So you want to beat the Red Team

BSides Philly · 2017 · 51:10 · 39 views · Published 2017-08
Category: Technical · Team: Blue · Style: Talk
About this talk
They say, "The Red Team ALWAYS wins!" Do you want to save face against the Red Team? Trying to beat them? No budget to hire a Red Team but want the cliff notes? In this presentation, I'll describe several paths to compromise and the most valuable techniques I've found, whether facing the Red Team or real malicious actors.

Cameron Moore has been working in IT and Information Security for 20 years. He holds a Bachelor's Degree in Computer Science from Texas State University and holds a CISSP, CISM, and GCIH. Cameron is passionate about Red Team/Blue Team exercises and security solutions that provide measurable results, and believes an organization's detection and response capabilities are the most important measure of a security program. He has worked in Education, Banking and Healthcare and is currently the IT & Security Manager for Texas RE.

Cameron Moore @truck38
Transcript [en]

Hi folks, anga Kia, unfortunately we don't have any audio in here until about the 17-minute 52-second mark. Sorry for the inconvenience.

...some of our users who clicked on really stupid stuff, you know, as part of camaraderie. But really, at the end of the day, like, my message to my staff is: you've got to pick up their slack. Even though there are a bunch of, you know, idiots, you've got to pick up their slack, right? And that's really important. Ways that we pick up their slack: if you come to one of my security awareness trainings and somebody on your team misses that meeting (they're on vacation, they're sick, they didn't show up) and their boss is gonna do it, then we sit down as the pretend Yeller money, you know, your employees at the company will sit down, come up with the phishing, and then we'll attack the people that didn't show up to the meeting, right? It gives them buy-in, they think it's kind of fun, and they pay attention a little bit better. It kind of gamifies it a little bit for them as well, makes it interesting. They get to see, you know, how to social engineer somebody, how to go find all their information on the internet and then make a phone call to try and get some of that stuff out. Doing whatever you can to raise that level of engagement, making it interesting, is good, but just know it's never going to get to a hundred percent. You've got to really focus on what you can do after they've clicked, how you can find out after they clicked, so pay attention to that, that's important.

All right, so you're in the middle of an engagement, or you're actually being targeted by somebody. The first thing that we've found, after phishing, is your external services: do we have two-factor? Because if they get credentials, boom. We've had red team engagements where they've got credentials, they enabled EAS on a device, and now they're acting as that employee, sending emails as that employee. The best one that we had was they actually got into IT's email address, you know, like the distribution list, and were sending

emails to employees: hey, click on this link, I need you to check this out, can you see what this is doing? And that's how they did it. It was awesome, I mean, and they did it remotely, they never set foot, you know, never came in our offices, they did it all through EAS. The cool thing is that I told my CEO and my vice president about this and they were like, well, let's get rid of OWA. And I'm like, really? I mean, you just want me to get rid of it? They're like, yeah, get rid of it. I'm like, not what I was expecting, but okay. So, much to the rest of the company's, you know, dismay, and mine as well, I really didn't expect it. They were like, yeah, just get rid of it, it's invulnerable then. Yeah, go for it. I'm like, I think there's some things we can do, but you're the boss, so okay. VPN, same thing. You know, look at your stuff: your web apps, your portals, your whatever they are, do they have two-factor? Education, whether it's... I guarantee you the red team's gonna phish, and they're gonna use that right off the bat. I mean, like the guys you've been hearing from today, that's the fastest way to try and gain entry, so be prepared.

You know, there's been a lot of debate. Security people, I love them, they can agree with you and then they'll argue to death about something that's, you know, I feel like, hey, I think we're saying something similar, the implementation might be different. I've gotten a lot of debate, a lot of criticism about SMS text messages as being a second factor, or multi-factor, whatever you want to call it. You know, I've heard great arguments pro, whatever. My thought on it is: if you put something in there like that, yeah, can it be bypassed? Can somebody figure out a way to spoof something and get that code back, or phish the user for the code? Yeah, absolutely. But you know what, there's a good chance that you're probably going to run into somebody who didn't do that. It gives you another opportunity to detect the red team's presence, somebody to report and go, hey, I didn't reset my password and I got this SMS text, and then another text saying to send me that. It just creates that opportunity of you walking down the hall and seeing a creepy old dude tying his shoe and somebody saying something. And that's really, again, back to that detection, right? The things that we've focused on have been very much detection as well as prevention, but detection is the heart of it. So if you can do anything, SMS text or even just an

email with a code, it's better than nothing, trust me. Number two. So beyond phishing, let's say that they actually get on a machine. A lot of times in some of our smaller tiger team engagements I straight-up give the red team one of my laptops. I'm like, hey, here's one of our laptops, go to town. So they can go sit out in the parking lot, connect to our Wi-Fi, you know, do all that fun stuff, and it's my job, like, my team's job, to figure out if something odd is happening, right? So anyway, real quickly, they're gonna start running PowerShell right off the bat. I mean, well, the good ones will. I mean, maybe you get somebody who's like me, still holding on to the VB days, you know, I'm like, awesome. But you know, my admins can do amazing things with PowerShell. It would take me like 50 lines of code to do what one line of code does in PowerShell. Do you guys control that? In our environment, yours might be different, there's zero reason why my users need to be running PowerShell. Zero. So they can't; we disabled it. Application whitelisting, yeah, I know there's ways to bypass it. Again, security people splitting hairs on stuff: having it there is better than not having it there, and it gives you that opportunity to detect something. I don't know how many times we've brought in a new red team company and we said, oh yeah, you see what you can do, and they phish a user, boom, we get an alert because the, you know, malware tried to execute on that machine and our application whitelisting caught it, right? We've blocked it. You know, that is important in our environment. I'm telling you, I don't know how many times we've caught malicious stuff with just PowerShell and application whitelisting. There's really no reason why your users need to be, and you know what, sometimes I don't think my desk should be running PowerShell either, but you know, we figured out a way to let them do that.

So any questions about that right there? There are ways. Yes ma'am.

No, I'm sorry, I will not be; this is mostly Windows-based. I apologize for not including all that stuff, sorry. The reason why a lot of this is tailored to a Windows environment and not the Linux/UNIX one is typically because where we find the most activity, the most opportunity for us to detect, is at the desktop where the end users are, and most of them aren't using Linux. Actually, none of ours are. But I apologize for that. I will say, though, that there are opportunities for you to implement some of this stuff even in a mixed environment like that, so for what it's worth.

Right off the bat, you know, after they gain access to something, they're gonna try some of this stuff. I don't know if you guys know what Responder is, or have played with Responder. You know, I wish that the good guys had a tool that was as easy to use as Responder, that was as effective at doing the things that Responder does. But literally a dummy can go on YouTube, watch a five-minute video, and while they were watching that five-minute video download Kali, it already has Responder on it, and then they can start attacking your network in five minutes. A dummy can, I promise you. You know, you can go teach your secretary, the executive assistant, how to scrape credentials using Responder in a very, very short amount of time. It's a super effective tool, and it's very easy to, you know, deter. Sometimes I hear people talk about, well, we can't disable NetBIOS because we have a legacy system, or another one is SMB signing, they'll be like, oh, I can't do that because I've got to support Linux or UNIX or whatever. Can you disable it somewhere? I mean, you know, maybe you have ten users that are using some Linux system, or you have, you know, accounting that's using a really old, you know, mainframe that you've got to have NetBIOS running on, or something, I don't know. But does the rest of your organization need to have NetBIOS running? If not, then disable it for them, because at least you'll have something protected, right? Because this stuff is really quick and easy. Scary. I mean, like I said, it's really effective, and as I said, it's right there, so trivial, you can just get credentials. And we've been burned by this. One time we had a red team, we had given them a laptop, they're on our network, actually I think they had a little drop box plugged in, anyway. About four hours into the engagement the guy calls me up and says, hey, I just want you to know we're gonna continue on with the, you know, with the engagement, we still have 70-something hours left, but we've already escalated to, you know, domain administrator. And I'm like, how'd you do that? And they're like, well, you

have an admin that's running as, he's logged in as a domain, you know, admin on this server, and you know, WPAD, and I got the credentials in one. And really, we're like four hours into it, I hadn't even had a second cup of coffee yet. This is terrible.

There's another really big one for us. I love it, this is my favorite one, when we have a new pen test company come in, because they try and move laterally and I catch them right off the bat, right? A lot of people disable Windows Firewall inside the network, right, because it's a pain, you know, and you're inside the network, it's trusted. But we don't; we enable it and we block everything that we don't need running off that machine. So if one of my machines tries to ping another machine, I get an alert on it, and I get to see where they were trying to ping, what they were doing. And it's really awesome when the red team or pen tester comes in and they try and port scan something, or they just even try and SSH to a switch or something. You know, it's really awesome because then I can, you know, call up the guy and say, hey, I got you, you tried to do this, please put that in your report so I can give it to my VP and get a raise. But it's really, really effective, because my users, like with PowerShell, they don't need to ping anything. You're an accountant, why are you pinging something, right? And it really freaks them out when you walk up to somebody and say, hey, 22-year-old intern, what were you pinging this for? And they're like, well, I just was, I'm sorry, am I going to lose my job, don't tell my dad. And I'm like, listen, just don't do that anymore, okay? But it's really, really effective at identifying things that aren't happening. Again, it goes back to that detection: you've got to be able to detect quickly things that are abnormal, and this is one of the things that we use, and it catches them really quickly. It's awesome.

Consequently, I should mention that typically we will do an entire year with one company, and my instructions to them are that you learn from the last time you were here, so that it gets harder for us to detect you, so that you don't waltz in and just, you know, blast everything, or you don't run some PowerShell code and I catch you like that. That way they know what I have in place and it makes it harder for them; they have to be more quiet, which makes it harder for my staff to detect them, right? So I should mention that every time the red team comes in, they don't just do things and I catch

them right off the bat. I try and make it really hard.

Another really big one for us, we've had some fun with this one, but we have several different admin accounts. You know, if you're our senior systems admin, he's going to have at least three admin accounts, right? He's going to have a local admin account, he's gonna have what we call a network admin or a machine admin, in some cases where he can get onto servers like the print server and clear a queue or something stupid, or install something, and then there's the domain admin, right? And we're really, really careful to only use the domain admin for domain work, right? There's no reason why you need to log in to a user's machine to install a printer as the domain admin, but yet that happens a lot. I know of a company, you know, they've got a couple of thousand machines and their CIO's running a domain admin as his regular account, right? You know, that kind of stuff happens out there. But it's been really effective for us, because like I told you with the WPAD thing, when a sysadmin logs into a machine and he's using non-domain credentials, so if an attacker gets those credentials, it's limited in scope a little bit, and it allows us to detect if they try and do something thinking they're a domain admin, or trying to pivot around thinking that that admin account might have keys to other servers. So keep that in mind; figure out what levels of account admin separation. There's really no reason why service accounts should ever be a domain admin, right? I mean, if you do have service accounts as domain admin, you probably need to really examine if they actually need it. I know that support told you, I tell this to my admins all the time, I know the support told you to add domain admin, but no, we're not doing that, find a way to get it to work, otherwise, you know, we're ditching the product, right? Keep that in mind. Any questions about that? Yeah.

Hmm, yeah, interactive service login. I kind of put that in there in the last slide, but in our environment, if you create a service account, you know, in Active Directory you have the little Log On To button you can click, and it gives you a list of servers that that account can only log into. If you create a service account in my environment, you have to fill that out. You know, you can't have a service account that can log in to multiple servers that it doesn't need to, whether that's, you know, interactive login or a lot of stuff; we limit that down as well. So yeah, if your service account, no, all service accounts don't need interactive login. Disable that for them, and make it even worse: take that service account, and if it's only for the print server, then put in that Log On To tab the print server and that's it, right? I mean, you have to put the domain admin or the domain controllers in there too so it can authenticate, but you know, trim that list down, so that if they do get that credential all they can do is attack your print server. They can't attack, you know, other file servers or wherever maybe your confidential information is stored. It's a good point, thank you, on that.

I'll tell you that one time we had the red team, and at this point in time we were getting fairly good at

detecting stuff, and we'd locked down a lot. And so we get about ten hours into the engagement, and the only thing that they had been able to do... we'd already been tipped off to their activity, so we're tailing them pretty hard, and we see that they're messing with one of our printers, like a big huge Xerox multifunction something ColorQube, big printer, right? We're like, I don't know what they're doing to that thing. I mean, you know, there's not a lot we can do anyway, because Xerox, you know, we can't really patch it as fast as we want to. And then all of a sudden they stop messing with it, and so we're kind of like, what's going on? Then we start seeing them trying to enumerate all of the user accounts from our Active Directory. Oh, that's really strange, what was that about? And the next thing you know, I get a call from one of my administrators, who said, hey, there's an account that just got created on our network. What? How did they do that? So turns out we had just done a domain upgrade, from I think 2012, maybe 2016, or something like that. I remember, I guess it was 2008 to 2012 is when we did the upgrade, and in the process somehow, I don't know if it was by default or somebody just screwed up on my end, I never figured that out, the join-a-computer-to-the-network, you know, you can do that by default, like each account can join a computer to the network, to the domain, like 10 times. Well, they had gotten onto the printer, they logged in and gotten the address book lookup account, service account, used that to enumerate all of the accounts on our Active Directory, which was pretty awesome. I was like, man, that's cool, I wouldn't have even thought to attack a printer to get that. Once they had an account, all the list of accounts, they went through all the accounts and they found one that was like test user accounting one, right? And then they sprayed the password, turns out it was password one, right? And because we had just done that upgrade, they used that account to then join a VM that they were running to our domain and had administrative privileges on that machine, that VM that they created. So it was pretty awesome. I mean, honestly, that was a really cool little pathway that they got, you know, to create a machine on my network. And of course, because they had a list, they knew how to do the convention so that it looked legitimate and not like desktop VM seven eight nine five. But anyway, that's a good example of where limiting those accounts to only log in on what they need to be able to log in on would have been able to help us out a little bit. To go back a little bit, that test user account, one of our devs, I love dev people, but one of our devs had created it to do some testing with on our intranet, and so using that account they also were able to, you know, go into the accounting, because it was in accounting, and take out some personal information as well. So a good red team win there. It was pretty awesome too, because we were starting to get a

little cocky at that point, we were feeling pretty confident.

Physical security: if you have a physical component to your red team, which, like I said, we do not always, they tend to ramp the cost up quite a bit and generally are a lot more difficult to, you know, correct. But one of them is port security. Being able to detect whether it's the red team or the secretary's son's computer plugging into our network is pretty important. Because the secretary's son is a twelve-year-old and he's doing terrible things on his computer in his room while his mom's not there, and it comes onto our network because she needs to try and fix it and the internet's not working at their house, so she plugs it into our network and boom. Can I detect that quickly? Because I don't want that machine. And the red team, if you have a physical component, they will do the same thing, whether it's a wireless AP like we've seen, whether it's a drop box that's going to phone home, or whether it's an actual laptop that they're just sitting there interacting with. You need to be able to do that. Vendors: we've caught vendors. I've walked into conference rooms before and I said, hey sir, do you mind unplugging your machine from my network? Not only does it make your staff realize that, okay, they're serious about this, it also reminds the vendor that you can't do that, and it embarrasses them quite a bit. So far I haven't been pushed back on that, but you know, it's important. Those are things that you really, you know, have got to be able to identify quickly.

Okay, so here's some of the notables. I talk about these because they've been important to us, but they've not necessarily, like, saved us in the long run, with the exception of the outbound port blocking. We have actually caught malware because it was trying to send stuff on ports that were not allowed. But we all know that you can just put it on port 80 and, you know, put whatever you want in it anyway, and it'll still go out, because we allow port 80.

I'm sure you guys do too, in reality. Microsoft ATA. I really hope Microsoft, and by the way, I'm not pushing Microsoft stuff, but this product, it's kind of interesting and I throw it out there just as something to be aware of, because I really hope Microsoft invests a lot in it and makes it more robust and better. But it's really cool, because if you run, you know, where's the enum for, I don't know how you pronounce that because I'm not really, like, cool, but if you go and you try and enumerate a list of accounts off Active Directory, Microsoft ATA will alert you to that. The other really cool thing is, so we schedule restarts after patches in bulk, right? So these servers are going to restart because they just got patches. It's really neat, because that only happens every once in a while, I mean, it's not like a daily occurrence, and Microsoft ATA will, you know, alert us to say, hey, this admin account just told all these servers to reboot, or just logged into all these servers. So it's pretty interesting. As I said, I'm not pushing it, it's not something that's really saved us a lot, but it's been kind of neat to watch.

Certificate-based authentication, Wi-Fi authentication, has been important to us. The red team has tried very hard to get onto our website and our corporate Wi-Fi, and having that certificate-based authentication, something other than the passphrase, has been useful. Before we had that, the red team was able to figure out a way to get onto that network, and generally it was done by social engineering, or by, you know, getting it off of the user's machine, piggybacking off that machine somehow, I don't remember exactly. But once we got that certificate-based authentication in there, it really helped us out, not having that password anymore. I talked about port blocking, and then the service account control, we've already kind of hit on that: Log On To tab, time of day usage, that kind of stuff. It's built in there, but nobody really uses it, or at least doesn't use it very often. We found that to be tremendously helpful. If we know backup jobs are only going to run between, you know, midnight and 6:00 a.m., that service account doesn't need to be logging in at 2:00 p.m. It just doesn't. And so we use that; keep that stuff in mind.

You know, like I said, none of what we talked about is going to save you. At the end of the day, it's really about detection and response, and a lot of these things that I've talked about here we have seen and really rely on as really good indicators, I hate trying to use the jargon, but you know, really good ways to detect things that aren't normal. It's still your job to respond to it adequately and figure out, is it just normal, or is this actually malicious? So anyway, that's kind of what I've got. The worst thing, the poorest security, is poorly adopted security. We've all done things where people try and get around it, right? We put in YouTube blocking and people figured out that their laptops could connect to the guest Wi-Fi, so guess what they did: they undocked, they connected their laptop to the guest Wi-Fi, and next thing you know they're on the actual open internet, not as protected as inside the corporate network. You know, there's some things that we've done about that,

but my point of it is, as you are going through your security program, really think about how it impacts the user, and if they're going to try and get around it, and if they do, can you detect that, can you prevent that? All of those things matter. The red team's going to come in and do it. The best red teamers, the best pen testers, are the best system admins out there. If you want to be a really good sysadmin, you could probably be a really good pen tester. So, any questions, comments? Yes sir. Yep. Yeah, yeah.

Well, I will say, and this is probably true of anything that you do in life, planning and preparation go a long way. So the question was, is there any one big bang for the buck? Because turning some of these things on, just turning them on, is going to create a lot of false positives, it's going to create a lot of mayhem for users, and that is absolutely true. If I were to say any one thing, application whitelisting and PowerShell are probably the biggest at preventing and detecting that we see, and that goes with malware, that goes with the red team, or my own users trying to do stuff. But it goes back to the preparation and planning. When we first initially started rolling out application whitelisting, of course, we, you know, we do our due diligence, figure out what needs to run, what's running on our users' machines. We already had it pretty tightly locked down as far as our software inventory goes, so we knew what was out there, but what we weren't prepared for was applications that behaved badly. I was shocked how many applications run stuff from the AppData. I mean, it was literally an executable in the user AppData folder that it's calling to run. That's terrible, that's a terrible approach. So I called up several vendors and pretty much gave them an earful: hey, this is dumb, I mean, this is really bad practice, really bad practice. You know, you do have to do a lot of real passes at application whitelisting, and so you have to be aware of those things. So really, if you're trying to implement any control that's both preventive and detective, be prepared to spend a lot of time planning it and thinking it through, testing it, and then rolling it out, and be ready for some pushback, but to address those things that will come up. Port blocking was easy for us. You know, we just looked at traffic. Like I said, we have pretty tight controls on software, so there wasn't a lot that we were expecting to see, and in the end of it there really wasn't a lot.

Um, well, there's a lot, I'll tell you. You know, I mean, in really big environments, like a thousand machines or more, I mean, that's not really big, but let's just start at a thousand, okay? So the bigger your environment, the more you're gonna have to rely on third-party products. But if you're in a small environment, I mean, you know, a couple hundred people, that's easy to do. You can write some PowerShell script, you can go get MAC addresses, you can get them out of your DHCP server, and you throw those in a list on your switch, and then you get an alert when something tries to connect on that. It is vulnerable to spoofing, there are things, but again, somebody comes into your environment, they're not expecting that, they get on your network and boom, you get an alert right there. Again, a lot of this stuff, there's ways around it, but that's one way to do it. I try not to mention vendors specifically in this talk, because I really, really feel like a lot of people could benefit from moving away from "we need to go get a product to do this" and really thinking through how can we do this effectively, because in some cases you need a product, and in some cases you just need some planning, and, you know, maybe a couple lines of PowerShell.

Yeah, so everybody gets to that point where you're like, these alerts are killing me. Outbound port blocking is probably a great example of that, because there's always some application that you really can't turn off, whatever it's trying to phone home to or doing. And so what I would say in that respect is that, you know, one of the things that we've learned is, things that we thought were important to us, through all this red teaming and all this practicing, ended up not being important to us at all. Getting alerted on outbound port blocking for the ephemeral range matters zero to us, right, in most cases. But if we see something on port 21, 22, 25, red flags fly up. The other thing is narrowing it down to a specific scope. For instance, some of my servers try and phone home on that stuff; we don't care about that as much as the endpoints, because we know that endpoints are more vulnerable, since we don't control the person using it. So if an end user's computer goes out on some kind of port that gets blocked, we want to know about that more than we do, you know, our WSUS server or whatever. So that's kind of how we handle it. It really is a risk management process of looking at what's effective and what's not, and in some cases you find out a little bit down the road that, yeah, this alert was good in theory, but then we get a lot of false positives and it's really useless to us, so we trim those things down. Yes sir.
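An added example, not code from the talk or the speaker, of the alert triage described in this answer and in the earlier Windows Firewall story: it parses Windows Firewall log DROP lines, ignores ephemeral-range noise, flags ICMP echo and outbound 21/22/25, and ranks endpoint subnets above servers. The subnet prefixes, the watch list and the sample log lines are constructed assumptions.

```powershell
# Added example, not code from the talk. Triages Windows Firewall log DROP lines the way the
# speaker describes: only outbound (SEND) drops, ephemeral-range noise ignored, ICMP echo and
# TCP 21/22/25 flagged, and endpoint subnets ranked above servers. The log layout is the
# standard W3C pfirewall.log (enable drops with: Set-NetFirewallProfile -All -LogBlocked True).
# Subnet prefixes, the watch list and the sample lines are constructed assumptions.

$EndpointPrefixes = @('10.1.20.', '10.1.21.')   # assumption: workstation VLANs
$WatchPorts = @(21, 22, 25)                     # the ports the talk calls red flags

function ConvertFrom-FirewallLogLine {
    param([string]$Line)
    # Skip blank lines and the #Version / #Fields header.
    if ([string]::IsNullOrWhiteSpace($Line) -or $Line.StartsWith('#')) { return $null }
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 17) { return $null }
    [pscustomobject]@{
        Time     = "$($f[0]) $($f[1])"
        Action   = $f[2]
        Protocol = $f[3]
        SrcIp    = $f[4]
        DstIp    = $f[5]
        DstPort  = if ($f[7] -match '^\d+$') { [int]$f[7] } else { $null }
        IcmpType = if ($f[13] -match '^\d+$') { [int]$f[13] } else { $null }
        Path     = $f[16]   # SEND = outbound from this host, RECEIVE = inbound
    }
}

function Test-IsEndpoint {
    param([string]$Ip)
    foreach ($p in $EndpointPrefixes) { if ($Ip.StartsWith($p)) { return $true } }
    return $false
}

function Get-FirewallAlerts {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $e = ConvertFrom-FirewallLogLine -Line $line
        if ($null -eq $e -or $e.Action -ne 'DROP' -or $e.Path -ne 'SEND') { continue }

        $reason = $null
        if ($e.Protocol -eq 'ICMP' -and $e.IcmpType -eq 8) {
            $reason = 'ICMP echo request (ping)'          # "why is an accountant pinging something?"
        }
        elseif ($e.Protocol -eq 'TCP' -and $WatchPorts -contains $e.DstPort) {
            $reason = "outbound TCP/$($e.DstPort) blocked"
        }
        elseif ($e.Protocol -eq 'TCP' -and $e.DstPort -ge 49152) {
            continue                                      # ephemeral range: "matters zero to us"
        }
        if (-not $reason) { continue }

        # Endpoints outrank servers: we don't control the person using the endpoint.
        $severity = if (Test-IsEndpoint -Ip $e.SrcIp) { 'HIGH' } else { 'LOW' }
        [pscustomobject]@{ Time = $e.Time; Severity = $severity; Source = $e.SrcIp
                           Dest = $e.DstIp; Reason = $reason }
    }
}

# Constructed sample log (not real traffic): 10.1.20.x are workstations, 10.1.5.x servers.
$SampleLog = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-08-14 09:12:01 DROP ICMP 10.1.20.55 10.1.5.10 - - 60 - - - - 8 0 - SEND
2017-08-14 09:13:40 DROP TCP 10.1.20.55 10.1.5.3 49812 22 52 S 1234567 0 8192 - - - SEND
2017-08-14 09:14:02 DROP TCP 10.1.20.71 203.0.113.9 50120 55555 52 S 7654321 0 8192 - - - SEND
2017-08-14 09:15:11 DROP TCP 10.1.5.20 198.51.100.4 51000 25 52 S 1111111 0 8192 - - - SEND
2017-08-14 09:15:30 DROP TCP 10.1.20.71 10.1.5.20 51001 445 52 S 2222222 0 8192 - - - RECEIVE
'@
Get-FirewallAlerts -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Point `-Lines` at `Get-Content` of the real pfirewall.log on a workstation to run it against live drops; the prefixes and watch list are the tuning knobs the answer talks about.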

Yeah, well, typically, like, you know, the planning and preparation: you're gonna start communicating with those users early. Hey, this is coming, this is going to affect you, you're not going to be able to do this, you're not going to be able to do that. In a lot of cases your relationship with those employees matters there as well, because if you have a group of employees that you can say, hey, we're thinking about doing this, how's that going to impact you, you start to hear their perspective, and that might make a difference. For instance, two-factor authentication at the desktop, something that we're pursuing. We've implemented it at our privileged accounts, so our domain admins, all of our admins, are two-factor at the desktop, interactive sessions. But when we get down to the user side, they're like, man, I don't want to type in, you know, almost an effing PIN every single time. And so you're like, okay, that's a good point, that's a pain, but I hate doing that too. So you're like, well, maybe I'll just plug something into the machine. Then you get to worrying about it, and you're like, well, what if they leave it in there, right? And they just throw it in their bag and the USB key's in the machine, right? It's ineffective at that point. Oh, our idea was we'll integrate it into a smart card that's also a prox card, that's their badge, so now they can't leave the building unless they take it out of their laptop, even to go to the bathroom, right? And so what I would say to that is really have a dialogue with them, start talking with them, how's that going to affect you, start trying to think how would that affect you. I mean, you're a systems admin, you can, you know, navigate your way, but is it a pain in the butt? Am I done? One minute. So it's really, like I said, I can't tell you enough: most of what I've found to be really effective is planning and preparation, reading the white papers on how a product's gonna work, talking with people, you know, who you might think is an idiot, but they're gonna try and get around your stuff anyway, or they're gonna complain to management, and management's gonna pull the plug. So that's how I would handle it. Honestly, that's how I would handle it. It's not sexy, it's not fun, it goes back to that (ISC)² stuff. Question? Nope. Anything else? Alrighty, guys, thank you very much. If you want to chat, like I said, I could talk about this for six hours.
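An added example, not code from the talk or the speaker, of the service account scoping the speaker describes (the Log On To list plus the logon-hours window) and of the domain-join quota behind the printer story. It assumes the RSAT ActiveDirectory module is installed; the account name, host name and UTC offset are placeholders.

```powershell
# Added example, not code from the talk. Uses the RSAT ActiveDirectory module to scope a
# service account the way the speaker describes (the "Log On To" list plus logon hours),
# to audit service accounts that still lack that scoping, and to check the domain-join
# quota behind the printer story. Account names, host names and UTC offset are placeholders.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    # Builds the 21-byte AD logonHours attribute: one bit per hour, in UTC, starting with
    # Sunday 00:00 in bit 0 of byte 0 (least significant bit = earliest hour).
    # LocalHours are the allowed local hours (0-23); UtcOffsetHours converts them to UTC.
    param(
        [int[]]$LocalHours,
        [int]$UtcOffsetHours = 0,   # assumption: -5 below stands for US Central daylight time
        [int[]]$Days = 0..6         # 0 = Sunday ... 6 = Saturday
    )
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        foreach ($h in $LocalHours) {
            $utc = $h - $UtcOffsetHours              # may roll into the previous/next day
            $dayShift = [int][math]::Floor($utc / 24)
            $utcHour = (($utc % 24) + 24) % 24
            $utcDay = ((($d + $dayShift) % 7) + 7) % 7
            $bit = $utcDay * 24 + $utcHour
            $i = [int][math]::Floor($bit / 8)
            $mask[$i] = [byte]($mask[$i] -bor (1 -shl ($bit % 8)))
        }
    }
    return ,$mask
}

function Set-ServiceAccountScope {
    # Applies the talk's rule: fill the Log On To tab and restrict logon hours, so a
    # stolen service credential only works on its own servers in its own window.
    param(
        [string]$SamAccountName,
        [string[]]$AllowedHosts,    # NetBIOS names, e.g. just the print server
        [int[]]$LocalHours,
        [int]$UtcOffsetHours
    )
    $hours = New-LogonHoursMask -LocalHours $LocalHours -UtcOffsetHours $UtcOffsetHours
    Set-ADUser -Identity $SamAccountName -LogonWorkstations ($AllowedHosts -join ',') `
        -Replace @{ logonHours = $hours }
}

function Get-ServiceAccountFindings {
    # Treats any user carrying an SPN as a service account and flags the ones that are
    # still unscoped (no Log On To list, all 168 hours allowed) or in Domain Admins.
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties LogonWorkstations, logonHours |
        ForEach-Object {
            $hours = [byte[]]$_.logonHours
            # No attribute at all, or every byte 0xFF, means "any time".
            $allHours = (-not $hours) -or (@($hours | Where-Object { $_ -ne 255 }).Count -eq 0)
            [pscustomobject]@{
                Account         = $_.SamAccountName
                NoLogOnToList   = [string]::IsNullOrEmpty($_.LogonWorkstations)
                AllHoursAllowed = $allHours
                IsDomainAdmin   = $domainAdmins -contains $_.SamAccountName
            }
        } | Where-Object { $_.NoLogOnToList -or $_.AllHoursAllowed -or $_.IsDomainAdmin }
}

function Get-MachineJoinFindings {
    # The printer story: by default any authenticated user may join ms-DS-MachineAccountQuota
    # (10) computers. mS-DS-CreatorSID is set only when the joiner had no create rights on
    # the container, so it lists computers added by ordinary accounts.
    $dn = (Get-ADDomain).DistinguishedName
    $quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    $joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID' | ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$_.'mS-DS-CreatorSID'), 0)
        try { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $who = $sid.Value }
        [pscustomobject]@{ Computer = $_.Name; JoinedBy = $who }
    }
    # To close the path: Set-ADDomain -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    [pscustomobject]@{ MachineAccountQuota = $quota; ComputersJoinedByUsers = @($joined) }
}

# Placeholder names: svc_backup may only log on to BACKUP01, midnight to 06:00 local (UTC-5).
Set-ServiceAccountScope -SamAccountName 'svc_backup' -AllowedHosts @('BACKUP01') `
    -LocalHours (0..5) -UtcOffsetHours -5
Get-ServiceAccountFindings | Format-Table -AutoSize
Get-MachineJoinFindings | Format-List
```

Run the two Get- functions first on a read-only account to see what is unscoped before applying Set-ServiceAccountScope, since a wrong Log On To list or hours window breaks the job the account exists for.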