Cyber Aggressors
A Concept of Operations

Quick Introduction
Raphael Mudge, Strategic Cyber LLC
• raffi@strategiccyber.com
I develop Cobalt Strike
• http://www.advancedpentest.com/
Would you like to try Cobalt Strike?
• I have DVDs with a complete hacking lab on them
• Ask for one. They’re fun.
Overview
My Back Story
Pen Testing vs. Red Team vs. Aggressor
What is an Aggressor?
From Red Team to Aggressor

How To Get a Foothold
Map client-side attack surface
Create Virtual Machine for testing purposes
Use Virtual Machine to select best attack
Configure and disguise the attack
Email attack package to victim
Metasploit’s Tactical Gaps
Attacks are caught by anti-virus
Limited options to egress a network
• HTTP, HTTPS, TCP, TCP – All Ports
Meterpreter
• Communicates with one C&C endpoint
• Requires active channel or session dies
• Non-obfuscated staging process (fixed April 2013)

Augment the Metasploit Framework
Artifacts that get past anti-virus
Social Engineering Workflow
Beacon Payload
• C&C over DNS, HTTP, and SMB Named Pipes
• Uses redirectors, calls home to multiple systems
• Low and Slow “asynchronous” C&C
Post-Exploitation Emphasis
• e.g., browser pivoting to get past 2FA
Roles
Penetration Tester
Red Team
Aggressor

Roles (What)
Penetration Tester
• Exploit Security Holes
Red Team
• Simulate an Attack
Aggressor
• Replicate an Imminent Threat

Roles (Why)
Penetration Tester
• Find and verify vulnerabilities
Red Team
• Exercise Security Controls
Aggressor
• Exercise Intelligence Support to CND
Vietnam War
2.2:1

Continued…
Project Red Baron II
• Pilot’s chance of survival increases after 10 missions
• Led to USAF’s Red Flag Exercise in 1975 *
Red Flag Exercise
• Fly 10 combat missions against…
• dissimilar aircraft (flown by Aggressors)
* US NAVY founded TOPGUN in 1969 to address training gap after heavy losses during Operation Rolling Thunder.
Aggressors
Selected from top pilots
Trained to use enemies’ TTPs
Flew American aircraft!

Aggressor Platform
American aircraft with similar profile
Painted with adversary’s colors

What is a Cyber Aggressor?
Selected from top red operators
Trained to use enemies’ TTPs
Uses platform with enemy’s capabilities

Cyber Aggressor Platform
Standard Platform
Gets past static defenses
Extensible for mission needs
Customizable Indicators
Customizable Indicators
On Disk
• Add static strings to EXE and DLL artifacts
• Drop persistence to same location, use same registry key

Customizable Indicators
On Network
• Limit C&C Protocols to what adversary uses
• Customize C&C with indicators to look like actor
Communication Profiles
Start a Cobalt Strike team server with a profile
Profile is compiled and hot-patched into Beacon agent and server
Communication through Beacon follows profile

Communication Profiles
To replicate Comment Crew:
• Restrict Beacon to its HTTP channel
• Load profile that:
  • Base64 encodes data
  • <html>Pads data with dummy HTML</html>
  • <!-- Wraps data in an HTML comment -->
• Tunnel Tools through Beacon
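The profile on this slide (base64 data hidden inside an HTML comment, surrounded by dummy HTML) is also a concrete pattern a defender can hunt for in HTTP responses. The following is an added example, not Cobalt Strike code or a profile from the author: it scans constructed response bodies for HTML comments whose content is pure base64 and returns the decoded bytes for triage.

```python
import base64
import binascii
import re

# Body of each HTML comment; DOTALL so multi-line comments are captured.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Standard base64 alphabet with optional '=' padding; 16+ chars skips short noise.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def extract_comment_payloads(body: str) -> list[bytes]:
    """Return decoded contents of every HTML comment that is valid base64.

    The surrounding markup (the 'dummy HTML' padding) is ignored; only
    comment bodies are tested, because that is where the profile hides data.
    """
    payloads = []
    for comment in COMMENT_RE.findall(body):
        candidate = comment.strip()
        if not B64_RE.match(candidate) or len(candidate) % 4 != 0:
            continue
        try:
            payloads.append(base64.b64decode(candidate, validate=True))
        except binascii.Error:
            continue
    return payloads


def looks_like_comment_c2(body: str, min_payload: int = 8) -> bool:
    """Heuristic: a comment decoding to min_payload+ bytes is worth a look.

    Legitimate pages rarely carry base64 inside comments, but a long run of
    digits or letters would also match, so treat a hit as a lead, not proof.
    """
    return any(len(p) >= min_payload for p in extract_comment_payloads(body))


# Constructed samples: a benign page and one shaped like the profile above.
BENIGN_BODY = "<html><!-- nav start --><body><p>Welcome</p></body></html>"
SUSPICIOUS_BODY = (
    "<html><head><title>News</title></head><body><p>Lorem ipsum</p>"
    "<!-- " + base64.b64encode(b"beacon-task:sleep 60").decode() + " -->"
    "<p>dolor sit amet</p></body></html>"
)

if __name__ == "__main__":
    print(looks_like_comment_c2(BENIGN_BODY))        # False
    print(extract_comment_payloads(SUSPICIOUS_BODY))  # [b'beacon-task:sleep 60']
```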
Red Team: Security Controls
What did you see?
What did the adversary take?
Which systems is the adversary on?
Which accounts are compromised?
Where is the adversary’s C&C?

Aggressor: Intelligence and CND
Who is attacking us?
What do they want?
What will they go after next?
Which indicators match known profile?
Which indicators are new?
What other indicators may we look at?

Summary
My Back Story
Pen Testing vs. Red Team vs. Aggressor
What is an Aggressor?
From Red Team to Aggressor

Questions
Email: raffi@strategiccyber.com
Twitter: @armitagehacker
WWW: http://www.advancedpentest.com/