Defending Beyond Defense - Catherine Ullman

BSides Peru · 34:52 · 73 views · Published 2023-08
About this talk
BSidesPGH 2023

Assumptions burn defenders every day. Perhaps the most pernicious one is that systems and their controls will always work as designed. Best practices in security may be good guidelines, but unfortunately also suffer from these same blind spots. For example, best practice recommends the use of LAPS for local administrator account passwords of domain-joined computers, yet misconfiguration of Active Directory can turn it from a protective control into a vulnerability. But what if there was a way to challenge these assumptions up front? The best way to dismantle these types of assumptions is to experience how deeply flawed they are. There is no better way to gain first-hand experience into this perspective than immersion in the offensive security space. In this talk we'll explore how to immerse yourself in the offensive security world to obtain this knowledge without needing to change careers or obtain additional certifications. By being more informed about offensive security, defenders are better able to recognize relevant intel, understand existing threats, and more readily discover attacker behavior. Join me as I discuss how there's more to defending than just defense, and how you can find and engage with the amazing resources that are out there waiting to be explored.

Catherine Ullman

Dr. Catherine J. Ullman is a security researcher, speaker, and Principal Technology Architect, Security, at the University at Buffalo with over 20 years of highly technical experience. In her current role, Cathy is a digital forensics and incident response (DFIR) specialist, performing incident management, intrusion detection, investigative services, and personnel case resolution in a dynamic academic environment. She additionally builds security awareness among faculty and staff via a department-wide program which educates and informs users about how to prevent and detect social engineering threats, and how to compute and digitally communicate safely.

Cathy has presented at numerous information security conferences including DEF CON and Blue Team Con. In her (minimal) spare time, she enjoys visiting her adopted two-toed sloth Flash at the Buffalo Zoo, researching death and the dead, and learning more about hacking things to make the world a more secure place.

https://pretalx.com/bsidespgh-2023/talk/LYBMKG/
Transcript [en]

Good morning everyone. We're still asleep. Good morning everyone! Thank you, that's well done. Okay, so thank you all for coming, and I am delighted that BSides brought me in. What I will tell you is that I really don't want to be the only person talking here, so I'm going to be asking you folks some questions, and feel free to ask me questions as we go, because frankly, number one, I don't want to be the only one talking, and number two, I'm one of those people where I'm 10 minutes into a talk and then I go, crap, there's something I really want to ask, okay, I can see another talk, and I forgot what the heck it was. So, you know, you're welcome to come up to me after the talk, I'll be here all day, but if there's some burning question you have, don't feel like you have to wait till the very end.

So with that, this is what we're going to cover. I'll do a little intro about myself. I'm going to give you some background and history about this particular talk, where it came from, where I got the idea. Then we're going to focus on some defender assumptions, because I am somebody who works in defense myself, and one of the things that I've learned over time is that the way we tend to think about defending our networks is missing some key information. That key information has to do with the offensive security side of the house. So we're going to talk then about immersion in offensive security and how that can actually make your job better, and we'll wrap up.

So here's a little bit about me. As she mentioned, I'm Cathy Ullman. Catherine is what my parents call me, but that is the formal me. I work at the University at Buffalo; I've been there over 23 years in a variety of capacities, but with the security office since 2009, and the joke is I am one of the OGs, because there were only three of us and two of them are already gone. So ever since then it's been me and a variety of other people, depending on the time frame. I volunteer with a bunch of conferences, I'm on staff with a bunch of conferences, I run BSides Rochester, so, you know, if you ever get out that way... And we have Matt here from BSides Buffalo; I've got a fellow Western New York rep. I've also done a bunch of other things, like speak, and I love sloths. I always have to have a sloth picture; that's just a requirement for my talks.

So here's the background piece of this. When I say "how did I get here," I don't mean physically here; that's a really boring story: I got in the car and I drove. So we're going to talk about how I got to this sort of concept, and essentially what happened was, I've been working in the defense space at the University for a number of years, and we started an independent study class called NetDef, and NetDef was a class where students could come and learn about how to participate in CCDC. Who's familiar with CCDC? A bunch of you. For those of you who aren't, it's the Collegiate Cyber Defense Competition. There's also a Collegiate Penetration Testing Competition, which I learned about and I'm also a volunteer with as well. But when we started this class, a lot of these folks coming in had very little sense of defending at all, so we had people from industry, myself included, who were there to help guide the students. Some of the people who were in this space were folks in offensive security. So how many of you are in offensive security? I see one, yeah, a couple of you. And the rest of you do defense, basically? Yeah, okay, that's what I would expect for this talk, but we do get offensive security folks come, and that's awesome.

So what I learned was there's this thing called offensive security that I didn't know existed. I knew how to be a sysadmin; that's the role I came up through. I had done help desk and those kinds of things, and I knew about securing systems as a sysadmin. It was something that was important to me, and what I want to tell you is I've been doing this so long that back in the old days we didn't have host-based firewalls; that was not a thing. If you had a host-based firewall on your server, holy crap, like nobody did that, okay, but I did, because I had always been sort of security focused. And I had never heard of offensive security. So getting to know these people, I said to them, tell me more, tell me more about this space and what that's all about, and the person I was speaking to said to me, go to a BSides, and I said, what the heck's a BSides? I'm sure many of you had a similar conversation along the way that got you here. BSides was the beginning, and I went to BSides Rochester; that was my first hacker con, and I loved it so much that of course now I run it, so, you know, full circle and all. But in going to BSides and then subsequently to a bunch of other cons, I started to learn more about offensive security practices, and what I realized was there really is this sort of whole other side of security, and it may not seem like that, but it really is. Offensive security practitioners typically think in a very different way from defense, and it has a lot to do with the fact that in defense we're often so concerned about running the thing, keeping the thing going, supporting the mission of the thing; offense is trying to do testing against all of that, so while they're looking at what you're doing, that's not really their focus.

So I put this Matrix graphic up, and hopefully... how many of you know The Matrix? I find the longer I do this, the fewer hands I see. Okay, a lot of you know. So for me it was very much like the red pill, blue pill, in the sense that I took the red pill and it was this whole other world, right? I didn't know it existed. So ultimately that led to me recognizing there was way more to this, and as I started to have conversations with my colleagues in defense, I discovered they didn't know about this either, and that's where this presentation originated.

So when I talk about defense and offense, I'm going to give you a couple of definitions just so that we're on the same page. I'm not going to read them to you, because I don't want to insult anybody's intelligence, but this is what I mean by defense, pretty straightforward, and this is what I mean by offense. And I purposely am not using blue team, red team here, and the reason I'm not using blue team, red team here: how many different definitions, in particular of red teaming, do you think there are? I hear at least a few giggles, right? Lots of different entities use the words pen testing, red teaming; different companies call these different things, different people have different senses of what those things are supposed to mean. I'm going to stick with offensive security because it kind of umbrellas all of that stuff without having to call out one piece in particular, because it's really under one side of the house. So that's why I'm doing this.

So let's take a look at how defenders typically think about securing their systems. So this is what you do: you're doing a web server build. These are the basic things you do, right? You're going to install the OS, and you're going to install whatever web software you have, and you're going to patch it, you're going to configure your firewall, you're going to configure your web stuff, if you're really good you're going to vuln-scan the thing, and you're going to document the heck out of it, and then you're good until, you know, a vendor comes out with a patch, right? I mean, am I wrong, folks? Is this not how we kind of think about doing security with a machine, like a basic build? Yeah, I'm seeing thumbs up, right, okay. There's nothing wrong with this in this sense, right? It's just that it's missing some stuff, and here's what it's missing. Offensive security goes: oh, you left 80 and 443 open, because of course you did, it's a web server. But from the offensive security point of view: what can I do with that? Can I do something with that that's not intended? How can I get somewhere from that spot? For those of you in offensive security, am I wrong? Is that not what you're kind of looking for? Yeah, exactly, okay. So you're looking for ways you can get in: are these fields sanitized, is stuff, you know, output-encoded properly, what interesting things can we do from this point? And in my opinion, the most important point that's up here is: what is its relationship to other systems? When you as a defender set up a web server, do you ever think about that? I'll see... well, not good, because honestly most people don't. They put up a server and they think about it in terms of business objectives, but they don't think about it in terms of security, and every system you have has relationships with other systems and types of data and other things that it interacts with, and those relationships are what offensive security, and likewise attackers, are ultimately looking for. So, you know, that's the problem.

So this quote gets attributed to a couple of different people, but the person who said it originally was John Lambert, and what I would say about this quote is it's not about the graphs specifically, it's about the relationships. Graphs are a means of illustrating relationships. Okay, so relationships are key. How many of you recognize this tool? A few of you, good. More of you should be familiar with this tool. So this is BloodHound. This is a free tool that a company called SpecterOps created to show relationships, and what's really cool about this (caveat: you must get permission) is you can run this too, if your organization will let you. Again, it's free, you can run it, you can see these same relationships, and when you see these relationships, for example, it will show you how to get from whatever account you have access to, it could be, you know, Joe User or some person, to domain admin. There's even an Azure version of this that'll take you to Global Admin: in so many steps, here are the ways I can get from here to there. It makes offensive security's job much easier, because, nice pretty picture, here's how I get from here to there. Okay, so it's good to know about.

So now let's talk a little bit about some defender assumptions in general. How many of you have heard "just break the chain," right, this idea of the cyber kill chain? If you can break the kill chain, you're good. Who's heard of the cyber kill chain? Yeah. How many of you have been told part of the goal of defense is to break that chain? A few of you, right. Here's the problem with this. It's not bad that you break the chain, but if I'm a determined attacker, or an offensive security professional likewise, and you break the chain in one place, am I done? No. This is a problem defenders often fall into: they think, oh, the chain's broken, I've stopped the attacker that was doing this, and I'm going on to look at something else. Odds are, if an attacker is trying to get into your network in a particular way and they don't succeed, they're going to try something else, and so if you're not looking for something else at that point, you're probably missing something.

All right, how many organizations here have some form of EDR or AV? Oh my goodness, I should see every hand go up, right? We all have this stuff, and these tools are very useful, and the more recent ones even more useful, because they can show us all kinds of things. And believe it or not, if you haven't heard this, there are defenders who believe if they have these tools in place they are safe, which I would hope most of you know is categorically untrue. And the reason it's untrue is that both attackers and offensive security know there are places where what they do is study how to get around these things; like, that is their full-time job: how do I get around EDR, AV, whatever, and they sell or trade with entities that want that knowledge. So it doesn't matter what product you have, doesn't matter if it's, you know, Cobalt... CrowdStrike or Defender; they all have somebody who's researching how to get around them, and there are a number of ways, too. So it doesn't matter if you've got tamper protection on; the first thing a good attacker will typically try to do is just shut it off. How many of you are looking for your EDR to get shut off in some capacity? Good, those of you who raised your hand, awesome. All of you who didn't raise your hand, mental note: you should be looking for that, because attackers love just turning it off. But they don't just love turning it off; they love just bypassing it. There are lots and lots of ways to bypass it. You can use command and control callbacks; those are ways to just get around it.

Who knows what a LOLBin is? A few of you, all right. Those of you who don't know what a LOLBin is: it's a living-off-the-land binary. Living-off-the-land binaries are part of the operating system; they are files that are native to the operating system, or the environment in question, because they could be files for, if you're running, like, VMware, they could be things like VMware Tools. They will use files that are already on the system to do things they weren't intended to do but have extra functionality. If you've never heard of LOLBins, it is worth it to spend a few minutes and Google it, because there's a lot of information out there. One of the reasons why attackers and offensive security people get found on systems is they bring their own tools, right? I mean, if an offensive security person or an attacker drops a tool on your system and EDR or something is running, it might catch it, right? Trying to get a file or something onto the system is way more work than using what's already there, so it's very convenient, and there's a talk later today that's going to be talking about using LOLBins, and I'm looking forward to hearing this one in particular. So, you know, it happens all the time, it's very common, and it's something you should be aware of. There's also... like, you can abuse the heck out of Active Directory and Azure. If you have these things in your environment and you're not spending some time reading about the attacks that are done, you're missing out, because it is so easy to abuse those things, and your AV and your... you know, none of those tools are going to see that. They're not going to have any clue. That's a problem.

All right, who recognizes what a MITRE heat map is? A few of you, good, okay. Now what I will say about MITRE is... I'm not going to say MITRE is bad; there's nothing bad about MITRE. It is limited, and the reason it is limited has to do with what it's showing you and what people understand about it. So what's important to know is that there are three pieces to what can happen with an attack: there's the tactic, which is your goal, right; the technique, which is how you achieve that goal; and the procedure, which is exactly what you do to carry out that goal. So for example, the tactic is steal credentials, the technique is dump LSASS memory, but the procedure is using ProcDump to do that, versus using Task Manager, versus using comsvcs.dll. There's a bunch of different ways to do that. The problem is MITRE ATT&CK mostly focuses on the techniques. This isn't bad, it's just limited, because if, as an attacker, I can do whatever it is I'm trying to do with various procedures, and you have something in place to detect a technique, but I use a different procedure that's not part of that detection, what happens? Am I going to detect anything? No. So these MITRE heat maps are problematic, because what does green really mean? Traditionally, for those of you who are not familiar, the heat maps are meant to show you where you have detections, where you need detections, and maybe where you need to just further develop those detections. The problem is they only show you a small portion of the story. So be aware that it's not a bad thing to have detections in place, and to know that you have certain detections in place, but understand the limitations of what those detections actually detect.

This is one of my favorites: "our tools work as designed." We buy tools, we all buy tools, and we set them up, we follow best practices, and we say, awesome, we have this thing in place. But do you really know it's working the way it's supposed to? And in most cases we don't. Security researchers love looking at this stuff, and in particular Will Dormann does an amazing, amazing amount of research on dangerous drivers; like, every few weeks he comes out with a little something new that he's looked up. And he determined that Microsoft claims there are a couple of ways that Microsoft Defender for Endpoint can block a dangerous driver: one is HVCI, which is this hypervisor-protected code integrity feature, and the other is attack surface reduction. The problem is, up until recently, the block list itself that was supposed to prevent the drivers from even being able to load, guess what? Didn't actually work, despite Microsoft going, oh, we have all this protection, yay. Nope, didn't work. And even though it has been populated now, they don't really have a plan for keeping it up to date, and not only do they not really have a plan for keeping it up to date, attackers like to just find ways to get their drivers signed legitimately, and there's been research done on that recently too. So what these tools look for, and the way they work, you can't 100% rely on. So just because you have this in place doesn't mean you're good to go.

Similar problem. Who's running Defender for Endpoint? A few, I see. Hey, it's okay, we run it too. It's actually a pretty good product. However, there are things it's supposed to be able to detect that, if you don't change registry settings for it, are not actually going to be detected, because it's not collecting the right telemetry. And there was a great talk by Olaf Hartong, who gave this for Wild West Hackin' Fest, who talks all about these undocumented features of Defender.

This is another one I love: "we have MFA, we are not phishable." How many people laugh at that statement? Yeah, pretty much, you know, most people, right? If you're not laughing, you should be, because MFA is absolutely a good thing to have in place, you should have it in place, and it is absolutely still phishable, and there's a bunch of different ways that can be done, right? Who's heard of... push, push, push, push, push, push, push, push, push, push? No, no one ever does that, right? And then basically you wind up with people just being tired of the push notifications and clicking yes. It happens all the time. But there are other configuration issues: if you have legacy protocols, even if you think you have MFA, you may not have MFA. Not only that, passcodes: so pretty much every MFA system allows you to generate a set of passcodes in case you can't get back in, but those passcodes are good forever. If an attacker gets a hold of those passcodes and you haven't changed them, they love that, and all that has to happen is they put those passcodes on, you know, a local machine somewhere and they save them off, somebody has a piece of paper and drops it; I mean, there's a million different ways that can happen. But on top of these methods, there's also attacks that can be done: AiTM, attacker-in-the-middle (trying to get away from, you know, some of the language that is not appropriate), pass-the-cookie, and of course social engineering, right? That never happens, where somebody gets an urgent call, "you have to just let me in," right?

So because of the fact that we're taking a lot of these things for granted, we need a different perspective, and so I brought back my friend the sloth here. Although the first one was actually the sloth that I have adopted at the Buffalo Zoo; this is just a cute sloth. But the idea is we need to turn some ideas on their heads. We need a totally different perspective, because obviously what we're doing isn't working, right? I mean, some of it is, but we're missing sections of it. So to that end, what I propose is that defenders need to immerse themselves in offensive security, and that does not mean change jobs, it does not mean you need a new certification, it does not mean, oh my goodness, I have to spend a thousand hours outside of work doing all this extra stuff. It means you need to know it exists; you need to spend a little time getting to understand how these attacks play out.

So for any of you who have never seen this before, and I know for offsec folks this isn't like the be-all end-all, there are different variations on this and it's not necessarily linear, they will go from one step to another and sometimes back again, but for anybody who doesn't know what an offensive security playbook essentially looks like, these are sort of your basic steps, right? They've got to try to get in; that's the first step. But before that they need to know what to attack. So figure out what they're going to attack, how are they going to get in, how are they going to stay in. I mean, these are the basics, this is what they're thinking about, these are the relationships they're trying to build.

So where do you find those folks? Well, guess what, you're at a BSides, and while we may only have a couple of those folks in this room, I'm willing to bet there are a bunch of others who are in other rooms. So this is a great place; as you get to know people, if you meet folks who work in the offensive security space, get to know them. They can be a very valuable resource. But there's other places that you can meet folks too: other security conferences; if you have local security meetups; some makerspaces, you know, folks will get together and do that sort of thing; there's something called DEF CON groups, if you're not familiar, some of them do online and virtual; there's an organization called 2600 that has meetups typically; there's online security communities; and, you know, even traditional security communities: there are offensive security people who will go to things like ISACA and ISSA events, you know, conferences that are corporate driven. But you need to seek them out.

And then, if you can, find some formal training, right? There are conferences, there are BSides; the one I run has training, usually inexpensive training, the day before. Security companies offer training. Antisyphon, I can't say enough good stuff about: they have pay-what-you-want training for certain things, so if you have no money, or your company won't budget you anything, you can sign up. They have a whole series of classes that are free if you want; if you need them to be free, they'll be free; if you can afford to pay 25 bucks, they'll take 25 bucks; and even at their full rate they're way less than something, you know, like SANS, which I mentioned, but whatever. There are online options: there are things called Hack The Box, TryHackMe; there are CTFs, there's one running right here; and YouTube has some great stuff, and higher education sometimes has classes; you just have to look and see.

So what about understanding more about how these folks think and what they do for their craft? Well, that's what we call tradecraft intel. So places you can find, like, how these things work for an offsec person: go to places like Project Zero or AttackerKB. There's a zillion more of these, but realistically, there are researchers who work in the space and they do write-ups of: here's an attack, and here's how it happened, and here's what the attacker did. Offensive security people spend time in that space learning about those attacks so they can use them too, but you can read about them as well. And what I would recommend is, if you don't have a whole lot of time to, you know, take classes or do other stuff, this is a great way to just sit down and learn how an attacker moved through one particular attack, and even if you read one of these maybe a week, you'd start to see some patterns, because a lot of this stuff is the same stuff over and over and over again, in the same way the defenders see the kinds of things that we see in terms of keeping the attacker out.

Attackers do the same things because they're successful with them. Twitter, and I know Twitter's a mess, and everybody knows Twitter's a mess, but there's still a huge contingent of offsec folks and people who share ideas and tradecraft intel, and of course Mastodon now, and probably Bluesky and every other social media, but that's the idea.

Organizational intel, on the other hand, can tell you a little bit more about your own organization, and what I can tell you is offensive security people love organizational intel. They love organizational intel because the more they know about your org, the more they can figure out how to move within it, whether it's through social engineering or how things might be structured. So make a point of understanding what's out there about your organization that could teach other folks about you, and either work with your org to maybe remove some of it, or at least put mitigations in place. Think about how that information could be used in a bad way of some kind. Other places, as you can see: Pastebin, GitHub, etc., internal wikis; Have I Been Pwned is a great site.

So I am not going to talk about each one of these tools, because I don't want to, you know, stand up here and talk about tools for half an hour or more, but if you are not familiar with this list of tools, if there's something on here you don't know, you should. So I would encourage you to take a picture of this particular slide, and if there's anything you've never heard of, you should learn about it. These are some of the most common tools that offensive security professionals, and likewise attackers, like to use for their jobs. And I'll tell you right now: who here has heard of Mimikatz? Good. There are people who do defense who don't know what Mimikatz is, and when they see a reference in their EDR, their AV software, that says something about Mimikatz, they either ignore it, yes, they just ignore it because they don't know, or they say, oh, it blocked Mimikatz, we're good. The problem, of course: what did we say earlier? Just one way in doesn't mean they're done. So seeing something like Mimikatz should be a big red flag to say, uh, Houston, we may have a bigger problem. But a lot of folks don't realize it.

Okay, so in summary, because I want to make sure there's time for questions: defense is only half the story. If you're not learning about offense, going to talks about offense, even if you don't entirely understand what they're talking about, you're missing so much. I used to come to conferences and only go to defense stuff, because I was like, this is what I do, I'm a defender, I want to just understand how to defend against attackers, but it never occurred to me, maybe I should be learning what the attackers do too, so I could, you know, ultimately be a better defender. So that's really important. Be careful assuming that your tools work and that things function as you expect them to; where you can, test them. There are ways to do that. Jump into that other half of the story and get to know people on the offensive security side. I have found most of the people on that side of the world love talking about what they do, absolutely love it, and they get excited and they want to share. You ask questions, odds are pretty good they will laugh and they will happily share what they know. That has been an overwhelming experience for me, just in general, and, you know, the more you can learn about what they do, the better, and ultimately you'll become a better defender from that.

I have to put this in, quick book shill: this is my book, The Active Defender. If you like this sort of concept of thinking about things from an offensive perspective, but we're talking about defending, this book comes out in four days. The ebook is already available, and it's at, you know, most major retailer places. And I always like to end on this slide: I started out doing support, like a lot of folks did, and before that I had a degree in music industry. This was definitely not where I thought I would wind up, but ultimately I think it was exactly where I was destined to be. And with that, I thank you, and I'll take questions, because we still have some time now; we've got about 10 minutes.

Sir, did I see... nope. Any questions at all?

Okay, well, thank you again.