
PG - Intel-Driven Adversary Simulation for A Holistic Approach to Cybersecurity

BSides Las Vegas | 22:32 | 185 views | Published 2024-09
About this talk
Proving Ground, Wed, Aug 7, 17:30 - 17:55 CDT

Our presentation covers the use of an intelligence-driven adversary simulation approach as a pivotal tool for identifying and addressing the actual cybersecurity risks organizations face. The methodology integrates best-practice frameworks, merging threat intelligence with adversary simulation techniques to form a comprehensive risk management strategy. Key aspects of the presentation include the importance of cross-functional team integration, the central role of threat intelligence in formulating security strategies, and practical insights derived from real-world application. Targeted at the full spectrum of the security workforce, including Chief Information Security Officers (CISOs), managers, and analysts, the presentation is designed to impart actionable knowledge that enhances the cybersecurity posture and strategic decision-making capabilities of organizations.

People: Carlos Gonçalves
Transcript [en]

Good afternoon everyone, thank you for being here today. My name is Carlos Gonçalves, I'm the CTI leader at Banco do Brasil, and I am excited to share with you our journey and some insights on how we're doing intelligence-based purple teaming, and we'll explore how integrating threat intel with purple teaming has significantly enhanced our security posture. First, some information about myself. Here is another picture of me from back then; those were good times, no white hair yet. So who am I? I graduated in physics, I have a postgraduate degree and an MBA, and I've been working in infosec for the last 12 years at Banco do Brasil. I managed the incident response team and then established the first red team at the bank, and right now I'm responsible for leading the CTI team at Banco do Brasil.

I say Banco do Brasil; who is Banco do Brasil? It's Brazil's oldest and largest public bank. We have a worldwide presence, operating in 92 countries. We have 83 million clients, out of which 28 and a half million are active, and 93% of transactions are occurring through digital channels. We have 110,000 internal users. And to clarify a common misconception: in Brazil we speak Portuguese.

Okay, and how are we doing threat intel? We are using the MISP platform to facilitate threat intel sharing; we are connected with more than 4,000 entities in our threat sharing network. We have a CTI platform, it's OpenCTI; it serves as a central repository for ingesting data from a variety of sources, including threat feeds, open source intelligence, and the incident response efforts from the bank, and this platform allows us to correlate several data entities and map the techniques used by attackers. It gives us a comprehensive overview of the threat landscape. And to tell you a bit more about the data flow of the threat intel process: at the head of our operations there is the platform I mentioned, OpenCTI. It integrates data from all these sources: the threat sharing network, open feeds, sandbox analyses, and several databases such as VirusTotal, MITRE ATT&CK, CVE, etc. This data goes to our threat intel team, which uses the platform to analyze this vast amount of information and turn it into actionable insights. With this they're able to identify IOCs, compile threat reports, monitor the attack surface, and extract the top techniques that are being used or that will be used against the bank, so they will be used on our purple teaming campaigns. And during these campaigns we use another tool, it's called VECTR; we are using it as the purple team campaign management.

So to give you an example, let's analyze a ransomware, WastedLocker. This ransomware was used in a simulation campaign. So this is a bit on how we use OpenCTI, the platform, to visualize and manage intelligence about specific threats. We have a comprehensive overview of the malware; all the data sources that we are ingesting are correlated to provide a high-level description. We can apply labels, visualize everything related to that entity such as IOCs, the latest reports, which groups are using this malware, the attack techniques that are used to employ this malware, etc. And when you put it on a bigger view, this is how we are analyzing all this information. So this visualization represents how we are connecting the dots across several reports to form a comprehensive overview of a threat. Each node here represents an entity within the platform, such as reports, IOCs, techniques. To give a better view: right there is the malware, and each purple node here is a report on that malware, and they are all related. All these yellow nodes are the known indicators, the IOCs, but for the campaign we don't actually care about the IOCs; what we care about are these nodes in green. These are the techniques that are used when employing this malware.

And when we take these techniques and put them against the MITRE ATT&CK matrix, we get, for WastedLocker, 23 techniques. But for the simulation we don't necessarily simulate all of these 23 techniques, because no one has all these resources, and that's why the threat intel team evaluates which techniques should be prioritized to be simulated. So right here, for that specific malware, these were the five techniques that the threat intel team evaluated as the most important for the bank. Let me... I can't find my cursor. So anyhow, how are we doing this prioritization? We are using a framework called Top ATT&CK Techniques by the MITRE Engenuity project. This methodology has three points: prevalence, choke point and actionability. Prevalence simply tells how much a specific technique is being seen across several attacks. Choke point is a measurement of specific techniques that will be useful to focus on in a specific attack, like process injection: when you analyze an attack chain we can see that in many attacks there are several techniques that are used before calling process injection, many techniques go to process injection as the next step, and after process injection they go to several other techniques. So instead of focusing on all these techniques around process injection, if we focus on that specific technique that is a choke point, we might have a better chance to stop the full attack. And the last one is actionability; it is a measure of what I can do against a technique, so if there isn't much I can do about the technique, it has a lower score. All these three components are combined into a score to give us the significant or the top techniques. At the MITRE Engenuity website there's a calculator to find out which techniques you should prioritize, but I suggest that you understand the methodology and tailor it to your specific environment.

So okay, when we take the top techniques, we ingest them into the other tool, VECTR, for the purple team campaign management. This facilitates the tracking of the red and blue team activities, and with this tool we can create assessment groups that include several campaigns to simulate a specific threat. So a campaign can cover all the attack matrix, from discovery to impact, or you can make specific tailored campaigns to assess specific techniques. So let's get back to those techniques that the threat intel team prioritized to simulate. Even though it doesn't cover all the attack chain, considering the top techniques, the choke points, having a good detection on these techniques would give us a better chance to stop an attack that would employ that malware. So let's go deeper into one of the techniques, like Windows Service. When you click on that specific technique we are presented with this screen, and it has been populated by the threat intel team with information on that technique; there are details on how it has been used in attacks. And there are two sides: the left-hand side is used by the red team and the right-hand side by the blue team. On the left we have information such as when the attack simulation started, which were the targets, which were the sources, and with all this information the blue team navigates through thousands of logs to find out if the red team was successful. We also have fields for the attack description; sometimes, depending on the reports that we receive, we even have specific command lines, which tools are being used to exploit that specific technique. And the right-hand side is used by the blue team; there's information that has also been populated by the threat intel team, and here the blue team specifies if the technique that the red team ran was successful, if it was detected, if it was blocked, if there was just a log, or if there wasn't anything at all. So all this information is going to be used to assess the capability of detecting and mitigating each technique that was simulated by the red team.

So let's get back to those techniques. When we ran all these five techniques to simulate this specific malware we can get some reports. So for this campaign with WastedLocker there were five techniques; in our first round of this malware we came up with: two techniques were blocked, two had logs (it wasn't blocked, but at least we had logs), and for one of them we couldn't see anything. And when you go to the right side you can create a heat map specific to the attack matrix to assess how our defense capacity is. It goes from red, the worst scenario, to green, when the attack was blocked. And as we moved on, we did the first round of tests during six months, and during that first round we came up with this matrix, the ATT&CK matrix; there were over 180 tests that were done. So this was our first heat map, our first MITRE ATT&CK heat map, testing whether, if a technique was used against the bank, that attack would be successful or not. So with this, knowing on which techniques we must be stronger, we are able to better inform other security teams on specific actions that should be taken to improve our defenses.

So from this, some results we got. As I said, we were able to make targeted improvements; we identified some short-term actions like improved logging (we saw that there were a lot of logs that weren't reaching the SIEM, the blue team couldn't see them) and some detection rules that should be improved, and also some long-term actions for specific techniques like command and script execution: we need to reevaluate our policies, we need to change them, and we bring the security team and the business teams together to discuss this and assess any action that will be taken by security. And we also came up with new tools that we needed that were unavailable.

And okay, this was all going great; as I said, for six months we were doing tests, but let's take a look at the defense success rate. In this graph you have on the y-axis the defense success and on the x-axis we have the time. So when we looked at it, in the first six months the defense success rate was getting lower. And why is that? The red team was moving very fast, they were weaponizing themselves and moving fast, and the blue team was lagging behind, not because of lack of capacity, but because the characteristics of the defense actions are much harder, much slower to implement than simply executing tests as the red team. So what was happening was this: the red team was playing, okay, this is fun, we break a lot of stuff, we find a lot of room for improvements, but the blue team was getting drowned in all these reports that the red team was throwing at them. So we saw this: okay, this isn't working, we need to improve this. In the first round, as I said, we took more of a red and blue team approach, where the red team was doing their actions and the blue team was coming in later to evaluate the actions done by the red team. And then in the second round we changed the approach to a purple team approach, and we saw the defense success rates increase.

In this purple team approach we had a call: the red team, the blue team, the threat intel team, they are all on the same call sharing screens, and the red team only moves to the next technique when the blue team has done whatever they could about that technique, whether it be a new rule, improved logging, or at least identifying: okay, we need something, we are not able to do anything against this, we need a new tool, we need some policy changes. So only when the blue team is able to find whatever the red team did and make that improvement, or at least say "okay, help me, I can't do this by myself", does the red team move to the next technique.

So if we compare the heat maps: this again was for the first round, red and blue; when we changed that approach to purple team, this was the heat map for the attacks that were done after that change to purple team. So this is a direct result of the improvements that were identified by the blue team, including new tools and better visibility, better processes that were done by the defense team. We still have a long road ahead, and as the threats are dynamic, this evaluation must be constant, retesting the techniques with new procedures. So just to give a review comparing side by side, you can see that some techniques that were red, we improved on that, and we also added new techniques.

Audience: So, sure, the first one says there's nothing for exfiltration, but...

Carlos: Yeah, because, as I said, you have to constantly evaluate which techniques you should assess, you should test. So on the first round (for those who didn't hear, he asked if we shouldn't have had exfiltration on the first round) exfiltration wasn't a top technique when the threat intel team evaluated all the threats for the bank; in the second round it went in to be tested.

So okay, conclusion: what can we take from this? Testing is a very effective way to evaluate the security controls, and purple teaming yields better results than red and blue teaming, but from our experience we see that this approach moves slower; it gives better results but it moves slower. So it's important to balance purple teaming with red team, traditional pen tests, so you can have a broader view of your risk surface. And bringing together diverse teams is a better way to drive change in the organization; when we are doing the tests we are also bringing in the risk teams, but it's another topic for another discussion how we are bringing the risk teams together with the purple team, red team, blue team, risk teams all together. And you have to constantly evaluate the top techniques; the threat scenario is very dynamic, the attacks are very dynamic, they adapt very fast and you have to be able to adapt fast too. So if you have any questions, sure, please go ahead to the mic so people who are watching can hear the question. Go ahead.

Audience: My question was, in the first approach you talked about, you kind of focused on one malware at a time, at that time?

Carlos: Yeah.

Audience: Moving forward, when you're working together in the purple team, do you focus on, like, one malware strain or one actor at a time and then move on to the next one, or do you do them concurrently? How does that...

Carlos: In the first round we took on specific malware, extracted the techniques: okay, these are the techniques we are simulating. For the next rounds we are not looking at specific malware, we are looking right now just at the techniques. I don't care which malware is going to be used; I care which techniques are being used by attackers, and whether these techniques are going to affect me or not. So the malware is just a guide to the simulation, to the campaign, to tell a story for the campaign, but we are focusing on techniques. Does that answer your question?

Audience: So it's more of a broader, like, threat landscape?

Carlos: Yeah, yeah.

Audience: ...specific actor?

Carlos: Yeah, the actor is, as I said, just a guide to extract the techniques, but we are evaluating the threat scenario as a whole, not the specific adversaries. So you had a question.

Audience: So when you're doing these purple team exercises, do you actually target your production environment, or...

Carlos: Production. When there is a critical application, a critical asset, we go to another environment, but mainly on production.

Audience: But do you actually, like, exfiltrate data? Is that, like, mock data, or do you actually see if you can find data to exfiltrate within the environment?

Carlos: We didn't do exfil yet. So when I... sorry, they did exfil. All right, we did. We just tested the capacity of doing, for example, can an adversary establish command and control and exfiltrate data; we didn't test which data would be exfiltrated, we tested if that exfiltration technique would be successful, whether the data was real or not, just testing the technique, that exfiltration technique.

Audience: So, like, say you don't get initial access, do you just tell them to, like, turn off whatever is blocking you?

Carlos: We don't. When you evaluate the top techniques, initial access doesn't come up as a prioritization, as a top technique, and we are also taking an assumed breach approach. So we can have insiders; with 110,000 people probably there's going to be an insider sometime. So we take this approach, it's assumed breach, but we also do some initial access tests whenever needed. It's not our focus.

Audience: Really informative, I love the graph of the team, I get it. How do you manage running purple teams? Like, what tools do you deploy, just a playbook that you're kind of running, and you...

Carlos: We are learning as we go. So we are using the tool VECTR, as I mentioned, for the purple team; each team has access to that tool, they are able to fill out their specific information, and as I said we learn as we go, and those were the results we are getting. We're not following a specific book.

Audience: VECTR, is that open source?

Carlos: It's open source. It has a commercial license for support, but it's an open source tool.

Audience: Awesome, thank you.

Carlos: All right, anyone else? Thank you, I'll be available if anyone wants to talk, so have a wonderful day.
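The prioritization and scorecard workflow the talk walks through (technique extraction from attack chains, a prevalence / choke point / actionability score, then per-round blue-team verdicts rolled up into a defense success rate and a red-to-green heat map), as an added Python illustration that is not code from the talk, from Banco do Brasil, or from the MITRE Engenuity or VECTR projects. The scoring is a simplified stand-in for the Top ATT&CK Techniques calculator (the calculator's real weighting is not reproduced); the attack chains, actionability values and campaign outcomes are constructed sample data; and the rule that a technique counts as a defensive success only when it was at least detected is an assumption of this example.

```python
"""Added illustration of intel-driven technique prioritisation and a purple-team scorecard.

Simplified stand-in for MITRE Engenuity's Top ATT&CK Techniques idea: prevalence,
choke point and actionability are each normalised to 0..1 and combined with
user-chosen weights. Every data value below is constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed attack chains: ordered technique sequences a threat intel team might
# extract from malware reports (ATT&CK technique names, hypothetical sequences).
CHAINS = [
    ["Phishing", "Command and Scripting Interpreter", "Process Injection", "Credential Dumping", "Exfiltration"],
    ["Valid Accounts", "Windows Service", "Process Injection", "Lateral Movement", "Data Encrypted for Impact"],
    ["Phishing", "Windows Service", "Process Injection", "Data Encrypted for Impact"],
    ["Valid Accounts", "Command and Scripting Interpreter", "Process Injection", "Exfiltration"],
    ["Phishing", "Command and Scripting Interpreter", "Process Injection", "Credential Dumping"],
]

# Constructed actionability (0..1): how much of a technique's recommended
# mitigations/detections the organisation can realistically act on.
ACTIONABILITY = {
    "Process Injection": 0.6, "Command and Scripting Interpreter": 0.8, "Windows Service": 0.9,
    "Credential Dumping": 0.7, "Phishing": 0.5, "Valid Accounts": 0.6, "Exfiltration": 0.4,
    "Lateral Movement": 0.5, "Data Encrypted for Impact": 0.3,
}


def prevalence(chains):
    """Fraction of chains in which each technique appears."""
    counts = Counter(t for chain in chains for t in set(chain))
    return {t: c / len(chains) for t, c in counts.items()}


def choke_point(chains):
    """Choke point as described in the talk: a technique many paths funnel into and
    fan out from. Score = min(distinct predecessors, distinct successors), normalised
    so the strongest choke point is 1.0; chain endpoints score 0."""
    preds, succs = defaultdict(set), defaultdict(set)
    for chain in chains:
        for a, b in zip(chain, chain[1:]):
            succs[a].add(b)
            preds[b].add(a)
    techniques = {t for chain in chains for t in chain}
    raw = {t: min(len(preds[t]), len(succs[t])) for t in techniques}
    top = max(raw.values()) or 1
    return {t: v / top for t, v in raw.items()}


def rank_techniques(chains, actionability, weights=(1.0, 1.0, 1.0)):
    """Combine the three components into one score; highest first, ties by name."""
    prev, choke = prevalence(chains), choke_point(chains)
    w_prev, w_choke, w_act = weights
    scores = {t: w_prev * prev[t] + w_choke * choke[t] + w_act * actionability.get(t, 0.0) for t in prev}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


# Blue-team verdict per simulated technique, worst to best, mapped to the
# red..green heat-map scale the talk describes.
OUTCOME_SCORE = {"none": 0, "logged": 1, "detected": 2, "blocked": 3}
HEAT_COLOUR = {0: "red", 1: "orange", 2: "yellow", 3: "green"}


@dataclass(frozen=True)
class TestResult:
    round_no: int
    tactic: str
    technique: str
    outcome: str  # one of OUTCOME_SCORE


# Constructed results for a five-technique campaign: round 1 (red/blue, before the
# change of approach) and round 2 (purple team, retesting the same techniques).
RESULTS = [
    TestResult(1, "Persistence", "Windows Service", "blocked"),
    TestResult(1, "Defense Evasion", "Process Injection", "logged"),
    TestResult(1, "Execution", "Command and Scripting Interpreter", "logged"),
    TestResult(1, "Credential Access", "Credential Dumping", "blocked"),
    TestResult(1, "Impact", "Data Encrypted for Impact", "none"),
    TestResult(2, "Persistence", "Windows Service", "blocked"),
    TestResult(2, "Defense Evasion", "Process Injection", "detected"),
    TestResult(2, "Execution", "Command and Scripting Interpreter", "blocked"),
    TestResult(2, "Credential Access", "Credential Dumping", "blocked"),
    TestResult(2, "Impact", "Data Encrypted for Impact", "detected"),
]


def defense_success_rate(results, round_no):
    """Assumed definition: a test is a defensive success when the technique was at
    least detected; a bare log line that nobody acted on does not count."""
    in_round = [r for r in results if r.round_no == round_no]
    if not in_round:
        raise ValueError(f"no results for round {round_no}")
    hits = sum(1 for r in in_round if OUTCOME_SCORE[r.outcome] >= OUTCOME_SCORE["detected"])
    return hits / len(in_round)


def heat_map(results, round_no):
    """Best verdict per (tactic, technique) in a round, as a heat-map colour."""
    best = {}
    for r in results:
        if r.round_no == round_no:
            key = (r.tactic, r.technique)
            best[key] = max(best.get(key, 0), OUTCOME_SCORE[r.outcome])
    return {key: HEAT_COLOUR[score] for key, score in best.items()}


if __name__ == "__main__":
    for technique, score in rank_techniques(CHAINS, ACTIONABILITY)[:5]:
        print(f"{score:.2f}  {technique}")
    for rnd in (1, 2):
        print(f"round {rnd}: defense success {defense_success_rate(RESULTS, rnd):.0%}")
        for (tactic, technique), colour in sorted(heat_map(RESULTS, rnd).items()):
            print(f"  {colour:6} {tactic} / {technique}")
```

With these constructed chains, Process Injection ranks first because every chain passes through it and it has the most distinct predecessors and successors, which is exactly the choke-point argument from the talk; the weights tuple is where an organisation would tailor the methodology to its own environment, as the speaker recommends, for example by weighting actionability higher when the blue team's capacity is the bottleneck.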