
Hello everyone, good morning. My name is Hasan Nikar and welcome to BSides Las Vegas. This talk is being presented by Jason Grace and Adam Bradbury on Enemy Within: Leveraging Purple Teams for Advanced Threat Detection and Prevention. A few announcements before we begin. We would like to thank our sponsors, especially our Diamond sponsor Adobe and our Gold sponsors Prisma Cloud, BlueCat and Toyota. It's with their support, along with other sponsors, donors and volunteers, that makes this event possible. These talks are being streamed live, and as a courtesy to our speakers and audience we would like you to make sure that your cell phones are on silent. If you have any questions, please use the audience microphone so that YouTube can hear you. And with that, let's get started and welcome our speakers.

Hey, BSides, how the hell y'all doing? Excellent, y'all are here for it, we're here for it, let's get it. So my name is Jason. I formed and co-lead the purple team at Meta with Cedric Owens, that phenomenal human being right there. The team was officially established back in January of 2022. Before I got into tech I used to be a touring death metal musician; that was a lot of fun, doesn't pay well. My tech career has focused on pen testing, red teaming, DevOps and tool development. I also have several years under my belt as a systems administrator, so I'm old. This isn't the first team I built: I actually created the corporate red team at Sandia National Labs, which I was able to grow to a size of about seven hackers before I moved on back in 2019. I was in a Black Hat class yesterday and some of the folks that are now on the team were there, so it's still going well. They have stickers, so I have one of the stickers from the team, which is pretty cool. Feel good about that, buddy.

Hey everyone, I'm Adam. I'm a tech lead for threat intelligence at Meta. My background is significantly less interesting than Jason's. I've been in cyber security for about 11 years. I did the first five years of my career working in security operation centers in the UK; I apologize for the accent in advance. After that I got involved in threat intelligence after trying to broker information between clients of the MSSP that I was working for, and joined a Dutch intelligence company for two years, went all over the world with them helping government agencies and large corporations build intelligence capabilities. In 2019 I jumped to Meta and joined their team tracking financially motivated threat actors. So we've got a hell of a lot
to cover today and not a lot of time to do it, so we're going to touch on how purple teaming and threat intelligence is set up at Meta. We're going to introduce TTP Forge, which is the tool we're releasing open source as part of this talk that helps teams test tactics, techniques and procedures at scale. We'll delve into how purple team, threat intelligence and TTP Forge fit in with the wider security teams, and delve into some of our both shared and unique pain points. But then the meat of this talk is going to be on how we use all of that together to respond to sudden changes in the threat landscape, and we'll have some demos to show what that looks like under the hood at the end.

So what do we mean by sudden changes in the threat landscape? The stuff on the screen happened in summer of 2022, when a group that's tracked as Scattered Spider or 0ktapus, depending on where you buy your intelligence from, started causing major headaches for large tech companies. Overnight, leadership wanted to know: who are this group, what are they capable of, have they targeted us, have they been successful and we've missed it? And they wanted to know the answers to that now, because companies within our sector were being popped and it was in the news overnight. So as an intel nerd I'm often expected to peer into a crystal ball and predict the future with 100% confidence, but despite all the resourcing you can throw at it, that's still not a feasible objective. We still get caught by surprise: new actor groups come out overnight that we learn about from incident response teams embedded in different companies, or we learn about them from news articles, and have to build some kind of response. The same goes for when vulnerabilities are announced or proof-of-concept exploits get released where there's no existing patch for them, and the world has to scramble to work out what the response to that looks like. I know that's super topical for this conference, so a lot of talks yesterday and today are about the ethics of responsible disclosure. What we hope this talk does is lift the curtain on what it looks like for security teams to be on the other side of that, and the work that has to go into place when something like that happens.

So backing up a little bit: threat intelligence at Meta. First and foremost, there are many intelligence teams at Meta; there's awesome people doing amazing work in everything from anti-scraping, election integrity, influence ops. But the team I'm embedded with is within our incident response function, so we track adversaries that target our employees, our endpoints and our infrastructure, and
day-to-day we sit side by side with our incident responders, our detection engineers and our threat hunters. By virtue of that we have a huge tactical and operational focus; we don't do too much on the strategic side. Where our specialties lie is in turning intelligence research and tradecraft into applied security changes in the shortest time possible.

All right, let's talk about purple. As I'm sure most of you in this room are well aware, dedicated purple teams are a fairly nascent concept in the security space. We're seeing a lot more in the way of red teams that will run purple team engagements, but there's just not that many dedicated purple teams. All that is to say (there we go, we're not feedbacking anymore) there isn't much of a golden standard at this point, and we're aiming to provide information as part of the general conversation around that topic. The first iteration of purple teaming at Meta was technically done by Chris Gates, aka carnal0wnage, shout out to that dude, while he worked here from 2014 through 2015, although this looked significantly different from what we think about when we do purple teaming today. The purple team of today is built as an internal consultancy, so we have customers, deadlines and stakeholders across the entire company that rely on our deliverables, and taking this approach really helps us to maintain a certain quality and consistency for our outputs, which is really important when you have a variety of customers in different organizations across the world doing dramatically different work. We spent time right out of the gate creating engagement offerings, or a menu if you will, of the various things that we can do that accommodate a wide variety of needs. In turn this allows us to work with a lot of different teams and keeps the work fun, so for one engagement we could be doing something around web and then the next one could be around infra or mobile or VR. I don't like just doing one thing, and this really checks that box for me. If you're more interested in the program side of that, Cedric Owens and I gave a talk at SANS Pen Test HackFest back in November covering how the team is structured and functions, so if you want to learn more about that go check out that talk. Above all, a key principle on purple team is to align pragmatism with enjoyment. What we mean by this is, if you have an endpoint detection and response system that isn't detecting basic TTPs, you should not be sitting there trying to develop a sophisticated bypass. Let's learn to walk before we can run. At the end of the day, the effectiveness of creating useful adversary simulations depends largely on
their realistic nature.

Speaking of TTPs, I want to introduce you all to the TTP Forge, which I am absolutely jazzed to finally be putting out. This is our homegrown tool for purple teaming at Meta. This tool is going out live a bit after the talk as free and open-source software, so I really hope you all get the chance to check it out and see what you think. The primary goal of the TTP Forge is to simplify the process for engineers with diverse backgrounds to test and build detections and preventions, and we're able to accomplish this by simulating malicious activities using building blocks described with YAML. You can think of it as Legos, effectively: you can stack them, and we use this to automate and execute TTPs. To give you a sense for how the TTPs look, this particular image here is going to be a part of our demos a bit later, but it's part of a TTP that steals secrets from AWS Secrets Manager. As mentioned by Adam, we're going to be doing some demos towards the end of the talk, so stay tuned.

Yeah, so like every large company, security doesn't happen in isolation. There's a lot of teams that plug into threat intelligence and purple team, but while putting this talk together it's palpable that we're a security-rich company, and we can appreciate that not all companies are in that position. A lot of the teams that we plug into may exist in a single person, or may in the worst case exist in less than a single person, and that's been one of mine and Jason's drivers for releasing TTP Forge: to put the research of a large function like ours into the hands of the community, so if you're on your own facing this or you're part of a small team you can still leverage the same research and tradecraft that we're using.

So first up in teams that we plug into is incident response, and that's everything from our tier one to tier three responders. They plug into threat intelligence to get low latency access to intelligence about the groups they're facing in the queues, and we've done a lot of work to embed intelligence directly into the tooling they use so it's there and readily apparent. But if it's not and they're encountering something brand new, they can press one button and tag threat intelligence in to do rapid research to fill in the blanks for them, to help them understand what they're dealing with, what the next steps are, what this actor's motivations are, and ultimately how to rip it out of our environment if we detect it. Where it plugs into purple team and TTP Forge specifically is they have a high need for low false positive rate detections. If threat intelligence
is pushing to land a new detection in response to some threat which we're tracking, but it ultimately results in crazy high load and blows up the queues for them, this is the team that feels it. And because our team's embedded in incident response, they're our primary source of leads: about 70% of all of our leads come from people on the front lines answering tickets saying hey, this is interesting, I've never seen this before. So it pays to keep them happy.

Next up is threat hunting. Threat hunting's moved around a lot at Meta; it's a fundamental capability of a lot of our different security teams, but we've recently crystallized it into its own dedicated function. They plug into threat intelligence in a few ways. Primarily we're there to help them prioritize the giant backlog of everything they could possibly hunt for, and narrow that down to: these are the probable groups that are going to try to pop our company, or have tried to pop our company in the past, so maybe prioritize the TTPs they use for threat hunting over something else. Where they plug into TTP Forge is that TTP Forge allows them to run a TTP and get signal of what that looks like when it detonates in our environment. For a lot of the things threat intelligence sends over to our hunters, we're lucky enough to have never experienced that type of attack in our environment, so we don't have the logs and the signal they need to know what that looks like in our environment to go and hunt it retroactively.

All right, so detection engineering. Detection engineering is a very important partner. Ultimately detection engineering is going to be amplifying our security by using high fidelity detections to accurately identify legitimate threats and ideally minimize false positives and negatives. Purple team, in collaboration with these folks, utilizes TTP Forge to simulate varied threat scenarios, and we work to empower the defenders to do this themselves. So for more simple TTPs they don't even need to talk to us, they can just do it themselves, which has been going pretty well so far in terms of generating high quality signals for folks that don't necessarily have a strong offsec background.

Now red team. This is a real interesting one, especially when you think about plugging it in with threat intelligence. If you think of threat intelligence as a team, their primary function is to research real world adversaries and threats. This knowledge can be incredibly valuable for informing red team operations, so by integrating threat intelligence into the planning and execution of red team operations we can gain a more focused lens through which we can examine particular threats, and this targeted approach allows us to anticipate and address potential threats with some answer to: can we detect this,
will we see this? In turn that leads to a lot of nice proactive and accurate security wins, so that's pretty great. To maximize the effectiveness of red team operations, purple team automates TTPs that are used in a red team operation with the Forge. In doing this we're able to use the TTPs either to control commits to trunk for infra deployments, or to run them as needed to see if a detection has regressed or stopped working. By closely examining the various paths that red team exploits, we can ensure a more secure and responsive approach to our security measures.

All right, so now we're going to talk about some of the difficulties that are unique to each of our teams. On the purple side, first and foremost, information overload. It is vital for purple teams to prioritize quality over quantity when it comes to TTPs. If you're just running a bajillion TTPs simultaneously, I mean that's almost as bad as the traditional model of just yeeting a pen test report over the fence to be like, yo dog, fix this. They have a queue, they have a lot of stuff going on; that's not going to help, so by just giving them a ton of signal, where are they going to start? Instead we should aim for focused, in-depth exploration of fewer TTPs for more effective improvements. Let's focus on the outcomes. Next up, as I mentioned before, purple teaming is a fairly nascent field, and so a lot of people think of it as pen testing, and I can tell you as a career pen tester, very different. They're both quite important, but with purple teaming we are a lot more focused around trying to generate signal that will be used to check and see: hey, does this work, does this not work, let's see if we can iterate. Ultimately, by executing these in a controlled environment and repeating really as many times as needed, we ensure that we can improve our defense or address any gaps.

So on our side of the fence, first up is ruthless prioritization. There are thousands of groups that we could track on any given day, and tracking is a super intensive procedure; it's costly for us to do. We don't want to track the entire world, and that's especially true in a world where every kid with a laptop can throw up a WordPress blog and call himself the next ransomware crew. At the same time we don't want to drown our stakeholders as well, and it's a common trap of intelligence teams that they just pipe everything that they have to a downstream team in the hope that you care about something that lands. That problem gets compounded if you have
vague intelligence requirements. Contrary to popular belief, "tell me what all the bad things are" isn't a brilliant intelligence requirement for a team. If you haven't told your team what you care about, there's two things that will happen: one, your intelligence team's never going to send you anything and you don't see anything, or they're going to throw everything at you in the hope that something sticks. That's become a massive industry trap for intelligence teams, where we're perceived as just the producers of reports nobody reads. So that's one thing we've had to dig ourselves out of with really tight intelligence requirements. The last is uncertainty and probability. One of the taglines of my team is: threat intelligence exists to remove uncertainty and to inject probability. Sudden landscape changes are shrouded in uncertainty: we don't know who this group is, what they're capable of, if they've hit us, are we capable of defending against them. All of those are uncertainties that threat intelligence should exist to help teams remove, and to empower stakeholders to find the answers to those questions. But when we're doing that we have a fundamental language gap. Intelligence works in a murky world of partial pictures, confidence ratings, TLP classifications and probabilities that traditional blue teams don't use every day. The blue teams that we deal with are much more absolute: they deal in true positives, false positives, can we detect this, can't we detect this. So that's where TTP Forge has helped us bridge that translation gap. It's not just me rocking up at your desk and telling you a spooky story about what's happening on the internet; we're doing it from a point where there is this thing that poses a credible risk to our business, but we've tested it, and here's the data that proves it's a problem and we need to move now, and here is all the signal that arms you to take the next step.

All right, so with that context and information in mind, why don't we talk about the shared problem spaces our teams have in common. First and foremost, and I think this applies to anyone and everyone who does security in this room: how do we get people to care about this stuff? On the purple side, securing resources to address gaps can be a real bear, and so the key is effectively communicating the impacts of these gaps as far as the organization's security posture goes. You don't want to just think about your little area that you're targeting; we are saying, in the grand scheme of things, what does this mean? In doing that we're able to highlight potential risks and repercussions if these
risks are left unaddressed, and that in turn allows us to advocate for the value added by remediating them. Our advice is typically in the realm of: utilize purple team reports, which are a joint report that everyone involved gets to contribute to (more on that later), and TTP Forge to support your case and convey the necessity for allocated resources. Next up, time to test. As an internal consultancy we prioritize tasks based on a well-structured priority queue, and no joke, it is a priority queue; that SANS talk covers that if you find that interesting. While our ability to define and defend our timelines is robust, our resources to automate TTPs are finite, and that can definitely pose some interesting challenges at times. Lastly, we work at Meta. That place has anything and everything you can possibly conceptualize; it is huge. The nature of our diverse tech stack can often lead to questions of, hey, is this feasible to automate? While we strive to automate as many TTPs as possible, ideally to increase efficiency and provide defenders with a bigger picture on what's going on, the broad variety of tools and systems in use can present really unique challenges.

What about on the intel side? Yeah, on this side of the fence, the first one, on getting people to care: the question we dread as a team coming back when we've broken intelligence is "why should we care about this?" If that's the first question back to your intelligence team, your intelligence team has fundamentally failed in convincing you that you should move. On time to test, when we're dealing with landscape changes we don't have the luxury of waiting weeks. Back to summer of 2022, that was in news articles now, so we need to do something about it now, and where we're trying to bridge that language gap between intelligence teams and more traditional security teams, we need to get that into test to generate the data that allows us to have the conversation about what the next step should be for the company. The last piece, on diverse tech stack: we're plugged into a firehose of stuff and see different attacks and TTPs every single day, and that's compounded by, as Jason says, Meta is huge. We don't want to every day have to turn around to all of our different stakeholders, surface owners, tech owners and say hey, this happened on the internet, does it work here, is this viable here? We need a way to generate those answers ourselves, and then we come to you saying we know it's a problem because we've proved it, and we can limit that scope.

So now we're going to delve into
bringing stories and reality together. This is what's happening under the hood between all these security teams when we're responding to a sudden change in the threat landscape. The easiest way to sum this up is: intelligence teams are reverse engineering a playbook. Whether you like it or not, humans are lazy and playbooks exist. There's a talk later on today about the Conti playbook that leaked in 2021, where threat actors had a literal long-form written playbook that they shared between operators of the Conti ransomware affiliate scheme, to the point where commands could be literally copied and pasted out, and then we found that in incident response reporting months before those playbooks were actually released. On the flip side of that, there are soft playbooks, the playbooks that exist in an adversary's head, and those are the TTPs that they use because they know they work; they've invested time in learning them, they've invested resources in building them and deploying them, and they'll use them until a point in time when they become inefficient or unvaluable to use. So we're stitching that playbook up from a number of different sources. The first is public incident reporting, and to the credit of Coinbase, Twilio, Reddit, that were responding to this group, their public incident reporting was brilliant: it had indicators, it had TTPs, it had everything we needed to latch on and start reverse engineering a playbook. But the reality of public incident disclosure isn't always like that; often those things come heavily redacted by legal departments, so much so that the detail is lost and we can't reverse engineer a playbook. Next we can plug into vendor intelligence. We plug into a load of different vendors, but you have to be lucky that the group you're tracking is big enough to be on your vendor's radar because it has multiple customers that it impacts, because if it's not, it's likely that your vendors are also doing the same thing you're doing of trying to reverse engineer a playbook so they can sell you that intelligence before your team's capable of doing it. Then next we plug into sharing communities, and this is everything from incident response teams on the ground in different companies within our sector, that are our eyes and ears of what's hitting us as a sector, to threat intelligence sharing communities, and more recently agencies like CISA have been a massive partner to us in proactively sharing things with us and working with us collaboratively to build up these playbooks. Last but not least, we plug all the other gaps with proprietary tracking, and it's hellishly expensive, but that's when we spin up our group to say we'll do the
research manually ourselves to build up the rest of the playbook. That's the reason why that team spends most of our time tracking threats that only target Meta, or only target a small cluster of companies within our sector, that just aren't on anybody else's radar because nobody else is impacted. So that's where we spend a lot of our time. Then we stitch all that together from all those different sources into what we know about a group's playbook. Now, we'll plot that against MITRE ATT&CK, but a seven step kill chain fits a hell of a lot better on a slide, so this is a really cut down and simplified version. When we're engaging purple team there's two choke points that we're looking for. One is high frequency reuse TTPs, those TTPs that we know an attacker is likely to try first before they fall back to something rarer in their arsenal. The second is where we have good evidence from TTP Forge that we have existing detections for a certain step of an attacker's playbook, but there is one weird branch of their playbook where we have uncertainty, and we need to engage purple team to go and plug that gap and work out: do we actually detect this, or do we not?

Oops. All right, so we have cultivated a phenomenal working relationship for over three years now, and we have worked together across different time zones and geographic locations of the world. We didn't always have teams, but I'll tell you, once we both got teams this collaboration and phenomenal working relationship did not slow down; rather, we've created vetted and scalable methodologies that facilitate doing cool work together, and at the end of the day isn't that what we all want? All right, so you heard Adam's piece on the threat intelligence component here, so we're not going to beat a dead horse, but we'll move on to the next step in this equation: purple teaming. The first step to executing a joint operation with threat intel is automating the TTPs they brought to the table with TTP Forge. Again, automation provides scalability, uniformity in testing, and the means to replay these TTPs regularly to identify regressions or gaps. However, it's not always prudent to automate everything; there are some elements in an adversarial simulation that require more organic exploration of a target, so you can actually get a sense for some of the pivot points that may come up.

So next up we plug something into TTP Forge and purple team helps us replicate it. If we have a detection that fires, great: a detection lands in a production queue and we know we have coverage, but TTP Forge allows us to add
regression testing after that, so if in the future our detections regress, maybe somebody disables a rule or our EDR rule engine changes, we'll know about it and can kick off a process to address that gap. But more importantly, if we find that we have no detections, no alert fires, no incident response team is spun up in response to it, we have a gap and we have uncertainty: we know there is a TTP in the wild that an attacker is using that's a risk to our business. We engage threat hunting there to go and work out if that TTP has ever been used historically, and if there's a true positive and they find something, great, well not great, but we can escalate that to incident response to remediate. But there's equal value in them doing that sweep and proving the negative, and I see so many threat hunting teams optimizing for finding true positives and neglecting the value they bring in proving that the fleet is in a secure state as detection engineering works to plug a gap. Next up we plug detection engineering in, and the advantage of both these teams working with TTP Forge is they're working with a signal of what that attack looks like in their environment, in their logs, in their full security stack, so they know what to hunt for on the hunter side, and on the detection engineering side what to write a detection for. At the same time TTP Forge allows them to replay an attack as they're developing a detection, so they know once it lands it actually detects the TTP that it was intended to. After that we go through a whole process of IR onboarding. We don't just yeet new detections into our incident response team and hope they're good; there's a whole amount of playbooks, response flows, automation and metrics that have to be stitched together to make sure the quality of life for incident response teams is good, and that when that alert fires, if it ever does, they know how to respond to it, know the risks associated with it and know what the next steps are.

All right, the most important part: the report. Specifically, we tend to do joint reporting for all purple team engagements, and through collaborating on a joint report we're able to create something that's a lot more effective and robust. The combined effort of all of the different parties involved leads to an output that's stronger than any of its individual parts, showcasing the practical value of working together. What a concept, right? This tends to be a much easier report for leadership to stomach; it tends to be focused on actionable metrics and viable resolutions to long-standing issues, and each report aims to capture enough information so that other engineering
teams are able to pick up that report and repeat the exercise, ideally without the original participants. That is a very important part of how we can scale, again, at a massive company. So in the spirit of trying to provide the tools necessary for defense teams and engineering teams to repeat the work that we've done, we are also releasing Forge Armory, which is a collection of commodity TTPs. Some of these even include detections; actually I've been learning how to write some detections, it's been a good learning experience. Red teamers, you should definitely try that sometime, it gives you a new perspective. So with these detections you can take those commodity TTPs and provide actionable information for your blue team, or better yet, write them a well-documented TTP that they can run as many times as they want as they go through the process of trying to build a high fidelity detection or a prevention, and then you can move on to the other shenanigans that are in your backlog. With respect to both the Forge and Armory, this is meant to be a community driven way that we can share information, and allows us to better communicate and share processes between offsec and defenders that allow us to start fixing some stuff.

Oh yeah, this is the good stuff right here. So we're going to launch into demos. This is an example of a cut down playbook that's quite traditional for us to throw at purple team, and it uses a mix of things that we're going to need their hacker expertise to come and manually replicate, but also a lot of things that they can throw into TTP Forge and automate for us. So yeah, kick the demo off. Yes, sure, let's go. So first up, initial access. We were going to talk through Evilginx quite a lot here, but Chris Merkel did a 45 minute presentation yesterday about Evilginx, so if you're interested in diving into the realities of how to set that up, configure it, what the risks are and stuff, check out his talk; it goes into way more depth. But essentially I tasked Jason's team to go and spin up Evilginx for it, and he still hates me to this day. He hates me even more that I made him replay this for this demo because he had to do it twice. So to the point about automate what you can: definitely automate what you can, you'll never know when you need it in a conference talk. We're going to run through it with an Outlook account because we've since patched this, but in summer 2022 we were halfway through our PH2 roll out, so we
didn't know which surfaces had complete coverage of PH2 which users were enrolled and where it was viable so when we first tested this it worked and it blew straight through you could like steal session tokens and authenticate to one of our accounts which isn't great right but so all right uh cool so we're going to continue through the rest of this uh demo and so to start uh we got a credential and uh you know we want to see what uh what's going on with that so going to go ahead and log in oh yeah sorry this is the part where we're catching the credential from e evil and Genex or evil Genex there we go
Hey, look at that credential. It's beautiful. And I forgot to show the session, so I went ahead and went back in so y'all can enjoy that in all of its glory. And of course I forgot the number. Oh yeah, look at that, that's nice. All right, cool, so we have our initial access covered, and this right here... oops. Hey, you want to talk about this? This is nice. What was it again? Oh yeah, thanks.

Yeah, sure. So when we ran this test, and Chris Merkel's got all this in his deck as well, hunting this is really, really difficult, because one, you can say okay, show me what the real authenticated, logged-in employee's session looks like, and two, show me the Evilginx session, and you can do things like compare the geolocation, like the impossible-travel style alerts. But when we did it, it generated 291 hits in 90 days, because a lot of our employees are also using personal VPNs to watch YouTube and content in different regions. Great. So that's not something I'm going to just pipe directly into our incident response queue. In the end we pared it down by saying: the IP that authenticated, does it feature in the record of a young domain? Because what we were seeing were groups spinning up an Evilginx domain and then weaponizing it within 24 hours. That was a really good way for us to pare that down.

All right, we got a credential, so we also have a sense of how we could detect that. Let's see if there's any goodies. All right, so logging in. It looks like this particular account is not used for a whole lot, and by the way, you don't want to do that; you want to go ahead and just... we were never here. There we go. And hey, look at that, that looks real juicy. I bet that there's a lot we can do with that. So that's the manual parts there. Now we're going to get into the Forge.
First off, we're going to use the Forge to execute a TTP that employs the enumerate-iam tool. And so I wanted to start by showing you all what a TTP looks like. We try to have some decent documentation around it so that ultimately defenders can read through and understand without having to get into the code. And beyond that, we also provide prerequisites, examples that you can copy-pasta like we're going to do here, and we also have each step, which for defenders, these can be IOCs. If you're trying to figure out, hey, where do I start here, these are the steps it's going to run. I think that there's some options here in terms of doing that. And as I mentioned, we're trying to do some detection, so they ain't going to be high fidelity; I'm a red teamer playing a blue teamer on TV. But they give you a starting point for a conversation with your defenders. And just a word of warning: the enumerate-iam tool does not move as quickly as you're going to see here. It takes a lot longer, but I'm not going to subject you all to that, because that would not be a prudent way to spend our time.

Now here's the interesting thing. We've got, looks like, full access for AWS SSM, we've got Secrets Manager, we can list secrets, we can describe instances. There's some good stuff here. We can access some logs. So hey, we've got some things we can work with, and this gives us a lot of attack paths that we can really start to think about in terms of, hey, what is an adversary going to do? Now here is another interesting thing: the detection did not really catch much of anything, and so we discovered that on certain API endpoints CloudTrail seems to be lagging, and subsequently that's why we're not seeing anything here. So that's good to know. As a defender you're like, hey, why am I not seeing this? Just give it a bit and then it'll show up.

But all right, so we know roughly what we can do with this credential. Why don't we go ahead and start with Secrets Manager, because that's always a juicy one. And so this is another TTP; it basically allows you to pull a secret, or multiple secrets, or all of the secrets from Secrets Manager. So as you can see here, these are examples of how to use it, those are the steps, and hopefully those can provide some viable IOCs for defenders to start with. And so we'll go ahead and kick this bad boy off, and if we can take a look here: while we were able to get the secret, which is awesome, we also see that defenders can see that we were doing that. So that means we have limited time and we need to move quickly if we were an actual adversary. So this is good. We have something here we can work with; defenders can start to think about this.

So all right, we got a secret. We love secrets. This particular one is a database credential, and we all know that that can be a lot of fun. So if you're familiar with AWS, RDS is the Relational Database Service, and it's used to spin up relational databases in AWS; could be Postgres, could be MySQL, what have you. Now we have this credential, and so one way we could go about this is just connecting to it and seeing what's up, but that's not what an attacker is going to do, because that is going to look funky and probably is going to get you caught. So instead we can just be a little patient. We have the means to describe instances; let's see if there is anything that might be used to connect to this database regularly, so then we actually blend in, which, as we're trying to do adversary simulations, a good adversary is going to do that.

And so we've been building up our fleet of Mac TTPs, thanks again to Cedric Owens. This man knows a lot about breaking stuff in the Mac world. So here we're just going to be good attackers and establish some persistence. As I'm sure a lot of you are aware, SSH is quite often just kind of open to the whole world, so it doesn't seem like a far throw to just be able to throw a public key in in order to get back in. Yeah, I've done it, it works. And with LaunchDaemons, I mean, defenders don't tend to look there, because there's just not a lot of great tooling around macOS. So hey, defenders, you should definitely look for persistence mechanisms with that.

And all right, cool. Now that we're on a system that looks promising, it's a macOS system, why don't we go ahead and run LaZagne and see if there are any secrets in memory or on disk. As you can see here, it didn't really find anything, and so this puts us in an interesting position as purple team. On one hand we ran the TTPs, we generated the signal, job done. Not necessarily. We're, again, trying to simulate what an adversary does, so why don't we do a little bit of just organic exploration and see what we can do with that, because once again that is what an attacker is going to do. They're not just going to stop and say, oh, it didn't find anything, all right, cool, done. So we're going to just use a find command, and real quick we got something that looks pretty good, and I'll tell you, if that matches the secret that we found in AWS Secrets Manager, I think we're in business. Ooh, looks like it does. So now we know that we can connect to this database, and it's expected, because obviously they're doing it on the system, and so we can blend in.

All right, what we're going to do now is we're going to set up a listener on our attacker so that we can shoot ourselves some delicious data and simulate the exfil part. So that's a nice little Docker container, if you just need something on 880 that echoes out whatever comes in. And now we are on the macOS system connecting to the database. We'll just do a little bit of recon, understand where we're at. We got a database that looks pretty juicy, and see if there's any tables that have anything that looks good. Oh yeah, that looks real good. So let's see what we get in users. We got password hashes, we got Social Security numbers. This looks like something that we want to steal to see if our defenders can catch it.
What we're going to do is dump the database, ideally in a directory that we have write permissions to, like home. Yeah, that's nice. Cool, so we've got the dump, we've got the listener on the attacker box. We want to make sure the dump is for real. Looks like it is. So now we're just going to go ahead and send that over, and I'll just go ahead and grab this so it's easier to show you all what's up. It's base64 encoded, so this is what it looks like on the attacker side. You can do a little parsing there if you don't want to have to copy and paste the whole thing, but, you know, up to you. So that's the massive string, and we're going to, yeah, decode it. Boom. Success. We have stolen things, and now we have a complete attack chain that we were able to automate a lot of, and we can repeat it as many times as we need, so defenders can drill on this and make sure that we have answers for these things. Okie dokie, where's my mouse? There you are, sneaky little devil.

All right, that was a lot of fun. I enjoyed making that. I wanted to impart a few takeaways from today's talk. Takeaway number one: we are releasing the TTP Forge, our framework that we employ for purple teaming, detection engineering, and a whole lot more. This is a project that we've been building for years that has been a critical component of every purple team engagement at Meta. It's fine-tuned and built in a way that supports defenders with very little to no offensive background to be able to create signal and build offensive capabilities that they can use while they're testing, which is phenomenal. It also supports chained executions for more advanced simulation, so you can do a fair bit with it. Additionally, this is being released with Forge Armory, which is, again, a collection of commodity TTPs for a variety of targets. Now, if you look in the existing space, there's a lot of Windows, Windows, Windows, Windows, and you know what, there's plenty of tools that are able to solve that problem quite well. Not saying we won't support Windows, but our primary focus on our TTPs has been around Linux, cloud, and macOS, which is a sizable gap, again, with a lot of the existing adsim solutions. So I also believe that I've mentioned this once or twice, but Cedric Owens is the purple team co-lead and that guy knows a lot about attacking macOS, so we've got some good stuff in there. And to reiterate from before, we really sincerely want this to be a community-driven effort, so come say what's up, let's chat and drink a beer or something. Any thoughts, Adam?
And this last one's more of a personal note from me, but if you're in an offensive security team and you've never chatted to a threat intel person before, and you've got a threat intelligence team, go and chat to them. And at the same time, if you're a threat intelligence person that's never worked with an offensive security team, you should be opening that relationship up as well from the other side. When me and Jason first sat down three years ago and started to lay out the different problems our team had, it was amazing how much we shared in common, and now we've got a joint product and a joint process. We're much more valuable together than we ever were apart. So yeah, go and chat to each other, basically.

Definitely, 100% do that. And while it's just the two of us up here, we are standing on the shoulders of giants. We both have exceptional teams, and we want to make sure to pay respect to everyone that's helped to make this possible. So without further ado, here is the rest of the team after we both did an escape room, and as you can see, the glory goes to the top team that was able to finish it first. Bunch of good-looking folks in that one. And there's also a lot of names of folks who are not pictured, and they were, again, a massive help in doing this, so shout out to all these folks. And I'll tell you, if any of this sounds cool or you want to get involved with doing this kind of stuff, we are hiring. Red team's hiring and blue team's hiring. Y'all should throw your hat in the... yeah, throw your name in the hat and let's see what shakes. And with that, we'll take any questions or whatever you have.

[Applause]
Thank you, great talk. So one of the points you mentioned is prioritization, you know, how you prioritize, basically, your efforts. So can you maybe share your thoughts about how to prioritize among different attacking techniques that you want to protect from, and also on the environment side? The environment is massive, so probably like tens of thousands of microservices. So how do you prioritize on that side as well?

Yeah, great question. So the question was around how we prioritize effectively around TTPs and various surfaces that we need to secure. By actually talking with our blue team and planning with them, and trying to just really sit down and have some come-to-Jesus talks around, hey, these are things that we should really be thinking about. That's very helpful. We also have a bunch of teams that are in charge of different surfaces, if you will, at the company, and so they really are in charge of prioritizing for us. We just kind of try to jump in and try to do as much as we can in a certain area. Once again, as an internal consultancy, that gives us some flexibility, so we can also look at areas that maybe aren't getting as much love that really should. But effectively, a lot of communication and a lot of understanding what blue is seeing and where their priorities lie, and seeing where theirs overlap. Anything to add on that?

On the threat intelligence side, I think if you asked us that question we'd prioritize it in terms of the groups that we track. So the highest priority for us is groups that have attempted to pop us in the last 18 months. They're our highest; we'll track them with the highest frequency and in the deepest detail. The medium stuff for us is groups that have attempted to pop companies in the sectors in which we operate but haven't necessarily... we've not seen them target us, but it's viable and it's probable we could become a risk. And then there's the rest of the world of stuff that's just interesting and out there that could be adopted. So that would be the spectrum that we kind of use, and as an intel team it's not just what's published about a specific group; we have a lot of internal TTP data as well that can feed into that. So it's not just what's been seen by blue team when an attack's been thrown at us to go and replicate; it can be what we've seen from research of what this actor has done in the wild. Hopefully that helped.

Awesome, thumbs up. Anyone else? Cool, hey y'all have been... oh yeah, go for it, man. Hey Kyle. Hey dude, you look awesome. Thank you, you too.

So what's an example of a low- versus high-fidelity TTP?

Oh yeah, so that goes around the detection, typically, with the terminology anyway, but basically... actually, you know what, you're the blue teamer, so you should be answering this.

Thanks for throwing me under the bus with that. I love you. No, and you're probably going to jump in and correct me when I absolutely butcher this, but in the past we've pushed, said this actor uses this TTP, go and deploy it as a detection, and things like rclone, top of mind when we talk about fidelity: rclone's used a lot in our environment. So as an intel team we're like, our only perspective is we see attackers using rclone to exfil data. When we go to blue team and try and land that as a detection, it blows up 3,000 times a day, because everybody's rcloning stuff all over the place and we have no security policy in place that forbids you rcloning things, because it's a tool we use. So that's where the fidelity conversation comes down, in my mind. It doesn't mean it's not useful for threat hunters, and it's useful signal to see what rclone looks like in our environment, but it's probably not something that we're going to push for as a detection, at least a detection that's going to fire first. It might be a lookup that we do after an initial detection, when we detect specific suspicious activity on a box.

Yeah, so on one hand you can say, all right, hey, when this tool fires it's bad, but then your defender's like, dude, what the hell am I going to do with all this? This is like a bajillion alerts. So you can kind of look at that and say, all right, what kind of context happens around this so that we can maybe make this a bit more robust and not inundate our defenders with a bunch of BS. And so in trying to figure out more nuanced ways to look at certain behaviors that could be indicative of a threat, that is where the kind of high- versus low-fidelity piece comes in. Does that help? Mhm. Awesome, cool. Another question?

Yeah, hit me. Do you ever generate TTPs off novel vulnerabilities found internally that aren't coming from the wild, like from application security or product security or something like that?

All the time, yeah. So yeah, before I was here I was with Kyle on the ProdSec team at Splunk, so I have a pretty decent web background, and we do a lot of engagements with products, you know, IG, FB, what have you, and those obviously are going to look different than these infra engagements to a degree. But we also have a really great relationship with our bug bounty crew, and so we're able to take stuff that comes in from our exceptional bug bounty hunters and also be able to incorporate that. So we can have a lot of flows for different things that are top of mind and maybe are not as easy, but hey, you got some of the top bug bounty hunters in the world throwing some pretty gnarly stuff over. Yeah, we're definitely going to take advantage of that, absolutely.

Will those come out on Armory with the disclosure?

So yeah, basically with Armory we have to keep it commodity; that was kind of the dealio. So we're not going to be releasing, hey, here's how you abuse X or Y or Z. But that's a good question. Okay, cool, thank you. Thanks, man.

Hey, good morning. Stop... oh cool, never mind, go ahead. Morning, great talk, thanks for sharing the tool, it looks amazing. Something that came to mind: there's this different tool called VECTR. Is there anything in the project's direction, or is there any feature already, that brings in that project management aspect of it?

I see, yes. We are going to be using VECTR. I figured out how to turn it into Kubernetes manifests, so we're hopefully going to be contributing that back to the community. But yes, we do use VECTR, and poor Cedric has had to do some real serious stuff to be able to get that all landed. But yeah, we do, and it's really cool. The folks that are in charge of it are very nice.

So if I'm understanding correctly, there's going to be some sort of integration between VECTR and TTP Forge rather than, you know, a side-by-side comparison?

Yeah, so the way that we're thinking about integrations with EDRs, with different tools like that, is we want this engine to be mean and lean. So what we're going to do is, effectively, the concept of modules, so you can have bolt-ons that will provide you with new YAML syntax based on the logic that you have in your module. Import it, use it. Not everyone's using VECTR, so the folks that want to use it, cool, you got a module; folks that don't want to use it, cool, it's not going to bog you down or make our tool any slower.

Cool, thank you very much. Yeah, man, for sure. And hey, y'all have been awesome. Thank you so much for hanging out. We really appreciate it.

[Applause]

The Forge: after this talk I'm going to be just dotting the i's and the t's, so keep an eye out on those links that we threw up, and I hope you all find it useful. Hit us up, we want to talk to you. Let's drink some beers. Life is good. Cheers.
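The session-hunting heuristic described during the initial-access demo (impossible-travel style alerts were too noisy on their own, so authenticating IPs were checked against the DNS records of recently registered domains), worked through as an added example that is not part of the talk, of TTP Forge or of Meta's tooling. The login records, the IP-to-domain mapping and the 24-hour "young domain" window are constructed assumptions for illustration.

```python
"""Two-stage hunt for phishing-proxy sessions: a noisy geo-based first pass,
then a young-domain lookup on the source IP to cut the benign VPN hits.

All data below is constructed sample data (RFC 5737 test addresses); it is
not real telemetry and not part of TTP Forge.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

YOUNG_DOMAIN_WINDOW = timedelta(hours=24)  # assumed threshold from the talk


@dataclass(frozen=True)
class Login:
    user: str
    src_ip: str
    country: str
    ts: datetime


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    ip: str                 # address the domain's A record pointed at
    registered: datetime    # registration time from passive DNS / WHOIS


def impossible_travel(logins, max_gap=timedelta(hours=2)):
    """Noisy first pass: same user seen from two countries within max_gap.
    Returns the later login of each such pair (one alert per hop)."""
    hits, last_seen = [], {}
    for ev in sorted(logins, key=lambda e: e.ts):
        prev = last_seen.get(ev.user)
        if prev and prev.country != ev.country and ev.ts - prev.ts <= max_gap:
            hits.append(ev)
        last_seen[ev.user] = ev
    return hits


def young_domains_for(ip, records, at, window=YOUNG_DOMAIN_WINDOW):
    """Domains resolving to ip that were registered within window before at."""
    return sorted(r.domain for r in records
                  if r.ip == ip and timedelta(0) <= at - r.registered <= window)


def hunt(logins, records):
    """Keep only geo hits whose source IP also sits on a young domain.
    Returns [(login, [domains])] so responders see why it fired."""
    out = []
    for ev in impossible_travel(logins):
        doms = young_domains_for(ev.src_ip, records, ev.ts)
        if doms:
            out.append((ev, doms))
    return out


T0 = datetime(2022, 7, 1, 9, 0)
# Constructed logins: alice hops countries via a long-established personal
# VPN exit (benign); bob's second login comes from a freshly registered host.
SAMPLE_LOGINS = [
    Login("alice", "198.51.100.7", "US", T0),
    Login("alice", "198.51.100.9", "DE", T0 + timedelta(minutes=30)),
    Login("bob", "203.0.113.5", "US", T0),
    Login("bob", "203.0.113.77", "NL", T0 + timedelta(minutes=45)),
]
# Constructed passive-DNS style records for the two hop destinations.
SAMPLE_RECORDS = [
    DomainRecord("vpn-exit.example.net", "198.51.100.9", T0 - timedelta(days=900)),
    DomainRecord("sso-portal.example.com", "203.0.113.77", T0 - timedelta(hours=6)),
]

if __name__ == "__main__":
    for ev, doms in hunt(SAMPLE_LOGINS, SAMPLE_RECORDS):
        print(f"{ev.user} from {ev.src_ip} at {ev.ts:%H:%M}: young domain(s) {doms}")
```

Both sample users trip the geo check, but only the login tied to a domain registered hours earlier survives, which is the pruning the speakers described.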