David Tomaschik, Red Teaming: Why Organizations Hack Themselves | KringleCon 2020

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

hi everyone and welcome to my cringlecon 3 talk red teaming why organizations hack themselves i'm david tomaszek i'm a senior security engineer on the google red team and i'm going to be talking a little bit about why we do red teaming and how we go about the approach of conducting a red team exercise before we dive in i'd like to cover a quick disclaimer that the opinions stated here are my own and not those of my company the scenario described is entirely hypothetical and does not reflect any real world events a little obligatory about me as i said before i'm senior security engineer at google i'm a tech lead on the offensive security team i'm also a security researcher and a ctf player uh there's my twitter and blog if you're interested in finding out more i will also have a copy of the slides up on my blog once this goes live so what is offensive security well offensive security is basically using adversarial techniques to test security controls sometimes you'll hear it called ethical hacking it's at least legal hacking it's a spectrum of activity ranging from penetration testing to red teaming it's authorized by the organization that is under attack in the case of uh a internal red team it would be authorized by your employer it's also done as consulting where you're hired by a company to come in and perform these attacks in either case it's done with authorization of the target so red teaming in particular is a business objective driven approach to offensive security it's attempting to test the entire cyber kill chain but through adversary emulation and what i mean by the cyber kill chain is what we have here on the right and it's the steps that generally any adversary whether simulated or real world will have to go through in order to successfully compromise an organization and it starts with reconnaissance and goes all the way until they have action on their target right which is actually conducting whatever it is you were trying to do whether it's stealing some data or modifying some data or performing some other business relevant action within the target organization and we'll go through each of these steps using an example of how we go about conducting a red team exercise there's a reason why we conduct red teaming it's mostly done to do what we call challenging assumptions which is where you think that you have adequate security or you think that you have security controls in place but it's to try to identify those gaps between how they were designed and how they are implemented right discover maybe misconfigurations or unexpected approaches to bypass security controls you might find exposed back ends that no one knew about or something like that that allows you to completely bypass the security controls it's also important in that it allows you to test your detection and response capabilities as an organization so your red team or your red teaming partner is the only adversary you'll be able to compare notes with whenever you get breached by a real adversary there's no way to know what you missed whereas when conducting a red team you can go back and compare notes between the red and blue teams to discover whether were there any hosts that the blue team missed you taking action on was there any um you know things that should have been signaled that weren't signaled in the case of the exercise so these are all these blind spots that you can find by comparing notes and finding out what additional signals need to be added what different actions should be taken on those uh signals how does the cleanup work digit the blue team send signals to the adversary when they were caught so there's a variety of different lessons that can come out of conducting an offensive security exercise so how do we go about running one of these exercises well i said we'd go through the various phases and the first thing we have to do is we have to figure out who our actor and our objective are right like what is it that someone is trying to do and who is it that is trying to do that so you might have a cyber crime group stealing credit card data a business competitor stealing intellectual property a nation state accessing the email of dissidents activists defacing a popular page or even the evil grinch stealing christmas lists in any of these we have an actor that is trying to perform an objective that is relevant to your organization right any of those objectives are things that are going to reputationally financially physically harm your organization so we have this fictional organization we'll be doing some red teaming for called spacely sprockets and our simulated adversary will be cogswell's cogs they're well resourced but they're not at the level of an intelligence agency they have access to commercial tools they would have access to research and would have professionals working on this but would not have access to a variety of oda and browsers or in operating systems they're very interested in not being caught because our adversary would be committing a crime so we are wanting to keep a very low profile as we go through the exercise their objective is to steal intellectual property in this particular case they are interested in stealing the new series 2021 sprocket as well as a list of top customers so then maybe they could make something similar to the 2021 sprocket and sell it to our top customers before we actually start engaging though we need to write the rules of engagement which define what we can and can't do in other words it limits the team's action we need to identify a scope which is the hosts and networks that can be targeted we need to determine whether or not we have limits on social engineering whether physical attacks are allowed or not and we need to ensure that we're respecting our users whether that's customers or users internal to the organization they do have a right to privacy and we need to conduct our exercise in a way that protects their right to privacy so we do put together a list of these constraints and what we can and can't do and get both our leadership and our legal team to sign off rules of engagement can be either on a per exercise basis or you can have standing rules of engagement if you have an internal team that's going to be conducting red team exercises on a regular basis that cover all of your red team exercises so reconnaissance is about getting information about your target and reconnaissance can be either passive or active passive reconnaissance is when you don't send any traffic to your target immediately there's nothing that's going to alert them that an exercise is being conducted or that an attack is being conducted that focuses on them right and that can include things like reading job listings which maybe list specific technologies that they expect familiarity with that ex list specific skills that they expect uh new employees to have these can tell you a lot about their internal tech stack looking for news articles you'll find posts that say you know this technology has just been adopted by the by a company or something like that and that'll tell you about their internal tech stack and also looking for employees posting to support forms it's amazing what you can find by looking at support forums at public mailing lists things like that where employees may have disclosed information also sometimes employees personal github repositories sometimes people will check in configuration files or even more sensitive information like cookies or credentials into a personal github repository that's publicly exposed which can obviously help you conduct your red team exercise on the other hand we have active options which include things like performing port scans brute forcing credentials uh interacting with web servers to try to find vulnerabilities in them performing sql injection attacks all kinds of active reconnaissance steps to try to find out about the environment that you're operating in but all of these have an element of risk associated with getting caught so if you're trying to be quiet about your attacks these active options tend to be more noticeable to your target environment and so are things that you want to either limit the scope of or conduct it from separate infrastructure than you're going to use for your actual attacks or some other ways separate it from your active phase of your exercise so that the reconnaissance isn't attributable back to your threat actor in the case of spacely sprockets we can do something called dns enumeration to find out about their mail server their vpn and this is just a case where we take common subdomains and try to perform dns lookups and we find out which ones actually point to real hosts and so that allows us to have an idea of what their infrastructure looks like from the very get-go just by guessing some of their domain names additionally by looking at support mailing lists and other information we can find out that they're running their support portal on support force 14.1 and that they're getting a particular error when they're trying to run it now the error itself isn't that interesting to us but what is interesting is that in the error message they've quoted they tell us the host name where it's running and give us more information about where our target is right so if we know that there's some vulnerabilities in support force 14.1 for example then we could target this particular server with those vulnerabilities so the very next step we want to do is we want to gain some initial access to the target environment and there's a bunch of different ways you can go about that one of the most common ways for an attack to take place is through fishing it can be for fishing for username and password or fishing with maybe a malicious attachment but some form of phishing is very commonly used in breaching organizations and this is why for example two-factor can be a very important step in a security boundary because it makes phishing for the username and password a more difficult task for an attacker can also potentially compromise an internet-facing server like i mentioned if we knew of a vulnerability in their support portal perhaps we could use that as an initial foothold maybe we can email them a malicious attachment to a document that when macros are enabled does something on their workstation and gives us some level of access it could potentially drop a flash drive or something that looks like a flash drive in the parking lot and hope they pick it up and plug it in fans of the tv show mr robot might be familiar with this particular style of attack and on the right we in fact have a product from hack five called the usb rubber ducky which is a very very well known tool for conducting these kind of attacks it's a small microcontroller that looks like a flash drive in terms of physical form factor but in fact pretends to be a keyboard when you plug it in so it can type in arbitrary things which can do things like run a command or browse to a web page or any number of other things as if you were controlling their computer another possibility is to bribe an insider it's a little less commonly done in terms of red team exercises but is a real world scenario where an insider might be subject to some form of coercion whether financial or other coercion to get them to perform an action like executing something on their work computer to give you an initial foothold if you do decide to go that way out in an exercise do be sensitive of how you do it usually that's something we could would do as a simulated uh initial foothold where the insider would be someone who's volunteered to work with us we're not going to try to coerce our own employees because that does not it's not an effective way to build trust between the security team and the rest of the organization so how do we get initial access on spacely sprockets well one possible way is to send an email to support that links to a clone of the support site login page right we know where their support site is so we can just clone the login page and we can capture their username and password and this is of course a form of credential phishing and then maybe we can use that combined with the remote access or vpn server that we found earlier to log in and even get a remote desktop session on the support agents workstation so at this point we have a remote capability into a workstation within their environment using their credentials so now we need to move on to establishing a command and control mechanism right sometimes you'll hear this called c2 and what that is is it allows the remote access to your target systems it's usually intended to obfuscate the traffic so it's not easily detected it can either be a custom tool or you can use existing or legitimate tools such as the remote desktop protocol or secure shell maybe just add an ssh each key of your own as a back door to allow you access uh into the system so there's a couple of different ways you can establish your command and control of the target environment um and the way we'll choose for spacely sprockets uh is we'll actually use a tool called metasploit if anyone has much familiarity with penetration testing or for example the oscp certification you've probably gotten very familiar with metasploit and we'll establish a connection from our environment back to the red team server so this appears as an outbound connection so it's less suspicious than attempting to get something in through the firewall most corporate firewalls are fairly permissive in what they allow going outbound and what metasploit gives us the capability to do is to do things like run commands on the remote system transfer files to and from the remote system dump credentials that are saved on our target system and also even route our network traffic through the metasploit implant so that other attacks we conduct seem to be coming from within their network instead of coming from the internet so this gives us a lot of different capabilities that puts us in a much stronger position than we were when we were outside of the network the next thing we need to do is we need to do movement within the network you may also hear this described as lateral movement basically the machine that you initially compromise may not have access to what you're ultimately going for so in this case remember we want blueprints for uh the new series 2021 sprocket and a support engineer probably doesn't have access to that so there's a couple of different ways you can do it you can do it by compromising internal hosts using vulnerabilities present on those hosts we can try to reuse the credentials that we have either from our support engineer or from credentials saved on their host or we can try various mechanisms of transitive trust which is when one host implicitly trusts traffic coming from another host so this can include things like moving within a windows domain for example you might have login privileges on another host that you can use to remotely gain access to that other host in the particular case of spacely sprockets what we're going to do is use access to a support representation the support reps workstation which doesn't have the access to the data we want but we will upload metasploit again to the file server and ask the internal it staff to help with an issue what this will do is potentially get them to execute that tool for us and we can gain a session running as their internal help desk and once we have that we can use the help desk privileges to create a new account and grant ourselves access to all the servers within their domain so by compromising the support rep we've then used them to compromise it staff which we're then using to give ourselves more privileges and allow ourselves to move across their entire organization finally we're moving on to action on objectives and that's when we actually want to do our final um you know final task that we're trying to do in order to consider our exercises success very often that's about accessing or modifying data or systems so exfiltrating sensitive data modifying records knocking systems offline adding long-term access any number of these can be your final objective most of the time that i have been engaged in red teaming it's exfiltrating some sort of sensitive data whether it's data about users data about corporate records whatever it may be but there's this data that's held and is of interest to the adversary and in the case of spacely sprockets we again want the blueprints for the new series 2021 sprocket so what we want to do is access the file server that we've granted ourselves access to and archive product designs archive customer lists right we you can extract those as like a zip file or some other form of archive and then first we'll copy the data back to the support individuals computer the support engineer computer because what we don't want is we don't want a whole bunch of traffic from the file server going directly to the internet that might look suspicious whereas traffic from a workstation to the internet is a lot less likely to look suspicious so we'll copy it back first to an intermediate host and then we will slowly upload the data to the server on the internet and we'll do that in an encrypted fashion and there's several different reasons for doing it encrypted first of all it prevents any data loss protection systems from triggering on the data any dlp systems secondly it does because this is an exercise one of the things we need to do is protect the data that we are touching so uploading it encrypted protects the data because we do have an interest in keeping it secret and finally uh it does better match the ttps the tactics techniques and procedures of known adversaries so uploading in an encrypted format has several benefits to us in a red team exercise we also will conduct the upload slowly because we want to reduce the likelihood that any sort of network level detections take note of a sudden spike in outbound traffic from this host so trickling it slowly though it may feel may feel difficult waiting for that time for it to finish is actually something that would make it more likely that you're successful in your exercise so once you've completed an exercise all you've done at that point is found some issues you haven't actually improved the security posture of your organization and at the end of the day as a security professional it's my job to improve the security posture of the organization that i'm working in and so that's where impact comes in right we need to do something with our findings where we actually get the security posture to a higher level where we're able to make our organization more secure and better able to withstand attacks like the one we've simulated and so one of the first steps in our process here is actually reporting on the uh exercise that we've just conducted and quite frankly communication skills are one of the most underrated security skills at the end of the day your reports are going to be read by a wide audience that will include other security professionals i.t staff software developers physical security potentially your leadership that is vps and csos and everything like that and even lawyers are going to be interested in this sort of thing because they need to know what kind of liabilities might have existed if there was a data breach it can help them to inform future exercises and the rules of engagement there so there's a wide spectrum of roles that will be involved in reading your report so you need to write something that is clear that is digestible that doesn't assume underlying security knowledge so basically figuring out how to communicate with all of these other different groups in a written report is actually a critical skill for red team operators you also need to produce actionable results you can't just say oh it's all broken and leave it there you need to be able to suggest fixes that make the situation better if you just say that the situation is broken and full of flaws then that's not going to get into a great position you don't necessarily have to describe the implementation of all of the fixes but you should describe what the ideal state is so i've got some examples in the spacely sprockets case in a moment because i know this is a little bit of a nebulous point here you can also advise on hardening measures right like some things may not be possible to completely prevent but you can make it more difficult for an adversary to do it anything that increases the cost to the adversary makes that a less likely attack path you can also start to suggest things that improve detection while prevention is better than detection our detection and response teams are a critical part of our security posture and so coming up with new things that they can detect such as exfiltration of large quantities of data would be something that you can make recommendations to so what recommendations might we have from spacely sprockets well for one i would strongly suggest that they use two-factor authentication particularly if they use physical security tokens like uh ubiko's security keys or any other universal two-factor format security token would make it a lot harder to fish them you wouldn't be able to just get a username and password and get directly into their system you'd need to come up with another approach to gain that initial access so that would have made the perimeter much harder to breach also scanning the file server for malware in the case of spacely sprockets right metasploit is something that will commonly be flagged as malware even though it also has legitimate uses such as in a red team so scanning the file server and finding those instances would be useful whenever someone uploads a new file detecting large file copies to workstations right we exfiltrated all the data through the workstation if it's not normal for a support reps workstation to be pulling gigabytes and gigabytes of data from the file server all at once then that's something that's an anomaly that is worth looking at it's not always going to be malicious but that's why you have incident responders that's why you have a security operations center to take a look at these things and determine is it malicious or is it in fact a benign event and finally the fact that compromising one support tech was adequate to create a new account suggesting that it takes two people to actually create new accounts means that you've raised the bar significantly for an attacker yes an attacker could still just compromise two support texts but it gives you longer time to detect the attack it gives you a higher likelihood of detection when you have to compromise the two individuals instead of just one so requiring two texts to create new accounts has a small cost to the business in terms of time for new account creation but it also has big benefits in preventing the creation of rogue accounts within the organization so that's all we've really got time for uh i do want to suggest um some resources here uh this is my twitter my blog um i've got uh the slides that i've used for this actually from a previous incarnation of this talk and notes up here and a reading list for those who are interested in getting into the red teaming space as well as a great book that is about the practice of red teaming not super technical but is about why red teaming exists the history and how it is used today by organizations uh and i think it's a wonderful resource as well i want to thank sans uh and the holiday hack challenge for letting me speak for a little bit and bring this presentation to you encourage everyone to play holiday hack challenge if you don't know it is hosted on google cloud platform so i could highly recommend checking it out and giving it a try the challenges are always fantastic and a lot of fun and finally thanks to all of you who have attended this talk and i hope that you found something about it useful informative entertaining um and please you know reach out to me via twitter or other means to provide any feedback that you might have and thank you very much [Music]

Info

Channel: KringleCon

Views: 930

Rating: 5 out of 5

Keywords: Holiday Hack Challenge, KringleCon, SANS, InfoSec, CTFs, CyberSecurity, Cyber Security

Id: 2ejR8ITe_uA

Channel Id: undefined

Length: 26min 13sec (1573 seconds)

Published: Wed Dec 09 2020