00:00:00.033-->00:00:05.038 >>Welcome, welcome to uh track 101 uh for it's second talk of the day and of Defcon24 and the 00:00:08.742-->00:00:14.915 talk is Maelstrom: are you playing with a full deck? Using an attack lifecycle uh game to 00:00:14.915-->00:00:21.922 educate demonstrate and evangelize and my name is Shane Steiger. So who am I? I've been 00:00:21.922-->00:00:28.428 messing with computers in some way shape or form since 1989, um a few friends and I found out 00:00:28.428-->00:00:33.433 that a local university's computer lab, they did not check ID's at the door so we went in 00:00:35.502-->00:00:40.507 and messed around with computers for uh playing around with tan and pi and YTalk and later on 00:00:42.676-->00:00:47.681 you know Lynx and MUDs. How many people remember lynx? Yeah, that says the internet didn't suck 00:00:50.784-->00:00:55.789 back then as much. [laughter] So uh then I spent um 8 years working uh to uh secure uh scada 00:00:59.960-->00:01:06.466 and ICS systems throughout a large food manufacturer. And um you know that was an interesting 00:01:06.466-->00:01:11.471 job got to know recipes of uh some food products that are are made on kitchen tables today but 00:01:14.441-->00:01:20.414 um at the same time I started law school so please don't hold that against me. But uh, then I 00:01:20.414-->00:01:25.419 spent six years building out a functional uh security uh program role within a large uh 00:01:28.588-->00:01:34.861 pharmaceutical distributor and now currently work as a chief end point security architect for 00:01:34.861-->00:01:40.100 a large tech company building out cyber resiliency ah techniques within the end point 00:01:40.100-->00:01:45.305 space the desirable capabilities and you know as I said here you know don't hold the law thing 00:01:45.305-->00:01:50.744 against me, I'm more of a geek anyway. So that leads me into my disclaimers, the first one I 00:01:50.744-->00:01:55.048 know this sucks I have to read them off though, the first one's an employer one. The views and 00:01:55.048-->00:01:58.852 opinions are purely my own based on time in the industry and experience they don't 00:01:58.852-->00:02:05.258 necessarily reflect the views positions or policies of my employers um and oh yeah this 00:02:05.258-->00:02:09.763 presentation and discussion is not intended to give legal advice nor form any kind of an 00:02:09.763-->00:02:13.967 attorney client privilege I'm not your attorney and some of the things you might find 00:02:13.967-->00:02:20.007 interesting may require consultation with your own attorney and that is not me 00:02:20.007-->00:02:26.146 [laughter] so. So what what is this really about? It's it's it's about um it was an 00:02:26.146-->00:02:32.719 unexpected journey for me to a cyber attack lifecycle game. When I first started looking at 00:02:32.719-->00:02:38.859 uh a what I needed to do for certain projects uh I became somewhat frustrated with what 00:02:38.859-->00:02:44.531 people traditionally do and so therefor I started looking for different strategies beyond just 00:02:44.531-->00:02:51.471 the typical normal project you know management type strategies. Uh and that research took me on 00:02:51.471-->00:02:55.242 a journey um and then journey I was going to share with you guys a little bit and share with you 00:02:55.242-->00:03:01.148 the research and really cool stuff and then share how I tripped into actually developing 00:03:01.148-->00:03:08.121 the game Maelstrom. So um the first part of the journey was really as I said a strategy 00:03:08.121-->00:03:13.126 journey. From a past life I was asked by a CIO do they win? In his context it was does the 00:03:15.962-->00:03:22.602 attacker win? And um if I was completely out of context as to what he was asking me so I 00:03:22.602-->00:03:28.408 didn't know if the next words out of my mouth would be correal limiting or not. So you know I I 00:03:28.408-->00:03:34.815 I took that and found out later on he was actually interviewing for jobs so it was kind of like 00:03:34.815-->00:03:40.587 he was stealing some of the questions or answers and you know it was a question that 00:03:40.587-->00:03:47.094 really struck me. A CIO asking that question do they win? It was an assumption almost. But 00:03:47.094-->00:03:52.032 then later on I was asked to look at solutions for over three hundred thousand endpoints and 00:03:52.032-->00:03:56.937 things at that scale become kind of interesting you know, you think you've got something 00:03:56.937-->00:04:02.409 generic and and um rather standard or basic but you're you're you're working with the 00:04:02.409-->00:04:08.014 wild west at that scale. And what I did is like most folks I put together a bunch of 00:04:08.014-->00:04:13.353 requirements a bunch of vizios a bunch of powerpoints and ended up with a nice heat map for 00:04:13.353-->00:04:18.358 people to look at and maybe make choices and it didn't it didn't make strategic sense. And that 00:04:20.527-->00:04:26.299 really bugged me and that brought me back to the the the CIO question of do they win? And 00:04:26.299-->00:04:32.139 so I needed to find some different way to make choices for a three hundred thousand 00:04:32.139-->00:04:37.144 endpoints that's a lot of money make choices at that scale. So um uh in a previous life I had 00:04:39.913-->00:04:44.918 been working uh in you know the the fender space and uh at that time I was really uh looking and 00:04:49.923-->00:04:54.928 following the OODA loop as an analogy in you know 2007 2008 some folks started describing 00:04:57.731-->00:05:03.837 the OODA loop the observe orient decide act. John Boyd's OODA loop from from the air force and 00:05:03.837-->00:05:09.643 now applying it to cyber security, and you know it made sense. But at the same time 00:05:09.643-->00:05:13.246 right around the same time Lockheed Martin had been developing something called 00:05:13.246-->00:05:17.184 Lockheed Martin Cyber Kill Chain and i'm sure many of you are familiar with it and what it 00:05:17.184-->00:05:24.057 really describes is it describes an attackers um set of phases that uh a traditional attacker 00:05:24.057-->00:05:29.062 from zero to hero so to speak will go through to get to their act on objectives. The way 00:05:32.232-->00:05:37.637 Lockheed Martin describes it is you know there's a recon phase, you go through recon steps 00:05:37.637-->00:05:42.742 looking around you know for things on Google, Shodan whatever um and then you take 00:05:42.742-->00:05:48.281 what you've learned from Google, Shodan, Linkedin and you actually start to weaponize a 00:05:48.281-->00:05:53.286 package so that that package when delivered to the target actually explodes or has some 00:05:55.655-->00:06:01.494 kind of detrimental effect on the uh on the target. And you know in the cyber construct 00:06:01.494-->00:06:06.299 exploitation is part of that detrimental effect and later installation so you might be 00:06:06.299-->00:06:12.038 able to later maintain and keep presence but then also commanding control so you can 00:06:12.038-->00:06:18.111 change and adapt or dynamically position as needed. And um as Lockheed Martin kind of 00:06:18.111-->00:06:23.116 describes they uh they talk about the outcome objectives of recon destruction and pivoting 00:06:26.152-->00:06:32.359 or exaltation. So you know, it's really good work you know for anybody who hasn't seen it 00:06:32.359-->00:06:38.531 definitely go out and take a look at it but um I I have a few quibbles with it but um the next 00:06:38.531-->00:06:42.302 next set of slides starts to build out what would the defender do in each of those 00:06:42.302-->00:06:48.141 phases, what would they do against a recon? Against Google or Shodan? Or you know some 00:06:48.141-->00:06:54.347 Linkedin uh areas? And you you you start building out the structure of alright there's an 00:06:54.347-->00:06:59.753 attacker set of set of tasks or activities going on in the phase there should be some defensive 00:06:59.753-->00:07:04.324 set of tasks or activities that are going on within a phase Lockheed Martin describes it as 00:07:04.324-->00:07:10.697 the six Ds. And I won't go into them here because they're somewhat nuanced and they 00:07:10.697-->00:07:15.702 actually don't necessarily just apply in the phases so uh but it it helps to build out that idea 00:07:18.138-->00:07:24.577 of an attacker action a defender action and um their effective dispenses. But there is one 00:07:24.577-->00:07:28.648 other point that I I have you know kind of with the Lockheed Martin Kill Chain somewhat of a 00:07:28.648-->00:07:33.720 misnomer because I've had this with companies that I've worked with in the past trying to 00:07:33.720-->00:07:39.559 communicate with them about hey I like the product that actually works as a defensive product in 00:07:39.559-->00:07:45.398 the weaponization stage and in the recon stage, how do I do that? And they'll get confused 00:07:45.398-->00:07:50.403 as to what the kill chain really means. It's really about the name's somewhat misleading it's 00:07:52.439-->00:07:58.044 really about defender actions within the attacker's life cycle phase so I I throw that out 00:07:58.044-->00:08:02.816 there just as a small quibble and then another quibble is is a set of act on objectives is 00:08:02.816-->00:08:07.454 rather limited if you look at the paper and you know especially in these in these 00:08:07.454-->00:08:13.893 days where you see ransomware pretty much every day there's the idea of you know not only 00:08:13.893-->00:08:19.032 exfilling information but maybe planting false information um and then there's you know just 00:08:19.032-->00:08:24.437 the other pieces of humiliate you know things that might not have that same feel or look 00:08:24.437-->00:08:29.442 within the Lockheed Martin um uh structure. So so I said okay wait a second, why not start 00:08:32.746-->00:08:38.985 charting out the attacker's progression and do that over time. And that charting of you 00:08:38.985-->00:08:44.791 know recon into weaponization into delivering and I showed this as the simplest form I mean 00:08:44.791-->00:08:51.331 these phases could happen um in parallel to one another but you're still exiting one phase, 00:08:51.331-->00:08:54.868 you're exiting the recon phase to get into weaponization to figure out what you're going to 00:08:54.868-->00:08:59.873 build and in a wrap to deliver via commodity of modware mal- malware uh frameworks and then 00:09:02.142-->00:09:06.246 you're exiting you know that weaponization phase to get into the delivery so you're doing 00:09:06.246-->00:09:11.951 tasks you're exiting a phase to get into another phase and you're doing this attack 00:09:11.951-->00:09:18.725 execution over time. What does this look like to folks? It looks like a gantt chart or a 00:09:18.725-->00:09:23.730 project plan and as a result uh uh I throw out this concept of hey! It makes sense, it does, 00:09:26.766-->00:09:33.373 you know the campaigns that you see um are largely organized. Even the guys who are um not as 00:09:33.373-->00:09:38.378 uh you know as maybe not state actors maybe just you know uh you know less skilled you'll see 00:09:41.014-->00:09:45.819 that they're trying to follow a plan to get to the other end to get to their act on objectives 00:09:45.819-->00:09:51.257 or it might be to steal money or you know steal bitcoins or what have you. But that we see that 00:09:51.257-->00:09:55.495 these attacker or these attacker plans are organized and they're really going through a 00:09:55.495-->00:10:00.900 progression to get to an act on objectives and so you know I kind of throw out alright what 00:10:00.900-->00:10:07.207 other evidence do we see that attackers are following ah some form of plan if not a 00:10:07.207-->00:10:11.911 traditional project plan. We see different skill levels from the same attackers indicating 00:10:11.911-->00:10:18.585 different different resources or teams so you'll see team C so maybe the close to the script 00:10:18.585-->00:10:23.256 kiddies doing something. And then something breaks and they don't know what to do or how to 00:10:23.256-->00:10:28.394 respond and they'll page out to team B and team B will get through or they'll have to page 00:10:28.394-->00:10:34.000 out to their best resources team A and team A will walk in and just annihilate the thing. Um 00:10:34.000-->00:10:39.439 you'll see different teams using different tools. Some may use PSExec Some may use WMI some may 00:10:39.439-->00:10:45.478 use um your administrative tools against you and you that's you know that's actually very 00:10:45.478-->00:10:51.217 prevalent you know. Even PSExec and WMI being part of your administration. And then um 00:10:51.217-->00:10:55.755 you'll see different teams maybe are different time schedules indicating shift work I kind of 00:10:55.755-->00:11:01.628 see this as folks walking in with their lunch pail every day and you know alright I'm going 00:11:01.628-->00:11:06.633 off to work to attack xyz company or um xyz organization and um I'm going to go home or 00:11:09.202-->00:11:15.308 go to lunch at 12 and then go come back from lunch and you'll see that time set of time gaps 00:11:15.308-->00:11:20.513 it kind of indicates what's going on in terms of shift work and that actually had been 00:11:20.513-->00:11:26.419 discussed at length in some recent APT findings um and then you know following scripts 00:11:26.419-->00:11:32.025 making mistakes and then when a when a something screws up not only are they teaming out or um 00:11:32.025-->00:11:36.629 paging out to other teams but they're also redoing work and you can kind of see them making 00:11:36.629-->00:11:40.667 their mistakes and their console logs oops that script didn't run I didn't give it the right 00:11:40.667-->00:11:46.973 variable and retrying tasks. So these are all things that seem to indicate they're following 00:11:46.973-->00:11:53.012 plans and scripts and getting themselves to an act on objectives. So I throw out um a 00:11:53.012-->00:11:58.017 concept here why not attack the project plan if you're a defender? Attacking that project 00:12:00.053-->00:12:05.058 plan is uh I think a perfectly valid way to look at it. And guess what? We're IT 00:12:07.126-->00:12:13.199 organizations are experts at screwing up project plans [laughter] they do it like it's 00:12:13.199-->00:12:18.271 their job. Usually their named project managers but I'm not going to you know bust anybody. 00:12:18.271-->00:12:24.010 But they even have the methodology for trying not to screw up the project plan. And 00:12:24.010-->00:12:29.182 so I suggest look at the methodology and this methodology here kind of listed as what's 00:12:29.182-->00:12:34.187 called the PMI triangle and that's the the triangle of time scope cost and quality. So if 00:12:36.589-->00:12:41.928 you've ever had to interact with the project manager you've probably heard one of these that 00:12:41.928-->00:12:46.199 you know I don't want to see some scope creep happen and I don't want you know my timing is 00:12:46.199-->00:12:53.006 is is absolutely necessary for this thing to go before this thing and so I I suggest mapping 00:12:53.006-->00:12:59.979 these plans and finding weaknesses across um you know uh a couple of attack lifecycles 00:12:59.979-->00:13:05.451 will start to reveal weaknesses that might apply across more attack lifecycles. So I think 00:13:05.451-->00:13:11.424 it's absolutely key attacking the attackers project plan. And what techniques can we use to 00:13:11.424-->00:13:18.097 disrupt that attack attackers project plan? Guess what? Time is assumed linear in a project 00:13:18.097-->00:13:23.703 plans. Now you you might have um less than a waterfall approach you might have an agile approach 00:13:23.703-->00:13:27.573 and actually in my backup slides for anybody that wants to quibble you can go look there 00:13:27.573-->00:13:32.345 and I've also kind of broken down agiles from in the same in somewhat of the similar fashion 00:13:32.345-->00:13:37.350 but really in the end time is assume linear so we screw with time every day in IT. We we mess 00:13:40.787-->00:13:47.326 up we we um will revert to snapshots because we broke something and so you know we 00:13:47.326-->00:13:53.900 might um do certain replays of certain uh uh you know web activity to make sure that we've 00:13:53.900-->00:13:58.504 got the appropriate and substantiated integrity type response that we're looking for 00:13:58.504-->00:14:02.675 but you know assume linear time and that was actually the first thing that I noticed i'm like 00:14:02.675-->00:14:08.147 hey what if we just randomly reset these machines to different times in the past, 00:14:08.147-->00:14:13.152 what does that do to an attacker's attack lifecycle? And we see this with sand boxing and 00:14:13.152-->00:14:18.324 in detonation technologies, it breaks it and they don't get to progress through their next set 00:14:18.324-->00:14:23.329 of faces. Um Predecessors and Successors, feigning completion of work, this is where deception 00:14:26.165-->00:14:30.870 might come into play. So they went out, they reconed information they got it and it 00:14:30.870-->00:14:36.676 was uh said something about an admin that was you know worked on the company in linkedin that 00:14:36.676-->00:14:43.149 was false information, they used that information try and weaponize their um spam or their 00:14:43.149-->00:14:48.154 directive of phishing attack against that particular admin and guess what? That was not an 00:14:50.723-->00:14:56.596 appropriate set of information that they gathered they used deceptive elements to try and uh 00:14:56.596-->00:15:01.534 uh you know land uh an actual attack and so therefore feigning that completion of work becomes 00:15:04.771-->00:15:09.408 a disruptor to that project plan. Resources and tools. Attack tools and shift work you 00:15:09.408-->00:15:15.181 know, hey if if Team F is using something like cloudflare as their um you know their point 00:15:15.181-->00:15:21.420 for uh infiltration you know what's is unless it's an absolutely critical to the 00:15:21.420-->00:15:28.027 business app what is the harm in in just cratering uh a cloudflare for that particular 00:15:28.027-->00:15:33.166 stage for a period of time if they only use it during their shift work guess what they've 00:15:33.166-->00:15:38.571 got to now shift out to other resources to go out and deal with it. Uh create resource 00:15:38.571-->00:15:43.810 intection flooding your own machines or targeting your own machines um in a cyber 00:15:43.810-->00:15:49.448 resiliency construct that should always be an option you should always have the ability to flood 00:15:49.448-->00:15:52.552 certain machines I mean yes there are certain ones that you're not going to be able to 00:15:52.552-->00:15:55.822 take down because they're business critical but not everything and everyone is 00:15:55.822-->00:16:00.426 business critical so understanding and defining somewhat where where that sits 00:16:00.426-->00:16:06.399 but understanding that a um an offensive approach against your own machines might create 00:16:06.399-->00:16:11.170 disruption to the attackers plan because remember they're using your machines against you and 00:16:11.170-->00:16:17.643 therefore this removes an asset they have to have to get through their lifecycle and project 00:16:17.643-->00:16:22.582 plan. And then um you know I talked about you know different teams using different tools WMI 00:16:22.582-->00:16:28.921 PSExec and management tools against you being used against you. Scope creek utilizing 00:16:28.921-->00:16:35.094 deception and fake targets or tarpits this is this is always a fun one, I actually talk about 00:16:35.094-->00:16:41.901 with a a number of folks uh the concept of honey information, not honey tokens not honeypots 00:16:41.901-->00:16:46.472 or honeynets but honey information, things that are planted out there that the uh 00:16:46.472-->00:16:51.344 attacker has to stomp through and has no choice but to look at because it's there they've been 00:16:51.344-->00:16:56.682 numerated on the box and they see a bunch of information maybe some logs that are interesting 00:16:56.682-->00:17:00.920 and they might want to use that information for their lateral movement. This this creates 00:17:00.920-->00:17:06.893 scope creek to them if they have no idea that it's deceptive and therefore creates that ability 00:17:06.893-->00:17:13.065 to make them noisy to creates that ability to ah a make them visible to you in in their 00:17:13.065-->00:17:19.772 attack lifecycle. And also screws with their predecessors and successors. Cost I mean any 00:17:19.772-->00:17:25.611 any cost increase to the attacker is a cost decrease for you to remediate and that's 00:17:25.611-->00:17:29.982 that's something to you know keep in mind. If you start increasing costs even minimally 00:17:29.982-->00:17:34.186 even though some of these um methods might not be 100% effective they eventually get 00:17:34.186-->00:17:40.593 in, you're still increasing the costs to the attacker and thereby increasing the OODA loop 00:17:40.593-->00:17:45.565 time that they might have to uh go through and therefore you might get inside what's called 00:17:45.565-->00:17:51.504 their OODA loop to make a decision faster than they did. Uh and then lastly um noise and 00:17:51.504-->00:17:57.276 anomalies that's always a fun one you know random IPC shares are things you know as the bad 00:17:57.276-->00:18:02.348 guys enumerating through and trying to find things. That actually becomes very 00:18:02.348-->00:18:07.553 interesting the attackers are usually using some form of automation and scripts up front 00:18:07.553-->00:18:13.492 and if you start creating anomalies that starts to mess up their variables for import into 00:18:13.492-->00:18:18.497 their own automation and scripts therefore creating friction to their project plan. So, what 00:18:20.866-->00:18:25.071 would that look like? You know just visually I'll just you know draw it up maybe they're at c 00:18:25.071-->00:18:30.576 you know command control and they you've just snapshotted the machine back to an older 00:18:30.576-->00:18:35.581 version, guess what? They have to go all the way through exploit again because they've 00:18:35.581-->00:18:42.254 they've now um toasted their er the um snapshot back to a previous version has now toasted 00:18:42.254-->00:18:47.460 their ability to go from exploit to install and back to command control that sets them back in 00:18:47.460-->00:18:52.465 time and or they're sitting at install and they uh the uh the virtual machine might blow back 00:18:55.835-->00:19:02.541 to a point where they have to redeliver again that same spam message or the same phishing 00:19:02.541-->00:19:07.146 message to get the admin to open. So that's that's that's just one visual that you know 00:19:07.146-->00:19:12.151 the same type of visual for tool unavailability um and you know that that same concept of hey 00:19:15.755-->00:19:19.792 you have to exit one phase to get to another you have to progress through one phase to 00:19:19.792-->00:19:26.198 get to the next phase and that same concept for maybe an orchestrated set false targets 00:19:26.198-->00:19:31.203 that deception space again and creating uh a path for the bad guy. So alright so what I did is 00:19:35.474-->00:19:40.479 uh I I sat down and just you know in Excel started plotting out a bunch of uh attack uh you 00:19:43.349-->00:19:49.355 know patterns that have been seen in the past. And I did it by phase I said hey list 00:19:49.355-->00:19:55.995 timeframe the successors and predecessors the tools and the resources were um guessing that 00:19:55.995-->00:20:01.534 that the particular attackers are using and the timeframe in which they're doing it you know. 00:20:01.534-->00:20:06.405 That time frame is actually rather key because if you can do something in a phase quicker 00:20:06.405-->00:20:11.410 than they do, you win. So going through in completely mapping out a a few uh uh actual live uh 00:20:15.214-->00:20:21.120 you know attack patterns in doing so in terms of the cyber resiliency engineering framework 00:20:21.120-->00:20:26.425 by MITRE and that was something I was buried in at the time quite a bit for cyber resiliency 00:20:26.425-->00:20:31.630 at the end point and as a result I was looking at those cyber resiliency techniques which were 00:20:31.630-->00:20:36.635 really the money that that I started to frame these uh maps into. So as a result I I mapped 00:20:39.405-->00:20:44.510 out this one you're not going to be able to see it it's uh uh an attack pattern but really you 00:20:44.510-->00:20:50.483 just kinda see hey the the uh the general hey this is this is the what the entire attack 00:20:50.483-->00:20:55.921 pattern might look like over time for each phase and uh mapping it out. I actually 00:20:55.921-->00:21:00.760 mapped out close to ten in conjunction with some other folks mapped out axium, cleaver, 00:21:00.760-->00:21:05.764 dark hotel, finfour, uh zero to hero uh, scenario sap you for all scenario stuck on your DC 00:21:08.701-->00:21:13.439 things you know you might have seen in past lives or open your dir in this case. So I mapped 00:21:13.439-->00:21:18.410 out a bunch of them and you know it was kind of interesting I noticed something is that you 00:21:18.410-->00:21:23.415 could start to build out you know okay with these er a category of um the uh the actual 00:21:27.453-->00:21:32.224 techniques that you can use per phase and you could mix and match them obviously I mean why 00:21:32.224-->00:21:37.029 why wouldn't you do that? Start to mix and match them so that you know maybe in your recon 00:21:37.029-->00:21:40.699 phase you've got your exploratory phishing attack report scans your Google Shodan 00:21:40.699-->00:21:47.006 search you know you might use different one for another attack pattern and if you light them up 00:21:47.006-->00:21:53.946 you're essentially lighting up a path to the act on objectives for this particular attacker. 00:21:53.946-->00:22:00.152 And that that I mean right here I just show three examples per phase so that meant hey I've 00:22:00.152-->00:22:06.358 gotta get some more so rep more attack research catalog techniques and so that's what I 00:22:06.358-->00:22:12.398 did I went out and looked for some uh uh you know uh attack techniques that you know were 00:22:12.398-->00:22:17.670 you know research based and of course I found MITRE's CAPEC common attack patterns and 00:22:17.670-->00:22:21.974 enumeration catalogue but for anybody who's gone out there and looked at it there at the time 00:22:21.974-->00:22:25.544 when I started looking at it probably about four or five years ago three or four years 00:22:25.544-->00:22:30.082 ago I guess it was uh there were five hundred er there were four hundred techniques at that time 00:22:30.082-->00:22:35.120 there are now over five hundred and four and so it became slightly unmanageable yes I 00:22:35.120-->00:22:41.260 could go and map and start throwing in um to each potentially each phase those 00:22:41.260-->00:22:45.898 techniques but I realized something wait a second I've tripped across this other 00:22:45.898-->00:22:50.869 framework that was just coming out as as public work and that was MITRE's attack framework 00:22:50.869-->00:22:57.176 adversarial tactics techniques and common knowledge and that had sixty eight techniques at 00:22:57.176-->00:23:02.114 the time and this was in late 2014 early 2015 I'm like hey that's a lot more manageable 00:23:04.717-->00:23:11.357 plus it's relatively mapped to an attack life cycle and I said hey that actually works a lot 00:23:11.357-->00:23:17.162 better so I got um an attack lifecycle from you know something liek Lockheed Martin 00:23:17.162-->00:23:19.431 and I can map these attack um these attack tools techniques straight to the uh straight to 00:23:19.431-->00:23:24.436 the attack lifecycle right there therefore it was a win for me. So what does that look like? Um 00:23:26.705-->00:23:31.710 as of at the time when I started really building out my work um it looked like this around 8 00:23:35.614-->00:23:41.453 2015 I started in in uh February really uh hammering on it and then it changed just a little 00:23:41.453-->00:23:46.458 bit and this is what it looked like in 8 2015. So you can see that hey there's this list of uh 00:23:48.661-->00:23:53.499 attack techniques that you know a bad guy could put or an attacker can put in their 00:23:53.499-->00:23:58.871 pockets and start using against a particular set of act on objectives that they're looking 00:23:58.871-->00:24:05.244 to do. And the same concept is true light em up you know essentially build your path to 00:24:05.244-->00:24:10.249 to the end game. And that that really made sense to me and made it made you know logical sense 00:24:12.451-->00:24:18.223 plus it was research based but the problem is I still had the uh um I still had some things 00:24:18.223-->00:24:23.662 going on at the same time and that was the attack research was actually changing a little bit 00:24:23.662-->00:24:28.667 so the stuff you see in 2 2015 was sixty eight the stuff you see in 10 of 2015 um started to 00:24:31.570-->00:24:37.910 build out where there were some gaps and it became uh 101 and this is hot off the presses it 00:24:37.910-->00:24:43.148 was just released and it's absolutely awesome. I suggest you guys go out and take a look 00:24:43.148-->00:24:48.153 at it it was released 7/28/2016 and that's the um the latest list. And it ties back to things 00:24:50.823-->00:24:55.828 like CAPEC it actually shows um things that um other companies would show as public knowledge 00:24:57.830-->00:25:03.802 for you know attackers their actual uh tools and techniques what tools are used by a 00:25:03.802-->00:25:09.408 particular set of threat actors this is all tied into this framework now but uh you know 00:25:09.408-->00:25:15.481 back to the regularly scheduled program here this was cool stuff and this is what I was using as 00:25:15.481-->00:25:19.318 my build out to uh the initial attack patterns. But uh that question of do they win? In In 00:25:19.318-->00:25:21.320 my old CIO's life uh came up. I'm sorry this is a list that that kind of breaks it out too. 00:25:21.320-->00:25:26.325 But that question of do they win? That became uh you know kind of interesting I said well 00:25:34.133-->00:25:39.872 guess what? I have all these attack patterns listed out they're research based why not 00:25:39.872-->00:25:46.412 take somewhat of a you know kind of a magic card approach of if you have something that's pretty 00:25:46.412-->00:25:50.649 effective as an attack technique what are the defensive techniques even if they aren't 00:25:50.649-->00:25:55.621 as effective what are some of them that you can use against each and every single technique 00:25:55.621-->00:26:01.960 in the attack uh uh uh toolbag and it what it because was hey you know something like new 00:26:01.960-->00:26:06.899 service you know what what what would you do? You'd maybe whitelist services so they 00:26:06.899-->00:26:11.970 couldn't start if you know it was a bad new service or you might blacklist certain services 00:26:11.970-->00:26:17.409 that you know uh that a particular attacker is using you might service do service start 00:26:17.409-->00:26:24.316 failures and dependencies. So I started listing out this set of complimentary to the attack 00:26:24.316-->00:26:29.321 research techniques so it became a set of defender techniques and there were you know as I said 00:26:31.390-->00:26:36.395 multiple levels of efficacy from from good to really good to maybe not so good but the thing 00:26:38.564-->00:26:45.103 I noticed is hey some of these techniques appear most often and they appeared most often across 00:26:45.103-->00:26:51.343 the attack lifecycle then that really started to resonate I'm like well if I invest in a 00:26:51.343-->00:26:56.348 particular set of uh attack er uh defensive techniques like time disruption I get uh the 00:26:58.884-->00:27:05.123 most effect across the attack lifecycle. Deception, I get this enormous amount of effect across 00:27:05.123-->00:27:11.396 the attack life cycle. So things like targets like time scope creek and predecessors or 00:27:11.396-->00:27:16.401 successors as defense uh became a really key understanding in saying if I invest here I'm 00:27:19.137-->00:27:24.142 going to have to invest less in uh my defenses across the entire lifecycle being a strategy play. 00:27:26.945-->00:27:32.117 And then some of the strategies had like little payoff but high investments so you know like in 00:27:32.117-->00:27:37.389 some cases if you look at analytic monitoring maybe you're you're a big data lakes and 00:27:37.389-->00:27:41.693 trying to find that needle in a haystack that's a hell of a lot of money. It's uh you're putting 00:27:41.693-->00:27:46.131 in quite a bit of money quite a bit of time quite a bit of effort to go and find that 00:27:46.131-->00:27:51.136 needle in a haystack this this when mapped out across the attack lifecycle only showed the 00:27:53.205-->00:27:58.210 detective and potentially preventative value throughout certain phases not as a not as 00:28:00.546-->00:28:05.717 effective as the ones I had previously noticed so it started to make sense and it made sense 00:28:05.717-->00:28:10.122 in terms of what I was kind of buried in. I was buried in the resiliency engineering framework 00:28:10.122-->00:28:14.726 and I was buried in looking at something that was put out uh called the the industry 00:28:14.726-->00:28:19.798 perspective of cyber resiliency actually applying it to industries and what industries 00:28:19.798-->00:28:25.203 have done to apply it within their own organizations. So it started to validate a set of 00:28:25.203-->00:28:30.709 work that uh I was already chasing and made sense. But I still noticed something more you 00:28:30.709-->00:28:36.415 know? And I see you can kind of see the lead up. I got an attacker deck I got a defender 00:28:36.415-->00:28:43.121 deck I got a progressive board based on Lockheed Martin's uh attack lifecycle maybe I have a 00:28:43.121-->00:28:48.126 game? So I started a mock up and I didn't I didn't you know know i was going to get to this but 00:28:50.696-->00:28:55.701 that's once I saw all of those pieces I said alright let's go back to the geek days of magic 00:28:58.236-->00:29:04.776 which I may or may not have played once or twice [laughter] and I started going hey, where 00:29:04.776-->00:29:10.082 can I build these card decks? And I found a place that I could build them and I defined the 00:29:10.082-->00:29:15.087 attacker as red and the defender as blue just as a convention and started a mock up and what they 00:29:17.122-->00:29:23.095 and I um also put together a board and you'll notice that this board you know I first 00:29:23.095-->00:29:28.367 thought about the the Lockheed Martin lifecycle or whatever attack lifecycle you might want 00:29:28.367-->00:29:34.873 as a potential Candyland type set up but then I realized wait a second this is really kind of 00:29:34.873-->00:29:40.879 like a give and take between the attacker and defender because they don't always win defenders 00:29:40.879-->00:29:47.452 don't always win so it is a true give and take and therefore create that board kind of in a 00:29:47.452-->00:29:54.292 woo approach give take approach or um in a in a kind of a vortex approach and that's also how it 00:29:54.292-->00:29:59.498 got the name Maelstrom but as you see it's going from reconnaissance and all the way 00:29:59.498-->00:30:04.503 in through to act on objectives so your goal is to keep the guys uh out as as a defender or if 00:30:06.972-->00:30:12.244 you're the attacker your goal is to get to act on objectives and it made sense. I started tearing 00:30:12.244-->00:30:18.483 down um uh the cards to to make okay what could these cards look like and how would they be built 00:30:18.483-->00:30:24.256 out they have a um a set of phases they could be used in so this these sets of cards or the 00:30:24.256-->00:30:30.262 first the attacker card here can be used in recon, exploit, C2, and actions and it's a lateral 00:30:30.262-->00:30:35.100 movement card that um does apple key uh you know the uh the attacker in this case is hiding 00:30:35.100-->00:30:41.306 in the application deployment software so SMS or you know TTL or something like that. But um 00:30:41.306-->00:30:46.545 you also then have progression how far are they going to get there's plus four or a minus 00:30:46.545-->00:30:52.350 four on the defender card so that's how far they get within the attack lifecycle with that 00:30:52.350-->00:30:58.223 particular play of the card. There's also um for more advanced play there's cost and 00:30:58.223-->00:31:03.795 upkeep. And that's you know cost is kind of that that real strategy play of figuring out 00:31:03.795-->00:31:10.001 hey how much would doing a defense like this or an offense like this cost? And then there's 00:31:10.001-->00:31:14.806 the other piece and that's building out a story so you can't just throw a card down and 00:31:14.806-->00:31:20.512 not know how it's used you actually have to you know as as table rules would work you would 00:31:20.512-->00:31:26.618 say hey this is this cards being used this way in my story and some of the some of the most fun 00:31:26.618-->00:31:30.822 that we've actually had fun playing the game was with some of the stories people would come 00:31:30.822-->00:31:36.695 up with it's actually a little crazy but what do they you know how many cards are there? 00:31:36.695-->00:31:42.334 There's over six unique technique unique attacker cards within the uh sets of decks I've 00:31:42.334-->00:31:48.073 developed so far and you know these are just some examples that um sit out there or that 00:31:48.073-->00:31:53.078 i've put together and then there's over 70+ unique defender cards uh that that you know that 00:31:55.514-->00:32:01.653 I can show as examples and there's another piece and I added later on when I was 00:32:01.653-->00:32:06.191 developing the game you know it became apparent that we don't always know who are threat 00:32:06.191-->00:32:12.430 actors are and our threat actors sometimes have a certain methodology or a certain way of 00:32:12.430-->00:32:18.804 play and so mapping out unique threat actors was actually kind of interesting. So you know 00:32:18.804-->00:32:23.008 going from freelance spies corporate spy you know all the way down to warfighter or 00:32:23.008-->00:32:28.980 political social you know motivations. It was interesting to kind of break those down and 00:32:28.980-->00:32:34.486 the way it would work is the those chips go facedown on the board so the defender does not 00:32:34.486-->00:32:39.691 know what is actually being played and there are certain opportunistic cards that might 00:32:39.691-->00:32:46.598 come up and uh also allow them to take a peek. Then um you know as I've said before I have a 00:32:46.598-->00:32:51.102 little bit of a quibble with the uh Lockheed Martin attack lifecycle and some of that 00:32:51.102-->00:32:55.841 quibble you know was about hey what are the other acts on objectives behind the ones kind 00:32:55.841-->00:33:01.246 of listed out and discussed most frequently and so you as you can see here here's the example sets 00:33:01.246-->00:33:06.251 uh of those acts on objectives and the cards that are in play as a result. So that sits face 00:33:08.887-->00:33:13.391 down in the middle of the board because guess what? You don't know what the ba er the uh 00:33:13.391-->00:33:19.097 attackers act on objectives is gonna be. So there are three different versions of play. 00:33:19.097-->00:33:24.002 There's easy play that's where the cards are dealt to you but keep in mind that's not really 00:33:24.002-->00:33:29.708 real life that's not the way real life works. Tactical play is where you choose which cards 00:33:29.708-->00:33:34.312 you have and this is kind of like Magic in and of itself you choose which cards you play or 00:33:34.312-->00:33:39.150 you're going to have in your hand the uh you know the attacker chooses the defender 00:33:39.150-->00:33:45.223 chooses uh the uh chips might be facedown or dealt the act on objectives might be facedown or 00:33:45.223-->00:33:50.662 dealt but that's kind of the tactical play. And then the last one is the strategic play where 00:33:50.662-->00:33:55.767 you actually have to buy cards you're given budgets but that you know as some folks pointed 00:33:55.767-->00:34:02.040 out to me they said this is too much like real work [laughter] and not necessarily a game so 00:34:02.040-->00:34:07.178 that was one of those ones we've played a few times but one thing was kind of interesting about it 00:34:07.178-->00:34:13.218 is it made sense when folks started to see how expensive it was to do certain attacks or how 00:34:13.218-->00:34:20.091 expensive it was to do certain defenses and so I have the rules they're going to be posted 00:34:20.091-->00:34:25.630 tonight uh late tonight after the talk and after I get back to the room and so forth but the 00:34:25.630-->00:34:31.937 rules have been built they're actually on your CDs so you know they're out there but I'll post 00:34:31.937-->00:34:37.008 all that stuff to give out and os that's just a big quick overview of the game this is 00:34:37.008-->00:34:43.315 what it looks like. I have a printed outset of copies with me I also have um some that are out 00:34:43.315-->00:34:49.220 to friends on loan and this is what it looks like if laid out. So the board it's something I 00:34:49.220-->00:34:54.793 actually this board I printed up at Fedex just uh in Mandalay Bay you know what I mean it's that 00:34:54.793-->00:34:59.230 simple that easy and the cards um that's something that I'll I'll talk about in a few 00:34:59.230-->00:35:05.870 seconds. The sample video of game play there is one out there we've played uh a number of 00:35:05.870-->00:35:12.577 times but decided one time we'd actually record it just uh so people could see how it works. 00:35:12.577-->00:35:16.681 And then, what are the uses cases for this? Remember from the beginning I said education, 00:35:16.681-->00:35:22.754 demonstration and evangelism. Learn an attack concept lifecycle concept and make it 00:35:22.754-->00:35:27.759 part of a vocabulary this is not something that defenders actually do often so this is 00:35:29.794-->00:35:36.534 this is an ability or this is a way to go and try and educate defenders and attackers what 00:35:36.534-->00:35:43.074 what in some cases what they're doing as part of their actual progression plan potentially 00:35:43.074-->00:35:48.346 make themselves more organized as pen testers or what have you and then it builds a security 00:35:48.346-->00:35:52.751 mindset in those defenders who don't do offense. You know there's there when we played 00:35:52.751-->00:35:59.524 with engineers and uh played with uh other forensic investigators they didn't 00:35:59.524-->00:36:05.630 necessarily understand what the attacker was doing but they saw the forensic artifacts and then 00:36:05.630-->00:36:10.702 after playing the game a few times they understood oh now I get why they needed to do this 00:36:10.702-->00:36:16.674 before they did this. So building out an attack lifecycle concept or vocabulary and then 00:36:16.674-->00:36:22.247 also building out a security mindset demonstration many table tops. We've played that out with 00:36:22.247-->00:36:27.385 a few um you know maybe some events you've had go on how the hell does that happen what did 00:36:27.385-->00:36:31.890 you know what would a defender have done differently if they had different tool sets or cards 00:36:31.890-->00:36:36.528 in their hand if they were playing with a full deck so to speak. And then analysis and 00:36:36.528-->00:36:41.566 strategies for choosing technologies to win. It's funny that's actually where I was 00:36:41.566-->00:36:46.337 trying to go when I started this whole journey I was looking for you know some endpoint 00:36:46.337-->00:36:53.178 technologies based stuff that that was at scale and then cost benefit analysis and you know 00:36:53.178-->00:36:58.249 that's that's where really it comes down to hey you gotta make it more you're gonna make it 00:36:58.249-->00:37:03.655 harder on them cost more for them than it is for you. And and you know lastly evangelism 00:37:03.655-->00:37:07.492 people you know it's funny I've I've had this out I've played, people look at it and they're 00:37:07.492-->00:37:12.063 like oh wait what is this it draws them in and starts to you know kind of play out that 00:37:12.063-->00:37:18.303 gamification of hey how do you get to this particular act on objectives how can I get to that 00:37:18.303-->00:37:24.309 particular act on objectives and they start playing out games for themselves and draws them into 00:37:24.309-->00:37:30.515 that uh attack versus defense type role and then gets the message to non security folks. 00:37:30.515-->00:37:37.088 And so you know there's the the rationalization you saw that's a 1-6 of effectiveness I picked it 00:37:37.088-->00:37:43.728 because of dye and that you can actually use that as part of a your game play if you'd like. 00:37:43.728-->00:37:49.734 Cost rationalization based on a thousand seat company that's kind of what I was trying to do 00:37:49.734-->00:37:54.873 a thumb in the air as to how much I'd see it cost in previous uh lives and then there were 00:37:54.873-->00:38:00.445 prior art there's hacker or hacker 2 control alt hack elevation of privilege I mean 00:38:00.445-->00:38:04.949 some of these things are given away but many of these things are actually more offensive than 00:38:04.949-->00:38:11.790 defensive and so I say you know in this case we have an offensive and defensive game 00:38:11.790-->00:38:17.328 with a progressive board based on research. The attack framework the compliment to the 00:38:17.328-->00:38:22.333 attack framework and the Lockheed Martin uh cyber uh security kill chain. So what are 00:38:24.369-->00:38:31.276 the next steps? Submit work for con talks get input so that's that's where I'm at here. Uh map 00:38:31.276-->00:38:37.148 to current attack patterns play multiple rounds. Digitize and create the open source framework 00:38:37.148-->00:38:41.953 and I need I want some help with this this is actually where real money can be had this is 00:38:41.953-->00:38:48.092 interesting but I'm looking to you know give it away and see if folks figure out you know ways 00:38:48.092-->00:38:53.998 to help me digitize it so that I can watch them play the games so that we can watch them play the 00:38:53.998-->00:38:58.803 games to see what strategies are most effective and then also allow for them to update card 00:38:58.803-->00:39:04.309 decks and put in their own tactics that maybe no one has seen before and can be shared 00:39:04.309-->00:39:09.814 either as defensive tactics or offensive tactics uh there was a non technical game development 00:39:09.814-->00:39:15.720 based on the Scott Tenorman episode of South Park [laughter] I won't get into that here but 00:39:15.720-->00:39:20.625 if for those who have seen it they they probably understand how that works. And lastly you 00:39:20.625-->00:39:25.496 know let people play update their decks watch their strategies gamify it so that 00:39:25.496-->00:39:31.002 maybe it's like a Pokemon Go collect all your collect all your strategies collect all of 00:39:31.002-->00:39:36.541 your acts on objectives with your particular set actors and then lastly digitize and let the 00:39:36.541-->00:39:42.013 machine rise and play itself and that you know is the theme of defcon this year let the machine 00:39:42.013-->00:39:48.486 rise and so as a result I think that that might be somewhat interesting as the framework 00:39:48.486-->00:39:53.491 develops as well as the um defensive cards develope. And so this is a place you can 00:39:55.793-->00:40:00.265 contribute volunteer get the latest developments as I said tonight I'm going to post things 00:40:00.265-->00:40:06.037 probably uh going to be late uh Twitter uh Cyber Maelstrom Gethub maelstrom the game that 00:40:06.037-->00:40:11.042 defcon24 you're actually going to be able to print off your own copies if you want to I'm going 00:40:13.144-->00:40:18.616 to I'm working with a vendor right now to create a sku for anybody to go in and use you can 00:40:18.616-->00:40:23.888 go and even print the gameboard off at Fedex but I'm going to try to get it all as one package 00:40:23.888-->00:40:28.760 and then you can just buy it from there. Um adding cards if you want to suggest cards I 00:40:28.760-->00:40:33.498 suggest using Twitter for peer review card source it so to speak for people to knock it 00:40:33.498-->00:40:39.404 down or raise it up and then you know watch Gethub and Twitter for the digitized version and 00:40:39.404-->00:40:44.409 contact Twitter to volunteer to help and then lastly the credits I mean without the attack 00:40:46.411-->00:40:51.015 framework none of this information would have been possible nor kind of that 00:40:51.015-->00:40:55.753 concept of verging concept the cyber resiliency engineering framework was key just because I 00:40:55.753-->00:41:01.059 was buried in it at the time obviously Lockheed and Martin uh Kill Chain and then these folks 00:41:01.059-->00:41:07.031 here who uh have graciously donated a lot of time and energy and fun to play the game, play 00:41:07.031-->00:41:12.403 it multiple times and see what things can be done to uh you know contribute to the 00:41:12.403-->00:41:17.408 community. So, that's what I have. [applause]