HIP19: Who watches the watchmen? - M. Bergman, M. Smeets
Who watches the watchmen? Adventures in red team infrastructure herding and blue team OPSEC failures, by Mark Bergman and Marc Smeets. https://hackinparis.com/talks/#talk-2...

In this talk we explain our approach to red team infrastructure herding and how we use it to expose OPSEC failures of blue teams. We discuss our latest research on this topic and present a new version of our open-source tooling, RedELK.

When performing multi-month, multi-C2-teamserver and multi-scenario red team operations, you are working with an infrastructure that becomes very large very quickly. This makes it harder to keep track of what is happening. Coupled with the ever-increasing maturity of blue teams, it also makes it more likely that the blue team is somewhere analysing parts of your infra and/or artefacts.

In our ongoing quest for better red teaming services, we started research and tool development to achieve two goals:

1) Control of the operations, e.g. get a one-click overview of all our IOCs, quickly search back through all keystrokes, or answer questions such as "did we touch system ABC during operation X on day 39?".

2) Know when the blue team is on to us, e.g. get an alarm when it is not just a regular internet scanner touching our redirectors, when one of our IOCs shows up in VirusTotal or similar databases, and so on.

This all led to the development of several in-house tools that support us greatly, most notably RedELK, our infrastructure herding and SIEM tool. After using it with great success across a number of engagements, we released RedELK to the community in 2018.

In this talk we share several new additions on the topic of infrastructure herding, as well as new ways of busting blue team OPSEC failures by closely "watching the watchmen". Lastly, we will release and demonstrate a new version of RedELK.