4. #whoami
Nathi Mogomotsi @nathimog
african, black, grand[son], brother, hacker, n00b, vegan, alcohol, not-french,
suck-at-english, God fearing, not-a-saint, no tattoo, biker
Sr. Red Teamer @sanlam
Hacker @sensepost
5. How it all started
• New job
• More time to do research and 1337 hax
But…
• It wasn’t fun anymore
• Now I get to receive pen test reports
• I am on the receiving end
• Needed to do something about this
• Time to help the defenders
https://twitter.com/s7ephen/status/925969930134024192
6. On an Unrelated Note:
• I asked my previous boss (Charl) to buy me this book about 4 years ago
• I knew I had some “defensive” blood in me
7. How it all started
• Watched CG and CN talk
• Was impressed, thanks guys
• Go watch the talk
• Will wait for you…
8. Why this talk
• To share my experience
• To share my learnings
• Hopefully it will help you get started (you should)
• I am not an expert, so this is really basic stuff
• Ping me if you have any comments or ideas
• nathi@protonmail.com
9. Why this talk – Pyramid of Pain
http://detect-respond.blogspot.co.za/2013/03/the-pyramid-of-pain.html
10. What is attack simulation?
• Just like a pilot simulator, it is there to put you in the worst possible
situation at a lowest level of risk - Chris Nickerson
• Understanding attacks that might be used against an organisation in
order to improve the organisation’s defence – me
• Attack simulations should be done to learn how attackers are likely to
achieve goals against your organization – Zane Lackey
• Can we detect and/or stop a particular attack?
• Assume compromise – We can be compromised!
11. What is attack hunting?
• Proactive incident response
• Are we hacked by this particular attack?
• Assume compromise – We might be compromised already!
13. Attack Techniques
Choose a technique you are interested in:
• Technique used in the wild
• Technique from threat reports
• Technique you found during your vuln research
• Technique from software vendors security bulletins
• Technique from hacker tools
• Technique from pen testing report
14. Attack Techniques - MITRE
“ATT&CK is useful for understanding security risk against known
adversary behavior, for planning security improvements, and verifying
defenses work as expected.” https://attack.mitre.org/wiki/Main_Page
20. Kill chain – defensive courses of action
Phase                 | Detect        | Deny          | Disrupt   | Degrade       | Deceive      | Contain
Reconnaissance        | Web Analytics | Firewall ACL  |           |               |              | Firewall ACL
Weaponization         | NIDS          | NIPS          |           |               |              | NIPS
Delivery              | Vigilant user | Proxy filter  | Inline AV | Email Queuing |              | App-Aware Firewall
Exploitation          | HIDS          | Vendor Patch  | EMET, DEP |               |              | Inter-Zone NIPS
Installation          | HIDS          | 'chroot' Jail | AV        |               |              | EPP
Command & Control     | NIDS          | Firewall ACL  | NIPS      | Tar pit       | DNS Redirect | Trust Zones
Actions on Objectives | Audit log     | Outbound ACL  | DLP       | QOS Throttle  | Honeypot     | Trust Zones
21. Recap
• We identified the technique we want to focus on
• We understand our current defences
(Process cycle: Attack Technique → Defensive Controls → Simulation → Hunting → Measure Effectiveness)
22. Simulations – The process
• Hack yourself first
• Hack the humans
• Attack analysis with the blue team
• Defence controls update
• Validate new defence controls
• Activity tracker
23. Simulations – Hack yourself first
• Test detection tools
• Use a test machine identical to your environment
• Collect Indicators of Compromise (IoCs)
  Network artefacts:
  • User Agent Strings
  • Dynamic DNS visits
  • Encrypted traffic
  • MIME type downloads
  Host artefacts:
  • New files
  • New services
  • New registry keys
  • Files that run on reboot
25. Simulation – hack the humans
• Test processes
• Test blue team response to alerts
• Test IR procedure
26. Simulations – Attack Analysis with the blue team
• Show how you did your hack
• Kill chain analysis and controls
• Map logs to the attack
• Handover Indicators of Compromise
28. Simulation – Defence update
• To automate detection
• Update
• FW/IDS/IPS/AV/EDR/<your security product here>
• Processes
• Deploy Controls
• Controls should not be expensive and complex
• https://t2.fi/2017/02/05/haroon-meer-keynote-2016/
29. Simulation – Controls validation
• Validate the new defence controls
• Create a script to automate this
• Should not be fancy
• Mainly to help the blue team
31. Recap
• We identified the technique we want to focus on
• We understand our current defences
• We tested, updated and validated controls and incident procedures
• We know which data sets to use for our hunts
(Process cycle: Attack Technique → Defensive Controls → Simulation → Hunting → Measure Effectiveness)
32. Hunting – The process
• Collect data sets
• Process the data sets
• Analyse collection
• Malicious activity
• Activity tracker
34. Hunting – Techniques to process the data sets
• Searching
• Stack Counting
• Grouping
• Clustering
https://sqrrl.com/threat-hunting-reference-guide/
https://speakerdeck.com/davidjbianco/toppling-the-stack-practical-outlier-detection-for-threat-hunters
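As an added example (not from the slides), here is stack counting applied to User-Agent strings taken from a few constructed proxy log lines: the least common agents, and those seen from only one host, surface at the bottom of the stack for an analyst to follow up. The log format, field order and sample values are assumptions for this example.

```python
"""Stack counting of User-Agent strings over proxy log lines (added example).
The line format "<ts> <src_ip> <host> "<user_agent>"" is assumed, not a real product format."""
from collections import Counter, defaultdict
import re

# Constructed sample log: mostly one common browser UA, plus one odd UA
# from a single host talking to a dynamic-DNS style name.
SAMPLE_LOG = """\
1510000001 10.0.0.11 www.example.com "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
1510000002 10.0.0.12 www.example.com "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
1510000003 10.0.0.13 cdn.example.net "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
1510000004 10.0.0.11 updates.example.org "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
1510000005 10.0.0.14 www.example.com "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
1510000006 10.0.0.12 cdn.example.net "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
1510000007 10.0.0.13 host.dyndns-example.test "Mozilla/4.0 (compatible; MSIE 6.0)"
1510000008 10.0.0.13 host.dyndns-example.test "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) "([^"]*)"$')

def parse(log_text):
    """Yield (src_ip, host, user_agent) for each well-formed line; skip junk lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(3), m.group(4)

def stack_user_agents(records):
    """Stack counting: per UA, (number of log lines, number of distinct source IPs)."""
    hits = Counter()
    hosts = defaultdict(set)
    for src_ip, _host, ua in records:
        hits[ua] += 1
        hosts[ua].add(src_ip)
    return {ua: (hits[ua], len(hosts[ua])) for ua in hits}

def rare_user_agents(stack, max_hosts=1):
    """Outliers: UAs seen from at most max_hosts source IPs, least common first,
    so the analyst reads from the bottom of the stack upwards."""
    rare = [(ua, n, h) for ua, (n, h) in stack.items() if h <= max_hosts]
    return sorted(rare, key=lambda r: (r[1], r[0]))

if __name__ == "__main__":
    stack = stack_user_agents(parse(SAMPLE_LOG))
    for ua, n, h in rare_user_agents(stack):
        print(f"{n:4d} hits from {h} host(s): {ua}")
```

The same stack can be built on any other field the slide lists (destination host, MIME type) by changing which tuple element is counted.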
35. Hunting – Analyse collection
• Search artefacts on the network data sets
• Find suspicious hosts
• Host threat hunting
https://www.sans.org/summit-archives/file/summit-archive-1492556122.pdf
36. Hunting – Found suspicious activity
• Call the forensicators
• Execute the IR plan
38. Recap
• We identified the technique we want to focus on
• We understand our current defences
• We tested, updated and validated controls and incident procedures
• We know which data sets to use for our hunts
• We confirmed if we are under attack or not
• Hopefully eradicated the threat
(Process cycle: Attack Technique → Defensive Controls → Simulation → Hunting → Measure Effectiveness)
39. Measure Effectiveness
• Effectiveness is a measure of the success of the operation, overall - Raphael Mudge.
• Roberto Rodriguez (@cyb3rWard0g)
• https://cyberwardog.blogspot.co.za/2017/07/how-hot-is-your-hunt-team.html
40. KEY TAKEAWAYS
• You get to play a part in defence
• You get to find bad guys and pen testers
• You get to learn other stuff, e.g. DFIR, network monitoring, rule writing
• You get to do cool hacks that actually make a difference in your org
• You get to teach the blue team
• You get to learn from them too.
https://medium.com/@sroberts/introduction-to-dfir-d35d5de4c180
41. More from CN and CG
• If you didn’t watch their talk earlier
• Go ahead and watch this one
• Updated and more awesome
• Thanks once again guys
42. Tools – because you want to automate
• CALDERA: Automatic adversary emulation (to be released at BH17 EU)
• DumpsterFire – Threat simulations
• SQRLL VM – Threat hunting
• CCF VM – Incident triage (DFIR) with ELK
• Bro IDS – Network monitoring
• Sysmon – System monitoring
• ELK – Data visualisation
• Chris Gates is also releasing something soon ;)
43. Credits / References / Thank you
Credits & Thank you for your contributions
• @indi303
• @carnal0wnage
• @jackcr
• @DavidJBianco
• @Sroberts
• @RobertMLee
• @Subtee
• @Chrissanders88
• Dr. Eric Cole
• @Jaredcatkinson
• @Robwinchester3
• @DAkacki
• @cyb3rWard0g
Resources
• https://github.com/magoo/redteam-plan
• http://soc.wa.gov/resources/exercises
• https://github.com/redcanaryco/atomic-red-team
• https://resources.redcanary.com/atomic-red-team-training-session-nov-2017
• https://github.com/demisto/content
Training
• Chris Sanders - http://chrissanders.org/training/
• @zanelackey
• @haroonmeer
• @M_haggis
• @mattifestation
• @AlanOrlikoski
• @PyroTek3
• @SqrrlData
• @redcanaryco
• Bloodhound Gang
44. Special Thanks:
When I do grow up one day I want to be like these guys
• Willem Smit @slackerscoza
• Kelvin Adams @nivlek007
• George Pranschke @cheorchie
• Chris Gates @carnal0wnage
• The most awesome people I have ever met!
• Keep rocking guys.
45. “Do whatever you want. Trust your guts, your humanly feelings, your
very limited knowledge. This is best effort.” – Julio Auto
46. Thanks once again, do your best effort to try to be
nice to one another & take care of your health!