
BSidesCharm 2023 - Stop the Leak! Adversarial Thinking in Cybersecurity with PRE-ATT&CK- Nick Ascoli

BSides Charm | 20:26 | 89 views | Published 2023-06
About this talk
File and data leakage have been responsible for some of the largest press-worthy cyber security incidents to date and, recently, appear to be increasing in volume. This talk will propose a more authentic approach to adversarial thinking (informed by MITRE PRE-ATT&CK) designed to inform defensive priorities using the same techniques that adversaries are actually employing in the wild. Nick Ascoli is a cybersecurity researcher and the founder and CEO of Foretrace, an External Attack Surface Management (EASM) solution. Nick has been a guest on the CyberWire podcast, and a speaker at GrrCON, ShmooCon, DEF CON Skytalks, Black Hat Arsenal, SANS, and BSides conferences on SIEM, recon, and UEBA topics.
Transcript

I am going to start now; it is officially five o'clock. So first of all, I see a lot of familiar faces in the crowd who stopped by the Foretrace booth today. I'm amazed that after hearing my diatribes there you decided to come hear me talk again, so it's truly an honor, but also, why? You know, you've heard me talk already; it's not that exciting.

So, who I am: I'm Nick. You might have seen me at the Foretrace booth. I'm the founder and CEO of a company called Foretrace; we look for data leaks, basically. I'm the former VP of threat research at a phishing and anti-phishing company called PIXM. If you have questions about the talk or just want to chat with me, that's my email, and you can find me on Twitter or Mastodon at Nick backwards casein418.

But what I want to talk about today starts with the world of data leaks, which is where I spend an overwhelming majority of my time. Some of those graphics on the left are mostly screenshots from forum posts recently selling, you know, recycled credentials, selling access to things, or just posting leaks. And I think of the last, like, four major incidents, right, press-worthy findings of large amounts of corporate data on the internet. The ones that come to mind immediately are the TSA no-fly list, the T-Mobile leak, some massive education system platform in India where a ton of their customer information leaked, the student information leaked, and then Salesforce had something like this week, where some customer attendant stuff was leaking. And in basically every case there we're talking about the crown jewels, so to speak, of the organization, the product of the breach or leak (which are different things) being found just online. Anyone with an internet connection and an IP address can find those things. We're not talking about post-exploitation frameworks or custom tooling or very advanced persistence mechanisms; we're talking about just a Google dork and some very patient scrolling to get to the crown jewel.

Which is something that's hard to imagine, because a lot of us spend our time in a very, like, whatever, XDR, MDR, SIEM detection content world, spending (and this is something I'm guilty of) an inappropriate amount of time writing Sigma rules for detection scenarios that are probably never going to happen and have happened, like, once in the wild. So it's hard to imagine that the impact that we're trying to prevent as of late has just been straight up someone finding a file on the internet, which leads me to crown jewels.

Now, old crown jewels, and I'm saying 2010 is old, so you're going to have to deal with that, are things that sat on... The crown jewels of the past, say it's files or data specifically, used to maybe sit on the intranet on an application server that's hosting some file share software that's very clinical and super locked down. It is not accessible from the internet, at least in theory, and in practice you can try that. And you've got the, you know, 2010-era super well-configured McAfee or Symantec DLP deployment and some FIM software running on the host to keep things locked down, so you can see the data when it moves.

Now the crown jewels of today are a little more dinky and pathetic and often are accessible simply from the internet. So a lot of them live now in places like SharePoint Online, in G Suite tenants, in Salesforce tenants, in any number of infrastructure-as-a-service provider bucket storage options, and in a lot of cases, especially the ones I just shared and ones I'm sure many of you have seen in your day jobs, are accessible by anyone with an IP address due to whatever software you're using to host it being sort of open to the internet by default. This is extraordinarily common with infrastructure-as-a-service providers, which is starting to be buttoned up now. But in the case of SharePoint Online, a lot of the stuff I see in my day-to-day job, which, you know, gets wrapped up before it hits the news, even though these people have CASBs, is someone clicking, as an example, "share via URL" on a SharePoint directory, not just a file, a directory, which makes the whole thing open to the public, and oftentimes it's indexed by a search engine. So again, the right Google dork a week later, and anyone just patient enough can find that file. And then the CASB, in some of these specific examples, is not connected to the tenant; there's no forward proxy, so they're not seeing that the marketing department has their own SharePoint instance that is billed totally separately from the corporate one, and no one knows it exists.

So the trend I've observed here is a shift left, and no, it's not the buzzwordy DevSecOps shift left that you might be thinking, though, you know, there's a time and a place for that. It's a shift left on something a little bit more familiar to this audience. This is the MITRE ATT&CK framework. On the left you've got your recon techniques; on the right you've got all of the things to get access to your crown jewels and then exfil them. Now this is where, in all of the exercises that I've done for most of my career, this is the stage where the thing is found: the crown jewel, the target, the whatever of the pen test or the actual adversarial activity. This is what we're looking for as the end product, the end result of the engagement, the end result of an adversary being in there: what did they take, what did they leave with. And in reality, the shift left that I'm talking about is adversaries basically succeeding in the goal of this entire chain of exfil in the first phase at all, which is the reconnaissance phase.

Now the answer to this problem is sort of performing assessments using a different framework, which has now been merged into the ATT&CK framework, but previously this was a separate matrix called the PRE-ATT&CK matrix. Now a lot of you, I'm sure, are familiar with the ATT&CK matrix; it's all of the TTPs for, you know, everything. In your ideal SIEM deployment you've got some detection logic for an overwhelming majority of the TTPs in the MITRE ATT&CK framework. The idea behind PRE-ATT&CK is all of the things that happen before a bad guy gets access, which I think are woefully underappreciated in the modern era. So the PRE-ATT&CK matrix has two categories: reconnaissance and resource development. Resource development is active stuff; this is active scans; you're going to get logs cut on systems from this activity. But the reconnaissance phase is what not only informs resource development but is what informs everything else. So the reconnaissance phase, there are active portions to it, and there are really active flavors of TTPs to get any particular goal you want done here, but a lot of it is passive. A lot of it is stuff that is not going to cut so much as a log in anything that you're tracking. So you have the greatest detection logic on earth for, you know, if someone does land on a box and tries to use certutil to download some file from somewhere else, you'll detect that in a second. You'll detect much more advanced iterations of that. But a lot of the things they use to get to that point, to just plan the attack to get to that point, you're not going to see anything from.

Now a good example that will cut a few logs is that last TTP on the list, or the last topic on the list: search victim-owned websites. So I'll walk through the example of just how easy it is. All of the TTPs in recon are so incredibly important in the results they produce, in that they inform the rest of the adversary's activity in your environment. You know, with a smaller footprint, they're making a lot more noise on a lot fewer sources to try and knock on your door. But as an example, let's talk about searching a victim-owned website and just how easy it is.

So let's say we have a Google dork. Man, that's really tiny text, but the idea is a Google dork to look for files, PowerPoints, spreadsheets, docs, PDFs, on corporate infrastructure, any domain or subdomain associated with who I'm dorking. This particular dork was a company that, say, as an example, is hosting a BSides conference; maybe they're a hotel chain, I don't know. That would be in poor taste, so that's not what we're doing, but as an example. And say 2,000 files come up and I start downloading them. I can do this by hand; I can write a million different scripts to do this. There's PyMeta, in fact, and PowerMeta; there's a PowerShell version and the Python version that'll pull all these files down procedurally. It won't get all the way through, but it'll get a bunch of them. So I download these files. I've got spreadsheets, I've got PowerPoints, I've got Word docs, I've got PDFs, and I start pulling the EXIF data out of them. Now EXIF data is, if you're familiar with people pulling geolocation stuff from a photo, EXIF data is like the latitudinal and longitudinal coordinates attached to a picture. There is EXIF data that can be ripped out of, it's not always actually EXIF, but metadata that can be ripped out of an overwhelming majority of file types that will tell you something about that file being created. Now all of that metadata can also be stripped using a utility called ExifTool; there's a specific command to strip that metadata. But if you don't do that, which I have not found anyone who does except a few wildly advanced security operations centers who have that built into a process, you can get all kinds of juicy stuff from the files, particularly the author field, which occasionally will contain an actual credential, like a SAM account name, something associated with some IdP or IAM infrastructure, which I've got two examples of here, which, you know, these are sanitized obviously, or emails. Sometimes it's a first and last name; the more valuable for us is emails and usernames. We also get the tools, and not only just the tools but typically the version of the tool that's running, sometimes down to specific version numbers. In that last Creator Tool example we have the DLL involved in the publication of the file, which is interesting and not something that I expected before I got into this little world, and also in that last one we have the operating system version, the version of the OS that's running on this host.

So taking all of the fields from all of the files that we found, which in this example is 2,000 (this is just from three that I pulled down at random because they were different file types), I can put together a really interesting inventory of organizational metadata and organizational data in general that exists online. So just from a handful of files I get a list of usernames that I can start plugging into stuff, maybe for sprays, maybe for brute forces, maybe just to see if they're active accounts. I've got an email address, which is cool, very common to be in file metadata, and, more interestingly, I've got a list of tools and libraries and OS versions and sometimes DLLs. So the idea is I can, from the outside, completely unauthenticated, start to put together, as a bad guy, a list of things to target with my payload. So I can not only, with the files, be really specific about who I target, but I can start putting together, with this inventory of software running on the inside, a sort of idea of what the gold image laptop looks like that gets deployed within the organization: what is running on it, what libraries are installed on it, what version of Word is on it, what suites are they using. You start to get a really good idea of what is going on inside the company, get a lay of the land of what's actually going on on the corporate laptops being used to produce these files.

Now this is something that should be, and often is, a part of regular old pen test reconnaissance, typically for a fully external engagement. And I think the most important part of the recon phase, and the reason I think this should just be... the actual action of this, whether it's just your team doing it by hand, should be woven into the fabric of monitoring, is because the recon phase is what informs the rest of the attack. With a limited amount of recon findings there's a limited amount of attack paths to actually exhaust, and you might have to go ask the person you're on the engagement with for additional routes in, if you're doing a full external, or additional options, because you didn't find much. And also, I hinted at this earlier, but if you limit the amount of domains out there (this recon ends up revealing a lot of subdomains, a lot of content that maybe shouldn't be on the internet), when you limit the amount of sources that a red team, a pen test team, or an actual adversary have to exhaust to try and get in, they end up making more noise in fewer places. So if you're doing, you know, different flavors of long-tail analysis on your logs or looking for spikes in activity, it's a lot easier to detect when it's not spread out wide across, you know, if you're a huge company, you've got so many web resources out there. When you've got a smaller amount of usernames to pick from, because there's not, like, 200 that they're pulling from metadata but there's, like, three, or there's no usernames out there at all and they're just guessing them from email naming conventions, it becomes significantly easier to detect.

Now I'm going to provide... this is practical knowledge to start looking at PRE-ATT&CK as a framework to assess yourself against, in the same way you do the rest of the ATT&CK matrix. Now for TTPs in the actual Enterprise ATT&CK matrix it's really easy to figure out how to assess yourself against it, because it's, like, do I have a detection for this or not, do I have the sources to provide me with the logs to detect this or not. It's a lot of pretty easy yes-or-no flips. For the PRE-ATT&CK matrix we're not really talking about checking a detection box, because a lot of these are techniques that are done on systems that aren't owned by you, and you're not collecting logs from them at all, so the detection use case only vaguely exists. What I think you should do is run the TTPs against yourself on some rotating time-based cadence, whether it's a different member of your team doing things like searching for corporate data or honey tokens in open buckets with specific Google dorks, looking for exposed SharePoint files in your infrastructure or in associated infrastructure of people who have access to your SharePoint tenant, different flavors of dorks (Exploit-DB has tons and tons of really valuable ones), scanning the content you do find online for EXIF data and metadata that gives you some sort of insight into what's going on inside the company, with the goal really of understanding what exists online: if an adversary were to look at you right now, what exactly would they find? It's helpful to understand that, and it makes it a little more predictive, the kind of activity that's going to go on when you do engage a red team for a fully external pen test.

And what I'd also like to advocate for, because it's something that I saw so much when I worked in consulting, is this is not something you want to wait for the report results to patch up, because the reality is most of the time, in the couple of pages of recon you get back in the assessment, the stuff that they found is stuff you could have patched up months ago, and it would never have been the path that they took to get in. They would have had to find something else, potentially something a lot more complicated, potentially something that would have produced a significantly larger volume of logs. And I think doing this sort of PRE-ATT&CK assessment against yourself is a good way to get started with threat-informed defense, which is a sort of a buzzwordy category and topic, but the idea is prioritizing your investments, prioritizing your training, prioritizing the purple team and red team test cases you engage in by what is actually going on in the wild, and what tools and what TTPs adversaries are actually using against companies like yours and people in your vertical. So I propose being very specific not only about the TTPs that they might be using on the inside but, while it seems so simple, it's so common for them to be finding things on the outside that negate the need to ever get inside at all.

And to make this easier, I think using honey tokens is a great idea. Put honey tokens in every data set you can and are able to, and search for the presence. If you don't want to search for organizational data over public sources, because you don't want to put organizational data out there, putting honey tokens, embedding a variety of different flavors of tokens into code you have, account databases you have, username databases you have, is a great way where you can just search for that. It's not proprietary, the token itself; search for the presence of that token in public data sets, which is something you can do, again, with a search engine or with the exposed APIs of a wide variety of tools. And then on a quarterly basis I think everyone should be running tabletops, or at least adding this into your list of tabletop scenarios, especially with the popularity of public data leaks over the last couple of months, usually not of a parent organization leaking data but of a provider they work with accidentally leaking their data. I think it's a super valuable test case and tabletop scenario to be walking through, because it usually is more procedural and more focused on the privacy office and legal office than a lot of other tabletop scenarios end up being, and it's also incredibly likely, or at least increasingly likely, to happen, as we've observed in the wild.

So that's it; those are the steps. This was supposed to be a short presentation; it was a little longer than I intended, but that's it, that's the end of the talk. I'll open the floor for questions and comments. Tim the head will also be taking questions; it doesn't speak much, but yes.

[inaudible]

Yeah, open source ones, if you... there are tools that are more built for doing this against people, that are free, like Maltego and SpiderFoot. You can do organizational stuff in there too; they work for that. But there are also commercial options, which I will not discuss because I'm on a BSides stage here; I can only talk about free stuff. But yes, there are options out there, and I think those are two great ways to get started. But also a lot of this you can just kind of do from a search engine, with enough time. Anything else? All right, well, that's it. Thanks, everyone, for coming to the talk.
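The metadata-harvesting step the talk walks through (download the dorked Office files, pull the author, last-modified-by and creator-tool fields, and aggregate them into an inventory of usernames, emails and software versions) is shown below as an added example; it is not code from the talk, from PyMeta, or from PowerMeta. It reads the `docProps/core.xml` and `docProps/app.xml` parts that Office Open XML packages (.docx/.xlsx/.pptx) carry, which is where Word, Excel and PowerPoint store exactly the fields the speaker describes. The sample documents are constructed in memory so the script runs offline; the identity-classification heuristic (email vs. `DOMAIN\user`-style username vs. display name) is an assumption of this example, not something the talk specifies. PDFs need a different parser and are not handled here.

```python
"""Harvest author/tool metadata from OOXML files and build an attacker's-eye inventory.
Added example; sample documents are constructed below, not real leaked files."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# Namespaces used by the two metadata parts of an OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
# Heuristic (assumption of this example): DOMAIN\user or a bare token with no spaces
# is treated as an account name; anything with spaces is a display name.
SAM_RE = re.compile(r"^(?:[\w-]+\\)?[\w.-]+$")


def make_ooxml(creator, last_modified_by, application, app_version=None):
    """Constructed sample: a minimal OOXML package containing only the metadata parts."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    app = f'<Properties xmlns="{NS["ep"]}"><Application>{application}</Application>'
    if app_version:  # LibreOffice-style files often omit AppVersion entirely
        app += f"<AppVersion>{app_version}</AppVersion>"
    app += "</Properties>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


def extract_metadata(data):
    """Return the interesting fields from one OOXML file (bytes); missing parts are skipped."""
    wanted = {
        "docProps/core.xml": (("dc:creator", "creator"), ("cp:lastModifiedBy", "last_modified_by")),
        "docProps/app.xml": (("ep:Application", "application"), ("ep:AppVersion", "app_version")),
    }
    fields = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = set(z.namelist())
        for part, tags in wanted.items():
            if part not in parts:
                continue
            root = ET.fromstring(z.read(part))
            for tag, key in tags:
                el = root.find(tag, NS)
                if el is not None and el.text and el.text.strip():
                    fields[key] = el.text.strip()
    return fields


def classify_identity(value):
    """Sort a creator/lastModifiedBy value into the bucket an attacker would reuse it from."""
    if EMAIL_RE.match(value):
        return "emails", value.lower()
    if SAM_RE.match(value):
        return "usernames", value.lower()
    return "display_names", value


def build_inventory(files):
    """Aggregate metadata across many files: who authored them and with which tool/version."""
    inv = {"emails": set(), "usernames": set(), "display_names": set(), "tools": Counter()}
    for data in files:
        md = extract_metadata(data)
        for key in ("creator", "last_modified_by"):
            if key in md:
                bucket, value = classify_identity(md[key])
                inv[bucket].add(value)
        if "application" in md:
            tool = md["application"]
            if "app_version" in md:
                tool += " " + md["app_version"]
            inv["tools"][tool] += 1
    return inv


# Constructed sample "downloads": mixed author formats and one file without AppVersion.
SAMPLES = [
    make_ooxml("CORP\\jsmith", "Jane Smith", "Microsoft Office Word", "16.0300"),
    make_ooxml("jdoe@example.com", "jdoe", "Microsoft Excel", "16.0000"),
    make_ooxml("Bob Builder", "CORP\\bbuilder", "LibreOffice/7.3.7.2$Linux_X86_64"),
    make_ooxml("jdoe@example.com", "jsmith", "Microsoft Office Word", "16.0300"),
]

if __name__ == "__main__":
    inventory = build_inventory(SAMPLES)
    for bucket, values in inventory.items():
        print(bucket, sorted(values) if isinstance(values, set) else values.most_common())
```

Run the same harvester over files you have already stripped (the talk's ExifTool step, or Word's own document inspector) before re-publishing them: if `extract_metadata` still returns a `creator` or `application` value, the stripping did not touch the OOXML `docProps` parts and the file will still feed an adversary's username list and gold-image inventory.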