
Borderless Adversaries, Effective Exposure Emulation of Threat Actors

BSides Tampa · 2026 · 56:13 · 11 views · Published 2026-02 · Watch on YouTube ↗
Category: Technical
Style: Talk
About this talk
Explores how threat actors bypass enterprise and government defenses through evolving tactics, supply chain attacks, and zero-day exploits. Introduces adversarial emulation as a proactive defense mechanism: organizations can simulate real-world threat scenarios, validate security controls, and identify gaps in their posture using open-source tools and threat intelligence.
Borderless Adversaries, Effective Exposure Emulation of Threat Actors, by Abhijith 'Abx' B R.

Description: This talk explores the evolving techniques, tactics, and case studies of threat groups actively targeting the region's cyber ecosystem. We'll examine their offensive strategies, uncovering how they adapt and innovate to bypass million-dollar defense systems. From APTs and supply chain compromises to zero-day exploits, these actors employ sophisticated methods to infiltrate critical infrastructure. The session will also introduce the concept of adversarial exposure validation and emulation as a proactive defense mechanism. By simulating real-world threat actor behaviors and attack scenarios, organizations can uncover gaps in their security posture, validate the effectiveness of existing controls, and adapt to sophisticated threats.
Transcript [en]

Good afternoon everyone. I mean, that was fantastic, right? Two days back, I think, Pat sent me a link with all the images and backgrounds. I really liked it because the concept is more like, you know, a laboratory, then a couple of professors and students, and look at the badges, like, you know, the concept is kind of really cool. So I think Pat gave you a quick introduction about myself. This is going to be, you know, very short. My full name is Abhijith B R. So that's the reason why I call myself ABX. That was my hacker handle. Then, you know, I used to work with different

organizations, including the Sunwater Corporation, which is in Japan. Now, you know, I had to change, I mean, kind of start addressing myself as ABX. It was easy to pronounce. So mostly I work in the offensive security area, like, you know, working as a consultant. I also run my own company called brief simulation range. I also manage Adversary Village at DEF CON, which is a community initiative focused on attack simulation and so and so activities. So, moving on, the stuff we are going to talk about here is on the offensive side. So how many of you folks are coming from an offensive background? All right, so my people. How many of you are from a defensive

background, let's say working for, you know... Okay, okay, I don't like you. No, I'm just kidding. So here, I mean, if you notice the title of the talk, it's more like, you know, borderless adversaries. So there is a reason for that heading. Two months back, I think one month back, I was doing a session for MITRE in Singapore. The event was named APAC Community Workshop by MITRE ATT&CK. The thing is, APAC is supposed to be, you know, a community of countries where they'll be sharing cyber threat intelligence and collaborating with each other, right? So I mean, that was the purpose of that community, the APAC region. So now we also know that these countries

are all fighting each other, right? So when I was there for the session, like I had, I'll tell you later, I had a couple of threat actors coming from different regions in APAC. All these fellows were there. Let's say if you are talking about Russian threat actors, there was obviously a Russian guy. Then you talk about Chinese threats, there were also some people from China, right? It was not a good situation to be in, because when you talk about it, I mean, we sometimes say that technology is not political, but it is political in some cases, especially when you talk about nation state sponsored attacks. So then after my talk one guy came up to me

and asked me, like, okay, we know that tigers are coming out of India too, why don't you talk about it? I said, okay, I don't know, I don't know anything about that, but, you know, I need to go back to my country after this talk, right? So, you know, when you talk about threat actors, let's say nation state sponsored, you know, cyber attacks, three major things are there. One is the evolving threat landscape, obviously, geopolitical and financial motivations, then critical infrastructure. The very first thing: we can see that the threat actors are evolving. It was one kid from his basement, but now, I mean, thousands of hackers are targeting other countries as

part of nation state, you know, initiated hacking attempts. Let's say intelligence agencies are building, you know, programs so that countries could keep an eye on what their adversaries have been doing so far, right? So that area is, you know, not even gray, that is a dark area, right? Also, again, financially motivated ransomware gangs, hacking groups which are continuously targeting the financial sector, banks, and so on, industries as well. For the final thing, critical infrastructure, it is important because telecom and manufacturing, they have been running on the same setup for the last 30 to 40 years. Let's say, as for them, if something is working, let's say a manufacturing

plant is working, then they will not go and touch it. They'll keep it like, you know, an air-gapped network as long as it is working properly, and, you know, manufacturing stuff, they don't go and touch it. Sometimes, as I often see, security professionals, you will not be able to send a probing packet because they are afraid that it may go down. So these kinds of environments, critical infrastructure environments, are getting a lot of traction in between the attackers, whether it could be a nation state sponsored hacking group or maybe a bunch of malicious hackers joined together to get some money, you know, looting people, right? So these three areas, like, you know,

these are like critical areas of the threat actors: obviously financial and geopolitical, critical infra due to the nature of legacy systems and traditional systems, then also the improvement of technology. Obviously, people, like, you know, if you know about it, there was a breach in a couple of ransomware gangs and nation state sponsored attackers, right? So if you know, I mean, researchers noticed that these fellows are working from 9 to 5 as a government job, obviously that is funded by the governments, right? Okay, I mean, I had a workshop yesterday. I think some of these people are from there, I mean, attended that workshop, and you got a sneak peek

of, you know, the stuff here, right? So I'm showing you nice-looking generated images of, let's say, four different cool animals. Would any of you name them? I mean, most of you guys are, like, you know, from the defensive background, right? Okay. >> Spider. >> You were not in my training yesterday, right? All right, yeah, just making... Okay. Yeah. Scattered Spider. >> Oh, all of them. >> Yeah. >> Okay. We got a bear. So, we got two more. >> Sandworm. >> Yeah. Sandworm. That is right. And nobody noticed the innocent panda. Yeah. So, basically, you know, this is actually ant spider. So, I mean, they're, you know, they are from a

family, right? So ant spider, metallic spider, Scattered Spider, like, you know, Sandworm again, another threat actor targeting industrial systems. I mean, we might be familiar with Cozy Bear and the pandas, right? Though the funny thing to notice here, some of these fellows are related. Let's say pandas, pandas are kind of a family, a big family, like most of these hacking dudes coming out of my neighbor country, they share tactics, TTPs and tools between other teams, more like copycats, right? I'll show you one more deck, one more image. This is the second set. We got BlackCat, the BlackCat ransomware gang. >> Yeah, we got Bet Spider. Yeah, that is

right. We got Mythic Leopard and we got Volt Typhoon, because this is getting a lot of traction nowadays, Volt Typhoon and Salt Typhoon. They targeted and compromised Singapore telecommunications back in 2024. They're also continuously targeting many organizations in the US and the allies as well. So here, out of these eight threat actors, I'm going to show you like three or four of them, because we did some research on them and we created emulation plans for the same. Let's say we have Wicked Panda, again the entire panda family. They have compromised a different set of major organizations scattered across multiple countries, multiple geographies, starting from India to Brun and the UK, right? Again, they also share tactics

between, you know, the other family members, let's say Wicked Panda and, you know, Vice Panda, and so on. Here one more thing to notice: you can see a couple of other names. It is also mentioned as Wicked Spider, Wicked Panda, Stockfly or Suckfly, because there is the influence of vendors. I was also saying the same, you know, scenario yesterday. Let's say you had an incident in your organization, you were doing an incident, you know, response and investigation, and you submitted your entire investigation report to your management, or just to make sure, your management is again trying to bring a third party vendor to

do all... Yeah. Okay. >> All right. All right. All right. >> All this stuff all together, right? Then they are saying, okay, now, I mean, you did the investigation and you are claiming that it is Wicked Panda who attacked my organization. That was your, I mean, investigation report. At the same time someone came over, like a third party came over, they did the same investigation and they are, you know, measuring that it is actually Blackfly. I mean, it happens many times. The attribution matters. Once the threat actor name is, you know, wrongly attributed, the chances are very high that the motivation could even change. A specific threat actor group is looking for money,

but the second threat actor group is actually targeting the organization for espionage, right? So the thing with attribution, wrong attribution, that is getting to be a thing nowadays. Even though maybe they could be the same group of threat actors, maybe they are not the same, but again that is, you know, kind of a gray area when we talk about attribution of the threat actors and hacking groups. All right. Okay, I mean, how many of you are familiar with MITRE ATT&CK Navigator? Awesome. Awesome. So here, I mean, again, like I mentioned, out of all those eight threat actors we did some research and we created emulation plans, we did some training. So

that's the reason we picked only a couple of them. So this is again an emulation plan created for APT41, aka Wicked Panda, using a free tool called VECTR. So any number of open-source and, you know, paid tools are there. I mean, this was kind of very easy for us to demonstrate, starting from initial access. They performed vulnerability scanning against exposed servers of their certain targets. Then, you know, they compromised the software supply chain. They also performed spear phishing attachment attacks against their targets. Then they kind of branched out into, you know, different categories, starting from recon to defense evasion. So these are the different set of activities performed by Wicked Panda to evade their target defenses. Just look

at it. They performed code signing. They used rootkits. They used try impersonation. They also used Compiled HTML files to evade detection. So many techniques, right? If you move on to the next slide, then from defense evasion they moved on to credential access and finally, you know, they did some exfiltration, right? So these are the different categories, again starting from credential access to exfiltration here. So we did a detailed emulation of APT41, so that's the reason I'm showing you this entire mapped-out diagram. So these are the activities, complex activities, performed by Wicked Panda, hence the emulation plan. Volt Typhoon here, one notable thing here, that is the second point.

Yeah, second point, Volt Typhoon. They also breached into Singapore telecommunications back in 2024 and they are also targeting many organizations in the US as well, financial, healthcare and other industries as well. So just look at the second point: the group is known for using living off the land binaries, LOLBins or LOLBAS, right? These executables, they are there in the Windows operating system itself, signed binaries, right? Even if you upload them, I mean, they are legitimate binaries. These fellows are using the legitimate binaries, you know, to bypass defenses and carry on whatever activities they have been doing within the target network. So this is an important point, because even though there are many projects

related to, you know, LOLBAS and LOLBins, there is still, till now, a huge gap in detection when we use LOLBAS. I'll give you a very short story on this, because a few years ago I was doing an engagement for a client. The challenge was they disabled PowerShell. So how many of you like PowerShell? Only two red teamers? None of the blue teaming guys like PowerShell, right? Is that the story? Okay. So, the challenge was the defense people, they disabled PowerShell.exe, which was again a dumb thing to do, right? Then there were two levels of defense: one was a certain antivirus product, the second one was EDR software. Then there was also another

module called EPM, Endpoint Privilege Manager, because even though you have local credentials you will not be able to use them. Three different categories of tooling, right? The challenge was to execute PowerShell, some kind of PowerShell, bypass their defenses and execute PowerShell and dump credentials or whatever activities you could do, right? So they missed something. They just simply prevented PowerShell.exe, right? They forgot that it is not about the executable, it's about the library, right? It's about the underlying DLL and platform, because PowerShell is kind of rooted to the kernel itself, the Windows kernel itself. So the remedy, I mean, the bypass was kind of very, very simple. What I did, I tried

using unmanaged PowerShell. I tried to, I mean, connect to the same DLL used by PowerShell using MSBuild.exe, another LOLBAS, I mean, another binary within Windows, right? Then using that I executed a PowerShell script in the memory itself, bypassing the entire setup. So in the process I also discovered something else: this activity was supposed to be detected by the antivirus or EDR, and none of them were able to detect it. That is a funny thing. It happened in 2018, right? The use of unmanaged PowerShell. It is, again, you know, you cannot simply disable PowerShell.exe and hope that people will not be able to use PowerShell in your environment. No, that is

crazy. So, the BlackCat ransomware gang. So, again, they are, you know, supposed to be from a certain language speaking country. Here you need to look at the third point. BlackCat ransomware uses Rust-based ransomware to target multiple OSes, including Windows and Unix, right? How many of you like Rust? Obviously the red team is... yeah. How many blue teams like Rust? Rust programming language. All right. Okay. Now I know. So the thing with Rust is, Rust is kind of a, you know, new language, right? So what I often see people did was, like, you know, porting all the existing programs to Rust, all the

libraries to Rust, and reusing them, right? I'll show an example as well. So this is one technique you need to keep in mind, because the BlackCat ransomware gang, they extensively used Rust-based programs, executables and ransomware, you know, tools to compromise their targets and, you know, get things done. So again, they have a wide range of targets, including organizations in the APAC region, the US and other parts of the world as well. Again, a certain language speaking, you know... So I've been warned multiple times not to mention names of products or not to mention, you know, names of so and so origins. So that's the reason you are, you know, hearing kind of, you know, a

bleep from my end. Cobalt Spider, right? Again, they are also a family, similar to the pandas, right? Again, they are also coming from... sorry, here there's a small difference. This guy is targeting the entire financial system, starting from SWIFT payment modes to ATMs. They're after the money, they're after the, you know, big bucks. So one thing to notice here, tools used like Cobalt Strike, most probably cracked versions of Cobalt Strike, right, to get into the organization and laterally move and exploit sensitive data. There's one more point, the last one, right? Like, you know, if they want to attack you, they would attack the supply chain. They know that this guy is

affiliated with them and this guy is a, you know, trusted friend or trusted partner, right? So they will kind of compromise the first organization, then from there move to the second organization. The actual target will be having all kinds of defenses, but chances are very less that the first party will be having the same set of defenses. So that's why the supply chain attack is getting more traction. Even if you cannot hack Google, maybe you can try to get into the company who is serving food to Google, right? I mean, simple thing. So we talked about all these threat actors, hacking groups, nation state sponsored, I

mean Indian sponsored hacking groups, and, you know, a group of, you know, threat actors targeting people for money, right, this sort of stuff. Now let's talk about the targets. So anyone, I mean, there was a funny news like two, three, four weeks back. Do you know about Blackbuster ransomware, right? So the Blackbuster ransomware gang, they used to launder their money with a certain financial provider, kind of a, you know, exchange, bitcoin exchange kind of thing, right? This guy, he was actually hiding in a place in India, south India, and then they noticed, the state police, and the state police caught this guy from that small city in south India. I mean, people didn't know that

such a big guy, he was staying here for a long time and, you know, like a king. It was all over the news in India, like, you know, this guy got caught from a south Indian state, south Indian city, basically a beast city. This guy was chilling there. Okay, we talked about the threat, you know, ransomware gangs, hacking groups, so and so. Now let's talk about the targets. So who are the targets here? Could you name some? Who are the targets of targeted cyber attacks, like financial companies? >> Okay. Fin... that means organizations, right? Enterprises. >> All right. >> Critical infrastructure. >> Critical infrastructure. >> Defense contractors. >> Defense contractors. Again, a part of

government, right? >> Supply chain. >> Answer. What? >> Supply chain. >> Supply chain. Yes. A part of enterprises as well as government. Right. Nothing else? >> Healthcare. >> Okay. Again, that is part of government, right? Yeah. America. >> Huh? >> Healthcare is not part of government. >> I'm sorry. Maybe my bad. Two things are here. Healthcare, like in our case, a majority of the healthcare is managed by government. Then the private players are also there. So my bad. So only these two, like only government organizations and enterprises, right? I will get to one more point. So let's start with the enterprises for now. So I have personally assigned a defense level of

nine out of 10, because the enterprises, especially the ones with money, right, they can procure all these tools. I mean, I'm talking about mature organizations with a lot of, you know, security budget, right? How many tools, how many sections can you see here? This is actually from momentumcyber.com. How many security products can you see here, maybe under endpoint security or under web security, data security? How many vendors can you actually see here? How many of them are familiar or being used by your organization? Obviously, you're not supposed to name them, but, you know, so if you look at the endpoint security controls, maybe 10 to 15 years

ago, maybe your organization might be having only one product. Right now, that is not the case. You have a multi- or hybrid environment. You have Windows machines, Linux machines, you have Mac machines for your endpoint, I mean end users, you have AWS cloud, you have Azure cloud, and you cannot use a single vendor for covering everything. Let's say if you are using Windows Defender for Endpoint and you have a hell of a lot of Linux or Unix systems, obviously you'll have to go for another antivirus to make sure of the coverage, right? Then if you are focusing on Azure, then you need to have a different product, maybe on there, maybe Windows Defender

there, right? So the environment is getting more hybrid and more complex, so you'll have to buy, like, multiple security products for enterprises. Let's say, let's check your enterprise laptop. How many user agents can you see there, actually? How many can you count, how many, I mean, agents are actually running there? We can count antivirus for sure, EDR will be there, EPM will be there, DLP will be there, some kind of log ingest for the, you know, Splunk or the SOC setup will be there, something to track your laptop, something like, okay, not naming, but a product to, you know, track your laptop. They can monitor where exactly your laptop is sitting, right?

They can remotely lock it down, such software is there. Then SIEM agents will be there, IP monitoring, user analytics, telemetry connection, SIEM, SCM agents will be there, right? Zero trust, nowadays zero trust architecture, they need agents to make sure that zero trust is enforced. You can count at least 10 to, I mean, 15 to 20 different user agents there, right, in an end user laptop. So one more question here is, even though all these enterprises are having such a big tool set, security products, they are still getting breached. Just talk about Okta. This is a very, very funny, you know, kind of thing, right? What happened with Okta, right? They had everything in place. Microsoft, right? I mean, I don't know, I'm not quite

sure they still have figured out how they got initial access, right? One big story. They are also having the same certain security products, but still these major organizations are getting breached. Something happened with MITRE, but they kind of accepted, you know, what happened. They came up with an incident response report and everything. It was like last year. So my question: even though they are having all those security products, still they are getting breached. They were not immune to such ransomware gangs and such targeted cyber attacks, right? So I will give an example. Let's pick an EDR product from here. I'll give you a quick demo, right? So because as a red teamer my job is to break into

organizations and assess their security, you know, posture. Let's say an organization with a, you know, a maturity level, only such organizations will be doing red team engagements, right? Our job is to get in there and try to figure out, okay, how well are their defenses, am I able to fool anything, or am I able to assert some sensitive data, what can they do to prevent such. So let's pick on a security product here. I will give an example in the enterprise environment, like, you know, more like a demo: what would an adversary or a red teamer do? I mean, obviously we'll be trying to breach the defenses, right, even though you have multiple layers of defenses.

So on the left end here you can notice that there is a loader created using the Rust programming language, right? This is basically a very simple loader created using Rust, and you can see the Xcitium EDR tool here. This is free, and basically they don't care if we talk about them, right? If I do, like, you know, internal trainings or sessions, most probably I'll be using... what I mean, if I'm coming to your company to provide a training, most probably I'll be showing a demo of bypassing your defenses, right? So I'm not supposed to do that, but here, that's the reason we are using, like, Xcitium, like, you know, a free tool. So you can see that

it's put in full prevention mode, and I was able to execute the payload and get a reverse connection in the open-source command and control called Havoc. It was so easy. There was not even an alert. It was full prevention mode. So it is running. You can see in the agent as well. There is also a web interface where we can control all the rules, prevention mode, so and so activities. We just simply opened that, you know, loader again. It will, like, you know, load that shellcode in the memory. A simple loader written in the Rust programming language bypassed everything and we got the reverse communication in the command and control. So this is an

example of how attackers are bypassing, or professional red teamers are bypassing, your elite defenses. So if I can do this to this product, I can obviously do the same to your EDR product, right? One more thing here: if I, as a security professional, can do the same thing, then obviously, like, hundreds of nation state sponsored threat actors, just imagine what they could do against enterprises. So that is the actual question here. Moving on to the next thing, the second point is, like, the second target, right? Government organizations, right? So here I put the defense level at eight, not because they have no money, only because there is some, you know, red tape

involved when, you know, procuring security products. Enterprises, they can actually go and buy something, you know, but governments, they need to go through different levels of approvals, different levels of, you know, validation. So that is the only reason the scoring is like eight. So again, government has no budget constraints, but, you know, it is what it is. So let's take an end user laptop as an example. The same end user laptop will also be having the same set of security products similar to an enterprise, maybe some, maybe less. Now one point to notice here, the last one, focused on limiting access and traffic. Most of the time, if you did pen testing or a red team

assessment against any government organization, you can notice that many of them, they actually limit, their motto is kind of limiting outbound traffic. I mean, even if something happens, there will not be an outbound connection. That is kind of their, you know, whole scenario there. So here, as I'm, you know, simulating myself as a threat actor, let me pick the antivirus product here. You know, I just did a demo of EDR, like, you know, what would a nation state threat typically do? They also try to bypass defenses deployed by, you know, any government organization. So here is basically another technique used by a threat actor group. This is basically loading a driver file, a

malicious driver file, as a local admin and using that level of access to turn off any kind of security product without any detection, basically. So this thing actually, it's not playing.

Okay, this one actually, you know, uses a malicious driver in a Windows... again, I'm demonstrating Windows Defender only because, you know, again, I'm not supposed to talk about so and so, I mean AV providers, because I also work closely with them, you know, regarding some of my clients. So everything is turned on, and by impairing the defenses we just dumped the entire credential file onto the, you know, machine. So if I can do this, the same technique will work for all the major AV products and EDR providers. So that is the concept here. I just try to, you know, use a malicious driver and use

that level of privilege. I kind of impaired the defenses. I was here targeting only the Defender endpoint executable. I can use the same logic for any number of AVs and EDRs or whatever stuff they have there. So these are two, you know, demos for two different targets. So this is the third target. We talked about governments and enterprises. This is the third one: the general public. Because if I'm targeting enterprises, I'm a red teamer, I'll be having a clear-cut scope of engagement: this is the stuff you are allowed to do, this is the stuff you are not allowed to do, right, these are your targets, these are not your targets, this is the point your last

entry would be, right? But with respect to nation state sponsored threat actors or, you know, intelligence powered threat actors or any, you know, malicious hacking groups, ransomware gangs, they don't have any kind of guardrails, right? So, like, just imagine, you know, a specific threat actor group from a country is targeting you, right? So if I am targeting you as an enterprise employee, I will be targeting your enterprise email account only. I will not be doing anything else. But, like, you know, being a nation state sponsored threat actor, they have no guardrails. Even if they cannot get to you, because your laptop or your USA will be having a certain level of security measures, they'll be targeting your

friend, then using that connection to reach you or gather information about you, right? In that case the general public is also getting affected. Your family is going to be affected. Your friends are going to be affected, right? Your colleagues are going to be affected in case a state sponsored hacking group is targeting you as an employee. Maybe you are working for the government, but these people are targeting you to get, you know, obtain sensitive information or anything, but they cannot get to you, but they can also target your... So we have seen such kind of, you know, behavior from so and so threat actors. They even kept a doxing sheet of their target: what

are the, who are the close ones, their handles, like, you know, their email accounts, right, any of their data that has been breached from any of the, you know, existing breaches, so and so data. So that's the reason the defense level is two, because how many of you have, like, a secondary, your home laptop, other than your work laptop? All right. Okay. Obviously, are you using antivirus, right? >> Yes or no? >> Okay. How many of you have a Mac? Which antivirus are you using? I'm just curious. Just curious. >> Most users don't use any. >> Oh, okay. All right. Come on. So, that is the thing with our home laptops and our family. So, if it is

a Linux or Mac laptop, most of the time we cannot find any kind of, you know, AVs or EDRs or any other security products there. If it is a Windows laptop, if you are buying it from an outlet, they will be forcing you, you know, a one year license of maybe their partner antivirus. After one year, the license will expire and the family will not be renewing it. It'll be there forever, right? In many cases, only Windows Defender will be your only protector, the only defender of your laptop, and, I mean, in many cases Defender is not fully configured. How many of you trust Windows Defender for your end user

laptop? I mean, for your home laptop. Nobody? Actually, I think Windows Defender is pretty good because it has some customization options like ransomware protection. You can mark a couple of directories, and if someone is trying to write to or read from those directories, it will let you know someone is trying to do this. I like Windows Defender, but I will also put something behind Windows Defender in my laptop. So again, less home uses, mostly no Mac... I mean, in your home computers, are you using anything other than antivirus? All right.

>> All right. >> Okay. So, this is my personal comment. On my personal laptop, I use like two different products. The third one is going to be an open-source product called Portmaster. I use it because I can keep track of all the outbound traffic coming from my laptop. So, I mean, nothing related to this. I was just telling you, like, you know, this is something I use in my personal laptop. Going to the home users here. What would a ransomware gang typically do against home users, right? This is a very small demo. This is an emulation ransomware. I mean, how many of you, if you have been to DEF CON or HackSpaceCon, you

you can see that at Adversary Village we host a couple of hands-on activities. One of them is a live ransomware emulation. So we have created a test emulation setup with a lot of defensive controls, so we will give you access to the controlled environment, you can try to execute or emulate a ransomware, and the same activities can be observed in the SIEM as well, just to understand how you can monitor a relatively new ransomware, right? So this was created as part of that engagement, but again it has the same capabilities. So this is the locally hosted web dashboard for the emulation controls. You can see everything is turned on, your beloved

antivirus, and just executing the agent (it was created using Golang) and going back to the VM, we can see that the connection is there in our web dashboard. So using those angle, dictate, explore buttons you can just do whatever stuff you want on the target. This is a new one. I mean, this was created by me for training purposes and I'll be using the same setup for my DEF CON training as well. So this is very important, because how many of you actually try to procure... I mean, are part of a procurement team? Let's say you want to procure a new security product for

your organization. You'll have to take three of them, you'll have to test them, you'll have to evaluate them, then you'll be going for the best one. So how many of you actually performed a ransomware test against your EDR product? This is a new one, created using ChatGPT without any guidelines, using simple ChatGPT. I had to spend some time and purchase the license and everything, but again, simple. So if I can do the same with Windows Defender... my plan was to show one of the top antivirus products used in years; I also have the demo, but again, I told you, right, I have been warned

multiple times. So this is something you should do. Maybe you can come up with a test version. So this executable here, there is a limitation: a couple of host names are actually hardcoded into the code. It will be working in our test bed only. So even if you copy it and execute it on your machine, it will not work. Actually, our environment has been hardcoded into the executable. It will be working in our environment only. It will be working on the data in selected folders only; it will not be breaking out of the system. This has been created only as part of a training program. So what if I sent this to the home users?

Could any of your existing home user security products detect or defend against it? What do you think? So what if I am a threat actor and I have the backing of, like, 500 professional, funded offensive security guys? What would be the impact? I created this stuff with simple ChatGPT within a couple of hours. What could be the impact? How would the same thing affect the general public, right? So that is where a lot of questions come into the picture: cyber attackers, they actually don't have any kind of guardrails. When we do team engagements against enterprises, we have guardrails, we have clearly written rules of engagement, a very

well-defined scope. Cyber attackers, they don't have any kind of anything, no guardrails. Like, we are prepared until we are not. So this is a clear example of an organization where everything is defended, right? They have all kinds of armor there, until someone shoots them in their... right, a simple phishing email. So how would you, again, defend against such evolving and motivated adversaries, right? Thinking like an attacker would help. So even though you are the defensive folks, you can always think like an attacker and try to emulate their activities. This is where I tell a story, for only one minute, because... yeah, so see, when I was... I told the same story

last day as well. So when I was in primary school I was a very, very thin guy. I was very small. So the other boys used to bully me a lot. So then my mother got me into a martial arts school, a local karate school, Shotokan, right? So when you get into any martial arts school, the very first thing they will teach you is how to take a fall. They'll push you, and you need to take a fall. You need to take a fall without hurting your body. Then they'll teach you how to strengthen your body. Then they will teach you how to attack and defend. Then they will get you a

sparring partner to practice fighting. By the time you get into a street fight, you are going to learn that everything you have learned so far is not going to protect you. You have to come back and learn again. So that's what is mentioned here as adversary emulation and adversary simulation. Adversary emulation is like: we are going to take Wicked Panda and all the activities performed by Wicked Panda, then I am going to emulate the same set of activities against my security products just to understand whether my defenses can defend against such attacks or not. More like mimicking the activities of existing hacking groups. Then we have adversary simulation, that

is more like thinking dynamically. This is more like red teaming. We can also simulate the activities of a threat actor plus different hacking techniques together to test against your defenses, right? So these two concepts are pretty important. Similar to martial arts, you are continuously training yourself. You're continuously emulating these attack tactics in your environment, continuously fine-tuning your defenses, until the street fight comes into your home, right? So at that time you'll be able to defend yourself because you have been continuously training yourself. So basically, improving your organization's defensive tradecraft, or making all the blue teammates here red teammates, that is my goal. I'm going to make all of you people into red

teammates. I will give you a very, very simple scenario. So we can see hundreds of open-source tools are there to create defense-evasive payloads, right, and many threat actors and hacking groups are using them. As a blue teamer or as an offensive security professional, have you ever tried to compile maybe five of these open-source tools to create evasive payloads or EDR-bypassing payloads and test them against your enterprise tooling? You're not supposed to do it in your enterprise, but you can just set up a test environment, put your EDR in there, collect five open-source tools, like CS or related tools, create

payloads, and test them against your EDR in the test environment. You'll be amazed by the results. So if you are testing like five open-source tools against your EDR, you will get to know that six of them are bypassing your EDR. It's a very, very funny situation, right? Then you can use that data to improve the defenses. You can add more detection rules. You can fine-tune your existing security product. So that is the concept here. So it's a case study. I'm going to skip this because we are... so this is another concept, threat-informed defense, which you can use to start adversary emulation or threat simulation exercises in your organization. So again, here we actually believe

that enterprise organizations and government organizations can find value from adversary emulation, or continuous security control validation, or attack simulation; it can actually help them. So we have been doing the same for both enterprise organizations and government organizations as well, to continuously assess their systems and continuously fine-tune, but there is no guarantee; one fine day someone may go there and hit them down. That is again another story. One more pointer here: we can perform attack simulations using actionable threat intel. Let's say Wicked Panda attacked you. You are my friend, we are in the same industry, fintech companies, company A, company B. So chances are very high that the same hacking group will be attacking me as

well, right? What can I do? I can collect intelligence from the attacks that happened there and I can use that to create an attack plan, do it, test it in my own environment against all the security products and fine-tune them, so that I can at least be ready to fight the next time the threat actor comes to my home, I mean my organization, right? So that is the concept behind continuous adversary emulation: using actionable threat intel to perform continuous security control evaluation, then using that data to continuously fine-tune your different systems. So it is not about purchasing more security products; this is about getting more return on investment from your existing

security products, right? So we don't know what is the extent of the usage of our security products. We don't know. I mean, maybe there is an endpoint security product guy who is deploying the antivirus for you, EDR for you, a proxy for you, and adding the policies, but they are not offensively testing the setup. That is your job, right? See here, I like this. I like Jackpack because I met this guy one time last year. We were driving from Las Vegas to Los Angeles and this guy was walking on the street like a nobody. We just... I just stopped the car there and we were like,

my wife was with me, my friends were with me. I was like, oh, Jack, Jack! He's a real nice guy. Real nice guy. You would not believe it, he's a real nice guy. I like him. So, year one: you can start small. You don't have to spend anything to start adversary emulation, because basically you can start with very, very simple things. You don't have to think very complex in the beginning; always start small. Use open-source tools and other frameworks, but with your own... that is your own responsibility, because I was telling a story yesterday: someone was using an open-source tool which was created

to target them, right? So in case of use of open source, always check the code yourself. Always check who the contributors were, right? Something happened like two years back. One guy created a zero-day exploit for Remote Desktop Protocol, right? And many people just blindly downloaded it and started executing it on their hacking, I mean test, laptops. They all got compromised. So one created the same using a meme: once you execute that code without reading the actual source code, it would smile at you. You need to read it very carefully. Then there was one insider story: one blue team fellow, a leader guy, got that GitHub link

and sent the same to the entire company, I mean his team, asking them to test and validate. Big humiliation. So always use open-source tools with your own... So, year two: once you have started small and performed manual emulation plans for your organization, if you have sufficient budget, you can always go for commercial breach and attack products. I do not sell any commercial products, so you don't have to worry about that. I don't sell anything. So you can go there, you can start thinking big, and you can also make the team bigger, because in year one you have already showcased your

talent, showcased your capabilities; you can use that data and results to get more budget, more funding, more approvals, and start doing more stuff. Not like this. So, any comments on this? Can you understand what this is? I mean, could anyone explain what this is to me? Blue team fellows, sorry, red team fellows. Right. So it is written there, right. >> So you can just... adversary infrastructure and red team infrastructure, I mean, basically the same. So this is basically a very, very small... when I say small, believe me, this is small, right? A very small infrastructure set up by red team professionals to target the organization, to attack the clients, to break into our clients, right? You

don't have to go so far and build the same to perform adversary emulation, that is my point. If you're looking here you can see multiple domains. If my target is like Google, google.com, then my domains are going to be like google.com, google.security, security.com, right? So domains, redirector types, and the actual services behind: two servers for command and control, phishing server, mail server, payload delivery, right? This is a kind of template for setting up red team infrastructure. So this is what the attackers are going to use to target you or your organization, a very small setup, but as a professional team we use the same, but it would change based on our clientele. So my point is

you don't have to set up the entire thing to get started with adversary emulation or simulation. You can concentrate on the green line there. You can just pick only one setup. Maybe you don't even need the redirector, maybe a small server to get started. With adversary emulation you can start thinking like an adversary. You can try to emulate a couple of non-destructive activities in your test environment, then you can slowly move to production, right? Very, very... so let's look at the green line there. I have a very short dynamic plan for you. I have shown the same for the training yesterday as well. So here is a very,

very small dynamic simulation plan. Let's say my goal was to test a certain document with a zero-day exploit, it was called Follina back in 2022, against my EDR or whatever endpoint security products I had, just to understand whether they can detect it or not. So instead of creating only one activity, I created the entire scenario, starting from hosting a command and control server. I have sent an email to the target here. Look at that: sending a malicious doc, point one. That was to validate the email security control. By sending one simple email you'll be able to verify how well your email

security controls are working. So if that email is landing in your inbox, there is something wrong with your email security controls, right? The same goes for point two as well. If I am able to execute it, that was to validate two controls: to validate the EDR and to validate the effectiveness of patching. Two more controls failed. Then if I am able to execute it, it will obviously go and fetch a payload; that is to test your web proxies: Cisco Umbrella, Zscaler, Blue Coat, whatever stuff you have in your organization. Then finally the communication is being sent to my command and control, then I can basically control everything in there. If that is

happening, that activity was to validate network security, like your firewall's outbound security rules and scenarios. Basically, instead of creating one small thing here, I created it thinking like an actual adversary: how an actual adversary would use the same Follina or malicious document to get into an organization, and simulated that. This is kind of simulation. This is not emulation, right? Because I'm dynamically thinking here and dynamically creating a full scenario, right? So this will help you a lot, because such think-outside-the-box kind of... again, the same stuff I mentioned: we can use security control validation and adversary emulation to continuously validate all types of security products. I'm going to
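The chained plan just described, as an added example that is not part of the talk: a small Python scorer that walks the four steps in order, marks the controls behind each step that succeeded as failed, credits the controls at the first blocked step, and leaves everything after it untested. Step names, control names and the observation format are assumptions.

```python
"""Score the chained simulation plan: which controls failed, held or went untested.

Added illustration, not code from the talk; step and control names are assumptions
mirroring the four points: deliver the doc, execute it, fetch the payload, beacon to C2.
A step can only be attempted if the previous one succeeded, so a blocked step
leaves every later control untested rather than "passed".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    name: str
    controls: Tuple[str, ...]  # controls this step is meant to validate


# Constructed plan following the talk's four points (assumed names).
PLAN: Tuple[Step, ...] = (
    Step("email_delivered", ("email security",)),
    Step("document_executed", ("EDR", "patching")),
    Step("payload_fetched", ("web proxy",)),
    Step("c2_beacon", ("outbound firewall",)),
)


@dataclass
class Report:
    failed: List[str] = field(default_factory=list)    # let the step through
    held: List[str] = field(default_factory=list)      # stopped the chain
    untested: List[str] = field(default_factory=list)  # never reached
    stopped_at: Optional[str] = None


def score(plan: Tuple[Step, ...], observed: Dict[str, bool]) -> Report:
    """observed maps a step name to True if it succeeded in the test bed.

    Observations are only required up to the first blocked step.
    """
    report = Report()
    for step in plan:
        if report.stopped_at is not None:
            report.untested.extend(step.controls)
            continue
        if step.name not in observed:
            raise ValueError(f"no observation recorded for step {step.name!r}")
        if observed[step.name]:
            report.failed.extend(step.controls)
        else:
            # Blocked: at least one of the step's controls held. All are credited,
            # since a single run cannot tell which one did the blocking.
            report.held.extend(step.controls)
            report.stopped_at = step.name
    return report


if __name__ == "__main__":
    # Constructed run: the web proxy blocked the payload download.
    r = score(PLAN, {"email_delivered": True, "document_executed": True,
                     "payload_fetched": False})
    print(f"failed: {r.failed}\nheld: {r.held}\nuntested: {r.untested}")
```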

skip that. So for the issue we talked about, about the general public: organizations have money, governments also have budgets, they can buy security products, they can bring in an incident response team and perform investigation and patching. But what about the general public? I think that is where the government is focusing right now. They need to focus more, because many organizations are actually working together with the people to help them with ransomware incidents and targeted attacks. So many police departments are actually working in a good manner on this. So what is next? There's only one answer: continuous adversary emulation and collaboration. When you say

collaboration, that is not going to be easy: a lot of verticals, a lot of politics. Yeah. So finally, again, I show this image everywhere, shamelessly, because I like elephants. I'm from South India; we like elephants, right? And we know what to do when an elephant is charging at you, right? You can run, but elephants can actually run faster than you. You know that, right? Elephants can actually run faster than a human being. You will not escape from an elephant if you are running in a straight line. So, okay, you can run away, you can run in zigzag mode, you can climb a tree, you

can jump in the water, but they are also good swimmers. You can drive away, right? And we can think of many, many options. But what would you do if an elephant is trying to jump on top of you, like a monkey? So what would be your option there? So this is like... the modern-day attacks are the same. These are totally unexpected, right? No emulation is going to help you. You need to think outside the box all the time. Continuously come up with new out-of-the-box scenarios, continuously put your defenses to the test, right? So basically, always expect the unexpected and always

come up with plans to simulate the unknown threat actors. And I think I'm over time. So if you have any questions, maybe you can shoot away right now, or you can also catch me outside. My blog is in there also. My LinkedIn is also in there. Just keep in touch, and yeah, thank you. Thank you. Thank you, folks.