how to spot the blue team
play

How to Spot the Blue Team? Red Team Infrastructure Security R.A.H. - PowerPoint PPT Presentation

Sep 17, 2023 •107 likes •375 views

How to Spot the Blue Team? Red Team Infrastructure Security R.A.H. Lahaye Supervisors: Marc Smeets and Mark Bergman Outflank Research Project 2 System and Network Engineering University of Amsterdam February 5, 2018 R.A.H. Lahaye How to

  1. How to Spot the Blue Team? Red Team Infrastructure Security R.A.H. Lahaye Supervisors: Marc Smeets and Mark Bergman Outflank Research Project 2 System and Network Engineering University of Amsterdam February 5, 2018 R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 1 / 26

  2. Outline Introduction 1 Related Work 2 Red Team Infrastructure 3 Proof of Concept 4 Conclusion 5 Future Work 6 References 7 R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 2 / 26

  3. Introduction Red Teaming vs Blue Teaming Team Goals Figure: Red Team Kill Chain[mic, 2016] R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 3 / 26

  4. Project Goal Find a way to detect blue team actions so that the red team can stay undetected and achieve long-term engagement. Project is not about how to stay undetected as a Red Team R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 4 / 26

  5. Research Question 1 How to secure a red team infrastructure to detect a blue team analysis? How does a red team infrastructure look like? 1 How can a blue team analysis be detected? 2 R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 5 / 26

  6. Related Work No related work regarding detecting a blue team analysis Some related work regarding how a red team operation and infrastructure looks: Wiki to collect Red Team infrastructure hardening resources[Dimmock] Cobalt Strike - Red Team Operations Course and Notes[cob, 2013] Powershell Empire - Documentation[pow] R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 6 / 26

  7. Method Literature Study and interviews to figure out how a typical red team infrastructure look like Analysis of a red team operation software to know how an operation looks like Cobalt Strike PowerShell Empire If you know what a Remote Access Tool’s request looks like, you know what legit traffic/events are, and what not R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 7 / 26

  8. Red Team Infrastructure Figure: Red Team Infrastructure R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 8 / 26

  9. Red Team Infrastructure Security Desired Security Controls Preventive Security Controls (Limited) Firewall System Hardening Concealment Detective Security Controls Logging and Monitoring IDS Responsive Security Controls Disposing/New Infrastructure Distraction/Decoy R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 9 / 26

  10. Proof of Concept Requirements: Able to detect a Blue Team’s analysis of a Red Team’s operation Usable for multiple Red Team operations Should not trigger by random Internet scans R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 10 / 26

  11. Infrastructure Figure: Proof of Concept Basic Red Team Infrastructure R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 11 / 26

  12. Red Team Software Analysis Focused on successful callback and communication from target HTTP/(S) Requests for communication (or other protocols) DNS Domain Lookups R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 12 / 26

  13. How to Spot the Blue Team? R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 13 / 26

  14. HTTP(S) Communication Paths Command and Control Communication Paths: ”/legit/communication/uri/to/filter/with/get.php” ”/legit/communication/uri/to/filter/with/news.php” ”/legit/communication/uri/to/filter/with/login/process.php” Blue Team: ”/legit/communication/uri/to/filter/with/” ”/legit/communication/uri/to” Anomaly: No fully complete Command and Control communication path Contains first prefix (”/legit/*”) R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 14 / 26

  15. User-Agents Command and Control User-Agent: ”Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko” Blue Team: ”Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” Anomaly: Different User-Agent compared to the Command and Control User-Agent R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 15 / 26

  16. GEO Location Target Location: Country: Netherlands Blue Team: Country: Russia Anomaly: Command and Control traffic from unexpected location R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 16 / 26

  17. DNS Domain Lookup Command and Control Lookup: ”rt-1.very.legit.domain.tours.prac.os3.nl” Blue Team: ”domain.tours.prac.os3.nl” ”very.legit.domain.tours.prac.os3.nl” Anomaly: Any other sub-domain lookup R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 17 / 26

  18. Virustotal Command and Control Beacon/Payload: Known Hash Blue Team: Upload to Virustotal Anomaly: When hash is known by Virustotal while the Red Team uses unique files R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 18 / 26

  19. Logging Infrastructure Figure: Proof of Concept Logging Infrastructure R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 19 / 26

  20. Proof of Concept Advantages and Disadvantages Advantages: API Good for logging data Disadvantages: Complex Not good for events/alerts (nor with other alternatives) Hard to find needed data (especially with multiple Red Team operations) Better alternatives? R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 20 / 26

  21. Usage: query.py [options] Figure: query.py options R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 21 / 26

  22. query.py output Figure: query.py output R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 22 / 26

  23. Conclusion Typical Red Team infrastructure uses redirectors and Command and Control servers that are disposable and automated Detecting the Blue Team requires knowledge of own Red Team’s operation and its used tools Detecting the Blue Team can be done with a monitoring and logging infrastructure No good tooling is available to detect the Blue Team R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 23 / 26

  24. Future Work Build free and working plugin for Kibana for alerting Improve the Python script’s output Create a tooling that is able to learn a Red Team operation Many others.. R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 24 / 26

  25. Questions Are there any questions? R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 25 / 26

  26. References Powershell empire documentation. URL https://www.powershellempire.com/?page_id=83 . Cobalt strike red team operations course and notes, 2013. URL https://blog.cobaltstrike.com/2013/10/18/ tradecraft-red-team-operations-course-and-notes/ . Disrupting the kill chain, 2016. URL https://cloudblogs.microsoft.com/microsoftsecure/2016/11/ 28/disrupting-the-kill-chain/ . J. Dimmock. Wiki to collect red team infrastructure hardening resources. URL https://github.com/bluscreenofjeff/ Red-Team-Infrastructure-Wiki . R.A.H. Lahaye How to Spot the Blue Team? February 5, 2018 26 / 26

Recommend

WOPR SUMMIT Red v Blue Workshop What will we do today? Red / Blue Team Theory APT

WOPR SUMMIT Red v Blue Workshop What will we do today? Red / Blue Team Theory APT

WOPR SUMMIT Red v Blue Workshop What will we do today? Red / Blue Team Theory APT Emulation Kill Chain Phishing Dropper Some Detection Expansion Deep Persistence Actions on goals Exfiltration

1.58k views • 140 slides
Sketch Model Review Blue!Team!!Sec,on!A! October!3,!2013! 2.009%%Blue%A ! 1% Problems and

Sketch Model Review Blue!Team!!Sec,on!A! October!3,!2013! 2.009%%Blue%A ! 1% Problems and

Sketch Model Review Blue!Team!!Sec,on!A! October!3,!2013! 2.009%%Blue%A ! 1% Problems and Needs 117,000!child!care!centers!in!the!US! Over!10.9!million!children!under!5! 115,000!elementary!schools!in!the!US! 2011!Census! !

458 views • 13 slides
Sketch Model Review Blue!Team!!Sec,on!A! October!3,!2013! 2.009%%Blue%A ! 1% Problems and

Sketch Model Review Blue!Team!!Sec,on!A! October!3,!2013! 2.009%%Blue%A ! 1% Problems and

Sketch Model Review Blue!Team!!Sec,on!A! October!3,!2013! 2.009%%Blue%A ! 1% Problems and Needs 117,000!child!care!centers!in!the!US! Over!10.9!million!children!under!5! 115,000!elementary!schools!in!the!US! 2011!Census! !

609 views • 11 slides
Charcoal Briquettes Cheap, environmentally-friendly bio fuel and devices 2.009 Blue Team A

Charcoal Briquettes Cheap, environmentally-friendly bio fuel and devices 2.009 Blue Team A

Charcoal Briquettes Cheap, environmentally-friendly bio fuel and devices 2.009 Blue Team A Dexter Ang, John Brewer, Kevin Chen, Greg Fonder, Danny Hilton, Matt Krueger, Andres Pino 2.009 Blue Team A October 7, 2004 Piston Extrusion 2.009

420 views • 4 slides
The Secret to Capsim Capsim Success Success The Secret to its all about the sweet spot

The Secret to Capsim Capsim Success Success The Secret to its all about the sweet spot

The Secret to Capsim Capsim Success Success The Secret to its all about the sweet spot Team Andrews Fall I 2009 BUSN 6200 Presented By Team Andrews: Brad White, Tim Fish, Christina Vance, Stephanie Bogan, & Anthony Vatterott Team

192 views • 15 slides
Charcoal Briquettes Mockup Review 2.009 Blue Team A Dexter Ang, John Brewer, Kevin Chen,

Charcoal Briquettes Mockup Review 2.009 Blue Team A Dexter Ang, John Brewer, Kevin Chen,

Charcoal Briquettes Mockup Review 2.009 Blue Team A Dexter Ang, John Brewer, Kevin Chen, Greg Fonder, Danny Hilton, Matt Krueger, Andres Pino 2.009 Blue Team A October 21, 2004 Key Challenges Loading Hopper design Position of

309 views • 11 slides
Blue Teams Sharmila B. Vaswani-Bowles - Cyber Acquisition Blue Team (CABT) Management Office

Blue Teams Sharmila B. Vaswani-Bowles - Cyber Acquisition Blue Team (CABT) Management Office

Certification and Standards for Army Blue Teams Sharmila B. Vaswani-Bowles - Cyber Acquisition Blue Team (CABT) Management Office Lead Ensuring Cyber Resiliency In All Phases of Acquisition Rolando Lopez - Lead Computer Engineer 1 The

516 views • 20 slides
Network Decoding C&C Channels - gcat Brought to you by... + = Red Team/Blue Team

Network Decoding C&C Channels - gcat Brought to you by... + = Red Team/Blue Team

Network Decoding C&C Channels - gcat Brought to you by... + = Red Team/Blue Team Awesomeness This will be a series! Positive response to decoding dnscat2 We've decided to make this a series Will dissect a C&C every few

642 views • 24 slides
Welcome TEAM D Parents!! BLUE HOUSE Video from our new Dr. Lonardi-Welcome Back

Welcome TEAM D Parents!! BLUE HOUSE Video from our new Dr. Lonardi-Welcome Back

Welcome TEAM D Parents!! BLUE HOUSE Video from our new Dr. Lonardi-Welcome Back Superintendent Dr. Lonardi Members of Team D Thomas Mulvey- Principal- tmulvey@dasd.org; x4103 Megan Busby- Counseling mbusby@dasd.org; x4111 Alicia Moyer

534 views • 24 slides
Blue A Sketch Model Review Blue A Blue A Smooth Passenger Bag Be Gone Talker Blue A

Blue A Sketch Model Review Blue A Blue A Smooth Passenger Bag Be Gone Talker Blue A

Blue A Sketch Model Review Blue A Blue A Smooth Passenger Bag Be Gone Talker Blue A SMOOTH TALKER Blue A !!!! Users 515,000 children in America with ASD who communicate verbally Design Blue A Fastening

246 views • 10 slides
Cotton Incorporated TARGET SPOT UPDATE A. K. Hagan Auburn University TARGET SPOT Target Spot

Cotton Incorporated TARGET SPOT UPDATE A. K. Hagan Auburn University TARGET SPOT Target Spot

Cotton Incorporated TARGET SPOT UPDATE A. K. Hagan Auburn University TARGET SPOT Target Spot Ascochyta Blight Easily confused with Ascochyta Blight and Myrothecium Leaf Spot which are seen on 3 to 5 leaf cotton Target Spot thru first bloom.

337 views • 30 slides
Spot On Treatment Team Stockholm iGEM 2010 Andreas Constantinou Hassan Foroughi Asl Emmelie

Spot On Treatment Team Stockholm iGEM 2010 Andreas Constantinou Hassan Foroughi Asl Emmelie

Spot On Treatment Team Stockholm iGEM 2010 Andreas Constantinou Hassan Foroughi Asl Emmelie Lidh Johan Nordholm Nina Schiller sndag den 7 november 2010 Vitiligo Complex skin disorder Loss of pigment cells 0.5-2 %

1.08k views • 32 slides
SYSTEM UNILEVEL STRUCTURE YOU

SYSTEM UNILEVEL STRUCTURE YOU

GLOBAL BLOCKCHAIN COMMUNITY TM 2020 ACCELERATED REFERRAL REWARD SYSTEM UNILEVEL STRUCTURE YOU OPEN SPOT OPEN SPOT OPEN SPOT OPEN SPOT

714 views • 17 slides
Bureau for Public Health Strategic Map The Blue Team Amy Atkins Director, BPH Division of Local

Bureau for Public Health Strategic Map The Blue Team Amy Atkins Director, BPH Division of Local

Bureau for Public Health Strategic Map The Blue Team Amy Atkins Director, BPH Division of Local Health February 27, 2014 Diamond Building B10/B11 Bureau for Public Health Strategic Map: The Blue Team Defining Your Piece of the Public

378 views • 24 slides
FDP101X: Lab Assignment 2 REFLECTION SPOT ACTIVITY IMAGE ON ALU IN MICROPROCESSOR Reflection

FDP101X: Lab Assignment 2 REFLECTION SPOT ACTIVITY IMAGE ON ALU IN MICROPROCESSOR Reflection

FDP101X: Lab Assignment 2 REFLECTION SPOT ACTIVITY IMAGE ON ALU IN MICROPROCESSOR Reflection Spot time stamp : #Reflection Spot time: (12.12) Reflection Spot question What is ALU? Answer ALU is a temperory register used to hold

186 views • 15 slides
How Yelp.com Runs on Apache Mesos in AWS Spot Fleet for Fun and Profit (75% Off) Kyle Anderson -

How Yelp.com Runs on Apache Mesos in AWS Spot Fleet for Fun and Profit (75% Off) Kyle Anderson -

How Yelp.com Runs on Apache Mesos in AWS Spot Fleet for Fun and Profit (75% Off) Kyle Anderson - Yelp Yelps Mission Connecting people with great local businesses. Part 0: Spot / Spot Fleet Primer Part 1: Spot Fleet management + Mesos

1.06k views • 53 slides
Green Blue Blue Blue Red Red Text visualization Why use text in visualization? Instant

Green Blue Blue Blue Red Red Text visualization Why use text in visualization? Instant

Web-pages Email Green Blue Blue Blue Red Red Text visualization Why use text in visualization? Instant messages Digitized books, articles Lucas Rizoli CPSC 533C, November 2006 2 3 4 Fast Text can be a dense representation New York

576 views • 3 slides
2020 Blue's Tour August 2020 We would like to Welcome you on behalf of Blue Cross and Blue Shield

2020 Blue's Tour August 2020 We would like to Welcome you on behalf of Blue Cross and Blue Shield

2020 Blue's Tour August 2020 We would like to Welcome you on behalf of Blue Cross and Blue Shield of Kansas to the 2020 Blue's Tour! We are glad you could all join us virtually today! I am Jessica Moore, Education and Communication Coordinator

290 views • 26 slides
Take the Top Spot by Transforming IT 157 157 Failure itself is not fatal, but failure to

Take the Top Spot by Transforming IT 157 157 Failure itself is not fatal, but failure to

Take the Top Spot by Transforming IT 157 157 Failure itself is not fatal, but failure to change might be. Legendary basketball coach John Wooden Transformation is the only way to take the top spot Transformed organizations:

387 views • 17 slides
Writing malware while the blue team is staring at you meterpreter> getuid @mubix Father

Writing malware while the blue team is staring at you meterpreter> getuid @mubix Father

Mubix Rob Fuller Writing malware while the blue team is staring at you meterpreter> getuid @mubix Father Husband United States Marine Co-Founder of NoVA Hackers Technical Consultant to HBOs Silicon Valley Security+, Linux+, A+,

1.02k views • 60 slides
RC Claim Assist Kelly Hayes Blue Cross / Blue Care Network Provider Outreach Blue Cross Blue

RC Claim Assist Kelly Hayes Blue Cross / Blue Care Network Provider Outreach Blue Cross Blue

RC Claim Assist Kelly Hayes Blue Cross / Blue Care Network Provider Outreach Blue Cross Blue Shield of Michigan and Blue Care Network are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association. RC Claim

423 views • 7 slides
Overview ew Overview of Corporate Philanthropy Overview of Florida Blue Corporate and Foundation

Overview ew Overview of Corporate Philanthropy Overview of Florida Blue Corporate and Foundation

L ESSONS L EARNED FROM A C ORPORATE D ONOR Susan B. Towler Florida Blue October 21, 2015 Orange Park, FL Blue Cross and Blue Shield of Florida Foundation is an Independent Licensee of the Blue Cross and Blue Shield Association. Overview ew

422 views • 16 slides
Blue Apron Campaign by: Create 3 Agency MEET THE TEAM MEET THE TEAM Allison Sousan Delaney

Blue Apron Campaign by: Create 3 Agency MEET THE TEAM MEET THE TEAM Allison Sousan Delaney

Blue Apron Campaign by: Create 3 Agency MEET THE TEAM MEET THE TEAM Allison Sousan Delaney Jobe Jonah Baalman Art Director Copywriter Account Exec/PR Biggest Cooking Fail: Biggest Cooking Fail: Biggest Cooking Fail: Slicing my finger by

523 views • 30 slides
BloodHound From Red to Blue 1.5 By Scoubi @ScoubiMTL BIO Sr Security Architect at Bell Canada

BloodHound From Red to Blue 1.5 By Scoubi @ScoubiMTL BIO Sr Security Architect at Bell Canada

BloodHound From Red to Blue 1.5 By Scoubi @ScoubiMTL BIO Sr Security Architect at Bell Canada Adversary Detection Team Lead Threat Hunting Team Lead First Presented at BSidesCharm French Canadian Dont pronounce S and H

1.37k views • 104 slides

More recommend