Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hello and welcome, everybody, to today's talk. We are going to be talking about
Atomic Red Team and closing the gap with
threat actors. So specifically, in this talk we want to
do something proactive. In incident management,
it's very professionally rewarding to me in particular whenever we can proactively
reduce a risk and identify something before a threat actor
does it to a customer or organization.
So without further ado, let's go ahead and get started and
jump right in. I do have a quick agenda where I'm going to talk a
little bit about myself, kind of the problem that we see, a potential
solution that we can explore. We'll talk a lot about
the MITRE ATT&CK framework, Atomic Red Team, and then
launching atomics and what that looks like from that perspective.
So jumping into our presentation, a little bit
about myself. My name is Chris Haller. I am the offensive security
practice lead at Strong Crypto. What I
do is a lot of penetration testing, red teaming,
phishing, you name it, tons of offensive security
work. I've been doing offense specifically
full time for a little over three years now. Before that
I did eight years active duty with the Navy and another three in
the reserves. I did some time as a sysadmin,
also deployed on board a carrier, which was a
lot of fun; I learned a lot from that. And then I also spent four
years at the Navy Cyber Defense Operations Command, and that's
where I got my feet wet in cyber. I did a lot of incident management
over there at NCDOC, which was a lot of fun.
I learned a lot from it and I'm really glad I had the chance to
do it. I also did about two
years of work in cyber threat intelligence as well. And I'm really happy to
be doing the offensive work now because, again, like I said,
anytime we can identify and remove or
reduce that risk before a threat actor does is
immensely professionally rewarding. I do way
too much stuff in my off time. I am the
red versus blue coach for the US Cyber Team, which I'm very excited about.
This is a competition team for CTFs that
came out of an initiative from CISA and DHS, and the
US Cyber Team will go around and compete internationally
in cyber competitions. So, very excited to do that.
A lot of very young athletes that love doing the
CTF work. I do a lot of speaking. I really enjoy
being a mentor as well, so please reach out to me if
you have any questions or want to talk about
something. I always love talking
with people, especially junior people that want to try and learn and break
into the industry. I've got way too many certifications.
The only one I'll talk about is my GSE, which I was very excited to
earn earlier this year, and I'm constantly learning,
always getting new stuff. So, really excited to be here today.
So, getting into what's
the problem, right? What we see is that
criminal hacking is accelerating. All this information
came from the SANS.org Evolution of
Cybercriminal Operations report in 2023.
And when we look at this
stuff, it's kind of demoralizing, right?
So everything is accelerating: how fast
threat actors are gaining access, and then also pivoting
within that access and leveraging tools
and techniques in order to cause harm.
So a lot of this really comes down to some of the commoditization
of cybercrime as well. Initial access brokers
are a pretty interesting bunch, the ones that focus on just
getting that initial access and then selling it on from there.
And then we're also looking at ransomware as a service,
phishing as a service, all these kinds of service-based
activities that we see with things like 365 and
other types of software;
it's huge in the cybercrime area too,
right? At this point, we really don't even have to
be that technical. As a criminal,
all you have to be good at is just project management, right?
We just buy a few different types of services, cobble them together, get initial
access from an initial access broker, and we can start
handing out ransoms for a couple of hundred thousand dollars.
So along with that, the average breakout time is
now 79 minutes. And when we're talking about the
breakout time, that's from the initial infection vector to
the lateral movement. So this is a five-minute
decrease from the previous year, which obviously means things are
accelerating and moving faster. And one particular
area that I was concerned to see as well is the
312% increase in remote monitoring and management tools.
A lot of these are very legitimate tools
and legitimate software that we'll see
and use in the ways that we administer
our networks. So this is things like AnyDesk, TeamViewer, ScreenConnect,
things that sysadmins rely
on in order to conduct operations and have us
do work, right? So by
using and leveraging these RMM tools,
threat actors start to blend in and they start to hide
among the known-good activity.
So that's kind of what my view
of the problem is and how fast this stuff is moving. Now,
along with this, I really like to talk about the knowns
matrix. If you're not familiar, Donald Rumsfeld,
when he was SecDef, created this knowns matrix
as he was talking about things that are known
knowns and known unknowns. The whole idea is we want to
try to understand what are the things we know, that
we're aware of and we understand. We have the known unknowns,
which are things that we are aware of but don't really understand, so the things
that we know we don't know. There are the unknown
knowns, which are the things that we understand but are not exactly aware
of, kind of like an intrinsic understanding of something.
And then we have the unknown unknowns. These are the things that
we are neither aware of nor understand.
And that's where a lot of this risk really comes from.
And that's where hackers absolutely love exploiting
the unknown unknowns, right? Because these are things that
we don't even know are a threat to us.
And if we don't know that they're a threat, it's immensely more
difficult for us to be able to defend against it.
Whereas the known unknowns, we can understand
that. We don't fully understand what
the impact is, but at least we are aware of that
threat vector. The unknown unknowns are the ones that
really keep me up at night, right? We are neither aware of nor
understand those threat vectors.
So we want to try to look through solutions,
right? We want to try to solve these problems.
So one way I've been looking at and trying to understand is:
let's emulate the known attacks and measure our response
effectiveness. This is pretty standard pen testing,
red teaming, all that kind of stuff, right?
Not everyone can necessarily afford the red team.
Or if you want to look through one specific area
of activity that we want to defend against,
do we really want to pay for a full pen test if we're trying
to evaluate one specific item?
So when we're looking at this, the threat actor actions are well
documented. The three-letter agencies are
very good at writing down
and documenting exactly how they move through a network, the tools
they leverage, and how they did it. The tactics are consistent
throughout environments, and these are going to be things like the
initial access, and then they're going to try to escalate across
the network. And then from the network, once they gain admin permissions,
they'll try to dump the hashes and get administrative
permissions, and then they'll look through and try to find the
most sensitive data in the organization. So these
tactics are very consistent, as well as the
actual procedures that the threat actors do and how
they run those procedures within the tactics.
So there are always indications of compromise, which
three-letter agencies are very good at reporting.
And one thing that really keeps me
up at night too is: do our established EDR and
MDR tools actually alert on and prevent
this activity? If we don't get alerts,
that either means that nothing bad has happened or
nothing bad has been detected, right?
So the false negative aspect of that is always
a concern, and we don't really know unless
we check, right? So we want to try to find the gap between
the known threat actor procedures and what our tools will
either alert on or protect against.
So we want to find that gap and understand how we can
tune our tools to protect against it.
So this really revolves a lot around
the MITRE ATT&CK framework. If you're not familiar with the ATT&CK
framework, this is Adversarial Tactics, Techniques, and Common
Knowledge. And the whole idea of this
framework is that MITRE put it together so that we as
defenders have a comprehensive knowledge base of the
actual specific things that a threat actor
does during a cyberattack. And this is
a very specific and standardized framework for us to
also be able to talk to others and discuss: this
specific Dancing Panda threat actor is known to be
using MITRE ATT&CK ID T1003.003, or something along those lines. So anytime
we're talking about password spraying, password cracking,
different types of access, or gaining information, we can
all understand and agree on that specific type
of description and how that activity occurs inside
of a cyberattack. So if you're not familiar
with the ATT&CK framework, I really recommend taking a closer
look at it and understanding it and studying it. It's a
phenomenal tool and I read it every day.
So these procedures are the actual real
world implementations of how these techniques actually
happen. So these are the actual hands on keyboard,
the commands and the way they're running those commands and running
the attacks inside of the actual cyberattack.
Right? So we do want to talk about these procedures and
we want to try to understand how can we model these,
because again, as defenders, if our
tools are not alerting us or telling us something bad has happened,
that either means nothing bad has happened or they didn't
catch anything bad that has happened. And if
we have the actual procedures that the threat actors
have been known to use, we can try to run those on
our system and then that'll actually give us an indication of
either, hey, our tools found this activity and stopped
it, or they did not stop this activity.
Now how do we fix that gap and allow us to
stop that and understand or alert on it?
So Atomic Red Team is a pretty fantastic project,
which is done by Red Canary. What they
have done is they've actually created individual
tests for each of these specific MITRE ATT&CK IDs.
So what that means is that for a specific ATT&CK
ID we can actually find the individual
smallest unit of testing for that very specific
ATT&CK ID. And when we're talking about the smallest unit, that's where
the "atomic" kind of comes from, right? We're looking at the
smallest piece for us to be able to test just that one
very specific thing. That way we can control and understand
how our systems are reacting to it. So 294
of the 750 ATT&CK IDs are covered right now.
It is an open source project, so anyone is able to contribute
or modify any of the tests.
There are over 1,500 tests available right
now, and that does sound a little weird, right?
Why are there 1,500 tests for 294 ATT&CK IDs?
The reason is that the ATT&CK IDs are not necessarily
specific to an operating system, whereas the
actual individual tests can test for many
different ways that an ATT&CK ID can be leveraged
by a threat actor, as well as many different ways that the
ATT&CK IDs are covered throughout different operating
systems. So there's a lot of very interesting ways for
us to be able to review how to test these and see
exactly how this activity matches
up and is working inside of the MITRE ATT&CK framework.
So when we go to the Atomic Red Team website, we can
actually see that they have a huge list of the atomics, the 1,500
that we were talking about. Lots of really fun stuff,
right? Like stealing application access tokens or clearing
mailbox data, right? So all these cool things,
and then when we actually click on them we can see how we can actually
test that activity as well. So, really exciting
stuff. There's a lot of very interesting ones.
So I really highly recommend taking your time
looking through these, trying to understand which ones are interesting, which ones aren't,
and then all of these are available on GitHub as well.
And they are available in PowerShell, so we can actually download
them and launch them interactively via PowerShell, as well
as always just copy-pasting them directly from this website.
Please note that if you do download the PowerShell,
your Windows Defender or EDRs will very likely
start lighting them up, because it's legitimately trying to
do actions that threat actors are taking,
right? So we would expect that our EDR finds
it and stops it, which is a good thing.
If you do want to test these, then we're going to need to be able
to do things like allow-list those
specific PowerShell scripts or the scripts that are being
used to test this activity. And then we can launch those
tests and see how the environment reacts and
what we can see in our detections or not.
So this also gets into how we can
do breach and attack simulation on a budget,
right? And going back to what we were saying
at the start of this presentation, there's a lot of
ways that we can try to test
this activity. And a lot of organizations may not have either
the expertise, the time, or the funding to be able to pay
for a full red team and penetration testing assessment,
all this fun stuff. So what we can do is
use Atomic Red Team and actually read
intelligence reports and find out where these things
map up with each other and how we can effectively
emulate threat actors based on intelligence reporting.
So if you've never read a joint cyber advisory or these
other types of advisories posted by the
NSA, CISA, all these huge cyber
agencies, I really do highly recommend it. It's some pretty interesting
stuff, where we can actually read through exactly
how state-sponsored cyber actors are
moving throughout an environment and leveraging living-off-the-land
tools or different types of malware, and how they leverage
that activity. So I really recommend taking a look through there.
Inside of the reports, they actually do reference the specific
MITRE ATT&CK IDs that are used throughout the
actual attacks. And then we can take
a look and see, hey, these ATT&CK IDs,
let's look them up in Atomic Red Team. I want to make sure
that we can defend against it, right?
So we open up Atomic Red Team and then we can see, hey,
there is a specific atomic test which allows
us to look and see if Seatbelt will be run.
And if you're not familiar, Seatbelt is a C# project
which does a bunch of kind of safety checks on a
machine. I enjoy using this from the offensive perspective,
and I do recommend that people use it on the defensive side because
it helps look for specific vulnerabilities or
misconfigurations. So what we can see is, at the
bottom of this specific slide, we do have some
PowerShell where it'll try to download the specific
Seatbelt from GitHub
and then it'll try to import it and then execute
it. What we can see, though, is I did run
this on a test machine and I can see that,
hey, when I download this and run it with Invoke-Expression,
it does give an error which says "This
script contains malicious content and has been blocked by your antivirus software."
And this was just Windows Defender, pretty vanilla
stuff on an endpoint. This is good,
right? We want to make sure that, hey, if a threat actor got onto
my asset and tried to specifically
download and run this .ps1
script inside of memory, it would be stopped. So that is
one way for us to be able to see this and make sure that,
hey, this is how we can stop that, right?
And then there are always things like dumping the
Active Directory database with ntdsutil, and
going back to the joint cyber advisory, these are living-off-the-land
binaries. These are legitimate binaries from Microsoft
that we use to administer and conduct operations.
So what we don't want to do or see
is having people dump the NTDS database.
Very often that's something that we want to be able to specifically
understand and make sure that we can account for every time it
happens. Because, if you're not familiar, the NTDS
contains all of the password hashes for the entire Active Directory
domain. And if you have all of those, you can do quite a bit of
damage and lock people
out or gain access to the sensitive data,
launch the ransomware, you name it. So anytime that
we are gathering a copy of this, we always
want to make sure that we get alerted and we can identify it.
So running ntdsutil with
"ac i ntds", that whole string at the bottom,
that allows us to actually run
that and see, okay, do our detection tools
find this and do they stop it? And if they don't,
how do we change that and make sure that we
do get alerts or it does stop it on purpose?
Because again, this is a very critical action that threat actors take.
And if we can get alerted or stop it anytime it
happens, even if it does happen in a legitimate sense, we can create
those individual detections, especially for something like this,
to make sure that we have that positive control over these
types of attacks.
So as far as the conclusion, we definitely want to
embrace that intelligence. The NSA,
CISA, all those joint cyber advisories,
I really highly recommend taking a read through them and understanding them.
That way we can find out exactly what the threat actors are doing
and how they are leveraging different tactics
and procedures within the MITRE ATT&CK framework. And then
we can identify the gaps inside of our own organization.
When we can find those gaps, we can tune our
detections and preventions. That way we can make sure
that, hey, this actually stops this malicious activity.
And we can feel confident that, based on the cyber
threat reporting through the NSA, the
specific tactics that Volt Typhoon
was doing that were reported on, we would be able to be alerted
on or prevent based on that activity.
So we can do that iterative process of tuning
the detections and then rerunning it. That way we can keep
using those atomics over and over until we feel confident that we have
our detections and preventions in a much better spot.
So if you have any questions, please reach
out. Let me know if you have them. I love talking with people. This is
a lot of fun. Again, I am the offensive security practice
lead at Strong Crypto. That's my email; you can shoot me an email if you have
questions. I'm on LinkedIn. Love chatting about this stuff. And then I
do have some references as well. So again,
thank you for your time. I hope you learned a lot. Please let me know
if you have any questions, and enjoy the rest of the conference.
Thanks.
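The detection-gap check the talk describes, as an added example that is not part of the original talk or of the Atomic Red Team project: a small rule for the ntdsutil NTDS dump is run over constructed process-creation events, and the techniques from an advisory that produced no detection are reported as the gap to tune. The event field names, the sample command lines, and the second technique ID in the gap report (T1059.001, PowerShell, standing in for an advisory's technique list) are assumptions made for this example.

```python
import re

NTDS_DUMP_TECHNIQUE = "T1003.003"  # ATT&CK: OS Credential Dumping: NTDS


def _prefix(word):
    """Regex for `word` or any leading abbreviation of it ("ac" for "activate"),
    since ntdsutil accepts shortened subcommands."""
    return word[0] + "".join(f"(?:{c}" for c in word[1:]) + ")?" * (len(word) - 1)


_ACTIVATE = re.compile(rf"\b{_prefix('activate')}\s+{_prefix('instance')}\s+ntds\b")
_IFM_CREATE = re.compile(rf"\bifm\b|\b{_prefix('create')}\s+(?:{_prefix('full')}|{_prefix('sysvol')})\b")


def normalize(command_line):
    """Lowercase, drop the quotes ntdsutil arguments are wrapped in, and collapse
    whitespace so '"ac  i ntds"' and 'ac i ntds' compare equal."""
    return re.sub(r"\s+", " ", command_line.replace('"', " ").lower()).strip()


def is_ntds_dump(event):
    """True when the event looks like an ntdsutil IFM dump of NTDS.dit. Checks the
    image name and Sysmon's OriginalFileName, so a renamed copy is still caught."""
    names = {event.get("image", "").lower().rsplit("\\", 1)[-1],
             event.get("original_file_name", "").lower()}
    if "ntdsutil.exe" not in names:
        return False
    cmd = normalize(event.get("command_line", ""))
    return bool(_ACTIVATE.search(cmd) and _IFM_CREATE.search(cmd))


def detect(event):
    """Return the ATT&CK technique ID an event evidences, or None."""
    return NTDS_DUMP_TECHNIQUE if is_ntds_dump(event) else None


def coverage_gaps(events, expected_techniques):
    """Advisory techniques that no event triggered a detection for: the gap to tune."""
    seen = {detect(e) for e in events} - {None}
    return sorted(set(expected_techniques) - seen)


# Constructed sample events shaped like Sysmon Event ID 1 / Windows 4688 (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\ntdsutil.exe",
     "command_line": r'ntdsutil "ac i ntds" "ifm" "create full C:\temp" q q'},
    {"image": r"C:\Windows\System32\ntdsutil.exe",  # benign admin query, no dump
     "command_line": r'ntdsutil.exe "ac i ntds" "files" "info" q q'},
    {"image": r"C:\Users\Public\nt.exe", "original_file_name": "ntdsutil.exe",  # renamed copy
     "command_line": r'nt.exe "activate instance ntds" "ifm" "create full C:\x" q q'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Get-Process"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(detect(e), "<-", e["command_line"])
    print("gaps:", coverage_gaps(SAMPLE_EVENTS, [NTDS_DUMP_TECHNIQUE, "T1059.001"]))
```

Rerunning the atomic after each tuning pass and feeding the new events through the same check is the iterative loop the talk ends on; in production the events would come from the SIEM rather than an inline list.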