
Right now we have a great talk by Anurag Khanna: The Rise and Rise of Advanced eCrime Threat, Incident Response Edition. Let's welcome him to the stage. [Applause]

Thanks, Silvio. Hey, thanks everyone for showing up. Our first time at BSides Canberra has been amazing, and this is a big room and I can't see anyone, I just have lights on my face, so that does help. No stressing out. Thanks for showing up after lunch, day three, I know it's after a late night, so thank you very much. This is The Rise and Rise of Advanced eCrime Threat, Incident Response Edition.

So a few months ago I started thinking about what I want to talk about, what am I seeing, and if you have done incident response or dealt with threat actors, dealt with incidents, you would realize there are typically two buckets of threat actors we deal with, as in defenders deal with. One is nation-state threat actors, the advanced stuff, also known as advanced persistent threat, and the other part is eCrime, which is primarily ransomware, multi-extortion and those kinds of threat actors. And I started looking at what was happening in threat actor activity and what are we seeing, and I realized that of late, like the past few months, maybe a year, a couple, the way these eCrime threat actors were targeting organizations was evolving. Traditionally the advanced bit of APT is the nation-state threat actor: they are advanced, they are sophisticated, very well resourced, they know what they are doing, they use zero-days and do all the crazy stuff. And then these eCrime threat actors, they are typically not so sophisticated, more of a smash and grab operation: they come in, they try to get whatever they can, make some money and leave. But I realized that was changing. The techniques, the speed with which eCrime threat actors were working, that was evolving, and that's where I started looking at it and I started calling them advanced eCrime threat, and that's what I'm going to talk about. I'm going to talk about what these ransomware threat actors do, how does extortion work, and I would like to not talk a lot about traditionally what they were doing, which is lateral movement, moving around, pushing data out. I would try to stress on, or talk more about, the more recent stuff, the evolving landscape, what has changed.

A bit about myself. I work for a company called CrowdStrike. How many of you have heard of CrowdStrike? Yeah, that used to be a great icebreaker a few months ago. I should find a new one; this doesn't work anymore. I do incident response, so I work with a team that deals with a lot of nation-state threat actors, a lot of ransomware, eCrime, day in, day out. I've been doing that for a few years, 10 plus years doing incident response across Asia Pacific. Moved to Australia a couple of years back, still working on my Australian accent, so work with me a little. I teach for SANS, picked up some certifications while on the way. And this slide deck is very dense, there's a lot of text, some a bit small, which will be difficult for people to read in the back. That's by design. This is a reference deck, so this slide deck is available at that particular link on the slide. You can download this, you can use this, and if you're thinking should I, I'm putting this up right upfront because I don't want people to be, you know, clicking pictures, and so you don't have to. This link will be there at the end of the slide deck, so maybe by then you'll decide if you want this deck or not. Let's see how it goes.

So let's get going. Here's a disclaimer: my company may not agree to what I'm saying here. I don't expect them to; maybe they do. Going to talk about a lot of stuff, a lot of stuff which is already publicly known, some stuff which I've researched, so we're going to talk about that. This entire slide deck has a lot of links embedded in, so while you, you know, maybe you download this, maybe you start looking at it and you're like, where have we seen this particular technique, there'll be a link somewhere on the slide deck, you can click, go there, read a blog published by one of these big companies.

Okay, bottom line up front, what we are here for: eCrime threat actors are evolving. They're getting more sophisticated, they are ruthless, they are fast, they are getting things done. We have seen in the past couple of years, more than a couple of years, that what eCrime threat actors do is a very, very successful business model. They make a lot of money. What we are doing, which is defenders, and maybe you're a red teamer, maybe you're an exploit writer, I'm making an assumption here that everyone is still trying to make their organization safer, so all of us are defenders, that's our primary job, making sure that our organizations don't get hacked. They are getting better, we are getting better, but the bottom line here is that we need to level up faster. We need to have plans in place and the ability to execute those plans. That's what I'm going to talk about here.

Okay, first the good news. Pat your back, tell you you're doing good. We as defenders have been improving. We have better tooling now, which gives a lot of defenders better visibility, which means a lot of organizations can see the threat as the threat comes in, they can see what the threat actors are doing, they can detect a lot of stuff. We have gotten better at identity management; a lot of organizations do have multi-factor authentication. What that has resulted in is a lower dwell time, so the time from when a threat actor gets in to the time when they get detected is now in days. It used to be years. If you go back 10 years, it was like 400, 500 days; now it's double-digit days, which is really good. So we're getting better, which is good. But the problem with that is, in the cat and mouse game that threat actors play, they are responding, they are leveling up. They're using living off the land techniques, making it difficult for us to detect them. They're leveraging cloud, so not only targeting cloud, they are leveraging cloud to target organizations. They're targeting identity, because identity is the thing these days with cloud and SaaS applications, which we'll talk about; they're targeting more and more identity. And they're getting faster. So while the dwell time is coming down and we are getting better at detecting them, they are doing things fast, really, really fast. And when threat actors move fast, we need more time. How do you get more time? So 120, 125 years ago Einstein came up with the special theory of relativity. He said if you want more time, you need to move fast. That's my nerd joke there, that's the only one I have. So that is what we need to do, which is we need to move fast. What happens when you move fast? You break things.

Now I'm going to come up with a lot of recommendations, so I'm going to say let's do this, let's contain the VPN, let's pull that relationship or trust which the VPN has with the Active Directory. Do I want you to go back and do that on Monday? Of course not. Don't do that; that's not what I'm recommending. I may be recommending that when an organization is under an attack, when ransomware deployment is imminent, when exfiltration is going to happen. So that's the stuff we're going to talk about here. One superpower which we all have as defenders is visibility. If you want to work against these threat actors or defend from these threat actors, we need visibility. What kind of visibility? We need visibility on the host, so we need to have an EDR or logging or whatever works for you. We need to have visibility in the cloud and also on the network. Once we have that visibility and we have the capability to respond in real time, that's when we can have a knife fight with these threat actors, that's when we can defend against these actors.

So what I'm going to do is I'm going to pick up some areas where these threat actors' TTPs are evolving and talk through that. We're going to talk about identity, we're going to talk about cloud, some new form of exfiltration and data copying that is happening, extortion, how the threat actors are making sure that they are not visible or cannot be detected. So those are some of the things which we're going to talk about from here, starting with the most important, which is identity.

Identity is the key to success, which is money for threat actors. Now this is my favorite slide of this entire deck, and that's the hill I die on. If I was walking on a beach and I picked up a lamp and a genie appeared and he's like, okay, what do you want, three wishes granted, you know what will be the first one, wishes that'll make the security landscape better? The first one will be: let's make sure every account, every externally exposed service has multi-factor authentication. You know what the second one will be? Let's make sure we check and make sure that every identity has MFA in place. The third one will be: let's use a better form of MFA. I do a lot of triage, I talk to a lot of organizations when they are breached, when they have ransomware, when data has been exfiltrated, and most of the time on the first call I ask them, do you have MFA? And you know what answer I get? Yep, you do, but not on this group; there is a VPN server which is legacy which still allows people to log in, that doesn't have MFA; not from this location; we are still implementing it, we're still deploying it. That doesn't cut it. And why am I talking about something so simple as SFA, or single-factor authentication? Because I know this for a fact, that if an organization doesn't have multi-factor authentication and they are using single-factor auth, they will get breached. It's just a matter of time when that happens. So the call to action is make sure there is no single-factor auth system exposed to the internet. So that's enforce MFA now, as in yesterday. So that's the slide, that's the most important one. I'm going to move on and I'm going to try not to talk about SFA anymore.

But let's talk about and let's assume everyone has MFA in place. A lot of you do, like a lot of us here work in security, we know what we're doing, so we do have MFA everywhere. That helps, but that's not the whole story. Let's talk about phishing. The traditional phishing approach is send an email, entice someone to click on it, maybe drop a malware, if not, bring up a page where they provide their username and password. That classic phishing still works. That works because threat actors can do what we call adversary-in-the-middle attack, AiTM. That's when the threat actor sits in the middle, makes sure that you connect to the website which they're hosting through their system, and they can steal the token, maybe the session token, maybe the MFA token, and then they use that to get into the site they were phishing for. And more and more these threat actors are targeting privileged identities. So if you are an identity admin, an AD admin, maybe you manage Okta or any other single sign-on solution, which a lot of people would in this room, you are a target, because that's what the threat actors want: they want access to privileged identities. This works for end users. They also target other employees. There have been instances where the threat actor picks up the phone, calls the employee, just social engineers them on the phone, tells them to deploy a TeamViewer or AnyDesk, you know, whatever RMM works, maybe asks them to remove that FIDO key, the MFA which these organizations are using, and tries their luck that way.

While they can target an end user, a lot of these eCrime threat actors, they are targeting the help desk, and unfortunately that works very well for them. They pick up the phone, they start calling the help desk of an organization and they work their way through. A lot of these threat actors are English speakers, they understand the culture, they know what they're doing. They call outside of the business hours, so that call doesn't often land up in the usual help desk which these organizations have; it may land up in another country, an offshore location, helping these guys or girls to walk through or get stuff done. And they end up often resetting the password, sometimes resetting the MFA, getting access to applications, which may include again, you know, single sign-on solutions, SaaS applications, sometimes VPN; they get their way through. Now throughout the slide deck I have some recommendations here: prepare, respond. I may not have a lot of time to walk through each of these, but that's the recommendation of what to do, especially in this case. Just don't change passwords without a video confirmation; maybe ask to see an ID. That stuff doesn't happen in a lot of organizations, so threat actors can find their way through. These threat actors are very well resourced, so they have done their homework. They know who's the manager of this employee, what's their employee number, where do they live, what information do I need to give to ensure that password is reset. That's targeting the help desk.

Now, that's the hill I die on, I said MFA, but unfortunately MFA is not a silver bullet. We do need that, but that's not enough. Some of these threat actors have been known to do social engineering just to ask for the one-time password which was sent to the phone of the employee or the target. Some of these people, they have called and asked to have that push notification accepted. All that stuff has worked. What they've also done, which works very, very well, is SIM swapping. A few years ago, if someone would have asked me, I need an MFA, of course yes, what should be my MFA factor, and they would have told me, how about SMS, I would not be happy, but I would be like, yeah, okay, you can live with it. Not anymore. Some of these threat actors are getting SIM swaps done at will. They have access to a lot of these telecom companies, a lot of BPOs that work for telecoms; they know employees, sometimes insiders, sometimes they have their way through these companies. And what they end up getting done is SIM swapping, which means they'll get the same number as an identity admin in an organization, and when that OTP comes in, instead of going to that admin, whose phone doesn't work anymore because that number has ported to the threat actor's SIM, the threat actor gets that MFA prompt or the MFA OTP, and that's what they use to then come in. That has worked very well.

The other thing that has worked very well for a lot of these threat actors is what we call push bombing, or MFA fatigue attacks, which goes something like this. So you have a phone, or someone has a phone, and you don't use SMS, good practice, but you use push notification, which means when you try to log in, a push notification comes through, says do you want to log in, or are you the one who is trying to log in, do you want to accept it, reject it. So what happens sometimes is the employee gets a push notification, they look at it and they're like, I didn't try to log in, it's not me, reject. After 5 minutes there is another login, the push notification comes through: it's not me, it's not me, I told you it's not me. And then sometimes this comes in the middle of the night, 2 a.m., when you want to sleep and your phone goes buzz buzz buzz, and you're like, maybe there's a misconfiguration, I just want this phone to stop buzzing. Accept, done, the threat actor is in. That has worked a lot of times, more times than I would like it to work. That's MFA fatigue; that ends up working.

Once these threat actors get access to the environments, often as privileged accounts, often as identity admins, they end up often targeting a lot of different options, or a lot of different features that are available in these organizations. One of that is SSPR, which is self-service password reset on Azure; works very well. If you're using Entra ID, Azure Active Directory, you probably have SSPR. It's very useful if someone forgets their password; it's a password reset mechanism exposed on the internet. It often asks for two factors to be provided; by default it's just one, always enabled for admins by default. What are those two factors, or one factor? Often SMS, sometimes email; questions are really a bad choice. But what these threat actors end up doing is, if they already have access to the environment, they may end up adding their own mobile number in SSPR so that now they can reset that, or they may just end up doing some SIM swapping, getting into emails, getting access to that SSPR, and now they can enter at will or change password at will. That's SSPR.

While you can target an end user to get a password, often it is more beneficial to go to the source, which is a lot of times password managers, maybe password vaults, stuff like CyberArk, which does a good job. A lot of these places have a lot of passwords in a password manager, and we have been telling people to do that. Security professionals: use password managers, put all your passwords in there, that's how you protect your passwords, use different passwords. I do that, that works. But unfortunately some of these threat actors end up targeting those password managers or password vaults for a lot of passwords that IT organizations and system admins save in them, which means if I can dump all those credentials as a threat actor, I have keys to the kingdom. I can use all those passwords to start coming in, to accessing whatever I want. You know what's better than targeting password managers? How about identity providers. Old school Active Directory has NTDS.dit; that's where all the hashes are stored, including your service accounts, privileged identities, machine accounts. That's where all the keys to the kingdom reside. Threat actors still dump that NTDS.dit. Now they may figure out more novel ways to do that, like creating a new virtual machine in your ESXi, shutting down your domain controller, mounting it, then copying that NTDS.dit, which works very well, which probably the EDR won't detect because the stuff is not happening on the system where the EDR is, and they may get access to the NTDS.dit. Other more novel techniques which were usually used by APT kind of threat actors are being used more by these eCrime threat actors. One of that is adding an attacker-managed identity provider as a federated identity. If I do that, add a federated identity, that means I now control the identity provider that is being used for authentication, which means I can log in with whatever I want, whatever accounts I like. That's another thing they do. They also target organizations that manage identity services. There have been some of these breaches that have come out publicly where organizations that run identity providers have been targeted. That works.

Some of the recommendations of what to do when stuff like this happens: what I do like and do recommend is, if you're under a breach like this where the identity provider is getting attacked or the NTDS.dit has been dumped, consider breaking that centralized authentication with Active Directory or the IdP you use. So a lot of solutions which we use, like VPN, your ESXi, vCenters, backup solutions, hybrid identity solutions, all those solutions in the end go and talk to a centralized IdP. Maybe it's time to cut that, so cut that link, remove that trust, so the threat actor cannot use the credentials which they have already dumped. You may want to do some hunting across your cloud: look at your identity solution, look at federation, look at all that stuff, and remove it if it is not needed and if that was added by the threat actor.

Another very common thing is targeting credentials. It still happens, especially in cloud. There has been some intel, some research that has happened, and a lot of IR professionals now assess that a lot of these threat actors are constantly spidering and looking for credentials in things like GitHub and other repos. They're looking for long-term credentials, keys, and as soon as there's a key that pops up in any of these repos, because developers do make mistakes, that's human nature, they'll take that and start accessing the orchestration plane of the cloud service provider and start doing funny stuff. So look at that. Adding new credentials is still a favorite, where not only in Active Directory and all the local systems, which is really, really hard to detect for a lot of organizations, they now end up adding accounts in the cloud orchestration plane, in Azure Active Directory or Entra ID, maybe add long-term credentials or long-term keys in AWS accounts, because you can have two for an account; maybe you have one configured for an account, maybe you don't have any; they're just going to add one long-term credential, use that to come back in. That's a very effective way of maintaining persistence.

How do you tackle most of this stuff? It goes back to using a phishing-resistant MFA, like the stuff here. Use that; that's very helpful. Consider doing host integrity checks for VPN; that works. If a system connects over my VPN, is that my system? Does that have a certificate which I use? Is it part of my domain? Does that have the EDR which I use? All that stuff is helpful to make sure that you don't have a threat actor system connecting to your environment over a VPN. Consider containing systems. Extreme measure: if you have a threat actor in the environment, maybe you want to go dark, which is cut off the internet. It's not an easy thing to do for a lot of organizations. I've seen organizations which cut one egress point, maybe that was in Singapore, and suddenly the entire data is now getting routed through Vegas, and that's where the other external egress point is, because we have built all these networks for reliability; we want to make sure that we don't lose network, internet. So think about what we need to do if something like this happens.

Let's talk about something else. We talked about identity; let's talk about information gathering. I believe that the advanced in APT is not only the techniques they use, but it is often the time and the effort they put in to perform information gathering, to know their adversary. A lot of these threat actors are doing that now. The eCrime threat actors, they want to target privileged identities, so they're going to do a lot of research to figure out who is the identity admin, who is the Active Directory admin, who has what kind of access, who's their boss, who's their manager, how do I get their password, where do they live, what information do I need. All that stuff is information gathering. Where do they get that? Sometimes just looking for credentials in the environment, all those SMB tools that go to different SMB shares looking for passwords; they do work, unfortunately they do work. There are a lot of organizations who still have credentials lying somewhere on the network which they are not aware of. That works. What these threat actors are also doing is looking for ransomware-specific details. Hmm, why do that? Why does it matter? If I'm a threat actor, which I'm not, I'm an eCrime threat actor, and I'm like, I want to extort this victim into paying up maybe $20 million, so I go in, I look for the insurance policy, I download that insurance policy, I go through that stuff and I figure out, oh, not $20 million, these guys have a policy that allows them to pay $25 million. What I'm going to ask this company: $24 million, maybe that'll work. So I'm like, yeah guys, please give me $24 million, and then someone is going to come at me and say no, we don't have that much money, and I'm like, hmm, yes you do, look at this policy that says $25 million, just give me 24 of those. That's the length these threat actors go to, to figure out what are the different policies these organizations have, what kind of insurance policies they have, what kind of processes they have in place, what does it take me to change a password for someone, what information I need for that, how do they create new accounts, how do those new accounts get the MFA configured. Maybe there's a portal I need to go to where I log in with a default password. Oh, what's the default password? Maybe I can find that in the wiki which this company has; figure that out. Maybe in the ticketing system there are credentials there, maybe there's a Confluence server, maybe there are others, GitHub and other stuff where there is source code. All that stuff is important. All the company names I'm taking, I love those companies, nothing against them, but that's how these threat actors work. They go to internal chat applications, maybe use Teams, maybe use Slack, and they're going to start pinging other people on their teams and say, hey mate, I need this, can you give me those credentials, can you reset a password for me. They'll work their way through to find out more data, more information, which they're then going to use to move around, to escalate privileges and do more interesting stuff.

And through this process they may end up targeting your SaaS applications. A lot of organizations have moved to cloud; we use a lot of SaaS applications, or those Okta tiles you keep seeing. That's easy to use, but a lot of those SaaS applications do not provide enough visibility to defenders because they're on-prem. So these threat actors look at those SaaS applications: they are in cloud, I need to exfiltrate data from the cloud to my cloud, that'll work, let me just get into the SaaS application. Another attack, which was again something APT would do, or you would expect a nation state to do, is targeting ADFS to get Golden SAML. That's a complex picture; I created that picture and I did want to get an opportunity to show you that, that's why it's there. I'm not going to talk through that, but in a Golden SAML attack the threat actor steals a certificate or a signing key which is in the ADFS server, uses that to access SaaS applications. That still works. So they are now targeting cloud.

Let's talk about cloud. That's where all the fun stuff is. A lot of these are not only targeting cloud as a victim cloud; they're also leveraging cloud to target these organizations. There are a lot of times these threat actors are moving from cloud to on-prem. A lot of people have asked me this, and I've worked with a lot of organizations, and they say, what is more secure, is cloud more secure, or is on-prem stuff more secure? I've thought through that, and my view now is it's just a different attack surface. Neither is more secure or less secure; they are just completely different attack surfaces, and we need to look at them in that way. But recently I came across this idea and I liked it, and I kind of started trusting this a little more, which is: defenders have a home ground advantage when responding to on-premises incidents. We all do remember Home Alone. Like, that's how the stuff works: I own this place, this is my house, you're not going to get in, if you get in I'm going to kick you out, I'm going to put my traps in and you're going to fall through those traps and stuff is going to happen, and I own this place. Unfortunately in cloud, sometimes, I won't say always, that ceases. It's a battleground which provides the adversary sometimes very similar advantages, the same level of skill and same level of capabilities and what resources they can access, as it does to us, which makes it more difficult for us to pull that plug which we want to, or pull that network wire, to make sure the threat actor stuff doesn't work anymore. In the cloud, no way I can go to a data center in the cloud and pull that wire out. Doesn't work like that.

Let's talk about some of the stuff these threat actors are doing in cloud. A very interesting idea which a lot of these threat actors are doing is security degradation attacks. That's when they reduce the defense or the capabilities which we have baked into our cloud. Logging: maybe you have set that up; they're going to come in, then they're going to reduce that E5 license you have to maybe E1, E2, whatever it's called, which means stuff which we could see and detect, we can't anymore. That happens in all the major cloud service providers. It's not a specific cloud problem, it's not a specific vendor problem, it is a cloud problem. The one I like here is adding trusted locations in conditional access policies. A lot of organizations use conditional access policies; they are a good control. A lot of these threat actors, when they have the access, what they're going to do is they're going to add one additional CAP, or one additional trusted location in the conditional access policy which you already have. That trusted location now allows the threat actor to come in from their IP address and maybe access the environment without an MFA. That's going to become difficult for us as defenders to detect. They also target storage as a service. A lot of the storage as a service solutions, like the S3 you're using, Azure Blobs, they have a lot of data in there; a lot of organizations use that. These threat actors end up targeting those, sometimes copying the data just for the purpose of stealing, sometimes just encrypting that data where it is, or sometimes just deleting that. A lot of the stuff is, I should not say easy to protect, but maybe easier to protect if we have things in place. A lot of threat actors target this and they still will get away with this; they still end up downloading a lot of data, extorting the victim, or maybe just encrypting them where this data is. There are some recommendations I have on the deck; you can have a look at that, that'll protect against these attacks.

This one is another interesting thing. If you have cloud, a threat actor can get access to the orchestration plane; they may end up spinning up their own virtual machine. Why do that? Why not use a machine which you have already compromised? You know why? Because if I spin up my VM from my own image, that's my machine, that doesn't have all the security software the organization uses, that means now defenders do not have any visibility into that, that means I can do whatever I want and no one is going to see what I'm doing. That's something which a lot of these threat actors are doing. What we need to do if we are responding to these attacks is look for any recently created virtual machines, kill those, burn those, nuke them, let them go away, you don't need them. That's remediation stuff if you get into a knife fight with a threat actor that is targeting cloud. There is stuff that we can do in AWS as well as in Azure. In Azure, Microsoft provides what they call Microsoft Admin Portals as a cloud app; you can use that and set up a policy which then you can enforce on whoever is accessing all these portals, which are the Azure admin center and all this stuff. You can enforce an MFA, a new MFA, or you can just say no one can access it, only these two accounts can access it, while we are battling this adversary. That works very well. Some more recommendations for a knife fight in cloud, which often is complicated and complex to do once the threat actor has access to the orchestration plane: there are multiple ways of how they can access virtual machines, there are multiple ways they can run scripts on virtual machines that are running in cloud, dump credentials, copy interesting files that they are interested in. So some of these.

Okay, let's talk about what do the threat actors do to make sure that we can't see them, we can't detect them. A lot of this stuff is network stuff; some of that is security degradation. Let's start with network pivoting. Pivoting is something which a lot of pentesters know of, they do; a lot of defenders have seen that. A lot of these threat actors have taken that to the next level. Using a lot of SOCKS proxies is very common. Where to deploy this SOCKS proxy? I have EDR everywhere, and not everywhere, but you have a NAS machine which runs Linux; it doesn't support any security software; that's where I'm going to deploy my SOCKS proxy. Maybe that hypervisor where you cannot install the security software, maybe you don't have logging on that, maybe you're not pushing those logs somewhere central; that's where the threat actors deploy their SOCKS proxy, because that's where defenders are not looking. Once the threat actor has deployed that SOCKS proxy, using any of these multiple tools they can use, there are a lot of these, they can now access the environment at will, often without getting detected. They can even come back once you have assessed that you have kicked them out, because they have that as a persistence mechanism in their environment. It's not pleasant to look for this; it's not easy to do a lot of this stuff, looking for SOCKS proxies that may be deployed in, say, an IoT device, a camera somewhere, a recorder, all those interesting devices.

This is another common thing which a lot of these threat actors are using: they're using VPNs. They tend to use a lot of VPN stuff. Some of the common ones they use are these. Does anyone know why use these, why not use some other stuff? A lot of these service providers, they can take payments in Bitcoin or any cryptocurrency, which means, to track down, so you can't track who is buying those accounts. So they end up using this. They end up using a lot of what we call data center stuff. So if you are an AWS shop, you use AWS, I'm going to spin up a virtual machine in AWS and that's where I'm going to come from, which means you probably trust where I'm coming from, you'll be okay. If you use Azure, I'm going to use Azure; if you use another data service provider, I'm going to use that. I'm going to get in without you figuring out where I'm coming from. Another trend is using residential proxies, which is a service which a lot of organizations are now providing, where you can route your data through a local IP address from someone's home system. A lot of this is shady stuff, but it is what it is, which means when a defender is looking at those network logs, the VPN logs, they're like, which of these IP addresses are a data center IP address, I'm going to detect it that way. That doesn't work, because the threat actor is now routing their traffic through a home Wi-Fi, which means you're going to see those connections coming from the location where you expect those connections to be coming from, making it harder and harder for folks like us to detect these threat actors.

This one is one of my favorites. It's called LOST, I made that up, it's called living off the security tooling. A lot of these EDR providers, which a lot of organizations use, have a lot of capabilities built in. They can do a lot of very useful stuff, including accessing those systems remotely. If, as a threat actor, I can get into your cloud console of the EDR service provider you're using, or on-prem system, whatever you're using, I can probably use the capabilities that the security software has to access the systems, which essentially means from the cloud I'm now coming on-prem. So first I was able to maybe compromise your Okta tiles, maybe become an identity provider, maybe logging in through the EDR you're using, and now I'm in the cloud where all the EDR control
stuff happens and now I can use that capability to come in and access your domain controller Dum those credentials add an account make all those interesting changes that's lost oh this stuff is more interesting this is using signed drivers I don't want you to detect me so what I want to do is shut down the EDR you are using how to do that it's not easy to do that a lot of the Security Solutions have temper protection they don't allow them to be shut down which is really good A lot of these trors have figured out ways to load drivers sometimes malicious sometimes vulnerable these drivers they run in the kernel mode so they are at the same
level of what an EDR is and if as a thread actor I can load a malicious driver or a vulnerable driver both of these exist I can probably shut down the EDR that you are using to monitor your systems if I do that then I can do all that shady stuff which now you're not going to see and if you're not going to see that you're not going to detect that that's another way how these trors are operating bring your own VM which is spin up a VM I talked about spinning up a VM in the cloud that stuff can also happen in the esxi or hypervisor hyperv nanic whatever you're using if the thre
actor gets in they have the right privileges they're going to spin up a new VM that VM doesn't have your favorite EDR put whatever you're using it doesn't does have the log forwarding solutions that you use sometimes they do stuff where you can't see that in the v Center or whatever console you're using which means now the trctor has a machine running the environment which then can be used to come in and access the entire environment that's bringing your own virtual machine now one thing which often comes up is the idea of unmanaged systems you'll get into conversations where like what is the EDR coverage in the environment how many systems do you have the security software on what kind
of visibility do you have in your environment and a lot of time people will say everywhere we have this EDR everywhere no you don't you don't have that on that Windows XP machine you're like I don't use XP okay maybe the developer does that does that development for legacy systems no they don't maybe they have a Kali machine running do you have EDR on that kch machine no you don't do you have that EDR on the developer system which they are doing debugging and stuff nope maybe you do you have that EDR on Old Linux machines and if you are like yes yes yes yes yes I do what are you talking about okay let's look at this a thread actor
logged in through a VPN maybe they figured out that account which doesn't have MFA there are accounts that don't have MFA uh uh maybe your security administrators thought they know better they didn't want to put in an MFA they just want to use long passwords maybe Network admins maybe that cxo they don't want to be bothered about MFA push always there are accounts without MFA maybe they TR to figure that out they came in with the VPN now they are part of your environment they're part of your network do you have EDR running on their system of course not so what they can end up doing is mapping SMB shares over the network start encrypting those files
start copying those files out everyone has these kind of systems if there is even one system that is unmanaged or doesn't have that EDR that can be leveraged to deploy ransomware to exfiltrate data everyone has that another thing that has beenen happening is opsac or operational security this next gen e crime threat actors uh they do they do understand obsc so they end up getting into teams Zoom calls which IR teams are running they read emails they figure out what kind of response you are putting against them what are you doing to detect them what steps are you taking they often end up setting up filters where all that emails that come from your whoever your
favorite security service provider is if that email comes through just don't send that email to this administrator just redirect it to me because I want to know who they are working for and I don't want to want them to get those emails so that s which you signed or the the document which you signed or the approval that you gave to mount an IR response that's not reaching you or you're not getting any emails from your service provider because the thread actor has set up a rule where all that emails that come from that service provider are redirected to them are deleted never sent stuff like that they understand obsc we also need to do that
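The mailbox-rule trick described above leaves a trail in the tenant's audit log, and a responder can hunt for it. As an added example, not part of the talk and not any vendor's tooling, the Python below scans records shaped like simplified Microsoft 365 unified audit log entries for the Exchange cmdlets New-InboxRule and Set-InboxRule, and flags rules that divert mail to an external address, delete it, or hide it, ranking highest the rules whose match condition targets an IR vendor's domain or engagement keywords. The organisation domain, vendor domain, keywords, severity scheme and all sample records are constructed assumptions.

```python
"""Flag mailbox rules that divert, delete or hide mail from an IR/security vendor.

Input records mimic (in simplified form) Microsoft 365 unified audit log entries
for the Exchange cmdlets New-InboxRule / Set-InboxRule, whose cmdlet parameters
are logged as a list of {"Name": ..., "Value": ...} pairs. All sample data below
is constructed for this example.
"""
import json

ORG_DOMAINS = {"example-corp.test"}            # assumption: the victim tenant's domains
WATCHED_SENDER_DOMAINS = {"ir-vendor.test"}    # assumption: the engaged IR vendor
WATCHED_SUBJECT_WORDS = ("incident", "engagement", "statement of work")

# InboxRule parameters that send a copy elsewhere (real cmdlet parameter names).
DIVERT_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")


def _params(record):
    """Flatten the audit log's [{Name, Value}] list into a str->str dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def _targets_watched_mail(params):
    """Does the rule's condition single out the vendor or engagement mail?"""
    senders = params.get("From", "").lower()
    subject = params.get("SubjectContainsWords", "").lower()
    return (any(d in senders for d in WATCHED_SENDER_DOMAINS)
            or any(w in subject for w in WATCHED_SUBJECT_WORDS))


def analyse_rule(record):
    """Return (severity, findings) for one record; severity is None when benign."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None, []
    p = _params(record)
    findings = []
    for name in DIVERT_PARAMS:
        if name in p and _is_external(p[name]):
            findings.append(f"{name} -> {p[name]}")
    if p.get("DeleteMessage", "").lower() == "true":
        findings.append("DeleteMessage")
    if p.get("MoveToFolder") or p.get("MarkAsRead", "").lower() == "true":
        findings.append("hidden in mailbox (MoveToFolder/MarkAsRead)")
    if not findings:
        return None, []
    if _targets_watched_mail(p):
        return "high", findings          # vendor/engagement mail is being suppressed
    if any(f.startswith(DIVERT_PARAMS) for f in findings) or "DeleteMessage" in findings:
        return "medium", findings        # external diversion or deletion of other mail
    return "low", findings               # merely tidied away; review, not alert


def scan(records):
    """Return one finding dict per suspicious rule-creation/modification event."""
    hits = []
    for r in records:
        severity, findings = analyse_rule(r)
        if severity:
            hits.append({"user": r["UserId"], "rule": _params(r).get("Name", "?"),
                         "severity": severity, "findings": findings})
    return hits


# Constructed sample log: one hostile rule, one benign tidy-up rule, one hostile
# modification of an existing rule, and one unrelated operation.
SAMPLE_LOG = [
    {"Operation": "New-InboxRule", "UserId": "it.admin@example-corp.test", "Parameters": [
        {"Name": "Name", "Value": "Sync"},
        {"Name": "From", "Value": "@ir-vendor.test"},
        {"Name": "RedirectTo", "Value": "drop.box@attacker-mail.test"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "j.doe@example-corp.test", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "From", "Value": "news@vendor-news.test"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "it.admin@example-corp.test", "Parameters": [
        {"Name": "Name", "Value": "Sync"},
        {"Name": "SubjectContainsWords", "Value": "incident;engagement"},
        {"Name": "ForwardTo", "Value": "cfo@example-corp.test"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "MailItemsAccessed", "UserId": "j.doe@example-corp.test", "Parameters": []},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(json.dumps(hit))
```

Run it as a script to print the three findings; in practice the records come from an export of the unified audit log filtered on the two rule cmdlets, and the watched domain and keywords come from the engagement paperwork.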
A lot of times we need to spin up new Google environments if you use Google Workspace, or if you use Microsoft. Maybe just have something completely out of band; even the Signal app works. Set up a group, start talking there, all that interesting stuff works. Maybe force people to do a video verification when they're joining those calls; that also works. Be opsec aware.

That's another interesting one: living on the edge. That's how threat actors live. I so wish my pointer worked... I so wish they live like that. This refers to the fact that a lot of these threat actors are now targeting devices which are firewalls, VPNs, that are on the edge, not often monitored well, not a lot of security software runs on them. If there are vulnerabilities they use that; if they can dump credentials from that they do that. Or maybe there's a VPN which you're using which has a few local accounts. If I am a threat actor I'm going to come in, I'm going to add one local account to that VPN and then I'm going to use that to come in. Yeah, I'll set up an MFA if you care about that, but I'm going to use that account to come in. That's living on the edge, living on all those edge devices.

Another common concept these days is living off the land, and one part of that is using RMM, or remote monitoring and management tools. I call them advanced remote access trojans with enterprise support. When I started to look I was like, I'm going to create a list of every RMM tool these threat actors use so that I can just put some rules in to detect that stuff, and I ended up with this, and that's not even a complete list. I can recognize some of these. A lot of this stuff just keeps coming up, which means if you have that block list for that RMM you need to keep updating that. If you're like, I block AnyDesk: do you block GetScreen? I don't even know what that is. BeAnywhere, Tactical RMM, r sox, RPort, RustDesk, TeamViewer... maybe you block some of those, maybe some you don't. So these threat actors are going to come in, they're going to keep trying stuff and something is going to work.

Another interesting RMM tool, maybe not an RMM, it's like software-defined networking. These are new solutions that have come out, newer solutions that have come out, stuff like Tailscale, Twingate, ZeroTier. Anyone use that? It works very well, I use some of that stuff. And if a threat actor can deploy that, a lot of this stuff works as a SOCKS proxy, so you can set that up as a proxy and now all your traffic is getting routed through that machine where you deployed it. That's probably not going to trigger any EDR because it's signed, it's legit, everyone uses that. Your system administrator probably uses AnyDesk or TeamViewer or something else. It's not going to trigger that EDR solution. That's why the threat actors use that.

Now we're going to talk about actions on objectives. That's why the threat actor is in the environment. While they're there to mess up our time and our weekends, our Friday evenings, the real stuff is that money which they're after. They want to extort their victims. There are multiple ways to do that, but what has happened, what is happening recently, and it's an interesting trend, is that instead of deploying ransomware in the environment (and they still do deploy ransomware, some of the threat actors do) what they are focusing on is exfiltration. If I deploy ransomware I need to figure out ways of deploying that, I need to bypass the EDR or security solution you have, then I need to deploy it, then something will encrypt, then you're going to come to me for the key, I need to maintain that, I need to manage all that, and then I'm going to hope that my decryptor, which I'm going to sell you for millions of dollars, works. That's a lot of work, I don't want that. So what these threat actors end up doing is just exfiltration, which is a very very effective business model. We have seen that work very well. How do you do exfiltration at scale, not getting detected, and get all the data out? A lot of the stuff that works is targeting stuff that is important for organizations, like code repositories, document management systems, storage systems, SharePoint, SQL databases; all that stuff can be copied out. Maybe use a backup solution. Maybe I'm going to use a backup solution as a threat actor in your environment, I'm going to deploy that backup software and now your backup is happening in my cloud, this guy's cloud. So I'm stealing all the data from your systems by using a backup mechanism. Again, not going to trigger a lot of alerts because those are legit software; EDR is not going to go bang bang, this is bad. No, it works like that.
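The speaker's point that a block list of RMM names never stays complete suggests inverting it: keep an allowlist of the sanctioned remote-access tool and its install path, and alert on any other remote-access product, on a sanctioned one running from a user-writable location, or on a renamed binary identified by its code-signing publisher. As an added example, not from the talk or any vendor product, the Python below does that over constructed EDR/Sysmon-style process-start events. The product catalogue is a deliberately small constructed starting point, the signer strings are illustrative publisher names that should be checked against current binaries, and the hosts, users and paths are made up.

```python
"""Allowlist-based detection of remote-access / RMM tooling in process events.

Events mimic (in simplified form) EDR or Sysmon process-creation records:
host, user, image path and, when available, the Authenticode signer. Windows
and POSIX paths are both accepted because the NAS and hypervisor hosts the talk
mentions run Linux. All sample data below is constructed for this example.
"""

# Catalogue of executable names (lower-case, no .exe) -> product. This is a
# constructed starting point and, as the talk stresses, never complete.
RMM_BY_IMAGE = {
    "anydesk": "AnyDesk",
    "teamviewer": "TeamViewer", "teamviewer_service": "TeamViewer",
    "rustdesk": "RustDesk",
    "rport": "RPort",
    "tailscale": "Tailscale", "tailscaled": "Tailscale",
    "zerotier one": "ZeroTier", "zerotier-one": "ZeroTier",
}

# Code-signing publisher -> product, to catch a copy renamed to update.exe.
# Illustrative signer strings (assumption); verify against current binaries.
RMM_BY_SIGNER = {
    "philandro software gmbh": "AnyDesk",
    "anydesk software gmbh": "AnyDesk",
    "teamviewer germany gmbh": "TeamViewer",
}


def _basename(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def identify(event):
    """Return (product, how) with how in {"image", "signer"}, or None."""
    product = RMM_BY_IMAGE.get(_basename(event["image"]))
    if product:
        return product, "image"
    product = RMM_BY_SIGNER.get(event.get("signer", "").lower())
    if product:
        return product, "signer"
    return None


def evaluate(events, sanctioned):
    """sanctioned maps product -> lower-case, forward-slash install-dir prefix.

    Returns one finding per event that runs a remote-access product the
    organisation did not sanction, runs a sanctioned one from the wrong place,
    or runs a renamed binary recognised only by its signer.
    """
    findings = []
    for e in events:
        hit = identify(e)
        if not hit:
            continue
        product, how = hit
        path = e["image"].replace("\\", "/").lower()
        if how == "signer":
            sev, why = "high", f"{product}-signed binary renamed to {_basename(e['image'])}"
        elif product not in sanctioned:
            sev, why = "high", f"{product} is not a sanctioned remote-access tool"
        elif not path.startswith(sanctioned[product]):
            sev, why = "medium", f"sanctioned {product} running outside {sanctioned[product]}"
        else:
            continue  # sanctioned product in its install directory: expected
        findings.append({"host": e["host"], "user": e["user"], "product": product,
                         "severity": sev, "reason": why})
    return findings


# Assumption: the organisation only sanctions TeamViewer from its default path.
SANCTIONED = {"TeamViewer": "c:/program files/teamviewer/"}

SAMPLE_EVENTS = [  # constructed
    {"host": "ws-011", "user": "jdoe", "image": r"C:\Program Files\TeamViewer\TeamViewer_Service.exe",
     "signer": "TeamViewer Germany GmbH"},
    {"host": "ws-042", "user": "svc_backup", "image": r"C:\Users\svc_backup\AppData\Local\Temp\AnyDesk.exe",
     "signer": "philandro Software GmbH"},
    {"host": "srv-db01", "user": "admin", "image": r"C:\Users\admin\Downloads\TeamViewer.exe",
     "signer": "TeamViewer Germany GmbH"},
    {"host": "ws-007", "user": "jdoe", "image": r"C:\Windows\System32\svchost.exe",
     "signer": "Microsoft Windows"},
    {"host": "nas-01", "user": "root", "image": "/tmp/rustdesk"},
    {"host": "ws-019", "user": "jdoe", "image": r"C:\Users\Public\update.exe",
     "signer": "philandro Software GmbH"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS, SANCTIONED):
        print(f"[{f['severity']}] {f['host']} {f['user']}: {f['reason']}")
```

The allowlist covers the SDN-style tools the speaker lists in the same way: Tailscale and ZeroTier are in the catalogue, so a copy appearing on a host is reported unless the organisation has added it to SANCTIONED with its install path.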
So that's exfiltration, which is often larger than encryption, or more common than encryption these days. A lot of these softwares or cloud-based services are what the threat actors are using, and maybe you're like, I won't allow that Mega to be accessed from my environment. Good, often that is the first one the threat actors try, but then are you going to block OneDrive, Google Drive, S3 buckets? Probably not. Dropbox, whatever you use, they're going to use that. They're going to use SharePoint Online, they're just going to do an FTP out to a system they control, or maybe just use HTTP to push that data out. There are a lot of these different ways to exfiltrate that data, which the threat actor is going to choose based on what works in the environment they are targeting.

Another interesting thing that has been happening recently is the use of what we call ETL, or extract, transform and load tools. I've put in some of these. What they help the threat actor to do is use an API, pull data from a lot of these SaaS applications (a lot of organizations use that), and that data now gets pulled, transformed and pushed into a solution which the threat actor has an account on. Works very well, very fast. A large amount of data can be exfiltrated very very quickly, which means instead of copying data out of that on-prem system where you have a low bandwidth internet, I'm going to use the cloud service provider's internet and I'm going to just copy a lot of data very very quickly. And a lot of organizations don't do a great job of looking for those API keys and other configuration that these solutions need in the SaaS applications.

This one still works, which is hypervisor jackpotting. This has been there for a while. A threat actor figures out a way to get into the environment, they figure out ways to get credentials that they can then use to get into that ESXi or Hyper-V. A lot of these ESXi environments are being targeted. They don't have any security software, like you can't run security software there. A lot of organizations have SSH open, a lot of organizations have their vCenters integrated with their Active Directory, so if I can get into Active Directory I can do some stuff, get some credentials, I can use that to get to the ESXi, which I can then encrypt. There are a lot of encryption tools that are available for ESXi. And that backup software server which you have, which is running on the same ESXi, which is doing the backup of everything, also gets encrypted. A lot of systems that the threat actor is using get encrypted, which means when we do the forensics and IR all that evidence is gone, it's not there anymore, we can't do much. The organization can't recover because the backup solution is encrypted; all that backup data which they thought they had is now gone.

The last stuff is putting more pressure to extort victims, stuff like sending emails to vendors, to partners, to employees saying, I just asked for a million dollars, this organization is not paying me a million dollars, so they don't value your data, why don't you ask them to pay that million dollars, maybe that'll help. Sending mass emails to all the employees in the organization, that has happened. This one is interesting: a threat actor reached out to the US Securities and Exchange Commission saying this organization got breached, they had their data exfiltrated and they didn't report it to you, that's not good, that's a compliance issue. Yeah, I don't know what I think about that, but yeah. So they tend to leak data publicly, and they tend to do that in pieces, like not come out with everything at one go, just try to put some more pressure, just keep putting that pressure slowly, see how things evolve. Reaching out to journalists and saying I have this data, do you want to report something, do you want to put an article in. That's extortion tech.

So the call to action for the Monday is: identity is the key to a secure environment. Get that MFA in, go recheck that, there might be accounts that don't have MFA. Please make sure there is MFA on all the accounts that you use for all the external services that you have. Use a phishing-resistant MFA if possible; don't use that SMS. Secure your hypervisors, that's where a lot of the stuff happens. Improve cloud security. Remember that visibility and capability to respond is the superpower we have. And if... yeah, I hope it doesn't happen ever, I don't want to talk to any of you on an official call, never. If you are under an attack, respond fast. You will break things, that's okay. Applications will go down, that's okay. Some of your users may not be able to log in; that's better than getting ransomware or getting your data exfiltrated. That's all I have for you folks, thank you very much for listening. If you need the slides, that's where they are. Thank you.
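The ETL-style exfiltration described above leaves traces in the SaaS application's own audit log: a freshly created API token, or a newly authorised OAuth app, followed by bulk export calls at a volume the tenant never produced before. As an added example that is not from the talk, the Python below profiles tokens from generic SaaS audit events (a constructed, simplified event shape, not any specific vendor's format), ranks recently created tokens with large hourly egress or bulk-export calls, and lists OAuth apps outside a sanctioned set. The thresholds, the "recent" window, the endpoint hints, the sanctioned-app list, the reference time and all sample events are assumptions.

```python
"""Surface SaaS API tokens and OAuth apps that look like an exfiltration pipeline.

Events are dicts with a "type" of api_token.created, api.request or
oauth_app.authorized; this is a constructed, simplified shape chosen for the
example. Timestamps are ISO 8601 in UTC. All sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NEW_TOKEN_WINDOW = timedelta(days=7)            # assumption: what counts as "new"
EGRESS_THRESHOLD_BYTES = 500 * 1024 * 1024      # assumption: 500 MiB per token per hour
BULK_ENDPOINT_HINTS = ("/export", "/bulk", "/download", "/search")
KNOWN_INTEGRATIONS = {"Corp BI Connector"}      # assumption: sanctioned OAuth apps


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _hour(dt):
    return dt.replace(minute=0, second=0, microsecond=0)


def _empty_profile():
    return {"created": None, "actor": None, "scopes": set(),
            "hourly_bytes": defaultdict(int), "bulk_calls": 0}


def profile_tokens(events):
    """Return {token_id: profile} with creation info, hourly egress and bulk-call count."""
    tokens = {}
    for e in events:
        if e["type"] == "api_token.created":
            t = tokens.setdefault(e["token_id"], _empty_profile())
            t["created"], t["actor"], t["scopes"] = _ts(e["ts"]), e["actor"], set(e["scopes"])
    for e in events:
        if e["type"] != "api.request":
            continue
        # A token with no creation event in the retained log is of unknown age.
        t = tokens.setdefault(e["token_id"], _empty_profile())
        t["hourly_bytes"][_hour(_ts(e["ts"]))] += e["bytes_out"]
        if any(h in e["endpoint"] for h in BULK_ENDPOINT_HINTS):
            t["bulk_calls"] += 1
    return tokens


def find_suspicious(events, now):
    """Rank tokens by recency plus egress, and list unsanctioned OAuth apps."""
    findings = []
    for token_id, t in profile_tokens(events).items():
        peak = max(t["hourly_bytes"].values(), default=0)
        is_new = t["created"] is None or now - t["created"] <= NEW_TOKEN_WINDOW
        if peak >= EGRESS_THRESHOLD_BYTES and is_new:
            severity = "high"        # new credential immediately pulling bulk data
        elif peak >= EGRESS_THRESHOLD_BYTES or (is_new and t["bulk_calls"]):
            severity = "medium"      # established token spiking, or new token probing exports
        else:
            continue
        findings.append({"kind": "api_token", "id": token_id, "actor": t["actor"],
                         "severity": severity, "peak_bytes_per_hour": peak,
                         "bulk_calls": t["bulk_calls"]})
    for e in events:
        if e["type"] == "oauth_app.authorized" and e["app"] not in KNOWN_INTEGRATIONS:
            findings.append({"kind": "oauth_app", "id": e["app"], "actor": e["actor"],
                             "severity": "medium", "scopes": sorted(e["scopes"])})
    return findings


MIB = 1024 * 1024
NOW = datetime(2024, 5, 21, tzinfo=timezone.utc)  # assumption: reference time for "recent"

SAMPLE_EVENTS = [  # constructed
    {"type": "api_token.created", "token_id": "tok-001", "actor": "svc.bi",
     "scopes": ["reports:read"], "ts": "2024-03-01T09:00:00Z"},
    {"type": "api.request", "token_id": "tok-001", "endpoint": "/api/v2/reports",
     "bytes_out": 2 * MIB, "ts": "2024-05-20T09:05:00Z"},
    {"type": "api.request", "token_id": "tok-001", "endpoint": "/api/v2/reports",
     "bytes_out": 2 * MIB, "ts": "2024-05-20T10:05:00Z"},
    {"type": "api_token.created", "token_id": "tok-077", "actor": "j.doe",
     "scopes": ["files:read", "users:read"], "ts": "2024-05-20T02:10:00Z"},
    {"type": "api.request", "token_id": "tok-077", "endpoint": "/api/v2/files/export",
     "bytes_out": 300 * MIB, "ts": "2024-05-20T02:15:00Z"},
    {"type": "api.request", "token_id": "tok-077", "endpoint": "/api/v2/files/export",
     "bytes_out": 300 * MIB, "ts": "2024-05-20T02:40:00Z"},
    {"type": "api.request", "token_id": "tok-077", "endpoint": "/api/v2/files/export",
     "bytes_out": 300 * MIB, "ts": "2024-05-20T02:55:00Z"},
    {"type": "oauth_app.authorized", "app": "Corp BI Connector", "actor": "svc.bi",
     "scopes": ["reports:read"], "ts": "2024-05-19T11:00:00Z"},
    {"type": "oauth_app.authorized", "app": "DataPipe Sync", "actor": "j.doe",
     "scopes": ["files:read", "users:read"], "ts": "2024-05-20T02:05:00Z"},
]


def run_example():
    return find_suspicious(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for f in run_example():
        print(f)
```

The hourly bucket is the key design choice: ETL pulls are fast, so a daily total hides the spike, while a per-hour peak per credential shows a new token moving hundreds of MiB within an hour of being minted.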