root@ssh1:~#whoami
• DIRECTOR OF TECHNOLOGY AND INFORMATION SYSTEMS 20+ YEARS
• CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL (CISSP)
• CERTIFIED GIAC SYSTEM AND NETWORK AUDITOR (GSNA)
• CERTIFIED GIAC INCIDENT HANDLER (GCIH)
• M.S. IN COMPUTERS AND TECHNOLOGY IN EDUCATION
• UNITED STATES MARINE CORPS
GOALS
• EXPLAIN RED TEAM EXERCISES
• ILLUSTRATE COMMAND AND CONTROL COVERT CHANNELS
• OUTLINE SOURCES OF DATA TO IDENTIFY COVERT CHANNELS
• EXAMINE TWO COMMAND AND CONTROL RED TEAM EXERCISES
• OUTLINE BEGINNING STEPS TO CONDUCTING RED TEAM EXERCISES
JARGON ALERT!
• VULNERABILITY SCAN
• PENETRATION TEST
• RED TEAM/BLUE TEAM
RED TEAM—OPPOSING FORCE (OPFOR)
• FINISH THE FOLLOWING SENTENCE, “THE RED TEAM’S GOAL IS TO MAKE THE BLUE TEAM BETTER AT ________?”
• SKILL BUILDING EXERCISE
• ESTABLISH CLEAR OBJECTIVE(S) TO TEST
• PREPARE EXERCISE TO MEET LEARNING OBJECTIVE(S)
• MEASURES DEFENDERS’ ABILITY TO MEET OBJECTIVES OF RED TEAM ENGAGEMENT
BLUE TEAM—DEFENDERS
• REVIEW INCIDENT RESPONSE PROCEDURES
• REVIEW SOURCES OF DATA, E.G. LOGS
• PRACTICE OPERATION OF TOOLS, E.G. NETSNIFF, TCPDUMP, WIRESHARK
• GATHER NECESSARY EQUIPMENT, TOOLS, AND SUPPLIES, E.G. EXTRA MONITORS AND SNACKS
WHAT KEEPS YOU UP AT NIGHT?
https://github.com/NextronSystems/APTSimulator
WHAT KEEPS YOU UP AT NIGHT? LOCKHEED MARTIN CYBER KILL CHAIN
• IDENTIFY & RECON
• INITIAL ATTACK
• COMMAND & CONTROL
• 2018 VERIZON DBIR: C2 WAS PRESENT IN 19 OUT OF EVERY 100 “BREACHES” IN EDU
• 2018 TRUSTWAVE GLOBAL SECURITY REPORT: MEDIAN TIME BETWEEN INTRUSION AND DETECTION FOR EXTERNALLY DETECTED COMPROMISES WAS 83 DAYS IN 2017
• DISCOVER & SPREAD
• EXTRACT & EXFILTRATE
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
GOALS OF COMMAND AND CONTROL
• CREATE TWO WAY COMMUNICATION CHANNEL BETWEEN ATTACKER AND TARGET
• GATHER INFORMATION
• HARVEST ACCOUNTS AND PASSWORDS
• MOVE LATERALLY IN NETWORK TO FIND ADDITIONAL VICTIM DEVICES
• EXFILTRATE DATA
• USE DEVICES AND NETWORK FOR FURTHER GAIN
COMMAND & CONTROL (C2, CNC)
• HOW WOULD I KNOW IF A COMPROMISED COMPUTER OR SERVER IS COMMUNICATING THROUGH A C2 COVERT CHANNEL?
• WHAT SOURCES OF DATA DO I LOG THAT WILL HELP IDENTIFY C2 COVERT CHANNELS?
• WHAT SOURCES OF DATA CAN I LOG THAT WILL HELP IDENTIFY C2 COVERT CHANNELS?
• WHAT MONITORING SYSTEMS DO I HAVE THAT WILL TRIGGER ON COVERT CHANNELS?
• WHAT TYPE OF TRIGGERS CAN I DEVELOP TO ALERT ON C2 COVERT CHANNELS?
FIREWALL
• A FIREWALL IS A NETWORK SECURITY DEVICE THAT MONITORS INCOMING AND OUTGOING NETWORK TRAFFIC AND DECIDES WHETHER TO ALLOW OR BLOCK SPECIFIC TRAFFIC BASED ON A DEFINED SET OF SECURITY RULES.
https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html
JARGON ALERT!
http-80
https-443
I have 80/443 open.
You can pass.
I’m listening on 80/443.
Here’s what I have.
smb-445 (Windows File Shares)
I do not have port 445 open.
“You shall not pass.”
I’m stateful. I’ll remember what port you use. I’ve been configured to permit you access to all 65,535 tcp ports and all 65,535 udp ports.
http-80
https-443
Email-25/110/143. You can pass.
Outgoing. Sure. I’ll remember.
I remember you. You can pass.
https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/
https://isc.sans.edu/forums/diary/Malspam+pushing+ransomware+using+two+layers+of+password+protection+to+avoid+detection/23573/
SOURCES OF DATA FOR C2 DETECTION
“PREVENTION IS IDEAL, BUT DETECTION IS A MUST”
-DR. ERIC COLE @DRERICCOLE
SOURCES OF DATA FOR C2 DETECTION
• FIREWALL
• WEB PROXY
• DNS (WINDOWS EVENT LOGS)
• NETFLOW (SESSION DATA)
• FULL PACKET CAPTURE (IF PERMITTED)
SOURCES OF DATA: FIREWALL
• EMERGENCY (SEVERITY 0) SYSTEM IS UNUSABLE.
• ALERT (SEVERITY 1) IMMEDIATE ACTION IS NEEDED.
• CRITICAL (SEVERITY 2) CRITICAL CONDITION.
• ERROR (SEVERITY 3) ERROR CONDITION.
• WARNING (SEVERITY 4) WARNING CONDITION.
• NOTIFICATION (SEVERITY 5) NORMAL BUT SIGNIFICANT CONDITION.
• INFORMATION (SEVERITY 6) NORMAL INFORMATION MESSAGE.
• DEBUGGING (SEVERITY 7) DEBUGGING MESSAGE.
The firewall is logging. I think....
SOURCES OF DATA FOR C2 DETECTION
“IF YOU HAVEN'T TESTED AND VALIDATED [YOUR SECURITY MONITORING’S DETECTION
CAPABILITIES], DON'T CONSIDER IT DETECTION, IT'S JUST A RULE WITH A PRAYER.”
–RUSS MCREE @HOLISTICINFOSEC
RED TEAM #1-OBJECTIVES
• PRACTICE INCIDENT RESPONSE PROCEDURES, E.G. EVENT CORRELATION
• IDENTIFY AND CONTAIN COMPROMISED DEVICE
• LOCATE COMPROMISED DEVICE
• IDENTIFY C2 COVERT CHANNEL(S)
• DETERMINE LATERAL MOVEMENT
• TEST OUR MANAGED SECURITY SERVICE
RED TEAM #1-OBJECTIVES
INCIDENT RESPONSE—SANS “PICERL” MODEL
• PREPARATION
• IDENTIFICATION
• CONTAINMENT
• ERADICATION
• RECOVERY
• LESSONS LEARNED
SCOPE OF NETWORK
• >8500 STUDENTS
• >1900 EMPLOYEES
• >14,000 DEVICES ON NETWORK (WIRED AND WIRELESS)
• 14 LOCATIONS CONNECTED VIA FIBER NETWORK
• 71 TELECOMMUNICATIONS CLOSETS
RED TEAM: “LAN TURTLE”
RED TEAM: HAK5 LAN TURTLE
20 PREINSTALLED MODULES ON LAN TURTLE:
• AUTOSSH-PORT 22
• NETCAT-REVSHELL ANY PORT (6666)
• https://www.sans.org/reading-room/whitepapers/tools/netcat-tcp-ip-swiss-army-knife-952
• METERPRETER (METASPLOIT)-ANY PORT (4444)
• https://www.darkoperator.com/installing-metasploit-in-ubunt/
DIGITAL OCEAN
• https://www.digitalocean.com/
I remember you. You can pass.
Outgoing 22, 4444 and 6666. Sure. I’ll remember.
RED TEAM: HAK5 LAN TURTLE
RED TEAM KICK OFF:
• RED TEAM WAS SCHEDULED FOR A DAY GOOD FOR BLUE TEAM MEMBERS—DISTRICT IN-SERVICE
• COMPROMISED DEVICE STARTED LATERAL SCANNING (KNOWN TO TRIGGER ALARMS IN LANCOPE--NETFLOW)
• COMPROMISED DEVICE PARTIALLY HIDDEN ON CROWDED DESK IN LIBRARY
RED TEAM: HAK5 LAN TURTLE
LESSONS LEARNED:
• INITIALLY DISCOVERED ANOTHER DEVICE WITH WEIRD OUTBOUND COMMUNICATIONS
• REINFORCED ABILITY TO USE TOOLS TO LOCATE DEVICES VIA DHCP, IP SCOPE, MAC ADDRESS, PHYSICAL PORT, E.G. CAN YOU IDENTIFY WHAT DEVICE HAD A SPECIFIC IP ADDRESS TWO WEEKS AGO?
• IDENTIFIED NEED TO IMPLEMENT EGRESS FILTERING
• IDENTIFIED NEED TO FURTHER DEVELOP AND PRACTICE INCIDENT RESPONSE PROCEDURES
• USE OF SHARED TIMELINE TO RECORD IR ACTIONS
• TEAM BUILDING EXPERIENCE
RED TEAM #2-OBJECTIVES
• PRACTICE INCIDENT RESPONSE PROCEDURES
• PRACTICE COLLECTING DATA REQUESTED BY MANAGED SECURITY SERVICE PROVIDER DURING INCIDENT
• IDENTIFY C2 COVERT CHANNEL(S)
• DETERMINE LATERAL MOVEMENT
• TEST OUR MANAGED SECURITY SERVICE PROVIDER
RED TEAM: DNSCAT2
• DNS: DOMAIN NAME SYSTEM, UDP (TCP) 53
• DNSCAT2 DIRECTLY TO C2 SERVER IF OUTBOUND DNS TRAFFIC IS PERMITTED TO ANY DNS SERVER
• DNSCAT2 INDIRECTLY TO C2 SERVER THROUGH VICTIM’S DNS SERVER IF OUTBOUND DNS TRAFFIC IS PERMITTED BY ONLY VICTIM’S INTERNAL DNS SERVERS
• DNSCAT2 LINUX AND WINDOWS POWERSHELL CLIENTS
• ARBITRARY COMMANDS, UPLOAD/DOWNLOAD FILES, AND SHELL
• POLLS EVERY 1 SECOND, NOISY
DNS: DOMAIN NAME SYSTEM
I want to go to www.bucks.edu
DNSCAT2 Client direct communication with DNSCAT2 C2 Server
DNSCAT2 Client communication with DNSCAT2 C2 Server via Internal DNS Server
DNSCAT2 UNENCRYPTED DIRECT
Hex to ASCII=“whoami”
DNSCAT2 ENCRYPTED AUTHORITATIVE
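As an added example (not from the presentation), the "hex to ASCII" check above turned into a small detector: it groups DNS query log lines by client and base domain, flags clients that repeatedly query hex-only subdomains, and decodes the hex into printable strings. The log lines, the c2.example domain and the hex payloads are constructed; the 16-character label threshold and the two-label base-domain rule are simplifying assumptions.

```python
import re
from collections import defaultdict

HEX_RE = re.compile(r"^[0-9a-f]+$")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")  # runs of 4+ printable ASCII bytes

# Constructed DNS query log (client qtype qname), not real traffic; hex labels mimic dnscat2
SAMPLE_LOG = """\
10.1.5.23 A www.bucks.edu
10.1.5.23 TXT 4a6f0100003fa2000000000000.c2.example
10.1.5.23 TXT 6c1e01000071b3000000000077686f616d69.c2.example
10.1.5.23 CNAME 9b2201000071b30000000000.c2.example
10.1.5.44 A login.microsoftonline.com
10.1.5.44 A outlook.office365.com
"""

def base_domain(qname):
    # Registered domain approximated as the last two labels (simplification)
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def hex_payload(qname):
    # Subdomain labels joined as one hex string, or None if they are not hex
    joined = "".join(qname.lower().rstrip(".").split(".")[:-2])
    if len(joined) >= 16 and len(joined) % 2 == 0 and HEX_RE.match(joined):
        return joined
    return None

def decode_strings(hexdata):
    # Hex -> bytes -> printable ASCII runs (the "hex to ASCII" step in the slides)
    return [run.decode("ascii") for run in PRINTABLE_RE.findall(bytes.fromhex(hexdata))]

def analyze(log_text, min_hex_queries=2):
    # Group queries by (client, base domain); flag pairs with repeated hex subdomains
    stats = defaultdict(lambda: {"queries": 0, "hex": 0, "types": set(), "strings": []})
    for line in log_text.splitlines():
        client, qtype, qname = line.split()
        s = stats[(client, base_domain(qname))]
        s["queries"] += 1
        s["types"].add(qtype)
        payload = hex_payload(qname)
        if payload:
            s["hex"] += 1
            s["strings"].extend(decode_strings(payload))
    return {k: {**s, "types": sorted(s["types"])}
            for k, s in stats.items() if s["hex"] >= min_hex_queries}

if __name__ == "__main__":
    for (client, domain), f in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {f['hex']}/{f['queries']} hex queries "
              f"{f['types']}, decoded: {f['strings']}")
```

Encrypted dnscat2 sessions still show the hex-only labels and the one-query-per-second polling, so the count-based flag fires even when nothing decodes to readable text.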
RED TEAM: DNSCAT2
RED TEAM KICK OFF:
• RED TEAM WAS SCHEDULED FOR A DAY GOOD FOR BLUE TEAM MEMBERS—DISTRICT IN-SERVICE
• RULES OF ENGAGEMENT DISCUSSED, “DON’T MOVE TO CONTAINMENT UNTIL WE FULLY UNDERSTAND COMPROMISE”
• POWERSHELL USED TO DOWNLOAD DNSCAT2-POWERSHELL
• COMPROMISED DEVICE DOWNLOADED PSEXEC (KNOWN TO TRIGGER ALARMS IN SOPHOS)
• COMPROMISED DEVICE BEGAN LATERAL SCANNING (KNOWN TO TRIGGER ALARMS IN LANCOPE)
RED TEAM: DNSCAT2
LESSONS LEARNED:
• BAD CONFIGURATION IN WINDOWS CLIENTS PERMITTED ELEVATED POWERSHELL PERMISSIONS
• IDENTIFIED NEED TO COLLECT DNS LOGS
• IDENTIFIED NEED TO DEVELOP TRIGGERS FOR DNS ALERTING
• EGRESS FILTERING SPECIFIC TO IDENTIFIED SERVERS, E.G. ONLY DESIGNATED DNS SERVERS SHOULD HAVE ACCESS TO TCP/UDP 53
• NEED TO FURTHER DEVELOP AND PRACTICE INCIDENT RESPONSE PROCEDURES
• TEAM BUILDING EXPERIENCE
THE WORK ISN’T OVER...
THE WORK ISN’T OVER WITH THE COMPROMISED DEVICE IDENTIFIED AND CONTAINED
• WHAT WERE THE INDICATORS OF COMPROMISE (IOC)?
• WHAT DATA SOURCES PROVIDED INSIGHT INTO THE COMPROMISE?
• WHAT ARE THE ROOT CAUSES OF THE EXPLOITED VULNERABILITIES?
• HOW CAN WE REMEDIATE THE VULNERABILITIES? COMPENSATING CONTROLS?
• WHAT SKILLS DO WE NEED TO IMPROVE?
• WHAT INCIDENT RESPONSE PROCEDURES NEED TO BE CREATED OR UPDATED?
• WHAT MONITORING SYSTEMS MET EXPECTATION? WHAT SYSTEMS DID NOT MEET EXPECTATION?
LESSONS LEARNED
• CONDUCT LESSONS LEARNED MEETING
• AVOID FINGER POINTING AND BLAMING
• REVIEW EXISTING INCIDENT RESPONSE PROCEDURE
• DEVELOP PROCEDURE (IF ONE IS NOT AVAILABLE) FOR TYPE OF INCIDENT
• BRAINSTORM ADDITIONAL METHODS TO MITIGATE FUTURE RISK
• IDENTIFY ADDITIONAL REPERCUSSIONS RESULTING FROM IR, E.G. IMPACT OF MITIGATION.
• UPDATE POLICIES, REGULATIONS, AND PROCEDURES
• UPDATE CSIR PLAN AND IR PROCEDURES
START SIMPLE
CIS CONTROL 12: BOUNDARY DEFENSE
• DENY COMMUNICATION OVER UNAUTHORIZED TCP OR UDP PORTS OR APPLICATION TRAFFIC TO ENSURE THAT ONLY AUTHORIZED PROTOCOLS ARE ALLOWED TO CROSS THE NETWORK BOUNDARY IN OR OUT OF THE NETWORK AT EACH OF THE ORGANIZATION'S NETWORK BOUNDARIES.
• https://www.cisecurity.org/controls/
START SIMPLE-SSH/PORT 22
• SSH* TO DEVICE OUTSIDE OF YOUR NETWORK, E.G. DIGITAL OCEAN
• USE SOURCES OF DATA, LOGS, TO IDENTIFY DEVICE ACTIVITY
• CORRELATE SOURCES OF DATA
• IDENTIFY LOCATION OF THE DEVICE, E.G. SWITCH PORT OR AP
• IDENTIFY OTHER ACTIVITIES, E.G. LATERAL MOVEMENT
*SSH BUILT INTO LINUX AND MAC. USE PUTTY FOR WINDOWS.
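An added example (not the presenter's code) of the correlation steps above: a firewall egress log is matched against DHCP lease history and a switch MAC table, so an outbound port-22 hit resolves to a MAC address and a switch port, and the same lease lookup answers the "which device had this IP two weeks ago" question from the first exercise. All log lines, addresses, MACs and switch names are constructed, and the key=value firewall log format is an assumption.

```python
from datetime import datetime
# Constructed sample data for the exercise; none of it is real
FIREWALL_LOG = """\
2018-10-12T09:14:02 src=10.1.5.23 dst=203.0.113.7 dport=22 proto=tcp action=allow
2018-10-12T09:14:05 src=10.1.5.44 dst=40.97.120.5 dport=443 proto=tcp action=allow
2018-10-12T09:15:31 src=10.1.5.23 dst=203.0.113.7 dport=22 proto=tcp action=allow
"""
# DHCP lease history (ip, mac, lease start, lease end); the same IP has had two owners
DHCP_LEASES = [
    ("10.1.5.23", "00:13:37:aa:bb:cc", "2018-10-12T07:58:00", "2018-10-12T19:58:00"),
    ("10.1.5.23", "3c:22:fb:11:22:33", "2018-09-28T08:01:00", "2018-09-28T20:01:00"),
]
MAC_TABLE = {"00:13:37:aa:bb:cc": ("lib-sw01", "Gi1/0/17")}  # switch MAC table: mac -> (switch, port)
WATCH_PORTS = {22, 4444, 6666}  # outbound ports used by the LAN Turtle modules in the talk

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def parse_fw(line):
    # One key=value firewall log line -> dict with typed timestamp and port
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = parse_ts(ts)
    rec["dport"] = int(rec["dport"])
    return rec

def lease_for(ip, ts):
    # Which MAC held this IP at time ts? Answers "who had 10.1.5.23 two weeks ago?"
    for lease_ip, mac, start, end in DHCP_LEASES:
        if lease_ip == ip and parse_ts(start) <= ts <= parse_ts(end):
            return mac
    return None

def correlate(log_text):
    # Firewall egress hit -> DHCP lease -> switch port, for watched outbound ports only
    findings = []
    for line in log_text.splitlines():
        rec = parse_fw(line)
        if rec["action"] != "allow" or rec["dport"] not in WATCH_PORTS:
            continue
        mac = lease_for(rec["src"], rec["ts"])
        loc = MAC_TABLE.get(mac, (None, None))
        findings.append({"ts": rec["ts"].isoformat(), "src": rec["src"], "dst": rec["dst"],
                         "dport": rec["dport"], "mac": mac, "switch": loc[0], "port": loc[1]})
    return findings

if __name__ == "__main__":
    for f in correlate(FIREWALL_LOG):
        print(f)
```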
“THE MORE I PRACTICE, THE LUCKIER I GET.”