Jason Maynard, BSides Calgary (50:59), published 2024-03

...failed. Who agrees with that? It doesn't...

...capabilities on those workloads. And then again, you might not have any control on, say... Why would you do that? Well, because maybe the manufacturer will void the warranty, right? So if you're a certain medical system, maybe they don't want your agent on, right? They have an SLA that they have to maintain. So you're not going to get coverage across 100% of everything in the organization from an endpoint perspective, so there's an opportunity to expand our ability to detect. The point here is that as an adversary comes in, they're going to do something. That something is what we want to understand, and we want to understand it more specifically based on the adversaries that are targeting

Oh, by the way, I'm field CTO; I've been in cyber security for 10 years. But anyways, so what happens? They get on one box. They never stay on one box. The goal isn't that, or I mean the goal would be land on the right box, get everything I need out of the organization, and get in, right? But that's not reality. And so you're going to hit one box, and then you're going to use that box to escalate privilege, right, and eventually start moving laterally within the organization to find out where the jewels are. And so the network becomes the catalyst of this. You might say, of course you say that, you're Cisco. No, it is

like, try to jump from one box to another box: network, right? There is an opportunity there. Bottom line is this happens day in and day out. Now once this happens, obviously ransomware, like ransomware, you know, it's in your face, right? It says pay me now or you'll pay later, basically, right? One way or the other you're going to pay. What's interesting is there's an article out today: a threat actor actually filed an SEC complaint against the company they compromised, knowing that they've already exceeded the allotted time for them to disclose the breach. The game is on. Like, that's awesome. I know we don't want it to happen, but I think it's

creative. Oh, you don't want to pay, you don't want to talk to me, right? Everyone says don't pay, right, until you're there; that definitely does change. So anyway, if you don't disclose, know that whatever authority might be told that you have it, and they have the documentation to prove it too. That's the interesting thing, huh? Yeah, that's right. So there are things that they have to do in order to be successful, like initial access, the next location; these things all have to happen. There's a lot of opportunity: moving laterally, there's the opportunity maybe the network can provide some insight. Anyways, we see this time and time again. And again, if you don't pay,

they'll just report you. That's just today, right? So again, as we continue to add challenges for the adversary to become successful, they're going to become creative in the ways to force payment, right, or invoke pain on you one way or another. So what we might want to start looking at, if we neutralize as much of that as possible: you're never going to get 100% protection. Even with this, if an adversary lands on that box, they may have access to this box, because again they still have to do stuff. So they may still have access and they may be able to move in a limited fashion, but the goal ultimately is to understand what it is that they're doing so I can build the

right controls in place. Sure, you need a next-gen firewall, right, and everybody that knows me knows I hate that term, next-gen, because it never expires. But if I have a conversation with you and I'd say, well look, the first question I get is... never expires, a problem. But you need those commodity-based controls, or what I like to call commodity-based. So who's familiar with ATT&CK, or MITRE ATT&CK? Oh, it's amazing. So MITRE ATT&CK is a framework that allows us to truly understand an adversary and their capabilities based on real-world things, like not things they might do; these are things that they've actually done in the wild. And so when you look at the Pyramid of Pain, you've

got domain names, and these are all very trivial for the adversary to overcome, very very easy. Block me with an IP, I change the IP, right? Block me with a domain, I change the domain. Block the SHA, dynamically generate a new SHA, right? Bypass the control. So we still have to do this; we're not saying not to do this, but what we're saying is let's understand the actual adversary that's targeting us and what the capabilities of that adversary are, and then build our defensive program around it. It's not a perfect framework, but it's certainly a good area to start. And as you go higher in the Pyramid of Pain, right, it becomes a little

bit more difficult for the adversary to overcome. The Pyramid of Pain really is about leveraging these indicators or observations that you might be able to detect in the environment and make it difficult for the adversary to invoke pain on you; but more importantly, it invokes pain on them, right? That's the goal, and you make it difficult. If I have to reprogram the malware because you've taken PowerShell, and I'm using living off the land on that particular asset, and you've now mitigated me being able to use it, I have to bring in my own tool. If I have to bring in my own tool, now you have your next-gen firewall, right, the ability maybe to detect it

there, maybe on the endpoint. So I truly believe in threat-informed defense, and it also gives you what I believe is time-based defense, right? The more that you make it difficult, the harder it is for the adversary to overcome. If they are persistent, they may alert other tools you might have in the organization, or you need time to detect it later on, right, as it's happening, based on the tooling. So again, time-based. MITRE's part of, like, MITRE are the folks that did Common Vulnerabilities and Exposures, right? Everyone knows CVE, so they're the founders of it. Every vendor now has some level of partnership with MITRE,

right? It's a tremendously valuable tool, or framework, to leverage, but it's all about focusing on the adversary perspective: the who, right, their goals, the why, and the methods, the how. And when we talk MITRE, we talk in the same language as well; there's no confusion, right? There's a T identifier, or what I like to call a T identifier, for every tactic and technique and sub-technique that we have. And so when you look at a group, a threat group, the stuff in red are the things that they actually have access to, or part of the toolkit; these are all the things that they're going to do. So if you're looking at a

specific threat actor, I know exactly what their capabilities are. And you might be saying, well, what if they change it? Yes, they might. Again, if they do change it and they are able to be successful, let's hope the community is feeding that back in, so then you understand it and you can build it in. But you can see initial access: valid accounts; persistence or privilege escalation: valid accounts, right? So that means they've popped somebody, right? They've got their username and password and they're using a valid account to log in. So if I know that that's the technique, maybe if multi-factor authentication was in place, I now remove that as a risk, potentially, right? Again,

there might be gaps depending on the services that you have, but that's the opportunity. And so you've got threat actors that are targeting you; you'll get to understand each one of them more specifically, and then not only look at it from a vertical perspective, like healthcare or finance or oil and gas, but then as you go through this you might find that some groups have nothing to do with your region. And so maybe you put them on the side a little bit and focus on the ones that are actually targeting you, and get to them maybe later as you continue to advance that program. So when you look at legal as an example, all the stuff in red is what you

get from legal. Again, it depends on the search terms that you use. So everything in red is what they do, and again: gather victim information, establish accounts, and so on. But ultimately they have to do a bunch of stuff to be successful. So I've heard time and time again the defender has to be 100% correct. I don't think so. I think the adversary might have multiple options, but I have an opportunity to stop them in multiple different pieces of that attack chain, or kill chain, whatever you want to call it. I have an opportunity as a defender. And so when you look at the attack chain, and I just added this this morning because I

really like this piece, but based on time I'm going to have to go fast. But this attack chain: step zero, reconnaissance, and then there's the technique that they have to use, right: gather network information or IP address. Resource development: compromised accounts, use social media accounts, right? Later on you'll see a weaponized PDF be sent to you on your L if you share with me, right? Like, that's the goal, right, is to try to get you to be comfortable with me in multiple different ways. Step one: initial access, execution, persistence, you've got defense evasion, discovery, lateral movement, collection, and command and control, and then exfiltration, and then the impact, right? Game over. So, and it

doesn't mean that the game isn't over in other areas; it just means this is definitely a problem, right, when they get to this point. And so this is based on a very small snippet of legal, right? I couldn't include everything; it'd just be an eye chart. So you might be thinking, okay, that's great, now I know these tactics and I know these techniques for the adversary that's targeting me. What can defenders... what is the opportunity for defenders here? Well, first off, step zero is very difficult. So for example, if I'm looking for your external IP address, how do you stop it? You can't. You can abstract as much as you want, but if I'm looking for

it, you can't stop me using external sources. So it's limited in what you can do at step zero. But as you start moving along, drive-by compromise: well, I can do browser inspection, right, or browser isolation I should say, where, you know, I proxy your browser and so there's no browser on your local machine, right? Maybe that's a way I could stop drive-by. Maybe a proxy, or a traditional web proxy, right, filter that traffic, make sure that you don't go to those drive-by compromise sites. Is it 100%? No, but it's a control that I could add. And again, maybe I can't do the exploit public-facing application; maybe for whatever reason I can't put a

control. Actually it'd be difficult to do that, right? If I'm exploiting a different vendor that you trust and I exploited their system, it's hard for you to control that, right? The bottom line is red is prevention, right, so stopping it. Same thing with Windows command shell: so I can use EDR technologies or endpoint technologies, I can use maybe the registry; there's lots of things I can do to revoke or limit the access to certain command shells, right, on the platform. And there's nuance in this as well: so if I use PowerShell administratively, and I can't... right, do you stop it? No, you can't; you need it to maintain the

operations of the environment. So you better have a capability to at least detect, and that's the nuance in all of this, right? You look at persistence, the Office application: again EDR. So you start seeing an overlap where your technologies might provide different controls in certain areas of that attack chain, which is great, because it doesn't mean they have to buy thousands of different controls; build your defensive posture. Modify registry for defense evasion: maybe you restrict access to the registry. If you can't do that, maybe you have an endpoint detection and response that can see modifications of that and do some indication of compromise against that change of that registry. Same thing with

step eight, or five, discovery: remote system discovery. So if I need the network, and I can baseline the environment, then I know when something has changed. If this individual on a layer 2 boundary starts scanning the network, and they've never done that before, I'd like to know. And you might say, well, I've got a firewall between the... yeah, well, they have to cross that first, but in that segment they can move laterally and freely in that segment, and if you don't at least have the ability to discover it, then you've got to wait for that L3 boundary, and you might have, you know, compromised the environment of a couple thousand VMs, right, by that

time. Internal spear phishing: email security, network traffic control for data that's being shared on the shared drive on the network. You've got ingress tool transfer; this is where your next-gen firewall might be able to come in, or your detection and response could be email if that's the mechanism. You've got intrusion prevention for the C2 channel, but if you're not decrypting it you're not seeing very much of anything. And even if you decrypt, there's still a challenge, and that challenge is that adversaries are using certificate pinning, right? So pinning the certificate to the authority and the very part you'd manipulate, you can't; so you can't be person-in-the-middle, man-in-the-middle, or TLS proxy, whatever you want

to call it. And the other one's QUIC. So the adversary is a perfect example that says, oh wait, so you're decrypting, all right, now I'm going to use TLS certificate pinning, or I'm going to use QUIC, and if you're not controlling that outbound, obviously they're successful. And so that means I can't do intrusion prevention and they can't do advanced malware inspection. And then you've got, you know, the impact here is: well, what if you had an instant snapshot prior to compromise, based on the intelligence that you've gathered in the environment, and then took that snapshot so that, if it does come to fruition because there wasn't enough evidence to block it, I have a very clean

recovery point. That's pretty current. So that's kind of the way you want to start looking at it. And so this is just a summary of that; it just talks about defenders have to elevate. We're not... no, no lunch early. But there are sections. But anyways, so the point here is not to say look at the TTPs and that's the only area you focus on, right? It's really about building that whole defensive architecture and starting with the commodity-based stuff, but we all should be past that by now and start looking at the other pieces to the equation that are a little bit more prescriptive to my organization. Just because you get

compromised doesn't mean it has any relevance to my organization. But what happens is leaders see it on the news; the first thing they say is, hey, what's this? And the team is scrambling trying to figure out, have they been compromised for that? But they don't have any insight, maybe, into the adversaries. Okay, overview of the teams. Curious, who does red team? Anybody? See that hand, that's slow, right? And you can see if that's low, that means there must be good money in it, or you're not being paid enough. But red teaming is the offensive side, the friendly offensive side, and then blue team is the defenders, and I assume most will fall under that group.

And so this is just an overview of those teams, because again we've got a whole bunch of different skill sets, different points of their career. So blue team: defenders of the organization; they're the ones that maintain the security posture. So they have a toolkit of capabilities for prevention, detection, and response, advanced risk reduction, hopefully with orchestration and automation, augments all aspects of defense. So you'll see machine learning and artificial intelligence; they've almost become marketing terms in my mind, right? It's like cloud; it's become... everybody does AI like it's the newest thing that just came out. But everybody now, if you go look at every vendor: AI, AI, AI, AI. We

all do it. Everybody does, or... I don't. But you're certainly going to start leveraging, you know, traditional machine learning capabilities, but moving it more into AI, right, more focusing on human behavior. And so activities could be network, cloud monitoring, workload protection, network protection and response, endpoint protection and response, extended detection and response, identity threat detection and response, patch management, incident response, forensics, security operations. So that's kind of the blue team. And then the red team: they have probably the most fun, or maybe not. But anyways, they're going to test the organization's posture, and usually they do this siloed in most organizations, like red team does their thing, they don't let the blue team

know what's happening, and the exercise goes on, and the blue team hopefully catches it but most likely doesn't; the red team is successful and then it shares the information. Leverages a variety of tools, methodologies; creates reports; tells you about, you know, how bad things are, how easy it was even though you spent lots of money. But they do things like vulnerability scanning, you've got penetration testing, social engineering, you know, wireless network testing, application security testing, exploit development, breach attack simulation, threat intelligence research. Purple team: is that a new team? Red and blue coming together, we're friends, me and you. But red and blue teams come together; the whole goal in all of this

now is not to do it in silos; it's really to work together and say, I'm going to punch you here, you'd better get ready for it, right? And they're going to say, I have these capabilities here; you're going to go, okay, I'm testing this. So there's no hiding, right? They have as much information about each other, and then they work from there. The goal is to make sure that we enhance the security posture for the organization collectively as a team. So, you know, the goal of that is to improve the overall posture, understanding the adversaries, leverage threat intelligence, tactics, techniques, and procedures, remediate anything that's detected or identified through that

process. And that's kind of the purple team. Now, you know, I cover Canada at large; I could say we're probably pretty immature in that area. We're not doing a lot of... most organizations have well-defined blue teams, or defensive side; they're not doing as much on the offensive side, and again it's expensive, they might not have the skill sets internally, but there are partners out there that you can certainly leverage. Never mind purple team; there are certainly organizations that do it, but it's not as prevalent as it should be. So okay, so who does breach attack simulation? Yeah, you look around, there's not one hand up; nobody does. Oh, low, yeah, yeah, those guys work in

the dark, you know, that's the way I envision it. Okay, what is attack simulation? All right, so first off, cyber kill chain for everybody, right? You've got reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. This is what I'm talking about: if I can stop the delivery, anything that you weaponize, the rest of these things don't... they can't. I've got to get you that thing that's weaponized in order for you to click it and that to happen. Even if I do get into the environment, I have to convince you to click it. I think that's where AI is coming in and really changing the game around phishing and some of the things to get users to start

clicking, because it's not now the Nigerian prince asking for $500 so they can send you a million, with spelling mistakes everywhere. It's not that anymore; it's very, very difficult to tell that it isn't legit. And so if I do get it in, I have to convince you to click it. If I do, then there's exploitation, right, and then it's the way. But again, if I have an ability to stop any one of these along the way, the adversary has to start over, or rethink the way they do things, or they have to build it into the tool to say try this, doesn't work, fall back to this, fall back to this. And again,

remember, as I was saying, you might not be able to stop every single way that they might access the shell, but if you get one that you can block, and then they try another and you can alert on it, you know, now you've actually discovered that the adversary is in the environment. So breach simulation is really testing the current posture in place, but it's a real test, and we're going to go through a couple of examples of that. Helps identify weaknesses and vulnerabilities for a variety of attack vectors, determine security effectiveness, right? The goal here is to see how well we can stand up to the adversaries that are targeting us. And they'll do things like

reconnaissance, right: scan the environment, understand the environment, then vulnerability scanning. All of these are noise makers, and again they're all using the network. Exploitation: you're going to do privilege escalation, you're going to try to get root access to that system, right? You want to be God on everything as much as possible. Lateral movement: I pop one box, that's not over, right? The game starts all over again. I've got to make all that noise again, right, try to map out the environment, look for additional vulnerabilities here, right, as I continue to move from segment to segment to segment. Data exfiltration: so as an adversary, do you start exfiltrating data from every box you compromised along the way,

or do you find a box that you've compromised and use it to start hoarding data, and then use it to leak data out of the organization as slowly as possible? Probably, because if you're trying to get it from every box, then that's an opportunity for the defenders to detect something suspect is happening. And then reporting, right? At the end of this there has to be a report outlining exactly what was seen during the exercise to allow defenders to start building the controls needed to mitigate against that. And so you might have an asset: reconnaissance, initial access, execution, privilege escalation takes place; let's just summarize, there might be a lot of lateral movement from there. You have data

exfiltration on one machine, maybe privilege escalation on another, maybe again data exfiltration. So again, when you start thinking about some of the controls, some of these tactics that you use, they're going to start applying across the entire ecosystem; it's just not one area that you're building that control over. So the tooling that you can use here: there's a couple. You can use open source or you can use commercial. And so open source, things like Caldera: these folks are the ones that built the MITRE ATT&CK framework, so it's from MITRE. You know, it gives you very prescriptive tests that you can do; basically install an agent. And now, I just saw with AttackIQ you can do an

agent test. But the point here, in traditional breach attack simulation, you install an agent on an endpoint as an example, use that endpoint to make those commands or execute tasks that you ask it, and you can test your endpoint detection and response capabilities, endpoint protection as a whole; you test anything on the network that you might have a control on, like a next-gen firewall. And so the benefits include: well, first off, we're simulating attacks on systems in the network, right, so that's good. But obviously uncover any vulnerabilities or weaknesses within the posture of the organization; we can highlight any controls that might fail. Again, at the minimum you want detection capabilities

across the board, and then you can start prioritizing based on real risk as you've identified. Compliance: it helps with compliance, evidence-based testing, demonstrates the ability to prevent, detect, respond; maybe avoid fines or, as they call it, a report. And then some of the other things are continuous improvement. Again, the one thing that I like about the whole thing is that the team then understands the process of a specific adversary and they're almost going through a real incident before they go through a real incident. So it starts tuning people's skill sets about understanding what they need to look for while that process is happening. So it's tremendously valuable, you know, been there, done that:

stay ahead of the threat landscape, emerging threats, identify areas of focus, and then training and awareness, right: simulation of phishing emails, social engineering attacks, other common tools, hands-on exercises. And you might be thinking, where do the images come from? Well, you know, I started to draw... no, that's from AI. You know, red team, dark background, it's all in the C, but all the images come from AI. Okay, so we're almost at the demo part. So adversarial emulation: so the things that you're going to do, the steps involved here: first off, you're going to gather threat intelligence, and you're going to extract the techniques, you're going to analyze and organize, and then ultimately develop the tools that you require in

order to be successful, and then emulate the adversary. And then each one of these has certain things that you're going to do, right, to determine the adversary of interest: strong focus on threat groups that would be targeting the organization. Where can I go to get that information? Anyone? Yeah, fire... right, that'd be a good place to start. Identify post-exploitation: open shells, exploits, or brute-force attack. Then check out the tooling, right, the aliases, and any of the campaigns the adversaries are associated with. And again, you can do that; you should look at some of the research papers that support the stuff that the adversary is doing and how they navigated the

environment; there's a ton more data than just the technique itself. Determine the time frame: how long is this going to take? So an adversary group might be Wizard Spider, and software that they might be using is Emotet. So I'm learning a little bit: what is Wizard Spider? Well, they're, you know, they have a diverse arsenal of tools, conduct ransomware campaigns against a variety of organizations ranging from major corporations to hospitals. Sounds like everyone. Identify the behaviors, collect information to build up that emulation plan, identify the tactics, and this is a team effort; we want to do this collectively with blue teams, right? If you're a red teamer that's driving this, you want to certainly

have... And so then once you do that, you can go to MITRE ATT&CK; there's a Navigator tool that allows you to build this out. And what's cool here is that I've identified, maybe on Wizard Spider, the specific tactics and techniques; these are the things that they're going to do. And if I have the ability, I can go to my manufacturers and say, hey vendor, can you give me your mapping to MITRE? Oh, thank you. And then you go to other vendors, and then you add the tabs and you say show me the differences between the two, and then eventually what you do is get maybe a subset of these that you need to focus on,

because most likely you're going to have certain controls in place already. So analyze and organize: understand their objectives, their motivations. Again, who can help here with the why, what, and how? MITRE. And then you're going to get this; for whatever reason I reversed the colors in this one, I fixed it in another deck and I didn't fix this one, but anyways, the green are the things that they're able to do, the red they're not, in this case. So that's a specific group, that's only one threat actor. And again, the way they modify the registry, even though this is modify the registry, they might do certain things in order to make it

successful. But if you have that ability in your defensive architecture, it's most likely going to apply across the board; doesn't matter the adversary, right? There's a lot of similarities between groups as well; there's certain techniques that they certainly share. So then we want to figure out the tools, right? Are we going to develop the tooling ourselves? Probably not; we don't have enough time. So maybe we're going to get a commercial off-the-shelf product. Do we create something such as command and control delivery capabilities? Maybe, or you can use a tool. You create payloads or simulate attack infrastructure as needed as well. And again, this is where the skill set of

that red team comes in. As much as you want, if you haven't done it before, you might want to leverage a partner, because creating this on your own is a craft, right, it's an art. And then so then you get to, you know, emulate the adversary. So we're going to set up the attack infrastructure, whatever that might look like; it could be C2 servers. Then install and test. Then you're going to emulate and drive towards your motivations; you're going to attack like the adversary. You don't go, go; it's all about taking time and making sure that you're, you know, slowly compromising the environment like the adversary would. If not, you're going to trigger any of the tools that are

looking for certain behaviors in the environment, and it's not the result or the action the adversary would take, right? So you want to do it as low and slow as possible, and it's not done in silos, right; we talked about that, it's all teams. All right, so this is the demo. I'm going to have to go over here because I'm probably not going to be able to see what I'm showing here. So again, I want to reiterate: I have access to Cisco technology because I'm at Cisco, so I pull out Cisco, but in any tool that you might have... I'm a big believer, don't worry about vendor A versus vendor

B, because if that's where you're spending your time, displacing technologies, you're probably not adding security effectiveness to the organization. You're better served to run the life of that technology stack and look for areas of opportunity, and this is where breach attack simulation can help. All right, so this one is leveraging the firewall, and Cozy Bear is the adversary. And I don't know how small this will be for you guys, but this is AttackIQ; so this is a commercial off-the-shelf product. Again, I have no association with it whatsoever. So here what I'm going to do is creating... and I'm going to walk you through the whole thing, right? What time's this one done?

12:30? Oh, 12... sorry, 12:20, 12:20, okay. I'm going to go a little bit faster here. So what's happening here is that I'm going into AttackIQ and I'm building out the scenario I want to test. I'm keeping this simple; it's just an atomic test, one simple test. I'm going to test C2 for Cozy Bear. So the goal here is I've got an endpoint with an agent that's going to make a connection through the firewall, in hopes that the IPS determines the C2. And I can tell you that that signature is not enabled here, and I go through and I show you that and it fails. So we're going to skip the failure part because

that's an expected outcome; I wanted to show that. And what I've done then is said, okay, it's failed; now you're going to do some level of control in your organization, right, whatever it might be. You're going to build a signature, and then you're going to try the test again and see if it fails or succeeds. And so here I got thinking about, oh wait, everyone's talking about AI and everything like that; because this is Snort, I'm able to come in and say create a Snort version 3 signature that follows a certain order: this is the message that I want it to give, this is the ID that I want to associate with it, and look for that particular path,

that URI that the adversary is using with this particular campaign, right, and build that signature. And so I did that, and then I thought, okay, that's kind of neat. And then it comes and gives me an answer: here's the signature. Because again, it's Snort, it's open source, so I can do that. There's the signature; I don't need to be an expert here, I just have to know how to build the query, that's the goal here. And then, because I knew... and this is what I love, this is just AI off the shelf, right? Then come and say, tell me each line item and what it means. Look at it: alert. It's not proprietary,

right? There's no secrets here. Here: flow, to server, established, right? Here's the content; this content keyword specifies the HTTP URI. So I'm learning as well as building out a control in the environment, so you can see how powerful. But this is just using, you know, a data set that's open to everyone; it's not even proprietary to Cisco's data set, right? So I take this and I put it in Notepad, and it's not perfect. When you import it, it gives me an error; it tells me exactly where it is that the error is. So I had to make small adjustments, and again, the point here is probably, based on my query, I could fix that. If I get

the query language right I'll get the outcomes that I like I can save that query moving forward and just replace the UR cont content in this particular case every single time and I can create brand new signatures on the fly as needed so I I do the fix here and then I go ahead and I'm just fast forwarding a little bit I've imported it and now I'm saying Block in the platform and so I go ahead into SN version three rule override I'm just double- checking that the rule that I just imported is in fact here and it set the blog okay so that's good it's set I go ahead and deploy it and then from there I'm going to go

ahead and test it and I'm testing it now I'm just fast forwarding it and I can already see intrusion detection of that event so that that failed the first time it's all greeny now based on that change I have intrusion policy in detection mode it would have blocked so even though I said block there's the ability to do it in prevention or detection mode so it's just telling you it would have been BL so now I know it's been successful and I can look at the packet and I do that in this this exercise so if anybody's interested ping me and I can give you the links to this as well it's on YouTube but um but anyways

that's a quick way of testing Maybe next it's very simple task eventually you want to be a little bit more elaborate and build out an entire scenario with a lot of different atomics that the adversaries can use build that campaign but this is one simple text and it block that particular and there's all kinds of reasons you might say well why didn't block it CNC goly everybody well there could be a variety of reasons right high levels of false positives whatever it might be right um and I specifically did this to fail right because I wanted to show you how quickly depending on the technology stack how you can build in that mitigating control so that's um using the network

The next one's on the endpoint, and so this one is PowerShell with Mimikatz, using secure info, so you've got EDR capability. One thing about Windows: Windows definitely wants to turn on their AV, or more detection. And so I come in here, I built a campaign; this is called... it's very simple in AttackIQ. I'm looking for Mimikatz; you can look up based on tactic or technique as well, and there's a bunch of stuff in here. I look at this one here, it looks maybe pretty good, and so I go ahead and build the operation. So I'll come in here and I can select an adversary. That's a nice thing too: they have some built-in adversaries that you could actually select and build it all over that. But here I'm going to create an operation specifically, that one time, and I go ahead and I give it a name. Again, there's no adversary, it's basic. There's some parameters here: I can say require manual approval, do not parse, I can obfuscate the data up here as well. So there's lots of options that you can tune on it.

And then I go ahead and select the specific tactic that I have interest in; in this case it's going to be Mimikatz, so let's just look that up. And Mimikatz, just for those that may not be aware, is our ability to harvest credentials from memory once we're on the box. We've already bypassed some control, most likely, and now it's resident on your box; somebody's executed it, and in Vol Med you don't have the capability to stop it. And then it's trying to harvest all the user credentials on that particular asset, and again, they're going to use that to move laterally. So I just refreshed, or I'm about to refresh, I'm ahead of myself. Oh no, I've already started, so you can see the policy is updated to 8:25 here. Let me check, I might be... and I run the task, and I'm in audit mode; that's what I did at the very beginning.

So the reason why I'm in audit mode on the endpoint: you see there's a ton of tactics. It included the one that we were looking for, but because AttackIQ looks like C&C and other behaviors that it mimics, it also classified that. So I can very quickly see the tactics and techniques; I can pivot into MITRE if I need to. And that's done in audit mode. And the reason why you want to do everything in audit mode is... why, anybody? You don't break anything? Well, what... it doesn't block anything, yeah. The reason why: because if you block up front any attempt, you don't know what tactic or technique it might have L; the tooling might not tell you that, and it might be one tactic or technique that's being used here, and you miss all the other ones because you never see it realized. So you want to let it run. And so in this case it did: I found a whole lot more tactics and techniques were associated beyond the simple one, so that's good.

So then I went and said, wait a minute, let's now change a few things. First is maybe I want to isolate it based on a critical event, automatically. I want to see how my prevention tooling kicks in when I'm in non-audit, what I call protect. And I say, well, let's go ahead and make sure that we're isolating anything that triggers a critical event. So an isolation can be done in the network; in this case it's being done on the host itself. Doesn't matter where the host is, anywhere in the world, as long as it has access it's going to be able to get that command and isolate based on anything that happens. And then here I'm pinging 8.8.8.8, and what I'm trying to show you here is, again, the adversary wants to get on the box, I'm going to try to move laterally, and I want to get an idea of what my isolation looks like. It's easy to isolate, but you still might need access to, could be, management tools, forensic tools, the endpoint, right? You don't want to block the manager to the endpoint; you want to be able to have control. So all I'm doing is making sure that that doesn't block. That's the... now I go into that group, or that particular host, I move it into that protect mode. So I'm just changing the policy here, updating it. I'm making sure that Windows is disabled; it should do it by default, but I just double-check that here. It shows me here everything looks good, and then I'll rerun that test. Exciting, yeah. Okay, five more minutes? Almost, maybe. Can... okay, so let me just fast-forward to speed this up.

So again, I'm just going through, and I could have run it, I don't know why I recreated it, and I'm going to go ahead and run that test now. That test, it already isolated. Like, that's how fast it was; I couldn't get from one screen to the other, because as soon as I executed the test from the browser, I got there and it was already showing it isolated. Now 1.1.1.1 fails because it shouldn't have access to it; .25 is my gateway, doesn't have access to it, so I can't ping. But 8.8.8.8 was an exclusion that I made to allow access. So if that's some tooling that you might have that you want the asset to have access to, you certainly can do that. So that's the point there: I've discovered it. Then we go through, you're going to see similar events that take place; the critical event itself is the one that triggered the event to isolate the asset. So that's really cool, because now I not only understand the adversary that's targeting me, but I'm also understanding the methods used, and my tooling and how it should respond to that particular adversary or that particular tactic or technique. And here I'm just showing you the ACL that allowed the 8.8.8.8.

Okay, last one, because I think this one's fun too: you may not have an endpoint product, right, so you can't do EDR. You probably have a firewall of some sort, but it might be limited.

And so I thought, okay, what about living off the land? I know I can go to GitHub and grab PowerShell to do an nmap scan. I know I don't need to create it myself, but I thought, why not ask ChatGPT to create me one very specific to what I want? And it does. And then the next thing I do is, maybe I'm not very good at ChatGPT, and I say go ahead and explain each line. Again, I'm using it as a learning tool, but it creates this script for me, right, no big secret here. But it does create the script; there's nothing on this endpoint. Then I take this script, so I copy it out, and then I jump into PowerShell ISE and I put it in there. There's a couple of missing elements to it; I need a couple of brackets, and done. But it points me right exactly where the issue is. So I love ChatGPT, but it's not perfect, right? I've taken bat shells and said convert to Python, and then taken that and run it, and it's like, fail. So you have to at least know as much as you're asking the tool, to determine whether or not it's accurate.

So now I've got this script, and now I'm living off the land. I'm not bringing in tooling, right; I'm actually now on the box. I'm going to run this script, and is my endpoint product going to catch it? No, there isn't one. It's not, because there's not one. Oh, it's Microsoft, yeah, you heard it here live. But anyway, the point is that here's the PowerShell script; I run the script. A little bit of time, because now we're using the network to detect it. The network sees, oh, there's... again, this is my tool used for an internal port scanner, so I may not have a control to stop it. The point here is I have the ability to identify or detect the activity, and that's probably the most important piece. Everyone talks prevention, but tell me one vendor that does that 100% of the time. No way, not one. So detection is more important than prevention.

So anyway, it shows me again the TTP: the tactic was Discovery, the technique was Network Service Discovery. Again, I could pivot and continue to learn, but it detected it. And now you could have this built into... if this is detected as an internal port scanner, like a camera now was doing an nmap scan of your network on ll2, maybe feed that into another mechanism that then can run a playbook that automatically isolates, take a network approach, or an endpoint. But in this case it's a printer or a camera; you might not have an endpoint control, so you would use the network to automatically isolate that asset at 2 in the morning. So now the folks that are on call, they get the message, they say it's been triaged and mitigated, they go back to bed. So again, this just shows you a little bit more detail.

So the bottom line is this is where we need to get, right? We have to elevate as defenders, or we're going to continue going through the cycle. It's not going to be magic, one technology stack you buy that's going to solve every one of these problems, and if anybody comes in and says they do solve every one of these problems, ask them to leave.

But anyway, so you know, defense is tough at best; it's almost a losing game. We need to elevate: understand the Pyramid of Pain, where the weaknesses are within our defensive posture, and identify that by doing red teaming and blue teaming type exercises together. Understand the tactics of the adversaries that are targeting us, and the techniques, and then continue to work your way down to do some simulation and testing within the organization to determine if the controls in fact work the way you want them to work. And you want to run prevention when you're doing these tests... first, audit, audit, audit, audit, right? Because you want to see the full life cycle of the attack. These are contained attacks, right? This is you doing it. So again, you'll have a bunch of systems that you're going to install the agent on, and then you're going to perform those tests on those systems, so it's a controlled environment. But you want to let it run the life cycle first and then add your controls, because they may have been successful, but you may still have blocked them at the very beginning. So now you know you could stop the adversary moving in. The thing is, if that prevention fails, the other stuff probably will be successful, or you won't know. And that's it.

So I'm here. You guys are free to go to lunch, I know there'll be a lineup, so feel free to run out, I won't be offended. But if you have any questions, I'll be... if you have some.
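The talk has an assistant write a Snort 3 rule, hits an import error that points at the broken spot, and then asks for a line-by-line explanation of each keyword. As an added example that is not from the talk, from Snort or from Cisco, here is a small Python linter that does both checks on a constructed sample rule: the URI is a placeholder (not the campaign's real indicator), the sid is a local-range value, and the keyword glosses are one-line summaries written for this example rather than Snort's own documentation.

```python
import re

# Constructed sample in the shape the talk describes: an established client-to-server
# HTTP flow whose URI matches a C&C path. The URI is a placeholder, not a real indicator.
SAMPLE_RULE = (
    'alert http any any -> any any ( msg:"Example C2 beacon URI"; '
    'flow:to_server,established; http_uri; '
    'content:"/example/placeholder-c2-path"; sid:1000001; rev:1; )'
)
# Glosses for the keywords the talk walks through (written for this example).
KEYWORD_HELP = {
    "msg": "text shown in the alert",
    "flow": "direction and TCP state the packet must match",
    "http_uri": "the next content match applies to the normalized HTTP URI",
    "content": "byte pattern the payload must contain",
    "sid": "unique rule id (local rules use 1000000 and up)",
    "rev": "revision number of the rule",
}
HEADER_RE = re.compile(r"^\s*(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
# Split on ';' only when an even number of '"' follows, i.e. when the ';' is outside quotes.
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def lint_rule(rule):
    """Return (True, parsed rule) or (False, message saying where it is broken)."""
    if rule.count("(") != rule.count(")"):
        return False, "unbalanced parentheses in rule"
    m = HEADER_RE.match(rule)
    if not m:
        return False, "malformed header: expect 'action proto src port -> dst port ( ... )'"
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for opt in OPT_SPLIT_RE.split(body):
        if opt.strip():
            key, _, val = opt.partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    if not options or not body.rstrip().endswith(";"):
        return False, "option list must end with ';' (after %s)" % (options[-1][0] if options else "'('")
    if "sid" not in [k for k, _ in options]:
        return False, "missing required 'sid' option"
    return True, {"action": action, "proto": proto, "src": f"{src} {sport}",
                  "direction": direction, "dst": f"{dst} {dport}", "options": options}

def explain(rule):
    """Line-by-line walkthrough of a rule, like the one the talk asked the assistant for."""
    ok, p = lint_rule(rule)
    if not ok:
        return ["ERROR: " + p]
    lines = [f"{p['action']} {p['proto']} {p['src']} {p['direction']} {p['dst']}"]
    for key, val in p["options"]:
        lines.append(f"  {key}:{val}  # {KEYWORD_HELP.get(key, 'see the Snort manual')}")
    return lines
```

Dropping the trailing `;` after `rev:1` or removing the `sid` option reproduces the kind of import-time error the talk describes, with the message naming the option where the rule went wrong.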