Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses

Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses will arm you with the knowledge and expertise you need to overcome today’s threats. Recognizing that a prevent-only strategy is not sufficient, we will introduce security controls aimed at stopping, detecting, and responding to your adversaries through a purple team strategy.

Course Key Learnnings:

Leveraging MITRE ATT&CK as a “common language” in the organization
Building your own Cuckoo sandbox solution to analyze payloads
Developing effective group policies to improve script execution (including PowerShell, Windows Script Host, VBA, HTA, etc.)
Highlighting key bypass strategies for script controls (Unmanaged Powershell, AMSI bypasses, etc.)
Stopping 0-day exploits using ExploitGuard and application whitelisting
Highlighting key bypass strategies in application whitelisting (focus on AppLocker)
Detecting and preventing malware persistence
Leveraging the Elastic stack as a central log analysis solution
Detecting and preventing lateral movement through Sysmon, Windows event monitoring, and group policies
Blocking and detecting command and control through network traffic analysis
Leveraging threat intelligence to improve your security posture

Business Takeaways

Understand how recent high-profile attacks were delivered and how they could have been stopped
Implement security controls throughout the different phases of the Cyber Kill Chain and the MITRE ATT&CK framework to prevent, detect, and respond to attacks

Course Content:

Module1:Introduction and Reconnaissance

Overview

Our six-part journey starts with an analysis of recent attacks through in-depth case studies. We will explain what’s happening in real situations and introduce the Cyber Kill Chain and MITRE ATT&CK framework as a structured approach to describing adversary tactics and techniques. We will also explain what purple teaming is, typical tools associated with it, and how it can be best organized in your organization. In order to understand how attacks work, students will also compromise our virtual organization “SYNCTECHLABS” during section one exercises.

Exercises

One click is all it takes…
Hardening our domain using SCT and STIG
Kibana, ATT&CK Navigator, and FlightSim
Automated reconnaissance using SpiderFoot

Topics

Course Outline and Lab Setup
- Course objectives and lab environment
- What’s happening out there?
- Introducing SYNCTECHLABS
- Exercise: One click is all it takes…
Adversary Emulation and the Purple Team
- Introducing the extended Kill Chain
- What is the purple team?
- MITRE ATT&CK framework and “purple tools”
- Key controls for prevention and detection
- Exercise: Hardening our domain using SCT and STIG
- Building a detection stack
- Exercise: Kibana, ATT&CK Navigator, and FlightSim
Reconnaissance
- Reconnaissance – Getting to know the target
- Exercise: Automated reconnaissance using SpiderFoot

Module2: Payload Delivery and Execution

Overview

Section 2 will cover how the attacker attempts to deliver and execute payloads in the organization. We will first cover adversary techniques (e.g., creation of malicious executables and scripts), then focus on how both payload delivery (e.g., phishing mails) and execution (e.g., double-clicking of the attachment) can be hindered. We will also introduce YARA as a common payload description language and SIGMA as a vendor-agnostic use-case description language.

Exercises

Stopping NTLMv2 sniffing and relay attacks in Windows
Building a Sandbox using Cuckoo and YARA
Configuring AppLocker
Controlling script execution in the enterprise
Detection with Script Block Logging, Sysmon, and SIGMA
Preventing payload execution using ProcFilter

Topics

Common Delivery Mechanisms
Hindering Payload Delivery
- Removable media and network (NAC, MDM, etc.) controls
- Exercise: Stopping NTLMv2 sniffing and relay attacks in Windows
- Mail controls, web proxies, and malware sandboxing
- YARA – A common payload description language
- Exercise: Building a Sandbox using Cuckoo and YARA
Preventing Payload Execution
- Initial execution – Application whitelisting
- Exercise: Configuring AppLocker
- Initial execution – Visual Basic, JS, HTA, and PowerShell
- Exercise: Controlling script execution in the enterprise
- Initial execution – How to detect?
- Exercise: Detection with Script Block Logging, Sysmon, and SIGMA
- Operationalizing YARA rules – Introducing ProcFilter
- Exercise: Preventing payload execution using ProcFilter

Module3: Exploitation, Persistence, and Command and Control

Overview

Section 3 will first explain how exploitation can be prevented or detected. We will show how security should be an integral part of the software development lifecycle and how this can help prevent the creation of vulnerable software. We will also explain how patch management fits in the overall picture.

Next, we will zoom in on exploit mitigation techniques, both at compile-time (e.g., ControlFlowGuard) and at run-time (ExploitGuard). We will provide an in-depth explanation of what the different exploit mitigation techniques (attempt to) cover and how effective they are. We’ll then turn to a discussion of typical persistence strategies and how they can be detected using Autoruns and OSQuery. Finally, we will illustrate how command and control channels are being set up and what controls are available to the defender for detection and prevention.

Exercises

Exploit mitigation using Compile-Time Controls
Exploit mitigation using ExploitGuard
Catching persistence using Autoruns and OSQuery
Detecting command and control channels using Suricata, JA3 and RITA

Topics

Protecting Applications from Exploitation
- Software development lifecycle (SDL) and threat modeling
- Patch management
- Exploit mitigation techniques
- Exercise: Exploit mitigation using Compile-Time Controls
- Exploit mitigation techniques – ExploitGuard, EMET, and others
- Exercise: Exploit mitigation using ExploitGuard
Avoiding Installation
- Typical persistence strategies
- How do adversaries achieve persistence?
- Exercise: Catching persistence using Autoruns and OSQuery
Foiling Command and Control
- Detecting command and control channels

Module4: Lateral Movement

Overview

Section 4 will focus on how adversaries move laterally throughout an environment. A key focus will be on Active Directory (AD) structures and protocols (local credential stealing, NTLMv2, Kerberosm, etc.). We will discuss common attack strategies, including Windows privilege escalation, UAC bypasses, (Over-) Pass-the-Hash, Kerberoasting, Silver Tickets, and others. We’ll also cover how BloodHound can be used to develop attack paths through the AD environment. Finally, we will discuss how lateral movement can be identified in the environment and how cyber deception can be used to catch intruders red-handed!

Exercises

Implementing LAPS
Local Windows privilege escalation techniques
Hardening Windows against credential compromise
Mapping attack paths using BloodHound
Kerberos attack strategies
Detecting lateral movement in AD

Topics

Protecting Administrative Access
- Active Directory security concepts
- Principle of least privilege and UAC
- Exercise: Implementing LAPS
- Privilege escalation techniques in Windows
- Exercise: Local Windows privilege escalation techniques
Key Attack Strategies against AD
- Abusing local admin privileges to steal more credentials
- Exercise: Hardening Windows against credential compromise
- Bloodhound – Mapping out AD attack paths
- Exercise: Mapping attack paths using BloodHound
- Kerberos attacks: Kerberoasting, Silver tickets, Over-PtH
- Exercise: Kerberos attack strategies
How Can We Detect Lateral Movement?
- Key logs to detect lateral movement in AD
- Deception – Tricking the adversary
- Exercise: Detecting lateral movement in AD

Modyule5: : Action on Objectives, Threat Hunting, and Incident Response

Overview

Section five focuses on stopping the adversary during the final stages of the attack:

How does the adversary obtain “domain dominance” status? This includes the use of Golden Tickets, Skeleton Keys, and directory replication attacks such as DCSync and DCShadow.
How can data exfiltration be detected and stopped?
How can threat intelligence aid defenders in the Cyber Kill Chain?
How can defenders perform effective incident response?

As always, theoretical concepts will be illustrated during the different exercises performed throughout the day.

Exercises

Domain dominance
Detecting data exfiltration
Leveraging threat intelligence with MISP and Loki
Hunting your environment using OSQuery
Finding malware using Volatility and YarGen

Topics

Domain Dominance
- Dominating the AD – Basic strategies
- Golden Ticket, Skeleton Key, DCSync, and DCShadow
- Detecting domain dominance
- Exercise: Domain dominance
Data Exfiltration
- Common exfiltration strategies
- Exercise: Detecting data exfiltration
Leveraging Threat Intelligence
- Defining threat intelligence
- Exercise: Leveraging threat intelligence with MISP and Loki
Threat Hunting and Incident Response
- Proactive threat hunting strategies
- Exercise: Hunting your environment using OSQuery
- Incident response process
- Exercise: Finding malware using Volatility and YarGen

Module6: APT Defender Capstone

Overview

The course culminates in a team-based Defend-the-Flag competition. Section six is a full chapter of hands-on work applying the principles taught throughout the course. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber security controls promoted all week long. This challenging exercise will reinforce key principles in a fun, hands-on, team-based challenge.

Note that OnDemand students will enjoy this exercise on an individual basis. As always, SANS SME’s are available to support every OnDemand student’s experience.

Topics