Cyber Aggressors



  1. Cyber Aggressors A Concept of Operations

  2. Quick Introduction
  Raphael Mudge, Strategic Cyber LLC
  • raffi@strategiccyber.com
  I develop Cobalt Strike
  • http://www.advancedpentest.com/
  Would you like to try Cobalt Strike?
  • I have DVDs with a complete hacking lab on them
  • Ask for one. They’re fun.

  3. Overview
  • My Back Story
  • Pen Testing vs. Red Team vs. Aggressor
  • What is an Aggressor?
  • From Red Team to Aggressor

  4. Rochester, NY (March 2008)

  5. Personal Detour

  6. Armitage

  7. Red Team Collaboration

  8. And… Automation

  9. Red Team Support to DoD Agency

  10. How To Get a Foothold
  • Map client-side attack surface
  • Create Virtual Machine for testing purposes
  • Use Virtual Machine to select best attack
  • Configure and disguise the attack
  • Email attack package to victim

  12. Metasploit’s Tactical Gaps
  • Attacks are caught by anti-virus
  • Limited options to egress a network: HTTP, HTTPS, TCP, TCP – All Ports
  • Meterpreter
    • Communicates with one C&C endpoint
    • Requires active channel or session dies
    • Non-obfuscated staging process (fixed April 2013)

  13. Metasploit’s Tactical Gaps

  14. Cobalt Strike

  15. Augment the Metasploit Framework
  • Artifacts that get past anti-virus
  • Social Engineering Workflow
  • Beacon Payload
    • C&C over DNS, HTTP, and SMB Named Pipes
    • Uses redirectors, calls home to multiple systems
    • Low and Slow “asynchronous” C&C
  • Post-Exploitation Emphasis
    • e.g., browser pivoting to get past 2FA

  16. Static Defenses

  17. Static Defenses

  18. Roles
  • Penetration Tester
  • Red Team
  • Aggressor

  19. Roles (What)
  • Penetration Tester
    • Exploit Security Holes
  • Red Team
    • Simulate an Attack
  • Aggressor
    • Replicate an Imminent Threat

  20. Roles (Why)
  • Penetration Tester
    • Find and verify vulnerabilities
  • Red Team
    • Exercise Security Controls
  • Aggressor
    • Exercise Intelligence Support to CND

  21. Vietnam War 2.2:1

  22. Continued…
  • Project Red Baron II
    • Pilot’s chance of survival increases after 10 missions
    • Led to USAF’s Red Flag Exercise in 1975 *
  • Red Flag Exercise
    • Fly 10 combat missions against…
    • dissimilar aircraft (flown by Aggressors)
  * US NAVY founded TOPGUN in 1969 to address training gap after heavy losses during Operation Rolling Thunder.

  23. Aggressors
  • Selected from top pilots
  • Trained to use the enemy’s TTPs
  • Flew American aircraft!

  24. Aggressor Platform
  • American aircraft with similar profile
  • Painted with adversary’s colors

  25. What is a Cyber Aggressor?
  • Selected from top red operators
  • Trained to use the enemy’s TTPs
  • Uses platform with enemy’s capabilities

  26. Cyber Aggressor Platform
  • Standard Platform
  • Gets past static defenses
  • Extensible for mission needs
  • Customizable Indicators

  27. Customizable Indicators
  On Disk
  • Add static strings to EXE and DLL artifacts
  • Drop persistence to the same location, and use the same registry key, as the adversary being replicated

  28. Customizable Indicators
  On Network
  • Limit C&C Protocols to what adversary uses
  • Customize C&C with indicators to look like actor

  29. Beacon as a Communication Layer

  30. Communication Profiles
  • Start a Cobalt Strike team server with a profile
  • Profile is compiled and hot-patched into Beacon agent and server
  • Communication through Beacon follows profile

  31. Communication Profiles
  • To replicate Comment Crew:
    • Restrict Beacon to its HTTP channel
    • Load profile that:
      • Base64 encodes data
      • <html>Pads data with dummy HTML</html>
      • <!-- Wraps data in an HTML comment -->
    • Tunnel Tools through Beacon
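The profile on this slide, as an added example: this is not Cobalt Strike’s code and not its profile syntax. The transform chain is modelled as an ordered list of reversible steps (base64, prepend, append) that the agent applies to its data and the server undoes in reverse order, which is the property a communication profile needs to work in both directions. The step names, the profile contents and the sample task output are constructed for illustration; restricting Beacon to its HTTP channel and tunnelling tools through it are not modelled. The last function is the defender’s side of the same profile: given any HTTP response body, it pulls out base64-looking blobs wrapped in HTML comments, which is exactly the network indicator this particular profile produces.

```python
import base64
import re

# Constructed sample of what an agent might send home. This is not real
# Beacon traffic, just an illustrative task result.
SAMPLE_PAYLOAD = b"host=WS-042;user=jdoe;task=ls;output=C:\\Users\\jdoe\\Desktop"

# Constructed "Comment Crew-like" profile: (step, argument) pairs applied in
# order by the agent. Every step has an inverse, so the server can recover the
# original bytes by walking the list backwards.
COMMENT_CREW_LIKE_PROFILE = [
    ("base64", None),                     # Base64 encodes data
    ("prepend", "<!-- "),                 # ... wraps data in an HTML comment
    ("append", " -->"),
    ("prepend", "<html><body><p>Welcome to our site.</p>"),  # pads with dummy HTML
    ("append", "</body></html>"),
]


def apply_profile(data: bytes, profile) -> bytes:
    """Agent side: turn raw task data into an innocent-looking HTTP body."""
    out = data
    for step, arg in profile:
        if step == "base64":
            out = base64.b64encode(out)
        elif step == "prepend":
            out = arg.encode() + out
        elif step == "append":
            out = out + arg.encode()
        else:
            raise ValueError(f"unknown profile step {step!r}")
    return out


def recover_payload(body: bytes, profile) -> bytes:
    """Server side: undo the profile in reverse order to get the task data back.

    Each inverse checks that the expected padding is actually present, so a
    body that was not produced by this profile raises instead of yielding junk.
    """
    out = body
    for step, arg in reversed(profile):
        if step == "base64":
            out = base64.b64decode(out, validate=True)
        elif step == "prepend":
            prefix = arg.encode()
            if not out.startswith(prefix):
                raise ValueError(f"body does not start with expected {arg!r}")
            out = out[len(prefix):]
        elif step == "append":
            suffix = arg.encode()
            if not out.endswith(suffix):
                raise ValueError(f"body does not end with expected {arg!r}")
            out = out[:len(out) - len(suffix)]
        else:
            raise ValueError(f"unknown profile step {step!r}")
    return out


# Defender side: the indicator this profile leaves on the wire is a long run of
# base64 characters inside an HTML comment. The length floor (16) is an assumed
# threshold to skip short, ordinary comments.
_COMMENT_BLOB = re.compile(rb"<!--\s*([A-Za-z0-9+/=]{16,})\s*-->")


def find_comment_blobs(body: bytes) -> list:
    """Return the decoded contents of every base64-looking HTML comment in body."""
    found = []
    for match in _COMMENT_BLOB.finditer(body):
        try:
            found.append(base64.b64decode(match.group(1), validate=True))
        except ValueError:
            continue  # looked like base64 but was not; ignore it
    return found


if __name__ == "__main__":
    wire = apply_profile(SAMPLE_PAYLOAD, COMMENT_CREW_LIKE_PROFILE)
    print(wire.decode())
    print(recover_payload(wire, COMMENT_CREW_LIKE_PROFILE))
    print(find_comment_blobs(wire))
```

The agent and server share one profile object, so changing the padding or the comment markers changes both ends at once; that is the whole point of driving the transform from a profile rather than hard-coding it. The detector is deliberately narrow: it matches the indicator of this profile, and a different profile (or an actor that pads differently) needs a different check, which is the “which indicators are new?” question the Aggressor role is meant to exercise.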

  32. Red Team: Security Controls
  • What did you see?
  • What did the adversary take?
  • Which systems is the adversary on?
  • Which accounts are compromised?
  • Where is the adversary’s C&C?

  33. Aggressor: Intelligence and CND
  • Who is attacking us?
  • What do they want?
  • What will they go after next?
  • Which indicators match known profile?
  • Which indicators are new?
  • What other indicators may we look at?

  34. Summary
  • My Back Story
  • Pen Testing vs. Red Team vs. Aggressor
  • What is an Aggressor?
  • From Red Team to Aggressor

  35. Questions
  Email: raffi@strategiccyber.com
  Twitter: @armitagehacker
  WWW: http://www.advancedpentest.com/