The Active Defender

CATHERINE J. ULLMAN is a security researcher, speaker, and Principal Technology Architect, Security at the University at Buffalo. She is a DFIR specialist and expert in incident management, intrusion detection, investigative services, and personnel case resolution. She offers security awareness training in an academic setting and is a well-known presenter at information security conferences, including DEF CON and Blue Team Con.

Foreword xxv

Preface xxix

Introduction xxxiii

Chapter 1 What Is an Active Defender? 1

The Hacker Mindset 1

Traditional Defender Mindset 3

Getting from Here to There 4

Active Defender Activities 7

Threat Modeling 7

Threat Hunting 8

Attack Simulations 9

Active Defense 9

“Active Defense” for the Active Defender 10

Another Take on Active Defense 10

Annoyance 11

Attribution 11

Attack 11

Active Defense According to Security Vendors 11

Active > Passive 12

Active Defense by the Numbers 13

Active Defense and Staffing 13

Active Defender > Passive Defender 13

Relevant Intel Recognition 13

Understanding Existing Threats 14

Attacker Behavior 14

Pyramid of Pain 15

MITRE Att&ck 15

TTP Pyramid 15

Toward a Deeper Understanding 16

Return to the Beginning 16

Summary 18

Notes 18

Chapter 2 Immersion into the Hacker Mindset 21

Reluctance 21

Media Portrayal 21

Fear of Government Retribution 22

The Rock Star Myth 22

Imposter Syndrome 23

A Leap of Faith 23

My First Security BSides 24

My First DEF CON 24

Finding the Community 27

Security BSides 27

Structured Format 27

Unconference Format 28

Hybrid Format 28

Additional Events 28

Other Security Conferences 29

CircleCityCon 29

GrrCON 29

Thotcon 29

ShmooCon 30

Wild West Hackin’ Fest 30

DEF Con 30

Local Security Meetups 30

Infosec 716 31

Burbsec 31

#misec 31

Makerspaces 31

DEF CON Groups 32

2600 Meetings 32

Online Security Communities 33

Traditional Security Communities 34

An Invitation 34

Summary 36

Notes 36

Chapter 3 Offensive Security Engagements, Trainings, and Gathering Intel 37

Offensive Security Engagements 37

Targeting 38

Initial Access 38

Persistence 39

Expansion 39

Exfiltration 40

Detection 40

Offensive Security Trainings 40

Conference Trainings 41

Security BSides 41

DEF Con 42

GrrCON 42

Thotcon 43

CircleCityCon 43

Wild West Hackin’ Fest 43

Black Hat 44

Security Companies 44

Offensive Security 44

TrustedSec 44

Antisyphon 45

SANS 45

Online Options 46

Hackthebox 46

Tryhackme 46

Hackthissite 47

CTFs 47

YouTube 47

Higher Education 48

Gathering Intel 48

Tradecraft Intel 49

Project Zero 49

AttackerKB 49

Discord/Slack 50

Twitter 50

Organizational Intel 51

LinkedIn 51

Pastebin 52

GitHub 52

Message Boards 52

Internal Wikis 53

Haveibeenpwned 53

Summary 54

Notes 54

Chapter 4 Understanding the Offensive Toolset 55

Nmap/Zenmap 57

Burp Suite/ZAP 59

sqlmap 60

Wireshark 61

Metasploit Framework 63

Shodan 64

Social-Engineer Toolkit 66

Mimikatz 67

Responder 70

Cobalt Strike 71

Impacket 73

Mitm6 75

CrackMapExec 76

evil-winrm 77

BloodHound/SharpHound 78

Summary 79

Notes 80

Chapter 5 Implementing Defense While Thinking Like a Hacker 81

OSINT for Organizations 81

OPSEC 82

OSINT 82

Social Engineering 82

Actively Defending 84

ASM 84

ATO Prevention 84

Benefits 86

Types of Risks Mitigated 86

Threat Modeling Revisited 87

Framing the Engagement 87

Scoping in Frame 87

Motivation in Frame 88

The Right Way In 88

Reverse Engineering 88

Targeting 89

Inbound Access 89

Persistence 89

Egress Controls 90

LOLBins 90

Rundll32.exe 91

Regsvr32.exe 91

MSbuild.exe 92

Cscript.exe 92

Csc.exe 92

Legitimate Usage? 92

Threat Hunting 93

Begin with a Question 93

The Hunt 94

Applying the Concepts 94

Dumping Memory 95

Lateral Movement 95

Secondary C2 96

Proof of Concept 97

Attack Simulations 97

Simulation vs. Emulation 97

Why Test? 98

Risky Assumptions 99

Practice Is Key 100

Tools for Testing 100

Microsoft Defender for O365 101

Atomic Red Team 102

Caldera 103

Scythe 103

Summary 104

Notes 104

Chapter 6 Becoming an Advanced Active Defender 107

The Advanced Active Defender 107

Automated Attack Emulations 108

Using Deceptive Technologies 108

Honey Tokens 109

Decoy Accounts 109

Email Addresses 110

Database Data 110

AWS Keys 111

Canary Tokens 111

Honeypots 111

Other Forms of Deception 112

Web Server Header 112

User Agent Strings 113

Fake DNS Records 113

Working with Offensive Security Teams 114

But We Need a PenTest! 114

Potential Testing Outcomes 115

Vulnerability Identification 116

Vulnerability Exploitation 116

Targeted Detection/Response 116

Real Threat Actor 117

Detection Analysis 117

Scope 117

Scoping Challenges 118

Additional Scope Considerations 118

Decisions, Decisions 119

Measuring Existing Defenses 119

Crown Jewels 119

Selecting a Vendor 120

Reputation 120

Experience and Expertise 121

Processes 121

Data Security 122

Adversarial Attitudes 122

Results 123

Additional Considerations 123

Purple Teaming – Collaborative Testing 124

What Is a Purple Team? 124

Purple Team Exercises 125

Cyber Threat Intelligence 125

Preparation 126

Exercise Execution 126

Lessons Learned 127

Purple Teams and Advanced Active Defenders 127

Summary 127

Notes 128

Chapter 7 Building Effective Detections 129

Purpose of Detection 129

Funnel of Fidelity 130

Collection 130

Detection 130

Triage 131

Investigation 131

Remediation 131

Building Detections: Identification and Classification 131

Overall Detection Challenges 132

Attention Problem 132

Perception Problem 133

Abstraction Problem 134

Validation Problem 135

The Pyramids Return 135

Lower Levels 136

Tools 137

Wrong Viewpoint 137

Bypass Options 138

Higher Levels 139

Testing 140

Literal Level 140

Functional Level 140

Operational Level 141

Technical Level 142

Proper Validation: Both Telemetry and Detection 143

Telemetry Coverage 143

Detection Coverage 144

Testing Solutions 144

Atomic Red Team 144

AtomicTestHarness 145

Summary 146

Notes 147

Chapter 8 Actively Defending Cloud Computing Environments 149

Cloud Service Models 150

IaaS 150

PaaS 150

SaaS 150

Cloud Deployment Environments 151

Private Cloud 151

Public Cloud 151

Fundamental Differences 151

On-Demand Infrastructure 152

Shared Responsibility Model 152

Control Plane and Data Plane 153

Infrastructure as an API 154

Data Center Mapping 154

IAM Focus 155

Cloud Security Implications 157

Larger Attack Surface 158

New Types of Exposed Services 158

Application Security Emphasis 159

Challenges with API Use 160

Custom Applications 161

Cloud Offensive Security 161

Enumeration of Cloud Environments 162

Code Repositories 162

Publicly Accessible Resources 163

Initial Access 164

Phishing/Password Spraying 164

Stealing Access Tokens 164

Resource Exploitation 165

Post-Compromise Recon 165

Post-Exploitation Enumeration 166

Roles, Policies, and Permissions 166

Dangerous Implied Trusts 166

Overly Permissive Configurations 170

Multi-Level Access 170

Persistence/Expansion 171

Lateral Movement 172

Privilege Escalation 173

Defense Strategies 175

Summary 175

Notes 176

Chapter 9 Future Challenges 179

Software Supply Chain Attacks 179

A Growing Problem 180

Actively Defending 180

Counterfeit Hardware 181

Fake CISCO Hardware 181

Actively Defending 182

UEFI 182

Increasing Vulnerabilities 182

Enter BlackLotus 183

MSI Key Leak 184

Actively Defending 185

BYOVD Attacks 185

Lazarus Group 186

Cuba Ransomware Group 186

Actively Defending 186

Ransomware 186

Continuing Evolution 187

Actively Defending 187

Tabletop Exercises 188

Ransomware Playbooks 189

Frameworks 191

Cobalt Strike 192

Silver 192

Metasploit 192

Brute Ratel 193

Havoc 193

Mythic 193

Actively Defending 194

Living Off the Land 194

Actively Defending 195

API Security 195

Defining APIs 195

API Impact 196

Security Significance 196

Actively Defending 196

Everything Old Is New Again 197

OWASP Top 10 197

Old Malware Never (Really) Dies 198

Emotet 198

REvil 199

Actively Defending 199

Summary 200

Notes 201

Index 203