Jorge Orchilles, Offensive Security Tools: Providing Value with the C2 Matrix | KringleCon 2020

Captions
Hello everyone, and welcome to my talk on offensive security tools: providing value with the C2 Matrix. My name is Jorge Orchilles and I'm so excited to be here. First off, I have to thank Santa. Santa called me, he invited me up to the North Pole, and I'm originally from Venezuela, which is a Caribbean country, so it's generally very warm. I now live in Miami, which is still very warm, about 90-95 degrees Fahrenheit every day, and I came up on very short notice, didn't even have time to get the right clothes. So you see me here wearing our trademark unicorn shirt, very purple, because I'm bringing all purple over to Santa this holiday season. I know it's all about the red and green, but I'm all about the purple. So let's get to it.

Who am I? My name is Jorge Orchilles, I'm the Chief Technology Officer at SCYTHE, and I've been doing offensive security for a number of years. I led the offensive security team at Citigroup for 10 of those years. Before then I was a system admin, and I wrote a book on Windows 7, an operating system you should not be using today. When I finished doing system admin stuff I worked in a security operations center, then I went to the dark side to work on the offensive side. I started doing vulnerability assessment, then built out a penetration testing team, then a red team, and then a purple team function, which is what we're going to talk about today.

So, the evolution of offensive security. This is really how I personally went through this journey in the last 10 or so years. I've also talked to a lot of people, as I'm a SANS instructor as well, so I get to talk to a lot of people that are building out these offensive security programs, and more or less they go something like this. You start with vulnerability scanning, where you run a Nessus or a Rapid7 against a number of IPs and web apps, and then you get this really long report. After that you have someone that goes through that report; that's called the vulnerability assessment. You do risk rating. I did a lot of work with that: I was part of the Common Vulnerability Scoring System working group, so we released version 3 and 3.1, which is the current one. Then we got to a point where we were exploiting vulnerabilities. That was a lot of fun; that was pen testing. Then we noticed that you don't just test technology, you test people and process too, and there we built out the red team. From the red team we realized that doing all these zero-knowledge engagements all the time wasn't bringing the most value, because a lot of things weren't being fixed, so we built out a purple team function. And then lastly we realized that individual TTPs by themselves don't really say much; you really have to create attack chains, and that's when we started doing adversary emulation. Anything I reference, you'll see links here. This was a blog post I did on that journey, if you want to read a little bit more about it.

So offensive security was always, and should always be, about providing value, right? Every assessment you do has a number of different objectives, you have a scope, you have rules of engagement, but at the end of the day the reason that you were hired, whether you're an internal team or a consultant, was to bring value. Sure, some of you were hired to check off that box, right, that compliance, but you're still providing some value. So something that occurred to us about six years ago: exploitation is very valuable. We like doing exploitation, we like finding 0-days and reporting them to vendors responsibly, maybe through bug bounty, make a little money, and those vulnerabilities get fixed. That's awesome, super valuable, super fun. But I remember clearly, all the way back in 2011, I was taking SANS Security 560 with Ed Skoudis. It was CTF day, day six, and I was just trying to exploit everything, but in that CTF you really only exploit maybe one host. That's when Ed saw that I was stuck, and he came by and he told me: it is not all about exploitation. I looked at him and I kept trying to Metasploit my way through this CTF, but then I realized, and it took me a couple of years to realize, that indeed it's not all about exploitation. Exploitation is important, but there's more to it.

A perfect example is MITRE. I'm sure all of you have heard of MITRE. MITRE has CVE, Common Vulnerabilities and Exposures, right? If you find a vulnerability, awesome, good job, report it. You either get your CVE, or generally you tell the vendor, the vendor that has this vulnerability will create a patch, and then they create a CVE. Awesome, that's its own portal, cve.mitre.org. But then they have this other thing now, I'm sure you've heard about it, called ATT&CK, Adversarial Tactics, Techniques, and Common Knowledge, and this is more about behaviors. The best way I can show you this is that with CVEs we get thousands of them every year, while in ATT&CK we have techniques and sub-techniques, and I actually counted them: there are 525 techniques and sub-techniques and the 12 or so tactics. And if you do a search for the word "exploit", it's only referenced in nine of these techniques and sub-techniques, meaning that there's a lot of adversary behavior that does not rely on exploits.

Another method of focusing, and really giving value in your assessments, is working under an assumed breach method or mode. Santa told me, I was talking to him when I got up here, that they operate in assumed breach mode. They know they're going to be compromised, right? If you've been to any of the KringleCons you know very well what can happen, and many organizations are starting to work under this mode as well. Pretty much what that means is that everyone will be compromised at some point. That's just the way it is; it's going to happen. Maybe a patch is not going to be applied in time and it's going to get exploited, maybe a user will fall for a phishing campaign, but it's going to happen. So that mode is very important, and it's very important when we do our assessments as well, because what happens next is what matters. Once someone gets in, what happens next? Will you get detected?

So one of the methods that we found to bring the most value while doing offensive security is through purple team, and these, unlike red team engagements, are full-knowledge exercises. A purple team is actually a virtual team; it's a functional team where you have multiple teams working together. You have your cyber threat intelligence team, you have your red team, and you have your blue team. We've released a free public framework for this called the Purple Team Exercise Framework. The link is down there, and of course you can go and download it right now and implement this, but let me tell you why.

First of all, cyber threat intelligence is very important for your organization. Some organizations have internal cyber threat intelligence teams, some have external, but many people think that this is only about indicators of compromise, oh, this bad domain or this bad IP. But it's not; it's a lot more. It's more about adversary behaviors, which is what we want to talk about. So a cyber threat intelligence analyst, working for a company or as a vendor or consultant, needs to understand the target organization. They need to identify adversaries that are likely to attack that organization, then gather threat intelligence about that particular adversary, extract the TTPs, those are tactics, techniques, and procedures, or the adversary behaviors if you will, then analyze and organize this information, create a plan, and then you emulate the adversary. Now you can do this from a red team perspective, where the blue team doesn't know about it, or you can do it as a purple team.

Now who's the red team? They are the offensive team, right? And I love the Red Team Journal; they're back, follow them on Twitter, redteamjournal.com. They have the definition that red teaming is the practice of looking at a problem or situation from the perspective of an adversary, but really what we're doing is testing, measuring, and improving business value, people, process, and technology: not only vulnerabilities in tech but vulnerabilities in people and processes as well.

Who are the blue team? Well, the blue team are the defenders. Now you don't go and look up "blue team" and find a job as a blue teamer. Blue teamers are a lot of people, right? There's a lot of defenders, from security operations analysts to managed security service providers, detection engineers, incident response, forensics. There's a lot of people that fall into this and they're great; we love our defenders, they do a great job. Their main role is to detect and respond to attacks. Now, so far hopefully I've talked enough saying that prevention does not mean detection, right? At some point someone might get in, you didn't prevent them, now you have to detect them. How do you detect them? Well, in the simplest way possible, you need to log them. Log what they're doing, see what they're doing, get relevant logs, start locally, and then send those logs somewhere. Then, based on the logs that you receive, create alerts, alert people, follow a process, and then get to the response phase, where you actually respond, and you have process, people, and automation for that.

So what's the flow of a purple team engagement? First you all get together. There's a lot of planning that goes into it; read the framework if you want to know more about that. But once everyone's together, either in the same room or all through video like we are now, cyber threat intelligence presents the adversary, presents the tactics, techniques, and procedures and the technical details. Then the attendees have a tabletop discussion. This is a great discussion because you hear everyone's assumptions of things that will work and won't work. Then you have the red team actually emulate those TTPs, actually run those TTPs in the target environment while the blue team watches. Then the blue team goes and follows their process: they detect and respond to those TTPs, all while sharing their screen, so now the red team is learning how the blue team works. It's fantastic. Then you document your results, what worked, what didn't work. If you can, perform adjustments, then repeat the TTPs, and then go through and do this over and over. You can do this in a one-hour or two-hour exercise or a week-long exercise.

Of course, to emulate adversaries you need tools. That's where the C2 Matrix comes in. The C2 Matrix is a collaborative evaluation. It's really a Google Sheet, but there's a website called thec2matrix.com. There are 60 command and control frameworks that you have available to you. There's a lot; they're free, there are some that are paid for, and there's also a how-to that teaches you how to use any of these frameworks. And what we've done, in collaboration with SANS and Ryan O'Grady, shout out to Ryan, is we have created a virtual machine called the SANS Slingshot C2 Matrix Edition. The goal of this is to lower the learning curve for you: instead of having to install any of these, you get straight to testing. It comes with eight of these C2s already pre-installed, and then you can just use them. You can follow the how-tos on howto.c2matrix.com. You can set up things like Empire or PoshC2 or Covenant or Merlin or Sliver, all these awesome C2s.

And then you have to provide value. So this is an example of a six-week-long purple team exercise. We were actually hired to do the cyber threat intelligence, red team, blue team, and exercise coordinator, so we brought a big team in to this organization. We did an assumed breach scenario; that means that we ran everything internally. We did not focus on phishing or exploitation. We started on a system and we emulated a variety of different APTs, from Russian to Iranian to Chinese, and we tracked this. We used VECTR, and that's what you can see here on the right. As you can see, the results weren't too, too pretty. We tested 65 unique TTPs and only three of those were detected, while one of them was blocked. All of the others were not detected, meaning that if this adversary would have gone and targeted this organization, they would have achieved their objective without being detected. After these six weeks, we didn't spend any money on technology; we only tuned what was already available. We enabled telemetry through Sysmon, we created logic and alerts on their SIEM, and at the end we didn't get to 100, right, this isn't bingo, but we had a 64% detection rate. That means that if any of these adversaries would have gotten onto this target system, they would have been detected and responded to before they reached their objective. And we did that using a tool called VECTR. VECTR is free and it's for tracking, measuring, and showing the value of your red and purple team engagements. I highly encourage you to check that out. It also comes as part of the SANS Slingshot C2 Matrix Edition, so you get eight command and control frameworks and you also get VECTR for tracking. Also use the how-to, because there we show you how to use everything.

So with that I want to thank you all. I hope you have an amazing Holiday Hack Challenge 2020; we're going to wrap up this year in the best way possible. And again, thank you to Santa for inviting me up here, thank you for giving me a warm room to present from, because it is cold out there in the North Pole. So again, thank you. Feedback is always welcome, and I hope you have a great holiday season. We'll catch you soon.

[Music]
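The talk's closing point is that a per-TTP number (3 of 65 detected before tuning, 64% after) only tells part of the story: what matters is whether the emulated adversary is detected and responded to before it reaches its objective, and individual TTPs only mean something once they are strung into attack chains. The following is an added example and is not code from the talk, from VECTR or from SCYTHE. It is a small Python tracker over a constructed scenario (the adversary names, ATT&CK IDs and outcomes below are made up for illustration, not the engagement results in the talk) that computes the usual per-TTP detection rate side by side with a chain-level "stopped before objective" figure and lists which tactics have the most detection gaps, which is where telemetry and SIEM logic would be tuned next. Note that "logged but never alerted on" deliberately counts as not detected, matching the speaker's distinction between logging, alerting and response.

```python
"""Purple-team outcome tracker: an added example, not code from the talk,
VECTR or SCYTHE.  All chains, ATT&CK IDs and outcomes here are constructed."""
from collections import Counter
from dataclasses import dataclass
from enum import IntEnum


class Outcome(IntEnum):
    """What the blue team observed for one emulated TTP, worst to best."""
    NOT_LOGGED = 0  # no telemetry at all
    LOGGED = 1      # telemetry exists (locally or in the SIEM) but no alert fired
    ALERTED = 2     # an alert fired and an analyst followed the process
    BLOCKED = 3     # prevented outright


@dataclass(frozen=True)
class TtpResult:
    technique_id: str  # ATT&CK technique or sub-technique ID
    tactic: str
    outcome: Outcome


@dataclass(frozen=True)
class Chain:
    adversary: str
    steps: tuple  # TtpResults in execution order; the last step is the objective


def is_detected(step: TtpResult) -> bool:
    """Detected in the talk's sense: someone was alerted and responded, or the
    step was blocked.  A merely logged TTP does not count."""
    return step.outcome >= Outcome.ALERTED


def ttp_detection_rate(chains) -> float:
    """Per-TTP rate, the number usually reported (e.g. 3 of 65 detected)."""
    steps = [s for c in chains for s in c.steps]
    return sum(is_detected(s) for s in steps) / len(steps)


def stopped_before_objective(chain: Chain) -> bool:
    """Chain-level view: was any step before the objective detected or blocked?
    An alert on the final step alone (the exfil or the encryption) is too late."""
    return any(is_detected(s) for s in chain.steps[:-1])


def chain_coverage(chains) -> float:
    """Fraction of emulated adversaries stopped before reaching their objective."""
    return sum(stopped_before_objective(c) for c in chains) / len(chains)


def gaps_by_tactic(chains):
    """Undetected TTPs per tactic, biggest gaps first: where to tune next."""
    counts = Counter(s.tactic for c in chains for s in c.steps if not is_detected(s))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def _chain(name, *rows):
    return Chain(name, tuple(TtpResult(t, tac, o) for t, tac, o in rows))


# Constructed results before tuning: the only alert fires on an objective step.
BEFORE_TUNING = (
    _chain("constructed adversary 1",
           ("T1059.001", "execution", Outcome.NOT_LOGGED),
           ("T1082", "discovery", Outcome.LOGGED),
           ("T1003.001", "credential-access", Outcome.NOT_LOGGED),
           ("T1021.002", "lateral-movement", Outcome.NOT_LOGGED),
           ("T1041", "exfiltration", Outcome.NOT_LOGGED)),
    _chain("constructed adversary 2",
           ("T1547.001", "persistence", Outcome.NOT_LOGGED),
           ("T1087.002", "discovery", Outcome.NOT_LOGGED),
           ("T1105", "command-and-control", Outcome.LOGGED),
           ("T1053.005", "execution", Outcome.NOT_LOGGED),
           ("T1486", "impact", Outcome.ALERTED)),
)

# Constructed results after enabling endpoint telemetry and adding SIEM alerts.
AFTER_TUNING = (
    _chain("constructed adversary 1",
           ("T1059.001", "execution", Outcome.ALERTED),
           ("T1082", "discovery", Outcome.LOGGED),
           ("T1003.001", "credential-access", Outcome.ALERTED),
           ("T1021.002", "lateral-movement", Outcome.ALERTED),
           ("T1041", "exfiltration", Outcome.LOGGED)),
    _chain("constructed adversary 2",
           ("T1547.001", "persistence", Outcome.ALERTED),
           ("T1087.002", "discovery", Outcome.LOGGED),
           ("T1105", "command-and-control", Outcome.LOGGED),
           ("T1053.005", "execution", Outcome.ALERTED),
           ("T1486", "impact", Outcome.ALERTED)),
)

if __name__ == "__main__":
    for label, chains in (("before", BEFORE_TUNING), ("after", AFTER_TUNING)):
        print(label, "per-TTP:", ttp_detection_rate(chains),
              "chains stopped:", chain_coverage(chains),
              "gaps:", gaps_by_tactic(chains)[:3])
```

In the constructed "before" data the per-TTP rate is 10% yet no chain is stopped, because the single alert is on the objective itself; after tuning the per-TTP rate is 60% while every chain is caught earlier. Reporting both figures, plus the per-tactic gap list, is what lets the exercise steer the next round of telemetry and SIEM tuning rather than just quote a percentage.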
Info
Channel: KringleCon
Views: 671
Rating: 4.8461537 out of 5
Keywords: Holiday Hack Challenge, KringleCon, SANS, InfoSec, CTFs, CyberSecurity, Cyber Security
Id: CcteG3Z2nCU
Length: 14min 48sec (888 seconds)
Published: Wed Dec 09 2020