
We will continue with the presentations on stage two, and Jaro will be talking about a layered approach for the blue teams.
Hello everyone, welcome to my talk. When I was in middle school, I had a teacher whose classes were a bit different from the others. She didn't use any textbooks in her classes. We had to write down everything she did or wrote on the walls, or we drew on crafts about Europe and its cities and places like those, and it really felt overwhelming at times. I was really struggling in those classes because I had to concentrate, I had to contribute, I had to do something in order to learn. And that is the key point of this session: in order for you to be good, you cannot skip the basics.

This is a lazy AI picture that is trying to cover my whole session, so you can analyze after the session whether it's good or not. So let's get going. Who am I? My name is Kinon, and nowadays I work at Microsoft; I've been there three years as a security architect, so to speak. I have about 10 years of background in blue teaming. I've been involved in three different SOC teams, all of which I was hired into when we started building those teams. So I've really seen how to ramp up a SOC operation at big companies, from the ground up to up and running. I used to have some real certifications, there, grayed out. You can try to guess which ones they are. Like my SANS certificate, which I did about eight years ago; I remembered to renew it once, but the second time I didn't remember to renew it. So I don't have those certifications anymore, and basically those are my achievements at the bottom nowadays, because I work at Microsoft, so to speak. I'm also co-founder and chairman of the board of quas. If you know the city sec organizations inside Finland: I saw one table where there was a Talinsseek sticker. So if Talinsseek is still alive, you can come and say hello to me after this session; I would like to talk to you more. And those are the activities there that I did before I had kids.

Disclaimer about this session: if I tell you something today, don't blame my company, blame me. That's the point here. Let's go.

This is the real reason why I'm here today, because I've heard this a lot in the past years: that the blue team must succeed every time, and the attackers just have to achieve one goal, or do one thing right, and they will compromise your environment. This has always resonated with me, that this cannot be the case, that you need to do everything 100% right every time in order to defend your organization. So today's session is about tackling that myth.

Before we dive deeper into defensive strategies, let's take a few reflection points from medieval times. How did cities or civilizations defend themselves back then? They invented firewalls, the castle walls around their cities, to protect important people, and they used gates, so basically proxies: they see your face, you're familiar, you can go in, and this one cannot be allowed in. After that they invented the next-generation firewall: they introduced the moats in front of the walls. It's a next-generation firewall because it has more layers than just layer four. And there are pretty many examples here. One that is intriguing for me is the killing fields, because if you think about today's defensive strategies, we maybe don't talk about this so much in our organizations. Back then, of course, we would like to lure the opponent to a position favorable to us when they're attacking our city. That's something you should do, because then you're losing fewer men in the defending process. But in the IT world, this is a topic we don't talk about so much.

Okay, let's take a journey on how to be successful in defending your organization. This is a question many of my customers ask me; if I meet a new customer, they ask me, "Yo, how can I be successful at defending my organization?" And usually my story to the customer is this. I will give you a few seconds to read it.

So that is typically the customer's reaction if they ask me how they can be successful. Do you know your organization? What assets do you have? What are you trying to defend? And they're like, "I already know that." "Yeah, but what have you done in order to figure that out? What kind of processes do you have there aligning with your defense strategies?" Okay. After we've figured out what we need to do, we start a new quest. And what happens when an RPG player starts a new quest? You end up with multiple side quests. You start the main quest, and then after three weeks of playing you're like, "Oh, I've done 100 side quests, but I never finished the main quest itself." The purpose of this slide is maybe to be the message slide of the day, and just to illustrate how complicated an enterprise environment can get if you try to illustrate everything in one picture and define it: we have these clouds, we have these endpoints, we have OT, what do we protect, our data, identity, stuff like that. So that describes the estate of an enterprise customer, and you can download this picture at aka.ms/MCRA. So you can take it into your own PowerPoints too, if you want to mess with it.
At Microsoft we have 10 Laws of Cybersecurity Risk, and these are the new laws. We had the Immutable Laws of Security from the Microsoft Security Response Center back in 2000, and these are the updated version of those. You can see all the laws from the aka.ms link again, but I just took one, because this is the one that resonates with me personally. I had to stick with this one assumption: the number one law is that if you're defending your organization, you need to think about how you are going to ruin the attacker's return on investment in your organization. Because we all know that there's no 100% security. You cannot achieve that. There are always gaps and holes and stuff like that we don't see or we miss. So the basic principle is that you don't have to be the best, have the best tooling, the best team, the best whatnot; just be better than your neighbor, because if the neighbor gets hit and you're a bit better than your neighbor, you're kind of safe. So that's a good mentality to live by: not in a perfect world, just be better than your neighbor.

Wise men said wise things 10 years ago. John Lambert, who is a security fellow at Microsoft, said that defenders think in lists, attackers think in graphs; as long as this is true, attackers will win. This has resonated with me for quite many years now. But let's say in the last couple of years I have seen enterprise security tooling go that way: now we have tooling to map our attack paths inside our organization. If you look at CSP products or something like that, they always bring some kind of attack graph, attack path, that you can deal with in your organization. But how do you spot those points on a graph? How do you spot those out?

Dr. Edmond Locard invented Locard's exchange principle. I don't remember the exact date, but that was the period he lived in. What it basically describes is that if someone is doing something, it leaves traces. Think about your own house as an example: if a burglar comes to your house and wants to steal your TV, and he smashes the window, takes the TV and runs out, there's quite a high possibility that he won't patch the window before he leaves the building. So there are crumbs you can see that something has been going on inside my house. And this is something you can implement in your own tooling. What are your log sources? Where do you get your telemetry? What can you see when someone is doing something inside your organization?

We have pretty many frameworks that can illustrate what the attackers are doing inside your environment. We can skip this one quite quickly, because that is something Microsoft provides; we do that on our engagements, and it's quite high level. Then we have the Lockheed Martin one. The reason I'm referring to it as legacy is because it's not updated regularly anymore. It doesn't mean that it's a bad thing to use the Lockheed Martin kill chain, but it's maybe not so updated or community driven. And then there is my personal favorite, the MITRE ATT&CK framework. Almost all of my career I've been somewhat intrigued by and involved with MITRE ATT&CK, because I think that's a good framework that I can lean on in different cases, like illustrating what's going on or what impact they are having. And there is no session about the MITRE ATT&CK framework without David Bianco's pyramid; if you haven't seen it, this is the day you see it for the first time. This basically describes how the defenders can think, how we can ruin the attacker's return on investment in our organization. So if your detection tooling only relies on IP addresses, they are pretty trivial for the adversary to change. It doesn't really cost the adversary anything to change those IP addresses, because that's easy to change. But the MITRE ATT&CK framework lives at the top of the pyramid. TTP is the acronym for tactics, techniques and procedures. So MITRE ATT&CK is trying to illustrate the behavior of an adversary, what they're doing inside the organization, not just IOCs only.

And this is the MITRE ATT&CK framework. There are different tactics, and these are the adversary goals: if they want to exfiltrate data from your organization, that's a tactical goal the adversary is trying to achieve, and they're using some techniques in order to achieve that tactical goal. So if they want to do privilege escalation, that's their tactical goal, and they use these different techniques in order to achieve that. There are also sub-techniques, but let's not go that deep at this point. Quickly you figure out, when you're working with the MITRE ATT&CK framework, that you don't treat all tactics and techniques as equal. That is the number one rule that I have personally, because 100% coverage doesn't mean that you are okay; that's not how the framework itself is meant to be measured. Think about it: yes, we have the best tooling available to see the execution or impact phase, which is the right side of the framework, but we don't have anything for the initial access. Okay, we can see every action when someone is encrypting our files, but I think we're quite late in the attack chain if we can see someone encrypting our data but we don't see what the initial access or movement was.

Let's take a quick example of a cyber incident. This is maybe trivial to many of you, but it illustrates how we can map the graph and the different things about the graph. Before MITRE ATT&CK there's also PRE-ATT&CK; this is how organizations track nation-state activities, how they build their infrastructure, stuff like that. A normal organization doesn't have the resources or skills to map these capabilities. So typically it is threat intelligence providers who do this. But let's take an easy example.
There's a phishing email that contains a link to an Office file; the link downloads the Office file, and then it executes a macro, stuff like that. Now, if we think about the myth itself, the attacker needs to do one thing to achieve their goals. But I see three different entities at this point. We are two stages into MITRE ATT&CK and we already have three different entities that we can lean on. The email itself contains some information. The recipient, that's the user identity. And of course the device, what the user does on this device. So there are already three log sources that you can build capabilities on and defend your organization with. Okay, what happens next is not really that important, because they're usually going back and forth doing something. But if we talk about initial access brokers, typically they want to establish some kind of C2 channel, because they make money from it. They want to sell that access to a second-stage operator who comes and encrypts your whole estate. So this is a business. This is a security business. It's not like everyone is doing all these phases themselves, because adversaries are focused on the different areas that they're good at.

Okay, let's take a second example. This is from a DFIR Report; there's the link below, you can go see the whole report. And "socks" refers to the GhostSocks malware proxy tool that they're using in this campaign; this is the naming convention from the DFIR Report itself. We can see the report. I'd say it's quite overwhelming, it's quite long. If you start to analyze: we've seen this kind of attack, okay, we have an organization to defend, how can we use this information to be able to defend our organization much better? What do we need to do to get the information out of this report? We can do it the old manual classical way. I feel you if you have done this in the past, manually mapping those capabilities to a matrix. There is always different tooling that you can use to automate this, but this is the report looked at through the MITRE ATT&CK framework. If we think about this, how many spots are there where the defender team can do something in order to prevent it, detect it or evade the initial attack? So what are the choke points you see, and how can we identify those gaps inside our organization?

Why am I referring to a cyber unicorn here? Because this is something that organizations have rarely done before, but you can take this as a take-home lesson for yourself: map all your defensive capabilities to the MITRE ATT&CK framework. Basically just illustrate that the more green you see, the more detection logic we have inside our organization; that's how the coloring scheme goes. This is just one tactic, and then we see what the adversary did in that campaign, and then we do the gap analysis. This is not really rocket science, I will reveal to you. This is just illustrating how many animations I have here. Now we can see this is just a one-to-one mapping. It's not like "oh, we have 10 rules, or we have five rules, or one rule; is it good enough?" No. If you do this for the first time: back to basics, yes or no. Yes or no. Don't get carried away by the complexity that you can dwell in when working with the MITRE ATT&CK framework itself, because it's quite a complex framework to deal with. So back to basics. Do we have it or not? No, we don't have schtasks inside our detection capabilities. Okay. Then we do it for all the tactics. Okay, we have identified that we are missing two techniques that the adversary is doing, and this is the funny part about the MITRE ATT&CK framework: if you think about the 100% coverage that organizations want to achieve, do schtasks, because it lives in three different tactic categories. So you get better coverage if you see all the schtasks inside your organization; your percentage goes up quite quickly, more than if you just focus on one technique.

This example was in my master's thesis, in fact. You can read the whole 100 pages or something like that, where I introduce a framework for how you do this gap analysis with the MITRE ATT&CK framework. Just a disclaimer: I did the mapping of Microsoft security tooling before I joined Microsoft, so this is my work from before I joined Microsoft, all the data there is from public sources, and it's quite outdated because it's already five years old. But the framework itself, maybe you get some good points there, or not, I don't know; go and read it if you want.

As I maybe mentioned many times already, more is not better. We see that better coverage does not equal getting all the things right. MITRE has introduced a methodology, it's a couple of years old; I hope some of you are seeing this for the first time: Summiting the Pyramid. Its goal is to illustrate how robust your detection logic is. So we're basically getting a calculation of how good our detection capabilities are. Let's take an example of how we calculate these values. Maybe I will go to this side of the stage. The bottom four are all what they call ephemeral, because they're easy to change. Adversaries tend to have a lot of money to change those values in their attack campaigns. But then come SttP levels 2 and 3. Level 2 is adversary-brought tools; an example is when the adversary introduces Cobalt Strike or Mimikatz into the target environment. So that is level 2: they need to bring their own tooling to the target environment in order to achieve their goal. But level 3 is a bit better, or trickier, because they're using so-called living-off-the-land tools: they're using components that are found in the target environment itself. So they don't have to introduce their own attack tooling in order to move laterally or compromise the customer environment. And then there are levels 4 and 5, the unicorns that you rarely see. So this tries to illustrate that if you have a level 5 rule, it would cover the whole behavior of a MITRE technique. You would introduce one detection rule and you would get all the behaviors related to that technique. Is this possible? Let's take an example here.

Introducing schtasks. We already figured out that we're missing that in the campaign, so that's why we are taking schtasks here. For those who are maybe not so familiar with what it is and how it works: you can modify scheduled tasks inside the Windows operating system in many different ways. You can use GUI tools, you can use the command line, you can use WMI. So there's not really one way to modify them in the Windows operating system, so you need to think about all of those cases as different cases. How do we detect this? Okay, we take the SttP calculation, or the metrics, and we introduce another layer. So this is a two-dimensional way of calculating the whole score for those techniques. Just to keep this short, I started with level 3, because levels 1 and 2 are quite trivial. If you think about changing the boolean logic here from AND to OR, then this detection logic would drop to level 1, because it's looking for either one happening, but with AND we need to find both of them. If you're doing threat detection, that's a basic thing you need to think about. And why it's level 3 is because we have Sysmon event ID 1, which tracks command-line parameters; even if you change the file name, the original file name, schtasks, comes directly from the PE header itself. So even if the adversary renames the running process, it cannot really change the original file name that is seen in the logs.

Okay. Can we do better? In fact, we can. This is even easier: there's the Windows event ID 4698 that is natively logged in the Windows operating system and can see scheduled tasks. What is good about this, if you build your detection capabilities around it, is that it gives a lot of context. Because it's a Windows event log, there's a lot of context: what got registered, what got set, who did that, and stuff like that. So there's a bunch of metadata that you can lean on when you're writing those detection logics. But are we done yet? Are we done yet? No. Because in fact you can miss all of those detections below, because in order to do scheduled tasks inside the Windows operating system, this registry key needs to exist. So if the adversary is not using WMI or command-line tools and they're just setting the registry key, the event ID never gets generated, because it depends on some DLLs that generate it when someone does this with the different tooling. So you can evade all those logics just by setting that registry key. This gets you thinking about how deep we can go here with just one technique; what are the layers of detecting this behavior?

I think someone already talked about Sigma today in their presentation. Summiting the Pyramid has also been introduced into the Sigma repository, so you can find those SttP scores inside the Sigma repository if someone has done their homework right and calculated how good their Sigma rule is. So if you're seeing level 4 or 5 rules, they are maybe pretty good, but if you see level 1 and 2 and stuff like that, there might be cases where they are okay, depending on the context. I wouldn't say that level 1 and 2 are automatically bad, but maybe they're just short-lived, so to speak, and they get old quite quickly.

Okay, we fell down quite a deep well, because I was talking about how to defend our organization and now we are talking about schtasks inside the Windows operating system. So let's get back on track, so to speak. There is a good new tool from David Johnson. He's a security guy from Feedly, if I remember correctly. He has built this really cool tool; go check it out. What the tool basically does is that we can take the DFIR Report URL and paste it into the tool. This is running on my own computer; I'm running it locally. It uses a cloud API to fetch an LLM to do the job. So the LLM is scanning the images that are found in the report, seeing all the indicators, and then figuring out the relationships in this whole campaign that has been seen in the report. So now it starts to calculate, or design, create the attack flow automatically. You can find this entertaining, because you can see it in real time: it's adding spots at the top, it's adding at the bottom. So it's defining what the attack stages are that are introduced in this report. Hopefully I sped this up a lot, because it takes some time to generate the whole attack flow, because it was quite a huge report, an extensive report, if you go and see the original report. So that illustrates the whole attack map there. And there's the GhostSocks C2 tool that the report was named after. The adversary used that to establish C2 channels in the target organization. And then we can try to find: okay, we talked about schtasks here, can we find them here? Of course, you need to go a bit lower, because it happened not at the start, but maybe when they wanted to escalate privileges or move laterally, they used scheduled tasks to do that. So you can find it there. Oh, this was just the cloud API cost of running that simulation: 35 cents to do all that dirty job for you. So it's quite cheap. If you try to do that mapping yourself, you can calculate which one I would use in the future.
But there's one downside of that tooling: you cannot modify those flows. It just generates a flow, but you cannot modify it. But the MITRE Center for Threat-Informed Defense has this Attack Flow project. It's a couple of years old already, and it has similar use cases. What I want to highlight, what is missing in most of these capabilities, is the education part. Like when I started my talk: to be good at defending your organization, you need to know how attacks are typically conducted, because you cannot really defend something that you don't know. That's one principle to keep in mind. And we can combine these two tools, because that flow tool gives you an option to export the data to the Attack Flow Builder file type. So there's the AFB file type. You can export the graph that the LLM just generated for you. You can take the AFB file and go to the MITRE Attack Flow Builder. You can run it locally in your own Docker, or you can use the publicly available website from MITRE, depending on the context, whether you want to publish it or not. And then you can modify it. You can change the order, you can add more points that you see, so that you find all the relevant choke points that you want to introduce. So this is tooling that can be introduced if you're doing tabletop exercises within your organization, or you're a consultant doing tabletop exercises for an organization: use these tools to combine the attack path and then go step by step. Okay, this is how the attack went; what kind of tooling do you have in order to protect against it, detect it or evade it? So you can run these tabletop exercises using these two tools. It's quite simple to do. You don't really have to do a lot of groundwork to get these flows yourself.

Just a couple of data points I wanted to highlight. This is from the Microsoft Digital Defense Report from last year. I'm basically highlighting why I'm talking about attack paths overall. What we introduced in the Digital Defense Report, this is directly from the report itself, is that we have analyzed quite many organizations and tested our tooling there, and we can see that there are pretty many attack paths that we can find within our customer tenants, and pretty many attack paths lead to a sensitive user account or sensitive data. So that is really a fact that we have established, and why I'm talking about this.

Starting to summarize, because I'm running out of time. If you're wondering why I have this chessboard here, what the chessboard illustrates, why it exists in my presentation: because you can think about defending your organization as a chess game for the adversary, because the adversary cannot do whatever they want inside your organization. You may be lacking some components that the adversary typically wants to exploit, or you have hardened some operating systems, or you have segmented your network. So you can play chess: it's harder for the adversary to reach their goal if you put in a little effort to ruin their investment in your organization.

Okay, maybe I'll just put all of these up. This first one is a really good lesson: don't fall into depression. I know it can be a daunting task to know your environment; that's a huge ask for organizations to begin with. But from my point of view it's really pointless doing anything if you don't have facts on which you're building your strategy, building your capability, not just buying tools because we want better security or something like that. Just have some focus on why, on what I want to do better inside my organization. And I have been in many SOCs before, so those logs are quite important to have somewhere. That's usually the first downer when you go to an incident response case and go to the customer: "Okay, show me your logs, where are the events that we can investigate?" "We don't have any." Okay, let's start to figure out the old-fashioned way what has happened. And also think about strategy, what kind of capabilities we need to introduce. An example of those choke points: if you're analyzing different attack graphs overall, let's say that you've taken 30 attack graphs and start analyzing what the common MITRE tactics are that are seen in all of those, how many similar attack tactics you will see in those 30 different attack paths. Then you start to look at choke points: okay, this happens quite a lot, maybe we should focus on this. I think that summarizes my talk. That QR code is just my LinkedIn, if you were wondering why it's there. And as you can maybe see, there are a lot of old RPG references in those pictures, so if you want to talk about old RPG games, you can come and talk to me at the bar or some place, or ask me a question about this topic. Thank you.

[Applause]

If you have questions, we can pass the microphone.
>> So first and foremost, thank you. And I have a question about mapping the detections and preventions to the MITRE ATT&CK matrix. You mentioned mapping the detections to the MITRE ATT&CK matrix and then comparing the matrices of the attacks to the matrices of the defenses to see where you have the gaps.
>> Mm-hm.
>> But the question I have is that we also might map the preventative measures to the ATT&CK matrix, for example our EDRs, our defensible network infrastructures, or other preventative measures. Doesn't it get difficult to track what you detect, what you prevent, and how do you continuously update so that these mappings on the defensive side of things are up to date and accurate?
>> Yeah, I would treat those as something you don't do every day. That is something you can define in your year clock, that you do investigation points: okay, what do we have, what do we do? And that is one justification for upper management, maybe, that we need to allocate more work, so that we can have budget for next year, maybe so that we have better tooling here, we have better people doing stuff like that. So you can use that information quite differently. But my takeaway is: don't do technical stuff for technical people only, because there has to be a metric by which you can justify why you're doing what you're doing. But every tooling nowadays is quite good at mapping itself, like the EDR, XDR and stuff like that; they automatically give you the MITRE ATT&CK alignment typically nowadays, that's the default from what I've seen. So you can take those metrics and start building. But like I said, do the basics, start somewhere, and then when your maturity goes up, do something more. It's not like you can build this whole system in one go. So it's a continuous process to think about and iterate on as you go forward.
about and iterate it when you go forward. >> Just another question. So you mentioned the matrix given by the EDR. So suppose we have a matrix given by the CM that maps the rules to the attack matrix. How do we consolidate those results into one matrix to have a comprehensive overview of the defenses? Do you have any advice on that? I have to be kind of easy on that because I'm only kind of expert on Microsoft tooling. So, uh I can say that yeah at least or a border you can see the miter pay itself you can see what are the kind of possible edr techniques and techniques that they they can see or the MDI and stuff like that.
So I can only kind of speak of the tooling that that I use daily basis but you you might have different toolings there and don't know about the process there that how difficult it is to kind of get those information as actionable for your organization basically. >> Thank you.
>> Let's give a round of applause. Thank you. Thank you. Oh thanks.