CYBER AGGRESSORS A CONCEPT OF OPERATIONS

Page 1: Cyber Aggressors

CYBER AGGRESSORS: A CONCEPT OF OPERATIONS

Page 2: Cyber Aggressors

Quick Introduction

• Raphael Mudge, Strategic Cyber LLC
  – [email protected]

• I develop Cobalt Strike
  – http://www.advancedpentest.com/

• Would you like to try Cobalt Strike?
  – I have DVDs with a complete hacking lab on them
  – Ask for one. They’re fun.

Page 3: Cyber Aggressors

Overview

• My Back Story
• Pen Testing vs. Red Team vs. Aggressor
• What is an Aggressor?
• From Red Team to Aggressor

Page 4: Cyber Aggressors

Rochester, NY (March 2008)

Page 5: Cyber Aggressors

Personal Detour

Page 6: Cyber Aggressors

Armitage

Page 7: Cyber Aggressors

Red Team Collaboration

Page 8: Cyber Aggressors

And… Automation

Page 9: Cyber Aggressors

Red Team Support to DoD Agency

Page 10: Cyber Aggressors

How To Get a Foothold

1. Map client-side attack surface
2. Create Virtual Machine for testing purposes
3. Use Virtual Machine to select best attack
4. Configure and disguise the attack
5. Email attack package to victim

Page 11: Cyber Aggressors

How To Get a Foothold

1. Map client-side attack surface
2. Create Virtual Machine for testing purposes
3. Use Virtual Machine to select best attack
4. Configure and disguise the attack
5. Email attack package to victim

Page 12: Cyber Aggressors

Metasploit’s Tactical Gaps

• Attacks are caught by anti-virus
• Limited options to egress a network
  – HTTP, HTTPS, TCP, TCP – All Ports

• Meterpreter
  – Communicates with one C&C endpoint
  – Requires active channel or session dies
  – Non-obfuscated staging process (fixed April 2013)

Page 13: Cyber Aggressors

Metasploit’s Tactical Gaps

Page 14: Cyber Aggressors

Cobalt Strike

Page 15: Cyber Aggressors

Augment the Metasploit Framework

• Artifacts that get past anti-virus
• Social Engineering Workflow
• Beacon Payload
  – C&C over DNS, HTTP, and SMB Named Pipes
  – Uses redirectors, calls home to multiple systems
  – Low and Slow “asynchronous” C&C

• Post-Exploitation Emphasis
  – e.g., browser pivoting to get past 2FA

Page 16: Cyber Aggressors

Static Defenses

Page 17: Cyber Aggressors

Static Defenses

Page 18: Cyber Aggressors

Roles

• Penetration Tester
• Red Team
• Aggressor

Page 19: Cyber Aggressors

Roles (What)

• Penetration Tester
  – Exploit Security Holes

• Red Team
  – Simulate an Attack

• Aggressor
  – Replicate an Imminent Threat

Page 20: Cyber Aggressors

Roles (Why)

• Penetration Tester
  – Find and verify vulnerabilities

• Red Team
  – Exercise Security Controls

• Aggressor
  – Exercise Intelligence Support to CND

Page 21: Cyber Aggressors
Page 22: Cyber Aggressors

Vietnam War

2.2:1

Page 23: Cyber Aggressors

Continued…

• Project Red Baron II
  – Pilot’s chance of survival increases after 10 missions
  – Led to USAF’s Red Flag Exercise in 1975 *

• Red Flag Exercise
  – Fly 10 combat missions against…
  – dissimilar aircraft (flown by Aggressors)

* US NAVY founded TOPGUN in 1969 to address training gap after heavy losses during Operation Rolling Thunder.

Page 24: Cyber Aggressors

Aggressors

• Selected from top pilots
• Trained to use enemies’ TTPs
• Flew American aircraft!

Page 25: Cyber Aggressors

Aggressor Platform

• American aircraft with similar profile
• Painted with adversary’s colors

Page 26: Cyber Aggressors

What is a Cyber Aggressor?

• Selected from top red operators
• Trained to use enemies’ TTPs
• Uses platform with enemy’s capabilities

Page 27: Cyber Aggressors

Cyber Aggressor Platform

• Standard Platform
• Gets past static defenses
• Extensible for mission needs
• Customizable Indicators

Page 28: Cyber Aggressors

Customizable Indicators

• On Disk
  – Add static strings to EXE and DLL artifacts
  – Drop persistence to same location, use same registry key

Page 29: Cyber Aggressors

Customizable Indicators

• On Network
  – Limit C&C Protocols to what adversary uses
  – Customize C&C with indicators to look like actor

Page 30: Cyber Aggressors

Beacon as a Communication Layer

Page 31: Cyber Aggressors

Communication Profiles

• Start a Cobalt Strike team server with a profile
• Profile is compiled and hot-patched into Beacon agent and server
• Communication through Beacon follows profile

Page 32: Cyber Aggressors

Communication Profiles

• To replicate Comment Crew:
  – Restrict Beacon to its HTTP channel
  – Load profile that:
    • Base64 encodes data
    • <html>Pads data with dummy HTML</html>
    • <!-- Wraps data in an HTML comment -->
  – Tunnel Tools through Beacon
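A defender-side check built from the profile described on this slide, added here as an example that is not part of the original deck or of Cobalt Strike: it pulls HTML comments out of an HTTP response body and flags those that consist of a single base64 blob decoding to non-trivial data. The sample bodies, the payload bytes and the length and entropy thresholds are constructed assumptions.

```python
import base64
import binascii
import math
import re
from typing import List, Optional, Tuple

# Constructed sample bodies (not captured traffic). SUSPECT_BODY mimics the
# profile on the slide: a base64 blob padded with dummy HTML and wrapped in
# an HTML comment. BENIGN_BODY carries only an ordinary build comment.
_PAYLOAD = bytes(range(48))          # stand-in for tasking data (constructed)
SUSPECT_BODY = (
    "<html><head><title>Welcome</title></head><body>\n"
    "<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</p>\n"
    "<!-- " + base64.b64encode(_PAYLOAD).decode("ascii") + " -->\n"
    "</body></html>"
)
BENIGN_BODY = "<html><!-- generated by CMS build 2013.04 --><body>hi</body></html>"

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the decoded data; encrypted or packed data runs high."""
    if not data:
        return 0.0
    counts = {b: data.count(b) for b in set(data)}
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def decode_if_base64_blob(text: str, min_len: int = 32) -> Optional[bytes]:
    """Return decoded bytes when text (ignoring whitespace) is one base64 blob."""
    compact = "".join(text.split())
    if len(compact) < min_len or len(compact) % 4 or not B64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def flag_comment_carried_data(body: str, min_entropy: float = 3.0) -> List[Tuple[str, int, float]]:
    """(comment, decoded_length, entropy) for each comment that is a base64 blob
    decoding to non-trivial data: the pattern the slide's profile produces."""
    hits = []
    for comment in COMMENT_RE.findall(body):
        decoded = decode_if_base64_blob(comment)
        if decoded is not None:
            ent = shannon_entropy(decoded)
            if ent >= min_entropy:
                hits.append((comment.strip(), len(decoded), round(ent, 2)))
    return hits
```

Run over response bodies from a proxy or IDS export; a hit is a lead to correlate with the other indicators on the following slides, not a verdict on its own.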

Page 33: Cyber Aggressors

Red Team: Security Controls

• What did you see?
• What did the adversary take?
• Which systems is the adversary on?
• Which accounts are compromised?
• Where is the adversary’s C&C?

Page 34: Cyber Aggressors

Aggressor: Intelligence and CND

• Who is attacking us?
• What do they want?
• What will they go after next?
• Which indicators match known profile?
• Which indicators are new?
• What other indicators may we look at?

Page 35: Cyber Aggressors

Summary

• My Back Story
• Pen Testing vs. Red Team vs. Aggressor
• What is an Aggressor?
• From Red Team to Aggressor

Page 36: Cyber Aggressors

Questions

• Email: [email protected]
• Twitter: @armitagehacker
• WWW: http://www.advancedpentest.com/