
Infiltrate 2015 - Data Driven Offense

Date post: 02-Aug-2015
Upload: ram-shankar-siva-kumar
Sacha Faust @sachafaust / Azure Red Team | Ram Shankar @ram_ssk / Azure Security Data Science DATA DRIVEN OFFENSE
Transcript

1. Title: Sacha Faust @sachafaust / Azure Red Team | Ram Shankar @ram_ssk / Azure Security Data Science. Data Driven Offense.

2. Key Takeaways
- Use data to drive common scenarios
- How ML can be used
- Strategic advantages

3. Our Reality

4. Context
- Cloud vs Cloud
- Red vs Blue focus
- Increase MTTC and MTTP; decrease MTTD and MTTR
- Engineering heavy
- Single target

5. Advanced Persistent Threats
- Specific/sequential targeting
- Effective reconnaissance
- Practiced tool usage
- Sophisticated planning
- Social engineering
- Advanced & persistent

6. Infrastructure
[Diagram: Boyd's OODA loop (Observe, Orient, Decide, Act) with its feed-forward, feedback and implicit guidance paths, drawn over the supporting platform: Storage, Service Bus, Big Data, ML, Auto Scaling]

7. Next Generation APT
- Diversionary tactics
- Machine learning
- Varied persistence
- Intelligence driven
- Multi-front assaults

8. Intelligence Driven: pivoting scenario

9. Problem Statement
- Compromised user
- Target: servers with Administrator access

10. Context
- Data available to all authenticated users
- Identity used - 1
- Exfiltration size - ~4 GB
- Data sources: Active Directory users/groups; machines; local group membership
- Implementation: SQL Azure; Azure Service Bus; Azure Worker Role; Remote PowerShell

11. Route Discovery: pivoting opportunities
- Dashboard: # Actions 0; # Routes 0; # Routes to eval - 7
- Assets: # Identities - 1; # Servers - 7

12. One Level Deep
- Dashboard: # Actions 7; # Routes 12; # Routes to eval - 11
- Assets: # Servers - 23; # Identities - 4
[Diagram: pivot graph expanded to levels 0-3, remaining nodes untouched]

13. Outcome: Pwned
- Report: PtH pivoting; MTTP - seconds; # Actions to target - 9; # Min pivots required - 2; # Routes - 12
- Blue learnings: comprehensive TTP exposure analysis; increased awareness; measure mitigation impact; measurable (KPI)

14. Examples

15. Examples

16. Examples

17. Strategic Advantages
- Surgical
- Fly under most radar
- Limited TTP exposure
- Routes can be saved/replayed/measured
- Long shelf life
- Not bound to PtH only

18. Beyond PtH Pivoting
- Paving egress routes
- Path avoidance
- Beachhead candidates
- Cloud pivoting

19. Machine Learning
[Diagram: the same OODA loop over Storage, Service Bus, Big Data, ML, Auto Scaling as on slide 6]

20. [Diagram, source: lectures by Pedro Domingos. Traditional programming: Data + Program -> Computer -> Output. Machine learning: Data + Output -> Computer -> Program.]

21. Introduction: Why is machine learning relevant to red teams?

22. Introduction: Why is machine learning relevant to red teams?

23. Introduction: Why is machine learning relevant to red teams?

24. ML Driven Spear Phishing: how can red teams use machine learning?
- Subvert existing ML algorithms that defenders have put in place (classic adversarial machine learning; key goal: game the ML system). Check out: http://www.slideshare.net/RamShankarSivaKumar/subverting-machine-learning-detections-for-fun-and-profit (DerbyCon 2014)
- Think of attacks as a large-scale optimization problem and use ML to solve it

25. Machine Learning: ML driven spear phishing

26. ML Approach
- Problem: which phishing mail should be sent to a victim?
- Why use machine learning? Targeted phishing emails increase the likelihood of compromise (Distinguished Engineer: Subj: Country Club Invitation; Program Manager: Subj: Kanban Notes; Developer: Subj: Code check in?). It also makes the blue team's job of building attacker TTPs and IOCs much more difficult.
- Machine learning task: how to pick the right email per person?

27. ML Approach: recommender engines!

28. Contextual bandit arms - intuition
- The world announces some context information (Program Managers like meetings).
- A policy chooses arm a from 1 of k arms (i.e. 1 of k phishing emails).
- The world reveals the reward r_a of the chosen arm (i.e. whether the message is clicked on).

29. Experiment
- Objective - recommend the most appropriate email for the user, based on their role
- Data set: 1) leverage data from (previously/currently) compromised hosts; 2) input: email corpus, context (title of role), action (clicked, not clicked), featurization (time of click, number of words)
- Tooling - Vowpal Wabbit (I/O bound, parallelizable, built for large-scale learning)
- Result - overall click-through rate (CTR) increased by 23%, with the highest increase for Program Managers (+22%) and the least for Developers (5.4%)

30. Red Advantages - Takeaways
1) Embedding intelligence into attacks can make them more effective; ML can make attacks adaptive too.
2) The tricky part is mapping the attack goals to the right kind of problem - a short but steep learning curve. Tip: borrow the blue team's behavioral detections and use the same tools against them.

31. Parting Thoughts

32. Advantages
- Strategic: targeting and surveillance; monitoring (IOM); detection (IOD); recovery (IOR); automated and reusable attack planning; decreased MTTC & MTTP; increased MTTD & MTTR; controlled exposure; small footprint; TTP/actor emulation/impersonation
- Operational: autonomous stages; measurable efficiency; reduced capabilities exposure; flexible; improved IP retention; efficiency increases over time

33. Possible Defense
- Adopt an Assume Breach mindset
- Accelerate growth: war games
- Consider Moving Target Defense
- Understand pivoting opportunities
- Share TTP/IOC

34. Thank you. Sacha Faust @sachafaust, Ram Shankar @ram_ssk
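The route discovery dashboards of slides 11-13 (routes, minimum pivots, measuring mitigation impact) and the "understand pivoting opportunities" defence on slide 33 both reduce to a graph search over two relations: who is a local admin where, and whose credentials are resident on which server. The following is an added example, not code from the talk or its authors, over a constructed inventory (all server and identity names are made up); it enumerates routes from a compromised identity to a target server, reports the minimum number of pivots, and scores one mitigation as a before/after KPI the way a blue team would.

```python
# Constructed sample inventory (not from the talk): which identities hold local
# admin rights on each server, and whose credentials are resident (logged-on
# sessions) on each server, i.e. what a PtH pivot could harvest there.
ADMINS = {
    "web01": {"alice", "svc_web"}, "web02": {"alice"},
    "build01": {"svc_web", "bob"}, "sql01": {"bob", "dba"}, "dc01": {"dba"},
}
SESSIONS = {
    "web01": {"svc_web"}, "web02": {"bob"}, "build01": {"bob"},
    "sql01": {"dba"}, "dc01": set(),
}

def pivot_routes(admins, sessions, start, targets):
    """Enumerate routes from a compromised identity to any target server.
    A hop is (identity, server): the identity is admin on the server, and any
    other identity with a session there becomes the next pivot. Servers are
    never revisited. Returns (routes, min_pivots), where pivots is the number
    of servers traversed before the target (None when unreachable)."""
    routes = []

    def walk(ident, path, seen):
        for server, members in admins.items():
            if ident not in members or server in seen:
                continue
            hop = path + [(ident, server)]
            if server in targets:
                routes.append(hop)
            else:
                for nxt in sessions.get(server, ()):
                    if nxt != ident:          # reusing your own creds is no pivot
                        walk(nxt, hop, seen | {server})

    walk(start, [], frozenset())
    min_pivots = min((len(r) - 1 for r in routes), default=None)
    return routes, min_pivots

def mitigation_impact(admins, sessions, start, targets, server, ident):
    """KPI for one mitigation: stop `ident` leaving credentials on `server`
    (e.g. tiered admin logons) and report routes / min pivots before and after."""
    before = pivot_routes(admins, sessions, start, targets)
    patched = {s: (v - {ident} if s == server else v) for s, v in sessions.items()}
    after = pivot_routes(admins, patched, start, targets)
    return {"routes_before": len(before[0]), "min_pivots_before": before[1],
            "routes_after": len(after[0]), "min_pivots_after": after[1]}

if __name__ == "__main__":
    routes, mp = pivot_routes(ADMINS, SESSIONS, "alice", {"dc01"})
    for r in routes:
        print(" -> ".join(f"{i}@{s}" for i, s in r))
    print("routes:", len(routes), "min pivots:", mp)
    print(mitigation_impact(ADMINS, SESSIONS, "alice", {"dc01"}, "web02", "bob"))
```

Removing bob's session from web02 cuts the sample from two routes with a minimum of two pivots to one route needing three, which is the kind of measurable delta slide 13 calls a blue-team KPI.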