Guarding Your Identity

Once upon a time, we thought of cyber attacks in terms of recon, port scanning, enumeration, vulnerability identification and exploitation and we had various approaches we would use to frustrate attackers at every phase. As the cat and mouse game of security continued, this eventually morphed into an endpoint compromise focused process involving initial access, exploitation, persistence, command and control and lateral movement inside a complex internal network. But with the remote working and SaaS revolution, the way organizations work has changed radically – so what does the cyber kill chain look like now?

This talk will consider what a new SaaS cyber kill chain looks like for modern organizations that are fully SaaS native without any concept of an internal network, and the surprising number of attacks that are possible without touching company owned endpoints or infrastructure. We will consider topics like how the initial access stage is changing due to the availability of so many potential beachheads, what lateral movement looks like in a world with no internal infrastructure to migrate to and how persistence methods have changed and are much more resilient to common containment measures such as password resets and secure device wipes. Finally, we’ll consider how the open-source SaaS attacks matrix can be used by both red and blue teams to help navigate this new world.

In its 7th year, the SOC Survey continues to be a valuable source of peer comparison for Cybersecurity Operations Centers. Christopher Crowley, Founder of Montance®, has authored this survey for each of its editions. He will provide insights, unknowns, and some details of the analysis performed to author the document of more than six hundreds SOCs surveyed.

Crowley will review key findings from the 2023 survey: SOC capabilities, funding, staffing, and challenges. He’ll discuss how SOCs use Threat Intelligence, what technology gets good grades, and which technologies are failing to fulfill their promise.

After executive summary highlights of some survey findings, he’ll delve into details using the public release data from the survey responses. This includes a quick fundamentals review of the setup for jupyter notebook, pandas, and seaborn.

Then, using this environment he’ll discuss analysis considerations starting from data cleaning issues and moving into more advanced analysis. He’ll also provide instructions and code samples that would allow attendees to answer their own questions from the released data. Attendees can download the python Jupyter notebook and data set to follow along during the presentation, or work on afterward.

Then, using this environment he’ll discuss analysis considerations starting from data cleaning issues and moving into more advanced analysis. He’ll also provide instructions and code samples that would allow attendees to answer their own questions from the released data. Attendees can download the python Jupyter notebook and data set to follow along during the presentation, or work on afterward.

This session gives you the headlines, but also the skills to get into the details if you choose. Or, you can come watch and laugh along with him as he typos his way through the python and pandas code.

We’ll dive into Active Directory domain persistence techniques focused on identifying attacks and reclaiming control over organizational domains after a breach. The presentation explores various advanced adversarial techniques such as credential theft on domain controllers, NTDS access, DCSync, and the creation of Golden and Diamond Tickets. It emphasizes the importance of detecting these methods to effectively triage and counteract them. The presentation highlights the need for organizations to be vigilant in monitoring and securing their domains, as adversaries continually seek innovative ways to maintain access, posing significant threats to data security.

Additionally we’ll cover post-compromise strategies, detailing the steps necessary for rotating domain secrets and enhancing Windows Security event auditing to better detect domain persistence activities. We’ll provide a comprehensive guide on resetting and securing various account types, including machine, user, and service accounts, and emphasizes the criticality of rotating the KRBTGT account to prevent the abuse of Golden Tickets. This presentation will serve as a starting guide for critical technique detection generation and organizational recovery scenarios.

It’s rare to find organisations who haven’t dipped their toe into the world of cloud-based Identity Providers. Whether it’s Okta, Ping, Entra ID, or the myriad of other providers gaining traction, the days of managing federated identities with on-premises solutions like ADFS are fading, instead replaced by third party services offering to offload the burden of securing the gates to critical assets.

However, as 2023 has continued to show us, attackers are quick to adapt. And with the rise in breaches coming from targeted attacks against Identity Providers, perhaps the Idp cloud-topia isn’t everything it was promised to be. Nevertheless, there remains a limited availability of information regarding the techniques used in these attacks.

In this talk I’ll aim to lift the lid on the methods we utilise during a Red Team assessment to target Identity Providers. I’ll show the tactics I’ve found to be effective, demonstrate tools and techniques that have proven useful when meeting objectives that lie beyond the Single Sign-On portal. We’ll look at why synchronisation servers should be treated with the same level of protection as domain controllers, look at how attackers within an organisation can pivot to external services protected by Identity Providers, and hopefully equip you with few new tools for your offensive arsenal.

The attack surface within modern cloud-native organisations is vast, with often tens or hundreds of thousands of application instances. Understanding interdependencies in a system of this scale, in particular gaps left open by seemingly innocent configuration changes, is beyond human capability. As such, the current mental model of defense remains list-based; attempting to identify vulnerable configurations of single resources. This illustrates the well-known adage: “Defenders think in lists, attackers think in graphs; as long as this is true, attackers win”

In this talk we will focus on Kubernetes security, using our open source attack path calculator – KubeHound – to pivot the mental model of defense from list-based thinking to graph-based thinking. We will first highlight some of the shortcomings of list-based approaches. We will then demonstrate how attack graphs can address these shortcomings using KubeHound as an example. Finally we will walk through the development process of KubeHound, how we created an abstract graph model of attacks in Kubernetes based on public research, and how the process could be expanded to other domains.

At the end of the talk you should have a good understanding of how graph-based techniques can help address the complexities of security in modern Kubernetes deployments, and a roadmap for creating your own graph based attack model in other domains.

In the evolving landscape of cloud security, automating identity attack path discovery has emerged as a critical strategy for mitigating cyber threats. This talk delves into the concept of “Tier 0” security within the AWS ecosystem and introduces Apeman, a novel prototype tool designed to map and visualize AWS identity attack paths. The discussion will also delve into the challenges encountered during Apeman’s development.

Accessing LSASS memory has been a common goal for attackers due to its management of user credential material. Microsoft has added multiple features to Windows to make gaining such access more difficult including Credential Guard, Remote Credential Guard, and Protected Processes Light (PPL). These features are helpful but irrelevant if an attacker is able to request credentials from the LSA directly. The presentation cover such an approach and how accessing LSASS memory is unneeded to recover a wealth of credential data and to perform other attacker tradecraft.

Configuration Manager (SCCM) attack paths have become more and more common recently. The impact of these attack paths is significant, as they often directly lead to domain compromise, else enable it. In this talk we discuss some of the most critical and common SCCM attack paths we’ve discovered and abused in the wild and how to best mitigate and manage them. Additionally, we introduce a model for SCCM attack path management that can be used by both red and blue.

As we enter 2024, the legacy of NetNTLM, a 30-plus-year-old authentication protocol, continues looming over enterprise security. Despite Microsoft’s advice against its use since 2010, NTLM’s deprecation remains a challenge. Contrary to the belief of most security practitioners who consider NTLM-related attacks to be a solved problem or of negligible risk, attackers have been developing advanced adversary tradecraft abusing NTLM for decades, and it is now one of the most effective avenues for compromising internal systems, including Active Directory and the entire enterprise identity infrastructure.

In this talk, we delve deep into the world of NTLM, uncovering the most impactful techniques for exploiting its vulnerabilities. We’ ll review sophisticated NTLM-related attacks orchestrated by top-tier threat actors, highlighting tradecraft that remains largely unknown in the security community. Our journey will traverse the evolution of NTLM, from its basic concepts to advanced real-world relay scenarios, including subtle yet impactful abuses.

But there’s more than just exposing the problem. We’ll engage in a solution-oriented discussion, exploring effective mitigation strategies, Microsoft’s plans for addressing these vulnerabilities, and the practical challenges in eradicating NTLM’s legacy. Whether you’re a seasoned security professional or new to the field, this presentation will equip you with a nuanced understanding of NTLM’s current risks and prepare you to better attack or defend networks against these enduring threats.

Security domains like Microsoft Entra, Active Directory, AWS IAM and others are highly complex and difficult to examine. BloodHound is a tool that utilizes graph constructs to make these domains easier to reason with to shorten time to discovery of interesting attack vectors. Throughout SpecterOps’ journey in producing BloodHound with a focus on Attack Path Management there have been many engineering hurdles that we have had to overcome. This talk dissects several of the problems encountered and the engineering solutions employed to solve them.

Active Directory Certificate Services (ADCS) is Microsoft’s native PKI solution, used by many organizations to facilitate smart card authentication, TLS certificate issuance and verification, code signing, and other tasks. ADCS is a complicated system with many moving parts and possible configurations, out of which privilege escalation opportunities often emerge. Discovering those opportunities by hand is a tedious, time-consuming, and error-prone process.

In this talk, we will explain and demonstrate how BloodHound dramatically simplifies the discovery, analysis, and execution of attack paths traversing ADCS objects. We will show how with just a few clicks, BloodHound reveals these attack paths in seconds that would otherwise take hours or even days to discover by hand. We will demonstrate how attackers execute these attack paths as well as using common tooling such as Rubeus and Certify.

Dive deep into the world of BloodHound, a tool that has revolutionized the way we identify and analyze attack paths. Despite its benefits, we encounter many teams that struggle to maximize its potential due to time constraints or knowledge gaps. This talk aims to bridge these gaps, unveiling tips and tricks to keep your BloodHound database up-to-date and use it for automatic detection and enrichment.

We’re excited to introduce you to FalconHound, a toolkit designed to augment BloodHound’s capabilities. Discover how FalconHound integrates with a host of security tools, offering features like tracking sessions, environment changes, alerts, and incidents – all in near-real time!

Embrace the power of bi-directional contextual information to prioritize critical alerts better and stop attackers in their tracks before they reach their goal. Learn how tools like BloodHound and FalconHound can serve as extensions of your live monitoring capabilities, helping you catch attackers in real-time and limit the impact of breaches. One of the coolest features is the ability to track active lateral movement, which allows the possibility to stop an attacker in their tracks.

2023 was a breakthrough year for all things Machine Learning, especially for generative use cases. The community saw models and frameworks released at a blistering pace thanks to innovative solutions to fit LLMs onto smaller and smaller devices (LoRA, PEFT, etc). The industry saw the rise of risk assessment frameworks and legislative actions, leading to new requirements for organizations to follow.

Our talk will cover various pairing of these state of the art (SOTA) models and techniques with the traditional security and identity tools like Bloodhound, Seatbelt, and Mythic. We’ll introduce the framework of “Offensive ML” as a discipline and work to use machine learning to support better security solutions. AI promises massive change across cybersecurity, but rather than speculate in the abstract, we’ll focus on practical solutions and demonstrations.

Three years after we published the Attack Path Management Manifesto, BloodHound Enterprise (BHE) has become a cornerstone of the Identity security strategy for hundreds of organizations, uncovering and mitigating billions of Attack Paths in the process.

Join this session to delve into the practical insights gained from real-world deployments and explore leading practices for managing Identity Attack Paths

In this presentation, we delve into the uncharted territories of offensive security using the Mythic C2 platform. Moving beyond traditional red teaming approaches, we explore unconventional agents that redefine how operators interact with target environments. Discover the power of remotely controlling webshells seamlessly alongside beaconing agents from a unified interface, and the creation of agents designed not to act directly on victim systems but to intelligently interact with external services, such as Bloodhound, Ghostwriter, or Nemesis. Join us as we unravel Mythic’s versatility and uncover innovative strategies for achieving red teaming success in today’s dynamic cybersecurity landscape.

Red team operators are often faced with the conundrum of running SharpHound and risking detection, or fighting the uphill battle of mapping Active Directory attack paths without BloodHound’s aid. In this talk, we’ll examine a workflow that grants operators granular control over the speed and depth of Active Directory enumeration, while still leveraging the power of BloodHound’s relationship mapping and Cypher queries. The discussion will also cover common SharpHound detection strategies and how to account for them when approximating a SharpHound data collection.