00:00:05 Hi, welcome back.
00:00:07 This is the second part of our first session,
00:00:09 Defending Active Directory Against Cyberattacks.
00:00:13 During this part,
00:00:15 we're going to look more closely at understanding the adversaries
00:00:19 in the modern day cybersecurity world.
00:00:22 >> All right.
00:00:22 And understanding the adversaries is very important,
00:00:25 because we need to tailor our defense strategy to the type
00:00:30 of adversary that we're dealing with.
00:00:32 The modern day, well, what we see today is that a lot of
00:00:36 the defense investments and even mentality is kinda
00:00:41 tailored towards the older type of adversaries, where they would
00:00:45 probably send out a worm, and that worm would propagate.
00:00:48 But nowadays the adversariesare a little different.
00:00:50 They have a person behind the keyboard.
00:00:52 But I get ahead of myself [LAUGH], let's go into that,
00:00:57 and start with this quote from an ancient Chinese general,
00:01:01 Sun Tzu.
00:01:03 And he says a lot of very smart things that
00:01:07 apply to cybersecurity today in his book The Art of War.
00:01:11 Well, it's not really his book.
00:01:12 It was written by someone else, but anyway.
00:01:15 In relevance to this session, if you know the enemy and know
00:01:21 yourself you need not fear the results of 100 battles, right?
00:01:26 And this is extremely important to our strategy
00:01:28 that we want to build around cyber security.
00:01:32 So, let's go through a very high level overview of what
00:01:36 the different adversaries look like, and what are they after.
00:01:40 The first, and
00:01:41 most important one is the Determined Human Adversaries.
00:01:45 Those are the ones that we're trying to address for
00:01:49 the most part in this session.
00:01:51 And because more than anyone else
00:01:54 they target Active Directory for purposes of persistence, and
00:01:58 we'll get into that.
00:01:59 Those are more widely known as advanced persistent threats and
00:02:04 they are normally state sponsored in most cases,
00:02:08 not always, and they show the most sophistication.
00:02:12 Cybercriminals, they are focused on monetization, and
00:02:17 they normally just have heists, type of thing.
00:02:21 Which is basically ways of having large scale monetary
00:02:25 gains, and they base their campaigns based on that.
00:02:29 Hacktivists are focused on promoting a certain cause,
00:02:34 right, regardless of what type of cause it is
00:02:36 through high profile hacks.
00:02:38 Normally things like defacing websites or
00:02:41 hijacking a Twitter handle or things like that.
00:02:45 Cyberterrorists are a new one, well, kind of.
00:02:50 And they basically use the internet as a way to recruit and
00:02:55 push propaganda videos and
00:02:57 all kinds of psychological war, I guess.
00:03:01 And then insider threats.
00:03:02 We've heard about a few of these in the past couple of years.
00:03:05 Some being very prominent.
00:03:08 And they basically leverage legitimate access
00:03:12 to perform illegitimate things, like exfiltrating
00:03:15 a whole bunch of data out of the organizations.
00:03:17 There are more categories by the way, but
00:03:19 those are the ones that we wanted to bring up here.
00:03:22 And the ones we really want to focus on are the determined
00:03:24 human adversaries.
00:03:26 Those are the ones that are most likely to go after
00:03:28 Active Directory, even though some of the other ones can.
00:03:31 >> The question, looking at the different definitions, and
00:03:35 profiles, is there sometimes a group that
00:03:39 falls into a couple of different categories, not just one, but
00:03:42 they may expand more than one of these here?
00:03:45 >> Yes.
00:03:46 So, I'll give you an example on this.
00:03:48 Recently, well at least for the time of this recording,
00:03:52 there's been a number of attacks by cyber criminals that extort
00:03:57 hospitals by sending them locker malware, right?
00:04:02 Ransomware, basically.
00:04:04 And they would use more sophisticated techniques similar
00:04:08 to the ones DHAs use, Determined Human Adversaries.
00:04:12 And they would ask for
00:04:13 a ransom in order to unlock the hospital's data which is
00:04:16 pretty nasty if you ask me.
00:04:18 But there is definitely overlap sometimes among those.
00:04:25 So in order to demonstrate the way determined human adversaries
00:04:30 work, we put together this little scenario if you will, and
00:04:35 it's based on a law that one of our colleagues and mentors,
00:04:39 Keith Proctor, put together called Proctor's Second Law of
00:04:44 Computing, which is that everyone clicks eventually.
00:04:49 The smartest of the smartest of the smartest of us
00:04:51 will always click.
00:04:53 And what we mean by click is you open up an attachment or
00:04:58 click on a link that you think is legitimate but it's not.
00:05:01 Depending on how good the social engineer that designed
00:05:04 the campaign is you could probably click.
00:05:07 So, always assume that at least if you're not,
00:05:09 somebody else will click, right?
00:05:12 >> One thing I'll note here too is,
00:05:14 we call these persistent threat actors advanced.
00:05:18 And, they are but
00:05:20 maybe not always in terms of point of entry.
00:05:23 Right?
00:05:24 This is a very simple point of entry that
00:05:28 threat actors use to eventually break into the network.
00:05:32 >> Absolutely.
00:05:33 What they're using at the very beginning,
00:05:35 the sophistication is not necessarily technological,
00:05:39 it's more about the mode of operation.
00:05:41 The way they design the entry, right?
00:05:43 Researching the organization very well.
00:05:45 Researching a certain person or something along those lines.
00:05:47 And this scenario is exactly about that.
00:05:50 So I'm gonna introduce this gentleman, kind of, and
00:05:54 his team behind him.
00:05:55 His name is Jon and that's his team, and
00:05:58 they received a mission.
00:06:00 Strategic development program by their sponsor,
00:06:04 whoever that is, most likely a nation state.
00:06:07 And they are interested to collect design blueprints for
00:06:12 the following technologies.
00:06:13 Industrial solar arrays and electrical vehicles, right?
00:06:18 So, those normally align with a strategic economic area that
00:06:25 a certain state is interested in or a certain organized crime
00:06:29 organization is interested in that they want information on.
00:06:33 So, here's Marcus who's a Desktop Support Engineer and
00:06:39 works for Contoso Energy at Contoso Green Energy.
00:06:43 And Contoso Green Energy happens to be a producer of some of
00:06:46 those technologies that John and
00:06:49 his team are interested in, right?
00:06:54 So here's John again, and John and
00:06:58 his team basically start doing reconnaissance
00:07:01 on Marcus because he works for that company.
00:07:04 So, through his I guess professional social media
00:07:08 profile, they realize that John
00:07:13 loves the new Helpdesk Blazer, and I made up this name.
00:07:16 I hope it's not used by anyone.
00:07:19 And, based on this information they can realize that
00:07:24 help desk blazer might have a, let's say a browser plug in
00:07:27 that's vulnerable to a certain type of exploit, right?
00:07:31 So, basically based on his profile they now know that he's
00:07:35 a desktop support engineer.
00:07:38 They know he works for
00:07:39 Contoso energy which is of strategic interest to them.
00:07:42 And he uses help desk blazer.
00:07:44 So, that's a lot of information from one page.
00:07:48 And then they go on his personal profile, right?
00:07:51 And on his personal profile, it says he's excited that he
00:07:55 ordered Hieropolis Wars 3 and the estimated date of arrival,
00:08:00 our time of arrival, is four days.
00:08:02 Okay.
00:08:03 So, what they know about them is that he ordered the video game,
00:08:06 and it's coming in 4 days.
00:08:08 >> So, here we're combining a lot of professional
00:08:10 information as well as personal?
00:08:12 >> Yes, yes.
00:08:14 They are not discriminate
00:08:16 when it comes to source of information.
00:08:18 They can go anywhere, right?
00:08:20 Wherever it takes, and there are actually platforms just for
00:08:23 this purpose, right?
00:08:24 There is a platform we call, a very good one called MultiGo,
00:08:27 that helps you basically collect threat intelligence on your
00:08:30 targets, right.
00:08:32 It's out there on the Internet.
00:08:34 You can find it.
00:08:35 And another thing that they did is look up his email address.
00:08:39 That's pretty easy, normally, right.
00:08:41 They use a search engine, but there are other ways, of course.
00:08:45 And this is Paul Marcus, he's doing his work, right,
00:08:51 he's browsing the Internet and looking at his email.
00:08:54 And at the same time on the right monitor, he's basically
00:08:57 supporting someone, because he's a Helpdesk support engineer.
00:09:00 So he gets this email, I just maximized it off his monitor.
00:09:04 And it says, are you still interested in Hierapolis Wars 3.
00:09:07 They tailored this based on the information they got
00:09:11 off of social media, right?
00:09:13 And in this email they basically make it very legit and
00:09:17 they copied the exact same branding and
00:09:19 all of that from the provider of that game,
00:09:23 which happens to be famous online shopping gear.
00:09:25 And there are a number of links, but very likely all of them will
00:09:30 all link to the same thing, which is a compromise of the machine.
00:09:33 So, in his excitement about receiving the game and
00:09:36 being worried that he did not finalize the order,
00:09:39 he goes ahead and clicks, and everyone clicks, right?
00:09:43 So, basically what happens, his machine is gonna contact a web
00:09:48 server owned by a third party, a legitimate website, but
00:09:52 that has been compromised by John and
00:09:55 team in order to implant malware on it, right.
00:09:59 So that red dot right there, that's malware.
00:10:01 And that malware's gonna drop on his machine and
00:10:05 likely this is the first stage, only.
00:10:07 It normally could probably drop some more malware on it,
00:10:11 depending on the purpose and all that.
00:10:13 And then this malware's gonna establish a back door and
00:10:16 call out a command and
00:10:19 control application that's sitting somewhere
00:10:22 on the Internet, possibly a compromised server as well.
00:10:26 So it calls home, that's the terminology for
00:10:29 it, normally encrypted.
00:10:31 That way firewalls can inspect it and tell us what's in there.
00:10:35 And normally they use a multi-hub type of technique
00:10:39 in order to obfuscate their own identity, right?
00:10:42 So they have those connection bouncers that go from one
00:10:45 server to the other on the Internet, until it goes back
00:10:49 all the way to where they are operating, right?
00:10:52 So this is John's team, they received the shell or a session,
00:10:56 I guess, on Marcus' machine.
00:10:59 And now, as you can see, I have never been in an APT or
00:11:03 DHA room before myself, right?
00:11:07 But I can imagine that they have this type of a dashboard
00:11:11 at the top left corner,
00:11:13 where they maintain all these connections for the different
00:11:17 victim organizations that they work with.
00:11:20 And as long as they're getting their, I guess, beacon back,
00:11:24 they're in good shape.
00:11:25 Otherwise, there is something to worry about and
00:11:28 they would have to go after it.
00:11:29 So they maintain parallel campaigns to different targets
00:11:33 that match the strategy that they're working under.
00:11:36 [COUGH] Okay, so
00:11:41 let's talk about determined human adversaries a little bit.
00:11:44 In terms of structure,
00:11:46 they demonstrate organizational behavior.
00:11:49 They're not doing this randomly.
00:11:50 This is kinda like a full time job,
00:11:52 right, where they have division of labor, basically roles and
00:11:56 responsibilities according to your competencies.
00:12:00 And they coordinate initiatives.
00:12:03 They don't work randomly, right?
00:12:05 They work under certain initiatives that
00:12:08 are called campaigns and they normally stick to the session,
00:12:13 to the objectives, sorry.
00:12:14 And in many cases, what you will see is that they have
00:12:19 the opportunity to destroy the network if they own it, right?
00:12:23 But since they're very focused on their objective,
00:12:25 they only go after, say, exfiltrating data.
00:12:29 And even though they have the opportunity to destroy
00:12:31 the network, they don't, because they're focused,
00:12:33 right, very disciplined.
00:12:35 So that's something to learn from the adversaries.
00:12:37 And definitely something we wanna adopt in our own
00:12:40 behaviors, which is aligning to objectives rather than
00:12:43 preferences to certain things like technologies and
00:12:46 anything like that.
00:12:48 So in terms of structures, well,
00:12:49 they demonstrate very solid sponsorship.
00:12:52 I mean, in order for you to have this many smart people in a room
00:12:56 working together you need money, right?
00:12:59 You wanna pay their salaries and all that,
00:13:01 it's kind of a full time job there.
00:13:03 And in many cases, you would see that
00:13:07 they would leverage public infrastructure, right?
00:13:10 Which kinda means that in a way or
00:13:13 another, the government or the state that's sponsoring them
00:13:18 is aware of what they're doing, right?
00:13:20 If they are using the main telco for
00:13:21 that nation it means that the government
00:13:24 at least to a certain extent knows what they're doing.
00:13:26 So it's very likely that they're very well sponsored, right?
00:13:32 In terms of mode of operation, strategic targeting, right?
00:13:37 They don't go off randomly, those DHAs,
00:13:40 they focus on campaigns that will achieve
00:13:44 the strategic goals that were set forth for them.
00:13:48 They are sophisticated, not in terms of technology.
00:13:51 I mean, from a technology standpoint they're,
00:13:55 to a certain extent, they are sophisticated, but not really.
00:13:57 This is not the point.
00:13:58 The point is that their mode of operation, the way they work
00:14:01 with each other and focus on goals and campaigns, and
00:14:05 their organization is what makes them sophisticated, right?
00:14:07 They are determined, so
00:14:09 if they fail, doesn't mean it's game over, right?
00:14:12 >> Try, try again.
00:14:13 >> Try again,
00:14:13 keep trying, adapt, retry until you succeed, right?
00:14:18 In many cases they succeed, but for
00:14:21 us, how do we make sure that we are that organization?
00:14:25 And there are many of those out there.
00:14:26 Where they don't succeed, right, and
00:14:29 those are things that we wanna learn in this series.
00:14:32 They rely on both automation and human interaction, right?
00:14:36 So traditionally, threats have been automated,
00:14:40 like a worm that goes around on the network,
00:14:43 does certain damage, or whatever it does, right?
00:14:45 But with DHAs, there's a person driving the operation.
00:14:50 They have back doors into the network and
00:14:52 they drive the operation to adapt to different scenarios
00:14:55 until they get to their goals, right?
00:14:58 They're very stealthy.
00:14:59 They try to use things like encryption,
00:15:00 as we mentioned earlier,
00:15:02 in order to go through the firewall.
00:15:04 Or let's see, what's another good example?
00:15:09 The use of credentials.
00:15:10 >> Right.
00:15:10 >> That's very stealthy,
00:15:12 because, well, to a certain extent that's stealthy because,
00:15:16 instead of dropping malware all over the place,
00:15:19 we drop it in a few places.
00:15:20 Those are your footholds, and
00:15:22 then you use legitimate credentials that'll get you
00:15:24 around the network a lot easier and more stealthily.
00:15:28 And evolution of traditional espionage, right?
00:15:31 In the back days you would send a bunch of people to a foreign
00:15:35 country and have them be double agents and
00:15:37 have them take photographs of things and spy for you.
00:15:40 And it's very super risky, and you have a sponsor for them,
00:15:43 which is the nation state that they sent them,
00:15:45 and finances them and everything.
00:15:47 But nowadays it's a lot easier because the Internet makes it
00:15:51 very hard to track, kind of a thing.
00:15:54 And the risk is a lot less because if he's captured,
00:15:57 he's not gone for good, right?
00:15:59 [LAUGH] They're just gonna be posted on the FBI Most Wanted.
00:16:03 >> [LAUGH]
00:16:03 >> [LAUGH] So
00:16:04 anyway, what are they after?
00:16:09 Exfiltration of data with strategic value, okay?
00:16:13 And this is normally where most of their interest is.
00:16:19 They want things like research.
00:16:22 They want things like industrial specifications and
00:16:25 things along those lines.
00:16:26 Because those things help them advance their interest in
00:16:31 the sector that is part of their economic strategy, right?
00:16:37 They wanna also maintain long term access, right?
00:16:41 Which is very important because it'll make sure that not only
00:16:44 they got the initial data that they wanted,
00:16:45 but anything else that comes up they have access to it and
00:16:49 they keep it as strategic leverage.
00:16:51 In one of the organizations we worked with,
00:16:54 speaking of strategic leverage,
00:16:57 one nation state actually kind of outsourced their access to
00:17:01 another nation state, in a way, to help them as an ally.
00:17:05 >> Work together and also by maintaining long term access.
00:17:10 That's why they wanna be so stealthy, right?
00:17:12 They don't wanna be caught on the network.
00:17:14 They don't wanna be kicked out of the network.
00:17:18 By being stealthy,
00:17:20 they can maintain that long term access to get their
00:17:23 ultimate goal of exfiltrating the data with value to them.
00:17:28 >> Yep, if they cause too much noise,
00:17:29 then chances are they'll get caught.
00:17:32 And they will conclude, the mission will be concluded
00:17:34 by an eviction before their objectives are met.
00:17:37 So stealth is definitely part of it.
00:17:40 And finally sabotage.
00:17:41 This is a lot more rare, I would say, than espionage.
00:17:47 And this is where the adversary freaks and
00:17:51 starts destroying things.
00:17:53 It's happened a few times, but
00:17:55 normally DHAs are not after this, right?
00:17:58 There's been a couple public incidents you can
00:18:00 read about them.
00:18:01 But one public one that I guess we can speak about, because it's
00:18:06 very public, is the Stuxnet incident, where the centrifuges
00:18:11 in Iran were destroyed by a foreign born malware, right?
00:18:20 Okay, those are some of the likely roles for
00:18:22 determined human adversaries.
00:18:25 There are threat sponsors and
00:18:28 they're usually the ones giving orders and
00:18:31 providing financial and other forms of support.
00:18:36 And they can be things like the army intelligence,
00:18:41 the nation state itself, the leadership,
00:18:44 organized crime bosses, things along those lines.
00:18:46 Anyone who has the capacity to sponsor a team of hackers,
00:18:52 right, or threat actors.
00:18:54 The threat actors themselves are the ones that
00:18:56 execute the campaign, right?
00:18:58 And you need all kinds of, I guess,
00:19:03 competencies on that team, right?
00:19:05 I have social and cultural engineering.
00:19:07 We know what social engineering is, right?
00:19:09 It's when you talk somebody into something using
00:19:12 psychology tricks basically.
00:19:14 But cultural engineering is, in my opinion, is just something,
00:19:18 I don't know if it's a real term or not but
00:19:21 I just thought it's very important.
00:19:22 When you're attacking assets in a different country,
00:19:26 you need to cross those cultural barriers, right?
00:19:28 And use their slang, understand their interests,
00:19:31 and all of that good stuff, to make sure that the phish, for
00:19:34 example, is successful and the person ends up clicking, right?
00:19:37 >> Right.
00:19:39 >> So that's pretty important.
00:19:40 Malware research and
00:19:41 authoring, sometimes they reuse malware off the internet but
00:19:45 in many cases they have to author the whole malware.
00:19:49 Encryption, compression and
00:19:51 coding, data mining, they have to extract all that data and
00:19:53 go through it and extract whatever's necessary, or
00:19:56 whatever's useful for their campaign.
00:19:59 Translation, right?
00:20:01 So they might want to translate some of this stuff
00:20:02 to their own language if they're in a different country,
00:20:05 which normally they are.
00:20:06 And infrastructure maintenance.
00:20:08 They have to maintain a lot of infrastructure of command and
00:20:11 control, for compromised sites, and all kinds of things
00:20:14 are necessary for the continuity of the campaign.
00:20:20 So why do they go after AD, or identity stores in general?
00:20:25 Well, first of all this is more efficient.
00:20:27 Instead of having to compromise each system individually,
00:20:30 let's compromise one that'll give us credentials to access
00:20:33 all of them, all we want, right?
00:20:34 So it's more efficient and allows for stealth,
00:20:38 because you're using credentials.
00:20:39 And using credentials is a lot more stealthy than using
00:20:42 malware all the time on each system.
00:20:45 And finally, it allows for persistence, right?
00:20:47 There are different tricks that they pull, and we'll talk about
00:20:50 them throughout the series, to allow them for long term access.
00:20:53 And allowing them to kinda have backdoors to come back in case
00:20:57 they're evicted, right?
00:20:59 We'll also address a lot of that as well.
00:21:04 >> So going forward into our series, building off of
00:21:08 why go after AD, we're going to look at how to protect AD.
00:21:11 The next part of this session is looking at
00:21:14 the strategic defense.
00:21:16 Really adopting that strategic mindset.
00:21:19 So that'll be the last part of our first episode here.
00:21:23 And then every part, every session thereafter is going to
00:21:27 be specific tactics that you can use in your organization
00:21:31 to defend your Active Directory against cyberattacks.
00:21:34 So thank you for joining.
00:21:35 >> Thank you.