Mirror on the wall: using blue team techniques in red team ops

Presented at BruCON 0x0A (2018), Oct. 5, 2018, 4:30 p.m. (60 minutes)

When performing multi-month, multi-C2-teamserver and multi-scenario red team operations, you are working with an infrastructure that becomes very large very quickly. This makes it harder to keep track of what is happening on it. Coupled with the ever-increasing maturity of blue teams, this makes it more likely that the blue team is somewhere analysing parts of your infra and/or artefacts. In this presentation we’ll show you how you can use that to your advantage. We’ll present different ways to keep track of the blue team’s analyses and detections, and to dynamically adjust your infra to fool the blue team. We will first set the scene by explaining common and lesser-known components of red teaming infrastructures, e.g. dynamic redirectors, domain fronting revisited, decoy websites, HTML smuggling, etc. Secondly, we’ll show how to centralize all of your infrastructure’s and ops’ information in an ELK stack, leaving it open for intelligent querying across the entire infrastructure and operation. This will also help with giving better feedback to the blue team at the end of the engagement. Lastly, we’ll dive into novel ways of detecting a blue team’s investigation and we’ll give examples of how to react to these actions, for example by creating honeypots for the blue team.


Presenters:

  • Marc Smeets
    Marc is a senior IT security expert, red teamer and ethical hacker. With 12 years’ experience in IT security and 3 years in IT operations he knows how to ‘make’ and ‘break’. In early 2016, he co-founded Outflank, a new company solely focussed on red teaming, complex penetration tests and trainings for blue teams. Besides working for his clients, Marc spends his time making tools to optimise the red teamer’s workflow, some of which are publicly released, e.g. Invoke-ADLabDeployer. Besides infosec, Marc is a great fan of fast cars and champagne.
  • Mark Bergman
    Starting coding COBOL85 on the ING mainframes at the age of 16, I swiftly learned several programming languages and querying formats. After aiding in compiling the first TCP/IP stack on the ING test mainframe, I decided to dive into WinNT development, and before I knew it I was digging into the concepts of classic memory overflows and how they can be abused. After this adventure in the banking industry I’ve spent some time with a bigger consultancy firm. In 2016 I co-founded Outflank; we now perform advanced attack simulations (others might call this Red Teaming). I’ve found my role in offensive moves and scripting everything that someone in the team had typed more than three times; we now spin up new redirectors at 40 new IPs per minute when needed.
