
Thank you very much everyone for coming through. So today I'm going to be running through my presentation, "Turning to the Dark Side", so basically utilizing offensive techniques in incident response. So let's start off with a scenario: you're faced with a ransomware attack, the device is fully encrypted, leading to hardware failure and complete loss of data, no network logging due to the limited device storage, and no remote logging or alerting on the system. How do you deal with this scenario? That's what we're here to talk about.

So first of all, my name is Ren, I work for Solid Security over in London, been there for about three years. I studied computer networking and I got into cyber security just due to the fact that every day is interesting, there's always a new kind of cat and mouse game. So that's just my interest, and I've been happy in it and hopefully will spend my lifetime in it.

So today's agenda and what we're going to be talking about: some context in regards to incident response, red team and blue team, so cyber security 101; go through some techniques we make use of in incident response, external scanning and a few other techniques, or other scenarios I've been faced with; and we'll have time for questions at the end. Perfect. So time for a bit of context: digital forensics versus
incident response, just because people often confuse the two. So in terms of digital forensics you're usually leaning towards an over-collection of data, whereas in incident response the collection of data is based on evidence-based reasoning, so we wouldn't just collect data for the sake of collecting it. In digital forensics we've got longer time constraints to provide answers, whereas in incident response, as I hope many people here have experienced, as soon as you get the data they're expecting answers as soon as possible, so you're having to feed them answers with the little time that you do have. In digital forensics as well, investigations are expected to turn over every stone, whereas in incident response you kind of have the opportunity to freestyle and make it unique, because you're just trying to get on as soon as possible. And lastly, in regards to digital forensics, the reporting is very much based for litigation purposes, so you're going to go to court, it needs to be evidence-proof and foolproof, so you don't have the opportunity to make a mistake at all. The main thing is, with incident response you're able to focus on the most likely scenario rather than a 100% foolproof evidence-based judgment.

In terms of blue team versus red team, again people kind of make it seem like it's two different sides, but I see it as two sides of the same coin, or two sides of a coin, we would say. They make it seem that they're usually opposing each other. So on the red team side they're usually using the techniques and trying to see how to get into systems, kind of the ethical hackers we'll say, whereas the blue team are usually on a defence approach, so we would obviously want to make things more secure for the environment. But at the end of the day both of us are working to ensure that an
organization's security is improved and it's much better for the future.

I just want to run through a quick theory, Occam's razor, which would help in understanding this whole scenario. So the theory is: if you have two competing ideas explaining the same phenomenon, you should prefer the simpler one. Taking that into two different contexts: a general context would be, if you see a tree knocked down, you can say maybe a meteorite has knocked it down and that's the reason why the tree is down; the other scenario, and most likely, is that the wind just blew it and that's why the tree got knocked down. In incident response, another example of this could be: you're faced with an incident where a device was compromised, and then the three points would be, the RDP port is exposed, the threat actor is known to usually target devices with RDP exposed to the internet, and the last one would be that RDP had been exposed to the internet at the time. So it's most likely the threat actor that's known for the MO of targeting a device with RDP connected, to gain access to that device through the exposed RDP.

So I'm going to run through some scenarios here. Sorry,
so the scenario is, we're faced with an incident where there's reconnaissance and scanning. So this is going to be the context, and I'll give you an example where we actually used the techniques in a real-life scenario. So: gathering a list of external IP addresses on the network, utilizing open source intelligence, paint the picture of open ports and network services, and review the available data for any clear openings, and potentially an RDP port. So in the actual example I've been faced with in this... wow, the colour is not great there. So the example of this was, we've had a web server that was compromised which was running a MongoDB service within it. All the data had been wiped out, the server had been configured with minimal logging, and utilizing Shodan in this instance we were able to identify that the web server had been exposed to the internet at the time. The reason for that was the IT guy had wanted to gain access to it remotely from home, and the service made use of the default username and password. So despite the lack of evidence that we had, with the minimal logging, we were able to get confirmation, or point to the most likely scenario, being the fact that RDP on the device was connected to the internet and the threat actor was able to bypass, or gain access to, the device due to that weak username and password at the time.

Another scenario I could run through quickly is where the password and the name of the account had been leaked on a website. We'd done a full scan and pulled the emails and passwords for the AD users at the time, and enriched that root cause through techniques using leaked data. So the scenario we were faced with here was an M365 account which had MFA that had been compromised. The log data confirmed a successful IMAP login, no evidence of the phishing email or credential harvesting had been found within the device, and the leaked data research identified the compromised user's password and email on the dark web. So in that instance we spoke to the user and found out that the user was still using that password for that username, and it's most likely the threat actor had made use of that leaked password, which provided the way in, especially with IMAP as well, which unfortunately doesn't provide additional security: even though you have MFA configured, you're able to bypass that just due to it being a legacy protocol, if you don't know.

The final example as well that I'm going to run through is, the
context of it is, we dumped the hashed passwords from the NTDS.dit file from the domain controllers, performed Active Directory mapping with security tooling such as ADRecon and BloodHound, and identified the weak accounts within there that could be easily compromised, along with the fact that the threat actor was able to map out the network and get an idea of where to get to, so most likely the DC that they'll be targeting in that instance. So an example of this we had was, the RDS server had been compromised due to the printer service being exposed to the internet. There was no clear link between that RDS server and the printer due to the virtual machine encryption. We created a custom password list using leaked data and keywords and then cracked that password for the printer account, which had used the company's name and which had been reused in higher-level accounts previously. Further to that, the AD mapping showed that the printer account had RDP access, and from there we were able to see that the threat actor could easily map out the network and gain access to the domain controller from the printer server that had been exposed to the internet. So again in this instance, minimal data logging, and from there we had to make use of offensive techniques to make sense of how the threat actor could have got access into those particular devices within the account.

So again, with all of those points, I hope you can see where Occam's razor links in: we have minimal logging, we have to use the red teaming skills to gain an idea of how it's possible that those accounts were compromised and the threat actor could get into the main areas. So again, I posed this question to you at the start of this talk: you're faced with a ransomware attack, it's full device encryption leading to hardware failure and complete data loss, network logging is limited due to the device storage, and no remote logging or alert systems are available. Hopefully, if you have more ideas on how you could
deal with this than you did at the start of the presentation, then hopefully this presentation has been useful to all of you. Again, does anyone have any questions on there?

Well, thanks Archie for a great talk. Yeah, any questions? Great, round of applause. Thank you. Oh, hello... oh wait, sorry, question there. We'll do applause after.

Did you ever find out how the leaked credentials, I think like the second one, yeah, actually ended up on wherever it was you found them, or was that completely out of the scope of what you had to do for the job?

So with ourselves, we can see where it has been uploaded, so again sometimes you see it on Telegram chats, sometimes you see it on specific dark web sites that are associated with a threat actor. In this case we don't really look into how that had happened. Again, it could be someone entering their work email and password, using it for LinkedIn or using it for shopping, and it could have been compromised in that sense. So we don't really go too deep into that; it's there, and we take it as that.

Thank you very much for the presentation. So you used several scenarios here, one is from the server side, then the email, then the last one which is the Active Directory, as a starter, right. What would be your advisory when it comes to the blue side of things, which is the defensive side? What would be your advice? Because you've mentioned RDP, so apart from RDP what other mitigation do you think needs to be in place when it comes to a web server, considering that that web server needs to be public facing, right? Yeah, but there needs to be a control in place, so what would be your advice when it comes to that server side of things? Exactly, that's good. Then when it comes to Active Directory, yes, you know, spot on, yeah, but what are the controls, you know, let's say for a starter, they need to have in place, considering that they don't know what they need to do, you know? And you also talked about the red team: if someone is a red teamer, what are the things they need to consider when it comes to breaking that kill chain?

No, perfect, that's a very good question. So with that, again, there's many different mitigation techniques, or different mitigation things that they could do to harden security on those devices. First and foremost is make sure you're up to date with security patching; often people leave that out and the device becomes vulnerable, and it's easy for threat actors to compromise that device at the time. Another area is, rather than using RDP, maybe making use of a VPN service or something of that nature with MFA in place, to prevent it just being easily connected to, and what is web facing. Another mitigation technique could be ensuring that it's locked down and segregated from the network a bit better. So there's a few techniques there, and it's just again dependent on the scenario, and again a lot of businesses will find a reason for why they're exposing it, so you always need to make sure that if you're doing something you're justifying it properly within the organization, not just doing it for the sake of it being easier. Well, great question.

Great, thanks again Archie, I think that's all the questions we've got time for, so a big round of applause please.

I'm going to say as well, again, I know it's very daunting to probably ask questions here, but if you do have any questions later on in the future, please feel free to get in contact with me on LinkedIn and I'll always be happy to answer any questions. Thank you.