RED TEAM Your network - Bucks County Community College · 2020. 5. 29.
root@ssh1:~#whoami
• DIRECTOR OF TECHNOLOGY AND INFORMATION SYSTEMS 20+ YEARS
• CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL (CISSP)
• CERTIFIED GIAC SYSTEM AND NETWORK AUDITOR (GSNA)
• CERTIFIED GIAC INCIDENT HANDLER (GCIH)
• M.S. IN COMPUTERS AND TECHNOLOGY IN EDUCATION
• UNITED STATES MARINE CORPS
GOALS
• EXPLAIN RED TEAM EXERCISES
• ILLUSTRATE COMMAND AND CONTROL COVERT CHANNELS
• OUTLINE SOURCES OF DATA TO IDENTIFY COVERT CHANNELS
• EXAMINE TWO COMMAND AND CONTROL RED TEAM EXERCISES
• OUTLINE BEGINNING STEPS FOR CONDUCTING RED TEAM EXERCISES
JARGON ALERT!
• VULNERABILITY SCAN
• PENETRATION TEST
• RED TEAM/BLUE TEAM
RED TEAM—OPPOSING FORCE (OPFOR)
• FINISH THE FOLLOWING SENTENCE, “THE RED TEAM’S GOAL IS TO MAKE THE BLUE TEAM BETTER AT ________?”
• SKILL BUILDING EXERCISE
• ESTABLISH CLEAR OBJECTIVE(S) TO TEST
• PREPARE EXERCISE TO MEET LEARNING OBJECTIVE(S)
• MEASURES DEFENDERS’ ABILITY TO MEET OBJECTIVES OF RED TEAM ENGAGEMENT
BLUE TEAM—DEFENDERS
• REVIEW INCIDENT RESPONSE PROCEDURES
• REVIEW SOURCES OF DATA, E.G. LOGS
• PRACTICE OPERATION OF TOOLS, E.G. NETSNIFF, TCPDUMP, WIRESHARK
• GATHER NECESSARY EQUIPMENT, TOOLS, AND SUPPLIES, E.G. EXTRA MONITORS AND SNACKS
WHAT KEEPS YOU UP AT NIGHT?
https://github.com/NextronSystems/APTSimulator
WHAT KEEPS YOU UP AT NIGHT? LOCKHEED MARTIN CYBER KILL CHAIN
• IDENTIFY & RECON
• INITIAL ATTACK
• COMMAND & CONTROL
  • 2018 VERIZON DBIR: C2 WAS PRESENT IN 19 OUT OF EVERY 100 “BREACHES” IN EDU
  • 2018 TRUSTWAVE GLOBAL SECURITY REPORT: MEDIAN TIME BETWEEN INTRUSION AND DETECTION FOR EXTERNALLY DETECTED COMPROMISES WAS 83 DAYS IN 2017
• DISCOVER & SPREAD
• EXTRACT & EXFILTRATE
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
GOALS OF COMMAND AND CONTROL
• CREATE TWO WAY COMMUNICATION CHANNEL BETWEEN ATTACKER AND TARGET
• GATHER INFORMATION
• HARVEST ACCOUNTS AND PASSWORDS
• MOVE LATERALLY IN NETWORK TO FIND ADDITIONAL VICTIM DEVICES
• EXFILTRATE DATA
• USE DEVICES AND NETWORK FOR FURTHER GAIN
COMMAND & CONTROL (C2, CNC)
• HOW WOULD I KNOW IF A COMPROMISED COMPUTER OR SERVER IS COMMUNICATING THROUGH A C2 COVERT CHANNEL?
• WHAT SOURCES OF DATA DO I ALREADY LOG THAT WILL HELP IDENTIFY C2 COVERT CHANNELS?
• WHAT SOURCES OF DATA COULD I LOG THAT WILL HELP IDENTIFY C2 COVERT CHANNELS?
• WHAT MONITORING SYSTEMS DO I HAVE THAT WILL TRIGGER ON COVERT CHANNELS?
• WHAT TYPE OF TRIGGERS CAN I DEVELOP TO ALERT ON C2 COVERT CHANNELS?
FIREWALL
• A FIREWALL IS A NETWORK SECURITY DEVICE THAT MONITORS INCOMING AND OUTGOING NETWORK TRAFFIC AND DECIDES WHETHER TO ALLOW OR BLOCK SPECIFIC TRAFFIC BASED ON A DEFINED SET OF SECURITY RULES.
https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html
JARGON ALERT!
http-80
https-443
I have 80/443 open.
You can pass.
I’m listening on 80/443.
Here’s what I have.
smb-445 (Windows File Shares)
I do not have port 445 open.
“You shall not pass.”
I’m stateful. I’ll remember what port you use. I’ve been configured to permit you access to all 65,535 tcp ports and all 65,535 udp ports.
http-80
https-443
Email-25/110/143. You can pass.
Outgoing. Sure. I’ll remember.
I remember you. You can pass.
https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/
https://isc.sans.edu/forums/diary/Malspam+pushing+ransomware+using+two+layers+of+password+protection+to+avoid+detection/23573/
SOURCES OF DATA FOR C2 DETECTION
“PREVENTION IS IDEAL, BUT DETECTION IS A MUST”
-DR. ERIC COLE @DRERICCOLE
SOURCES OF DATA FOR C2 DETECTION
• FIREWALL
• WEB PROXY
• DNS (WINDOWS EVENT LOGS)
• NETFLOW (SESSION DATA)
• FULL PACKET CAPTURE (IF PERMITTED)
SOURCES OF DATA: FIREWALL
• EMERGENCY (SEVERITY 0) SYSTEM IS UNUSABLE.
• ALERT (SEVERITY 1) IMMEDIATE ACTION IS NEEDED.
• CRITICAL (SEVERITY 2) CRITICAL CONDITION.
• ERROR (SEVERITY 3) ERROR CONDITION.
• WARNING (SEVERITY 4) WARNING CONDITION.
• NOTIFICATION (SEVERITY 5) NORMAL BUT SIGNIFICANT CONDITION.
• INFORMATION (SEVERITY 6) NORMAL INFORMATION MESSAGE.
• DEBUGGING (SEVERITY 7) DEBUGGING MESSAGE.
The firewall is logging. I think....
SOURCES OF DATA FOR C2 DETECTION
“IF YOU HAVEN'T TESTED AND VALIDATED [YOUR SECURITY MONITORING’S DETECTION
CAPABILITIES], DON'T CONSIDER IT DETECTION, IT'S JUST A RULE WITH A PRAYER.”
–RUSS MCREE @HOLISTICINFOSEC
RED TEAM #1-OBJECTIVES
• PRACTICE INCIDENT RESPONSE PROCEDURES, E.G. EVENT CORRELATION
• IDENTIFY AND CONTAIN COMPROMISED DEVICE
• LOCATE COMPROMISED DEVICE
• IDENTIFY C2 COVERT CHANNEL(S)
• DETERMINE LATERAL MOVEMENT
• TEST OUR MANAGED SECURITY SERVICE
RED TEAM #1-OBJECTIVES
INCIDENT RESPONSE—SANS “PICERL” MODEL
• PREPARATION
• IDENTIFICATION
• CONTAINMENT
• ERADICATION
• RECOVERY
• LESSONS LEARNED
SCOPE OF NETWORK
• >8500 STUDENTS
• >1900 EMPLOYEES
• >14,000 DEVICES ON NETWORK (WIRED AND WIRELESS)
• 14 LOCATIONS CONNECTED VIA FIBER NETWORK
• 71 TELECOMMUNICATIONS CLOSETS
RED TEAM: “LAN TURTLE”
RED TEAM: HAK5 LAN TURTLE
20 PREINSTALLED MODULES ON LAN TURTLE:
• AUTOSSH-PORT 22
• NETCAT-REVSHELL ANY PORT (6666)
  • https://www.sans.org/reading-room/whitepapers/tools/netcat-tcp-ip-swiss-army-knife-952
• METERPRETER (METASPLOIT)-ANY PORT (4444)
  • https://www.darkoperator.com/installing-metasploit-in-ubunt/
DIGITAL OCEAN
• https://www.digitalocean.com/
I remember you. You can pass.
Outgoing 22, 4444 and 6666. Sure. I’ll remember.
RED TEAM: HAK5 LAN TURTLE
RED TEAM KICK OFF:
• RED TEAM WAS SCHEDULED FOR A DAY GOOD FOR BLUE TEAM MEMBERS—DISTRICT IN-SERVICE
• COMPROMISED DEVICE STARTED LATERAL SCANNING (KNOWN TO TRIGGER ALARMS IN LANCOPE—NETFLOW)
• COMPROMISED DEVICE PARTIALLY HIDDEN ON CROWDED DESK IN LIBRARY
RED TEAM: HAK5 LAN TURTLE
LESSONS LEARNED:
• INITIALLY DISCOVERED ANOTHER DEVICE WITH WEIRD OUTBOUND COMMUNICATIONS
• REINFORCED ABILITY TO USE TOOLS TO LOCATE DEVICES VIA DHCP, IP SCOPE, MAC ADDRESS, PHYSICAL PORT, E.G. CAN YOU IDENTIFY WHAT DEVICE HAD A SPECIFIC IP ADDRESS TWO WEEKS AGO?
• IDENTIFIED NEED TO IMPLEMENT EGRESS FILTERING
• IDENTIFIED NEED TO FURTHER DEVELOP AND PRACTICE INCIDENT RESPONSE PROCEDURES
• USE OF SHARED TIMELINE TO RECORD IR ACTIONS
• TEAM BUILDING EXPERIENCE
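The egress-filtering lesson above (and the dnscat2 lesson later in the deck that only designated DNS servers should reach port 53) can be turned into a check over session data before it is turned into firewall rules. The following Python is an added example, not code from the deck or from any product it mentions; the record format, the address ranges and the policy are constructed assumptions.

```python
"""Audit NetFlow-style session records against an egress allowlist.

Added example, not from the deck. The record format, the address
ranges and the policy below are constructed assumptions.
"""
import ipaddress
from collections import Counter

INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed egress policy: which internal group may open which outbound
# (protocol, port) connections. Anything not listed is a finding, so a
# workstation reaching TCP 22/4444/6666, or any host other than the
# designated resolvers talking to port 53, shows up.
EGRESS_POLICY = {
    "workstations": (ipaddress.ip_network("10.10.0.0/16"), {("tcp", 80), ("tcp", 443)}),
    "mail_relays": (ipaddress.ip_network("10.0.1.0/28"), {("tcp", 25), ("tcp", 443)}),
    "dns_servers": (ipaddress.ip_network("10.0.2.0/29"), {("udp", 53), ("tcp", 53)}),
}

# Constructed session records: src,dst,proto,dst_port,bytes.
SAMPLE_FLOWS = """\
10.10.5.23,93.184.216.34,tcp,443,18211
10.10.5.23,203.0.113.7,tcp,22,6120
10.10.5.23,203.0.113.7,tcp,4444,902
10.10.5.23,203.0.113.7,tcp,6666,1544
10.10.5.23,10.10.5.1,udp,53,96
10.10.7.8,198.51.100.20,udp,53,4410
10.0.2.2,198.51.100.20,udp,53,980
10.0.1.5,198.51.100.25,tcp,25,77210
"""


def classify(src):
    """Name of the policy group containing the source address, or None."""
    addr = ipaddress.ip_address(src)
    for name, (net, _allowed) in EGRESS_POLICY.items():
        if addr in net:
            return name
    return None


def audit_flows(text):
    """Return (src, dst, proto, port, reason) for each outbound flow the policy denies."""
    findings = []
    for line in text.strip().splitlines():
        src, dst, proto, port, _nbytes = line.split(",")
        port = int(port)
        if ipaddress.ip_address(dst) in INTERNAL:
            continue  # internal-to-internal: not an egress question
        group = classify(src)
        if group is None:
            findings.append((src, dst, proto, port, "source not in any policy group"))
        elif (proto, port) not in EGRESS_POLICY[group][1]:
            findings.append((src, dst, proto, port, f"{group} may not use {proto}/{port}"))
    return findings


def suspicious_peers(findings):
    """Count denied flows per external destination: one host collecting several
    denied ports (22, 4444 and 6666 in the LAN Turtle exercise) is a C2 candidate."""
    return Counter(dst for _src, dst, _proto, _port, _reason in findings)


if __name__ == "__main__":
    hits = audit_flows(SAMPLE_FLOWS)
    for hit in hits:
        print("DENY", *hit)
    print("top peer:", suspicious_peers(hits).most_common(1))
```

Run against real session exports, the same policy table doubles as the specification for the egress rules the firewall should enforce.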
RED TEAM #2-OBJECTIVES
• PRACTICE INCIDENT RESPONSE PROCEDURES
• PRACTICE COLLECTING DATA REQUESTED BY MANAGED SECURITY SERVICE PROVIDER DURING INCIDENT
• IDENTIFY C2 COVERT CHANNEL(S)
• DETERMINE LATERAL MOVEMENT
• TEST OUR MANAGED SECURITY SERVICE PROVIDER
RED TEAM: DNSCAT2
• DNS—DOMAIN NAME SYSTEM, UDP (TCP) 53
• DNSCAT2 DIRECTLY TO C2 SERVER IF OUTBOUND DNS TRAFFIC IS PERMITTED TO ANY DNS SERVER
• DNSCAT2 INDIRECTLY TO C2 SERVER THROUGH VICTIM’S DNS SERVER IF OUTBOUND DNS TRAFFIC IS PERMITTED ONLY FROM VICTIM’S INTERNAL DNS SERVERS
• DNSCAT2 LINUX AND WINDOWS POWERSHELL CLIENTS
• ARBITRARY COMMANDS, UPLOAD/DOWNLOAD FILES, AND SHELL
• POLLS EVERY 1 SECOND, NOISY
DNS
DOMAIN NAME SYSTEM
I want to go to www.bucks.edu
DNSCAT2 Client direct communication with DNSCAT2 C2 Server
DNSCAT2 Client communication with DNSCAT2 C2 Server via Internal DNS Server
DNSCAT2 UNENCRYPTED DIRECT
Hex to ASCII=“whoami”
DNSCAT2 ENCRYPTED AUTHORITATIVE
RED TEAM: DNSCAT2
RED TEAM KICK OFF:
• RED TEAM WAS SCHEDULED FOR A DAY GOOD FOR BLUE TEAM MEMBERS—DISTRICT IN-SERVICE
• RULES OF ENGAGEMENT DISCUSSED, “DON’T MOVE TO CONTAINMENT UNTIL WE FULLY UNDERSTAND COMPROMISE”
• POWERSHELL USED TO DOWNLOAD DNSCAT2-POWERSHELL
• COMPROMISED DEVICE DOWNLOADED PSEXEC (KNOWN TO TRIGGER ALARMS IN SOPHOS)
• COMPROMISED DEVICE BEGAN LATERAL SCANNING (KNOWN TO TRIGGER ALARMS IN LANCOPE)
RED TEAM: DNSCAT2
LESSONS LEARNED:
• BAD CONFIGURATION IN WINDOWS CLIENTS PERMITTED ELEVATED POWERSHELL PERMISSIONS
• IDENTIFIED NEED TO COLLECT DNS LOGS
• IDENTIFIED NEED TO DEVELOP TRIGGERS FOR DNS ALERTING
• EGRESS FILTERING SPECIFIC TO IDENTIFIED SERVERS, E.G. ONLY DESIGNATED DNS SERVERS SHOULD HAVE ACCESS TO TCP/UDP 53
• NEED TO FURTHER DEVELOP AND PRACTICE INCIDENT RESPONSE PROCEDURES
• TEAM BUILDING EXPERIENCE
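The two lessons about collecting DNS logs and developing DNS triggers follow directly from the dnscat2 traits shown earlier in the deck: the unencrypted client puts hex-encoded data in the query labels (the Hex-to-ASCII "whoami" slide) and polls about once a second. The Python below is an added example, not code from the deck or from dnscat2; the log format, the domain names and the thresholds are constructed assumptions, and the hex labels only mimic those traits rather than dnscat2's real packet layout.

```python
"""Flag dnscat2-style DNS tunnelling in DNS query logs.

Added example, not from the deck or from dnscat2. Log format, names and
thresholds are constructed; the signals used are the traits the deck
describes: hex-encoded labels and a query about every second.
"""
import re
from collections import defaultdict
from datetime import datetime

# A label made entirely of hex byte pairs, at least 6 bytes long.
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){6,}$")

# Constructed log lines: "<ISO timestamp> <client> <query name> <qtype>".
# 10.10.5.23 polls c2.example once a second; its first query carries the
# hex for "whoami" (77686f616d69). The other names are ordinary lookups.
SAMPLE_LOG = """\
2020-05-29T10:00:00 10.10.5.23 0a1b0001000077686f616d69.c2.example TXT
2020-05-29T10:00:01 10.10.5.23 0a1b000200000000.c2.example TXT
2020-05-29T10:00:02 10.10.5.23 0a1b000300000000.c2.example TXT
2020-05-29T10:00:03 10.10.5.23 0a1b000400000000.c2.example TXT
2020-05-29T10:00:04 10.10.5.23 0a1b000500000000.c2.example TXT
2020-05-29T10:00:05 10.10.5.23 0a1b000600000000.c2.example TXT
2020-05-29T10:00:00 10.10.5.23 www.bucks.edu A
2020-05-29T10:00:03 10.10.5.23 www.bucks.edu AAAA
2020-05-29T10:00:01 10.10.7.8 a1b2c3d4e5f60718.cdn.example A
2020-05-29T10:00:02 10.10.7.8 www.cdn.example A
"""


def registered_domain(qname):
    """Last two labels of the name (assumption: no public-suffix list needed here)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def hex_payload_ascii(qname):
    """Printable ASCII recovered from any hex labels in the name ('' if none)."""
    chars = []
    for label in qname.split("."):
        if HEX_LABEL.match(label):
            chars.extend(chr(b) for b in bytes.fromhex(label) if 32 <= b < 127)
    return "".join(chars)


def analyze(log_text, min_queries=5, max_gap_s=2.0, min_hex_ratio=0.5):
    """Group queries by (client, registered domain) and flag groups that look like
    a tunnel: enough queries, every name unique, mostly hex labels, steady polling."""
    groups = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, client, qname, qtype = line.split()
        groups[(client, registered_domain(qname))].append((datetime.fromisoformat(ts), qname, qtype))
    report = {}
    for key, rows in groups.items():
        rows.sort()
        times = [r[0] for r in rows]
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        names = [q for _t, q, _qt in rows]
        hex_hits = sum(1 for q in names if any(HEX_LABEL.match(lab) for lab in q.split(".")))
        stats = {
            "queries": len(rows),
            "unique_names": len(set(names)),
            "hex_ratio": hex_hits / len(rows),
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
            "decoded": [s for s in map(hex_payload_ascii, names) if s],
        }
        steady = stats["median_gap_s"] is not None and stats["median_gap_s"] <= max_gap_s
        stats["flagged"] = (stats["queries"] >= min_queries
                            and stats["unique_names"] == stats["queries"]
                            and stats["hex_ratio"] >= min_hex_ratio
                            and steady)
        report[key] = stats
    return report
```

The encrypted, authoritative-server variant in the deck defeats the hex check, so the query-count, uniqueness and polling-interval signals are the ones to keep when building the DNS trigger.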
THE WORK ISN’T OVER...
THE WORK ISN’T OVER WITH THE COMPROMISED DEVICE IDENTIFIED AND CONTAINED
• WHAT WERE THE INDICATORS OF COMPROMISE (IOC)?
• WHAT DATA SOURCES PROVIDED INSIGHT INTO THE COMPROMISE?
• WHAT ARE THE ROOT CAUSES OF THE EXPLOITED VULNERABILITIES?
• HOW CAN WE REMEDIATE THE VULNERABILITIES? COMPENSATING CONTROLS?
• WHAT SKILLS DO WE NEED TO IMPROVE?
• WHAT INCIDENT RESPONSE PROCEDURES NEED TO BE CREATED OR UPDATED?
• WHAT MONITORING SYSTEMS MET EXPECTATION? WHAT SYSTEMS DID NOT MEET EXPECTATION?
LESSONS LEARNED
• CONDUCT LESSONS LEARNED MEETING
• AVOID FINGER POINTING AND BLAMING
• REVIEW EXISTING INCIDENT RESPONSE PROCEDURE
• DEVELOP PROCEDURE (IF ONE IS NOT AVAILABLE) FOR TYPE OF INCIDENT
• BRAINSTORM ADDITIONAL METHODS TO MITIGATE FUTURE RISK
• IDENTIFY ADDITIONAL REPERCUSSIONS RESULTING FROM IR, E.G. IMPACT OF MITIGATION.
• UPDATE POLICIES, REGULATIONS, AND PROCEDURES
• UPDATE CSIR PLAN AND IR PROCEDURES
START SIMPLE
CIS CONTROL 12: BOUNDARY DEFENSE
• DENY COMMUNICATION OVER UNAUTHORIZED TCP OR UDP PORTS OR APPLICATION TRAFFIC TO ENSURE THAT ONLY AUTHORIZED PROTOCOLS ARE ALLOWED TO CROSS THE NETWORK BOUNDARY IN OR OUT OF THE NETWORK AT EACH OF THE ORGANIZATION'S NETWORK BOUNDARIES.
• https://www.cisecurity.org/controls/
START SIMPLE-SSH/PORT 22
• SSH* TO DEVICE OUTSIDE OF YOUR NETWORK, E.G. DIGITAL OCEAN
• USE SOURCES OF DATA, LOGS, TO IDENTIFY DEVICE ACTIVITY
• CORRELATE SOURCES OF DATA
• IDENTIFY LOCATION OF THE DEVICE, E.G. SWITCH PORT OR AP
• IDENTIFY OTHER ACTIVITIES, E.G. LATERAL MOVEMENT
*SSH BUILT INTO LINUX AND MAC. USE PUTTY FOR WINDOWS.
“THE MORE I PRACTICE, THE LUCKIER I GET.”