
...and prevention. A few announcements before we begin. We would like to thank our sponsors, especially our Diamond sponsor Adobe and our Gold sponsors Prisma Cloud, BlueCat and Toyota. It's with their support, along with other sponsors, owners and volunteers, that makes this event possible. These talks are being streamed live, and as a courtesy to our speakers and audience we would like you to make sure that your cell phones are on silent. If you have any question, please use the audience microphone so that YouTube can hear you. And with that, let's get started and welcome our speakers.

Hey, hey. Besides, how the hell y'all doing? Excellent. Y'all are here for it? We're here for it. Let's get it, huh? So my name's Jason. I formed and co-lead the purple team at Meta with Cedric Owens, that phenomenal human being right there. The team was officially established back in January of 2022, and before I got into tech I used to be a touring death metal musician.
That was a lot of fun. Doesn't pay well. And my tech career has focused on pen testing, red teaming, DevOps and tool development. I also have several years under my belt as a systems administrator, so I'm old. And this isn't the first team I built. I actually created the corporate red team at Sandia National Labs, which I was able to grow to a size of about seven hackers before I moved on back in 2019. I was in a Black Hat class yesterday and some of the folks that are now on the team were there, so it's still going well. They have stickers, so I have one of the stickers from the team, which is pretty cool. And yeah, feel good about that, buddy.

Hey everyone, I'm Adam. I'm a tech lead for threat intelligence at Meta. My background is significantly less interesting than Jason's. I've been in cybersecurity for about 11 years. I did the first five years of my career working in security operation centers in the UK; I apologize for the accent in advance. After that I kind of got involved in threat intelligence after trying to broker information between clients of the MSSP that I was working for, and joined a Dutch intelligence company for two years, went all over the world with them helping government agencies and large corporations building intelligence capabilities. Then in 2019 I jumped to Meta and joined their team tracking financially motivated threat actors.

So we've got a hell of a lot to cover today and not a lot of time to do it, so we're going to touch on how purple teaming and threat intelligence is set up at Meta. We're going to introduce TTP Forge, which is the tool we're releasing open source as part of this talk that helps teams test tactics, techniques and procedures at scale. We'll delve into how purple team, threat intelligence and TTP Forge fit in with the wider security teams, and delve into some of our both shared and unique pain points. But then the meat of this talk is going to be on how we use all of that together to
respond to sudden changes in the threat landscape, and we'll have some demos to show how that looks under the hood at the end.

So what do we mean by sudden changes in the threat landscape? The stuff on the screen happened in summer of 2022, when a group that's tracked as Scattered Spider or Octopus, depending on where you buy your intelligence from, started causing major headaches for large tech companies. And overnight, leadership wanted to know: who are this group, what are they capable of, have they targeted us, have they been successful and we've missed it? And they wanted to know the answer to that now, because companies within our sector were being popped and it was in the news overnight. So as an intel nerd I'm often expected to peer into a crystal ball and predict the future with 100% confidence, but despite all the resourcing you can throw at it, that's still not a feasible objective. We still get caught by surprise. New actor groups come out overnight that we learn about from incident response teams embedded in different companies, or we learn about them from the news articles, and have to build some kind of response. The same goes for when vulnerabilities are announced or proof-of-concept exploits get released where there's no existing patch for them, and the world has to scramble to work out what the response to that looks like. And I know that's super topical for this conference; a lot of talks yesterday and today are about the ethics of responsible disclosure. So what we hope this talk does is lift the curtain on what it looks like for security teams to be on the other side of that, and the work that has to go into place when something like that happens.

So, backing up a little bit: threat intelligence at Meta. First and foremost, there are many intelligence teams at Meta. There's awesome people doing amazing work in everything from anti-scraping, election integrity, influence ops. But the team I'm
embedded with is within our incident response function, so we track adversaries that target our employees, our endpoints and our infrastructure. And day to day we sit side by side with our incident responders, our detection engineers and our threat hunters. So by virtue of that we have a huge tactical and operational focus; we don't do too much on the strategic side. Where our specialties lie is in turning intelligence research and tradecraft into applied security changes in the shortest time possible.

All right, let's talk about purple, huh? So as I'm sure most of you in this room are well aware, dedicated purple teams are a fairly nascent concept in the security space. We're seeing a lot more in the way of red teams that will run purple team engagements, but there's just not that many dedicated purple teams. And all that is to say (there we go, we're not feedbacking anymore) there isn't much of a golden standard at this point, and we're aiming to provide information as part of the general conversation around that topic. And so the first iteration of purple teaming at Meta was technically done by Chris Gates, aka carnal0wnage, shout out to that dude, while he worked here from 2014 through 2015, although this looked significantly different from what we think about when we do purple teaming today. So the purple team of today is built as an internal consultancy. So we have customers, deadlines and stakeholders across the entire company that rely on our deliverables, and taking this approach really helps us to maintain a certain quality and consistency for our outputs, which is really important when you have a variety of customers in different organizations across the world doing dramatically different work. And we spent time right out the gate creating engagement offerings, or a menu if you will, of the various things that we can do that accommodate a wide variety of needs. In turn this allows us to work with a lot of different teams and keep work fun. So for one
engagement we could be doing something around web, and then the next one could be around infra or mobile or VR. I don't like just doing one thing, and this really checks that box for me. So if you are more interested in the program side of that, Cedric Owens and I gave a talk at SANS's Pen Test HackFest back in November covering how the team is structured and functions, so if you want to learn more about that, go check out that talk. And above all, a key principle on purple team is to align pragmatism with enjoyment. And so what we mean by this is if you have an endpoint detection and response system that isn't detecting basic TTPs, you should not be sitting there trying to develop a sophisticated bypass. Let's learn to walk before we can run. Yeah, and at the end of the day, the effectiveness of creating useful adversary simulations depends largely on their realistic nature.

Speaking of TTPs, I want to introduce you all to the TTP Forge, which I am absolutely jazzed to finally be putting out. So this is our homegrown tool for purple teaming at Meta. This tool is going out live a bit after the talk as free and open-source software, so I really hope you all get the chance to check it out, see what you think. The primary goal of the TTP Forge is to simplify the process for engineers with diverse backgrounds to test and build detections and preventions, and we're able to accomplish this by simulating malicious activities using building blocks described with YAML. You can think of it as Legos, effectively: you can stack, and we use this to automate and execute TTPs. To give you a sense for how the TTPs look, this particular image here is going to be a part of the demos a bit later, but it's part of a TTP that steals secrets from the AWS Secrets Manager. And as mentioned by Adam, we're going to be doing some demos towards the end of the talk, so stay tuned.

Yeah, so like every large company, security doesn't happen in isolation. There's a lot of teams that
plug into threat intelligence and purple team. But while putting this deck together, it's palpable that we're a security-rich company, and we can appreciate that not all companies are in that position. A lot of the teams that we plug into may exist in a single person, or may in the worst case exist in less than a single person. And that's been one of mine and Jason's drivers for releasing TTP Forge: to put the research of a large function like ours into the hands of the community. So if you're on your own facing this, or you're a part of a small team, you can still leverage the same research and tradecraft that we're using.

So first up in teams that we plug into is incident response, and that's everything from our tier one to tier three responders. They plug into threat intelligence to get low-latency access to intelligence about the groups they're facing in the queues, and we've done a lot of work to embed intelligence directly into the tooling they use so it's there and readily apparent. But if it's not, and they're encountering something brand new, they can press one button and tag threat intelligence in to do rapid research to fill in the blanks for them, to help them understand what they're dealing with, what the next steps are, what this actor's motivations are, and ultimately how to rip it out of our environment if we detect it. Where it plugs into purple team and TTP Forge specifically is they have a high need for low-latency, sorry, low-false-positive-rate detections. If threat intelligence is pushing to land a new detection in response to some threat we're tracking, but it ultimately results in crazy high load and blowing up the queues for them, this is the team that feels it. And because our team's embedded in incident response, they're our primary source of leads: about 70% of all of our leads come from people on the front lines answering tickets saying, hey, this is interesting, I've never seen this before. So it pays to keep them happy.

And next up is threat hunting, and threat
hunting's moved around a lot at Meta. It's a fundamental capability of a lot of our different security teams, but we've recently crystallized it into its own dedicated function. And they plug into threat intelligence in a few ways. Primarily we're there to help them prioritize the giant backlog of everything they could possibly hunt for, and narrow that down to: these are the probable groups that are going to try to pop our company or have tried to pop our company in the past, so maybe prioritize the TTPs they use for threat hunting over something else. Where they plug into TTP Forge is TTP Forge allows them to run a TTP and get signal of what that looks like when it detonates in our environment. For a lot of the things threat intelligence sends over to our hunters, we're lucky enough to have never experienced that type of attack in our environment, so we don't have the logs and the signal they need to know what that looks like in our environment to go and hunt it retroactively.

All right, so detection engineering. Detection engineering is a very important partner. Ultimately, detection engineering is going to be amplifying our security by using high-fidelity detections to accurately identify legitimate threats and ideally minimize false positives and negatives. Purple team, in collaboration with these folks, we utilize the TTP Forge to simulate varied threat scenarios and work to be able to empower the defenders to do this themselves. So for more simple TTPs they don't even need to talk to us; they can just do it themselves, which has been going pretty well so far in terms of generating high-quality signals for folks that don't necessarily have a strong offsec background.

Now, red team. This is a real interesting one, especially when you think about plugging it in with threat intelligence. If you think about threat intelligence as a team, their primary function is to research real-world adversaries and threats. This knowledge can be incredibly, incredibly valuable
for informing red team operations. So by integrating threat intelligence into the planning and execution of red team operations, we can gain a more focused lens through which we can examine particular threats, and this targeted approach allows us to anticipate and address potential threats with some answer to: can we detect this, will we see this? And in turn that leads to a lot of nice proactive and accurate security wins, so that's pretty great. And to maximize the effectiveness of red team operations, purple team automates TTPs that are used in a red team operation with the Forge. So in doing this we're able to use the TTPs either to control commits to trunk for infra deployments, or to run them as needed to see if a detection has regressed or stopped working. And so by closely examining the various paths that red team exploits, we can ensure a more secure and responsive approach to our security measures.

All right, so now we're going to talk about some of the difficulties that are unique to each of our teams. On the purple side, first and foremost, information overload. It is vital for purple teams to prioritize quality over quantity when it comes to TTPs. If you're just running a bajillion TTPs simultaneously, I mean, that's almost as bad as the traditional model of just yeeting a pen test report over the fence and being like, yo dog, fix this. Like, they have a queue, they have a lot of stuff going on; that's not going to help. So by just giving them a ton of signal, where are they going to start? So instead we should aim for focused, in-depth exploration of fewer TTPs for more effective improvements. Let's focus on the outcomes. And next up, as I mentioned before, purple teaming is a fairly nascent field, and so a lot of people think of it as pen testing, and I can tell you as a career pentester: very different. They're both quite important, but with purple teaming we are a lot more focused around trying to generate signal that will be used to check and
see, hey, does this work, does this not work, let's see if we can iterate, and ultimately by executing these in a controlled environment, repeated really as many times as needed, to ensure that we can improve our defenses or address any gaps.

So on our side of the fence, first up is ruthless prioritization. There are thousands of groups that we could track on any given day, and tracking is a super intensive procedure; it's costly for us to do. We don't want to track the entire world, and that's especially true in a world where every kid with a laptop can throw up a WordPress blog and call himself the next ransomware crew. And at the same time, we don't want to drown our stakeholders as well. It's common for intelligence teams to just pipe everything that they see to a downstream team in the hope that you care about something that lands. That problem gets compounded if you have vague intelligence requirements. Contrary to popular belief, "tell me what all the bad things are" isn't a brilliant intelligence requirement for a team. So if you haven't told your team what you care about, there's two things that will happen: one, your intelligence team's never going to send you anything and you don't see anything, or they're going to throw everything at you in the hope that something sticks. And that's become a massive industry trap for intelligence teams, where we're perceived as just the producers of reports nobody reads. So that's one thing we've had to dig ourselves out of with really tight intelligence requirements. And the last is uncertainty and probability. So one of the taglines of my team is "threat intelligence exists to remove uncertainty and to inject probability," and sudden landscape changes, they're shrouded in uncertainty. We don't know who this group is, what they're capable of, if they've hit us, are we capable of defending against them. All of those are uncertainties that threat intelligence should
exist to help teams remove, and empower stakeholders to find the answers to those questions. But when we're doing that, we have a fundamental language gap. Intelligence works in a murky world of partial pictures, confidence ratings, TS classifications and probabilities that traditional blue teams don't use every day. The blue teams that we deal with are much more absolute; they deal in true positives, false positives, can we detect this, can't we detect this. So that's where TTP Forge has helped us bridge that translation gap. So it's not just me rocking up at your desk and telling you a spooky story about what's happening on the internet. We're doing it from a point where there is this thing that poses a credible risk to our business, but we've tested it, and here is the data that proves it's a problem and we need to move now, and here is all the signal that arms you to take the next step.

All right, so with that context and information in mind, why don't we talk about the shared problem spaces our teams have in common. First and foremost, and I think this applies to anyone and everyone who does security in this room: how do we get people to care about this stuff? So on the purple side, securing resources to address gaps can be a real bear, and so the key is effectively communicating the impacts of these gaps as far as the organization's security posture goes. You don't want to just think about your little area that you're targeting; we are saying, in the grand scheme of things, what does this mean? And in doing that we're able to highlight potential risks and repercussions if these risks are left unaddressed, and that in turn allows us to advocate for the value added by remediating them. And so our advice is typically in the realm of: utilize purple team reports, which are a joint report that everyone involved gets to contribute to (more on that later), and TTP Forge to support your case and convey the necessity for
allocated resources. Next up, t