Adversary Emulation
Don’t Get Stung By a Honeybee
@JorgeOrchilles
@JORGEORCHILLES
T1033 - System Owner/User Discovery
● Chief Technology Officer - SCYTHE
● Purple Team Exercise Framework (PTEF)
● C2 Matrix Co-Creator
● 10 years @ Citi leading offensive security team
● Certified SANS Instructor: SEC560, SEC504
● Author SEC564: Red Team Exercises and Adversary Emulation
● CVSSv3.1 Working Group Voting Member
● GFMA: Threat-Led Pentest Framework
● ISSA Fellow; NSI Technologist Fellow
Agenda
● What is Adversary Emulation
● Cyber Threat Intelligence
● About Honeybee
● Adversary Emulation Plan
● Live Demo
● Don’t get Stung!
Ethical Hacking Maturity Model
https://www.scythe.io/library/scythes-ethical-hacking-maturity-model
● Based on my experience and that of other organizations
● Not a step by step guide but can be used as a blueprint for maturing
● You can skip steps
● Every organization is different
● Don’t stop doing the previous assessment types as you mature
Red Team
● Definition:
○ “The practice of looking at a problem or
situation from the perspective of an
adversary”
– Red Team Journal
● Goal:
○ Make Blue Team better
○ Test and measure people, process, and
technology
○ Test assumptions
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
● Effort:
○ Manual
○ Many tools (C2 Matrix)
○ Some automation for attack infra and
TTPs
● Frequency:
○ Intelligence-led (new exploit, tool, or TTP)
○ Yearly (regulatory)
● Customer:
○ Blue Teams
Adversary Emulation
● Definition:
○ A type of Red Team exercise where the Red Team emulates how an adversary operates,
following the same tactics, techniques, and procedures (TTPs), with a specific objective similar
to those of realistic threats or adversaries.
● Goal:
○ Emulate an adversary attack chain or scenario
○ Understand organization’s preparedness if under a real, sophisticated attack
● Effort:
○ Manual
● Customer:
○ Entire organization
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
Internal vs. External Teams
Internal Red Teams
● Repeated engagements
○ Remediation retesting
● Use privileged/insider knowledge
● Sparring partner
External Red Teams
● Offers new perspective
○ May have other industry
experience
● “Snapshot” engagements
Towards a Purple Team
Did you say Purple?
Purple Team Exercises
● Virtual, functional team where Red, Blue, and CTI work together to
measure and improve defensive security posture
○ CTI provides a threat actor with the capability, intent, and opportunity
to attack the organization
○ Red Team creates the adversary emulation plan
○ Tabletop discussion with defenders about the attacker tactics,
techniques, and procedures (TTPs) and the expected defenses
○ Emulation of each adversary behavior (TTP)
○ Blue Team looks for indicators of behavior
○ Red and Blue work together to create a remediation action plan
● Repeat exercises to measure and improve people,
process, and technology
Framework & Methodology
● Purple Team Exercise Framework (PTEF)
● Cyber Kill Chain – Lockheed Martin
● Unified Cyber Kill Chain – Paul Pols
● Financial/Regulatory Frameworks
○ CBEST Intelligence Led Testing
○ Threat Intelligence-Based Ethical Red Teaming
○ Red Team: Adversarial Attack Simulation Exercises
○ Intelligence-led Cyber Attack Simulation Testing
○ A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry
● Testing Framework: MITRE ATT&CK
MITRE ATT&CK
https://attack.mitre.org/
Cyber Threat Intelligence
CTI - Honeybee
Honeybee is a campaign led by an unknown actor that targets humanitarian aid
organizations and has been active in Vietnam, Singapore, Argentina, Japan,
Indonesia, and Canada. It has been an active operation since August of 2017 and
as recently as February 2018.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
Of course, as I prepared this talk...
ATT&CK Navigator
https://mitre-attack.github.io/attack-navigator/enterprise/
Adversary Profile (1)
● Command and Control
○ T1071.002 - Application Layer Protocol: File Transfer Protocols (Honeybee uses FTP for command and control)
● Execution
○ T1059.005 - Command and Scripting Interpreter: Visual Basic
○ T1059.003 - Command and Scripting Interpreter: Windows Command Shell
○ T1569.002 - System Services: Service Execution
● Defense Evasion
○ T1140 - Deobfuscate/Decode Files or Information
○ T1070.004 - Indicator Removal on Host: File Deletion
○ T1112 - Modify Registry
○ T1027 - Obfuscated Files or Information
○ T1055 - Process Injection
○ T1553.002 - Subvert Trust Controls: Code Signing
● Discovery
○ T1083 - File and Directory Discovery
○ T1057 - Process Discovery
○ T1082 - System Information Discovery
Adversary Profile (2)
● Privilege Escalation
○ T1548.002 - Abuse Elevation Control Mechanism: Bypass User Access Control
○ T1546.009 - Event Triggered Execution: AppCert DLLs
● Persistence
○ T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
○ T1543.003 - Create or Modify System Process: Windows Service
● Collection
○ T1560 - Archive Collected Data
○ T1005 - Data from Local System
○ T1074.001 - Data Staged: Local Data Staging
● Exfiltration
○ T1020 - Automated Exfiltration
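The profile above is what goes into the ATT&CK Navigator layer the talk refers to, and in a purple team exercise the same layer is the scorecard: each emulated TTP ends up detected, merely logged, or missed. The following is an added example, not code from the talk or from SCYTHE's #ThreatThursday repository. The technique IDs and tactics are the ones on the two Adversary Profile slides; the per-technique exercise results are constructed. Layer field names follow the Navigator 4.x layer format; the strings under "versions" are an assumption and should match the Navigator instance the file is loaded into.

```python
"""Build an ATT&CK Navigator layer from the Honeybee profile and score it
with the outcome of each emulated TTP.

Added example for this deck; not code from the talk or from SCYTHE's
#ThreatThursday repository. Technique IDs and tactics come from the two
"Adversary Profile" slides. SAMPLE_RESULTS is constructed. Layer field
names follow the Navigator 4.x layer format; the strings in "versions"
are an assumption and should match the Navigator you load the file into.
"""
import json
import re

# Navigator tactic short name -> {technique ID: comment}, from the slides.
HONEYBEE_PROFILE = {
    "command-and-control": {"T1071.002": "Honeybee uses FTP for C2"},
    "execution": {"T1059.005": "", "T1059.003": "", "T1569.002": ""},
    "defense-evasion": {"T1140": "", "T1070.004": "", "T1112": "",
                        "T1027": "", "T1055": "", "T1553.002": ""},
    "discovery": {"T1083": "", "T1057": "", "T1082": ""},
    "privilege-escalation": {"T1548.002": "", "T1546.009": ""},
    "persistence": {"T1547.001": "", "T1543.003": ""},
    "collection": {"T1560": "", "T1005": "", "T1074.001": ""},
    "exfiltration": {"T1020": ""},
}

# Constructed exercise results: what Blue saw when each TTP was emulated.
# Techniques absent from this dict are treated as "missed".
SAMPLE_RESULTS = {
    "T1071.002": "detected", "T1059.005": "detected", "T1059.003": "logged",
    "T1548.002": "missed", "T1020": "logged", "T1547.001": "detected",
}

SCORE = {"missed": 0, "logged": 1, "detected": 2}
COLOR = {"missed": "#d62728", "logged": "#ff7f0e", "detected": "#2ca02c"}
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def build_layer(profile, results, name):
    """Return a Navigator layer dict with one scored entry per technique."""
    techniques = []
    for tactic, entries in profile.items():
        for tid, comment in entries.items():
            if not TECHNIQUE_ID.match(tid):
                raise ValueError(f"malformed technique ID: {tid}")
            outcome = results.get(tid, "missed")
            if outcome not in SCORE:
                raise ValueError(f"unknown result {outcome!r} for {tid}")
            note = f"exercise result: {outcome}"
            techniques.append({
                "techniqueID": tid,
                "tactic": tactic,
                "score": SCORE[outcome],
                "color": COLOR[outcome],
                "comment": f"{comment}; {note}" if comment else note,
                "enabled": True,
                "showSubtechniques": True,
            })
    return {
        "name": name,
        "versions": {"attack": "9", "navigator": "4.3", "layer": "4.2"},  # assumption
        "domain": "enterprise-attack",
        "description": "Honeybee TTPs scored by purple team exercise outcome",
        "techniques": techniques,
        "gradient": {"colors": list(COLOR.values()), "minValue": 0, "maxValue": 2},
        "legendItems": [{"label": k, "color": v} for k, v in COLOR.items()],
    }


def gaps(layer):
    """Technique IDs scored 0: the input to the remediation action plan."""
    return sorted(t["techniqueID"] for t in layer["techniques"] if t["score"] == 0)


def coverage(layer):
    """Fraction of profile techniques that were at least logged."""
    scores = [t["score"] for t in layer["techniques"]]
    return sum(1 for s in scores if s > 0) / len(scores)


def write_layer(layer, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(layer, fh, indent=2)


if __name__ == "__main__":
    layer = build_layer(HONEYBEE_PROFILE, SAMPLE_RESULTS, "Honeybee (G0072) purple team")
    write_layer(layer, "honeybee-layer.json")
    print(f"{len(layer['techniques'])} techniques, coverage {coverage(layer):.0%}, "
          f"gaps: {gaps(layer)}")
```

Open the resulting JSON with "Open Existing Layer" in the Navigator; the red cells are the gaps that the remediation action plan has to close, and re-running the build after the next exercise gives a before/after comparison of the same 21 techniques.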
Planning
● Goals and Objectives
● Red Team or Purple Team Exercise?
● Exercise Coordinator/Project Manager
● Assume Breach or Full End-to-End?
○ Initial Access takes time
○ Infinite ways in
● Rules of Engagement
● Attack Infrastructure
Determine Tools to Use - C2 Matrix
● Google Sheet of C2s
● https://www.thec2matrix.com/
● Find ideal C2 for your needs
● SANS Slingshot C2 Matrix VM
● https://howto.thec2matrix.com
● Follow @C2_Matrix
T1548.002 Bypass User Access Control
● Windows security feature designed to split admin privileges from normal
user privileges
● Implemented by Windows via “token integrity levels”
○ Low: Restricted privileges
○ Medium: Normal user privilege
○ High: Administrator privileges
○ SYSTEM: Highest Windows privilege
● UAC prevents a user with administrator privileges in a medium integrity
context from performing admin tasks without approval via a UAC prompt
UACMe
● Over 60 methods documented
● DLL Hijack
● Application Compatibility
● Elevated COM Interface
● Shell API
● Just ask
● https://github.com/hfiref0x/UACME
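Most of the UACMe methods listed above depend on UAC sitting at its default level, where signed Windows binaries auto-elevate without a prompt; at "Always notify" every elevation prompts and that class of bypass has nothing to abuse. The check below is an added example, not code from the talk or from UACMe: it parses the output of reg query against the UAC policy key (the sample output is constructed to look like a default workstation) and reports the values that keep T1548.002 viable. Value meanings are Microsoft's documented UAC policy semantics; the severity labels are mine.

```python
"""Audit UAC policy values against the configuration that leaves no room
for auto-elevation bypasses (T1548.002).

Added example; not from the deck or from UACMe. It parses the output of
  reg query "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
(SAMPLE_DEFAULT below is constructed to look like a default workstation)
and reports settings that keep UAC bypasses viable. Value meanings are
Microsoft's documented UAC policy semantics; the severity labels are mine.
"""
import re

UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed `reg query` output for a default Windows 10 workstation.
SAMPLE_DEFAULT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    ConsentPromptBehaviorUser    REG_DWORD    0x3
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1
    FilterAdministratorToken    REG_DWORD    0x0
"""

# Windows defaults used when a value is absent from the key.
DEFAULTS = {
    "EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1,
    "FilterAdministratorToken": 0, "LocalAccountTokenFilterPolicy": 0,
}
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_(\w+)\s+(\S+)\s*$")


def parse_reg_query(text):
    """Return {name: int} for the REG_DWORD values in `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group(2) == "DWORD":
            values[m.group(1)] = int(m.group(3), 16)  # reg query prints 0x..
    return values


def audit_uac(values):
    """Return (severity, value name, message) findings; empty means hardened."""
    v = {**DEFAULTS, **values}
    findings = []
    if v["EnableLUA"] != 1:
        findings.append(("critical", "EnableLUA",
                         "UAC is off: admin processes start at high integrity with no prompt"))
        return findings  # nothing below matters with UAC disabled
    admin = v["ConsentPromptBehaviorAdmin"]
    if admin == 0:
        findings.append(("critical", "ConsentPromptBehaviorAdmin",
                         "elevate without prompting: any medium-integrity admin process elevates silently"))
    elif admin == 5:
        findings.append(("high", "ConsentPromptBehaviorAdmin",
                         "default level: signed Windows binaries auto-elevate without a prompt, "
                         "which is what most UACMe methods rely on; set to 2 (Always notify)"))
    elif admin in (3, 4):
        findings.append(("low", "ConsentPromptBehaviorAdmin",
                         "prompts for every elevation; 1 or 2 additionally force the secure desktop"))
    if v["PromptOnSecureDesktop"] != 1:
        findings.append(("medium", "PromptOnSecureDesktop",
                         "consent prompt is drawn on the user desktop where it can be spoofed"))
    if v["FilterAdministratorToken"] != 1:
        findings.append(("medium", "FilterAdministratorToken",
                         "built-in Administrator is exempt from Admin Approval Mode"))
    if v["LocalAccountTokenFilterPolicy"] == 1:
        findings.append(("high", "LocalAccountTokenFilterPolicy",
                         "remote logons with local admin accounts receive a full, unfiltered token"))
    return findings


def hardened_values():
    """The settings this audit expects; roll them out with Group Policy, not by hand."""
    return {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2, "PromptOnSecureDesktop": 1,
            "FilterAdministratorToken": 1, "LocalAccountTokenFilterPolicy": 0}


if __name__ == "__main__":
    for severity, name, msg in audit_uac(parse_reg_query(SAMPLE_DEFAULT)):
        print(f"[{severity}] {UAC_KEY}\\{name}: {msg}")
```

On a default build the audit flags ConsentPromptBehaviorAdmin (5) and FilterAdministratorToken (0); with the hardened values it returns nothing. Remember that "Always notify" only removes the auto-elevation shortcut, not the UAC prompt itself: a user who is local admin and clicks Yes still hands over a high-integrity token, which is why the "Bob in Accounting" point later in the deck matters more than any UAC setting.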
DEMO
Don’t Get Stung!
● Don’t allow FTP inbound to or outbound from your network/endpoints
● Monitor egress from your network
○ Heartbeats
○ Jitter
○ Large amount of data
● Ensure all users run with least privilege
○ Bob in Accounting does not need local admin
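The three network items above map directly onto Honeybee's profile: FTP for command and control (T1071.002), a heartbeat with jitter, and a large automated upload (T1020). The following is an added example of that egress review, not code from the talk or from SCYTHE. It runs over constructed Zeek-style conn.log lines embedded in the script (a real conn.log carries more columns; only the ones used are kept) and the internal address range, connection-count minimum, jitter tolerance and byte threshold are assumptions to tune per environment.

```python
"""Egress review for Honeybee-style tradecraft: FTP command and control
(T1071.002) with automated exfiltration (T1020).

Added example, not from the deck or from SCYTHE. It runs over constructed
Zeek-style conn.log lines embedded below (a real conn.log has more columns;
only the ones used here are kept) and flags the three things the
"Don't Get Stung" slide asks defenders to watch: FTP leaving the network,
connection pairs with a regular heartbeat plus jitter, and large outbound
byte counts. Thresholds and the internal range are assumptions.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the org's address space

# Constructed sample using documentation IP ranges; column names follow Zeek conn.log.
# 10.10.5.23 beacons to 203.0.113.50 over FTP about once a minute, then uploads 15 MiB.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes
1600000000\t10.10.5.23\t203.0.113.50\t21\ttcp\tftp\t120\t80
1600000010\t10.10.5.23\t198.51.100.7\t443\ttcp\tssl\t1500\t40000
1600000015\t10.10.5.23\t198.51.100.7\t443\ttcp\tssl\t1500\t40000
1600000058\t10.10.5.23\t203.0.113.50\t21\ttcp\tftp\t120\t80
1600000100\t10.10.5.23\t10.10.1.9\t21\ttcp\tftp\t300\t200
1600000121\t10.10.5.23\t203.0.113.50\t21\ttcp\tftp\t120\t80
1600000182\t10.10.5.23\t203.0.113.50\t21\ttcp\tftp\t120\t80
1600000241\t10.10.5.23\t203.0.113.50\t21\ttcp\tftp\t120\t80
1600000303\t10.10.5.23\t203.0.113.50\t21\ttcp\tftp\t120\t80
1600000315\t10.10.5.23\t198.51.100.7\t443\ttcp\tssl\t1500\t40000
1600000327\t10.10.5.23\t198.51.100.7\t443\ttcp\tssl\t1500\t40000
1600000363\t10.10.5.23\t203.0.113.50\t21\ttcp\tftp\t120\t80
1600000420\t10.10.5.23\t203.0.113.50\t21\ttcp\tftp\t15728640\t80
1600000700\t10.10.5.23\t10.10.1.9\t21\ttcp\tftp\t300\t200
1600001227\t10.10.5.23\t198.51.100.7\t443\ttcp\tssl\t1500\t40000
1600001272\t10.10.5.23\t198.51.100.7\t443\ttcp\tssl\t1500\t40000
1600001274\t10.10.5.23\t198.51.100.7\t443\ttcp\tssl\t1500\t40000
1600001874\t10.10.5.23\t198.51.100.7\t443\ttcp\tssl\t1500\t40000
"""


def parse_conn_log(text):
    """Parse tab-separated records into dicts, skipping '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto, service, obytes, rbytes = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst, "port": int(port),
                        "proto": proto, "service": None if service == "-" else service,
                        "orig_bytes": int(obytes), "resp_bytes": int(rbytes)})
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_only(records):
    """Only internal -> external flows; internal FTP servers are a separate question."""
    return [r for r in records if is_internal(r["src"]) and not is_internal(r["dst"])]


def find_ftp_egress(records):
    """Pairs talking FTP (port 21 or Zeek service 'ftp') to non-internal hosts."""
    pairs = {(r["src"], r["dst"]) for r in egress_only(records)
             if r["port"] == 21 or r["service"] == "ftp"}
    return sorted(pairs)


def find_beacons(records, min_conns=6, max_cv=0.3):
    """Pairs whose inter-arrival times are regular: low coefficient of variation.

    A heartbeat with +/-20% jitter still scores well under max_cv, while
    interactive traffic is bursty and scores far above it.
    """
    by_pair = defaultdict(list)
    for r in egress_only(records):
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append((src, dst, round(mean, 1), round(cv, 3)))
    return beacons


def find_large_uploads(records, threshold=10 * 1024 * 1024):
    """Pairs whose total outbound payload crosses the threshold (assumed 10 MiB)."""
    totals = defaultdict(int)
    for r in egress_only(records):
        totals[(r["src"], r["dst"])] += r["orig_bytes"]
    return sorted((s, d, b) for (s, d), b in totals.items() if b >= threshold)


def analyze(text):
    records = parse_conn_log(text)
    return {"ftp_egress": find_ftp_egress(records),
            "beacons": find_beacons(records),
            "large_uploads": find_large_uploads(records)}


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_CONN_LOG).items():
        print(f"{name}: {hits}")
```

On the sample, all three checks converge on the same pair (10.10.5.23 to 203.0.113.50) while the HTTPS browsing to 198.51.100.7 and the internal FTP server are left alone. In production the beacon check is the one that survives a switch of protocol: Honeybee happens to use FTP, but the cadence test works the same for HTTPS or DNS C2, which is why egress monitoring belongs on the list next to the FTP block.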
MOAR!!! #ThreatThursday
● https://www.scythe.io/library/threatthursday-honeybee
● Choose an adversary every week
○ Introduce Adversary
○ Consume CTI and map to MITRE ATT&CK w/Navigator Layer
○ Create Adversary Emulation Plan
○ Share the plan on SCYTHE Community Threat Github:
https://github.com/scythe-io/community-threats/
○ Emulate Adversary with video
○ How to defend against adversary
● All free for the community: https://www.scythe.io/threatthursday
References
● Ethical Hacking Maturity Model:
https://www.scythe.io/library/scythes-ethical-hacking-maturity-model
● Definitions: https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
● Purple Team Exercise Framework: https://www.scythe.io/ptef
● Cyber Threat Intelligence for HoneyBee
○ https://attack.mitre.org/groups/G0072/
○ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
● C2 Matrix: https://thec2matrix.com https://howto.thec2matrix.com
● Honeybee Threat Thursday: https://www.scythe.io/library/threatthursday-honeybee
● #ThreatThursday: https://www.scythe.io/threatthursday
● Emulation plans: https://github.com/scythe-io/community-threats/
THANK YOU!
SCYTHE
● Enterprise-Grade platform for Adversary Emulation
○ Creating custom, controlled, synthetic malware
○ Server can be deployed on-premises or your cloud
○ Multiple relays - Docker, Python, Windows MSI
● Emulate known threat actors against enterprise network
and systems
○ Consistently execute adversary behaviors
○ Continually assess security controls
○ Decreased evaluation time of security technologies
○ Identify blind spots for blue teams
○ Force-multiplier for red team resources
○ Measure and improve response of people and process
Features & Capabilities
● Enterprise C2:
○ HTTP(S), DNS, Google Sheets,
Twitter, Stego, SMB
● Automation
○ Build cross-platform synthetic malware
via dashboard
○ Synthetic malware emulates chosen
behaviors consistently
● Delivery methods
○ Web Page/ Drive-by (T1189)
○ Phishing Link (T1192)
○ Phishing Attachment (T1193)
● Reports
○ HTML, CSV, Executive, and
Technical Reports
○ ATT&CK Navigator Layer
○ MITRE ATT&CK Heat Map
● Integrations
○ VECTR - Tracking Red and Purple
Team Exercises
○ PlexTrac - automated report writing
and handling
○ Integrated with Splunk and all other
SIEMs with syslog
○ Red Canary’s Atomic Red Team test
cases

Adversary Emulation EkoParty - Don't Get Stung by a Honeybee

  • 1. Adversary Emulation Don’t Get Stung By a Honeybee @JorgeOrchilles
  • 2. @JORGEORCHILLES T1033 - System Owner/User Discovery ● Chief Technology Officer - SCYTHE ● Purple Team Exercise Framework (PTEF) ● C2 Matrix Co-Creator ● 10 years @ Citi leading offensive security team ● Certified SANS Instructor: SEC560, SEC504 ● Author SEC564: Red Team Exercises and Adversary Emulation ● CVSSv3.1 Working Group Voting Member ● GFMA: Threat-Led Pentest Framework ● ISSA Fellow; NSI Technologist Fellow 2
  • 3. @JORGEORCHILLES Agenda ● What is Adversary Emulation ● Cyber Threat Intelligence ● About Honeybee ● Adversary Emulation Plan ● Live Demo ● Don’t get Stung! 3
  • 4. @JORGEORCHILLES Ethical Hacking Maturity Model https://www.scythe.io/library/scythes-ethical-hacking-maturity-model 4 ● Based on my experience and experience in other organizations ● Not a step by step guide but can be used as a blueprint for maturing ● You can skip steps ● Every organization is different ● Don’t stop doing the previous assessment types as you mature
  • 5. @JORGEORCHILLES Red Team ● Definition: ○ “The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal ● Goal: ○ Make Blue Team better ○ Test and measure people, process, and technology ○ Test assumptions 5 https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988 ● Effort: ○ Manual ○ Many tools (C2 Matrix) ○ Some automation for attack infra and TTPs ● Frequency: ○ Intelligence-led (new exploit, tool, or TTP) ○ Yearly (regulatory) ● Customer: ○ Blue Teams
  • 6. @JORGEORCHILLES Adversary Emulation ● Definition: ○ A type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries. ● Goal: ○ Emulate an adversary attack chain or scenario ○ Understand organization’s preparedness if under a real, sophisticated attack ● Effort: ○ Manual ● Customer: ○ Entire organization 6 https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
  • 7. @JORGEORCHILLES Internal vs. External Teams Internal Red Teams ● Repeated engagements ○ Remediation retesting ● Use privileged/insider knowledge ● Sparring partner External Red Teams ● Offers new perspective ○ May have other industry experience ● “Snapshot” engagements 7
  • 10. @JORGEORCHILLES Purple Team Exercises 10 ● Virtual, functional team where teams work together to measure and improve defensive security posture ○ CTI provides threat actor with capability, intent, and opportunity to attack ○ Red Team creates adversary emulation plan ○ Tabletop discussion with defenders about the attacker tactics, techniques, and procedures (TTPs) and expected defenses ○ Emulation of each adversary behavior (TTP) ○ Blue Team look for indicators of behavior ○ Red and Blue work together to create remediation action plan ● Repeat exercises to measure and improve people, process, and technology
  • 11. @JORGEORCHILLES Framework & Methodology 11 ● Purple Team Exercise Framework (PTEF) ● Cyber Kill Chain – Lockheed Martin ● Unified Cyber Kill Chain – Paul Pols ● Financial/Regulatory Frameworks ○ CBEST Intelligence Led Testing ○ Threat Intelligence-Based Ethical Red Teaming ○ Red Team: Adversarial Attack Simulation Exercises ○ Intelligence-led Cyber Attack Simulation Testing ○ A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry ● Testing Framework:
14. @JORGEORCHILLES
CTI - Honeybee
Honeybee is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
15. @JORGEORCHILLES
Of course, as I prepared this talk...
17. @JORGEORCHILLES
Adversary Profile (1)
Tactic | Description
Command and Control | T1071.002 - Application Layer Protocol: File Transfer Protocols - Honeybee uses FTP for command and control
Execution | T1059.005 - Command and Scripting Interpreter: Visual Basic
 | T1059.003 - Command and Scripting Interpreter: Windows Command Shell
 | T1569.002 - System Services: Service Execution
Defense Evasion | T1140 - Deobfuscate/Decode Files or Information
 | T1070.004 - Indicator Removal on Host: File Deletion
 | T1112 - Modify Registry
 | T1027 - Obfuscated Files or Information
 | T1055 - Process Injection
 | T1553.002 - Subvert Trust Controls: Code Signing
Discovery | T1083 - File and Directory Discovery
 | T1057 - Process Discovery
 | T1082 - System Information Discovery
18. @JORGEORCHILLES
Adversary Profile (2)
Tactic | Description
Privilege Escalation | T1548.002 - Abuse Elevation Control Mechanism: Bypass User Access Control
 | T1546.009 - Event Triggered Execution: AppCert DLLs
Persistence | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
 | T1543.003 - Create or Modify System Process: Windows Service
Collection | T1560 - Archive Collected Data
 | T1005 - Data from Local System
 | T1074.001 - Data Staged: Local Data Staging
Exfiltration | T1020 - Automated Exfiltration
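The profile on the two slides above is the input a defender turns into an ATT&CK Navigator layer for the tabletop and for tracking coverage. The following is an added example, not code from the talk or from SCYTHE: it parses the technique entries exactly as written on the slides and emits a Navigator layer dictionary; the `versions` values are an assumption to be matched to the Navigator build in use.

```python
"""Turn the Honeybee adversary profile above into an ATT&CK Navigator layer.
Added example, not from the talk: technique IDs come from the profile slides; the
field names follow the Navigator layer JSON format, and the "versions" values are
an assumption to be matched to the Navigator build you use."""
import re

# Constructed from the two profile slides: tactic -> technique entries as written.
HONEYBEE_PROFILE = {
    "Command and Control": ["T1071.002 - Application Layer Protocol: File Transfer Protocols"],
    "Execution": ["T1059.005 - Command and Scripting Interpreter: Visual Basic",
                  "T1059.003 - Command and Scripting Interpreter: Windows Command Shell",
                  "T1569.002 - System Services: Service Execution"],
    "Defense Evasion": ["T1140 - Deobfuscate/Decode Files or Information",
                        "T1070.004 - Indicator Removal on Host: File Deletion",
                        "T1112 - Modify Registry", "T1027 - Obfuscated Files or Information",
                        "T1055 - Process Injection",
                        "T1553.002 - Subvert Trust Controls: Code Signing"],
    "Discovery": ["T1083 - File and Directory Discovery", "T1057 - Process Discovery",
                  "T1082 - System Information Discovery"],
    "Privilege Escalation": ["T1548.002 - Abuse Elevation Control Mechanism: Bypass User Access Control",
                             "T1546.009 - Event Triggered Execution: AppCert DLLs"],
    "Persistence": ["T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
                    "T1543.003 - Create or Modify System Process: Windows Service"],
    "Collection": ["T1560 - Archive Collected Data", "T1005 - Data from Local System",
                   "T1074.001 - Data Staged: Local Data Staging"],
    "Exfiltration": ["T1020 - Automated Exfiltration"],
}

# "T1071.002 - Name" or "T1140 - Name"; the name (and any trailing note) becomes the comment.
TECH_ENTRY = re.compile(r"^(T\d{4}(?:\.\d{3})?) - (.+)$")


def tactic_slug(name):
    """Navigator keys tactics in lower-case hyphenated form, e.g. 'command-and-control'."""
    return name.lower().replace(" ", "-")


def build_layer(profile, name="Honeybee"):
    techniques = []
    for tactic, entries in profile.items():
        for entry in entries:
            m = TECH_ENTRY.match(entry)
            if not m:
                raise ValueError(f"unparsable technique entry: {entry!r}")
            techniques.append({"techniqueID": m.group(1), "tactic": tactic_slug(tactic),
                               "score": 1, "comment": m.group(2), "enabled": True})
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "9", "navigator": "4.3", "layer": "4.2"},  # assumed
            "techniques": techniques}
```

Serialise the returned dictionary with `json.dumps` and load it in Navigator to highlight the 21 Honeybee techniques.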
19. @JORGEORCHILLES
Planning
● Goals and Objectives
● Red Team or Purple Team Exercise?
● Exercise Coordinator/Project Manager
● Assume Breach or Full End-to-End?
○ Initial Access takes time
○ Infinite ways in
● Rules of Engagement
● Attack Infrastructure
20. @JORGEORCHILLES
Determine Tools to Use - C2 Matrix
● Google Sheet of C2s
● https://www.thec2matrix.com/
● Find ideal C2 for your needs
● SANS Slingshot C2 Matrix VM
● https://howto.thec2matrix.com
● Follow @C2_Matrix
21. @JORGEORCHILLES
T1548.002 Bypass User Access Control
● Windows security feature designed to split admin privileges from normal user privileges
● Implemented by Windows via “token integrity levels”
○ Low: Restricted privileges
○ Medium: Normal user privilege
○ High: Administrator privileges
○ SYSTEM: Highest Windows privilege
● UAC prevents a user with administrator privileges in a medium integrity context from performing admin tasks without approval via a UAC prompt
22. @JORGEORCHILLES
UACMe
● Over 60 methods documented
● DLL Hijack
● Application Compatibility
● Elevated COM Interface
● Shell API
● Just ask
● https://github.com/hfiref0x/UACME
24. @JORGEORCHILLES
Don’t Get Stung!
● Don’t allow FTP inbound or outbound of your network/endpoints
● Monitor egress from your network
○ Heartbeats
○ Jitter
○ Large amount of data
● Ensure all users run with least privilege
○ Bob in Accounting does not need local admin
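The three egress checks on this slide (FTP leaving the network, regular low-jitter heartbeats, large outbound volume) can be run over connection logs. This is an added example, not code from the talk or from SCYTHE: the records are constructed in a Zeek conn.log-like tab-separated shape and the thresholds are assumptions to tune for your environment.

```python
"""Flag FTP-style C2 beaconing in egress connection records (added example, not from
the talk). Records are constructed, Zeek conn.log-like tab-separated fields:
ts, src, dst, dst_port, orig_bytes. Thresholds are assumptions to tune per environment."""
import statistics
from collections import defaultdict

# Constructed: a workstation checking in to an external FTP host every ~60 s with
# little jitter, one large upload in the same flow, and ordinary HTTPS for contrast.
CONSTRUCTED_LOG = """\
1600000000.0\t10.0.0.5\t203.0.113.9\t21\t120
1600000060.5\t10.0.0.5\t203.0.113.9\t21\t115
1600000119.8\t10.0.0.5\t203.0.113.9\t21\t130
1600000180.2\t10.0.0.5\t203.0.113.9\t21\t50000000
1600000240.1\t10.0.0.5\t203.0.113.9\t21\t118
1600000012.0\t10.0.0.7\t198.51.100.4\t443\t2400
1600000900.0\t10.0.0.7\t198.51.100.4\t443\t1900
"""

FTP_PORTS = {20, 21}
MIN_CONNECTIONS = 4        # need a few samples before judging periodicity
MAX_JITTER_RATIO = 0.10    # stdev(interval) / mean(interval) below this looks like a heartbeat
LARGE_UPLOAD_BYTES = 10_000_000

def parse(log):
    """Group (timestamp, bytes_out) by (src, dst, dst_port)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, port, obytes = line.split("\t")
        flows[(src, dst, int(port))].append((float(ts), int(obytes)))
    return flows

def assess(flows):
    """Return {flow_key: [reasons]} for flows tripping any of the three slide checks."""
    findings = {}
    for key, records in flows.items():
        records.sort()
        reasons = []
        if key[2] in FTP_PORTS:
            reasons.append("ftp-egress")  # FTP should not leave the network at all
        if len(records) >= MIN_CONNECTIONS:
            gaps = [b[0] - a[0] for a, b in zip(records, records[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean < MAX_JITTER_RATIO:
                reasons.append(f"heartbeat~{mean:.0f}s")
        if sum(obytes for _, obytes in records) >= LARGE_UPLOAD_BYTES:
            reasons.append("large-upload")
        if reasons:
            findings[key] = reasons
    return findings
```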
25. @JORGEORCHILLES
MOAR!!! #ThreatThursday
● https://www.scythe.io/library/threatthursday-honeybee
● Choose an adversary every week
○ Introduce Adversary
○ Consume CTI and map to MITRE ATT&CK w/Navigator Layer
○ Create Adversary Emulation Plan
○ Share the plan on SCYTHE Community Threat GitHub: https://github.com/scythe-io/community-threats/
○ Emulate Adversary with video
○ How to defend against adversary
● All free for the community: https://www.scythe.io/threatthursday
26. @JORGEORCHILLES
References
● Ethical Hacking Maturity Model: https://www.scythe.io/library/scythes-ethical-hacking-maturity-model
● Definitions: https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
● Purple Team Exercise Framework: https://www.scythe.io/ptef
● Cyber Threat Intelligence for HoneyBee
○ https://attack.mitre.org/groups/G0072/
○ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
● C2 Matrix: https://thec2matrix.com https://howto.thec2matrix.com
● Honeybee Threat Thursday: https://www.scythe.io/library/threatthursday-honeybee
● #ThreatThursday: https://www.scythe.io/threatthursday
● Emulation plans: https://github.com/scythe-io/community-threats/
28. @JORGEORCHILLES
SCYTHE
● Enterprise-Grade platform for Adversary Emulation
○ Creating custom, controlled, synthetic malware
○ Server can be deployed on-premises or in your cloud
○ Multiple relays - Docker, Python, Windows MSI
● Emulate known threat actors against enterprise network and systems
○ Consistently execute adversary behaviors
○ Continually assess security controls
○ Decreased evaluation time of security technologies
○ Identify blind spots for blue teams
○ Force-multiplier for red team resources
○ Measure and improve response of people and process
29. @JORGEORCHILLES
Features & Capabilities
● Enterprise C2:
○ HTTP(S), DNS, Google Sheets, Twitter, Stego, SMB
● Automation
○ Build cross-platform synthetic malware via dashboard
○ Synthetic malware emulates chosen behaviors consistently
● Delivery methods
○ Web Page/Drive-by (T1189)
○ Phishing Link (T1192)
○ Phishing Attachment (T1193)
● Reports
○ HTML, CSV, Executive, and Technical Reports
○ ATT&CK Navigator Layer
○ MITRE ATT&CK Heat Map
● Integrations
○ VECTR - Tracking Red and Purple Team Exercises
○ PlexTrac - automated report writing and handling
○ Integrated with Splunk and all other SIEMs with syslog
○ Red Canary’s Atomic Red Team test cases