Adversarial Tradecraft in Cybersecurity
eBook - ePub

Adversarial Tradecraft in Cybersecurity

Dan Borges

  • 246 pages
  • English
  • ePUB (mobile friendly)

About This Book

Master cutting-edge techniques and countermeasures to protect your organization from live hackers. Learn how to harness cyber deception in your operations to gain an edge over the competition.

Key Features
  • Gain an advantage against live hackers in a competition or real computing environment
  • Understand advanced red team and blue team techniques with code examples
  • Learn to battle in short-term memory, whether remaining unseen (red teams) or monitoring an attacker's traffic (blue teams)

Book Description
Little has been written about what to do when live hackers are on your system and running amok. Even experienced hackers tend to choke up when they realize the network defender has caught them and is zeroing in on their implants in real time. This book will provide tips and tricks all along the kill chain of an attack, showing where hackers can have the upper hand in a live conflict and how defenders can outsmart them in this adversarial game of computer cat and mouse. This book contains two subsections in each chapter, specifically focusing on the offensive and defensive teams. It begins by introducing you to adversarial operations and principles of computer conflict, where you will explore the core principles of deception, humanity, economy, and more about human-on-human conflicts. Additionally, you will understand everything from planning to setting up infrastructure and tooling that both sides should have in place. Throughout this book, you will learn how to gain an advantage over opponents by disappearing from what they can detect. You will further understand how to blend in, uncover other actors' motivations and means, and learn to tamper with them to hinder their ability to detect your presence.
Finally, you will learn how to gain an advantage through advanced research and thoughtfully concluding an operation. By the end of this book, you will have achieved a solid understanding of cyberattacks from both an attacker's and a defender's perspective.

What you will learn
  • Understand how to implement process injection and how to detect it
  • Turn the tables on the offense with active defense
  • Disappear on the defender's system by tampering with defensive sensors
  • Upskill in using deception with your backdoors and countermeasures, including honeypots
  • Kick someone else off a computer you are on and gain the upper hand
  • Adopt a language-agnostic approach to become familiar with techniques that can be applied to both the red and blue teams
  • Prepare yourself for real-time cybersecurity conflict by using some of the best techniques currently in the industry

Who this book is for
Pentesters to red teamers, security operations center analysts to incident responders, attackers, defenders, general hackers, advanced computer users, and security engineers will benefit from this book. Participants in purple teaming or adversarial simulations will also learn a lot from its practical examples of processes for gaining an advantage over the opposing team. Basic knowledge of Python, Go, Bash, PowerShell, and system administration, as well as knowledge of incident response in Linux and prior exposure to any kind of cybersecurity knowledge, penetration testing, and ethical hacking basics, will help you follow along.


Information

Year: 2021
ISBN: 9781801078146

Chapter 6: Real-Time Conflict

Eventually there comes a time in these attack and defense operations when you find yourself active on the same machine as an aggressor or defender. Perhaps a defender has homed in on the attacker and made the mistake of revealing both actors are on the same machine, at the same time. This chapter will provide techniques for when two hostile parties become aware of each other on the same machine. It will show quick and decisive actions you can use to gain the advantage in this situation, as either an attacker who spies on the defender or as the defender with ultimate control over the situation. In this chapter, we will examine techniques to restrict, block, or even exploit other users on the same machine for more information.
As an operator, we never really want to engage the opposition directly, rather we want to leverage our advantage over them by remaining hidden, as we have seen in previous chapters. Regardless, sometimes your hand is forced, and you find yourself face-to-face (or terminal-to-terminal) with your adversary. This chapter will show you several tricks you can use to get the upper hand and wrestle back control from an aggressor. While this chapter starts from an offensive perspective, looking at how we can exploit other users on the same machine to get more credentials or pivot through their established access, it ends with ways to shut down your opponent, restricting their permissions and ultimately their access. This chapter is split into two perspectives like the rest of the book, but this chapter is also special in the sense that many of these techniques can be used by either side. In all chapters, we want to apply the lessons of the opposition to our side, but in this chapter especially, we can apply the offensive techniques later as the defense, and the defensive techniques of kicking out unwanted operators as the offense.
In the defensive section, we will explore many ways to directly expel a threat from a machine you are on. These techniques should also be considered by attackers for fortifying their access; however, it is critical to keep in mind the principle of physical access. If an attacker completely locks a defender out of a machine, the defender will have no recourse but to physically collect the machine, pull it offline, and forensically analyze it. Likewise, at the end of the defensive section, I briefly cover the taboo subject of hacking back. If the defender can pivot into the attacker's infrastructure at any point, or potentially even keylog the attacker, they can gain tremendous insight into the offense's operations and have a much better chance of attributing the attacker. In this chapter, we will look at the following subjects:
  • Situational system awareness
  • Clearing Bash history
  • Abusing Docker
  • Keylogging
  • Screenshots
  • Getting passwords
  • Searching for secrets
  • Backdooring password utilities
  • Hijacking lateral movement channels
  • Triaging a system
  • Performing root cause analysis
  • Killing processes
  • Blocking IP addresses
  • Network quarantine
  • Rotating credentials
  • Restricting permissions
  • Hacking back

Offensive perspective

From the offensive side, we will look at various keylogging methods, essentially ways to get more intel from the defender or other users of the same machine. One of the major themes of this chapter will be keylogging, or otherwise obtaining secret key material, to access new hosts. By leveraging the principle of humanity, attackers can exploit the users of systems to get their keys or passwords, move to new hosts, and preferably reach administrative applications.
Another goal as an attacker, once uncovered by the defense, is to let the defense think they've won but maintain your access through stolen credentials or rootkits that we've explored in previous chapters. In the last chapter, we saw ways to blind the defender's tools. Later, in the Defensive perspective section of this chapter, we will see several techniques for blocking a user from accessing a machine completely, which are viable techniques the offense can use for blocking defenders as well. In this section, we will also examine pivoting to new hosts and abusing existing connections. If you are losing access to a machine, it can be worthwhile to create a diversion on a machine you care less about, while pivoting to a machine that is in line with your goals. The art of creating diversions to cover your tracks and pivoting out of bad situations is a rare attacker skill. The offense should absolutely leverage the techniques in the defensive section to hamper, delay, and thwart defensive teams to buy more time for the attacker to pivot. Now more than ever, sleight of hand is crucial. Sometimes the attacker will need to give up one position or take a server down to create a distraction while pivoting to a new host. This deception may be a way to trick the defender into thinking you have left the environment altogether while you maintain access. In the last chapter, we saw how a defender could also replace binaries on a system with their own backdoors or trap programs. It can help both the offense and defense to have your own list of statically compiled utilities. You can bring these tools over if they are not available on the victim machine[1]. In the later parts of this section, I will show how to pivot through existing access from other users on the same machine as you. Pivoting through other users' access is another way to cover your tracks as an attacker, by mixing known malicious techniques with known legitimate access.

Situational awareness

It is vitally important that attackers understand which defensive technologies, users, and monitoring are present on the machine they land on. This is a very important step in understanding where an operator has landed and is often part of the situational awareness that attackers will go through when they first land on a new machine. We covered this a bit in the last chapter, with understanding and effectively shorting out some of the signal generation on our target machine. These recon techniques are also good for a defender to monitor, as they can be an early signal that someone is exploring the machine or up to no good. In this chapter, we will take a more operational look, attempting to understand what users, connections, applications, and privileges we can exploit as an attacker, especially in the context of abusing other users in real time.
We can see some of these reconnaissance techniques applied to Windows with the tool Seatbelt[2]. Seatbelt can check for many common antivirus applications, any applied AppLocker policies, audit policies, local GPOs, Windows Defender settings, Windows Firewall settings, Sysmon policies, and many more configurations.
Aside from operational awareness, Seatbelt can also detect command history, services, downloads, and even common network connections. The general idea is to explore what users, tools, and operations are considered normal for the host, and potentially what defensive controls are also on the host. Seatbelt is a Swiss Army knife for gathering operational knowledge on a Windows host, and it is a C# application, so you can easily run it from memory if you want.
On Linux, even if you're an unprivileged user, you can leverage several operational commands to get a better lay of the land. We explore many of these basic triage techniques in the next section from a defensive perspective, but it should be understood they are just as useful from an attacker's perspective to learn who is on the same host and what they are up to. As an unprivileged user on Linux, we can also leverage a neat tool called pspy to understand the processes that are running, which will give us a lot of insight into any defensive applications that may be running on the host[3]. pspy does this by monitoring changes to the process list, proc filesystem, and other critical filesystem events through the inotify API. This means it can easily see various events on the host and get a quick understanding of what is running under other users. pspy is another Go tool that hasn't been set up with Go modules yet, so we will have to initialize those if we plan to build this with an updated toolchain. The following should get pspy up and running quickly. Again, I don't recommend building these tools on the victim machine, and you should change the name to obscure them when you use them in an operation:
$ go mod init pspy
$ go mod vendor
$ go build
$ ./pspy
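The following script is an added example, not code from the book or from the pspy project. It shows the core of what the text describes pspy doing, and what a defender watching for the same recon would run: snapshot /proc, diff consecutive snapshots, and report which processes appeared and under which UID. It assumes a Linux procfs layout; the two sample snapshots are constructed so the diff logic runs without a live host.

```python
import os
import time

def parse_uid(status: str) -> str:
    """Real UID from a /proc/<pid>/status body (Uid: real, effective, saved, fs)."""
    for line in status.splitlines():
        if line.startswith("Uid:"):
            return line.split()[1]
    return "?"

def parse_cmdline(raw: bytes) -> str:
    """argv in /proc/<pid>/cmdline is NUL-separated and empty for kernel threads."""
    return raw.replace(b"\x00", b" ").decode(errors="replace").strip()

def snapshot(proc_root: str = "/proc") -> dict:
    """Map pid -> (uid, cmdline) for every process under proc_root; both files
    are normally readable for other users' processes, which is what pspy relies on."""
    procs = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc_root}/{name}/status") as f:
                uid = parse_uid(f.read())
            with open(f"{proc_root}/{name}/cmdline", "rb") as f:
                cmd = parse_cmdline(f.read())
        except OSError:  # process exited between listing and reading it
            continue
        procs[int(name)] = (uid, cmd)
    return procs

def new_procs(prev: dict, cur: dict) -> list:
    """Processes in cur that were absent from prev: what started since the last scan."""
    return sorted((pid, *cur[pid]) for pid in cur.keys() - prev.keys())

# Constructed snapshots (not captured from a real host): between the two scans a
# user with uid 1000 ran sudo, which in turn launched ps as root.
SAMPLE_PREV = {1: ("0", "/sbin/init"), 412: ("0", "/sbin/auditd")}
SAMPLE_CUR = {**SAMPLE_PREV, 2107: ("1000", "sudo -i"), 2108: ("0", "/usr/bin/ps aux")}

def watch(proc_root: str = "/proc", interval: float = 0.2) -> None:
    """Live loop: print every process that appears between two polls."""
    prev = snapshot(proc_root)
    while True:
        time.sleep(interval)
        cur = snapshot(proc_root)
        for pid, uid, cmd in new_procs(prev, cur):
            print(f"new pid={pid} uid={uid} cmd={cmd!r}")
        prev = cur
```

Call `watch()` on a Linux host for the live feed; `new_procs(SAMPLE_PREV, SAMPLE_CUR)` exercises the diff offline and returns the two processes that appeared, the sudo run by uid 1000 and the ps it spawned as root.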

Understanding the system

As we saw earlier, the defense can go through significant measures to restrict permissions to specific files or remove files altogether. Further, the defense can backdoor these files and set many traps for the offense. The following are some simple operational security tricks to help attackers avoid these traps. Remember, defenders are often looking for suspicious recon commands like whoami, whereas other com...
