Episode 6: The State of APM – Tradecraft Trends

November 20, 2025

Host: Jared Atkinson, Chief Technology Officer, SpecterOps

Host: Justin Kohler, Chief Product Officer, SpecterOps

Guest: Andrew Chiles, VP of Tradecraft, SpecterOps

Know Your Adversary

In this episode of Know Your Adversary, Jared Atkinson and Justin Kohler talk with Andrew Chiles, VP of Tradecraft at SpecterOps, about the latest trends in tradecraft. Andrew breaks down how real assessment data is reshaping identity-focused attacks, why hybrid and SaaS environments create new pivot opportunities, and how browser-based session abuse is changing the game. He also shares insights on modeling emerging techniques, shortening the attacker–defender feedback loop, and what these evolving patterns mean for organizations trying to stay ahead.

00:00:11:09 - 00:00:17:00
Justin Kohler
Hi. Welcome back to the Know Your Adversary podcast. I'm Justin Kohler and I’m joined by Jared Atkinson. Today

00:00:17:00 - 00:00:20:23
Justin Kohler
we have Andrew Chiles, who's talking about trends in attacker tradecraft.

00:00:20:23 - 00:00:25:08
Justin Kohler
Andrew, what, what made you want to, you know, put that article out like

00:00:25:08 - 00:00:28:06
Justin Kohler
kind of give your overview of your role and like, what gives you that?

00:00:28:06 - 00:00:51:06
Andrew Chiles
Like, overview of what's going on: my current role at SpecterOps is VP of Tradecraft, which is really to oversee all tradecraft at SpecterOps and how we, one, create that, distill it into trainings and inform our consultants on what that tradecraft is, refine it, enable them, our clients and our community as well. So triple C: consultants, clients, community. There you go. I made it up.

00:00:51:09 - 00:01:10:25
Andrew Chiles
So, from that, one of the things we want to do as well is enable BloodHound, expanding the graph. So we want to look at trends across our operations. Now, with our cadence of over 50 consultants, we're operating about 100 assessments, penetration tests, red teams, every year. So that's a lot of data. And historically we haven't done a great job in, like, processing

00:01:10:25 - 00:01:24:21
Andrew Chiles
that. It's just by, like, vibe coding, for, I hate that term, but vibe riffing off of what attack paths should we add to the graph next. Yeah. So now we have this data. In my role I want to start looking at, I am starting to look at, the trends in identity tradecraft.

00:01:24:21 - 00:01:28:08
Justin Kohler
And how that’s changed over time. So you mean like like you're exposed to all these new environments.

00:01:28:08 - 00:01:41:00
Justin Kohler
And maybe in the past we were like, what would we add to BloodHound next and where? That was maybe a little bit of, like, more of an art than a science. You're saying you're trying to collect all of that over your different engagements.

00:01:41:00 - 00:01:43:24
Andrew Chiles
Right? Right. You're more of a feel versus data driven. Yeah.

00:01:43:24 - 00:01:56:22
Justin Kohler
Like, how do you determine whether this should, this might be a candidate to put into BloodHound, like, like when something happens in the client environments, like how do you take that out of the consultants, for like postmortems and stuff, like, I guess, what's

00:01:56:22 - 00:01:56:25
Justin Kohler
that

00:01:56:25 - 00:02:26:07
Andrew Chiles
process? Well, it's evolved over time. We do post-mortems, a retrospective after every engagement. We also have reports that have a detailed attack path narrative and a diagram, which is a representation of the graph; maybe some of that is modeled today in BloodHound, some of it's not. One of the things we can do is, if we standardize on the edges, or the attacker techniques, and the nodes that we know are in BloodHound today, we can, say, parse that report (we're working on this as well with our research team) programmatically to say this is a node we never talked about before.

00:02:26:12 - 00:02:41:17
Andrew Chiles
This is technology we never talked about before, or an edge, an attacker technique, we don't have a model for. Yeah. And so that's one instance of that. That we keep seeing that, there's frequency analysis. Okay, one, two, three over different clients, not just the same client. The different clients at the time, then that's a signal

00:02:41:17 - 00:02:50:27
Andrew Chiles
that goes back. But the frequency analysis, yeah, it goes back into the research as a feedback loop that just basically says, hey, maybe we should put some time into understanding how this works better.

00:02:50:27 - 00:02:51:20
Jared Atkinson
Or maybe

00:02:51:20 - 00:03:07:07
Jared Atkinson
it's, it's not necessarily understanding how it works. It's how do we describe it in a consistent way every single time so that then we can model it, right? Because it's great that individual red teamers understand how to take advantage of a system. But the question is, how do we make it to where we enable the community, right,

00:03:07:12 - 00:03:26:09
Jared Atkinson
everybody, to have that same viewpoint? How are we, like, kind of pushing that tradecraft down to where now you can identify that there's a tradecraft opportunity, and also, like, BloodHound Community Edition, for instance, will tell people this is how you actually traverse this edge. Right? So you see this edge, this is a tool or maybe a command line that you should use to be able to try to get from point

00:03:26:09 - 00:03:28:21
Jared Atkinson
A to point B to tighten that feedback loop as well.

00:03:28:21 - 00:03:37:25
Andrew Chiles
Like, we don't want attack paths to just live in a report that we deliver and then don't do anything with. So we have this data source; let's tighten the feedback loop with the graph and help expand OpenGraph.

00:03:37:25 - 00:03:46:12
Jared Atkinson
And one of the things that I think we try to do is, you mentioned how some of the, some of the attack path is already modeled in BloodHound.

00:03:46:12 - 00:04:02:14
Jared Atkinson
That's great. Right. That's, that's a well-worn trail, so to speak. Right. And then, and then eventually, often, right, in order to achieve whatever your objective is in the, in the Red Team, you're going to have to bushwhack a little bit, right? So you're going off, off the beaten path and you have to kind of, like, find your own way.

00:04:02:14 - 00:04:09:22
Jared Atkinson
Right. And that's a really cool opportunity. Can you tell us about, like, maybe what a scenario might look like in that situation?

00:04:09:22 - 00:04:14:04
Andrew Chiles
It all depends on the objective. Say a Red Team engagement. Yeah. What the client cares about.

00:04:14:04 - 00:04:21:10
Andrew Chiles
What are their Tier Zero or critical assets? Today in BloodHound, maybe that's Active Directory and Entra, these principals. And.

00:04:21:12 - 00:04:48:26
Andrew Chiles
We have privilege zones as well. Let's say they want to, their critical zone is a technology we don't see, that's a Kubernetes or a SaaS app, that's like that. They're like, electronic health records. Yeah. We want to see if you can target that application. So one thing, back to my beginnings in 2012 when I started Red Teaming, you know, we were attacking passwords and hashes, like, that's basically what we're looking for.

00:04:48:28 - 00:05:11:25
Andrew Chiles
Password spraying, pass the hash. Like, that was the tradecraft, like your targets were on, on-prem systems, legacy Active Directory. So if you got access to a user, you did the identity snowball, or collection, privilege collection over time to get to a domain admin. I mean, like, you could get whatever you wanted. And it was on Active Directory. Now it's more, instead of AD

00:05:11:28 - 00:05:37:28
Andrew Chiles
and, like, on-prem being the perimeter, it's the identity that is the perimeter. So often what we're actually attacking is, what we leverage on-prem is a means to an end. Everyone, on-prem is more just a weak point and a jumping point to get into a SaaS or hybrid environment. So in this case, the electronic health record system, that's on some SaaS app, we will target Active Directory through phishing, or what well-known attacker tradecraft gets you to that, or get seeded access, if it's, the client is,

00:05:37:29 - 00:06:02:12
Andrew Chiles
if we're going to allow you to start from this point, and then it's normal AD tradecraft. To point Active Directory comes escalation through Active Directory Certificate Services, for example, or NTLM relay, as Elad talked about in the previous episode, to escalate to something like a management system like SCCM, for example, which is not currently modeled in BloodHound well, but we have a well-known set of attacker techniques that Misconfiguration Manager

00:06:02:14 - 00:06:24:11
Andrew Chiles
lays those out, like Duane Michael. So we can leverage that. Okay. We have access to an entire AD system. Where do we want to go? Well, if the EHR system is what we want, who has access to the EHR system? Well, we can infer that through group membership and names and descriptions in AD. Okay, this is the EHR admin's workstation. Then use this management plane to pivot to his workstation.

00:06:24:11 - 00:06:44:17
Andrew Chiles
And then from there, this is the newer tradecraft. Like, what sessions does he have in his browser? What cookies with active sessions that already, you bypassed MFA claims, or authenticated? You have an identity in transit. Yeah. You talked about, we can compromise that using a lot of techniques that aren't super new, but the techniques we use today are different from early.

00:06:44:24 - 00:07:05:26
Andrew Chiles
Yeah. Browser pivoting was released in 2013 by Raphael Mudge in Cobalt Strike. That was one of the first: hey, if I'm on this workstation, I can be the user through the browser, I can ride their browser session. I'm not worried about the tokens or certificates, whatever they're using. I can just, whatever's there, even a privileged access card or CAC. Yeah. I can just ride that session now, and other tradecraft is essentially the same.

00:07:06:02 - 00:07:09:09
Andrew Chiles
And what we're targeting is not SharePoint. It's a hybrid

00:07:09:09 - 00:07:28:21
Jared Atkinson
system. Yeah. And often they, a security control that organizations often use is, like, network access controls, which says this system can only be, it's not available on the internet. Let's say it's only accessible from our internal corporate environment. But the point. Yeah, but the, the problem is that the attacker already has access to the corporate environment.

00:07:28:21 - 00:07:48:17
Jared Atkinson
That's where they got the cookie from. And so they can just do the browser pivoting, and then it appears as if they're coming from the corporate environment. And so that, that type of attack, or that type of security control, doesn't address that approach. Right. It addresses, like, me exfiltrating the cookie or getting the username and password and trying to just go from my computer in my house to the internet.

00:07:48:19 - 00:08:02:24
Jared Atkinson
But it doesn't, it doesn't resolve that issue of once I have access to the on-prem environment. And on-prem, in a lot of cases, means AD, but it doesn't, it's not limited to that. Right? You can talk about Mac, macOS computers, right? A lot of kind of new-age companies will have a macOS fleet.

00:08:02:26 - 00:08:13:17
Jared Atkinson
Maybe you're talking about, like Intune or Entra devices, right? There's all kinds of different ways. But at the end of the day, users are using computers. And if I get control of that computer, I now have access to

00:08:13:17 - 00:08:20:08
Jared Atkinson
everything that you're logged into. That's where it gets into the access graph versus the attack graph. Yeah. There is going to be a way.

00:08:20:10 - 00:08:33:15
Andrew Chiles
Yeah. They have permissions, an access graph. Right. That's what keys unlock what doors. Yeah, okay. Once you're in that door, what other doors can you access? Right. And so we can see, you can see they have permissions. The attacker can find a way.

00:08:33:15 - 00:08:41:10
Justin Kohler
Yeah. So it, like, access graph again. Like, what we're talking about is not the, not what I have now with the identity that I've taken over today,

00:08:41:10 - 00:09:01:10
Justin Kohler
but what can I get, take over. So how can I take my identity, take over your identity, attacker's perspective, accumulate all of that privilege? Yeah. I remember explaining this. I mean, the browser cookies and all of those different ways that you, you guys use, like, elevated privilege and pivot on the identity side, is really eye-opening to people, right?

00:09:01:10 - 00:09:20:22
Justin Kohler
Like, I had to explain to somebody on the Conditional Access and Continuous Access Evaluation that, like, yes, I cannot take the bearer token and play it from a different computer, but I had to get access to your computer to get the bearer token, so I'll just use your computer already to pivot through. Yeah. So, it's really interesting, like, just backing up your point.

00:09:20:22 - 00:09:39:08
Jared Atkinson
Yeah, it doesn't cover the source of risk. I mean, I saw an article from Slack, and this is not to denigrate the approach, right, because it is useful to reduce the opportunity. Right. But the, Slack had a similar thing, which was we want to stop these replay attacks where somebody steals your Slack token and then is able to, like, get access to your messages and that kind of thing.

00:09:39:12 - 00:09:56:23
Speaker
And what they found is that, this is like a huge summary and paraphrase, but they, they found that they were trying to monitor, like, where the same token was coming from two different computers. And they said that if we try to monitor, like, two sessions using the same token from the same computer, there were too many false positives.

00:09:56:23 - 00:10:03:20
Jared Atkinson
And so then, like, what we're going to do is we're just going to look for the same token being used, sessions being established with the same token, from two different computers. And it's like,

00:10:03:20 - 00:10:11:17
Jared Atkinson
okay, that informs, as an attacker, that would have informed you of maybe how you should be approaching this problem. Right? Because they just told you what the gap is.

00:10:11:20 - 00:10:13:03
Jared Atkinson
And so now I'm just going to try to make sure that I

00:10:13:03 - 00:10:26:18
Andrew Chiles
And we've seen an operational security mistake. Yeah. All the time. Like, previously you dump the cookies, just bring them locally. And then what's the easiest thing to do is to load them up in your browser and go. Like, that used to work. But now detections are

00:10:26:18 - 00:10:26:25
Andrew Chiles
better.

00:10:27:00 - 00:11:02:14
Andrew Chiles
Yeah, it is easier. It's probably more, it's probably faster, right? It's more responsive. It's not, like, artifact. Yeah, yeah. For the same, your network egress point is not the same, your browser is not the same. So that trips alerts like that. But in the active session, things like browser pivoting or correctly dumping everything about that system and modeling it locally and then routing your connection through that computer to bypass is, like what you mentioned is, like, you know, that, that, there's kind of a related question I have, and I'm hoping you can tell the story you're talking about. Like, if I, if I pivot to somebody's workstation, I take a

00:11:02:14 - 00:11:17:28
Justin Kohler
cookie, I can't, you know, the tradecraft was I would play that from my host. Right? But now it's like, you have to stay within that window on the, on the host and then execute then. And so it's kind of like, it's always a cat and mouse game. Right. Exactly. You're playing within the, the operational cycle the defender leads you, um.

00:11:18:01 - 00:11:29:26
Justin Kohler
Do you know, like, David McGuire, CEO, you know, likes to tell the story about how, like, he was working, or like, we were engaged with a client and all he had to do was operate within a response window.

00:11:29:26 - 00:11:37:09
Andrew Chiles
All right, you know, do you know that story? Yes, this is one we tell in our Red Team Operations, is a story that, like the game of telephone, it's been passed down generations.

00:11:37:11 - 00:11:57:19
Andrew Chiles
Yeah, I don't, I know it's hard, but it's like a legend. Yeah. Man, myth, legend, Dave McGuire at this point. And so that story we tell. Like, why Red Team operations, why we do Red Team operations, Red Team engagements, yeah, versus just, like, a pentest. Like, why, why you want to activate the defender in an exercise. That's why that's important. The challenged assumption is that your response processes are going to work.

00:11:57:21 - 00:12:20:02
Andrew Chiles
And that story, effectively, we were caught and the defenders knew the Red Team was there, we were operating for some time. And their response process was, hey, this domain is beaconing. I don't know if it's DNS C2 or HTTP C2, but this domain name is beaconing, we need to block it. So they put in a ticket for their system, for the network administrators to put in a block. I don't know if it's a DNS block or firewall block, but

00:12:20:03 - 00:12:37:06
Andrew Chiles
it was DNS-based, it wasn't IP-based. Block this domain name. That was a 24-hour response cycle before that team would pick up the ticket and actually implement the block. So I don't know how we found it out, but we found it out, and so you operate within, say, every 12 hours you rotate it, then

00:12:37:06 - 00:12:41:22
Andrew Chiles
that response was effectively mitigated. So you don't, but you don't lose your access because you're just staying with it.

00:12:41:22 - 00:12:59:06
Justin Kohler
Like, you know, the, the defender can see you. They're trying to do whatever they can. Yeah. But they can't do anything because they can't respond fast enough. As a, as a former Air Force officer, I just have to point out the OODA loop, right? Yeah, yeah. Observe, orient, decide, act. If your OODA loop is shorter than their OODA loop, then you're going to

00:12:59:06 - 00:12:59:23
Jared Atkinson
beat them.

00:12:59:23 - 00:13:20:09
Andrew Chiles
So if you're far enough in the network, you're monitoring the defenders, what they're doing. Definitely have, definitely done the Red Team engagements like you're in the Slack, they're in the channels, you just sit, monitor. You're like, oh, we see there's an uptick in action. That's probably what happened. Through keystroke logging. Yeah. You know, if you're not in an actual channel, just monitoring their own activity on their host, you can see what they're doing.

00:13:20:12 - 00:13:39:13
Jared Atkinson
We were, a fun story. We, there, when I was in the Air Force, there was this exercise where NSA Red Team was the, was the adversary. And it's called Terminal Fury 12, for those that are following along. And it's, like, legendary within the military, DoD, like, Red Team space, I guess.

00:13:39:20 - 00:13:53:09
Jared Atkinson
And I just remember we had this big operation where we were, we had identified where they were, we understood how their implant worked. And so we had, we had created this, like, response campaign where we were just going in there all over the freaking place, that we were going to just get rid of them all in one fell swoop.

00:13:53:15 - 00:14:14:11
Jared Atkinson
But then, like, one, one general officer had sent an email to another general officer to, like, describe the timing of, of the operation. And then we ran, we ran the campaign and, like, literally, it was as if nothing was there anymore. I was like, oh boy, that's not good. And then the next day, they had set off,

00:14:14:11 - 00:14:25:24
Jared Atkinson
we were in, like, a, we're in the AOC, their operations center, and they had set off a thing to where every computer started playing Thunderstruck by AC/DC. I thought, okay, you were, you might have been the guy.

00:14:27:16 - 00:14:52:19
Justin Kohler
Okay. I have a, I have a kind of a hard pivot question, but, you know, you mentioned, like, back in the day, like, you know, pivoting through Active Directory, phishing, getting access, and, and, but, and then now you mentioned, like, you might use Active Directory, but it's to pivot to something else, just about, like, bearer tokens and stealing that from our, like, playing from our, our host versus the, you know, host you control.

00:14:52:22 - 00:15:05:10
Justin Kohler
I guess any other, like, shifts that you're seeing across clients or consulting, like, what's something that's been, you, I remember a couple of years ago we started seeing, like, CI/CD abuses, like, everybody was asking

00:15:05:10 - 00:15:12:08
Andrew Chiles
for a CI/CD, especially, I, I could talk to that, hybrid paths, other identity providers like Ping and Okta. Then we'll

00:15:12:08 - 00:15:12:19
Andrew Chiles
log in.

00:15:12:20 - 00:15:21:03
Justin Kohler
Does a client, does a client ask you to use a hybrid path, or do they say this is your objective? And then you show how

00:15:21:03 - 00:15:31:16
Jared Atkinson
It's the latter. There's the objective we care about, especially in the Red Team engagement. We want you to show impact in these ways we care about. How could you get to these things? Yeah. We detect you along the way.

00:15:31:16 - 00:15:39:03
Justin Kohler
How do they, you know, you might have a finding that traverses 3 or 4 different platforms or like Active Directory.

00:15:39:05 - 00:15:48:19
Justin Kohler
That's very common. Entra. And, how do you, how do you break those apart? Like, what does the client see, do they see, like, the combination of a couple of different problems? Or is it one

00:15:48:19 - 00:15:55:11
Andrew Chiles
problem. And we should always, one overall attack path. Yeah. Yeah. In a Red Team report, that's also one of the challenges. Red Team report.

00:15:55:11 - 00:16:10:14
Andrew Chiles
We show you one, two, three, maybe, the attack paths we took, we chose to take. Yeah. Whereas there were maybe millions, depending on size of the environment, that you could have, we could have actually taken to achieve that objective. That was just the shortest path for us. Right? The easiest path for us there at the time, to achieve the objective.

00:16:10:14 - 00:16:16:09
Jared Atkinson
The danger of reading the Red Team report is assuming that the Red Team report is comprehensive, right?

00:16:16:11 - 00:16:39:15
Jared Atkinson
They are, the, the attack paths that are described in the Red Team report are meant to be representative of a problem. And so, like, just because you fix those doesn't mean you actually fix the problem. You may have made a, like, by fixing the attack paths described in the Red Team report, you may have made an inconsequential change to the overall security of your environment, but it's like this is, yeah, it's a, it's an archetype of what is possible.

00:16:39:15 - 00:16:59:08
Justin Kohler
Yeah. It's like, to, like, my favorite analogies, like Bane in The Dark Knight Rises, right? Like it's, it's like if you just shut down the Brooklyn Bridge because that's how somebody came across to Manhattan, you haven't shut down access to Manhattan. There's still 12 or 15 other bridges, right, connecting it. So, like, to your point, this is the one that you highlight.

00:16:59:08 - 00:17:16:03
Justin Kohler
And there's, there's, like, the testing response, like there's, there's certain things that attack path management can do, but there's certain things that it can't, like staying within the detection response process and not highlighting that problem. That's not gonna be highlighted by an attack path. But that's just, like, testing your team. Right. So,

00:17:16:03 - 00:17:20:07
Andrew Chiles
there's also the Red Teaming, because these are things that attack path management today,

00:17:20:09 - 00:17:23:20
Andrew Chiles
tools, yeah, they can't show you. Yeah. Exactly. So you want to augment that.

00:17:23:20 - 00:17:29:04
Justin Kohler
Yeah. So you, you, you have this much visibility. But we can pivot through our expertise to

00:17:29:04 - 00:17:32:21
Andrew Chiles
want to operate on the edges. Yeah. Like, look for additional seams

00:17:32:21 - 00:17:35:20
Andrew Chiles
between what we know today, model today, and what exists.

00:17:35:20 - 00:17:49:01
Justin Kohler
So I don't know if this is a fair question, but, like, is there anything that you guys are trying to get, like, what, what would be, like, what do you think is an area of opportunity, I guess, that I would see popping up more, and, like, it's like, do you want to go more up this?

00:17:49:03 - 00:17:55:25
Justin Kohler
Do you want to, like, do we want to, like, do some research on GCP, AWS, right, Okta. Right.

00:17:55:25 - 00:18:01:29
Andrew Chiles
We have other cloud providers, although that's a can of worms, because if you say, I want to operate in AWS, which

00:18:01:29 - 00:18:06:14
Andrew Chiles
service? Yeah, I mean, AWS is, it's kind of like,

00:18:06:14 - 00:18:10:05
Andrew Chiles
yeah. But I think some other identity provider again.

00:18:10:07 - 00:18:12:08
Andrew Chiles
Yeah. Okta like that is

00:18:12:08 - 00:18:34:13
Andrew Chiles
in the State of APM report. We talk about several of those. Yeah. And how they, their interrelationships from on-prem to, like, federating identity to these cloud IDPs, and we all, we, we always exploit those, the IDP itself. That's not directly exploiting the IDP, we're not directly attacking it. We're looking for the seam where it connects from an on-prem environment.

00:18:34:13 - 00:18:35:26
Andrew Chiles
Most, most often.

00:18:35:26 - 00:18:52:25
Justin Kohler
Yeah. I'm, like, full of analogies right now, but it's like that episode, or the, what's it, like the second Matrix, where he's, like, using the back doors to pivot through, like, the different environments, right? You're, yeah, you're not attacking Okta itself. So you're using Okta to move through, like, to elevate privilege, like, as you go between different platforms.

00:18:52:25 - 00:18:53:27
Justin Kohler
Yeah. Yeah. That's really

00:18:53:27 - 00:19:20:20
Andrew Chiles
cool. And one of the seams we talked about in the report was from macOS hosts. It was using Okta federated identity to access everything there, kind of a remote-first, zero trust organization. Maybe not on-prem traditionally. But that user, once they get access to Okta from a seeded workstation or macOS host, you can get into GitHub, and GitHub had several different repositories that they could access.

00:19:20:22 - 00:19:48:18
Andrew Chiles
And one of them was configured with an OIDC, OpenID Connect, configuration for a native AWS principal, and had a privileged role effectively. And the policy assigned to that was a startup star. So while they essentially allow any branch on this repository to assume the permissions of that privileged AWS role. So from Okta to GitHub, now okay, I can create a branch, which is not a super privileged function, just a generic branch.

00:19:48:20 - 00:19:54:11
Andrew Chiles
Update that action and say perform a privileged operation in AWS. Assume that

00:19:54:11 - 00:20:10:24
Justin Kohler
I have, like, reminds me, like, Andy did some similar research on, like, you presented on the traversal between GitHub and Entra ID, and it was pretty surprising. It's like, oh gosh, you just trust this external source. And I was like, what?

00:20:10:24 - 00:20:19:02
Justin Kohler
What is it, within the, the existing platform, seems benign, but then you combine it with how you think, like, yeah, it's really nasty.

00:20:19:02 - 00:20:22:11
Justin Kohler
Well, we want to thank you, Andrew, for joining us. It was awesome.

00:20:22:11 - 00:20:31:16
Justin Kohler
It was, like, the, article in the report, the transit identity security, is super cool just to see what, like, your, like, your team is doing to kind of progress the tradecraft.

00:20:31:16 - 00:20:35:26
Justin Kohler
It's, that's super cool. And, like, although obviously you have the most fun war stories, I

00:20:35:26 - 00:20:41:26
Justin Kohler
think for sure. Right. So thanks for joining us. And, we'll see you next time. Thank you.