
Purple-teaming outbound HTTPS

BSides PDX · 2023 · 50:03 · 84 views · Published 2023-10
Category: Technical
Team: Purple
About this talk
Red teams: want to exfiltrate sensitive data from outbound HTTPS traffic on that juicy Linux host you just compromised? Blue teams: want to detect the various ways bad actors can intercept outbound HTTPS? This talk is for you! We’ll walk through a number of scenarios discussing trade-offs in stealth and complexity. Watch a quick PoC live, and dig into the internals of the solutions offline. Evading detection in Linux has a special place in my heart. There’s nothing quite as exciting as popping a shell on a host and seeing what you can do with it. Add intercepting outbound HTTPS to your arsenal!

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. bsidespdx.org

Transcript

[Music] Welcome to Purple-teaming outbound HTTPS. I'm going to give a chance to describe what this talk is about, so if you realize this isn't for you, it's okay, you can, you can change. Um, all the materials are online. Like I said, oh my God, something happened to the formatting of that. Anyway, um, yes, there's a GitHub repo where you can reproduce all the proof of concepts I'm going to show today, because I don't, I only have screenshots of, like, success, but if you're skeptical, you want to find out for yourself, you can go do that. So who is this talk for? Um, it's for, hey, purple teams. Um, really it's for anyone who's interested in what can the

bad guys do, the, the, the good guys can protect, and how can you all learn from each other, uh, and add, add detections. Um, so yeah. Um, what are we going to cover? So there's kind of the intro material of, like, what, why, how. Um, I'm going to then int, intro what the attack paths are going to be, and that's actually most of the material, like 90% of the material is the attack side. And I've actually got quite a lot of time for my talk, so I'm going to take a QR break, Q&A break at that point, couple of minutes, give it a chance, see if there's any questions that fell out the attack paths, and then I'll go on to

preventions and detections, which are fair in terms of content, uh, not so much. Um, I'll summarize and then we'll have time for Q&A if there's time. So what? Like, this is like a really simplified, uh, like text, a, uh, architectural diagram you might have at work. You're some SaaS, you know, you've got customers who use browsers to talk to this internal service that uses the database, and your internal service talks to this third-party external service. Now if you're looking at this, um, okay, who here, uh, does, like, security reviews at work? Yeah, quite a few. Anyone do, uh, answer any, uh, third-party, uh, like vendor vetting where they say, hey, is all your

data encrypted in transit? Okay, yeah. Do you ever, like me, just go: we're good, it's HTTPS, job done, I don't even think about this anymore? Turns out this is actually a huge blind spot, because you got an adversary that compromises the host. Um, you know, things like, uh, the incoming data coming through HTTPS, kind of open season, because normally, um, it's, uh, the, the handshake is terminated before you get to a particular process, so you can, normally you can tcpdump that. The, um, the creds for accessing the database normally lying around as well. Um, but this, this part here, that's a bit of a blind spot. Um, and without thinking too hard about it I would just say, oh yeah, you're

totally safe. So this talk, if anything, uh, is, is, it's a, a list of ways in which you are not safe. Um, so why, if you're a purple team, are you going to choose this as an exercise? Well, really it's for one of these three reasons. So it might be that there's really sensitive data that's in transit that's maybe not easily accessible through other means. Um, you might be an adversary, you've compromised something, you don't know what you have yet, and really you want to go recon, like, oh, what is this interacting with, and how, what's the protocol here? Um, and intercepting your outbound HTTPS can really, can be really stealthy. You're not going to trip any

alarms because you got these new connections to databases that are, like, like executing these unusual queries or anything like that. Um, so a bit of the how. Uh, there's this concept of assumed breach, uh, when you're emulating adversaries and doing purple teams. Um, and really it's the scope. What, so the scope of this talk is: we're not going to worry about anything that happened up until the point where the host that's running this internal service got compromised. And similarly, we're going to assume exfiltration. We're not going to worry about, well, once I intercept this data, how do I get out again? So remember that once we start talking about preventions and detections, because a lot

of you, you're going to be like, oh, what about egress, what about egress? And I was like, well, yep, calm down, that's out of scope. Um, and really you want to do these things because you could just say, well, let's just prevent exfiltration from ever, ever happening, let's prevent breaches from ever happening. How does that pan out right now? You want to plan for failure of those things. Um, yeah, and then lastly, you know, I'm going to present you with a menu of options, um, and you want to choose one of those. So there's, there's four. By the way, Midjourney is amazing. Just put, like, aggressive red My Little Pony conducting cyber attacks, that's what I

got. Um, I love that, maybe too much. Um, yeah, so I'm going to go through four. They've really, when I, when I look at them and try to contrast them, they got varying degrees of coding skill, um, and then, possibly more importantly, they got various, varying degrees of preconditions that they need. Uh, I think a lot of that would inform which ones would your, which ones are your adversaries capable of, um, and then what are the actual limitations you have in the host that you've compromised. Like maybe you don't have, you know, what Linux capabilities do you have, um, do you have root access, that kind of thing. Um, and I think in a, a good

framing, and someone in the audience knows that they told me this, um, these are all really variations of person in the middle. Now, we think of person in the middle as someone out there in the internet is, like, intercepting my packets and doing something bad. Well, just imagine that in the context of inside the computer, on the actual host that has been compromised, and that's basically what we're doing. All right. Oh, I didn't mention, by the way, I'm, if you want to interrupt and just ask a question, just raise your hand or start, or start talking. I'm, I'm good with that. So yeah, feel free. Um, so there's going to be four. Uh, there's, this is, you know, between the

internal service on the compromised host and the external service, your crown jewels is inside that HTTPS data. So there's four I'm going to walk you through. Um, the first one is your interpreted code, which is really, uh, it's everything that you, your software engineers have used to make this internal service work. So it's both, you know, maybe it's your server.js file, right, which is, um, code that your engineers wrote, and then a whole bunch of other libraries. Like 95% of the code is probably other people's code from open source. And then if you're interpreting code, you, uh, you're, you're bringing a binary with you to do that, like maybe node or

Python. And, um, shared library is, is, starts to get a little bit surprising. Um, like your, your operating system, uh, comes with a whole bunch of shared, uh, functionality, common functionality, and OpenSSL is a really common one, um, and that's the one that we'll focus on here. Which is, you know, every single executable you have is not shipping with an entire implementation of how to do HTTPS. That is, that comes with your, uh, operating system, kind of like a Windows DLL, and that's an opportunity to do nasty things. Um, and a transparent pro, proxy, this is, it's kind of like that classic, um, man-in-the-middle, uh, HTTPS proxy, um, and you can see

like legit examples of this, although this isn't on host, would be like a Palo Alto firewall that just ships with, like, break-and-inspect functionality, cuz that's an awesome idea. Um, so I'll, I'll show you a really cool tool that actually, if there's only one thing you take away from the tool, from the talk, the tool that I use for this transparent proxy is, it is so good, I use it all the time for everything. Um, but having an HTTPS proxy transparently on the host, that's a real surprise. I don't think anyone in, on incident response is looking, or, uh, detect response is looking for that one. All right, so onto the first one. So this is attacking the interpreted

code itself. Uh, there's quite a lot of coding. Uh, maybe you're not changing many lines of code, but the, the, uh, the kind of skill and fluency that you need with coding is a little demanding. On the upside, though, my God, you don't really need to have too much access to be successful with this one, and I think might be quite hard to detect as well. So what does this look like? Um, I've got here this server.js, because this is JavaScript. Yeah, you don't, you don't need to be a coder and understand what this is doing, but imagine instead of this, this, this code here is saying, hey, I'm going to go call example.com,

POST with my super sensitive data. Cool, that's, that's what internal services look like, right? Totally, totally. Now normally they're like this, hardly, really hard to in, uh, to make sense of, sprawling code, codebases. Um, so yeah, so really simplistically, you got like two files you're applying, you're deploying. Anything sound wrong about that? Yeah. Um, this, this library here, node-fetch, that we're using to do, to, to give us this, um, HTTPS functionality, it's going to come with a whole load of baggage. Um, and what's of most interest, oh right, yes, and then if we, this is where it comes to the significant coding effort, is if you're an attacker, you, you could quickly browse through the code of this, uh,

internal service: oh, they're using node-fetch. You know what I know about node-fetch? They support agents. Cool, so if I can add in my own agent here, I get to intercept everything that goes on. Um, so that's, that's the effect we want to achieve, and it means we're going to want to modify, I, not, not for nothing, no accident I mentioned index.js here inside of node-fetch, because if we can change that, we can, we can, can make that behavior occur. Um, and so what are these changes going to look like? We're going to, basically, we're going to go into this, we're going to go, we're going to go into this, um, declaration of the fetch

function and we're just going to override the agent option and say, hey, it's, it's our agent, actually. But then we also have to define this, this logging agent. Don't worry, again, if this doesn't make sense to you, but we got a logging agent that is, does everything an HTTPS agent does normally, but it, this moment where you create a connection is the moment where we get to go: oh, we have access to the socket, like the moment right before everything gets encrypted. So let's change that write method to be able to intercept it, and, you know, over here we'll, you know, keep it working. Uh, we'll add a listener for any new data that comes in, and just with

those changes, that's it, we've proved that we can intercept the data. So just to give you an idea of what the diff looks like, you know, this is a crazy long file, but, like, really early on we just inserted those two blocks of code. Quick time check here, see how long I'm taking. Oh, this is fine. Okay, um, so yeah, uh, I'm a big fan of prove it, because slides are great. Um, and on the downside, then I'm introducing yet another thing you have to grok, which is Dockerfiles. That's fine if you've seen it before, and if you haven't, I'm sorry. Um, right, so your internal service might look something like this: oh yeah, we're

node on, on Buster, and we're going to be in the /usr/src/app directory, we'll put files there, we'll go install everything, and this is the important line, we, we'll go run node with server.js. Um, and then, so I've prepared a Dockerfile of what this looks like so that it'll, it'll, uh, be compromised. Is, uh, first off, I mean, it's actually pretty easy. Look, there, all you do, one-liner. Um, I'm defining my own, uh, I'm saying I'm building off this Node.js internal service, and all I'm doing is I'm going to take my pre-prepared modified index.js, that's the one you saw on the previous slide, and I'm going to overwrite the original index.js, and just

doing that gets the behavior we want. And folks at the back will not see anything, it's, it's proof that everything works. So yeah, if I, so if I go run this, you know, docker build, blah blah blah, and, uh, it's going to do all the steps, and I'll say docker run, and my, uh, Node.js app, all it outputs is 200, because if you, if you totally noticed in, in the example code, uh, all it's going to output is the, the status code of the response. But when we look at the, the version we modified, oh my God, look, we got to see all of the outbound stuff, uh, and, and then the, the response. You'll notice I

just trimmed this to 15 lines, so we didn't actually get everything, but, uh, mic drop, I'm done, thank you. Actually, I got to say, it was pretty exciting to get that working. Uh, cool, but, um, that's great, but, you know, when can I use this, or more importantly, when can I not use this? Uh, if you can't write to the file system, that's it. I mean, short of, like, somehow hooking into a running node process and, like, injecting your code and getting to re, yeah, that sounds like a nightmare. Basically you need to be able to write to the file system. Um, and then a big assumption here is that you can change those files, that

doesn't do nothing on its own, you need to get the node process that's running this internal service to restart. Um, and the big assumption I have, because this is how I've seen it done everywhere as a for engineer, is you have a governing process that says, oh, if this thing dies, just restart it, because the cost, in a high-availability scenario at least, of, like, tearing down and restarting a container, that's a lot of time you're not, you're not, uh, in operation. So very cheap to start, restart the process. But if that doesn't, if that's not around, uh, then you're going to have to start it again yourself, which may, may run you into trouble, or if

you're really unlucky, you kill the process and Kubernetes just says: you're done, great, I'll throw away your instance now. And then the non-trivial one is, you know, if you're going to go in blind to some, to do an exercise on some internal service, and it's in a language you don't know, in an ecosystem you're not familiar with, that's, that's kind of like, uh, yeah, a challenge in of itself. Cool, that's the end of attack path number one. Number two: let's go attack the binary, let's go attack node itself. Um, this is probably the most intimidating one. Uh, if you think it's intimidating to go browse, like, some, uh, moderately large sized, uh, internal service codebase, go, go

browse the entire codebase of node, right, there, there's a lot there. Um, not to say you can't do it, but, you know, you, you got to be, uh, got to be ready for that. So back to our example. Uh, we got the, the very straightforward, imagine something way more complicated is happening here, got our server.js, um, and what's really noteworthy here is when fetch, uh, does its work, it's going to call to some underpinnings of node library, I think like socket, um, TLS, something like that. Um, and then under the hood of that you kind of segue into, uh, the C code, uh, of node, where there's various layers, and then eventually it, uh, uses OpenSSL. Um, but the, so the OpenSSL that I mentioned before, you know, commonly reused like a Windows DLL, node doesn't do that, actually, it compiles it in, so it's part of your node executable. And I, my guess is that's really just so that people don't have a whole load of pain installing node, you just bring your

binary, you're good. Um, so what we're going to do then is, obviously, we're going to find out the responsible part of, like, the dependency. I see this is somewhere buried deep inside the specific node version. They have this function called, uh, ssl_write_internal, which is kind of awesome, because it means they've forced all of their interactions with OpenSSL to go through one function, which means, hey, we got a point to tap into, woohoo. Um, so my little cheat here is: let's just go add a couple of underscores in front of that. Ah, see, the function disappeared. And then let's go add our own, see, like, hey, we are the one true ssl_write_internal.

Um, and what's really interesting here is, basically, we, we have all of the data there, we, we got it, it's in the clear, woo, success, job done. Um, and then, then we can make sure the app still works by, you know, going on to call the real one true function. Um, and then we can do the same for the, the read flavor. Uh, if anyone knows a lot of C, they're probably looking at the slide going, that's not quite right. Um, I, I made it, like, simpler so that it fits the slide and I don't have to worry about it scrolling off to the right. Um, don't worry, the real proof of concept code works and is not a

lie. So the diff, pretty, you know, I'm going to call it straightforward. You know, in retrospect it's like, that's it? Ah, you know, that didn't take me hours. Um, it's really just, yeah, that same kind of like, yep, believe me, look, see, I changed this, I added that, added these underscores, added that function, it's all I needed. Um, and, and, uh, yeah, the, the Dockerfile for this is, you know, there's a lot going on here, and actually, so what is it? It's, you know, we're getting, uh, the no, a node Buster, um, Docker for doing our builds, we're updating everything, installing everything we need, um, grabbing the, uh, the, the particular node tar that I

previously downloaded, extracting it. This is the, this is the, the, right, here we go, great: we have our own modified ssl_lib.c, that's what I showed you a diff of in the previous slide, and now let's go build, make, and do all of that. And by the way, that's the bit that takes like 15 minutes, so every time you make a mistake here, you got another 15 minutes to wait before you find out if you're right. Um, and then, oh right, I did this awesome Docker thing where we can say FROM this AS build, so this whole Docker image has all the gubbins to get it built, and then I, I can just say, oh good, I'm going to

take this, this internal service in node, and I'm just going to copy this one file from this, this build Docker over there. That, that makes reproduction really, really nice. And again, people at the back, you got to trust me, this just works. See, look, see: small amount of output, large amount of [Laughter] [Applause] output. Um, still not so many conditions for this. You need to be able to write to the file system, got to modify that node binary, and some of you might think, well, that's game over, because that's somewhere that only, you know, users can read and execute, but only root can update, right? That's, that's not how it goes down normally. No, yeah, I see some head shaking in, yeah, no,

this is normally installed by the user that's actually running. Um, so generally this doesn't come with a condition for root. Uh, and then the biggest challenge is you, you, you know, if someone's like, hey, I got this thing in, I don't know, Lua, right, something crazy, crazy, I'm trolling someone in the audience, um, you, you're going to be like, great, what's Lua written in? Some, hope, hopefully not OCaml or something. Uh, now I got to know that codebase as well. Uh, yeah, although on the upside, you do that maybe once, you get figured out for node once, you can use it again and again. So still fairly light on the preconditions. All right, uh, shared

library attack path. This is probably the one with the most conceptual potential for confusion. Um, it's kind of relying on, on a bit of how, uh, the Linux operating system works, so if you're not immediately like, oh yeah, I totally get it, don't worry, everyone's been there. So this one needs a moderate amount of coding. It's really, really reusable, you could, I can, I could almost write a tool of, like, here's a shared library, I'll just go nuts, right, it's, you could use it everywhere. You might need root depending on the context, and if you want to know more about this, it's called the LD_PRELOAD trick. So as I said before, L, it's a Linux shared library,

kind of think of this as a Windows DLL. It's some really highly reused code that everyone uses, again, without, like, just bundling into the executable. So I wondered whether I should include this slide, because, uh, it was incredibly useful for me to kind of understand how this is all going, and then figure out what the actual, uh, SSL function is called, because I, I didn't know. Um, there's this awesome, uh, in, in Linux, LD_DEBUG, and you can say all, symbols, bind, various things, and then you run the command you're interested in, and then you can look for what you're interested in. So what's noteworthy here is if I run python to print "hi" on the screen, there

is no, uh, reference to OpenSSL, SSL happening. Um, whereas if I say, uh, hey, get me the requests library and let's go talk to our web page, um, then all of a sudden it's going: whoa, whoa, whoa, I need this SSL_read_ex function, is it here? No. There? No. There? No. There? Aha, I found it. Um, so another way of saying it is, is python is not, its ELF binary hasn't said I always use OpenSSL, or libssl in this case. Uh, it's, it's contextual, so as soon as you hit a code path that has to do some HTTPS, that's the moment you're going to, uh, look up the library, and, uh, the LD_

PRELOAD trick is the part where we get to go: no, no, no, no, we, we offer that, we offer that method, we're the, that, come to us. Um, so some Python code, uh, basically saying what I just said. Uh, if you say requests.post, you know, Python's going to use OpenSSL for that. Um, a lot of scary C code follows. Sorry, I, I, I got a bit lazy with the, the presentation, is not a slow reveal here. Uh, there's a whole bunch of includes you need, type, typedefs to say what this thing means. This is important: this is what shared libraries say, hey, I have an init function, like, before anything happens in

node, call me, call my init function, give me a chance to set everything up, I'm, I'm, I'm good, I'm a nice guy, honest. Um, and that's where you can say, I'm going to dynamically load libssl, OpenSSL, and I'm going to do a dynamic lookup for the real SSL_write_ex function and the real SSL read function. I'll keep those, and then, uh, I'm going to actually declare the real, totally legit, every time you, you do anything, any SSL_write_ex, you're going to see mine first, and when I get called, I'm going to call the underlying real one, and if it was successful, I'm going to print that out. And whenever you

read, I'm going to call the real thing, uh, and I'm going to print that out as well. And that, shockingly, is a really, really concise C program, and I, I didn't edit anything here, that's, that's all the code. Um, building it is, is not terrible. You want, like, a GCC-friendly, uh, Docker image for that. Um, there's some gubbins, I don't know, you need position-independent code, that's a thing with shared libraries, you know, you can't be relying on being loaded into memory at particular addresses, and you want to produce, uh, uh, a shared library, and so this .so prefix is convention for that. Um, and then, yeah, again, uh, using it is, is fairly straightforward. I use that

same builder pattern here, so I said, hey, copy from the, the builder that interceptor.so, that's the thing I need. Uh, and then you got two options. If you've got root, you can basically, uh, put the full path to this interceptor.so into this magic file name called /etc/ld.so.preload. Uh, any blue team folks in the room? Got not very many. Well done, or bad. Um, I, I'd suggest you watch for file changes on that file. Yeah? Oh right, what does that do, I'm sorry. Um, every time, uh, a new executable is being started up, it's going to look at the ELF binary to see what all the libraries it needs, and the very first library it's going to

load on that list is going to be these, whatever is in that file, in the order they're listed. So by being on the front of this file, you're ensuring you're the very first library that ever gets loaded, which means you can do anything. You, you override the entire file, you, yeah, that's, that's, in this, in this example the file didn't exist. Uh, good point, I would probably want to have a slightly more complicated command to put myself at the front, actually. Or you could just depend, like, chances of something ahead of you on that list going, no, no, no, no, no, I'm going to intercept OpenSSL, pretty unlikely. Generally this file doesn't exist, again, another hint for the blue

teamers with their detection rules here. So option number two, because you're not always going to have root, is, uh, you know, if you can modify the moment where this, uh, your, you know, your, your service is being launch, launched, um, you can, uh, use this LD_PRELOAD environment variable, again with the full path. There is a difference between these two, though. Any, any guesses? All right, everyone's too shy. Oh, guess, system, yes. Uh, this will affect everything, everything that's doing HTTPS on the system will go through your library, if it use, if it doesn't bundle OpenSSL with it, and this one will just be laser-focused on, uh, what, what your internal service is doing. So you might

have a preference for one or the other, but generally you're not, because you compromise a host doesn't mean you got root,

necessarily. Yeah, I got lazy with doing the little highlights, but you can guess at this point: lots of output, good thing. Oh yes, go ahead. Interesting attack on that might be to do the LD_PRELOAD, then unlink the file but keep it open, and see if the operating system keeps processing it even though it isn't there anymore. I didn't follow it. So I keep the file open, so as long as you, as long as you have the file open, the kernel knows that it's there, right, so, you know, if you delete it but keep my reference open, it's not fully deleted. Which file are we talking about? I'll repeat the question once I get it.

Okay, oh, so for evasion, rather than just append and move on, you could open the file, append, flush it, and maybe don't close it. Oh, sneaky, I hadn't been aware of that one. You put a bug in my brain, I'm going to try that now. Uh, again, you know, if you want to go try this for real, uh, follow the link. All right, so what are, what about the preconditions here? Again, we need write access to the file system. I don't have any examples that don't need write access to the file system. Uh, you're going to need either root privilege to modify that file in the /etc folder, or you're going to need to be able to control that LD_PRELOAD

file, um, environment variable, and then you're going to need to be able to kill the process and have it restart again, or kill the process and start it yourself without setting off any alarms. And you, you're going to need some C coding for that, but again, I mean, someone could almost write this tool and then, you know, open source it, and then you don't have to write it, very, very reusable. Okay, on to the last one. How are we doing for time? Oh, I'm actually a bit longer than previously, cool. Um, this one is the closest to a kind of, uh, you know, it's okay, you can leave, it's cool, I'm scaring them off. Transparent

proxies. Uh, yeah, um, this one's the closest to bring your tool. You, right, everything else has been like, do this coding, this is kind of bring your tool. Um, so very little coding, very reusable, but because you're bringing your own tool, and it kind of needs deep hooks into your operating system, chances are you're going to be too constrained to be able to use it. And I just love it because it's the classic person in the middle, uh, except with the surprise twist of it's got to be on the same host, um, and I don't think people are looking for that. Cool, um, so we've got, uh, the same old code as before. Again, uh, you know,

this requests library is going to do an HTTP POST, and, uh, yeah, that's going to go off and use OpenSSL, that directly connects to the internal service, external service. So here's the entirety of the coding. We have this intercept.py, which is a mitmproxy script. We got to import, the one-liner there, and define this response method, and basically, uh, the man-in-the-middle pro, person-in-the-middle proxy will do its work. At the end, before the client gets the response, you get the flow, when the flow includes the request and the response. You can log whatever you want, and incidentally you can actually change whatever you want too. Uh, that's not the scope of this exercise,

but good to know about. So that's it, we're done with coding. Uh, all we have to do now is get the damn thing set up, and I've got to say, doing this in, in do, in a Dockerfile, oh God, I was cursing, because I had this all working on my own machine. I was like, oh yeah, for the talk I'll just throw in a Dockerfile, and I'm up to 11:30 going: does it have to be this hard? Does it? So you got to get, you know, iptables, that's got to be installed. Uh, you're going to need, uh, Python and pip, pip is the package manager to install things, and, uh, I'm demonstrating this intercepts

everything, so I'm going to demo it with curl this time. Um, this is a quirk of this method: you've got to actually add a new user, and I'll explain why later, but if I assume, the Dockerfile assumes the identity with this user, and they put the intercept file there. Uh, you've got to then install, uh, mitmproxy. This is annoying: the latest version of mitmproxy is busted because it has some sort of transitive version problem, so that's why this specific version is specified. Um, cool, um, and then you've got this kind of chicken-and-egg problem, problem. You want to install the man-in-the-middle proxy, person-in-the-middle proxy needs

like a, a certificate authority certificate that you can go install and trust, but how do you get it before you've run it? So this is my hack: hey, let's just go run that thing real fast, and that'll create us a cert. Um, switch over to the root, grab this cert, um, stick it in a good location for that, uh, and then say to the operating system, hey, okay, update the CA certificates. So blue teamers are thinking: wow, I got all sorts of things I can detect, you know, it's like packages being installed, users being created, like processes being run, uh, certificates being updated. Yeah, this is like open season for detection, but do you have

those detections already? Maybe a purple team exercise would be a good idea. Cool, um, and then this is the, the more of the pain that I had. I actually, I want to do some privileged things now, like modify iptables, but I can't do that inside a Dockerfile, because you can't just say --privileged when you do a docker build, because that's not how that works. You have to install a build extension, and just, oh my God, pain. So I just moved it to this entrypoint shell, um, and that's going to do this magic. Oh my God, this is awesome. All right, I'm going to read this. So iptables, it's like a wrapper in

front of the netfilter kernel. You can say, okay, I'm going to do some NATting. Uh, it's for the TCP protocol, where the, the originator of this, uh, connection is not the mitmproxy user. That's an important detail, that's, that's why we created this user over here, where it's not this mitmproxy user, and you want to connect to 443, send it somewhere else. And what I love about this is nothing notices that this is happening. Like, from the client perspective, like any, anything talking to the outside world, when they get their socket back after they've connected, it's got all the met, metadata as though this thing didn't exist. Love it, love it. Um,

don't worry if, like, PREROUTING, REDIRECT, whatever, just like, what the hell is this, because that's okay. Um, and then, uh, we actually need to be this mitmproxy user. Uh, this is just logging in and then saying, hey, the, the, uh, mitm, mitmdump, which is like the headless version of mitmproxy, uh, let's go run that in transparent mode, and here's my script to go run. And that is all you need, except you actually also need to go exercise it. Did it work? If I call example.com and I post super sensitive data and I suppress my output, what do I get? Clearly complete success, look, [Music] [Applause] output. All right, um, so, oh my God, a boatload of

prerequisites you you need write access to the file system who doesn't uh you need python python pip and to install mitmproxy you need iptables to add prerouting rules you need root privilege you got to create a user you need to install a CA certificate you need the netfilter kernel to be around you need CAP_NET_ADMIN so uh in Docker parlance you basically need --privileged to your run um and you you need a you know small amount of python uh scripting skills although ChatGPT is probably going to be fine hey who doesn't no shame no shame cool um Q&A break I I'm going to take a complete tangent onto the blue

side and uh feedback I got was here's a good moment to take a pause and see if there are any questions good for well it doesn't necessarily have to be used by an attacker um I use proxy security reviews when I have a piece of software that is basically a black box and understand what's doing like who who talking toing yeah so a member of the audience said mitmproxy is amazing you should use it for everything especially pen testing and security reviews and I concur it is just great if anyone uses Burp Suite and you're kind of stuck in like clicking and yeah no just use mitmproxy it's amazing uh if you're comfortable writing

python uh then yes definitely use mitmproxy I think I saw a hand yeah m

i okay the question is mitmproxy is a whole load of preconditions how about you um have you considered definitely have you considered modifying environment variables so things just use proxies no I hadn't thought of that at all that would be

awesome

Mike Mike is saying it works totally although Dockerfile or it didn't happen just going to say you know yeah no actually I'd love to see that I'm personally super curious there if you can shoot me that yeah I will use that if that works great but Dockerfile or it didn't happen so all right if you're feeling like I might want to raise my hand but should I yes all right I'm I'm going to move on and you know if you're if you're like oh you oh

question why are we using Dockerfiles it's because I have a Dockerfile fetish no no no it's because no actually if I have a fetish it's for like making the work that I do be reproducible by other people so it's not just complete I I want to be able to see someone else's work and go how do I know this works show me and they go oh here's a Dockerfile that shows me it works great now I'll pay attention uh and so that's

why no although if you did get that CI/CD access maybe you want to add a few commands to that Dockerfile but no no it's just purely for reproducibility it's purely for for you to y'all to go okay this is working I believe it yeah no uh you know where the Dockerfile is saying hey copy from here to here that's you know you're going to be in a shell somewhere going copy this file you know or curl and output it to this location all right and time oo moving on a little bit all right cool Midjourney love anybody I said proudly defending against cyber security attacks blue My Little Pony all right so uh preventions this

just one slide ready okay so you got a lot of options like a read-only file system done uh anyone thought at work this was a great idea and a team should just go do that cool how did that go it went just great I didn't I haven't got that to happen yet um if you no wait actually if you got a brand new thing spinning up and you go to security review and you're like let's start with a read-only file system yeah that might work something that already exists forget about it um this one is probably the easiest kind of almost a read-only file system like what if you know the node binary is just read

and executable and it's owned by a user you don't have access to and you don't have root on the system hopefully that's pretty good it's pretty good um so I assert you can get a long way with this um and then you know other practices like if you're going to install your own node have you know have that not be owned by the user that's running the service um generally not having a root user uh like who's how many times do you see an engineer like shipping something they have a Dockerfile and it says there's a line in it says user and then some not root name I actually haven't seen it like everybody just runs their

services as root like oh please you're making it too easy make it harder just say user not root success um but actually this this you know blocks maybe just one of these techniques but it makes it hard right you want to you know defense in depth right mhm I hear that's a good thing um and then you know please just don't run privileged Docker containers any any one seen a privileged Docker container at work running actually in the wild do you get that do you manage to get that privilege taken away you did well done um and again something you can do from the get-go really hard to do later is hey let's just use Alpine let's

use some really slim OS and add the things you need let's not leave GCC lying around you're right oh or just just go distroless like what about a single golang binary and that's it right again you can't can't come to a project that exists already oh go ahead um I don't know if this is like an appropriate time to add this uh I work on re system stuff uh if I have R in a normal system you can still remount right REM it and if I can't remount it I can buy over historically I have worked on a system where we that code out of the system we were compiling everything from scratch and we said can't do that we

that code out great I want to repeat the question and it's like so what if you have this read-only file system because what if I unmount it and remount it well crap um um depending on the environment like uh I think Kubernetes makes this really easy to do uh there's uh was it Linux security module something something Stardust go go Google it um that will do this for you uh actually I've experienced this myself I've you know off hours bug mounting yay I've got root oh why can't I see proc why can't I mount my own things ah damn it they've locked it down um yeah I mean actually a tip for that in general without going too long

hopefully is uh you go pretend you're a hacker who's broken into one of your containers just go run one of those ene for all the things scripts that you can find um and follow you know anything that's in red or like highlighted and what is it brown with white letters or something saying it's basically saying this is the thing to look at go go check that out see if you're missing something and in case you all are thinking why didn't you stop anyone from breaking into this host in the first place or stopping getting the data out is like you're yes you're already working on that but not in this talk okay last slide of any material

content and 15 minutes to go we got this actually five minutes too we don't got this so detections um and the reason this has a purple pony because you know you don't tend to get the detections detections is a blue team thing right right but um you tend to get to that level of maturity once you're starting to do this purple teaming once you got the adversarial mindset working with the defensive mindset that's when you're all like we need detections don't we right okay so you got a lot of options and the downside is there's tuning required and maybe the other downside is do we need a team now to go listen to this stuff okay um this is not my forte

so a lot of this is keywords I have from friends um file integrity monitoring it's kind of like am I going to notice a file changed uh binary file attestation is going to like get half of these is like hey this node process what's the hash I'm expecting to F hey it's different stop it or um maybe something like Falco where you can say yeah you know there's some really important commands no one should be running on this host um and why can't you just remove them but anyway there's a really important commands no one should be running uh and let's go uh alert on those uh and that's going to detect everything asterisk um and then like process

monitoring like and then maybe I guess I should add to this list intrusion detection for all the things like creating users and installing certificates and various things like that I had in mind some cool tools that people use for this like Falco no falling out of my brain come talk to me if you need them all right so what did we cover well we covered things with awesome names uh interpreted code attack path so like this is lots lots of coding uh but is like the most flexible uh you've got the uh language binary attack path which is frankly you you you want to tap the shoulder for your software engineering friend to do this

because it's it's not light amounts of work um a shared Library attack path you know let's leverage that awesomeness of uh preloading libraries in in Linux there's a moderate amount of coding but once you have it you can use it again and again you might need root depending on your circumstance uh transparent proxy is awesome and you should use it try it out just cuz how fun it is um very little coding very usable oh my God like why didn't I just do what Micah said and and it just set the proxy as an environment variable um and then for preventions and detections you got lots of options um my God if you can just lock down rights to

files you can walk away at least for the examples that I've shown um and all of your detections you're going to need some tuning and that's all I wrote Q&A slide mitmproxy how does it deal with HSTS um I think that's not a problem at all it's not pinning to a particular certificate it's just saying this site can only be visited uh when it's uh I think well gole I can oh I use Firefox so you know I don't know good point anyway I'm not sure if I repeated the question but what about HSTS which is that header which is saying hey only HTTPS please for this um for this site I have not run into any problems at all

with mitmproxy and doing that I'll have to play with it uh lesser proxies will generate uh like fail certificate errors and so I've been kind of exploring what works what doesn't and what's the difference between my enterprise web filter that's transparent and I can go to SourceForge but then I use my little hom World python one and I can't and the browser throws a fit and you know so so if I want to summarize um give me tell me if I got it's wrong because not everyone can hear you right um like how well does mitmproxy handle all the things that I've seen go wrong um I've not had any problems at all is

my short answer uh it's got a lot of active development it's not like some stagnant thing uh yeah uh if you wanted to contact me there's an email address if you can parse out what these words mean um and if you got an idea like hey why don't you just use the environment variables for proxying yeah I want to know about that um and if you're like well that's cool what else is there um I've created a throwaway Alias for this talk uh um come talk to me in person if you want some other related material all righty thanks very thanks folks [Music]