Adversarial Emulation

Presented at Wild West Hackin' Fest 2019, Oct. 24, 2019, 3 p.m. (50 minutes).

Today’s Red Team isn’t enough Why do we care? Because we want to move our defenses and understanding beyond a detection-based approach which has repeatedly been demonstrated to fail. Why did I build SCYTHE? What led me here? - Target Corporation Use Case - Bounded Attack Space Philosophy - the atoms of an attack (different way to look at ATT&CK) - Lessons Learned as a CNO expert coming into commercial/industry red teaming Red Team vs Adversary Emulation - what’s done today vs what should be done To white box or black box Threat Intelligence - Such a disappointment = static identifiers, but no way to machine read for emulation - Analyst reports! Sigh, you have to read and analyze to pull out capabilities and TTPs - Neutered malware - awesome! But… risky and takes a decent amount of work to do, plus very prone to signature-based detection response MITRE ATT&CK - what it can and can’t do for you. - Common mistakes - rigid adherence, signature-based Open Source Options: - CALDERA - APT3 example (although, they didn’t really use CALDERA for this…) - Powershell - great. Seen in the wild. But, not hard to defend… so limitations. - Empire - based on… Powershell. - Living off the Land - https://lolbas-project.github.io/ Host Activities - Destruction: ransomware, wiper - Escalation - Persistence - Credential Theft Network Activities - Communication/Traffic - C2 infrastructure Lateral Movement - Combination of host/network - Mapping Going Purple - Combined visibility and reporting - How do you technically do this - SIEM/Analytics, red team strings/tagging - Program strategy and direction - shared gap analysis

Presenters:

  • Bryson Bort - SCYTHE
    Bryson is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a boutique cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a National Security Institute Fellow and an Advisor to the Army Cyber Institute. Prior, Bryson led an elite offensive capabilities development group. As a U.S. Army Officer, he served as a Battle Captain and Brigade Engineering Officer in support of Operation Iraqi Freedom before leaving the Army as a Captain. Bryson received his Bachelor of Science in Computer Science with honors from the United States Military Academy at West Point. He holds a Master’s Degree in Telecommunications Management from the University of Maryland, a Master’s in Business Administration from the University of Florida, and completed graduate studies in Electrical Engineering and Computer Science at the University of Texas. [@brysonbort](https://twitter.com/brysonbort) [@scythe\_io](https://twitter.com/scythe_io)

Links:

Similar Presentations: