Cyber Aggressors: A Concept of Operations
Quick Introduction
• Raphael Mudge, Strategic Cyber LLC
  – [email protected]
• I develop Cobalt Strike
  – http://www.advancedpentest.com/
• Would you like to try Cobalt Strike?
  – I have DVDs with a complete hacking lab on them
  – Ask for one. They’re fun.
Overview
• My Back Story
• Pen Testing vs. Red Team vs. Aggressor
• What is an Aggressor?
• From Red Team to Aggressor
Rochester, NY (March 2008)
Personal Detour
Armitage
Red Team Collaboration
And… Automation
Red Team Support to DoD Agency
How To Get a Foothold
1. Map client-side attack surface
2. Create Virtual Machine for testing purposes
3. Use Virtual Machine to select best attack
4. Configure and disguise the attack
5. Email attack package to victim
Metasploit’s Tactical Gaps
• Attacks are caught by anti-virus
• Limited options to egress a network
  – HTTP, HTTPS, TCP, TCP – All Ports
• Meterpreter
  – Communicates with one C&C endpoint
  – Requires active channel or session dies
  – Non-obfuscated staging process (fixed April 2013)
Cobalt Strike
Augment the Metasploit Framework
• Artifacts that get past anti-virus
• Social Engineering Workflow
• Beacon Payload
  – C&C over DNS, HTTP, and SMB Named Pipes
  – Uses redirectors, calls home to multiple systems
  – Low and Slow “asynchronous” C&C
• Post-Exploitation Emphasis
  – e.g., browser pivoting to get past 2FA
Static Defenses
Roles
• Penetration Tester
• Red Team
• Aggressor
Roles (What)
• Penetration Tester
  – Exploit Security Holes
• Red Team
  – Simulate an Attack
• Aggressor
  – Replicate an Imminent Threat
Roles (Why)
• Penetration Tester
  – Find and verify vulnerabilities
• Red Team
  – Exercise Security Controls
• Aggressor
  – Exercise Intelligence Support to CND
Vietnam War
2.2:1
Continued…
• Project Red Baron II
  – Pilot’s chance of survival increases after 10 missions
  – Led to USAF’s Red Flag Exercise in 1975 *
• Red Flag Exercise
  – Fly 10 combat missions against…
  – dissimilar aircraft (flown by Aggressors)
* US NAVY founded TOPGUN in 1969 to address training gap after heavy losses during Operation Rolling Thunder.
Aggressors
• Selected from top pilots
• Trained to use the enemy’s TTPs
• Flew American aircraft!
Aggressor Platform
• American aircraft with similar profile
• Painted with adversary’s colors
What is a Cyber Aggressor?
• Selected from top red operators
• Trained to use the enemy’s TTPs
• Uses platform with enemy’s capabilities
Cyber Aggressor Platform
• Standard Platform
• Gets past static defenses
• Extensible for mission needs
• Customizable Indicators
Customizable Indicators
• On Disk
  – Add static strings to EXE and DLL artifacts
  – Drop persistence to same location, use same registry key
Customizable Indicators
• On Network
  – Limit C&C Protocols to what adversary uses
  – Customize C&C with indicators to look like actor
Beacon as a Communication Layer
Communication Profiles
• Start a Cobalt Strike team server with a profile
• Profile is compiled and hot-patched into Beacon agent and server
• Communication through Beacon follows profile
Communication Profiles
• To replicate Comment Crew:
  – Restrict Beacon to its HTTP channel
  – Load profile that:
    • Base64 encodes data
    • <html>Pads data with dummy HTML</html>
    • <!-- Wraps data in an HTML comment -->
  – Tunnel Tools through Beacon
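The slide above describes a profile whose HTTP channel base64-encodes its data, pads it with dummy HTML, and wraps it in an HTML comment. The following is an added example, written for this page and not part of Cobalt Strike, its Malleable C2 profiles, or the author’s code. It shows what a defender looking for that indicator can do: scan captured HTTP response bodies for HTML comments whose entire content is a well-formed base64 blob and decode them. The sample page is constructed inline by applying the transform the slide describes to a made-up string; the blob-length threshold and the function names are my assumptions.

```python
import base64
import binascii
import re
from typing import List, Optional

# HTML comment matcher; DOTALL so comments spanning lines are captured.
_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Strict base64 alphabet with optional padding; whitespace inside is not allowed.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Assumed threshold: shorter comment bodies are too likely to be ordinary words
# that happen to fit the base64 alphabet (e.g. "TODO").
MIN_BLOB_LEN = 16


def decode_if_base64(text: str, min_len: int = MIN_BLOB_LEN) -> Optional[bytes]:
    """Return the decoded bytes if `text` is one strict base64 blob, else None."""
    stripped = text.strip()
    if len(stripped) < min_len or len(stripped) % 4 != 0:
        return None
    if not _B64_RE.match(stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_comment_payloads(body: str) -> List[bytes]:
    """Decode every HTML comment in `body` whose whole content is base64.

    A normal comment ("<!-- fix footer -->") fails the alphabet test and is
    ignored; a comment that is nothing but a base64 blob is reported.
    """
    payloads: List[bytes] = []
    for match in _COMMENT_RE.finditer(body):
        decoded = decode_if_base64(match.group(1))
        if decoded is not None:
            payloads.append(decoded)
    return payloads


def simulate_profile_response(data: bytes) -> str:
    """Constructed sample only: apply the transform the slide describes.

    base64-encode the data, pad it with dummy HTML, wrap it in a comment.
    This stands in for a captured response body in the checks below.
    """
    blob = base64.b64encode(data).decode("ascii")
    return (
        "<html><head><title>Welcome</title></head><body>\n"
        "<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</p>\n"
        f"<!-- {blob} -->\n"
        "</body></html>\n"
    )


# Constructed benign page: its comment is prose, so it must not be flagged.
BENIGN_PAGE = "<html><body><!-- TODO: fix footer --><p>hello</p></body></html>"


if __name__ == "__main__":
    sample = simulate_profile_response(b"constructed tasking blob")
    print("suspect page:", find_comment_payloads(sample))
    print("benign page: ", find_comment_payloads(BENIGN_PAGE))
```

The check is deliberately narrow: it only fires when a comment contains nothing but base64 of a minimum length, which keeps the false-positive rate on ordinary pages low while catching the exact shape the slide describes. In a real pipeline you would pair it with the other indicators on the same slide (the restriction to HTTP and the dummy-HTML padding) rather than alerting on this pattern alone.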
Red Team: Security Controls
• What did you see?
• What did the adversary take?
• Which systems is the adversary on?
• Which accounts are compromised?
• Where is the adversary’s C&C?
Aggressor: Intelligence and CND
• Who is attacking us?
• What do they want?
• What will they go after next?
• Which indicators match known profile?
• Which indicators are new?
• What other indicators may we look at?
Summary
• My Back Story
• Pen Testing vs. Red Team vs. Aggressor
• What is an Aggressor?
• From Red Team to Aggressor
Questions
• Email: [email protected]
• Twitter: @armitagehacker
• WWW: http://www.advancedpentest.com/