this is great, so this is going to catch people trying to scrape creds from memory, something like Mimikatz or something like that. It's not likely to hit a false positive, because your users shouldn't be able to do something like that; if they are, again, you have bigger problems. But a great
way to catch a potentially more advanced attacker within your organization, or at least an attacker that knows how to run the right tools and scrape creds. And then just recently I ran into this one: the concept of honey people, even a honey org. Basically, instead of taking those phishing emails that usually go into the report-phishing email address, pass those phishing emails on to a honey person who you've created an entire dossier for. They should have a LinkedIn account, social media, all this stuff, and that honey person can then interact with your phisher, with your attacker, and get you more information than you would have if you would just
run VirusTotal or something against the link. So, very clever idea; I like this a lot, and I'm starting to explore more into scripting that and delivering a whole honey org within an organization. Very clever idea. Other quick ways to stop attackers in their tracks: using a web form to authenticate to the proxy is a great way to stop a lot of attacks. I even heard it suggested, I think mubix said, that you can go so far as to ask users to allow a site once per day. So the first person that goes to Google, they get a little pop-up that says, "Is it okay to go to Google?" and
they say yes or no. But, obviously, you don't want them saying no to Google. The idea really isn't that they should know whether or not the site is okay; it's just that automated stuff won't know what to do with something like that, right? So it's a little stopping block for a script. There's a WPAD vulnerability, a man-in-the-middle vulnerability; these two null routes mitigate that vulnerability. So just by deploying those two null routes you can mitigate that WPAD vulnerability. In addition, I want you to get rid of NetBIOS. I know you can't get rid of it this week, or this year even, but
have it in your plan: five-year plan, I don't care what it is, get rid of NetBIOS. It just allows so much evil. There's the LLMNR attacks that it allows for, and if anybody's heard of the tool Responder, it's one of the first things most pen testers and red teamers download; I'm sure it's what most attackers will download as well. And with NetBIOS it will wait for a NetBIOS broadcast and then lie. It'll say, "Hi, yeah, that's me, I'm the server you're looking for. Go ahead, give me your hash, give me your creds, whatever, I'll take care of everything for you." NetBIOS needs to be gotten rid of,
so make a plan, do it logically, but get rid of it. Also, disabling DNS for internal namespace: so again, making it harder for your attacker to get outside, to get to their tools, to exfiltrate data. Your internal name servers do not need to do forward lookups for outbound IP addresses, right? That's the proxy's job; let the proxy do it. And if you're using a web form to authenticate to the proxy, now you've doubled down, you know, you're mitigating lots more just by leveraging those two together. What roadblocks? So LAPS is free. It's free from Windows, or if it's not free you can negotiate it in with your contract anyway; make them give it to you for free. It
does a good job if you have local admin still within your organization, and it's going to... you know, if it's the same local admin and password on every system, it's going to allow an attacker to jump from machine to machine to machine, lateral movement. LAPS takes care of that; it randomizes the local admin password. There are some bypasses for it, but for the most part it works really well. Now, get rid of local admin as soon as you can, but just like NetBIOS, I understand there are business reasons some of these things hang around. Get rid of them as you can; make a plan. And then the last one, got this from Dave Kennedy; this is great.
So this is nothing more than a simple GPO: deny access to this computer from the network, to your workstations and laptops. Yeah, IT people still need to connect to systems, but they're IT; they can flip that GPO. You put this on and deny access, and there's no reason anybody other than IT should ever need to connect to your users' systems. So just block that. You do this, and all of a sudden an attacker needs to either hope for a vulnerability that will allow them to laterally move, or they need to start phishing each and every individual target in your organization to get to their goal. You're going to make their lives freaking miserable; you do this.
So what about the logs, Robert? So some of you know I work for Splunk, so how about some tricky stuff with logs? Doesn't mean you have to have Splunk to do this; this is all stuff you can do with whatever, any logs. So pass-the-hash: yeah, it's on the decline right now, it's typically not the go-to, but this is still pretty good fidelity. You could even run this against your backlog of logs to see if pass-the-hash was in use before, especially maybe by an insider. It's a great way to see if you haven't had any insider threat problems in the past, and your mileage may vary, but it's worth a go on this one.
So DNS, and DNS logs, are another fantastic place to go looking for evil. It's very hard for attackers not to leave their fingerprint on DNS. So you can look for unauthorized DNS, and this is just three different ways to do it; they all get you the same results, it just depends on what the source of your DNS log is. Your DNS spoofing activity, similar concept. And then this third one here, finding clients connecting to multiple DNS servers: one of my peers came up with this, and I thought it was brilliant, because by default how many DNS servers does any particular host know about? Two, right? So if it's connecting to more
than two DNS servers, unless you've got some sort of round-robin going on (and you can, again, mitigate that), if you find hosts connecting to multiple DNS servers, that's pretty freaking weird; you want to go hunting that down. Extremely long DNS queries: so this would be used for things like data exfiltration, right? So quick and easy ways to look for extremely long queries: you can do over two standard deviations. This URL Toolbox, by the way, that's another free tool from Splunk; you can use this, but again, you don't need to use Splunk to get to standard deviations, you can do your own math against it. Or 200 characters long. Now, these aren't magic numbers, right? They're a
place to start. You're going to have to tweak up and down based on your environment to get the right amount of deviation; it could be 2.1, 2.4, maybe under, whatever. 200 characters long, maybe not quite long enough, maybe too long; just tweak it a bit and you should start finding very suspicious DNS traffic if it's within your organization. Entropy is another great way to look for unusual DNS. So by applying Shannon entropy to something like google.com you get an entropy score of 2.6, whereas this long string right here, that's going to get you an entropy score of 4.28, which is really high. In trivial math that doesn't seem like a wide spread,
but that is a huge difference in entropy between those two things. And then you just apply that to your DNS queries, and you can start pulling out some very unusual stuff: domains with high entropy, subdomains with high entropy. You will have to filter out for CDNs, right, so the Alexa 1 million or something like that; filter out the Alexa for CDNs, and what remains, depending on how you tweak that, should again be pretty evil. So to give you an example, things like these long strings here, you can see everything ended up with a score of over 4.4, all of it really high entropy, all of it, if it's not a CDN, would be pretty
suspicious, and something your hunters might want to track down. Ah, so algorithms, right? So AI and algorithms, it's all the hot thing; everybody wants to sell you some fancy shiny AI. You can do it for free. So to get you started, you can download something like R or SciPy, the Python kit for scientific computing. You can even download some free tools from Splunk. It all works the same way. So to give an example of how you can leverage it, we downloaded an interesting data set. So in the US, the government healthcare is called Medicare and Medicaid, and you can go here to the research tab
and download tons of data. So we downloaded a year's worth of prescriptions. You don't, of course, HIPAA and everything, you don't know who the prescription was for, but you get everything else: what it was for, who wrote it, when they wrote it, where they wrote it, all that great stuff. We said, let's go see what we can just mine out of this data. So we reduced it down to just the opioid prescriptions, right, figuring there might be something that we could find that would be interesting there. And this is all we did: we ran it through two algorithms. The first algorithm is called PCA, and PCA basically is an algorithm to
take a huge data set and reduce it down to x number of data points. So we chose three, and you can see the results, that PC one, two, and three right there; those are whatever the algorithm figured out is the most relevant things about this data set. And then we ran it through just one other algorithm; it's called k-means, and k-means is a clustering algorithm, and you can see here that it created this lovely cluster and then this tail of outliers. At this point it's Sesame Street math: which of these things are not like the other? We don't know why these are outliers after just running it through the algorithm, but with some simple Googling you come
down here to the list of providers (these are the doctors), and you'll find that John Couch here is in jail for 240 months for prescription fraud. We didn't know what was going to come out of it, but that was an interesting outlier. If we were to scroll further down there's another doctor, and by the way, he was an outlier because of the number of prescriptions he was writing; he was writing way more than other doctors were writing. If we scroll further down we'll find another doctor who... the reason that doctor was an outlier is that he was a pediatrician, and remember, these are opioids, and I don't know too many two-year-olds that need OxyContin on a regular basis,
although every time I fly there always seems to be one that I really wish had, but I digress. So just by simply using some very simple algorithms against a data set you can start looking for weird stuff. This could be very helpful for hunters. You could leverage this against, you know, weird traffic sessions, weird protocols, all sorts of stuff within the organization. I've seen it used all the time to catch fraud, actually, so things like online fraud or loyalty fraud, like with loyalty points and things like that. We can apply something as simple as this and then look for the outliers in those web transactions and start finding fraud
that way too. Very clever. And if you can start finding fraud for your organization, you might get them to give you some more budget. So hopefully this was a great set of tips and tricks. I hope everybody found at least one gem out of it that they can leverage back at their own organization, so go out there and use it, because only you can prevent infosec dumpster fires. I hope you guys have a lot of fun with this. If you do, if something works for you, let me know, or if you come up with a great idea, let me know, because I love sharing this with organizations who are struggling with budget,
who need free ways to shore up their things. So you can contact me here if you like, or on my Twitter. And thanks very much, everybody.
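As an added example (my own code, not the speaker's slides or a Splunk search), here is the DNS hunting logic described in the talk, written in plain Python so it runs against any DNS log: query-length outliers above mean plus two standard deviations or 200 characters, Shannon entropy of the query's subject label with a CDN allowlist filter (google.com scores about 2.6, as in the talk), and clients talking to more than two resolvers. The log format, the client and resolver addresses, the host names and the allowlist are all constructed for the example.

```python
import math
import statistics
from collections import Counter, defaultdict

# Constructed sample DNS log (not real traffic), one "client resolver query" per line.
SAMPLE_DNS_LOG = """\
10.0.0.12 10.0.0.53 google.com
10.0.0.12 10.0.0.53 www.splunk.com
10.0.0.12 10.0.0.53 n3q8zv1kx0wj5r7hl2pymb9tcdg4fse6ua.evil-exfil.example
10.0.0.14 10.0.0.54 mail.example.org
10.0.0.14 10.0.0.53 d3k2jd9s8f7g6h5j4k3l2m1n0b9v8c7x6z5a4s3d2f1g0h9j8k7l6m5n4b3v2c1x0z9a8s7d6f5g4h3j2k1l0.evil-exfil.example
10.0.0.15 10.0.0.53 cdn.cloudfront.example
10.0.0.15 10.0.0.54 x9k2m4p7q1r5t8w3y6ab.cdn.cloudfront.example
10.0.0.16 10.0.0.53 updates.example.net
10.0.0.16 10.0.0.54 time.example.net
10.0.0.16 198.51.100.9 updates.example.net
"""

# Constructed allowlist standing in for the "Alexa 1 million / known CDNs" filter
# the talk recommends; CDNs legitimately use random-looking host labels.
CDN_ALLOWLIST = ("cdn.cloudfront.example",)


def shannon_entropy(s):
    """Shannon entropy in bits per character (google.com scores about 2.65,
    the talk's 2.6; a 34-character label with no repeats scores log2(34))."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def subject_label(name):
    """The label most likely to carry encoded data: the leftmost one when the
    name has three or more labels, otherwise the whole name."""
    labels = name.split(".")
    return labels[0] if len(labels) > 2 else name


def parse_log(text):
    """Parse the constructed log into (client, resolver, query) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the hunt
        client, resolver, query = parts
        rows.append((client, resolver, query.lower().rstrip(".")))
    return rows


def is_allowlisted(name):
    return any(name == s or name.endswith("." + s) for s in CDN_ALLOWLIST)


def long_queries(rows, z=2.0, min_len=200):
    """Queries longer than mean + z standard deviations, or at least min_len.
    2.0 and 200 are the talk's starting points; tune them to the environment."""
    if not rows:
        return []
    lengths = [len(q) for _, _, q in rows]
    cutoff = statistics.fmean(lengths) + z * statistics.pstdev(lengths)
    return [(c, q) for c, _, q in rows if len(q) >= min_len or len(q) > cutoff]


def high_entropy_queries(rows, threshold=4.0):
    """Queries whose subject label scores above threshold, CDN names excluded."""
    hits = []
    for client, _, q in rows:
        if is_allowlisted(q):
            continue
        score = shannon_entropy(subject_label(q))
        if score > threshold:
            hits.append((client, q, round(score, 2)))
    return hits


def clients_with_many_resolvers(rows, max_resolvers=2):
    """Hosts talking to more DNS servers than a normal client config lists."""
    seen = defaultdict(set)
    for client, resolver, _ in rows:
        seen[client].add(resolver)
    return {c: sorted(r) for c, r in seen.items() if len(r) > max_resolvers}


def hunt(text):
    """Run all three checks over a log and return the findings by category."""
    rows = parse_log(text)
    return {
        "long": long_queries(rows),
        "high_entropy": high_entropy_queries(rows),
        "multi_resolver": clients_with_many_resolvers(rows),
    }


if __name__ == "__main__":
    for kind, findings in hunt(SAMPLE_DNS_LOG).items():
        print(kind, findings)
```

On the sample log the 104-character query is the only length outlier, the two evil-exfil labels are the only high-entropy hits (the random-looking CDN label is suppressed by the allowlist), and 10.0.0.16 is flagged for using three resolvers.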