[Dailydave] Adversary Simulation

Adrian Sanabria adrian.sanabria at gmail.com
Thu Dec 1 13:36:17 EST 2016 

So, this has become its own market segment now, and I think
attack/adversary simulation is really important. Yes, I agree that
accurately simulating current tactics is important, but this is a hugely
valuable capability even if the simulations are older,since the average
enterprise is far from effectively defending against more sophisticated
adversaries. And let's be honest - the attackers most likely to go after
the average organization don't get terribly fancy unless they have to (they
usually don't have to).

What is exciting here is the ability to safely simulate attack/breach
activities in production as often as you want. Most orgs only have an
opportunity to do something like this once a year, during the annual
pentest, and most orgs I've seen squander that opportunity by focusing
instead on the missing patches of the day,not the fact that domain admin
creds were created, and no one noticed. To significantly improve defenses,
we need to be able to cycle through improvements weekly, not once a year,
and it is impractical to do pentesting activities that frequently. In fact,
most orgs I've seen don't have anyone qualified to run active attack tools
safely, so they're usually banned from doing so.

I see three key use cases with tools like Innuendo:

1. Functional controls testing - is your stuff powered on and working is it
plugged into the right SPAN port? Is it in monitor or blocking mode? Is it
configured they way you THINK it is configured? Run functional tests after
every major environment change, maintenance work, and on a regular periodic
basis - once a week seems reasonable. I think every integrator/professional
services team installing enterprise security tech should do some sort of
real
2. Efficacy testing - okay, you detected C2 over HTTP. What about HTTPS?
Tor? DNS? The next step past functional testing is ensuring that you can
detect the attacks you're most likely to get hit by.
3. Response training. Forget annual IRP training. How about testing your
SOC team/analysts weekly?

There's are a few other commercial offerings here with varying features and
complexity - SafeBreach, Verodin, AttackIQ and vThreat to name a few.

That's my $0.02 on this.

--Adrian

On Nov 30, 2016 08:52, "Christos Kalkanis" <chris at immunityinc.com> wrote:

Paul,

INNUENDO was created to be a framework, or a superset if you like,
of APT functionality that was common at the time but also visible on the
horizon. The most important design decision we made was to keep
the architecture flexible enough in order to both adapt to and subsume
emerging techniques used by nation states while dealing with uncertainty
and failures on the target end. This led us to fully adopt Python as
the core of INNUENDO [1].

In the years since, we've watched, with some satisfaction,
the domain shift towards the direction we had envisioned. From
Flame to Project Sauron and beyond, there is a trend towards
more flexibility and runtime dynamism including the use of languages
other than C. In short, the implants are getting more intelligent.

I think we have done a good job of matching and in many cases
exceeding the rate of change in this arena with features
such as:

+ An embedded debugger available from the get-go.

+ Implicit implant-to-implant routing, no configuration needed.

+ Peer-to-peer network for implant synchronization.

+ Ephemeral in-memory execution without artifacts.

+ In-process sniffer also exposed through Python and
  optional out-of-process usage.

+ Bidirectional Outlook exfiltration channel.

+ Programmable channel-switching behavior.

+ An executor that can transparently manage and execute 3rd party
  Python code + its dependencies at runtime.

Some of these haven't been widely observed in the wild yet,
I expect to see them out in the open sooner rather than later.

Finally, I am not aware of any criminal elements using our framework,
but I'd say that the more sophisticated actors are certainly moving
in the same direction.

[1] http://infiltratecon.com/downloads/python_deflowered.pdf

Chris

On Tue, 29 Nov 2016 14:57:37 -0600,
Paul Melson <pmelson at gmail.com> wrote:
> So are you aware of a criminal actor that uses Immunity's Innuendo in
their attacks?  If not, then which adversary are you simulating?
>
> The point to my obvious straw man is that if you really want to help your
> clients up their game in detecting and responding to real threats,
shouldn't
> you study the actors that target their industry verticals and emulate
their
> operations using the same tools and tactics they are known to choose?
>
>
>
>> On Nov 29, 2016, at 9:26 AM, dave aitel <dave at immunityinc.com> wrote:
>>
>> So obviously everything a penetration testing company does is at some
level
>> "Adversary Simulation". I like to call it "Focused Training" - because
>> penetration testing is more about education than anything else, but the
WAY
>> you do to that is by emulating and instrumenting some sort of adversarial
>> process.
>>
>> Ok, that said, we have for the past year offered a special service called
>> Adversary Simulation by which we meant something quite specific. We go to
>> some big financial company, usually super under-dressed for the cold
because
>> we live in Miami, and we install INNUENDO on a couple machines. Then we
>> exfiltrate a few terabytes of data over whatever protocols are working
and
>> we work with the company to do a hardcore analysis of their detection
>> systems for that sort of thing.
>>
>> That sounds simple. But in practice, every company at that size range has
>> multiple products trying to detect you, and they provide overlapping
>> coverage. Sometimes the Alerts are useful, and sometimes not. For
example,
>> when you're doing DNS exfiltration, FireEye will alert on the weirdness
of
>> the DNS packets. But it has no idea who the infected endpoint is, because
>> those DNS packets came from intermediary DNS servers! :)
>>
>> With web-based analysis systems I worry more about false positives, and
of
>> course, false negatives. Detecting beacons from malware but not from,
say,
>> DropBox is a hard problem. In theory, products like StealthWatch work,
but
>> in practice, that depends on the team.
>> Likewise, there are gaps in the market itself: Who is looking at all
>> outbound e-mail to find data exfiltration channels? And on the host, when
>> faced with a new product, all the protection systems we've seen have not
>> detected INNUENDO. Some of them detect injection, but you don't really
need
>> to do that. What if there is too much chaos on a big company's desktop
for
>> reputation-based protection systems to work?
>> -dave
>>
>>
>>
>>
>>
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunityinc.com
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunityinc.com
https://lists.immunityinc.com/mailman/listinfo/dailydave
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20161201/6836914b/attachment.html>

More information about the Dailydave mailing list