
Good afternoon everyone, and welcome to BSides Las Vegas, Siena track. This talk is about, one second, how to prioritize red team findings, presenting CRTFSS, Common Red Team Findings Score, version one. It is given by Mr. GMO, who is one of the red team leads at one of the biggest cyber security insurance companies here in the US, and he has over 10 years of experience in the field. Before we begin I have a few announcements to make. We would first like to thank our sponsors, especially our Diamond sponsor Adobe and our Gold sponsors Toyota, Prisma Cloud, Semgrep, Blue Card, Press Track, just to name a few, for their support, along with our other sponsors, donors and volunteers who make this possible. We have a few policies here, and one of them is about cell phones: these talks are being streamed live, except in Underground, and as a courtesy to our speakers and audience we ask that you check your phone and make sure it is in silent mode, please. We have a mic in the middle of the room; if you have questions you can use it. We also have a photo policy here: the BSides Las Vegas photo policy prohibits taking pictures without explicit permission from anybody in the frame, so please make sure you have permission before taking a picture that contains someone. That being said, welcome GMO,
and thank you for coming to BSides Las Vegas, Siena.

Hi, can you hear me okay? Okay. Thank you for attending the official presentation of CRTFSS, or Common Red Team Findings Security Score System. So you can take pictures of me, don't worry. Near the mic, okay, I will need to be a little bit closer to the mic. Anyway, before starting I want to mention that this project is licensed under Apache 2. The data set that I am using on the CRTFSS website comes from MITRE Engenuity, from their project Top ATT&CK Techniques, also licensed under Apache 2, and I'm using MITRE ATT&CK for this project, so we need to include their license.

Okay, so let's start. In this 20-minute talk we will go over what the current problem with prioritizing red team findings is, the current efforts, and CRTFSS as a solution to this problem. I will present this new methodology and its process, and to finalize I will share with you a use case on how to use this methodology to prioritize your red team findings, as well as how to use the CRTFSS site.

So I am a red team lead in one of the biggest insurance companies in the USA. I have almost 12 years of working in only offensive security roles. This is my second time speaking at BSides Las Vegas, and I have also participated in BSides Manchester, Hackfest Canada and DEF CON. Also, I will be giving a workshop on this methodology this year in the Red Team Village. I'm a member of the staff of BSides Mexico City.

So the current problem is that after running many assessments, a team generates a lot of findings. Defenders struggle to keep up with their remediations, and it takes time to create use cases or develop new detections for each one of the red team findings. Also, organizations cannot fully defend against all the MITRE ATT&CK techniques, and organizations also need a system or directive to help them prioritize their findings; they have so many of them that they need to optimally assign resources and focus on the critical ones. Did you know that more or less
500 techniques and sub-techniques are documented in the MITRE ATT&CK knowledge base? This task then becomes overwhelming, so as an organization, where do I start?

I was looking for a solution and I couldn't find anything similar. There are some efforts like the AttackIQ methodology, but the problem is that it is based on CVSS to assign a numeric value to a finding, and not all the red team findings are based on a vulnerability or have an associated CVE, so you can't use that methodology for all your red team findings. Also, there is a fantastic project called MITRE Top ATT&CK Techniques, but the problem is that they only aim to prioritize the most relevant TTPs; still, that project will not help you to prioritize your red team findings.

So I created CRTFSS. My solution is a methodology to prioritize red team findings using adversary behaviors observed in real-world threat intelligence sightings and mapped to MITRE ATT&CK, based on the most frequent TTPs, that scores each finding based on the complexity of the remediation and the exploitability. And this is the formula behind the methodology: the TTP frequency is how often threat actors use a specific TTP during a time frame, based on real-world sightings; exploitability refers to the technical requirement level an attacker needs to perform that TTP successfully; and complexity refers to the difficulty of remediating the red team finding or generating detections for it.

Here you will find the guidelines to run this methodology successfully. First, all red team findings are critical, but if everything is a priority, nothing is. This methodology is threat intelligence source agnostic; currently I am using the Top ATT&CK Techniques data set to obtain that information, but you can use an open source, paid or any private shared intelligence source to get more relevant TTPs for your environment or your industry. The TTP trends need to be based on real-world sightings, and also the TTP trends could be based on monthly, quarterly or yearly sightings. And if there is a red team finding, the finding was already tested and it is an actual finding, not a theoretical one. And
the methodology is not meant to categorize ethical hacker or pentest findings; there are a lot of methodologies to organize them. And finally, this methodology doesn't calculate security risks.

So the following bullets represent the CRTFSS process. The first step is to understand the top TTPs that threat actors are currently using and that are trending. This information can be obtained from various sources such as industry reports or even security blogs. As I mentioned, you can use open source or paid tailored intelligence feeds to have the most used TTPs by attackers in a specific industry or region. Once you have a comprehensive threat intelligence report, you need to analyze the data and count how many times the same TTP ATT&CK ID is present, and weight each one by its prevalence. And as I mentioned, this project uses MITRE Top ATT&CK Techniques, which has an extensive database with the most commonly observed adversary activity provided by their sighting contributors and a comprehensive methodology to prioritize the TTPs, but you can use any threat intel source with this methodology. Then you need to map each red team finding that you have to its corresponding MITRE ATT&CK ID. After that, you need to evaluate the exploitability and complexity, and with those values calculate the severity for each one. Then prioritize your findings based on their severity. It is important to mention that for all the purple ones you can use the CRTFSS website, so don't worry, I'll explain to you later how to use it.

Okay, in these graphs you will find the values for each one of the elements of the formula. The TTP frequency goes from the least present to the most present TTP in the real-world sightings. The exploitability goes from the ability to successfully exploit the TTP using a zero-day exploit in the wild or a private PoC, to a TTP that you can run using various open source tools or frameworks. And the remediation is how easy or difficult it is for the blue team to remediate the red team finding, implement a security control or generate detections for it. And after running the calculations you will obtain a value which is the severity, and using this table you will obtain the score based on the severity of the red team findings. So in the following slides I will show you how to implement this
methodology. Okay, there we go. So Metaphysics Company contracted the services of Shiv Consultants, a very important firm, experts since yesterday. Shiv Consultants performed a red team assessment simulating an outsider threat using real-world adversary techniques, and the goals for the red team assessment were: finding an entry point from the outside and getting a foothold inside the network, moving around with [unclear] techniques, identifying critical data during their operations, and finally exfiltrating the critical data. Shiv Consultants successfully finished the assessment. During their actions they performed a successful phishing campaign targeting the HR department; after that they installed a keylogger on the compromised endpoints; with the information obtained they dumped the credential store from LSASS using Mimikatz and used the credentials to move laterally; later they identified hosts with critical information and they used Dropbox to exfiltrate the critical data. The problem is that Shiv Consultants didn't prioritize the red team findings, so Metaphysics Company doesn't know where to start.

So Metaphysics Company took the report and mapped each one of the findings to the corresponding MITRE ATT&CK ID, and Metaphysics uses the CRTFSS site to calculate the severity of each one of the MITRE ATT&CK IDs based on their organization and their environment. Metaphysics Company took each one of the MITRE ATT&CK IDs that they mapped and searched them in the TTP frequency score search tool to obtain the TTP frequency, determined the exploitability and complexity, and calculated the CRTFSS score using the calculator. And this is how it looks, each one of the MITRE ATT&CK IDs and the results on the calculator. And I want to show you very fast how it looks, the CRTFSS site. Well, it is tiny. There you go. So here you have the searcher, so you can search... oh, I don't have
internet. There we go, there we go, we're back. So you can search each one of the TTPs that you mapped for each one of your red team findings and you will obtain the TTP frequency. So this value you can put in the calculator here, and then with the tables that I showed you two minutes ago you can calculate the exploitability and the complexity, and you will obtain the CRTFSS score. And this website is fully available right now, so you can use this method as of today. And we will go back to our presentation. There we go.

So to finalize, Metaphysics moved from the Shiv Consultants report to this nice table, and Metaphysics started addressing the most critical findings earlier based on their CRTFSS score. So CRTFSS is a methodology that will help you to prioritize red team findings according to their severity based on real-world threat intelligence sightings; you can effectively allocate your resources and enhance your defense against sophisticated attacks. And there are some takeaways that you need to take into consideration to run this methodology: you need to use real-world threat intelligence, and sometimes you will have multiple findings based on the same ATT&CK ID, and that's okay; there are many ways to execute the same TTP, and your security tools need to be ready. And if you are interested you can check SpecterOps' perspective on the depth and breadth of how to approach TTPs: there is no one-size-fits-all detection solution for a singular MITRE ATT&CK ID. And in the future I will focus on refining the CRTFSS scoring system to represent the value more accurately. I will continue enhancing and adapting this methodology to ensure that it will effectively address the evolving cyber security challenges, and I will do some improvements to the website and I will include a friendly user guide to use this methodology efficiently.

So we have reached the end of my talk. If you want to share ideas or have questions or suggestions, here you will find my Twitter/X. And also I want to give a shout out to MITRE Engenuity, since I am using their TTP data set on my website; also Chpe, who helped me to build the website and is helping me with the future changes; and Bleet Do, who helped me with the Shiv Consultants art; ChatGPT; and of course all the 19 Floors team for the inspiration. Thank you again and I'll see you. [Applause]

Thank you, Mr. GMO. If anybody has a question, please feel free to come here and ask your question. Thank
you. So from what it looks like, you mentioned that sort of this is unique to each organization and their ability to identify the risk score for their organization-specific infrastructure. Is there any potential for future work for this tool or this website to assist companies in developing the risk score for their organization, or identifying their weak points with vulnerabilities?

Well, this methodology is meant to categorize red team findings, so any sources can use the methodology: a red team, an internal red team and a consultant red team, or also internal cyber security teams can use the methodology to translate the reports that they have from external providers to allocate their resources for each one of the red team findings. Any other question?

All right, thank you Mr. GMO. And just for a quick notice, we will have the next talk: Social Engineering: Training the Human Firewall. Thank you, thank you so much for his time.
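The talk describes the CRTFSS process (count TTP sightings in a threat intel feed, map each red team finding to an ATT&CK ID, rate exploitability and remediation complexity, combine into a severity, rank) but the slide tables and the exact formula are not in the transcript. What follows is an added, runnable sketch of that process in Python; it is not the speaker's code and not the CRTFSS site's code. The sighting feed, the ATT&CK mappings for the Metaphysics use case, the 1-5 scales, the product formula and the severity bands are all constructed assumptions for illustration, and should be replaced with the tables from the talk's slides or your own intel source.

```python
"""Added worked example of the CRTFSS process (not the talk's or the site's code).

Steps, as the talk lays them out:
  1. count how often each ATT&CK ID appears in a threat-intel sighting feed
     and turn that into a TTP frequency score (least present -> most present)
  2. map each red team finding to its ATT&CK ID
  3. rate exploitability and remediation complexity
  4. combine into a severity, label it, and rank the findings

ASSUMPTIONS: 1-5 scales for all three factors, severity as their product,
and the severity bands in score_label() are illustrative choices, not the
values on the speaker's slides.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sighting feed: one entry per observed use of a technique in a
# report. In practice this comes from your CTI source (the talk uses the
# MITRE Engenuity Top ATT&CK Techniques data set).
SIGHTINGS = [
    "T1566", "T1566", "T1566", "T1566", "T1566", "T1566",   # phishing
    "T1003.001", "T1003.001", "T1003.001", "T1003.001",     # LSASS memory
    "T1021.002", "T1021.002", "T1021.002",                  # SMB / admin shares
    "T1567.002", "T1567.002",                               # exfil to cloud storage
    "T1056.001",                                            # keylogging
]


def ttp_frequency(sightings, buckets=5):
    """Scale raw sighting counts onto 1..buckets.

    1 = least-present TTP in the feed, `buckets` = most-present, matching the
    talk's "from the least present to the most present TTP" axis.
    """
    counts = Counter(sightings)
    lo, hi = min(counts.values()), max(counts.values())
    if hi == lo:                      # every TTP seen equally often
        return {ttp: buckets for ttp in counts}
    return {ttp: 1 + round((n - lo) * (buckets - 1) / (hi - lo))
            for ttp, n in counts.items()}


@dataclass
class Finding:
    title: str
    attack_id: str
    # 1 = needs a zero-day / private PoC ... 5 = runnable with public tooling
    exploitability: int
    # 1 = trivial for the blue team to remediate or detect ... 5 = hard
    complexity: int


def severity(freq, exploitability, complexity):
    """Assumed combination: product of the three 1..5 factors (range 1..125)."""
    return freq * exploitability * complexity


def score_label(sev):
    """Assumed severity bands; the talk's own table is on the slides."""
    if sev >= 64:
        return "Critical"
    if sev >= 27:
        return "High"
    if sev >= 8:
        return "Medium"
    return "Low"


def prioritize(findings, freq_scores):
    """Return (severity, label, finding) tuples, most severe first.

    A finding whose ATT&CK ID never appears in the feed gets frequency 1: it
    is still a real, tested finding (a CRTFSS guideline), just not trending.
    """
    rows = []
    for f in findings:
        sev = severity(freq_scores.get(f.attack_id, 1), f.exploitability, f.complexity)
        rows.append((sev, score_label(sev), f))
    rows.sort(key=lambda r: r[0], reverse=True)
    return rows


# The Metaphysics Company use case from the talk, with assumed ATT&CK
# mappings and assumed exploitability / complexity ratings.
FINDINGS = [
    Finding("Phishing campaign against HR", "T1566", exploitability=5, complexity=3),
    Finding("Keylogger on compromised endpoints", "T1056.001", exploitability=4, complexity=2),
    Finding("LSASS credential dump", "T1003.001", exploitability=5, complexity=3),
    Finding("Lateral movement with dumped credentials", "T1021.002", exploitability=4, complexity=4),
    Finding("Exfiltration via Dropbox", "T1567.002", exploitability=5, complexity=2),
]

if __name__ == "__main__":
    for sev, label, f in prioritize(FINDINGS, ttp_frequency(SIGHTINGS)):
        print(f"{sev:3d} {label:8s} {f.attack_id:10s} {f.title}")
```

Two findings can share an ATT&CK ID and will simply be scored and ranked separately, which is the takeaway the speaker makes about multiple findings per technique. Swapping `SIGHTINGS` for a monthly, quarterly or yearly slice of your own feed changes only the frequency factor, which is what makes the approach intel-source agnostic.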