00:00:07 This is the second part of our first session,
00:00:09 Defending Active Directory Against Cyberattacks.
00:00:13 During this part,
00:00:15 we're going to look more closely at understanding the adversaries
00:00:19 in the modern day cybersecurity world.
00:00:22 >> All right.
00:00:22 And understanding the adversaries is very important,
00:00:25 because we need to tailor our defense strategy to the type
00:00:30 of adversary that we're dealing with.
00:00:32 The modern day, well, what we see today is that a lot of
00:00:36 the defense investments and even mentality is kinda
00:00:41 tailored towards the older type of adversaries, where they would
00:00:45 probably send out a worm, and that worm would propagate.
00:00:48 But nowadays the adversaries are a little different.
00:00:50 They have a person behind the keyboard.
00:00:52 But I get ahead of myself [LAUGH], let's go into that,
00:00:57 and start with this quote from an ancient Chinese general,
00:01:01 Sun Tzu.
00:01:03 And he says a lot of very smart things that
00:01:07 apply to cybersecurity today in his book The Art of War.
00:01:11 Well, it's not really his book.
00:01:12 It was written by someone else, but anyway.
00:01:15 In relevance to this session, if you know the enemy and know
00:01:21 yourself you need not fear the results of 100 battles, right?
00:01:26 And this is extremely important to our strategy
00:01:28 that we want to build around cyber security.
00:01:32 So, let's go through a very high level overview of what
00:01:36 the different adversaries look like, and what they are after.
00:01:40 The first, and
00:01:41 most important one is the Determined Human Adversaries.
00:01:45 Those are the ones that we're trying to address for
00:01:49 the most part in this session.
00:01:51 And because more than anyone else
00:01:54 they target Active Directory for purposes of persistence, and
00:01:58 we'll get into that.
00:01:59 Those are more widely known as advanced persistent threats and
00:02:04 they are normally state sponsored in most cases,
00:02:08 not always, and they show the most sophistication.
00:02:12 Cybercriminals, they are focused on monetization, and
00:02:17 they normally just have heists, type of thing.
00:02:21 Which is basically ways of having large scale monetary
00:02:25 gains, and they base their campaigns based on that.
00:02:29 Hacktivists are focused on promoting a certain cause,
00:02:34 right, regardless of what type of cause it is,
00:02:36 through high profile hacks.
00:02:38 Normally things like defacing websites or
00:02:41 hijacking a Twitter handle or things like that.
00:02:45 Cyberterrorists are a new one, well, kind of.
00:02:50 And they basically use the internet as a way to recruit and
00:02:55 push propaganda videos and
00:02:57 all kinds of psychological war, I guess.
00:03:01 And then insider threats.
00:03:02 We've heard about a few of these in the past couple of years.
00:03:05 Some being very prominent.
00:03:08 And they basically leverage legitimate access
00:03:12 to perform illegitimate things, like exfiltrating
00:03:15 a whole bunch of data out of the organizations.
00:03:17 There are more categories by the way, but
00:03:19 those are the ones that we wanted to bring up here.
00:03:22 And the ones we really want to focus on are the determined
00:03:24 human adversaries.
00:03:26 Those are the ones that are most likely to go after
00:03:28 Active Directory, even though some of the other ones can.
00:03:31 >> The question, looking at the different definitions, and
00:03:35 profiles, is there sometimes a group that
00:03:39 falls into a couple of different categories, not just one, but
00:03:42 they may expand more than one of these here?
00:03:45 >> Yes.
00:03:46 So, I'll give you an example on this.
00:03:48 Recently, well at least for the time of this recording,
00:03:52 there's been a number of attacks from cyber criminals that extort
00:03:57 hospitals by sending them locker malware, right?
00:04:02 Ransomware, basically.
00:04:04 And they would use more sophisticated techniques similar
00:04:08 to the ones DHAs use, Determined Human Adversaries.
00:04:12 And they would ask for
00:04:13 a ransom in order to unlock the hospital's data, which is
00:04:16 pretty nasty if you ask me.
00:04:18 But there is definitely overlap sometimes among those.
00:04:25 So in order to demonstrate the way determined human adversaries
00:04:30 work, we put together this little scenario if you will, and
00:04:35 it's based on a law that one of our colleagues and mentors,
00:04:39 Keith Proctor, put together called Proctor's Second Law of
00:04:44 Computing, which is that everyone clicks eventually.
00:04:49 The smartest of the smartest of the smartest of us
00:04:51 will always click.
00:04:53 And what we mean by click is you open up an attachment or
00:04:58 click on a link that you think is legitimate but it's not.
00:05:01 Depending on how good the social engineer that designed
00:05:04 the campaign is, you could probably click.
00:05:07 So, always assume that at least if you're not,
00:05:09 somebody else will click, right?
00:05:12 >> One thing I'll note here too is,
00:05:14 we call these persistent threat actors advanced.
00:05:18 And, they are, but
00:05:20 maybe not always in terms of point of entry.
00:05:23 Right?
00:05:24 This is a very simple point of entry that
00:05:28 threat actors use to eventually break into the network.
00:05:32 >> Absolutely.
00:05:33 What they're using at the very beginning,
00:05:35 the sophistication is not necessarily technological,
00:05:39 it's more about the mode of operation.
00:05:41 The way they design the entry, right?
00:05:43 Researching the organization very well.
00:05:45 Researching a certain person or something along those lines.
00:05:47 And this scenario is exactly about that.
00:05:50 So I'm gonna introduce this gentleman, kind of, and
00:05:54 his team behind him.
00:05:55 His name is John and that's his team, and
00:05:58 they received a mission.
00:06:00 Strategic development program by their sponsor,
00:06:04 whoever that is, most likely a nation state.
00:06:07 And they are interested to collect design blueprints for
00:06:12 the following technologies.
00:06:13 Industrial solar arrays and electrical vehicles, right?
00:06:18 So, those normally align with a strategic economic area that
00:06:25 a certain state is interested in or a certain organized crime
00:06:29 organization is interested in that they want information on.
00:06:33 So, here's Marcus who's a Desktop Support Engineer and
00:06:39 works for Contoso Energy at Contoso Green Energy.
00:06:43 And Contoso Green Energy happens to be a producer of some of
00:06:46 those technologies that John and
00:06:49 his team are interested in, right?
00:06:54 So here's John again, and John and
00:06:58 his team basically start doing reconnaissance
00:07:01 on Marcus because he works for that company.
00:07:04 So, through his I guess professional social media
00:07:08 profile, they realize that John
00:07:13 loves the new Helpdesk Blazer, and I made up this name.
00:07:16 I hope it's not used by anyone.
00:07:19 And, based on this information they can realize that
00:07:24 Helpdesk Blazer might have a, let's say a browser plug-in
00:07:27 that's vulnerable to a certain type of exploit, right?
00:07:31 So, basically based on his profile they now know that he's
00:07:35 a desktop support engineer.
00:07:38 They know he works for
00:07:39 Contoso Energy which is of strategic interest to them.
00:07:42 And he uses Helpdesk Blazer.
00:07:44 So, that's a lot of information from one page.
00:07:48 And then they go on his personal profile, right?
00:07:51 And on his personal profile, it says he's excited that he
00:07:55 ordered Hierapolis Wars 3 and the estimated date of arrival,
00:08:00 or time of arrival, is four days.
00:08:02 Okay.
00:08:03 So, what they know about him is that he ordered the video game,
00:08:06 and it's coming in 4 days.
00:08:08 >> So, here we're combining a lot of professional
00:08:10 information as well as personal?
00:08:12 >> Yes, yes.
00:08:14 They are not discriminate
00:08:16 when it comes to source of information.
00:08:18 They can go anywhere, right?
00:08:20 Wherever it takes, and there are actually platforms just for
00:08:23 this purpose, right?
00:08:24 There is a platform we called, a very good one, called Maltego
00:08:27 that helps you basically collect threat intelligence on your
00:08:30 targets, right.
00:08:32 It's out there on the Internet.
00:08:34 You can find it.
00:08:35 And another thing that they did is look up his email address.
00:08:39 That's pretty easy, normally, right.
00:08:41 They use a search engine, but there are other ways, of course.
00:08:45 And this is Paul Marcus, he's doing his work, right,
00:08:51 he's browsing the Internet and looking at his email.
00:08:54 And at the same time on the right monitor, he's basically
00:08:57 supporting someone, because he's a Helpdesk support engineer.
00:09:00 So he gets this email, I just maximized it off his monitor.
00:09:04 And it says, are you still interested in Hierapolis Wars 3.
00:09:07 They tailored this based on the information they got
00:09:11 off social media, right?
00:09:13 And in this email they basically make it very legit and
00:09:17 they copied the exact same branding and
00:09:19 all of that from the provider of that game,
00:09:23 which happens to be a famous online shopping gear.
00:09:25 And there are a number of links, but very likely all of them will
00:09:30 all link to the same thing, which is a compromise of the machine.
00:09:33 So, in his excitement about receiving the game and
00:09:36 being worried that he did not finalize the order,
00:09:39 he goes ahead and clicks, and everyone clicks, right?
00:09:43 So, basically what happens, his machine is gonna contact a web
00:09:48 server owned by a third party, a legitimate website, but
00:09:52 that has been compromised by John and
00:09:55 team in order to implant malware on it, right.
00:09:59 So that red dot right there, that's malware.
00:10:01 And that malware's gonna drop on his machine and
00:10:05 likely this is the first stage, only.
00:10:07 It normally could probably drop some more malware on it,
00:10:11 depending on the purpose and all that.
00:10:13 And then this malware's gonna establish a back door and
00:10:16 call out a command and
00:10:19 control application that's sitting somewhere
00:10:22 on the Internet, possibly a compromised server as well.
00:10:26 So it calls home, that's the terminology for
00:10:29 it, normally encrypted.
00:10:31 That way firewalls can inspect it and tell us what's in there.
00:10:35 And normally they use a multi-hub type of technique
00:10:39 in order to obfuscate their own identity, right?
00:10:42 So they have those connection bouncers that go from one
00:10:45 server to the other on the Internet, until it goes back
00:10:49 all the way to where they are operating, right?
00:10:52 So this is John's team, they received the shell or a session,
00:10:56 I guess, on Marcus' machine.
00:10:59 And now, as you can see, I have never been in an APT or
00:11:03 DHA room before myself, right?
00:11:07 But I can imagine that they have this type of a dashboard
00:11:11 at the top left corner,
00:11:13 where they maintain all these connections for the different
00:11:17 victim organizations that they work with.
00:11:20 And as long as they're getting their, I guess, beacon back,
00:11:24 they're in good shape.
00:11:25 Otherwise, there is something to worry about and
00:11:28 they would have to go after it.
00:11:29 So they maintain parallel campaigns to different targets
00:11:33 that match the strategy that they're working under.
00:11:36 [COUGH] Okay, so
00:11:41 let's talk about determined human adversaries a little bit.
00:11:44 In terms of structure,
00:11:46 they demonstrate organizational behavior.
00:11:49 They're not doing this randomly.
00:11:50 This is kinda like a full time job,
00:11:52 right, where they have division of labor, basically roles and
00:11:56 responsibilities according to your competencies.
00:12:00 And they coordinate initiatives.
00:12:03 They don't work randomly, right?
00:12:05 They work under certain initiatives that
00:12:08 are called campaigns and they normally stick to the session,
00:12:13 to the objectives, sorry.
00:12:14 And in many cases, what you will see is that they have
00:12:19 the opportunity to destroy the network if they own it, right?
00:12:23 But since they're very focused on their objective,
00:12:25 they only go after, say, exfiltrating data.
00:12:29 And even though they have the opportunity to destroy
00:12:31 the network, they don't, because they're focused,
00:12:33 right, very disciplined.
00:12:35 So that's something to learn from the adversaries.
00:12:37 And definitely something we wanna adopt in our own
00:12:40 behaviors, which is aligning to objectives rather than
00:12:43 preferences to certain things like technologies and
00:12:46 anything like that.
00:12:48 So in terms of structures, well,
00:12:49 they demonstrate very solid sponsorship.
00:12:52 I mean, in order for you to have this many smart people in a room
00:12:56 working together you need money, right?
00:12:59 You wanna pay their salaries and all that,
00:13:01 it's kind of a full time job there.
00:13:03 And in many cases, you would see that
00:13:07 they would leverage public infrastructure, right?
00:13:10 Which kinda means that in a way or
00:13:13 another, the government or the state that's sponsoring them
00:13:18 is aware of what they're doing, right?
00:13:20 If they are using the main telco for
00:13:21 that nation it means that the government
00:13:24 at least to a certain extent knows what they're doing.
00:13:26 So it's very likely that they're very well sponsored, right?
00:13:32 In terms of mode of operation, strategic targeting, right?
00:13:37 They don't go off randomly, those DHAs,
00:13:40 they focus on campaigns that will achieve
00:13:44 the strategic goals that were set forth for them.
00:13:48 They are sophisticated, not in terms of technology.
00:13:51 I mean, from a technology standpoint they're,
00:13:55 to a certain extent, they are sophisticated, but not really.
00:13:57 This is not the point.
00:13:58 The point is that their mode of operation, the way they work
00:14:01 with each other and focus on goals and campaigns, and
00:14:05 their organization is what makes them sophisticated, right?
00:14:07 They are determined, so
00:14:09 if they fail, doesn't mean it's game over, right?
00:14:12 >> Try, try again.
00:14:13 >> Try again,
00:14:13 keep trying, adapt, retry until you succeed, right?
00:14:18 In many cases they succeed, but for
00:14:21 us, how do we make sure that we are that organization?
00:14:25 And there are many of those out there.
00:14:26 Where they don't succeed, right, and
00:14:29 those are things that we wanna learn in this series.
00:14:32 They rely on both automation and human interaction, right?
00:14:36 So traditionally, threats have been automated,
00:14:40 like a worm that goes around on the network,
00:14:43 does certain damage, or whatever it does, right?
00:14:45 But with DHAs, there's a person driving the operation.
00:14:50 They have back doors into the network and
00:14:52 they drive the operation to adapt to different scenarios
00:14:55 until they get to their goals, right?
00:14:58 They're very stealthy.
00:14:59 They try to use things like encryption,
00:15:00 as we mentioned earlier,
00:15:02 in order to go through the firewall.
00:15:04 Or let's see, what's another good example?
00:15:09 The use of credentials.
00:15:10 >> Right.
00:15:10 >> That's very stealthy,
00:15:12 because, well, to a certain extent that's stealthy because,
00:15:16 instead of dropping malware all over the place,
00:15:19 we drop it in a few places.
00:15:20 Those are your footholds, and
00:15:22 then you use legitimate credentials that'll get you
00:15:24 around the network a lot easier and more stealthily.
00:15:28 An evolution of traditional espionage, right?
00:15:31 In the back days you would send a bunch of people to a foreign
00:15:35 country and have them be double agents and
00:15:37 have them take photographs of things and spy for you.
00:15:40 And it's very super risky, and you have a sponsor for them,
00:15:43 which is the nation state that sent them,
00:15:45 and finances them and everything.
00:15:47 But nowadays it's a lot easier because the Internet makes it
00:15:51 very hard to track, kind of a thing.
00:15:54 And the risk is a lot less because if he's captured,
00:15:57 he's not gone for good, right?
00:15:59 [LAUGH] They're just gonna be posted on the FBI Most Wanted.
00:16:03 >> [LAUGH]
00:16:03 >> [LAUGH] So
00:16:04 anyway, what are they after?
00:16:09 Exfiltration of data with strategic value, okay?
00:16:13 And this is normally where most of their interest is.
00:16:19 They want things like research.
00:16:22 They want things like industrial specifications and
00:16:25 things along those lines.
00:16:26 Because those things help them advance their interest in
00:16:31 the sector that is part of their economic strategy, right?
00:16:37 They wanna also maintain long term access, right?
00:16:41 Which is very important because it'll make sure that not only
00:16:44 they got the initial data that they wanted,
00:16:45 but anything else that comes up they have access to it and
00:16:49 they keep it as strategic leverage.
00:16:51 In one of the organizations we worked with,
00:16:54 speaking of strategic leverage,
00:16:57 one nation state actually kind of outsourced their access to
00:17:01 another nation state, in a way, to help them as an ally.
00:17:05 >> Work together and also by maintaining long term access.
00:17:10 That's why they wanna be so stealthy, right?
00:17:12 They don't wanna be caught on the network.
00:17:14 They don't wanna be kicked out of the network.
00:17:18 By being stealthy,
00:17:20 they can maintain that long term access to get their
00:17:23 ultimate goal of exfiltrating the data with value to them.
00:17:28 >> Yep, if they cause too much noise,
00:17:29 then chances are they'll get caught.
00:17:32 And they will conclude, the mission will be concluded
00:17:34 by an eviction before their objectives are met.
00:17:37 So stealth is definitely part of it.
00:17:40 And finally sabotage.
00:17:41 This is a lot more rare, I would say, than espionage.
00:17:47 And this is where the adversary freaks and
00:17:51 starts destroying things.
00:17:53 It's happened a few times, but
00:17:55 normally DHAs are not after this, right?
00:17:58 There's been a couple public incidents you can
00:18:00 read about them.
00:18:01 But one public one that I guess we can speak about, because it's
00:18:06 very public, is the Stuxnet incident, where the centrifuges
00:18:11 in Iran were destroyed by a foreign born malware, right?
00:18:20 Okay, those are some of the likely roles for
00:18:22 determined human adversaries.
00:18:25 There are threat sponsors and
00:18:28 they're usually the ones giving orders and
00:18:31 providing financial and other forms of support.
00:18:36 And they can be things like the army intelligence,
00:18:41 the nation state itself, the leadership,
00:18:44 organized crime bosses, things along those lines.
00:18:46 Anyone who has the capacity to sponsor a team of hackers,
00:18:52 right, or threat actors.
00:18:54 The threat actors themselves are the ones that
00:18:56 execute the campaign, right?
00:18:58 And you need all kinds of, I guess,
00:19:03 competencies on that team, right?
00:19:05 I have social and cultural engineering.
00:19:07 We know what social engineering is, right?
00:19:09 It's when you talk somebody into something using
00:19:12 psychology tricks basically.
00:19:14 But cultural engineering, in my opinion, is just something,
00:19:18 I don't know if it's a real term or not but
00:19:21 I just thought it's very important.
00:19:22 When you're attacking assets in a different country,
00:19:26 you need to cross those cultural barriers, right?
00:19:28 And use their slang, understand their interests,
00:19:31 and all of that good stuff, to make sure that the phish, for
00:19:34 example, is successful and the person ends up clicking, right?
00:19:37 >> Right.
00:19:39 >> So that's pretty important.
00:19:40 Malware research and
00:19:41 authoring, sometimes they reuse malware off the internet but
00:19:45 in many cases they have to author the whole malware.
00:19:49 Encryption, compression and
00:19:51 coding, data mining, they have to extract all that data and
00:19:53 go through it and extract whatever's necessary, or
00:19:56 whatever's useful for their campaign.
00:19:59 Translation, right?
00:20:01 So they might want to translate some of this stuff
00:20:02 to their own language if they're in a different country,
00:20:05 which normally they are.
00:20:06 And infrastructure maintenance.
00:20:08 They have to maintain a lot of infrastructure of command and
00:20:11 control, for compromised sites, and all kinds of things
00:20:14 are necessary for the continuity of the campaign.
00:20:20 So why do they go after AD, or identity stores in general?
00:20:25 Well, first of all this is more efficient.
00:20:27 Instead of having to compromise each system individually,
00:20:30 let's compromise one that'll give us credentials to access
00:20:33 all of them, all we want, right?
00:20:34 So it's more efficient and allows for stealth,
00:20:38 because you're using credentials.
00:20:39 And using credentials is a lot more stealthy than using
00:20:42 malware all the time on each system.
00:20:45 And finally, it allows for persistence, right?
00:20:47 There are different tricks that they pull, and we'll talk about
00:20:50 them throughout the series, to allow them for long term access.
00:20:53 And allowing them to kinda have backdoors to come back in case
00:20:57 they're evicted, right?
00:20:59 We'll also address a lot of that as well.
00:21:04 >> So going forward into our series, building off of
00:21:08 why go after AD, we're going to look at how to protect AD.
00:21:11 The next part of this session is looking at
00:21:14 the strategic defense.
00:21:16 Really adopting that strategic mindset.
00:21:19 So that'll be the last part of our first episode here.
00:21:23 And then every part, every session thereafter is going to
00:21:27 be specific tactics that you can use in your organization
00:21:31 to defend your Active Directory against cyberattacks.
00:21:34 So thank you for joining.
00:21:35 >> Thank you.