
It helps if I turn this on first. So we have David Kennedy. He is the founder of TrustedSec LLC, and he's also the co-founder and CTO of Binary Defense Systems. Dave has had guest appearances on Fox News, CNN, and other high-profile media outlets such as the Katie Couric Show, where he was dubbed the sexiest man alive. I can't disagree. Dave's also the founder of DerbyCon, a large-scale security conference in Louisville, Kentucky. I'm sure many of you have been to it; if you haven't, please do. Dave also co-authored Metasploit: The Penetration Tester's Guide, which was number one on Amazon.com in security for over six months. David's also one of the founding members of the Penetration Testing Execution Standard, and I also
asked for quotes about Dave from some of his friends. Paul of Security Weekly had a few choice things to say, but I kind of kept it clean for the hour: "Dave defined the serious hacking day for me," which I think has something to do with bucks and watches. That's Paul. And Dave loves his box. So Dave is also the creator of several widely popular open-source tools, including the Social-Engineer Toolkit and many more. Who's ever used SET, the Social-Engineer Toolkit? Awesome, that's good to see. But if you ever read the terms and conditions, it's kind of important; if you've never read it, it says: "Also note that by using
the software, if you ever see the creator of SET in a bar, you should give him a hug and should buy him a beer and a bourbon." I don't have a beer. But lastly, Dave was a US Marine, thank you for your service, working for the intelligence community, and spent several years in the Middle East, including Iraq. I am proud and honored to introduce our keynote speaker, Dave Kennedy. Wow, how do I, uh...
All right, well, thank you everybody for coming on a Saturday morning to come hear me talk, and a lot of other great speakers here today. Hopefully you get to see a lot of great talks; the list here is absolutely amazing. But a warning: I lost my voice two days ago, and it came back slightly yesterday, and this morning it got worse, but it actually sounds like it got a little bit better, so we'll play with it and see how it goes. But my son brought home the plague and literally destroyed our entire household. So I got back from Hong Kong on Monday. Attacked... like Jason Street was right there. Jason, this is Jason Street right
there, right? Give a round of applause for Jason. He hates that, he hates that. So I got back from Hong Kong on Monday, and actually as I was getting to Hong Kong, Jason was flying away from Hong Kong. But my son went on a Cub Scout thing and they went to a naval vessel to kind of see the naval vessels. When they got home, everybody that went on the Cub Scout pack trip was completely, definitely sick, including my dad who took them, and then it killed our whole household. So that was wonderful, but we're glad to be here, glad to be in Boston. Go Cavs! So I made the mistake, I didn't realize where I was going yesterday and today, and I
wore the Cleveland shirt, you know, big Cavs shirt. I went down to the bar yesterday to go get a drink and I literally got stopped by like eight people that weren't happy with me. So we'll see how it goes. Good luck. I don't need to go through any of the about stuff, but what I'm talking about today is, you know, if you look at what we're dealing with in information security, there's a lot of different things. I mean, obviously everybody's been seeing a lot of what's been happening with the whole Shadow Brokers dump, and I'll talk a little about that. I was actually up till two o'clock in the morning getting a remote code execution working with our own custom payload, so
I'll show you how to do that here in a little bit. But what was interesting, what we see out there, is this industry has a lot of things coming at it, a lot of different attack vectors, everything from phishing all the way to zero days, and it's really difficult for us in companies to get a handle around what we need to do. And a lot of the technology, a lot of the defenses that we build, are real generic in nature to stop some of the most basic of things, but they don't look for a lot of the patterns of behavior that we do as attackers. And as an attacker going into, you know, countless organizations, most of
the stuff that is built is literally for off-the-shelf, you know, what you can download from the internet. A good example is PowerShell: a lot of people flag on EncodedCommand for a PowerShell flag; there's twelve different iterations of encoded command. Here's a call on EncodedCommand in order to get PowerShell execution. So some of the things that I just see commonly in the industry, some things that can hopefully help you out, but also show you some cool hacks along the way. And so first, how about them leaks that happened, right? So if you're not familiar with what leaks happened, as of yesterday, actually happened last night, the leak should be no surprise, and I'll talk
about what the leaks are here in just a second. But the leak should be no surprise; it'll contain a mixture of zero days as well as already patched vulnerabilities that are out there. But what was interesting to see is that, you know, a lot of these countries, including ourselves, have capabilities of zero days, as we've been saying for years and years and years and years. So there's no real surprise on what our capabilities are, who they are and what they're doing. The interesting thing, though, is that we just didn't expect a large leak like this all at once, or now we have a whole stash of code that we have to go through, and a lot
of it's actually executable, so we have to disassemble, reverse-engineer how it's working, do packet dumps. Already a lot of research going into that; in fact, as of like five minutes ago, I think we just got our Python prototype done for the latest. It's MS17-010, which is remote code execution in SMB version 1 for all versions of Windows. So that's a fantastic one; it's MS08-067 on steroids. I'm sorry, I think it's Windows 8.1, but it's also reported to Windows 10, which is fantastic. So it's the next MS08-067, so we can all celebrate for like the next nine years, so we can have birthday cakes and everything else made for MS17-010. I wish it...
wouldn't it have been amazing, like the world aligning, if it had been MS17-067? I mean, it would just... would have been... I would have just... I could have died happy. So, but if you're not familiar with what's happening, you know, the Shadow Brokers is loosely attributed, or attributed, to Russia, okay? The Equation Group has been loosely attributed to the NSA. Kaspersky was one of the first ones, but, you know, they've tied it back to Stuxnet, a lot of the other components where we kind of became public on a lot of our offensive capabilities. And so what's been happening lately is that, and what the Shadow Brokers claim, which seems to align up, is that the Equation Group, i.e.
the NSA, was conducting operations abroad, including compromising a large percentage of the SWIFT network for the banking transactions and the financial backbones, to monitor transactions for intelligence-gathering purposes, things like that. And what Russia did is they identified where the Equation Group is coming from. And by the way, I'm not going to talk about anything classified, so if you're in the military, don't worry, I'm not going to start saying any TS/SCI stuff where you have to leave the room. So I'll make sure not to go into any classified information that's been leaked, because you still are subject to that. But what the Shadow Brokers ended up doing was tracing back the infrastructure that the NSA was using to
conduct operations abroad, and so they actually hacked the infrastructure that the NSA was using and stole a large percentage of their tools. So we saw a couple weeks ago that the Shadow Brokers dump was actually released. They had put it up on the dark web for auction for a significant amount of money, I think it was like fifty million dollars or something crazy. And then literally as soon as we bombed Syria, you know, lo and behold, the first dump was released, which contained a lot of remote exploits for Linux-based systems. Then we saw just yesterday where they released a large cache of Windows exploits, everything ranging from IIS 6 exploits all the way to, you know, SMB exploits and
everything else. There's also a really cool exploitation framework, which I'll talk about here in a little bit, that the NSA also got leaked on. It's basically the Metasploit for the NSA, which is now getting forked and developed now, so it's going to be like the next, you know, Python-based Metasploit, which will be fantastic. I'm just curious what's the licensing for using NSA's code; can you fork it and do like a BSD license? How does that work? You know, I guess it's taxpayer dollars, and technically, you know, the government has no copyright over their material, so technically we should be able to use it, right? So there's a lot of great stuff that was actually released inside of it,
but it just shows you what's actually happening right now is a lot of information warfare around, you know, different governments attacking each other, exposing other data, and based on foreign policy releasing a lot of the data that's out there. So it's kind of a scary time when you actually look at it. And so let's just say hypothetically the Shadow Brokers are Russia and the Equation Group is the NSA. There's some serious stuff going on right now between the two countries, between the US and Russia, obviously escalation criteria. Trump has said that, you know, it's probably the worst relations that we've had; same thing for Putin. We're launching offensives in Syria or going after North
Korea, key allies of theirs; Iran is against us. So there's a lot of foreign policy things that are happening around this time, and the releases coincide with a lot of what's actually happening out there in the industry. Now the scary part about a lot of this is, you know, if you look at what Russia leaked as far as the exploits, that means that Russia either has had or already been using those exploits for a large period of time, because the dump goes back to about 2013. So these exploits have been compromised since 2013; they've been known to be compromised since 2013. We've never published anything around that to say, hey, these exploits are in the wild,
Microsoft, you should go fix these; Linux, you should go and fix these things. There hasn't been any release to actually go and do it. Now a lot of these have actually been fixed, luckily, just through normal disclosure. Google's Project Zero has actually gone through and fixed a lot, even found these bugs ahead of time. They're actively being used; that means that Russia probably has the same capabilities, if not better, to launch offensives against us, and didn't care if we burned these specific sources on them. Now one thing I want to say is, I, you know, it's not a good day for our intelligence community when you leak a large amount of this data, especially
exploitation frameworks, direct exploits that we use for offensives, implants. A large percentage of what was leaked was still what we would consider today as being very significant around, you know, hey, we phish first, we get access to an infrastructure, and then we need to do lateral movement to move to other systems. And how do we do that lateral movement? Well, hey, we have a whole bunch of zero days and implants that we can use to get access to different systems. So, you know, it's a bad day for the intelligence community because they lost a large percentage of their cache around what they do as far as weaponization of their stuff. So it's not a good day for the intelligence community;
it shouldn't be a good day for the United States. We should be bragging like, hey... no, hey, we got these great exploits, that's fantastic? Well, yeah, as a security researcher it's great to be able to say, okay, yeah, you know, the zero-day angle is still a very big play in what we're seeing today, but at the same time we should be pretty alarmed at what's been happening around the leaking of a lot of this data. So I want to say a special thanks to exploits as possible. You know, to me personally, and you may have different views, but I believe that we need to have these types of
exploits and capabilities for our military. It's extremely important; our adversaries have the same type of capabilities, they're using the same things against us. So in order for us to be able to go on the offense as well, we need the same type. But at that same time, with great power comes great responsibility, right? Big Spider-Man fan, right? So with that, I mean, you can learn everything you can in life based on Spider-Man, including how to be cool in a uniform and tights and stuff like that. I tried that; it doesn't work very well. But what we learned from that is, you know, the government does have a responsibility that once an
exploit has been burned, to work with, you know, the different parties like Microsoft and Cisco and Linux to actually address those exposures, because they are actively being used. That wasn't done here. In 2013 it was compromised; the infrastructure was known burned, and they didn't contact anybody to notify them that something had actually been compromised. That's a problem. So we have no responsible disclosure method when it comes to developing these weapons, and then, when we're conducting operations or offensives, to have them actively go get fixed afterwards. So what this leak tells us is, you know, the information warfare campaign is not dying down, it's legit, and there's a lot of power against this. I mean, there's a
lot of people developing significant, substantial amounts of efforts. I mean, like literally what the Shadow Brokers leaked was probably a couple mil worth of exploits, a couple of million dollars they just literally lit on fire and, you know, didn't care about what was actually happening, because of how we're actively going and doing things. And so you're looking at a time now where we're literally... having the best military doesn't mean anything right now. You know, we are on a direct peer-competitive playing field when it comes to who we're going after. Iran is probably a couple years behind us, but Russia and China are very close to what we're doing, if not better. So we have a problem now where,
you know, military-capability-wise, having the best military, the most amount of bombs, the most amount of, you know, advanced military doesn't mean squat when it comes to what we can do offensively. So here's a video that I did two years ago when I was on, by the way, Fox News. Sorry, I should have put a medal in here as well; I try to balance so much here. I don't care which one; come on, I've tried them all. I think all politics suck, so I don't favor anything. So this is one thing where, two years ago, this is General Dempsey, and I don't know, the military has been, and especially the NSA
director, and everyone else, has been very open about what our capabilities are and where our shortfalls are, and they're not joking around with what we're talking about. That's not a way to scare us into giving away privacy and stuff like that, which, by the way, I got in a huge argument on Fox, on Judge Jeanine, where I got three people yelling at me that I was wrong, that giving the FBI the backdoor to an iPhone would be, you know, kind of like the downfall. If we can't protect our most awesome weapons, how is the FBI going to protect having access to every iPhone? So anyway, so it's all coming to fruition, which is great. This is
back in 2015, and General Dempsey was talking about our cyber capabilities and what that actually means. "Incredibly destructive. It can be disruptive; it can disrupt anything. Destroy? It can destroy hardware. It can disable critical infrastructure, which could lead to loss of life, and I think those capabilities are out there." "And, you know, we have, in every domain, Chris, we generally enjoy a significant military advantage, but we have peer competitors in cyber." "In other words, we don't have an advantage over that?" "We don't have an advantage. It's a level playing field, and that makes this chairman very uncomfortable." "So why are we not ready? How devastating could
this be? And is this just the beginning? Tech expert David Kennedy joins us. David, is this the tip of the iceberg, this warning or advancing?" I have gym shorts on, by the way; I do the Charles Barkley. If you're not familiar with that, Charles Barkley needs like a suit and tie on and doesn't typically wear pants. I do the same thing; it's no big deal. So walking is stupid, eyes for Greta. "It's not really... we've been actually warning about this for a number of years in the security industry. You've had some big players like Russia and China where they've hacked into us for more military preparedness." And that was two years ago. So, you know, we
know that this is a problem with what we're dealing with today. Now, if the Shadow Brokers are responding to world events by bringing reliable exploits again, it means that they already have things that are comparable or better than what they released out there. So it's good to understand, you know, what our adversaries have. Now there hasn't been a large leak of Russian exploits or Chinese exploits. We know a lot of what they do from an infrastructure perspective, like China likes using PlugX, Russia likes using PowerShell and WMI persistence, but we don't know their exploitation techniques or how good their A teams, or tier one and tier two teams, actually are at this point, at
least not in our field. So if you look at the leaks, what was actually captured, though, this is a screenshot from campus coding. So here's a list of all the different things that were released in this last dump here yesterday. So we have everything from, you know, an MDaemon email server vulnerability to Lotus Notes exploits to IIS 6 exploits, a reliable 2000 RDP, 2003 exploit. What was nice about it is, if you had a EULA, a license agreement, it even clicked through for you and hit OK and then exploited the machine, which is great. So it's accepting the licensing agreements; it's fantastic that you won't hack unauthorized there. Anyway, should perform... so thank you, thank you. We have a number
of SMB exploits, everything from Windows XP Service Pack... or Windows XP fully patched; no patches, obviously, can be released past this point, all the way to Server 2012. So a large range of different exploits that are out there currently, everything affecting SMB version 1 and SMB version 2. Now, I know the guy that wrote Responder; I was talking yesterday about the specific vulnerability in version 1. There was a project back in 1996 or so called Cairo, which was integrated into SMB version 1 and never got fully implemented. That's where a lot of these bugs are; and as of late it's in the Cairo project, which was actually never fully implemented but is in actually every
version of SMB version 1 that's out there. So a lot of good exploits that are coming from this one specifically that's out there. Now, good news is a lot of these have been addressed. You know, as security researchers go through these protocols, when they find things, you know, there are obviously proof-of-concept denial of services that may not be actively weaponized. Microsoft's actually fixed a lot of these. The big one, which was EternalBlue, which is the new MS08-067, which is MS17-010, got fixed on Tuesday. So it's been actively exploited since 2013 by Russia and other adversaries. And by the way, I'm not a conspiracy theorist here, but in 2013, you
know, all the information around the SWIFT banking network got hacked by Russia, okay? And then in 2015 to 2016, all of the SWIFT infrastructure got hacked and a whole bunch of money got sent out. That seems kind of suspicious or coincidental, right? And it's loosely attributed back to North Korea at that point. So it's all weird how this is all kind of playing together in this specific dump or leak. But EternalBlue's really the most awesome one. They had their own MS08-067, so they knew about MS08-067 well before it was ever publicly released out there. So a lot of great capabilities you can see kind of coming from the NSA. What
was less about, and probably I've got to give the NSA a round of applause for ASCII art. That's some legit hackers, okay? When you've got ASCII art and you've got like beer mugs and, you know, a bunch of other things, they're legit on what they're doing as far as hackers. So every good hacker has to have ASCII art; if not, it's not legit. But you look at EternalRomance, what would happen, and the way that the framework was working, I'll talk about Fuzzbunch here in a second, FB, is you would compromise a system and then you would use their exploitation framework as a pivot point. And what I
mean EternalRomance would do is profile a target system, looking for vulnerabilities, and say, hey, this specific system is vulnerable to six exploits, do you want to deploy these? And it would go in and run an exploit, and then it would hit an implant, and then it would, you know, call back to the command and control infrastructure for the NSA and then have full access to everything. So a lot of really cool stuff being built, and, you know, very similar to what we would use in the private sector. So good validation around what we're doing in the industry. So just when we thought MS08-067 was killed, we got its bigger brother: nine
hundred pounds, carries guns, riding a flaming unicorn, breathes fire. So what was nice about this one specifically is it targets all versions of Windows, so it's fantastic for us, you know, at least for the next nine years, because we are still absolutely terrible with patch management. We just got rid of like MS08-067 like last month; like literally people just started patching and finally got rid of that last, you know, legacy server. They finally went through hell in a handbasket on change control, like seven million dollars to remediate an old version that they couldn't get their ERP system upgraded to, and finally got rid of that last MS08-067, only to have this one
pop up. So let me give, for like the next nine years as pen testers... So you look at it, multiple zero days; a lot of them, again, have been addressed, but we finally have multiple Windows XP and Server 2003 ones, which there's still plenty of them out there. Someone did a Shodan query on who has Microsoft Windows out there with 445 or 135 open; you know, something like two million three hundred thousand different IPs still had NetBIOS and RPC exposed on the outside, like five hundred ninety thousand were in the United States. I'm like, seriously, what's wrong with us? So last night I didn't go to bed till like 2 a.m. because we were working on trying to
get a stable payload through the framework in order to get something like Cobalt Strike or Metasploit directing to it. And so it was just recently patched on Patch Tuesday, but MS17-010 does work; we got it to fully work on a Windows 7 fully patched minus the patch off of Tuesday. And so here's an example of using Fuzzbunch. So Fuzzbunch, by the way, is the framework, and obviously I'll blow this up a little bit; in fact I'll actually go to full screen on this one real quick. Hang on just a little bit; let's move over.
So this is Fuzzbunch, and what you do in Windows is just basically install pywin32 in Python and you're all set, and you just run fb.py, which is Fuzzbunch, which is the exploitation framework. It's very similar to Metasploit; it has a lot of different similarities. You can type things like help, use these different payloads; you know, it's very similar to everything else out there. Now here we're going to be using the specific exploit of MS17-010. We enter the IP address, where we want to put our logs at, and any specific project if we're working on a specific campaign to target somebody. So let's call this demo
one. Now you can see it even has tab completion, which is fantastic. And so we're going to the EternalBlue, which is the exploit that we're going to actually go on target with. We're going to send the target IP address, which we've already predefined; we're going to verify the backdoor is actually implanted, and we can target the different specific systems and which payload we want to use. It has the two built-in ones, and then we'll go and execute it. It goes in, triggers the overflow, uses a hunter, which is a way of searching for your shellcode somewhere in the memory, so it's probably a memory corruption flaw. Once it triggers, our backdoor is installed; now we have access to the
computer. Now, this is using their implant, right? So this is something that we wouldn't necessarily be able to leverage yet. So we did this; we have a second video. Let me blow this up again.
This is using our own custom payload. In this case we're using an obfuscated Cobalt Strike payload, but you can use Meterpreter, anything else. We just use the DLL, but it supports shellcode. So over here we're going to go ahead and use the exploit again, so EternalBlue, enter the IP address, we specify our target, just like the same steps as we did before.
And once we get into our exploit itself, before we execute, we actually import our DLL and we run artifact.dll. We get access to the Cobalt Strike, most down on the bottom, or Cobalt Strike payload; it's been imported. We'll see a beacon here in just a second. So we have to specify our DLL that we're going to inject. The way that we use this is all what we call DoublePulsar. So we have, deploying our own payload, they had cool names. So set function RunDLL; we have our artifact DLL that we're going to be using.
Sorry for the delay; we were literally at 2 o'clock in the morning trying to type all this.
So we set the DLL ordinal, our ordinal, to five, and then we actually set the DLL payload, which is execute, to the actual path, and then we execute it.
Now once we execute, it takes a second; we'll see our beacon hit back in just a second. Execute plugin, yes, and we get our beacon. Pretty awesome stuff, free exploits. So if you want to pull it right up in a step-by-step, it's up there. It also has analysis on all the different exploits, on what was contained in the dump files, analysis of all the different structured payloads, everything that's out there, all up on that site. Plus we'll be continuing on more and more analysis; we're actually disassembling the executables, because the actual source code for these, for fb.py and stuff like that, that was all the framework, is all open source, but the
actual exploits were in executables, so we have to disassemble and do packet captures to figure out what's actually triggering those in the exploits themselves. We're currently underway for the prototypes of that, so we should hopefully have those done within the next day or so for a lot of the exploits out there. But if you look at what the tactics, techniques, and procedures, what we call TTPs, are of this, you know, it's nice to look at what's happening with the NSA, what's happening with Russia, what's happening with China, what's happening with organized crime and ransomware and everything else that we see out there, because as assessors and pen testers we're supposed to be simulating what's happening in the real
world. We're supposed to be doing things that are very similar to what our risks and threats are going to be in this landscape, in this community, in order to build better defenses. And so looking at something of what the NSA's capabilities are, the Equation Group's capabilities are, it's very beneficial for us to get an understanding around the zero-day angles, because a lot of what we hear today is just, hey, it's just phishing, it's basically just phishing. No, we still have zero days out there; there's a lot of them out there. It's just gone underground because they're very expensive to develop nowadays. And so what is the information that we've
actually learned from this, and what can we learn from this specific dump, with all the other dumps that have been happening out there? So the first thing is understanding that users are still by far the number one most attacked surface out there today. That's not changing. You know, if you look at a lot of what the tools were for the NSA and the Equation Group, it was specifically designed for lateral movement; it was designed to compromise a host and go to the next one until they get access to the objective data they needed, for the intelligence-gathering purposes or for collection. So what we learn too is what the NSA does is not magic, right?
What the CIA is doing is not magic; what Russia's doing is not magic. There's no magic out there. You know, we have a lot of money; we spend millions of dollars with third-party contractors, with exploit researchers, to build these and then weaponize them so that we can use them for intelligence purposes. We conduct operations, the same thing that Russia does, same thing that everybody else does. It's just, you know, it's just more public nowadays because we're seeing a lot of information leaked. So that's the top right, is what you see from the JAR file. Now, by the way, that's probably the best well-made graphic I've ever seen come from the government; it probably cost like seven million dollars
of taxpayer money, so I'm going to use the heck out of it because I know I paid for that diagram. But we know from what we can see, you know, from a lot of what happened from Grizzly Steppe and all the whole DNC hacking stuff, which is all now in question, by the way, if you saw what happened, but I guess CrowdStrike retracted their statement that it was Russia because they didn't actually do a lot of the analysis and they didn't get a lot of access to the server stuff, so they actually recanted a lot of it. So who knows what's going on out there. But what we're seeing is a lot
of massive resources going at targeting specific infrastructure. And the other thing, what was interesting about the CIA leaks, is not necessarily code, which, by the way, I'm a huge fan; if anybody here or listening is part of the CIA, you guys look like you have a ton of fun. I mean, like the CIA playbook said everything; the programs they had were huge Doctor Who fans, so you're near and dear to my heart: the Weeping Angel program, the Sonic Screwdriver program, those are all sweet things that I thought were really cool. But the code and techniques that were used by the CIA wasn't necessarily the most interesting piece; the most damaging was the CIA playbooks, which
actually talked about how they conduct operations, how they do espionage, how they do all that. And that's very hard, to change tactics and shift tactics based off of that information being leaked. So here's a thing that I did on Fox; I get it, it's Fox again. Some of them, I need to... I know, Jason, I would have switched them out. Let me, because it's getting cut off a little bit, move down here. Here's when I did Fox talking about the CIA playbook and most specifically why it's important for us to have these capabilities in general and hopefully not get them leaked. "It's been 48 hours since close to 9,000 pages
from the CIA cyber-spying playbook revealed all kinds of holes in our laptops and smartphones. The documents flooded the internet. Silence, until today, when the WikiLeaks founder Julian Assange surfaced, saying he's the one who put it all out there and that the CIA has lost control of this entire weapons arsenal. But then there's this: Assange now says he plans on helping the tech companies protect their devices." "We're hearing these calls from some of the manufacturers; we have decided to work with them to give them some exclusive access to the additional technical details we have." So, by the way, do you know what the stipulation was in order to get access to the files? If you
had to promise and sign legal documents to never ever work with the government ever again, okay? "So that fixes can be developed and pushed out so people can be secured." How sweet of him. "Is Assange suddenly becoming an angel of assistance by offering to do what some say the CIA should have done from the start, and that's warn companies about their own vulnerabilities? Let's bring in two white-hat hackers" (they always get picked, team outfit, by the way; look at that, look at that) "to expose lapses in security at firms across the country: CTO Alex Rice and TrustedSec founder and CEO David Kennedy. Welcome." Hi. I'm glad I named my company Trusted-
Sec, because news anchor people have the worst time pronouncing it, because they don't want to say "trusted," so they always either abbreviate it to TrustedSec, or they're like "trusted, trusted, TrustedSec." You know, so every time you look at all my news interviews it's like "TrustedSec, SEC Security Advisors," every time, never fails. And I'll even be asking beforehand, like, hey, how do you pronounce your company? Like, it's TrustedSec. Okay, got it, got it. Got me, still stumbled. Great. "Alex, I'll begin with you, and before we get to whether the CIA should have notified these companies, is Julian Assange bluffing or is he to be trusted?" "These tech companies are
defending against attacks every day, and it's a battle that most of them have been losing, and so they need every advantage they can get. They absolutely should receive and analyze this information, independently verify all of it. It is a positive step no matter what the motivations behind WikiLeaks might be." "But David, Assange is saying that he is willing to extend a hand and help them. Boy, is that the devil in angel's clothes? I'm just wondering." "Well, we've seen previous WikiLeaks before where that hasn't been the case, where they've exposed a lot of data that was very damaging. And there's two components to what was released: there's the documents and
the playbooks, but there is also code and techniques the CIA actively used in order to go after different government agencies." That's seriously, really... good names from it. It's amazing: Wrecking Crew, Crunchy Lime Skies, Elder Piggy, Anger Quake, McNugget, Magog. "I can understand, but fully damaging, both to the intelligence operations that we perform abroad as well as putting, you know, the United States in harm's way against adversaries that, you know, they were actively doing campaigns against. So we have to have these tradecrafts; we should definitely be hoarding these exploits and keeping them for going after these different countries for what types of technology that they're using, because the same
things happening to us Russia China they all have the same I won't go through all the specifics and those are the kind of long segments but what was interesting that it and you could be on either side and so there's a lot of arguments made for all sides of this aisle to hey we the government should give all of the security exposures that we get better on defense and that's that's that's a very plausible way as well you know I firstly believe that we should keep them because everybody else has them as well and then we we actually burned them and it gets noticed we should fix those issues but you look at a lifecycle of an attack and
what we're seeing everybody's doing the exact same thing regardless if you're the CIA the FBI a hacker pentester or anybody else we all follow very much the same consistent format about how we target our organizations first thing we do is we define who we're going to hack right we're going to go after a company we've got their individual people what are we going to actively go and do we build or buy our tools in the NSA's case or you create in a group they a lot of them are BOTS from the you know excellent market or third-party contractors or they may have on people at house doing them or build your own tools build an attack profile maybe test
for some detection via some fishing to understand what organization you're targeting for and then from there on the deployment of the infrastructure that we're going to actively go and use and then the initial intrusion now in the security industry we have all of our eggs in one basket right now around that one component that initial intrusion so if our endpoint agents don't detect something and all of a sudden now an attacker is sitting on our system becomes much more difficult for us to detect the patterns of behavior about moving to different systems such as lateral movement and everything else that's why we design these things called Sims because they'd be all this aggregator of data that we can then use
all this information so that we could you know hopefully find you know weird abnormal patterns in our environment but what we found is that there's so much data we have no idea what to do with it it's like literally all we look for now is if someone added a domain admin today the domain admins group and that's our that's our sim use cases that we spent five million dollars on right fantastic right there's a good return on investment you know once once we don't detect the persistent sucks maybe I'm using power shell injection I'm using a way of getting around application whitelisting there's a lot of techniques around application whitelisting Power Cells a great version red just VR 32 is also
another green one has a built-in browser too which is awesome so these are all different techniques that you can use to get around things like application whitelisting or traditional techniques you know once I do lateral movement try to find what I need get my get my information and then move out maybe a whole persistence if I want to on the stain in the facility and more information but one thing's for certain humans still continue to be the largest exposures we have like you know 99% of the issues that we have today still come to the users and so if you you make something anything believable like literally you could like call the salesperson you're like hey I'm going to
give you a million dollars because I need to spend it by Friday but I need to infect your system with soft malicious software can you open up this executable it says malware died exe the sales guys do me like woah am I still going to get the million dollars well yeah ok long as it's believable we're good right so you know certain scenarios and situations make things extremely easy for us because people are are trustworthy and in their positions were designed to trust and culturally were designed to trust and so when we were talking about building security programs we have to build a program that is built off of abnormal behavior things that aren't normal in our environments so the
times the perimeter like we have no perimeter whatsoever anymore right we decided to move to the cloud and all BYO DS and everything else that we're doing out there we've become less and less on tone to more restrictions a good example is we decided to get next-gen with with next-generation firewalls right so we all have next-generation firewalls now or next-generation right it all stopped all the hacking right let me ask when you went with that next-gen solution ok so let's just say you're a Cisco shop right and and you have you know all these awesome old-school Cisco guys that are all command-line dudes and like you know like they're rocking out and like you don't talk to them because they're
like you know deep into the crazy network voodoo stuff that they do and Cisco and you're like hey we're going to go a Palo Alto because like your next generation right and you have all these dudes that have like you know 10 years of Cisco experience you're like hey we're going to switch you to a brand new technology of no idea what it does that's all gooey to be great right yeah yeah okay so so what we're going to do is we're going to redesign our network architecture to do network segmentation to find roles responsibilities and actually RER connect our solutions so that we no longer have like it's wide open network right or are we going to use the Cisco
importer tool to Palo Alto and take those 10 years of about an hour next-gen fantastic so a lot of things that we do don't make sense in the industry but hey that's fine we have the tools that we already have in our environments they work we just have to think a little bit differently on how we protect our infrastructure a good example is we move to the cloud you know we need to either a have the same type of detection capabilities or prevention capabilities or better right that would be my criteria to reduce risk or to have the same level of risk that I've already looked at when moving to a new infrastructure now a good example is is
on office 365 I got a little bit of a tiff out well with somebody on Twitter recently one of the employees at Microsoft long story I'm not going to go into it at all it's all go we're all happy now we're all friends we Pat each other back but what it caused me to do is do analysis around office 365 and its protection mechanisms now obviously five has a product called ATP advanced threat protection or a promoters that advance reputation has two components you have safe attachment and you have Seif links now save attachments is supposed to be a competitor to Palo Alto wildfire or fire I or things else what's interesting about that is if you send an email it
takes 15 minutes of analysis so that means if someone sends you an attachment you have to wait 15 minutes does that work for anybody in business can you imagine like hey we're gonna put in this we're gonna go to officers if I be up to 8 15 minutes to get your attachment ok I'm sure once I'm sure it's fine anyways so I started doing analysis around hey I'm going to office 365 am I going to get the same or better than I could have on Prem and so when I started looking at what's a flakes at first now what's interesting about safe links is they tout dynamic inspection of content also other stuff right now what they do is
they when you get a link sent to you in an email it rewrites the link and makes it a safe links so when you hover over the link it says safe links now why is that a problem what do we tell our users to do over over that link right no longer you do it anymore you have to trust Microsoft now what I started doing is saying ok what was mine Mike sugar maybe have some amazing protections and I can trust it my users can just click whatever they want to right what I found out is they aren't doing anything if they have a basically a static black list of sites that they know are compromised sites they do a
comparison to Iran m/s 14 o 78 which is an IE memory corruption flaw that gets checked about every single antivirus vendor out there got right through an executed code and crash my browser I used HCA files that were not octa skated doing PowerShell injections got right past that I'm like okay well let me just write it like random malware like I mean you sub seven from like the 90s got right past that no problem download executable is no problem so doesn't do anything safe attachment same thing if it does if it gets past Windows Defender you're okay so you can it does do a little bit on macro so don't use auto open just use unclick so
when something clicks it it just compromised them anyway no big deal all good so we have to think about things a little bit differently and I'm a huge advocate as is the number of us in industry I'm like Matthew graver who's a fantastic resource he now works at Microsoft so they're gonna be doing fantastic things but this isn't a ripoff Microsoft it anyway I think it's very difficult to put you know things in the cloud and scale to the size that Microsoft has to deal with so they will get better and and with the team that they have in Matthew an everybody else in lis homes and you know just Justin over the Creator PowerShell the father
PowerShell they have some brilliant brilliant people there so they will get better but right now I not not confident but the concept unknown good is saying okay what's my baseline in my environment and how do I make it better how do I look for deviations of behavior in my environment that are abnormal so you've seen to certain concepts of this come out like purple teaming and hunt teaming looking for things that are outside of our traditional monitoring detection programs of hey there's an alarm let's go investigate that alarm there are things that we need to do outside of that to make a little bit better the first thing of known-good is baselining I'm a huge advocate of application
whitelisting everybody cringes when I say that but you need to do it you need to say hey application but you say by the way it's got a lot easier like if you could just say hey I'm gonna block all not non code signing executables in my environment only put exceptions in for where I know you literally reduce like 90% of your noise out there like 90% of the malware infections 90% of the ransomware you know you literally get 90 percent of your noise gone by a really easy tick and if your vendors aren't come signing you need to boot them the hell out of your company cuz that's not right so don't allow any non-code sign so you
compiled you can do it by default in device guard and Windows 10 you have the the technology right now to do it right now so base lining your environment unknown unknown good and what your environment isn't based on your configurations is one thing that you can do to make it substantially easier right today to make it harder for attackers the second thing is monitoring monitoring for deviations there are ways of circumventing application whitelisting monitor off of those why is notepad.exe contacting not to China that's straight up not legit right by the way equation group likes using minesweeper so why is minesweeper beaconing out to an infrastructure in the United States strange that legit you know you're probably targeted NSA right
so minesweeper is also one there's like too cool for notepad and then when you figure out is when I start to monitor flows deviations what can we do to help after that so they started getting some of cool stuff however it looks a lateral movement lateral move it is very easy to spot why is one user minting um and you can do this in your sims by the way I look for network login type 3 which is remote logins look for a key length of 0 which means that they're using a lower level protocol such as SMB version 1 and maintain record active sessions are on who's logging into what systems based on those two criteria you can see where
people are logging into why is Jane and sales now logging into Bob and IT that's not legitimate that's weird behavior why is this service account now spring across the network in our environment that's lateral movement those are things that you can predict patterns on deception techniques putting in fake things in your environment such as fake credentials on spraying multicast across your network giving things for attackers like hey make a domain admin account that is like the most God of all domain names make them enterprise admin I make make make that that that that domain name account look like the sexiest thing ever right I mean it's like the super God of your entire infrastructure give it a super long password and then
use something like honey tokens and spray that password across the board and wait for someone to login with that account now it put a fake password in there you know what I'm logging into your infrastructure to be bad but you know when you see a failed login at after that one user account that's just sure sign indicator that something's wrong I'm looking up for suspicious behavior you know PowerShell injection device guard is so much more um if you're from if you want to look up the honey tokens on one of our guys a trust it's like been 10 if you go to github that / Ben 0xa he created a honey tokens PowerShell script that you can run as a
scheduled task that creates deception tokens across your network as well as does multicast so you can send fake lmn our usernames and passwords across the network can be see that username with a failed login attempt there's a good chance that someone's using invader respond during the infrastructure pass the hash detection very easy to detect on event log 4624 login type 3 remote login key link 0 which means that it's using a lower level protocol and the account name ntlmssp now there might be some false positives things like necess services scanners can use on low level protocols to authenticate with but you waitlist those and look for deviations to pattern off of those so another great
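The three logon-event checks just described (the 4624 logon type 3 / key length 0 / NtLmSsp pass-the-hash pattern with a scanner whitelist, a failed or successful logon against a honey-token decoy account, and a user turning up on a host outside their normal session map) as one small SIEM-style rule set. This is an added example, not code from the talk or from TrustedSec's own tooling. The events, account names, host names and the baseline dict are all constructed; in a real deployment the baseline comes from weeks of 4624 history and the field names map onto the Security event XML (LogonType, KeyLength, LogonProcessName, TargetUserName).

```python
"""Windows logon-event detections from the talk, run over constructed events.

Rules: pass-the-hash style NTLM network logons, any use of a honey-token
decoy account, and network logons to hosts outside a user's baseline.
Field names follow Security events 4624/4625; the data is constructed.
"""
from collections import defaultdict

# Constructed: accounts allowed to do low-level NTLM network logons
# (the talk's "whitelist the Nessus scanners" exception).
SCANNER_ALLOWLIST = {"svc_nessus"}

# Constructed: decoy account sprayed via honey tokens; no real person uses it.
HONEY_ACCOUNTS = {"ent_admin_master"}

# Constructed: which hosts each user normally logs into (assumption; real
# deployments derive this from historical 4624 events, not a hand-written dict).
BASELINE = {
    "jane": {"SALES-WS01", "FILESRV01"},
    "bob": {"IT-WS07", "FILESRV01"},
    "svc_nessus": {"DC01", "FILESRV01", "IT-WS07", "SALES-WS01"},
}

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "FILESRV01", "TargetUserName": "jane", "LogonType": 3,
     "LogonProcessName": "Kerberos", "KeyLength": 128, "IpAddress": "10.1.1.20"},
    {"EventID": 4624, "Computer": "IT-WS07", "TargetUserName": "jane", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "IpAddress": "10.1.1.20"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "svc_nessus", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "IpAddress": "10.1.9.5"},
    {"EventID": 4625, "Computer": "DC01", "TargetUserName": "ent_admin_master", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "IpAddress": "10.1.1.20"},
    {"EventID": 4624, "Computer": "SALES-WS01", "TargetUserName": "bob", "LogonType": 3,
     "LogonProcessName": "Kerberos", "KeyLength": 128, "IpAddress": "10.1.2.7"},
]


def norm_user(ev):
    return ev["TargetUserName"].lower()


def is_pth_candidate(ev):
    """4624, network logon, NtLmSsp with KeyLength 0: NTLM over a low-level
    protocol (SMB1 style), the talk's pass-the-hash signature, minus scanners."""
    return (ev["EventID"] == 4624 and ev["LogonType"] == 3
            and ev["LogonProcessName"].lower() == "ntlmssp"
            and ev["KeyLength"] == 0
            and norm_user(ev) not in SCANNER_ALLOWLIST)


def is_honey_hit(ev):
    """Any success (4624) or failure (4625) against a decoy account is an alert."""
    return ev["EventID"] in (4624, 4625) and norm_user(ev) in HONEY_ACCOUNTS


def is_unusual_host(ev, baseline):
    """Network logon to a host this user has never been seen on before."""
    return (ev["EventID"] == 4624 and ev["LogonType"] == 3
            and ev["Computer"] not in baseline.get(norm_user(ev), set()))


def session_map(events):
    """Who is logged into what: the record of active sessions the talk keeps."""
    sessions = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4624 and ev["LogonType"] == 3:
            sessions[norm_user(ev)].add(ev["Computer"])
    return {user: sorted(hosts) for user, hosts in sessions.items()}


def run_detections(events, baseline=BASELINE):
    """Return (rule, user, host) tuples in event order; an event can hit several rules."""
    alerts = []
    for ev in events:
        if is_pth_candidate(ev):
            alerts.append(("pass_the_hash", norm_user(ev), ev["Computer"]))
        if is_honey_hit(ev):
            alerts.append(("honey_token", norm_user(ev), ev["Computer"]))
        if is_unusual_host(ev, baseline):
            alerts.append(("unusual_host", norm_user(ev), ev["Computer"]))
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
    print(session_map(SAMPLE_EVENTS))
```

Jane's NtLmSsp logon to the IT workstation fires both the pass-the-hash rule and the out-of-baseline rule, the scanner account's identical-looking logon is whitelisted, and the single 4625 against the decoy account is enough on its own. The honey-token rule has no whitelist on purpose: nothing legitimate ever authenticates as that account.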
one: suspicious processes. These are some processes that you can use to get remote code execution to bypass application whitelisting: tracker.exe, rundll32, msbuild. You see msbuild calling out to a UNC path, that's probably not a good thing. regsvr32.exe, as well as many, many more that are out there. Monitoring for specific registry changes: everybody familiar with the sticky keys thing that you can do? This is like old-school, right, like back in the day you'd reboot into, like, Kali, or BackTrack, or WHAX before that, and then rename, like, take cmd.exe and rename it to
sethc.exe, which is sticky keys, then you reboot the computer, hit the shift key five times and it pops up a command prompt running as SYSTEM. Now you had to reboot during that period of time; well, with this registry key you don't have to reboot, you can actually set a specific Windows protected process in debug mode and give it another specific executable, and so you can actually backdoor with the new sticky keys in an environment. What's interesting is the past five pen tests that I've been on, past five, I have found sticky keys on all five machines. Developers love those guys, they forget their passwords all the time, they forget their
passwords all the time and they'll use sticky keys and forget to change it back afterwards. So I recommend going through your environment looking for sticky keys, because they're always out there, for some reason, I don't know why. Detecting non-PowerShell stuff: nps is another thing from Ben. You can do things like inject PowerShell without ever using PowerShell itself. You can detect that: if you see System.Management.Automation.dll running from not powershell.exe and not powershell_ise.exe, it's probably a good indication that someone's trying to inject and use PowerShell in your environment. Technique-specific commands: now we try to flag off of things like encoded
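The "go through your environment looking for sticky keys" sweep the talk recommends, as an added example that is not code from the talk: it parses a registry export in .reg text format and reports every Image File Execution Options key that carries a Debugger value, rating the accessibility binaries reachable from the logon screen (sethc.exe and friends) as high severity and anything else as "review". The sample export is constructed; the IFEO key path and the Debugger value name are the standard Windows ones.

```python
"""Find IFEO 'Debugger' values (the no-reboot sticky-keys backdoor) in a
.reg export. Sample export is constructed, not from a real machine.
"""
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options" + "\\")

# Accessibility binaries launchable from the logon screen; a Debugger on any
# of these gives a pre-authentication shell, so it is always high severity.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

# "Name"=data  (data may be a quoted string, dword:..., hex:..., etc.)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed .reg export: one sticky-keys style entry, one ordinary debugger
# entry, one IFEO key without a Debugger, and one unrelated key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"debugger"="\"C:\\Program Files\\Debugger\\dbg.exe\" -p"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\legacyapp.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''


def parse_reg(text):
    """Minimal .reg parser: {key path: {value name: data}}.

    Quoted string data is unescaped (\\\\ -> \\, \\" -> "); other data
    types (dword:, hex:) are kept as the raw text after '='.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            name, data = match.group(1), match.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_ifeo_debuggers(reg_text):
    """Return (image, debugger command, severity) for every IFEO Debugger value."""
    findings = []
    prefix = IFEO_PREFIX.lower()
    for key, values in parse_reg(reg_text).items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(IFEO_PREFIX):]
        for name, data in values.items():
            if name.lower() == "debugger":
                severity = "high" if image.lower() in ACCESSIBILITY_BINARIES else "review"
                findings.append((image, data, severity))
    return findings


if __name__ == "__main__":
    for image, cmd, severity in find_ifeo_debuggers(SAMPLE_REG):
        print(f"[{severity}] {image} -> {cmd}")
```

On a live host the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; the parser is case-insensitive on both the key path and the value name because the registry is. Note that this only covers the registry variant; the old file-swap variant (cmd.exe copied over sethc.exe) needs a hash or signature check of the accessibility binaries themselves.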
command and things like that. That's not a very reliable method. Like, we go into customers all the time, they have Carbon Black and these things called watchlists, and they look for "-e", "-ec", "-en", "-enco", "-encodedcommand". Do you know it's possible to use encoded command without ever calling encodedcommand, ever? So there's a recent version of Unicorn that just updated recently, and it's using -String, and this never calls encodedcommand ever; it reassembles the encoded command after it's executed. So you never call encodedcommand, you get full execution rights, it's all randomized variable names and everything else, so it doesn't get picked up
by any antivirus, and it also chunks the commands up, so the PowerShell commands are chunked up, so if you take one string it's not base64 or anything else; it works perfectly fine. So it's a way of getting around most of the detection capabilities just by using two strings. There's a whole bunch of them; Daniel has Invoke-Obfuscation, which totally mangles the code, which you're never going to see. You need to be looking more at the length, size and behavior of PowerShell than anything else. A good example of that is recently John Strand, John Strand's company BHIS, who I love, John and the BHIS guys are amazing folks, they did a part
one of a five-part series, I think, on Cylance, and so obviously a lot of claims being made around artificial intelligence and machine learning; we are nowhere near artificial intelligence and machine learning in this industry, by the way. But one thing that was interesting is Cylance would flag if you ever ran powershell.exe. So what do you do? Just rename powershell.exe to whatever you want, and it's no longer detected. So simple things get around a lot of these technologies out there, based off of that and not off of behavior. If you're not familiar with Sysmon, Sysmon is absolutely amazing, it's free. So Sysmon is a Microsoft product, it's an MSI install, and it opens up
what's called ETW, or event tracing, and it exposes a lot of things like process injection, a lot of memory things that are out there, and you can put these in and use, like, Windows Event Forwarding to move them to your SIEM, and there's so many things you can detect with just ETW. It's a little small-footprint environment, but you can detect things like Mimikatz. A good example: Mimikatz calls vaultcli.dll, and if you see that happening from a non-Windows process it's probably a good indication that you have Mimikatz in your environment. Or why is PowerShell calling vaultcli.dll? That should never happen in any way, shape or form. So
patterns of behavior you can find, everything from process injection, I'm injecting my memory space into another memory space; Sysmon sees all that. So those are great things that you can look for, and get indicators off of, just based off of free stuff that's out there. But regardless, though, I just went through a lot of information, right, and I'm about to post the slides up. But regardless of what we talk about, this stuff takes hard work. It requires us actually understanding what our environment is first, having good configuration management, good patch management, things that we all talk about as the foundation of the security principles, which we should be doing, and
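The process and image-load rules scattered across the last few minutes (System.Management.Automation.dll loaded by something that is not powershell.exe or powershell_ise.exe, a renamed powershell.exe, vaultcli.dll loaded by a non-Windows process or by PowerShell, msbuild reaching out to a UNC path, and PowerShell command lines judged by length rather than by the "-enc" substring) collected into one rule set over Sysmon-shaped events. This is an added example, not code from the talk or a BHIS or TrustedSec tool. It assumes Sysmon's event 1 (process create, with the OriginalFileName field that later Sysmon versions populate from the PE version resource) and event 7 (image load) field names; the events, paths and the 1000-character length threshold are constructed assumptions.

```python
"""Sysmon-style detections from the talk over constructed events.

Event 1 = process create: Image, OriginalFileName, CommandLine.
Event 7 = image load:     Image, ImageLoaded.
Sample events are constructed, not real Sysmon output.
"""
import ntpath  # Windows path handling regardless of the analyst's OS

POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe"}
AUTOMATION_DLLS = {"system.management.automation.dll",
                   "system.management.automation.ni.dll"}
LONG_CMDLINE = 1000  # characters; an assumed threshold, tune per environment


def base(path):
    return ntpath.basename(path)


def lbase(path):
    return base(path).lower()


def in_windows_dir(path):
    return path.lower().startswith("c:\\windows\\")


def renamed_powershell(ev):
    """Binary says it is PowerShell (version resource) but runs under another name."""
    return (ev["EventID"] == 1
            and ev.get("OriginalFileName", "").lower() == "powershell.exe"
            and lbase(ev["Image"]) not in POWERSHELL_HOSTS)


def hosted_powershell(ev):
    """The PowerShell engine DLL loaded by a process other than the two hosts."""
    return (ev["EventID"] == 7
            and lbase(ev["ImageLoaded"]) in AUTOMATION_DLLS
            and lbase(ev["Image"]) not in POWERSHELL_HOSTS)


def vaultcli_load(ev):
    """vaultcli.dll from outside C:\\Windows, or from PowerShell at all."""
    return (ev["EventID"] == 7
            and lbase(ev["ImageLoaded"]) == "vaultcli.dll"
            and (not in_windows_dir(ev["Image"])
                 or lbase(ev["Image"]) in POWERSHELL_HOSTS))


def msbuild_unc(ev):
    """msbuild.exe handed a \\\\server\\share path on its command line."""
    return (ev["EventID"] == 1 and lbase(ev["Image"]) == "msbuild.exe"
            and "\\\\" in ev.get("CommandLine", ""))


def long_powershell_cmdline(ev):
    """Judge PowerShell by size, not by spotting '-enc': obfuscators avoid the flag."""
    is_ps = (lbase(ev["Image"]) in POWERSHELL_HOSTS
             or ev.get("OriginalFileName", "").lower() == "powershell.exe")
    return ev["EventID"] == 1 and is_ps and len(ev.get("CommandLine", "")) > LONG_CMDLINE


RULES = [
    ("renamed_powershell", renamed_powershell),
    ("hosted_powershell", hosted_powershell),
    ("vaultcli_load", vaultcli_load),
    ("msbuild_unc", msbuild_unc),
    ("long_powershell_cmdline", long_powershell_cmdline),
]

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SMA_PATH = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
            r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")

# Constructed sample events (assumption: shapes follow Sysmon events 1 and 7).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\jane\AppData\Local\Temp\svchost.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "svchost.exe -nop -w hidden -c Get-Date"},
    {"EventID": 7, "Image": r"C:\Users\jane\AppData\Local\Temp\updater.exe", "ImageLoaded": SMA_PATH},
    {"EventID": 7, "Image": PS_PATH, "ImageLoaded": r"C:\Windows\System32\vaultcli.dll"},
    {"EventID": 7, "Image": r"C:\Users\jane\Downloads\mk.exe", "ImageLoaded": r"C:\Windows\System32\vaultcli.dll"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "OriginalFileName": "MSBuild.exe", "CommandLine": r"MSBuild.exe \\10.1.1.20\share\build.xml"},
    {"EventID": 7, "Image": r"C:\Windows\System32\VaultCmd.exe", "ImageLoaded": r"C:\Windows\System32\vaultcli.dll"},
    {"EventID": 1, "Image": PS_PATH, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -Command Get-Date"},
    {"EventID": 1, "Image": PS_PATH, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -nop -c " + "$a=1;" * 250},
]


def run_rules(events, rules=RULES):
    """Return (rule name, process basename) for every rule each event trips."""
    alerts = []
    for ev in events:
        for name, rule in rules:
            if rule(ev):
                alerts.append((name, base(ev["Image"])))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The benign VaultCmd.exe load and the short, ordinary powershell.exe launch produce nothing, which is the point of keying on the loading process and the size of the command line rather than on a string match. The vaultcli rule's "non-Windows path" test is deliberately crude; a real rule would also check the loading image's signature, since Sysmon records that too.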
focusing on making application whitelisting a priority, and then looking for deviations of patterns in there. It's just a matter of, it is hard work, it takes a lot of effort, but it's something that, once you get to a maintainable state, it is manageable, it is something that you can actually go and use, and it reduces our risk substantially, for technology you probably already have in your company today. It doesn't require purchasing a new piece of technology or going to something next generation; it allows you to use what you have in your existing toolsets, to be able to leverage what we see with a lot of these specific attacks happening. What the Equation Group did is no different: these
lateral movements, you should be able to detect that. I mean, they used some crazy awesome 0-day that no one's ever seen before using SMB version 1, that's all in memory; as soon as they move to different systems you should spot that. One person being compromised is irrelevant compared to the mass organization or company being compromised, but it requires us to do an understanding around what our environment is first in order to do it. Last but not least... oh, all right, no, I'm just joking, fair play. But I want to thank everybody who puts on BSides and made this possible. Thank you very much.