Preview Mode Links will not work in preview mode

Mar 12, 2020

Dave Kennedy (@hackingDave)

TrustedSec

Released SEToolkit, Pentester Framework (PTF)

PoC release for “Shitrix” bug (was disclosed after Google zero initiative India group)

Jeff Snover, Lee Holmes - Powershell gods

Arguments against release

Tools are released are utilized by the ‘bad guys’

Tooling makes it more difficult to fingerprint who are who they say they are “Fuzzy Weasel Vs. Psycho Toads”

Makes the bad guys job harder by making them have to create the PoC (presumably most bad actors are skids)

 

 

Arguments for release

 

Tools allow for teaching Blue team, and SIEM/logging systems to understand 

Learning how something was created, being able to break down the vulnerability

https://www.bleepingcomputer.com/news/security/new-evasion-encyclopedia-shows-how-malware-detects-virtual-machines/



Show #2:

DerbyCom - Tell us about it

Dave Kennedy Center for gaming and Leadship https://twitter.com/hackingdave/status/1220150360779710464?lang=en 

 

Offensive Security Tool release (PowerShell Empire 3.0)

Powershell is re-released, using Python:
https://twitter.com/BCSecurity1/status/1209126652300709888 

 

Initial tweet:

https://twitter.com/taosecurity/status/1209132572128747520

“We believe that Powershell and Empire framework will remain a major threat vector employed by APTs, malware authors, and Red Teams.” SO WHY ARE YOU UPDATING IT? You are improving capabilities you explicitly say are *used by bad guys.* Scottie, beam me up from this bizarro world.

Affirmations and evidence:

https://twitter.com/taosecurity/status/1209287582439395330 

Nope. One example: Iranian APT “CopyKittens” uses Powershell Empire. Incidentally, I found this example via

@MITREattack

. https://clearskysec.com/tulip/



https://twitter.com/michael_yip/status/1209151868036886528 

One can innovate without sharing with the adversary no? It’s literally how the defense industry work or am I missing something?

 

https://twitter.com/michael_yip/status/1209247219796398083 

… “Are we really justifying lowering the R&D cost of the adversary is the only way to attract talent to the defensive side. Not to mention - no one is saying developing OST is wrong. It’s the way they're being shared that’s problematic”  

 

https://twitter.com/2sec4u/status/1209169724799623169?s=20 

The whole idea is that actors can't just git clone an advanced post exploitation framework which bypasses 95% of organisations defences. It should cost actors time & money to bypass these defences but because red team keep releasing new stuff with bypasses... the cycle continues.

Comments in Support of initial argument

https://twitter.com/IISResetMe/status/1209180945011621889?s=20 

I really _want_ to agree. ... but I also work in an org with million dollar budgets, a dozen full-time detection engineers and analysts and an army of devs and sysadmins, and even we are having a hard time keeping up - how does this arms race "help" non-F500 orgs?

(later discussion does mention that he has a hard time seeing it as net negative) https://twitter.com/IISResetMe/status/1209183774182907904?s=20 

 

https://twitter.com/cnoanalysis/status/1209169633460150272?s=20 

“If we don’t create the offensive tools then the bad guys will!” That is a terrible argument for OST release. “We might as well do something that harms because someone else will do that eventually anyway...” there are so many logical fallacies I don’t have enough space

Rebuttals

https://twitter.com/r3dQu1nn/status/1209207550731677697 

Limiting yourself by not exposing more tooling to defenders is NOT how to improve security. Yikes. The more exposure you provide defenders gives you more detection's/IOC's you can build to help defend against APT's. That's the whole point of Proactive security.

 

https://twitter.com/bettersafetynet/status/1209138002473160707

It's vital that we continue to sharpen our swords. The commoditization of attacker techniques allows better defense against what adversaries are doing.

 

https://twitter.com/dragosr/status/1209213064446279680 

And this whole discussion ignores a simple fact that released information is way better than exploits passed around quietly or kept in stockpile caches regardless of anyone’s metric of responsibility (which is a debatable, very hypothetical line of what’s acceptable or not).

 

https://twitter.com/bettersafetynet/status/1209139099979923457

The very fact that you and others who are taking this side are trying to cajole and brow beat to this position shows how weak your argument is. MITRE ATT&CK took off like gang-busters not because they had a better trolling game, but because it was a great idea implemented well.



https://twitter.com/bettersafetynet/status/1209139578579275776 

It's odd that those who advocate this position point out these reports while ignoring all the vendor patches, all the hardening guidelines, basically all the technical defensive work that ops teams do. Nobody's doubting attackers use these techniques, we doubt your conclusions.

 

https://twitter.com/bettersafetynet/status/1209154592560353280 

My stance is likely to tick off both sides here. I think there are times that limited release is good. But over and over, we've seen where vendors do not change until something is publicly released.

It's odd that those who advocate this position point out these reports while ignoring all the vendor patches, all the hardening guidelines, basically all the technical defensive work that ops teams do. Nobody's doubting attackers use these techniques, we doubt your conclusions.

 

https://twitter.com/r3dQu1nn/status/1209346356151631873

Security is a service that can be improved with products. Having no security or limiting exposure to offensive tool sets increases the chances of a breach. Ethical hackers sole purpose is to help make Blue better. Which is why purple teams are a great resource for any company.

 

https://twitter.com/ippsec/status/1209354476072689664?s=20 

To the people upset by public red team tools. If you cant detect open source tools than what chance do you have at detecting private one off tools. It’s much easier to automate a battle against 100 duck sized horses than it is to face off against a single horse sized duck.

Defender Classification of PowerShell Empire 3.0

https://www.bc-security.org/post/the-empire-3-0-strikes-back

 

Is there a way to protect against it?

 

Where does this sit in the ATT&CK Matrix? 



Features: 

 

Enhanced Windows Evasion vs. Defender

DPAPI support for “PSCredential” and “SecureString”

AMSI bypasses

JA3/S signature Randomization

New Mimikatz version intergration

 

Curveball test (CryptoAPI test scripts)

Dave’s new Esport initiative (opens in February): https://twitter.com/HackingDave/status/1220150360779710464

 

DERBYCON community updates

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#Pandora: https://pandora.app.link/p9AvwdTpT3

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec