
KringleCon 3 Providing Value in Offensive Security

Santa invited me to the north pole to talk about how Offensive Security is meant to provide business value. I cover Purple Teaming and C2 Matrix as well.



  1. Offensive Security Tools: Providing Value with the C2 Matrix
     Jorge Orchilles, CTO / SCYTHE, Twitter @JorgeOrchilles
  2. T1033 – User Discovery
     • Chief Technology Officer - SCYTHE
     • 10 years leading offensive team @Citi
     • Wrote a book when I was a system admin
     • Started in Vulnerability Assessment, then Pen Test, Red Team, Purple Team
  3. Evolution of OffSec, or how I went through this journey in the past 10+ years
     https://www.scythe.io/library/scythes-ethical-hacking-maturity-model
  4. Offensive Security is about providing value
  5. Exploitation is valuable! However, there is much more to an attack than exploitation
     “It is not all about exploitation” – Ed Skoudis, 2011
     MITRE has CVE and ATT&CK
     • CVE is for vulnerabilities (and exploits)
     • ATT&CK is for adversary behavior
     • 525 Techniques and Sub-techniques
     • Only 9 reference “exploit”
  6. Assume Breach
     Santa operates in assume breach mode. Everyone will be compromised at some point
     • A patch will not be applied in time (exploited)
     • A user will fall for a phishing campaign (oops)
     What happens next is what matters
  7. Purple Team: Full Knowledge Offensive Exercises
     A Purple Team is a virtual team where the following teams work together:
     • Cyber Threat Intelligence - team to research and provide adversary behavior
     • Red Team - offensive team emulating adversaries
     • Blue Team - the defenders: Security Operations Center (SOC), Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Providers (MSSP)
     https://www.scythe.io/ptef
  8. Cyber Threat Intelligence
     We are not talking about Indicators of Compromise but about Adversary Behavior (TTPs)
  9. Red Team: The Offensive Team
     “The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal
     Test, measure, and improve people, process, and technology
  10. Blue Team: The Defenders, tasked with identifying and responding to attacks
     Detect & Respond
     • Log: relevant events, locally and in a central log aggregator
     • Alert: with a severity
     • Respond: process, people, automation
     Prevention != Detection
  11. The Flow
     1. Cyber Threat Intelligence presents the adversary, TTPs, and technical details
     2. Attendees have a table-top discussion of security controls and expectations for TTPs
     3. Red Team emulates the TTPs
     4. Blue Team analysts follow process to detect and respond to the TTP
     5. Share screen if TTPs were identified, received alert, logs, or any forensic artifacts
     6. Document results - what worked and what did not
     7. Perform any adjustments or tuning to security controls to increase visibility
     8. Repeat TTPs
     9. Document any feedback and/or additional Action Items for Lessons Learned
     10. Repeat from step 1 for next TTPs
  12. Tools: the C2 Matrix
     • Collaborative Evaluation
     • Google Sheet of C2s
     • 60 frameworks
     • www.thec2matrix.com
     • @C2_Matrix
     • howto.thec2matrix.com
  13. SANS Slingshot C2 Matrix Edition
     • Made in collaboration with SANS and Ryan O'Grady
     • Goal is to lower the learning curve of installing each C2 framework
     • Gets you straight to testing C2s
     • 8 C2s installed by default
     • VECTR for managing/tracking exercises
     https://howto.thec2matrix.com/slingshot-c2-matrix-edition
  14. Provide Value - Baseline (https://vectr.io)
     • 6-week Purple Team Exercise
     • Assumed Breach scenario
     • Emulated 4 APTs
     Baseline Result: known threats have the ability to achieve their objective without being detected
  15. Provide Value – End State (https://vectr.io)
     • $0 technology spend
     • Achieved 64% detection rate
     • Enabled telemetry (Sysmon)
     • Created logic for alerts on SIEM
     End State Result: known threats will be detected and responded to before achieving their objective
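The Blue Team stages on slide 10 (log, alert, respond), the exercise flow on slide 11 and the baseline versus end-state detection rates on slides 14 and 15 are all one measurement loop: emulate a TTP, record the highest stage the defenders reached, and turn every gap into an action item. The script below is an added example, not code from the talk, SCYTHE or VECTR. It scores a round of emulated TTPs against constructed Sysmon-style process events and hypothetical SIEM rules; T1033 is the technique on the slides, while T1087 and T1016 are real ATT&CK IDs added as extra samples, and the event records and rule logic are made up for the illustration.

```python
"""Purple Team exercise tracker (added example): record the Blue Team outcome
for each emulated TTP and compute a detection rate plus action items, the
kind of baseline vs. end-state metric a tracker such as VECTR reports."""
from dataclasses import dataclass, replace
from typing import Callable

# Outcome stages from the Blue Team slide, lowest to highest.
OUTCOMES = ["Not Logged", "Logged", "Alerted", "Responded"]


@dataclass
class ProcessEvent:
    """Constructed Sysmon-style process-creation record (not a real capture)."""
    ttp_id: str          # ATT&CK technique the Red Team emulated
    image: str           # path of the new process
    command_line: str
    central_log: bool    # True if the event reached the central log aggregator


@dataclass
class DetectionRule:
    """Hypothetical SIEM alert logic: fires when match(event) is True."""
    name: str
    ttp_id: str
    severity: str
    match: Callable[[ProcessEvent], bool]


def evaluate_ttp(ttp_id, events, rules, responded):
    """Return the highest stage reached for one TTP (Flow steps 4 and 5)."""
    seen = [e for e in events if e.ttp_id == ttp_id and e.central_log]
    if not seen:                      # local-only logs give the SOC nothing
        return "Not Logged"
    if not any(r.match(e) for r in rules if r.ttp_id == ttp_id for e in seen):
        return "Logged"
    return "Responded" if ttp_id in responded else "Alerted"


# Gap -> tuning action (Flow steps 6, 7 and 9).
ACTIONS = {
    "Not Logged": "enable telemetry (e.g. Sysmon) and forward it to the aggregator",
    "Logged": "create alert logic on the SIEM with a severity",
    "Alerted": "walk the analysts through the response process for this alert",
}


def run_exercise(ttp_ids, events, rules, responded=frozenset()):
    """Score one round of TTPs; the detection rate counts Alerted or better."""
    results = {t: evaluate_ttp(t, events, rules, responded) for t in ttp_ids}
    detected = sum(OUTCOMES.index(o) >= OUTCOMES.index("Alerted")
                   for o in results.values())
    rate = round(100 * detected / len(results)) if results else 0
    action_items = [f"{t}: {ACTIONS[o]}" for t, o in results.items() if o in ACTIONS]
    return {"results": results, "detection_rate": rate, "action_items": action_items}


# Constructed sample: three discovery techniques emulated in assume-breach mode.
# T1033 is from the slides; T1087 and T1016 are real ATT&CK IDs added as samples.
TTPS = ["T1033", "T1087", "T1016"]
SAMPLE_EVENTS = [
    ProcessEvent("T1033", r"C:\Windows\System32\whoami.exe", "whoami /all", True),
    ProcessEvent("T1087", r"C:\Windows\System32\net.exe", "net user", True),
    ProcessEvent("T1016", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all", False),
]
RULES = [
    DetectionRule("User discovery via whoami", "T1033", "low",
                  lambda e: e.image.lower().endswith("\\whoami.exe")),
    DetectionRule("Local account enumeration", "T1087", "medium",
                  lambda e: e.image.lower().endswith("\\net.exe")
                  and "user" in e.command_line.lower().split()),
]


def baseline():
    """Before the exercise: events stay on the host and no SIEM logic exists."""
    local_only = [replace(e, central_log=False) for e in SAMPLE_EVENTS]
    return run_exercise(TTPS, local_only, rules=[])


def end_state():
    """After tuning: telemetry forwarded, two rules written, one TTP responded to."""
    return run_exercise(TTPS, SAMPLE_EVENTS, RULES, responded={"T1087"})


if __name__ == "__main__":
    for label, report in (("Baseline", baseline()), ("End state", end_state())):
        print(f"{label}: {report['detection_rate']}% detection")
        for ttp, outcome in report["results"].items():
            print(f"  {ttp}: {outcome}")
        for item in report["action_items"]:
            print(f"  action item -> {item}")
```

The baseline run scores 0% because nothing reaches the aggregator, which is exactly the "Prevention != Detection" point: the commands ran on the host, but the SOC had no way to see them. After forwarding telemetry and writing two rules the same three TTPs score 67%, and the remaining action items (T1016 still not logged, T1033 alerted but never exercised through the response process) are what step 10 of the flow feeds into the next round.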