Conf42 Incident Management 2023 - Online

Atomic Red Team - Closing the Gap with Threat Actors

Video size:

Abstract

Do you know if your expensive MDR tools will actually work when you need them to? The Atomic Red Team is a project from Red Canary which simplifies identifying the gap between threat actor activities and MDR detections. Knowing how threat actors attack will keep your organization ahead of threats.

Summary

  • We are going to be talking about the atomic red team and closing the gap with threats actors. We'll talk a lot about the mitreattack framework and then know launching atomics. It's very professionally rewarding to me in particular whenever we can proactively reduce a risk.
  • Chris Haller is the offensive security practice lead at strong crypto. He has been doing offense specifically full time for a little over three years now. He is also the red versus blue coach for the US cyber team, which he's very excited about.
  • The average breakout time is now 79 minutes. One particular area that I was concerned to see as well is the 312% increase in remote monitoring and management tools. A lot of this comes down to some of the commoditization of cybercrime.
  • There are known knowns and known unknowns. These are the things that we neither are aware of or understand. The unknown unknowns are the ones that really keep me up at night. One way to measure response effectiveness is to emulate known attacks.
  • The atomic red team has created individual tests for each of the 750 miter attack ids. It is an open source project so anyone is able to contribute or modify any of the tests. There are over 1500 tests available right now.
  • A lot of organizations may not have either the expertise, the time or the funding to be able to pay for a full red team and penetration testing assessment. What we can do is use the atomic Red team and read intelligence reports and find out where these things map up with each other. And then we can identify the gaps inside our own organization.

Transcript

This transcript was autogenerated. To make changes, submit a PR.
Hello and welcome everybody to today. We are going to be talking about the atomic red team and closing the gap with threats actors. So specifically this talk, we want to do something proactive where incident management, it's very professionally rewarding to me in particular whenever we can proactively reduce a risk and identify something before a threat actor does it for a customer or organization. So without further ado, let's go ahead and get started and jump right in. I do have a quick agenda where I'm going to talk a little bit about myself. Kind of the problem that we see a potential solution that we can explore. We'll talk a lot about the mitreattack framework, the atomic red team, and then know launching atomics and what that looks like in that perspective. So jumping into our presentation a little bit about myself. My name is Chris Haller. I am the offensive security practice lead at strong crypto. What I do is a lot of penetration testing, red teaming, phishing, you name, know, tons of the offensive security work. I've been doing offense specifically full time for a little over three years now. Before that I did eight years active duty with the Navy, number three in the reserves. And I did some time as a sysadmin, also deployed on board a carrier, which was a lot of fun, learned a lot from that. And then I also spent four years at the Navy Cyber Defense Operations Command and that's where I got my feet in cyber. I did a lot of incident management over there at NCDOC, which was a lot of fun. I learned a lot from it and I'm really glad I had the chance to do it. I did a little bit of time doing some work for about two years in cyber threats intelligence as well. And I'm really happy to be doing the offensive work now because again, like I said, anytime we can identify and remove or reduce that risk before a threat actor does is immensely professionally rewarding. So I do way too much stuff in my off time. I am the red versus blue coach for the US cyber team, which I'm very excited. This is a competition team for CTFs that got an initiative from SZA and DHS and the US Cyber team will go around and compete internationally in cyber competitions. So very excited to do that. A lot of very young athletes that love doing the CTF work. I do a lot of speaking. I really enjoy being a mentor as well. So please reach out to me if you have any questions. Want to talk about something. I always love talking with people, especially junior people that want to try and learn and break into the industry. So I've got way too many certifications. The only one I'll talk about is my GSE, which I was very excited to earn earlier this year, and constantly learning, always getting new stuff. So really excited to be here today. So getting into what's the problem, right? What we see is that criminal hacking is accelerating. All this information came from the Sans.org evolution of cybercriminal operations report in 2023. And when we look at this stuff, it's kind of demoralizing, right? So everything is accelerating with how fast threat actors are gaining access and then also pivoting within that access and leveraging tools and techniques in order to cause harm. So a lot of this really comes down to some of the commoditization of cybercrime as well. Initial access brokers are a pretty interesting bunch. The ones that focus on just getting that initial access and then selling that beyond that. And then we're also looking at ransomware as a service, phishing as a service, all this kind of service based activities that we see with like 365 and other types of software, it's huge in the cybercrime area too, right? At this point, we really don't even have to be that technical. As a criminal, all you have to be good at is just project management, right? We just buy a few different types of services, cobble them together, get initial access from an initial access broker, and we can start handing out ransoms for a couple of hundred thousand dollars. So along with that, the average breakout time is now 79 minutes. And when we're talking about the breakout time, that's from the initial infection vector to the lateral movement. So this is a five minute decrease from the previous year, which obviously things are accelerating and moving faster. And one particular area that I was concerned to see as well is the 312% increase in remote monitoring and management tools. And a lot of these are very legitimate tools and legitimate software that we'll see and use in the ways that we administer our networks. So this is things like any desk teamviewer screen connect things that sysadmins rely on in order to conduct operations and have us do work, right? So by using and leveraging these RMM tools, threats, actors start to blend in and they start to hide among the known good activity. So that's kind of what my view of the problem is and how fast this stuff is moving. Now, along with this, I really like to talk about the knowns matrix. And if you're not familiar, Donald Rumsfeld, when he was Secdef, created this knowns matrix. As he was talking about things that are known knowns and known unknowns. The whole idea is we want to try to understand what are the things we know that we're aware of. And we understand. We have the known unknowns, which are things that we are aware of but don't really understand. So the things that we know, we don't know. There are the unknown knowns, which are the things that we understand but are not exactly aware of, kind of like an intrinsic understanding of something. And then we have the unknown unknowns. These are the things that we neither are aware of or understand. And that's where a lot of this risk really comes from. And that's where hackers absolutely love exploiting the unknown unknowns, right? Because these are things that we don't even know are a threat to us. And if we don't know that they're a threat, it's immensely more difficult for us to be able to defend against it. Whereas the known unknowns, we can understand that. We don't fully understand what the impact is, but at least we are aware of that threat vector. The unknown unknowns are the ones that really keep me up at night, right? We don't understand or are aware of those threat vectors. So we want to try to look through solutions, right? We want to try to solve these problems. So one way I've been looking and trying to understand is let's emulate the known attacks and measure our response effectiveness. This is pretty standard pen testing, red teaming, all that kind of stuff, right? Not everyone can necessarily afford the red team. Or if you want to look through one specific area of activity that we want to defend against, do we really want to pay for a full pen test if we're trying to evaluate one specific item? So when we're looking at this, the threat actor actions are well documented. The three letter agencies are very good at writing down and documenting exactly how they move through a network and the tools they leverage and how they did it. The tactics are consistent throughout environments, and these are going to be things like the initial access, and then they're going to try to escalate across the network. And then from the network, once they gain admin permissions, they'll try to dump the hashes and get administrative permissions, and then they'll look through and try to find the most sensitive data in the organization. So these tactics are very consistent, as well as the actual procedures that the threat actors do and how they run those procedures within the tactics. So there's always indications of compromise which three letter agencies are very good at reporting. And one thing that really keeps me up at night too, is do our established EDR MDR tools actually alert and prevent this activity? We don't get alerts. That either means that nothing bad has happened or nothing bad has been detected, right? So the false negative kind of aspect of that is always a concern and we don't really know unless we check, right? So we want to try to find the gap between the known threats actor procedures and what our tools will either alert or protect against from. So we want to find that gap and understand how we can tune our tools to protect against it. So this really revolves a lot around the mitreattack framework. So if you're not familiar with the attack framework, this is adversarial tactics, techniques and common knowledge. And the whole idea of this framework is that Mitre put it together so that we as defenders have a comprehensive knowledge base of the actual specific things that a threat actor does during a cyberattack. And these are the very specific and standardized framework for us to also be able to talk to others and discuss this specific dancing panda threat actors is known to be using miterattack? Id 10030 zero three or something along those lines. So anytime we're talking about password spraying, password cracking, different types of access, or gaining information, we can all understand and agree on that specific type of description and how that activities occurs inside of a cyberattack. So if you're not familiar with the attack framework, I really recommend taking a closer look at it and understanding it and studying it. It's a phenomenal tool and I read it every day. So these procedures are the actual real world implementations of how these techniques actually happen. So these are the actual hands on keyboard, the commands and the way they're running those commands and running the attacks inside of the actual cyberattack. Right? So we do want to talk about these procedures and we want to try to understand how can we model these, because again, as defenders, if our tools are not alerting us or telling us something bad has happened, that either means nothing bad has happened or they didn't catch anything bad that has happened. And if we have the actual procedures that the threat actors have been known to use, we can try to run those on our system and then that'll actually give us an indication of either, hey, our tools found this activity and stopped it, or they did not stop this activity. Now how do we fix that gap and allow us to stop that and understand or alert on it? So the atomic red team is a pretty fantastic project, which is done from Red Canary. What they have done is they've actually created individual tests for each of these specific miter attack ids. So what that means is that for a specific attack id we can actually find the individual smallest unit of testing for that very specific attack id. And when we're talking the smallest unit, that's where the atomic kind of comes from, right. We're looking at the smallest piece for us to be able to test just that one very specific thing. That way we can control and understand how our systems are reacting to it. So 294 of the 750 attack ids are covered right now. It is an open source project so anyone is able to contribute or modify any of the tests. There are over 1500 tests available right now and that does sound a little weird, right? Why are there one 5000 hundred tests for 294 attack ids? The reason is because the attack ids, they're not necessarily specific to an operating system where the actual individual tests, they can test for many different ways that an attack id can be leveraged by a threat actor, as well as many different ways that the attack ids are covered throughout different operating systems. So there's a lot of very interesting ways for us to be able to review how to test these and see exactly how this activity meets up and is working inside of the miter attack framework. So when we go to the atomic red team website we can actually see that they have a huge list of the atomics, the 1500 that we were talking about. Lots of really fun stuff, right? Like stealing application access tokens or clearing mailbox data, right? So all these cool things and then when we actually click on them we can see how we can actually test that activity as well. So really exciting stuff. There's a lot of very interesting ones. So I really highly recommend taking your time looking through these, trying to understand which ones are interesting, which ones aren't, and then all of these are available on GitHub as well. And they are available in Powershell so we can actually download them and launch them interactively via Powershell as well as always just copy pasting them directly from this website. Please note that if you do download the Powershell that your windows defender or edrs will very likely start lighting them up because it's legitimately trying to do actions that threat actors are taking, right? So we would expect that our EDR finds it and stops it, which is a good thing. If you do want to test these, then we're going to need to be able to do things like allow list those specific Powershell scripts or the scripts that are being used to test this activity. And then we can launch those tests and see how the environment reacts and what we can see in our detections or not. So this also gets into how can we do breach attack simulation on a budget, right? And going back to what we were saying at the start of this presentation, there's a lot of ways that we can try to test this activity. And a lot of organizations may not have either the expertise, the time or the funding to be able to pay for a full red team and penetration testing assessment, all this fun stuff. So what we can do is use the atomic Red team and actually read intelligence reports and find out where these things map up with each other and how we can effectively emulate threat actors based on intelligence reporting. So if you've never read a joint cyber advisory or these other types of advisories posted by the NSA, scissor, all these huge cyber agencies, I really do highly recommend it. It's some pretty interesting stuff where we can actually read through exactly how state sponsored cyber actors are moving throughout an environment and leveraging live off the land tools or different types of malware and how they leverage that activity. So I really recommend taking a look through there inside of the reports, they actually do reference the specific miter attack ids that are used throughout the actual attacks. And then we can take a look and see hey, these attack ids, let's look them up in the atomic red team. I want to make sure that we can defend against it, right? So we open up the atomic red team and then we can see hey, there is a specific atomic test which allows us to look and see if Seatbelt will be run. And if you're not familiar, Seatbelt is a c sharp project which does a bunch of kind of safety checks on a machine. And I enjoy using this from the offensive perspective and I do recommend that people use it on the defensive side because it helps look for specific vulnerabilities or misconfigurations. So what we can see is at the bottom of this specific slide we do have some powershell where it'll try to download the specific seatbelt from GitHub and then it'll try to import it and then execute it. So what we can see though, I did run this on a test machine and I can see that, hey, when I download this and run it, invoke the expression that it does give an error which says this script contains malicious content and has been blocked by your antivirus software. And this was just Windows defender, pretty vanilla stuff on an endpoint. This is good, right? We want to make sure that, hey, if a threat actor got onto my asset and tried to specifically download and run this PS one script inside of memory, that it would be stopped. So that is one way for us to be able to see this and make sure that, hey, this is how we can stop that, right? And then there's always things like dumping the active directory database with NTDs util and going back to the joint cyber advisory. These are live off the land binaries. These are legitimate binaries through Microsoft that we use to administer and conduct operations. So what we don't want to do or see is having people dump the NTDS database. Very often that's something that we want to be able to specifically understand and make sure that we can account for every time it happens. Because if you're not familiar the NTDs, it contains all of the password hashes for the entire active directory domain. And if you have all of those, you can do quite a bit of damage and lock people out or gain access to the sensitive data, launch the ransomware, you name it. So anytime that we are gathering a copy of this activity, we always want to make sure that we get alerted and we can identify it. So running the NTDs util, ACI, TDs, that whole string at the bottom, that allows us to actually run that and see, okay, do our detections tools find this and do they stop it? And if they don't, how do we change that and make sure that we do get alerts or it does stop it on purpose? Because again, this is a very critical action that threat actors take. And if we can get alerted or stop it anytime it happens, even if it does happen in a legitimate sense, we can create those individual detections, especially for something like this, to make sure that we have that positive control over these types of attacks. So as far as in conclusion, we definitely want to embrace that intelligence. The NSA, scissor, all those joint cyber advisories, really highly recommend taking a read through them and understanding them. That way we can find out exactly what the threat actors are doing and how they are leveraging different tactics and procedures within the Mitre attack framework. And then we can identify the gaps inside of our own organization. When we can find those gaps, we can tune our detections and preventions. That way we can make sure that, hey, this actually stops this malicious activity. And we can feel confident that based on the cyber threat reporting through the NSA that the specific tactics that Volt Typhoon was doing that was reported on, we would be able to be alerted on or prevented based on that activity. So we can do that iterative process of tuning the detections and then rerunning it. That way we can keep using those atomics over and over until we feel confident that we have our detections and preventions in a much better spot. So if you have any questions, please reach out. Let me know if you have them. I love talking with people. This is a lot of fun. Again, I am the offensive security practice lead at strongcrypto. That's my email. You can shoot me an email if you have questions. I'm on LinkedIn. Love chatting about this stuff. And then I do have some references as well. So again, thank you for your time. I hope you learned a lot. Please let me know if you have any questions and enjoy the rest of the conference. Thanks.
...

Christopher Haller

Offensive Security Practice Lead @ Strong Crypto Innovations

Christopher Haller's LinkedIn account Christopher Haller's twitter account



Join the community!

Learn for free, join the best tech learning community for a price of a pumpkin latte.

Annual
Monthly
Newsletter
$ 0 /mo

Event notifications, weekly newsletter

Delayed access to all content

Immediate access to Keynotes & Panels

Community
$ 8.34 /mo

Immediate access to all content

Courses, quizes & certificates

Community chats

Join the community (7 day free trial)