
Hello everyone, welcome to my talk, "MITRE ATT&CK: Combining APTs, TTPs and GRC to Build a Realistic Security Program." By a show of hands, is everyone here familiar with ATT&CK, or at least heard of it? A couple of people, awesome. So it's definitely become a buzzword, unfortunately, in our community, and more on that a little bit later. But really my goal here, and what we're trying to get at, is how you can actually leverage this framework, actually integrate it, and how to get buy-in from management, especially since they most likely have a GRC program that they're following.

A little bit about myself: I'm a senior penetration tester at Wolf Company. I've been at the firm for a little over four years now. I'm also a first-time speaker and a first-time attendee at BSides, so I'm really excited and humbled to be a speaker here. If you have any constructive criticism or feedback, I'm still relatively new to public speaking, so I welcome it. Ping me on Twitter, email me, whatever works. I also left a note that my transition started with IT audit, so I actually have experience reviewing security frameworks such as CIS 18 (well, previously Top 20) and NIST CSF, and really getting into the weeds of reviewing and understanding Active Directory. I'm going to try to convince you, especially if you're an offensive security member, or more on the purple team side of the house, that you're most likely also an audit/QA type of person, and I'll try to convince you to get buy-in from that. Even if you aren't a third party or doing consulting services, you can take the audit principles and incorporate them into your actual company. My Twitter and LinkedIn are also there, and I guess a bigger-resolution image as well, if you are interested.

So as an agenda, I'm first going to introduce the MITRE ATT&CK Enterprise matrix. That's really the framework that we're talking about: Enterprise, since that's mainly the leading one in terms of where we're actually looking post-compromise to understand where these threats are coming from. I'm going to try to motivate this. Since we're in a college, and I studied mathematics in college, my professors always had to motivate the problem, so I'm going to try to motivate why we want to use ATT&CK and how we can actually incorporate it with GRC. Thinking like an auditor, like I mentioned, I'm going to do my best to sell you the idea that you can take these audit principles and incorporate them internally as well, and obviously for the business. Purple teaming and a little bit of threat modeling: there are a lot of upcoming talks, and talks that have already happened, about threat modeling, so I'm going to let them do a probably much better job at introducing that topic, but a brief primer could at least be useful to understand it. Again, purple teaming, I guess there's a huge disagreement about what that buzzword can also mean, but we'll try to get to that a little bit later as well. I also prayed to the demo gods earlier, so if you saw me back in the corner just drinking a lot of coffee to ease my nerves a little bit, I do have a live demo to incorporate some of these tools and actually show you how to use them, so hopefully that goes well. And then finally we'll have questions and kind of a Q&A if there's time, obviously.

So again, if you're not familiar with the MITRE ATT&CK framework, we're kind of introducing a new framework to solve these types of issues, right? We have NIST 800-53, and one of my favorite things to explain to people, if you're not familiar with these governance frameworks like CIS 18, is that everything kind of maps back to that gold standard. So you have NIST CSF that has a mapping, you have MITRE ATT&CK that has a mapping to NIST 800-53, a mapping to CIS; all these different mappings and frameworks. It can get really overwhelming, and it may be really confusing for me to then say, oh, let's use another framework in your security stack. How much time is anyone ever going to spend, right? But there is value there, and it's not going to be as impossible a task as you may imagine to lead and explain to the business: hey, there's this really cool matrix out there. If you're a SOC analyst, you're probably already seeing those indicators, like T1003 or something like that, if it comes up in your SIEM alerts. Hopefully it doesn't, but things like that, you may already get those indications, and using that framework to align to the business is going to be a much bigger win in the long term, because you can get buy-in from other departments.

We oftentimes, especially as security professionals, get super in the weeds thinking about MITRE ATT&CK, because it's so interesting, there are so many new things to learn about it, and it's always being updated. But if you ask someone in audit or compliance, or people who aren't really in the technical roles, they've probably never heard of that framework. So it's really important that we have a way to actually explain how we can use it, and that's by leveraging what already exists. So if they have to build compliance to PCI or HIPAA, try to leverage that for your use case to then bring it in at the right time.

So again, what is the MITRE ATT&CK matrix? That's really what we're trying to get at, so I have my obligatory pyramid slide as well. If some of you folks are actually familiar, this is how I'm going to motivate the purpose of MITRE ATT&CK as well. On the left you have David Bianco's Pyramid of Pain that came out during APT1, and he really motivated this actual issue of understanding where we are at, especially with detecting attacks, or how we actually go about defending against them. The MITRE ATT&CK framework is really looking at post-compromise, right? So what actions a malicious actor is actually taking inside the network. So we're kind of assuming that post-compromise, and that's important to understand, because at the very bottom rung of the pyramid we have hash values. That's malicious signatures of a random file. So if I download some software that has a SHA hash on it, it's very easy to detect, but it's also trivial for an attacker to change that, right? It's really easy for me to change one line of code, and it's unfortunately common for AV tools to do that, where, as an offensive-minded person, if I download something from GitHub, all I have to do is change a couple of lines for my PowerShell script to no longer get detected. And there are tools like that, Mimikatz for example: if you remove some of these lines you can sometimes still execute, unfortunately. So it's really easy for us as attackers to change that, but also easy for defenders to detect, as well. As you move up, some of them may be more obvious as well. IP addresses: again, as an attacker, easy for me to change, easy to detect. Same with domain names, and it keeps getting more and more difficult toward the top. At the very top, at least for the left-side pyramid, we have TTPs, and that's tactics, techniques and procedures, and you can think of that as behavior-based. It's really difficult to change and influence behavior, because we're humans, right? And that's part of an advantage and a disadvantage that we have as defenders.

Because if you think about behaviors: I drink a lot of coffee, so we could think of a tactic, I need to get my caffeine in the morning; that's one of my tactics. And then the technique that I go about that with is an espresso machine at home, so I brew my espresso. And maybe my procedure is, I first have to get the beans, I have to grind them and actually get the beans into the hopper, and make my coffee, right? So we can think of that as kind of a top level of a tactic, getting caffeine, all the way to the actual procedure of how I'm actually getting coffee. But if you suddenly remove where I'm actually getting my beans, or try to influence it, that's kind of where defenders need to step in to try to change the behavior, because if I don't get my coffee in the morning I'm probably going to be a little bit more upset or angry.

Obviously the right pyramid is a little bit newer. It's from Chris Peacock; he is a detection engineer out of SCYTHE. There are going to be a lot of references to SCYTHE, because I think they're awesome and they have a lot of great community resources for understanding how to carry out purple team exercises. But I think this is a really great pyramid to showcase the difference between how we originally thought about the Pyramid of Pain, and motivating why we use MITRE ATT&CK, to then understand how we can actually use that framework. On the bottom we have tactics, and that's kind of easy for us to understand, but really what we're trying to get is procedure-level data, because that's really king. And unfortunately, in cyber threat intelligence reporting we don't have a lot of procedure data. So breaches, although we know they occur, we don't really ever get the specific details of exactly what an attacker carried out. Did they use ProcDump to dump memory for credentials? What exactly did they actually do? And that's really what we're mainly interested in from the MITRE ATT&CK framework, because that's really what we can have anyway. Because if you think about techniques, right here we say we're dumping LSASS memory, right? But how do we actually do that? How do we emulate that? If we wanted to use a purple team exercise, we'd have to kind of make a guess or an assumption, or rely on the cyber threat intelligence reporting to tell us how we do it. I don't know what the fascination with pyramids is, but it seems like we have a pyramid scheme problem, where at the bottom things are very easy and then at the top you kind of win a prize or reward. A weird pyramid scheme problem, but sure.

So let's actually get into an overview of what MITRE ATT&CK is. That Enterprise framework can be really overwhelming. You have 14 different tactics at the top level, things like initial access, credential access, data exfiltration, impact. And then on the bottom, like I mentioned, you have techniques. So if I'm talking about credential access as a tactic, I may dump credentials from an operating system, or perform a manual attack; those are kinds of techniques. And then within those techniques you have sub-techniques, and it goes into the specific procedures. That can be really overwhelming, and I'm not even going to showcase the entire matrix right now, because it may not even fit on a slide.

But that's something to understand: the framework is also based on observable data. So that means that it needs to be in some sort of publicly available cyber threat intelligence reporting to then state that they're actually going to put it in the framework. And that's important, because they're really rigorous about that, where it needs to be actually observed, and that's a really important piece of the MITRE ATT&CK framework that sometimes gets misunderstood. So it's really important not to play bingo and say we're going to cover the whole MITRE ATT&CK framework and make sure we're covered in terms of all these different threat actors, because there are so many different techniques that'll actually occur. We have to really prioritize the ones that we know the threat actors, or the ones that we care about, are actually performing.

The second part to that observed data, as offensive-security-minded people, or at least the people in the room that know about it: there are oftentimes techniques that are not in the framework but then suddenly appear. So one that comes to my mind, if you folks are familiar with Okta, is the Okta breach that occurred with Lapsus$. One of the techniques that the threat actors executed was they obtained credentials and then they started logging in, kind of interactively, against their authenticator. So I think, I'm not sure if it's Okta itself, but there was MFA implemented for an end user that they compromised, and they kept on sending requests, and in that case they had their soft token on their phone, and the end user just kept on getting bombed with requests. They didn't accept, until suddenly they did; they saw some strange authentication attempt that occurred. That wasn't in the MITRE ATT&CK framework, but now it is, right? That's an example of where sometimes there's a delay in us actually receiving novel techniques. But if you have pen testers, or anyone in the offensive security community, we've known about that for a while, right? We've been doing that. And does it actually make it real, quote-unquote, if now MITRE ATT&CK has it in the framework? So that's one caveat to understand: although it's really rich and there's a lot of data in the actual framework that we can leverage to our advantage, it's not going to encompass those novel, nuanced techniques that occur. And then we also have to understand the ones that we actually care about; we can't go around and just start filling in the matrix.

So how do we actually create a plan that lets us think about how we want to bring this into our organization? Really the key here is that we want to become auditors, or think like auditors, in our organization. So if we know that we have MITRE ATT&CK as a framework, and some of our tooling, if it's a SIEM or anything like that, or EDR, is most likely already reporting or aligning to the MITRE ATT&CK framework whether you realize it or not, what we're trying to do is first build out the threat model that actually matters to us. So ransomware is a really easy one to think about, because they don't discriminate on targets, it's not the most sophisticated type of technique that's employed, and it's pretty easy to start there. So if you don't even know how to perform threat modeling, or where to begin, ransomware is a pretty obvious group or place to start. Then we have to identify the actual security controls that we're interested in testing. So if we're looking at this in totality, we're looking at this post-compromise; we already have access to an endpoint, most likely. Are we examining EDR? Do we have a SIEM? Do we have Sysmon integrated on our endpoints? Do we have any other controls that will actually be in scope of our testing? And then we have to validate the controls.

I think for us in information security, we have one of the only unique problems in the field, or one of them, in terms of where we buy a tool, we buy this new fancy tool, and we have no idea that it actually works until post-breach, right? I buy EDR, CrowdStrike or SentinelOne, and two weeks ago a client told me that what they marketed, or tried to sell them on, is that their tool is going to stop ransomware 100%, right? It's 100% going to stop ransomware. And some people are laughing right now, because that's an obvious, it's just a great marketing trick, but it's never going to actually be reality, because we know that's not actually happening, right? You can't just implement a silver bullet in information security and expect perfection. And in that sense, since we have these tools, we have to essentially audit and measure them, right? We can't just implement them and forget. So that's kind of the proactive approach that we're trying to align to, of leveraging the MITRE ATT&CK framework and bringing it into the organization. And it's a challenge, because some people just don't know that they're being sold EDR, or they have this new SIEM, and then they have this technical debt that occurs, where they're just integrating all these fancy tools but never really get a chance to measure or test how they're actually operating until a breach occurs.

But don't take it from me. So that is just a really high level of what we're going to get to throughout the talk, but there are great resources available. So SCYTHE, their community blog, and they released the Purple Team Exercise Framework. If you're really interested in getting into the weeds of thinking about how to be an operator and how to coordinate these types of exercises, that's a really great place to start, from a reporting perspective. Defensive Origins, they have Atomic Purple Team, and that's one of the examples of the playbooks that they have, where you can have this life cycle of a specific threat model that you're looking to emulate. So imagine ransomware is the one; I mentioned Conti, which we'll get to in terms of how we can emulate them. They're a threat actor, a ransomware-as-a-service affiliate group that offers their software to these ransomware operators, and they encrypt networks, right? If we're looking specifically to emulate what Conti does, and the stages of discovery as a tactic, we can look at and examine their actual playbook, and those are the techniques and the procedure-level data that we have of what Conti actually does in the network, and have these different types of exercises that we perform internally. That way we can go to management, and this is kind of speaking more toward the business, and rather than saying, hey, we're going to assume compromise, or there's going to be a breach happening and we can't do anything about it, instead we say, we heard about Conti in the news, you've heard about DarkSide in the news. To the business, especially executives: these are the steps that we've taken to ensure that our controls are actually able to defend or detect against it.

And that's really important, because I was at Wild West Hackin' Fest, and this is actually credit to the panel that occurred a couple of weeks ago. Alyssa Miller is a CISO, and she actually made a really good point that struck me, because a lot of times, when we're explaining concepts, or trying to ensure that people understand why we look at this as breach, right, why are we actually looking to test post-compromise, we often say, oh, you're going to get breached, so you have to make that assumption. But if you think about it from the executive or business side, that's not really the best sell, right? That's telling people that they're going to get breached; then why are you hired, or what are you doing for your job? That's not really a great sell. So instead it's shifting it away and saying, we're going to emulate this, or the reason why we're doing these types of exercises is because we bring a proactive threat, rather than saying we're going to get breached and we can't do anything about it. I just thought that was really funny, because I've definitely said that before. I've told clients, like, oh, you're most likely going to, it's a matter of when you get breached, not if, right? We always kind of say that, but that's a really poor job of selling why we actually do post-compromise testing as a whole.

So if you still don't believe me, on the right side I have an excerpt from the FDIC. Hopefully not many of you in this room, or anyone watching, has to deal with them, but they have this awesome resource, if you want to dive in on a Saturday night, regarding model validation. And it's kind of funny, but that's similar in terms of what we're actually looking to do internally, right? If we have EDR or our SIEM, we're looking to validate that model: that the data that's being input is actually going to get an output that we're looking for. So if I emulate that procedure again of dumping credentials from memory, I'm hoping that the output is, well, hopefully it gets blocked, but if it doesn't, at least it gets logged in telemetry and it also executes an alert. And that's essentially what we're looking to do: we're looking to create those accurate, repeatable and complete tests. So I'll repeat that again, because it's important. That's a key audit principle that you should know: auditors love things that are testable, repeatable and complete. That's what we're looking to perform, and that's essentially the type of test script that we're looking to perform.

And most likely your audit department, especially if you're in a bank, like BSA audits, or if you're in a heavily regulated industry, most likely other departments already have to deal with that SOX reporting of reviewing user lists against a termination sheet. They have to do that and ensure that the system is actually reporting like it's intended; that's their model. And in some ways, and I think it's going to happen, information security has the same problem; we just haven't really translated that fully or captured that intent. But we're really validating models when we perform these types of exercises, whether it be from a pen test, or we're looking to validate different types of attack paths, or it's within this type of purple teaming, atomic-level testing, which we'll get to.

But it's really important to make ATT&CK appealing, because if I just showed you the entire matrix and I tried to showcase, hey, we're going to use this framework now, to a member of compliance or audit, it's going to be really overwhelming for them. So instead we'll just use the same language. So if you, like I said, are in a banking space or financial institution, it's really easy to sell to the audit/compliance team that's already doing model validation, and explain to them how your system is actually a model, your SIEM is actually a model that you're looking to validate, and then you get buy-in from management to then start performing these sets of exercises. Or if you just have your own security program internally and you want to start emulating these actions: if you have NIST CSF, and your information security officer is working on policies and procedures for mapping to the CSF or CIS controls, and they need some sort of backing of, we have this critical gap, right, we know that we have a gap in our tooling, we can create an exercise, or a life-cycle type of assessment, where we assess our controls and say we have this critical gap, we don't have this awesome EDR tool that would help mitigate this. And we can get buy-in from executives and boards by using ATT&CK.

So I mentioned procedure-level data as being really important for the MITRE ATT&CK framework, and you could really refer to that as atomic testing. That's commonly referred to as atomic, meaning it's one single action that an adversary may take in a network. So if I'm on a compromised endpoint, or I have access to an endpoint, a single action that I may take is enumerate users. So how would I go about doing that? And that could be done through, you know, net users, basic commands on the Windows operating system, kind of living off the land. That's one adversarial action, and it's as simple as just thinking that that's one test case right there that we have that we can emulate in our networks. In atomic testing it's really important to be accurate, though. You can't, unfortunately, just open PowerShell and just do net users and then expect an alert from your EDR; your EDR should probably get the telemetry from that. But really what we're looking to do is chain these different types of atomic sets, where the second I start doing net users, and then I dump the password policy, and I'm starting to do a password attack or password spray internally, that level of chaining, or linking those different types of procedures or atomics, where we have that actual objective of what that adversary is actually looking to do, they're trying to get credentials in that case, that's where some security controls with enough telemetry should either take action to prevent it or detect it.

Back in April, or early April: is anyone here familiar with ATT&CK Evaluations from MITRE Engenuity? So a couple of people. So every year, it's amazing, but we've somehow convinced our EDR vendors, and SIEM tools, or anyone that's essentially making EDR, to come in and perform an annual exercise that's held by MITRE Engenuity. And what they do is essentially what I'm describing: there's a threat model or a plan that's proposed by the MITRE Engenuity team. They have two actors; the most recent one this year was Wizard Spider, which is a ransomware actor, and Sandworm, I think also, which is actually FSB or GRU, a Russian actor. And what they do is essentially they tell each vendor, hey, we're going to test and validate that your actual tooling is working as intended, in this kind of live exercise format, where, all we're going to tell you about Wizard Spider is these are the techniques; come with your tool. They don't tell them the procedure-level data of exactly what they're executing. They just tell the vendors, hey, we're going to execute these types of techniques against the Wizard Spider threat group, from what we actually know, that observed data that we talked about. And unfortunately MITRE Engenuity does nothing to state the efficacy of the results; they just kind of showcase the results, and if we have time I'll show what that actually looks like. But that's a really powerful resource, where if you don't even know where to start, like, where am I supposed to even emulate adversaries, or how do I do this internally, this is all public information, where you can not only look up the emulation plan, you can look up the exact procedures. So I'm not sure if it comes out really well, but you can see the exact procedures that they executed for each of the assessments, and then you can also see any of the configuration changes that the EDR vendor actually did. So if we're looking at the comparison between CrowdStrike or Microsoft, and not to say one is better than the other, but more so, if I'm looking to either purchase an EDR or understand where my gaps are, you can look at the results as a whole, where it shows the screenshots of the outcome, you can see the configuration changes, like I said, and that's all public information. So if you're interested in at least looking at that and saying, how did CrowdStrike do, you could take it and see what they changed with their config and implement it internally as well. That's really powerful information.

However, to go to another cheap marketing trick: like I mentioned before, a client told me that a vendor claimed 100% of the ransomware will be blocked. Very similarly, we had on Twitter a lot of vendors saying that they are 100% MITRE ATT&CK aligned, preventative; they prevent and detect everything. I was going to put the Twitter post up there, but I don't want to discriminate against vendors. It's a really good marketing play, but that's one thing to understand: we're not looking to be 100% preventative or detective. That's not really the objective of the MITRE ATT&CK framework. We're looking to create these test cases, this atomic level of testing, and emulate and ensure that our controls are actually working as intended.

So on the bottom you can see kind of an emulation plan, and again, this is all public information that you can even look up on GitHub. So again, if I'm looking at this, a very naive approach to understanding how we can do threat modeling, quote-unquote, or what should I actually care about, I can go straight to the MITRE ATT&CK Enterprise matrix and I can perform a search in their search bar. Unfortunately it takes a little bit, but if you search, for example, I'm a hospital, I can search for the groups that target hospitals and just start automatically learning what the actual techniques are that they execute, and bring that in as an emulation plan. So in this case I looked up who targets hospitals, just by looking at the keyword, and on the bottom you'll see what's highlighted is a group, Wizard Spider. That's the one the adversary emulation plan for MITRE Engenuity tested, and I can start understanding the techniques that they use and mapping that out in my plan as well. So a pretty trivial and easy way to get started, especially if you don't have the resources of a massive CTI tool or team that's investigating actual threats, right? If we're just starting as one person, we could just kind of take this. It could be as simple as going on Twitter, or it could be as simple as anything you heard on the news, and understanding, hey, this is what we're going to start emulating, and this is the reason why: because it's affecting our industry.

So this is kind of quick, but in terms of that group, I just focused on Wizard Spider. MITRE ATT&CK also has an application on the web called Navigator, which allows you to visualize and highlight the different techniques that are actually occurring in each group. So in this case, for Wizard Spider, I zoomed in really closely, but this is what gets highlighted, meaning that Wizard Spider was actually observed performing this. So they use valid accounts, and again, this may be really high level, and what may be confusing is, what does that actually mean? There are citations, at least, to showcase where the actual data comes from, and hopefully in that data I can at least look and see what the actual procedure was, in terms of what they actually mean by valid accounts. Did they get a credential? Did they guess a credential? And that way I can bring it into my emulation plan.

So, that atomic unit of testing: it's really important to also keep your plan simple. It's really enticing and exciting to just try 20 different techniques at once in your network, or on one of the endpoints that you're targeting, because it's really flashy and interesting, but that can cause a lot of issues, right? You want to start simple and make sure you understand how a life cycle can actually occur. And most likely, unfortunately, you're going to be hit with a dose of reality, meaning that your tools aren't actually doing what they're supposed to be doing, or maybe you have these initial assumptions, because that's really what this is looking to do. We're looking to validate the types of assumptions that you have about your control environment. I have EDR, so maybe I'm assuming that it's going to pick up a lot of Windows binaries or PowerShell [inaudible], or B, you may have this new logging tool that's supposedly working well, it's on every endpoint, and it's going to pick up every technique. It's most likely not going to. So you have to really frame your assumptions correctly, and then also keep your emulation plan simple, so that way you can achieve success.

If you still don't know where to start, there's Red Canary; they create a detection report every year of the top techniques, there's a top ten. Prelude is a company that we'll get to and try to showcase a little bit; they have something called TTP Tuesday, where they release different attack chains. And SCYTHE also has Threat Thursday, where they also showcase emulation plans, and that includes the publicly available procedure data. So that's getting really into the specifics of what the actor is actually doing.

So this is, again, a kind of blown-up image, and why I try not to showcase too much of it, but this is the Enterprise matrix and how we can overlay different types of threats that we're actually concerned about. So this is looking at Advanced Persistent Threat 28, which is the Fancy Bear one, to APT29, and you can get this joining of what actual threats, or techniques, are actually employed by both threat actors. So maybe that's one way to actually prioritize where we should focus our defensive measures, right? So we're looking at execution; that's green, so that's actually that one technique of exploitation for client execution. That's one that both actors are doing, and that's maybe one I care more about than another one.

So how is this all made, though, in terms of where does MITRE ATT&CK actually come by this information? This is a public document that's available on MITRE ATT&CK as well, that was performed by Cybereason, where they took cyber threat intelligence and essentially started mapping different techniques from a report. So like I mentioned, this is all observed data. So if there's a report of a breach, and there's procedure, or at least enough detail for us to start mapping back to ATT&CK, this is where that comes from. So in this case we're looking at the very early stages of an attack, of how they actually got initial access. They used a spearphishing link, they used an attachment with Word macros, and then they delivered it to the endpoint; the client executed it, allowing them to get access to the actual host. If you notice, a lot of this is still very high level, right? We sometimes still have to make these assumptions. What kind of macro document did they actually send? Is it publicly available? Is it something we need to create on our own? We know that there's an attachment, but it's still not really specific, which sometimes makes things difficult.

Other times you get specific instructions about how you can actually emulate adversaries. So Conti was the actor that I mentioned earlier; that's a ransomware-as-a-service affiliate group, where they offer their tool out to operators that want to deploy ransomware and encrypt networks. In the past year their playbook was actually released and translated. You can download it on GitHub yourself, and it's actually really fascinating, because it goes through what they use, which is Cobalt Strike. So Cobalt Strike is, well, it's a commercial tool for command and control, but in the actual playbook they detail the different steps that an operator, so someone using their tool, should take to gain elevated rights, or how they should actually carry out a ransomware campaign. And this is really rich information, right? We can see, okay, they're going to do "shell whoami," right? That's on the Cobalt Strike beacon, and they're executing whoami, and that is an example of a technique, that procedure-level data that we have, that they need to occur. And we can start chaining these different types of atomic testing to then build out our emulation plan. If we have to guess, we can also use a new concept, a relatively new concept, called Attack Flow. So like I mentioned, we don't always have the luxury of having that clear procedure-level data.
that we can use in our actual networks or our testing as an emulation plan but making assumptions and guessing is still okay so if folks have read the recent verizon data breach and it's a response report the diva report of 2022 you'll see that there's nothing in that report that maps to ttp instead what they've done is aligned to with minor ingenuity and that's more in terms of the impact of a breach and less so about how actors actually did their actions or atomic testing but we can still make those different types of assumptions by creating attack flow so on the right hand side you'll see what i have displayed is an image of what we can consider attack
flow it's a little bit easier to understand if you have it blown up but this is actually from the tesla bridge that occurred and instead of going very specific to the atomic testing we can still keep it high level and make an emulation plan that's again repeatable it's accurate and complete based on what actually occurred from uh threat intelligence of maybe what we only have so in this case at the top you'll see that kubernetes kubernetes was exposed uh so that was compromised that allowed them to start executing commands and then that again elevating the rights or gaining credentials they could uh put a cryptocurrency mine around the system um in that attack flow you could start
thinking about ways you can actually emulate or ask your penetration testers to ensure that they're actually doing something similar maybe that's something i really care about of saying i have kubernetes is it exposed how can i actually go about testing it but the end goal is really just to ensure that we have high confidence we're never going to get 100 accuracy of a technique we can't emulate a technique fully we can only really emulate the procedures so we only have some confidence variance between for this technique i have a pretty high confidence i can stop or detect versus another one maybe it's more in the red maybe it's unclear if i tested it or it's never been tested in my environment
Another way you can go about prioritization is using MITRE Engenuity's calculator. So on the right side is their tool where essentially, if you wanted to list out the CIS Controls or NIST 800-53, you can start mapping all your controls that we talked about before: if you know that your organization's using these governance frameworks, you can start mapping this and creating TTPs that are actually really important to test, maybe it's a top priority. And they go about that by, mainly, the key one that I want to talk about is the chokepoint, because each technique needs to be executed somehow. So a really good example is process injection, where if you want to successfully emulate process injection you need to (a) first use a command line, either PowerShell or cmd, and you also need to execute down some sort of different service, and a lot of different atomic tests or procedures are incorporated into just process injection alone. That can include PowerShell execution, it can include a whole load of different types of techniques right there alone, so that's a really high priority type of technique that you may want to detect or prevent, compared to someone leaving a ransomware note. That's just creating a file, right? There's not many different opportunities or various different techniques that are used to just leave a file on an endpoint.

Again, so linking procedures: I just want to touch on again the Prelude team, or what we're actually going to showcase, goes into this really well in a blog post, but you should really think about those atomic tests as actions that build up to some sort of attack stream. So if all I do is just emulate Impact, so the tactic being Impact, and one of the objectives as a ransomware actor is to leave a ransomware note to showcase that your files are encrypted, if all I do on my endpoint is just show a file there, that's not really giving a fair test to the EDR, and all you're doing is just, okay, we have a file on the network, and not really showcasing the full impact of what actually occurred on an endpoint. That's why you want to make sure you build up these test cases together in a string of an actual attack chain. So what are the adversaries actually doing to then leave the file? Maybe they delete shadow copies on an endpoint so you can't back up a Windows system anymore, and then they start archiving and collecting data, and then they'll leave the ransomware note. That builds up an attack chain that is actually actionable for your tools to actually defend against. So now I'm hoping that all of this is going to, I can at least emulate this; I'm going to start my lab real quick so we can get into some examples.

For those that don't know, I'm using the Detection Lab for this on Snap Labs. This is a really easy way to actually do these test cases, so if you've never done this before or are actually interested in starting, this is going outside your production network, obviously; we're just using a lab, but it's a really cheap and easy way to do it where you can use these templates such as the Detection Lab, that's a community resource, and deploy in AWS and get this instant lab kind of built for you, where you have a DC, you have a Windows environment, and you can install any tools. It has internet access, anything you need, you can really start creating these test cases. So this is, at a high level, what the network diagram can look like. Yes, I'm going to be a little bit malicious, I'm going to put my tools on a DC just for the essence of time and just being able to showcase what we want.
So as this loads up, the tool that I'm going to showcase is called Prelude Operator. It's a graphical application that gives you the ability to actually carry out these types of exercises. Some of you may have heard of Atomic Red Team. Atomic Red Team is a really good resource and that's a really good place to start, but there's a caveat there: Atomic Red Team is really good at testing telemetry, but it kind of fails, or one of the things that you need to understand is that if you execute something from Atomic Red Team it may not give you the best outcome, at least for your defending controls to actually see what's actually going on. So from an EDR perspective you may be getting into an unfair or unrealistic scenario, and that's kind of important to making sure what you're doing is actually complete and accurate, because otherwise if you just run one atomic test you don't get the full chain behavior where your EDR would then pick up malicious activity; you may just be executing something and all your EDR is doing is picking up the telemetry that something happened. However, that being said, Atomic Red Team is a fantastic place to start, especially if you've never done any of these exercises, and that's a great way to at least ensure that your systems or your controls on the endpoint are actually picking up that activity.

So right here, what Prelude Operator gives you is different types of beacons or agents. You can think of them as, I showcased the Cobalt Strike playbook that Conti released, so we can think of this as: we have remote access on a system, and we're really thinking about post-compromise. A lot of these techniques require administrative credentials, and to sell the idea that we want admin credentials is really important. So oftentimes we'll run into scenarios where some clients, or even people, will just say, oh, that would never happen, you need to get admin rights, we've segregated admin rights by giving DA for our admins and then we have a separate account; meanwhile they have DA on their workstations and member servers. So it's a difficult conversation to have, but you need to get them to at least align to the idea that we need to assume post-compromise, mainly for the efficiency of our test cases. Because obviously if I'm going to dump credentials, we can go about first showcasing my assumption of how we separate the privileges: if I try to dump credentials as a low-privileged user, nothing should happen, right? I shouldn't get the credentials dumped, and then that's maybe the first test case, and you start building it up as you go if you need that buy-in. But it's really important that we're actually accurately testing the test case, where if I was able to successfully dump your credentials, you kind of miss that if you don't actually give admin rights to actually emulate that behavior.

They have a training platform as well, so if you wanted to go through their introductory CTF of how to actually use the tool, that's available. This is also a community tool, so you can download it tomorrow and get started; it's completely open source and free on the Community Edition. On the top, if you see it, I have a professional license; it's $50 a month or so, but what that really gives me is the ability to create these attack chains, or leverage the ones that they create every Tuesday, to then target an endpoint. But at least to get started you can certainly start using this completely free. One of the settings goes into the actual plugins that they have available; the one that I want to touch on is VECTR. VECTR is a reporting tool for these sets of assessments, so if we're trying to incorporate this completely internally we may be able to use VECTR, for example, to emulate actions using Prelude: so we build up our emulation plan and we have this life cycle, and then we have these fancy reports that we generated for executives, especially if we don't want to showcase exactly the procedure-level data of what we did, but maybe we want to showcase at a high level the Navigator heat map, and I'll show that in just a minute.

Additionally, for each beacon you'll see red means that it's dead, meaning I don't actually have access to it, and you can actually use Prelude Operator as an actual C2 where you can set up redirectors. Right now, for the sake of demonstration, I just have it directly on my endpoint, but you can actually start making these plans a little bit more accurate and complete compared to Atomic Red Team, which is really just focusing on that single isolated test, where you can actually try to emulate C2 behavior: you have a redirector, you install a beacon or agent on the host, and the agent is actually communicating outbound, egress out of your network, where you have an operator view that kind of communicates through that midpoint section. Again, so for this profile you'll see my beacon targets just the localhost, so for the sake of demonstration I do not have a redirector, but here I can start emulating chains or start executing different atomic tests. I should mention too, for Prelude Operator, they have integrated Atomic Red Team; in the past they've been trying to figure out ways to actually incorporate that library into it. So if you see one of the techniques, so I keep talking about T1003, I can search by technique, right? So T1003 at the very top is what I'm looking for. I'm going to say I'm going to dump the NTDS database, because this is a DC. In yellow means it's a community resource, and this community resource is actually from Atomic Red Team itself, so this is where they've integrated this test case from Atomic Red Team. But then what's more is I can start building out that kind of realistic scenario, where I know an attacker is going to dump these credentials, but maybe initially they're going to do a lookup for users, or enumerate users or something, so get Active Directory users, and I can start building these chains. So you can see that it wants me to save this attack chain, where simply right now I want to get Active Directory users, so it's going to execute this script on the very bottom, and then the next step, or this atomic step that it's going to execute, is dumping the NTDS. Maybe not the most realistic scenario, but just for the sake of demonstration I can just simply hit Deploy and I get this green little icon for anything that I executed that actually worked, so I get some sort of assurance that what I actually did worked in the environment or endpoint as intended. If it's red, it'll come back saying that maybe I needed a dependency, I needed to modify a script or add some additional data.

I executed some beforehand as well, so if I showcase for example that ransomware chain that I talked about, so archiving data and then leaving a ransomware note: we could, for example, list directories in the user's home, and you can see on my lab machine this is what got executed. That PowerShell command got executed in the chain, listing Desktop, Documents, etc., and then it created a staging directory, meaning that I wanted to emulate the behavior of: I listed directories, I'm compiling different files like a ransomware actor would, all occurring from this beacon. So the beacon is executing PowerShell and using these different types of atomics that I've laid out and made for the actual assessment, and then at the very end it's going to leave an encrypted note, right? Maybe this is a production system; I don't want to actually encrypt files or do anything, but I'm going to leave a ransomware note to then emulate that chain of activity. I mentioned VECTR, so now we can go into the reporting. This tool is automatically plugged in: if I use that plugin, VECTR, it goes to the VECTR API, which is the reporting tool that I was talking about, and we can start seeing what actually occurred on the system and documenting the actual test cases.

So if I, for example, was looking to do Conti initial access, which is a different chain, if I still open it, I'm not sure if I can find it, but if you believe me, Conti initial access is one of the chains I emulated, and you can probably at least run a quick one in the background. So Conti discovery here, for example, is a chain that's already been written, and you can see this is everything that was in the playbook that I showcased a little bit ago from that Conti ransomware affiliate group, and here's all the steps that they may do in an actual network once they've actually compromised the system: they'll look for permissions, they'll discover the domain controller, enumerate computers, local users, domains, administrators, who's logged in, they'll try to get some credentials and hashes. I can even showcase the actual views to the TTP identifiers.
My window is kind of big, so it may not like what I'm doing, but here's the actual TTPs or techniques that we're emulating. So I can even look, before I execute, at an example of what commands are actually going to be run, and I can hit Deploy. So I just hit a button and all of a sudden I'm emulating this adversary. So I really care about Conti and I want to showcase to the business: hey, I don't know how my EDR or SIEM is actually going to work, I want to build this test case, and we're going to start first very simple, just do Conti discovery. It's not going to do their privilege escalation or really impact the system; we're just doing this discovery phase and seeing how our system actually aligns, maybe we're trying to build up our defenses a little bit. And if we go back to VECTR, this is initial access, so I'll go back to discovery, and if you saw the Prelude stuff come up, that's it at least communicating to my VECTR right now by the API. I can see each test case is already laid out for me, and what's more is if I click on one I can see the operator command that I actually output, or what it actually did. So this is actual test execution that I performed: it ran "cmd.exe /c net localgroup administrators", so just examining who's in the local Administrators group. That's really trivial and simple to understand, right? It's not a complicated zero-day or really malicious binary that got exploited, we didn't do anything fancy, but this is a huge win right now, where we're looking at observed attacker data: we know that this is a chain, or direction, attackers are actually executing in networks, and we can see what the actual outcome is, all via the API.

So now I get the ability to start tracking what actually occurred in my systems. So maybe nothing happened, I didn't even get a detection out of it. Maybe I know it was logged in my systems because I have a SIEM that's supposed to be doing this, and I can hit Save. It's that one action; now it gets updated with Not Detected. I can then finally go into reporting, and you can see I didn't complete everything, right, and I didn't go through the entire exercise, but I start getting these graphs that are much easier to understand for management and executives, where I don't have to go into the details of explaining what Conti is, or what procedure we actually ran with cmd, or what actually happened. I could just tell them, like, hey, this first emulation plan, we failed, we didn't actually get the detection logic, or we weren't able to prevent the adversary from accomplishing what they're looking to do, but then we retested and then we got to this end result. So you kind of showcase a level of history between trends of what actually occurred on the endpoint. My favorite is the heat map, which is going to be only so much revealed right now, but we can start building a heat map as well, in terms of understanding our control environment from, again, that trend data of tracking historical assessments that we perform. So maybe that first time I ran Conti discovery it went really poorly, and my assumptions were completely incorrect, but then I went to my security team and I fixed it, and we have the ability to retest and remediate things and then come back and have a historical trend between: here's things that are red, but here's what we did to fix that. That's a more proactive approach. Does anyone have any questions so far?
Audience member: You know, CrowdStrike caught this procedure that falls within, because ATT&CK's an abstraction, yeah, so it caught this procedure within this technique, but then we failed like four or five others that also fall under it. How do you, or your organization, explain that almost cognitive dissonance there to an executive team, and also how do you grade that, right?

So I think the question, and correct me if I'm wrong, is: if you created an emulation plan where you have five different atomic tests that you're emulating, and maybe only one of the five gets caught or detected, how do you explain to management that there's still more work to be done, where you can't just rely on that one test case that was detected or blocked; you have to kind of view it in totality, and how do you actually explain that? In my opinion that's kind of just a conversation with the executive team and, first off, the management, to get them aligned with why we're actually executing this and making sure that those test cases we're performing align to a specific attack chain. So if I just haphazardly choose random techniques and then they say, oh, I blocked you here or detected you here, is that something that actually is an attack chain that we can look at or examine closely? Where, for example, the password policy one that I mentioned: if I perform, or discover, the password policy, enumerate users and perform a password spray, that's an attack chain in itself, and then a separate one would be credential dumping, and so on. That's how I would break them apart, to be able to then report at least in totality on what we're actually examining. So in a given emulation plan I may say we're going to do five different test cases, or these attack chains, maybe it's specifically discovery, credential access, et cetera, and then that's going to be kind of the report, in terms of how you did in totality of the attack chain and less so about the single procedure, if that makes sense.

One thing about the EDR tools I'll mention too is a lot of them actually can be enabled in audit mode, so they won't actually prevent things, because we're looking really to examine how detection is working, because that's going to be the sole factor, because you can't always prevent everything. But you can enable audit mode to then get the full data of what would actually happen. So if you're actually running an attack chain and you get stopped there at that first step, maybe you can't get the full five different additional atomics; you could put it in audit mode to then see how the next iteration would go, because we're really looking to cover as much as possible in the framework, at least that's aligned to the threat model. Hopefully that answers your question. Does anyone else have any questions?

Audience member: I guess a more general question. I feel like, for techniques, is there like a vetting process for how they get added to the MITRE ATT&CK repository?

Yeah, so it's mainly just publicly available threat intelligence. So the one that I referred to, Red Canary's detection report, that's one example where they're examining threats and breaches, essentially, and they are looking at what an actual attacker is doing. And if we go to this example where essentially CrowdStrike would release a report of what the adversary actually did, in that report you can start mapping techniques to the MITRE ATT&CK framework, and that exercise is somewhat rigorous. So you'll see "linked to malicious site that downloads the Flash installer", that's maybe the only threat intelligence available, and then analysts are looking at that and then mapping it back to the ATT&CK framework. Another great example is MFA fatigue, so that soft token I was mentioning, where the threat actor was just bombing this end user with alert authentication requests. That's a really good example, because that wasn't observed up until now in public data, so it didn't exist until they actually observed it and put it into ATT&CK. It's all analysts; it's a community repo, so it's always being updated.

Audience member: Yeah, yep.

Any other? I think we have time. So, cool, if you have any questions feel free to get in touch or ask me, I'll be around, but thank you. [Applause]
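The in-totality grading of chained test cases, the retest history and the heat map that the talk describes, written up as an added example that is not part of the talk and not code from Prelude Operator or VECTR. The outcome vocabulary, the colour palette, the subset of ATT&CK Navigator layer fields used and the sample results are my own constructed assumptions.

```python
"""Added example: grade chained emulation test cases in totality, keep a
retest history, and emit an ATT&CK Navigator layer for the heat map.
Outcome names, colours, the layer field subset and SAMPLE are assumptions."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Higher score = more confidence in the control (the talk's green versus red).
OUTCOME_SCORE = {"NOT_DETECTED": 0, "DETECTED": 1, "PREVENTED": 2}
COLORS = {0: "#d9534f", 1: "#f0ad4e", 2: "#5cb85c"}  # red, amber, green (assumed)


@dataclass(frozen=True)
class TestResult:
    chain: str         # attack chain the step belongs to, e.g. "conti-discovery"
    step: int          # order inside the chain; later steps build on earlier ones
    technique_id: str  # ATT&CK technique the atomic emulates
    procedure: str     # what was actually run (procedure-level detail)
    outcome: str       # PREVENTED, DETECTED or NOT_DETECTED
    run: int           # assessment iteration: 1 = first run, 2 = retest, ...


def latest_state(results: List[TestResult],
                 up_to_run: Optional[int] = None) -> Dict[Tuple[str, int], TestResult]:
    """Most recent result for every (chain, step), optionally as of a given run.
    A retest of one step overrides its earlier run; untested steps keep the old result."""
    latest: Dict[Tuple[str, int], TestResult] = {}
    for r in results:
        if up_to_run is not None and r.run > up_to_run:
            continue
        key = (r.chain, r.step)
        if key not in latest or r.run > latest[key].run:
            latest[key] = r
    return latest


def chain_summary(results: List[TestResult],
                  up_to_run: Optional[int] = None) -> Dict[str, dict]:
    """Grade each chain in totality: one caught step does not mean the chain was
    stopped, so a chain is only as good as its weakest step."""
    summary: Dict[str, dict] = {}
    for (chain, _), r in latest_state(results, up_to_run).items():
        cur = summary.setdefault(chain, {"steps": 0, "weakest": "PREVENTED", "missed": []})
        cur["steps"] += 1
        if OUTCOME_SCORE[r.outcome] < OUTCOME_SCORE[cur["weakest"]]:
            cur["weakest"] = r.outcome
        if r.outcome == "NOT_DETECTED":
            cur["missed"].append(r.technique_id)
    return summary


def trend(results: List[TestResult]) -> Dict[str, List[str]]:
    """Weakest outcome of every chain after each run: the history/trend view."""
    runs = sorted({r.run for r in results})
    chains = sorted({r.chain for r in results})
    return {c: [chain_summary(results, run).get(c, {}).get("weakest", "NOT_TESTED")
                for run in runs] for c in chains}


def build_layer(results: List[TestResult], name: str) -> dict:
    """Navigator layer: each technique scores its worst latest outcome across chains."""
    per_tech: Dict[str, TestResult] = {}
    for r in latest_state(results).values():
        worst = per_tech.get(r.technique_id)
        if worst is None or OUTCOME_SCORE[r.outcome] < OUTCOME_SCORE[worst.outcome]:
            per_tech[r.technique_id] = r
    techniques = [{"techniqueID": tid, "score": OUTCOME_SCORE[r.outcome],
                   "color": COLORS[OUTCOME_SCORE[r.outcome]],
                   "comment": f"{r.chain} step {r.step}: {r.outcome} ({r.procedure})"}
                  for tid, r in sorted(per_tech.items())]
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}


# Constructed sample: two chains, a first run, then a partial retest after fixes.
SAMPLE = [
    TestResult("conti-discovery", 1, "T1069.001", "net localgroup administrators", "NOT_DETECTED", 1),
    TestResult("conti-discovery", 2, "T1087.002", "enumerate AD users", "NOT_DETECTED", 1),
    TestResult("conti-discovery", 3, "T1003.003", "NTDS dump on the DC", "DETECTED", 1),
    TestResult("ransomware-impact", 1, "T1490", "delete shadow copies", "NOT_DETECTED", 1),
    TestResult("ransomware-impact", 2, "T1560.001", "archive staged documents", "NOT_DETECTED", 1),
    TestResult("ransomware-impact", 3, "T1486", "drop ransom note", "DETECTED", 1),
    TestResult("conti-discovery", 1, "T1069.001", "net localgroup administrators", "DETECTED", 2),
    TestResult("conti-discovery", 2, "T1087.002", "enumerate AD users", "DETECTED", 2),
    TestResult("conti-discovery", 3, "T1003.003", "NTDS dump on the DC", "PREVENTED", 2),
    TestResult("ransomware-impact", 1, "T1490", "delete shadow copies", "PREVENTED", 2),
]

if __name__ == "__main__":
    print(json.dumps(chain_summary(SAMPLE), indent=2))
    print(json.dumps(trend(SAMPLE), indent=2))
    print(json.dumps(build_layer(SAMPLE, "emulation - latest state"), indent=2))
```

The layer JSON can be loaded into ATT&CK Navigator to show the heat map the talk mentions, while the chain summary is the in-totality view for the executive report.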