The Active Defender – Immersion in the Offensive Security Mindset: Tech Today

Author: CJ Ullman
English language, paperback – 24 Jul 2023

Part of the Tech Today series


Specifications

ISBN-13: 9781119895213
ISBN-10: 1119895219
Pages: 272
Dimensions: 187 x 235 x 15 mm
Weight: 0.51 kg
Publisher: Wiley
Series: Tech Today

Place of publication: Hoboken, United States

About the author

CATHERINE J. ULLMAN is a security researcher, speaker, and Principal Technology Architect, Security at the University at Buffalo. She is a DFIR specialist and expert in incident management, intrusion detection, investigative services, and personnel case resolution. She offers security awareness training in an academic setting and is a well-known presenter at information security conferences, including DEF CON and Blue Team Con.

Contents

Foreword; Preface; Introduction

Chapter 1 What Is an Active Defender?
The Hacker Mindset; Traditional Defender Mindset; Getting from Here to There; Active Defender Activities; Threat Modeling; Threat Hunting; Attack Simulations; Active Defense; "Active Defense" for the Active Defender; Another Take on Active Defense; Annoyance; Attribution; Attack; Active Defense According to Security Vendors; Active > Passive; Active Defense by the Numbers; Active Defense and Staffing; Active Defender > Passive Defender; Relevant Intel Recognition; Understanding Existing Threats; Attacker Behavior; Pyramid of Pain; MITRE ATT&CK; TTP Pyramid; Toward a Deeper Understanding; Return to the Beginning; Summary; Notes

Chapter 2 Immersion into the Hacker Mindset
Reluctance; Media Portrayal; Fear of Government Retribution; The Rock Star Myth; Imposter Syndrome; A Leap of Faith; My First Security BSides; My First DEF CON; Finding the Community; Security BSides; Structured Format; Unconference Format; Hybrid Format; Additional Events; Other Security Conferences; CircleCityCon; GrrCON; Thotcon; ShmooCon; Wild West Hackin' Fest; DEF CON; Local Security Meetups; Infosec 716; Burbsec; #misec; Makerspaces; DEF CON Groups; 2600 Meetings; Online Security Communities; Traditional Security Communities; An Invitation; Summary; Notes

Chapter 3 Offensive Security Engagements, Trainings, and Gathering Intel
Offensive Security Engagements; Targeting; Initial Access; Persistence; Expansion; Exfiltration; Detection; Offensive Security Trainings; Conference Trainings; Security BSides; DEF CON; GrrCON; Thotcon; CircleCityCon; Wild West Hackin' Fest; Black Hat; Security Companies; Offensive Security; TrustedSec; Antisyphon; SANS; Online Options; Hack The Box; TryHackMe; HackThisSite; CTFs; YouTube; Higher Education; Gathering Intel; Tradecraft Intel; Project Zero; AttackerKB; Discord/Slack; Twitter; Organizational Intel; LinkedIn; Pastebin; GitHub; Message Boards; Internal Wikis; Have I Been Pwned; Summary; Notes

Chapter 4 Understanding the Offensive Toolset
Nmap/Zenmap; Burp Suite/ZAP; sqlmap; Wireshark; Metasploit Framework; Shodan; Social-Engineer Toolkit; Mimikatz; Responder; Cobalt Strike; Impacket; mitm6; CrackMapExec; evil-winrm; BloodHound/SharpHound; Summary; Notes

Chapter 5 Implementing Defense While Thinking Like a Hacker
OSINT for Organizations; OPSEC; OSINT; Social Engineering; Actively Defending; ASM; ATO Prevention; Benefits; Types of Risks Mitigated; Threat Modeling Revisited; Framing the Engagement; Scoping in Frame; Motivation in Frame; The Right Way In; Reverse Engineering; Targeting; Inbound Access; Persistence; Egress Controls; LOLBins; Rundll32.exe; Regsvr32.exe; MSBuild.exe; Cscript.exe; Csc.exe; Legitimate Usage?; Threat Hunting; Begin with a Question; The Hunt; Applying the Concepts; Dumping Memory; Lateral Movement; Secondary C2; Proof of Concept; Attack Simulations; Simulation vs. Emulation; Why Test?; Risky Assumptions; Practice Is Key; Tools for Testing; Microsoft Defender for O365; Atomic Red Team; Caldera; Scythe; Summary; Notes

Chapter 6 Becoming an Advanced Active Defender
The Advanced Active Defender; Automated Attack Emulations; Using Deceptive Technologies; Honey Tokens; Decoy Accounts; Email Addresses; Database Data; AWS Keys; Canary Tokens; Honeypots; Other Forms of Deception; Web Server Header; User Agent Strings; Fake DNS Records; Working with Offensive Security Teams; But We Need a PenTest!; Potential Testing Outcomes; Vulnerability Identification; Vulnerability Exploitation; Targeted Detection/Response; Real Threat Actor; Detection Analysis; Scope; Scoping Challenges; Additional Scope Considerations; Decisions, Decisions; Measuring Existing Defenses; Crown Jewels; Selecting a Vendor; Reputation; Experience and Expertise; Processes; Data Security; Adversarial Attitudes; Results; Additional Considerations; Purple Teaming - Collaborative Testing; What Is a Purple Team?; Purple Team Exercises; Cyber Threat Intelligence; Preparation; Exercise Execution; Lessons Learned; Purple Teams and Advanced Active Defenders; Summary; Notes

Chapter 7 Building Effective Detections
Purpose of Detection; Funnel of Fidelity; Collection; Detection; Triage; Investigation; Remediation; Building Detections: Identification and Classification; Overall Detection Challenges; Attention Problem; Perception Problem; Abstraction Problem; Validation Problem; The Pyramids Return; Lower Levels; Tools; Wrong Viewpoint; Bypass Options; Higher Levels; Testing; Literal Level; Functional Level; Operational Level; Technical Level; Proper Validation: Both Telemetry and Detection; Telemetry Coverage; Detection Coverage; Testing Solutions; Atomic Red Team; AtomicTestHarness; Summary; Notes

Chapter 8 Actively Defending Cloud Computing Environments
Cloud Service Models; IaaS; PaaS; SaaS; Cloud Deployment Environments; Private Cloud; Public Cloud; Fundamental Differences; On-Demand Infrastructure; Shared Responsibility Model; Control Plane and Data Plane; Infrastructure as an API; Data Center Mapping; IAM Focus; Cloud Security Implications; Larger Attack Surface; New Types of Exposed Services; Application Security Emphasis; Challenges with API Use; Custom Applications; Cloud Offensive Security; Enumeration of Cloud Environments; Code Repositories; Publicly Accessible Resources; Initial Access; Phishing/Password Spraying; Stealing Access Tokens; Resource Exploitation; Post-Compromise Recon; Post-Exploitation Enumeration; Roles, Policies, and Permissions; Dangerous Implied Trusts; Overly Permissive Configurations; Multi-Level Access; Persistence/Expansion; Lateral Movement; Privilege Escalation; Defense Strategies; Summary; Notes

Chapter 9 Future Challenges
Software Supply Chain Attacks; A Growing Problem; Actively Defending; Counterfeit Hardware; Fake Cisco Hardware; Actively Defending; UEFI; Increasing Vulnerabilities; Enter BlackLotus; MSI Key Leak; Actively Defending; BYOVD Attacks; Lazarus Group; Cuba Ransomware Group; Actively Defending; Ransomware; Continuing Evolution; Actively Defending; Tabletop Exercises; Ransomware Playbooks; Frameworks; Cobalt Strike; Sliver; Metasploit; Brute Ratel; Havoc; Mythic; Actively Defending; Living Off the Land; Actively Defending; API Security; Defining APIs; API Impact; Security Significance; Actively Defending; Everything Old Is New Again; OWASP Top 10; Old Malware Never (Really) Dies; Emotet; REvil; Actively Defending; Summary; Notes

Index