Presentation for EkoParty covering Adversary Emulation and using the Honeybee threat actor as an example.
Blog: https://www.scythe.io/library/threatthursday-honeybee
Adversary Emulation Plan: https://github.com/scythe-io/community-threats/blob/master/HoneyBee/HoneyBee_scythe_threat.json
Adversary Emulation is a type of ethical hacking engagement where the Red Team emulates how an adversary operates, leveraging the same tactics, techniques, and procedures (TTPs), against a target organization. The goal of these engagements is to train and improve people, process, and technology. This is in contrast to a penetration test that focuses on testing technology and preventive controls. Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organization. Adversary Emulations may be performed in a blind manner (Red Team Engagement) or non-blind (Purple Team) with the Blue Team having full knowledge of the engagement.
2. @JORGEORCHILLES
T1033 - System Owner/User Discovery
● Chief Technology Officer - SCYTHE
● Purple Team Exercise Framework (PTEF)
● C2 Matrix Co-Creator
● 10 years @ Citi leading offensive security team
● Certified SANS Instructor: SEC560, SEC504
● Author SEC564: Red Team Exercises and Adversary Emulation
● CVSSv3.1 Working Group Voting Member
● GFMA: Threat-Led Pentest Framework
● ISSA Fellow; NSI Technologist Fellow
3. @JORGEORCHILLES
Agenda
● What is Adversary Emulation
● Cyber Threat Intelligence
● About Honeybee
● Adversary Emulation Plan
● Live Demo
● Don’t get Stung!
4. @JORGEORCHILLES
Ethical Hacking Maturity Model
https://www.scythe.io/library/scythes-ethical-hacking-maturity-model
● Based on my experience and experience in other organizations
● Not a step by step guide but can be used as a blueprint for maturing
● You can skip steps
● Every organization is different
● Don’t stop doing the previous assessment types as you mature
5. @JORGEORCHILLES
Red Team
● Definition:
○ “The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal
● Goal:
○ Make Blue Team better
○ Test and measure people, process, and technology
○ Test assumptions
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
● Effort:
○ Manual
○ Many tools (C2 Matrix)
○ Some automation for attack infra and TTPs
● Frequency:
○ Intelligence-led (new exploit, tool, or TTP)
○ Yearly (regulatory)
● Customer:
○ Blue Teams
6. @JORGEORCHILLES
Adversary Emulation
● Definition:
○ A type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries.
● Goal:
○ Emulate an adversary attack chain or scenario
○ Understand organization’s preparedness if under a real, sophisticated attack
● Effort:
○ Manual
● Customer:
○ Entire organization
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
7. @JORGEORCHILLES
Internal vs. External Teams
Internal Red Teams
● Repeated engagements
○ Remediation retesting
● Use privileged/insider knowledge
● Sparring partner
External Red Teams
● Offers new perspective
○ May have other industry experience
● “Snapshot” engagements
10. @JORGEORCHILLES
Purple Team Exercises
● Virtual, functional team where teams work together to measure and improve defensive security posture
○ CTI provides threat actor with capability, intent, and opportunity to attack
○ Red Team creates adversary emulation plan
○ Tabletop discussion with defenders about the attacker tactics, techniques, and procedures (TTPs) and expected defenses
○ Emulation of each adversary behavior (TTP)
○ Blue Team look for indicators of behavior
○ Red and Blue work together to create remediation action plan
● Repeat exercises to measure and improve people, process, and technology
11. @JORGEORCHILLES
Framework & Methodology
● Purple Team Exercise Framework (PTEF)
● Cyber Kill Chain – Lockheed Martin
● Unified Cyber Kill Chain – Paul Pols
● Financial/Regulatory Frameworks
○ CBEST Intelligence Led Testing
○ Threat Intelligence-Based Ethical Red Teaming
○ Red Team: Adversarial Attack Simulation Exercises
○ Intelligence-led Cyber Attack Simulation Testing
○ A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry
● Testing Framework:
14. @JORGEORCHILLES
CTI - Honeybee
Honeybee is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
17. @JORGEORCHILLES
Adversary Profile (1)
Tactic: Technique (Description)
● Command and Control
○ T1071.002 - Application Layer Protocol: File Transfer Protocols - Honeybee uses FTP for command and control
● Execution
○ T1059.005 - Command and Scripting Interpreter: Visual Basic
○ T1059.003 - Command and Scripting Interpreter: Windows Command Shell
○ T1569.002 - System Services: Service Execution
● Defense Evasion
○ T1140 - Deobfuscate/Decode Files or Information
○ T1070.004 - Indicator Removal on Host: File Deletion
○ T1112 - Modify Registry
○ T1027 - Obfuscated Files or Information
○ T1055 - Process Injection
○ T1553.002 - Subvert Trust Controls: Code Signing
● Discovery
○ T1083 - File and Directory Discovery
○ T1057 - Process Discovery
○ T1082 - System Information Discovery
18. @JORGEORCHILLES
Adversary Profile (2)
Tactic: Technique (Description)
● Privilege Escalation
○ T1548.002 - Abuse Elevation Control Mechanism: Bypass User Access Control
○ T1546.009 - Event Triggered Execution: AppCert DLLs
● Persistence
○ T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
○ T1543.003 - Create or Modify System Process: Windows Service
● Collection
○ T1560 - Archive Collected Data
○ T1005 - Data from Local System
○ T1074.001 - Data Staged: Local Data Staging
● Exfiltration
○ T1020 - Automated Exfiltration
19. @JORGEORCHILLES
Planning
● Goals and Objectives
● Red Team or Purple Team Exercise?
● Exercise Coordinator/Project Manager
● Assume Breach or Full End-to-End?
○ Initial Access takes time
○ Infinite ways in
● Rules of Engagement
● Attack Infrastructure
20. @JORGEORCHILLES
Determine Tools to Use - C2 Matrix
● Google Sheet of C2s
● https://www.thec2matrix.com/
● Find ideal C2 for your needs
● SANS Slingshot C2 Matrix VM
● https://howto.thec2matrix.com
● Follow @C2_Matrix
21. @JORGEORCHILLES
T1548.002 Bypass User Access Control
● Windows security feature designed to split admin privileges from normal user privileges
● Implemented by Windows via “token integrity levels”
○ Low: Restricted privileges
○ Medium: Normal user privilege
○ High: Administrator privileges
○ SYSTEM: Highest Windows privilege
● UAC prevents a user with administrator privileges in a medium integrity context from performing admin tasks without approval via a UAC prompt
22. @JORGEORCHILLES
UACMe
● Over 60 methods documented
● DLL Hijack
● Application Compatibility
● Elevated COM Interface
● Shell API
● Just ask
● https://github.com/hfiref0x/UACME
24. @JORGEORCHILLES
Don’t Get Stung!
● Don’t allow FTP inbound or outbound of your network/endpoints
● Monitor egress from your network
○ Heartbeats
○ Jitter
○ Large amount of data
● Ensure all users run with least privilege
○ Bob in Accounting does not need local admin
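As an added example (not from the slides or the SCYTHE emulation plan), the Python below runs the egress checks listed above over constructed flow records: it flags FTP sessions, sessions moving a large volume outbound, and sessions whose connection timing is regular enough to be a heartbeat even with jitter. The flow tuple layout, the thresholds, and the session key (source, destination, port) are assumptions.

```python
"""Flag C2-like egress in constructed flow records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch seconds, src, dst, dst_port, bytes_out).
# Session 1: roughly one-minute FTP beacons ending in a large upload.
# Session 2: irregular HTTPS browsing.  Session 3: jittered 5-minute HTTPS beacon.
FLOWS = [
    (1000, "10.0.0.5", "203.0.113.7", 21, 900),
    (1061, "10.0.0.5", "203.0.113.7", 21, 950),
    (1118, "10.0.0.5", "203.0.113.7", 21, 880),
    (1182, "10.0.0.5", "203.0.113.7", 21, 910),
    (1239, "10.0.0.5", "203.0.113.7", 21, 52_000_000),
    (1000, "10.0.0.8", "198.51.100.2", 443, 4000),
    (1400, "10.0.0.8", "198.51.100.2", 443, 7000),
    (1407, "10.0.0.8", "198.51.100.2", 443, 2000),
    (2000, "10.0.0.9", "192.0.2.10", 443, 300),
    (2300, "10.0.0.9", "192.0.2.10", 443, 310),
    (2590, "10.0.0.9", "192.0.2.10", 443, 290),
    (2910, "10.0.0.9", "192.0.2.10", 443, 305),
    (3200, "10.0.0.9", "192.0.2.10", 443, 300),
]


def find_suspicious(flows, min_beacons=4, max_jitter=0.25,
                    big_bytes=10_000_000, ftp_ports=(20, 21)):
    """Return {(src, dst, port): [reasons]} for sessions worth a look.

    Thresholds are assumed defaults: tune them to the monitored network.
    """
    by_session = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_session[(src, dst, port)].append((ts, nbytes))

    findings = defaultdict(list)
    for key, entries in by_session.items():
        entries.sort()
        if key[2] in ftp_ports:            # the deck: no FTP in or out
            findings[key].append("ftp")
        if sum(b for _, b in entries) >= big_bytes:
            findings[key].append("large-egress")
        if len(entries) >= min_beacons:
            gaps = [b[0] - a[0] for a, b in zip(entries, entries[1:])]
            # Coefficient of variation of the inter-connection gaps: a beacon
            # with jitter keeps it small, human-driven traffic is far more ragged.
            cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
            if cv <= max_jitter:
                findings[key].append(f"beacon(~{mean(gaps):.0f}s, jitter {cv:.2f})")
    return dict(findings)
```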
25. @JORGEORCHILLES
MOAR!!! #ThreatThursday
● https://www.scythe.io/library/threatthursday-honeybee
● Choose an adversary every week
○ Introduce Adversary
○ Consume CTI and map to MITRE ATT&CK w/Navigator Layer
○ Create Adversary Emulation Plan
○ Share the plan on SCYTHE Community Threat Github:
https://github.com/scythe-io/community-threats/
○ Emulate Adversary with video
○ How to defend against adversary
● All free for the community: https://www.scythe.io/threatthursday
28. @JORGEORCHILLES
SCYTHE
● Enterprise-Grade platform for Adversary Emulation
○ Creating custom, controlled, synthetic malware
○ Server can be deployed on-premises or your cloud
○ Multiple relays - Docker, Python, Windows MSI
● Emulate known threat actors against enterprise network
and systems
○ Consistently execute adversary behaviors
○ Continually assess security controls
○ Decreased evaluation time of security technologies
○ Identify blind spots for blue teams
○ Force-multiplier for red team resources
○ Measure and improve response of people and process
29. @JORGEORCHILLES
Features & Capabilities
● Enterprise C2:
○ HTTP(S), DNS, Google Sheets, Twitter, Stego, SMB
● Automation
○ Build cross-platform synthetic malware via dashboard
○ Synthetic malware emulates chosen behaviors consistently
● Delivery methods
○ Web Page/ Drive-by (T1189)
○ Phishing Link (T1192)
○ Phishing Attachment (T1193)
● Reports
○ HTML, CSV, Executive, and Technical Reports
○ ATT&CK Navigator Layer
○ MITRE ATT&CK Heat Map
● Integrations
○ VECTR - Tracking Red and Purple Team Exercises
○ PlexTrac - automated report writing and handling
○ Integrated with Splunk and all other SIEMs with syslog
○ Red Canary’s Atomic Red Team test
cases