defending your network by attacking it! - montreat college · 2017-10-17 · pen testing… rut(?)...


Page 1

Defending Your Network… By Attacking It! The Many Shades of Red

Ed Skoudis

@edskoudis

Montreat RETR3AT Event

October 21, 2016

Page 3

Overview

• This is the “ASSESSMENT” portion of RETR3AT

• But my talk is about defending your network…

– ...and I’m an offensive guy

• ...so how to reconcile those facts?

• Eureka!

Defending Your Network…

By Attacking It!

Page 5

Assessment: The Many Shades of Red

Security Researchers

Auditors

Vuln Assessors

Pen Testers

Red Teamers

Adversary Simulators

Offensive Ops

Width: Approx # of Jobs

Depth: Relative Technical Complexity

Where do you fit? Where do you want to fit?

There is a WHOLE BIG BLUE aspect to this as well... more on that soon!

Page 6

Audits, Assessments, Pen Tests… Oh My

• Audit – measure against a standard spec

– Payment Card Industry Data Security Standard (PCI-DSS)

– ISO, ITIL, etc.

– Why? Compliance and due diligence

• Assessment – Search for vulnerabilities

– Why? To find flaws and eliminate them

• Penetration Test – Find vulns and try to exploit them

– Why? To better understand business risk and prioritize resources

Page 7

Pen Testing… Rut(?)

• Pen testing, as it is commonly understood, has a fixed time span, narrow scope, and a focus on finding vulns

– And exploiting them only as time is available

• In doing this, we sacrifice realism, stealth, depth, and understanding deep business implications

– And most importantly, determining whether Blue is ready to detect and respond to real-world attackers

Page 8

The Move Toward Red Teaming

• Engagements tend to be longer (instead of a 1-2 week pen test)

– Months or even continuously

• Often done without a fixed starting date / time

• Internal red teams tend to know the “lay of the land”

• Useful in determining changes of security stance over time

Page 9

Adversary Simulation

• Applying the Red Team deeply

– Face the Red Team against the Blue/Hunt Team

– Apply techniques used by real-world attackers

– Include surprise, stealth, lateral movement

• Focus on measuring detection and response

– Very useful… but can feel a bit “messy”

Page 10

The Foundations of Red vs. Blue

• Considering the evolution from Vuln Assessment to Red Team / Adversary Simulation, what’s the real purpose of Red?

– To help prioritize resources and heighten defenses

– To make Blue better

– This will help us provide more business value

Page 11

Metrics and Continuous Improvement

• To provide some structure, consider this process:

• Red discusses with Blue the general techniques they’ll use

– Spear phishing… something that nearly guarantees access

– Or, just assume compromise & pivot mercilessly

• Establish a time metric for Blue to detect

– 2 weeks of active infiltration & exfil sim as a first blush for an inexperienced Blue

• Establish a scope (fairly widespread)

• GO!

Page 12

Did Blue Detect Red in Time?

• No…

– Red helps explain to Blue what they did, and they brainstorm how to detect it better, faster, and in a more distributed fashion

– Red sharpens Blue

• No! But they detected a real bad guy – WIN!

• Yes!

– Blue then shows how it detected Red

– Tweak scope, enhance allowed Red techniques, lower timeframe (1 day)!

– Blue sharpens Red
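The process on the two slides above (agree techniques, set a detection window, run, then judge whether Blue detected Red in time and tighten the window) reduces to one metric: time-to-detect per Red action. The following is an added example, not code from the talk or from any tool it names; the action IDs, the sample dates and the mapping of Blue alerts to Red actions are all constructed, and in practice that mapping is agreed in the post-exercise debrief.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class RedAction:
    action_id: str      # hypothetical label agreed between Red and Blue
    technique: str      # e.g. "spear phishing", "lateral movement", "exfil sim"
    started: datetime   # when Red began the activity

@dataclass(frozen=True)
class BlueDetection:
    action_id: str      # the Red action this alert was matched to in the debrief
    detected: datetime  # when Blue raised the alert

def time_to_detect(actions, detections):
    """Per Red action, delay until Blue's earliest matching alert (None = never detected)."""
    earliest = {}
    for d in detections:
        if d.action_id not in earliest or d.detected < earliest[d.action_id]:
            earliest[d.action_id] = d.detected
    return {a.action_id: (earliest[a.action_id] - a.started) if a.action_id in earliest else None
            for a in actions}

def scorecard(actions, detections, window):
    """True where Blue detected the action within the agreed window (a timedelta)."""
    return {aid: (ttd is not None and ttd <= window)
            for aid, ttd in time_to_detect(actions, detections).items()}

def detected_in_time_ratio(card):
    """Fraction of Red actions Blue caught in time: the number to track round over round."""
    return sum(card.values()) / len(card) if card else 0.0

# Constructed sample exercise (not real data): a 2-week window for an inexperienced Blue.
T0 = datetime(2016, 10, 3)
RED_LOG = [
    RedAction("A1", "spear phishing", T0),
    RedAction("A2", "lateral movement", T0 + timedelta(days=3)),
    RedAction("A3", "exfil simulation", T0 + timedelta(days=9)),
]
BLUE_LOG = [
    BlueDetection("A2", T0 + timedelta(days=5, hours=6)),  # lateral movement caught ~2 days in
    BlueDetection("A3", T0 + timedelta(days=24)),          # exfil noticed, but 15 days after start
]
FIRST_ROUND = timedelta(days=14)

if __name__ == "__main__":
    card = scorecard(RED_LOG, BLUE_LOG, FIRST_ROUND)
    for aid, ok in card.items():
        print(aid, "detected in time" if ok else "missed or too slow: debrief and tune detection")
    print(f"{detected_in_time_ratio(card):.0%} of Red actions detected within {FIRST_ROUND.days} days")
```

Re-running `scorecard` with a one-day window is the "lower timeframe" step for the next round; an action that was detected in time at 14 days but not at 1 day is where Blue's next improvement should go.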

Page 13

Up-Front Planning: Why This Test?

• Discuss with pen testers and red teamers: Why are you doing this project?

– Compliance?

– Check the box?

– The big boss wants it?

– You want to be a good steward of your organization? Against which threats?

• Brainstorm in advance so they can model their work and describe their findings to better meet your needs

– Goal-Oriented Pen Testing – Thanks, @jabra!

WHY?

Page 14

Getting Started on the Right Foot

• For scoping and rules of engagement, pen testers should provide a thorough list of questions

– http://pen-testing.sans.org/resources/downloads

• Pen testers can also provide a sample report to help their customers understand what they’ll be getting

– Are there reporting options (perhaps lower cost)? Full report vs. Spreadsheet

Page 15

Include Client-Side Testing

• Client-side exploits: a dominant attack vector today

– Exploiting user action (click and/or run)

– Exploiting client-side software

• For a realistic assessment of your risk, please please please consider including both forms of client-side attacks in your scope

• If the customer leaves them out, the pen testers could rightfully mention this fact in their report

– “The scope of this test focused on XYZ, and did not include client-side testing”

Page 16

Help Target Organization Prioritize

• High, medium, low? That’s all I get? I need more!

• Of my high-risk findings, which should I do first? Second?

• Consider not just the risk, but the IMPACT and the LIKELIHOOD of occurrence

• Calculating CVSS scoring from scratch is complex and can be misleading… two axes is usually sufficient

Page 17

Reporting: Comparison to Similar Organizations

• Is our security stance the same as, better than, or worse than our peers?

– Similar mission / data?

– Similar size?

– Different departments in the same organization?

• Especially valuable input from in-house testers

• Letter grade versus Red-Yellow-Green versus Good-Better-Best…

Page 18

Include Positive Findings

• Surely we are doing something right

• Reinforce the positive… let me know what’s working well so I can reinforce that

• Also, a spoonful of sugar helps the medicine go down

Great job configuring your firewall, Ms. Poppins!

Page 19

Techniques for Verifying a Fix is In Place

• Provide a series of brief steps the customer can use to check a fix

– Suitable for ops people to conduct, or perhaps an in-house security person

• Hard to do for ALL findings, but at least for some of them, this can be a big help in providing extra value

– For patches and config changes, it’s usually relatively easy to test

– More complex findings (XSS, SQLi) may require formal retesting

Page 20

Communicate Using The Organization’s Risk Vernacular

• How does the organization conceptualize and verbalize risk?

– National Security impact?

– Money loss?

– Government oversight?

– Reputation impact?

• Don’t deliver silly FUD, but please provide an honest discussion of business risk in the customer’s terms

– SEO results worse?

– Less safety?

– Impact personal pride?

– Personal liability?

Page 21

Conclusions

• It used to be OUTLANDISH to say “I’m going to pay people to hack my stuff.”

– Now, pen testing and red team assessments are becoming a fundamental part of due diligence

• Think through the topics discussed at RETR3AT, considering how Red and Blue can sharpen each other

(Slide graphic: Red, Blue, SOMETHING AWESOME)

Red’s primary goal is to make Blue better. Never lose sight of that, Frodo!

Page 22

References

• Raphael Mudge Blog, “Models for Red Team Operations”

– http://blog.cobaltstrike.com/2015/07/09/models-for-red-team-operations/

• Ed Skoudis presentation, “How to Give the Best Pen Test of Your Life”

– http://is.gd/8OAXRN

• Robin Mejia article, “Red Team Versus Blue Team: How to Run an Effective Simulation”, CSO Online

– http://www.csoonline.com/article/2122440

• Raphael Mudge Blog, “Red Team Tradecraft”

– http://blog.cobaltstrike.com/2015/04/29/2015s-red-team-tradecraft/