Joaquim Espinhara
TSS Cyber
Joaquim Espinhara is a Senior Security Consultant focused on offensive security and application security testing for premier clients.

Joaquim has over 10 years of experience in Information Technology, of which the last 9 years have been dedicated to penetration testing. Recent presentations include Infiltrate, H2HC, YSTS, Confidence, Black Hat USA, Black Hat Brazil Summit, HITB Kuala Lumpur and Roadsec. Previously, he spoke at Silver Bullet and Secure Brasil, among others.

When Red Teams and Blue Teams Cross Paths
Technical Level (3 being the highest score): 2

During Red Team engagements, it is very important to choose carefully which targets will be used to persist on the network after initial access. Persistence plays an important role in this game: it is the key component that allows operators to keep moving forward with the engagement. However, with the help of modern threat-hunting and defensive tools, Blue Teams are reaching a substantial level of protection, pushing Red Teams to develop new Tactics, Techniques and Procedures (TTPs) with each engagement. From the Red Team perspective, one of the most expensive tasks is keeping the "implant" safe, that is, keeping it away from detection mechanisms. Additionally, developing new implant capabilities to bypass modern security solutions is time-consuming.

Advanced Persistent Threat (APT) developers are well aware of how carefully they need to protect their implants, and do not store an implant on just any random server or workstation. As an example, the Equation Group's TTPs, as described in the Kaspersky report, show that the group makes sure to select highly demanded servers and workstations to persist on, keeping their operation running longer, since stopping or rebooting these crucial servers is not an easy task.

With this knowledge of how the Equation Group chooses targets to persist on, we started to develop a methodology, assisted by a tool, that after initial access helps us understand whether the compromised server or workstation is a high-quality target. This understanding guides our next actions against the target.

For a full understanding of the target, we need to collect several pieces of data. To achieve this, we collect all the required data using an open-source project, GhostPack's Seatbelt: "Seatbelt is a C# project that performs a number of security-oriented host-survey 'safety checks' relevant from both offensive and defensive security perspectives." After the data-harvesting phase, we send (exfiltrate) this data to an off-implant location for processing. The processing phase consists of calculating the "implant risk score" associated with the target; this risk defines additional actions against the target, such as persistence. The tool works by applying weights to the collected data based on the Red Team's capabilities, for example:

1 – Red Team "A" has in its Tactics, Techniques and Procedures (TTPs) playbook a good approach (tooling) to bypass a specific endpoint protection product; let's call that product "Melbourne".
2 – Red Team "B", on the other hand, struggles to bypass the "Melbourne" endpoint protection and sometimes achieves it, with an unreliable success rate.

Considering the above scenario, the weight that Red Team "B" assigns to the "Melbourne" endpoint protection will be greater than the weight set by Red Team "A", reflecting that Team "B" lacks full capabilities to bypass this technology.
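The weighting described above, worked through as an added example (this is illustrative code written for this page, not the speaker's tool and not Seatbelt's output). The host-survey records, the weight tables, the thresholds and the product names "Melbourne" and "Sydney" are all constructed; the point is that the same survey data yields different implant risk scores under Team A's and Team B's weights, and that the lowest-scoring hosts are exactly the ones a defender should harden and hunt on first.

```python
"""Weighted "implant risk score" over host-survey data (illustration only).

Everything here is constructed: the survey records stand in for the kind of
host facts a tool like Seatbelt collects, and the weight tables, thresholds
and product names ("Melbourne", "Sydney") are hypothetical.
"""

# Constructed host-survey records (hypothetical; not Seatbelt's real output
# format). Each record holds the few facts the scoring below looks at.
HOST_SURVEYS = {
    "fileserver-01": {"edr": "Melbourne", "role": "file-server",
                      "uptime_days": 412, "logged_on_users": 37},
    "dc-01":         {"edr": "Melbourne", "role": "domain-controller",
                      "uptime_days": 200, "logged_on_users": 2},
    "ws-hr-17":      {"edr": "Sydney", "role": "workstation",
                      "uptime_days": 3, "logged_on_users": 1},
}

# Hypothetical weight tables. Positive weights mean the attribute raises the
# chance the implant is detected; negative weights mean the host is hard to
# stop or reboot, which lets a persistence mechanism survive longer.
# The two tables differ only in "edr:Melbourne": Team B has no reliable way
# past that product, so it weighs it much higher than Team A does.
TEAM_A_WEIGHTS = {
    "edr:Melbourne": 2, "edr:Sydney": 5,
    "role:domain-controller": 6, "role:file-server": 1, "role:workstation": 3,
    "long-uptime": -3, "many-users": -1,
}
TEAM_B_WEIGHTS = {**TEAM_A_WEIGHTS, "edr:Melbourne": 8}


def survey_tags(survey):
    """Turn one survey record into the set of tags the weight table keys on."""
    tags = {f"edr:{survey['edr']}", f"role:{survey['role']}"}
    if survey["uptime_days"] >= 180:      # threshold is a constructed choice
        tags.add("long-uptime")
    if survey["logged_on_users"] >= 10:   # likewise constructed
        tags.add("many-users")
    return tags


def explain(survey, weights):
    """Per-tag contributions; tags absent from the weight table count 0."""
    return {tag: weights.get(tag, 0) for tag in sorted(survey_tags(survey))}


def risk_score(survey, weights):
    """Implant risk score = sum of the weights of the host's tags."""
    return sum(explain(survey, weights).values())


def rank_hosts(surveys, weights):
    """Hosts ordered from most to least risky for an implant (ties by name)."""
    scored = [(host, risk_score(s, weights)) for host, s in surveys.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def blue_team_watchlist(surveys, weights, threshold):
    """Defender's view: hosts at or below the threshold are the ones a red
    team (or an intruder with similar capabilities) would pick to persist on,
    so they are the first candidates for tighter permissions, extra
    host-based controls and focused hunting rules."""
    return [host for host, score in rank_hosts(surveys, weights)
            if score <= threshold]


if __name__ == "__main__":
    for team, weights in (("Team A", TEAM_A_WEIGHTS), ("Team B", TEAM_B_WEIGHTS)):
        print(team)
        for host, score in rank_hosts(HOST_SURVEYS, weights):
            print(f"  {host:<14} {score:>3}  {explain(HOST_SURVEYS[host], weights)}")
    print("Blue Team watchlist (Team A weights, threshold 0):",
          blue_team_watchlist(HOST_SURVEYS, TEAM_A_WEIGHTS, threshold=0))
```

Under Team A's weights the busy file server scores lowest (its long uptime and many logged-on users outweigh a product Team A can already bypass), so a Blue Team using that profile would put it at the top of its watchlist; under Team B's weights the same host no longer looks attractive, which is the capability difference the two weight tables encode.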

At first, this methodology was created to protect the Red Team's implant, but it turned out that it could also be very useful for small, low-budget Blue Teams, helping them categorize their risky assets.

This talk will give an insight into how the same data can guide two different teams towards their specific goals. Red Teams will be able to know the risk associated with a target and draft safe actions to keep the engagement moving forward. Also, if the Red Team is able to collect data from several targets, that data can be used to identify deception hosts/servers. On the flip side, from the Blue Team's point of view, knowing in advance which targets are most likely to be picked by a Red Team or by bad actors offers the chance to apply more restrictive permissions, additional host-based protections and fine-tuned threat-hunting rules.