Adversarial Tradecraft in Cybersecurity
eBook - ePub

Dan Borges

246 pages, English, ePub
About this book

Master cutting-edge techniques and countermeasures to protect your organization from live hackers. Learn how to harness cyber deception in your operations to gain an edge over the competition.

Key Features
  • Gain an advantage against live hackers in a competition or real computing environment
  • Understand advanced red team and blue team techniques with code examples
  • Learn to battle in short-term memory, whether remaining unseen (red teams) or monitoring an attacker's traffic (blue teams)

Book Description
Little has been written about what to do when live hackers are on your system and running amok. Even experienced hackers tend to choke up when they realize the network defender has caught them and is zoning in on their implants in real time. This book will provide tips and tricks all along the kill chain of an attack, showing where hackers can have the upper hand in a live conflict and how defenders can outsmart them in this adversarial game of computer cat and mouse. This book contains two subsections in each chapter, specifically focusing on the offensive and defensive teams. It begins by introducing you to adversarial operations and principles of computer conflict, where you will explore the core principles of deception, humanity, economy, and more about human-on-human conflicts. Additionally, you will understand everything from planning to setting up infrastructure and tooling that both sides should have in place. Throughout this book, you will learn how to gain an advantage over opponents by disappearing from what they can detect. You will further understand how to blend in, uncover other actors' motivations and means, and learn to tamper with them to hinder their ability to detect your presence. Finally, you will learn how to gain an advantage through advanced research and thoughtfully concluding an operation. By the end of this book, you will have achieved a solid understanding of cyberattacks from both an attacker's and a defender's perspective.

What you will learn
  • Understand how to implement process injection and how to detect it
  • Turn the tables on the offense with active defense
  • Disappear on the defender's system by tampering with defensive sensors
  • Upskill in using deception with your backdoors and countermeasures, including honeypots
  • Kick someone else from a computer you are on and gain the upper hand
  • Adopt a language-agnostic approach to become familiar with techniques that can be applied to both the red and blue teams
  • Prepare yourself for real-time cybersecurity conflict by using some of the best techniques currently in the industry

Who this book is for
Pentesters to red teamers, security operations center analysts to incident responders, attackers, defenders, general hackers, advanced computer users, and security engineers will benefit from this book. Participants in purple teaming or adversarial simulations will also learn a lot from its practical examples of processes for gaining an advantage over the opposing team. Basic knowledge of Python, Go, Bash, PowerShell, and system administration, as well as knowledge of incident response in Linux and prior exposure to cybersecurity, penetration testing, and ethical hacking basics, will help you follow along.


Information

Year: 2021
ISBN: 9781801078146

6 Real-Time Conflict

Eventually there comes a time in these attack and defense operations when you find yourself active on the same machine as an aggressor or defender. Perhaps a defender has homed in on the attacker and made the mistake of revealing both actors are on the same machine, at the same time. This chapter will provide techniques for when two hostile parties become aware of each other on the same machine. It will show quick and decisive actions you can use to gain the advantage in this situation, as either an attacker who spies on the defender or as the defender with ultimate control over the situation. In this chapter, we will examine techniques to restrict, block, or even exploit other users on the same machine for more information.
As an operator, we never really want to engage the opposition directly, rather we want to leverage our advantage over them by remaining hidden, as we have seen in previous chapters. Regardless, sometimes your hand is forced, and you find yourself face-to-face (or terminal-to-terminal) with your adversary. This chapter will show you several tricks you can use to get the upper hand and wrestle back control from an aggressor. While this chapter starts from an offensive perspective, looking at how we can exploit other users on the same machine to get more credentials or pivot through their established access, it ends with ways to shut down your opponent, restricting their permissions and ultimately their access. This chapter is split into two perspectives like the rest of the book, but this chapter is also special in the sense that many of these techniques can be used by either side. In all chapters, we want to apply the lessons of the opposition to our side, but in this chapter especially, we can apply the offensive techniques later as the defense, and the defensive techniques of kicking out unwanted operators as the offense.
In the defensive section, we will explore many ways to directly expel a threat from a machine you are on. These techniques should also be considered by attackers for fortifying their access; however, it is critical to keep in mind the principle of physical access. If an attacker completely locks a defender out of a machine, the defender will have no recourse but to physically collect the machine, pull it offline, and forensically analyze it. Likewise, at the end of the defensive section, I briefly cover the taboo subject of hacking back. If the defender can pivot into the attacker's infrastructure at any point, or potentially even keylog the attacker, they can gain tremendous insight into the offense's operations and have a much better chance of attributing the attacker. In this chapter, we will look at the following subjects:
  • Situational system awareness
  • Clearing Bash history
  • Abusing Docker
  • Keylogging
  • Screenshots
  • Getting passwords
  • Searching for secrets
  • Backdooring password utilities
  • Hijacking lateral movement channels
  • Triaging a system
  • Performing root cause analysis
  • Killing processes
  • Blocking IP addresses
  • Network quarantine
  • Rotating credentials
  • Restricting permissions
  • Hacking back

Offensive perspective

From the offensive side, we will look at various keylogging methods, essentially ways to get more intel from the defender or other users of the same machine. One of the major themes of this chapter will be keylogging, or getting secret key material to access new hosts. By leveraging the principle of humanity, attackers can exploit the users of systems to get their keys or passwords and move to new hosts and, preferably, administrative applications.
Another goal as an attacker, once uncovered by the defense, is to let the defense think they've won but maintain your access through stolen credentials or the rootkits we explored in previous chapters. In the last chapter, we saw ways to blind the defender's tools. Later, in the Defensive perspective section of this chapter, we will see several techniques for blocking a user from accessing a machine completely, which are viable techniques the offense can use for blocking defenders as well. In this section, we will also examine pivoting to new hosts and abusing existing connections. If you are losing access to a machine, it can be worthwhile to create a diversion on a machine you care less about while pivoting to a machine that is in line with your goals. The art of creating diversions to cover your tracks and pivoting out of bad situations is a rare attacker skill. The offense should absolutely leverage the techniques in the defensive section to hamper, delay, and thwart defensive teams to buy more time for the attacker to pivot. Now more than ever, sleight of hand is crucial. Sometimes the attacker will need to give up one position or take a server down to create a distraction while pivoting to a new host. This deception may be a way to trick the defender into thinking you have left the environment altogether while you maintain access. In the last chapter, we saw how a defender could also replace binaries on a system with their own backdoors or trap programs. It can help both the offense and defense to have their own list of statically compiled utilities. You can bring these tools over if they are not available on the victim machine[1]. In the later parts of this section, I will show how to pivot through existing access from other users on the same machine as you. Pivoting through other users' access is another way to cover your tracks as an attacker, by mixing known malicious techniques with known legitimate access.

Situational awareness

It is vitally important that attackers understand what defensive technologies, users, and monitoring are present on the machine they land on. This is a very important step in understanding where an operator has landed and is often part of the situational awareness that attackers will go through when they first land on a new machine. We covered this a bit in the last chapter with understanding and effectively shorting out some of the signal generation on our target machine. These recon techniques are also good for a defender to monitor, as this can be an early signal that someone is exploring the machine or up to no good. In this chapter, we will take a more operational look, attempting to understand what users, connections, applications, and privileges we can exploit as an attacker, especially in the context of abusing other users in real time.
We can see some of these reconnaissance techniques applied to Windows with the tool Seatbelt[2]. Seatbelt can check for many common antivirus applications, any applied AppLocker policies, audit policies, local GPOs, Windows Defender settings, Windows Firewall settings, Sysmon policies, and many more configurations.
Aside from operational awareness, Seatbelt can also detect command history, services, downloads, and even common network connections. The general idea is to explore what users, tools, and operations are considered normal for the host, and potentially what defensive controls are also on the host. Seatbelt is a Swiss Army knife for gathering operational knowledge on a Windows host, and it is a C# application, so you can easily run it from memory if you want.
On Linux, even if you're an unprivileged user, you can leverage several operational commands to get a better lay of the land. We explore many of these basic triage techniques in the next section from a defensive perspective, but it should be understood they are just as useful from an attacker's perspective to learn who is on the same host and what they are up to. As an unprivileged user on Linux, we can also leverage a neat tool called pspy to understand the processes that are running, which will give us a lot of insight into any defensive applications that may be running on the host[3]. pspy does this by monitoring changes to the process list, proc filesystem, and other critical filesystem events through the inotify API. This means it can easily see various events on the host and get a quick understanding of what is running under other users. pspy is another Go tool that hasn't been set up with Go modules yet, so we will have to initialize those if we plan to build this with an updated toolchain. The following should get pspy up and running quickly. Again, I don't recommend building these tools on the victim machine, and you should change the name to obscure them when you use them in an operation:
$ go mod init pspy
$ go mod vendor
$ go build
$ ./pspy

Understanding the system

As we saw earlier, the defense can go through significant measures to restrict permissions to specific files or remove files altogether. Further, the defense can backdoor these files and set many traps for the offense. The following are some simple operational security tricks to help attackers avoid these traps. Remember, defenders are often looking for suspicious recon commands like whoami, whereas other com...
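The flip side of the recon commands just mentioned is how a defender spots them. The following is an added Python example (not from the book) of the detection logic: it scores a per-user command log for bursts of distinct reconnaissance commands (whoami, id, ps, reads of /etc/passwd and the like) inside a short time window, which is the pattern of someone who has just landed on a host. The one-line-per-command log format, the command list and the sample log are all constructed for this example; in practice parse_line would be adapted to whatever your auditing produces (auditd execve records, shipped shell history, an EDR process feed).

```python
"""Flag bursts of host-reconnaissance commands per user in a command log.

Added example (not from the book). Log lines are a constructed format:
    <ISO timestamp> uid=<uid> cmd=<command line>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Program names that are classic first-landing recon (constructed list; tune it
# for the host's normal usage). Only the program name is matched, so "id -u"
# and "ps aux" both count.
RECON_COMMANDS = {
    "whoami", "id", "w", "who", "last", "uname", "hostname", "ps",
    "netstat", "ss", "ifconfig", "ip", "env", "crontab", "sudo",
}
# Reading these paths is a recon signal regardless of which program does it.
RECON_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/proc/")

# Constructed sample log: uid 1001 runs a recon burst, uid 1002 works normally.
SAMPLE_LOG = [
    "2021-05-01T10:00:01 uid=1001 cmd=whoami",
    "2021-05-01T10:00:03 uid=1001 cmd=id",
    "2021-05-01T10:00:09 uid=1002 cmd=vim notes.txt",
    "2021-05-01T10:00:20 uid=1001 cmd=ps aux",
    "2021-05-01T10:00:31 uid=1001 cmd=cat /etc/passwd",
    "2021-05-01T10:05:00 uid=1002 cmd=git status",
    "2021-05-01T10:07:00 uid=1002 cmd=whoami",
    "2021-05-01T10:30:00 uid=1002 cmd=ps aux",
]


def parse_line(line):
    """'2021-05-01T10:00:01 uid=1001 cmd=ps aux' -> (datetime, '1001', ['ps', 'aux'])."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" ", 1))
    return datetime.fromisoformat(ts), fields["uid"], fields["cmd"].split()


def program_name(argv):
    """Strip any directory prefix: '/usr/bin/id' -> 'id'."""
    return argv[0].rsplit("/", 1)[-1]


def is_recon(argv):
    """True if the program or one of its arguments matches the recon lists."""
    if not argv:
        return False
    return program_name(argv) in RECON_COMMANDS or any(
        arg.startswith(RECON_PATHS) for arg in argv[1:])


def find_recon_bursts(lines, window_seconds=60, threshold=3):
    """Return one alert per user per burst of >= `threshold` distinct recon
    programs within `window_seconds`. Overlapping windows extend the same alert."""
    window = timedelta(seconds=window_seconds)
    per_user = defaultdict(list)
    for line in lines:
        ts, uid, argv = parse_line(line)
        if is_recon(argv):
            per_user[uid].append((ts, argv))

    alerts = []
    for uid, events in per_user.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits in window_seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {program_name(argv) for _, argv in events[start:end + 1]}
            if len(distinct) < threshold:
                continue
            last = alerts[-1] if alerts else None
            if last and last["uid"] == uid and events[start][0] <= last["last"]:
                # Same burst continuing: extend the existing alert.
                last["last"] = events[end][0]
                last["commands"].append(" ".join(events[end][1]))
            else:
                alerts.append({
                    "uid": uid,
                    "first": events[start][0],
                    "last": events[end][0],
                    "commands": [" ".join(argv) for _, argv in events[start:end + 1]],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_recon_bursts(SAMPLE_LOG):
        print(f"uid {alert['uid']}: {len(alert['commands'])} recon commands between "
              f"{alert['first'].isoformat()} and {alert['last'].isoformat()}: "
              f"{alert['commands']}")
```

Thresholding on distinct programs rather than raw count keeps a single user re-running ps from tripping the rule, and the window keeps a sysadmin's occasional whoami from adding up over a day. The false-positive side is a practitioner's real problem: treat the command list as a per-host baseline, and weight hits from accounts that have never run these commands before higher than hits from admins who run them routinely.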
