Adversarial Tradecraft Cyber Security

JayHill
4 min readNov 19, 2021
https://read.amazon.com/kp/embed?asin=B0957LV496&preview=newtab&linkCode=kpe&ref_=cm_sw_r_kb_dp_S6W6J2F18WG198ZEABTZ

I had the opportunity to read Adversarial Tradecraft in Cyber Security, which is written by Dan Borges. The author of the book is a friend and also a security researcher and DEF CON vet. The opening of the book sets the stage for the reader by going into detail about the scope of security as it is today, then starts to dive into game theory, introducing and setting the stage for what can be described as cyber warfare or computer war games.

Elements of cyber security and blue team vs. red team theories are talked about throughout the book. The author helps readers grasp how offense and defense intersect and interact with one another. I've listed some of the key concepts/repos talked about below; feel free to read and view the links. I've also listed a link to Dan's book to purchase above as well as at the end of this write-up. Thanks for taking the time to read.

Nash equilibrium in Game theory

https://web.archive.org/web/20100610071152/http://www.ewp.rpi.edu/hartford/~stoddj/BE/IntroGameT.htm

Trying different attacks with Microsoft ATA (Advanced Threat Analytics)

https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide

  • Abnormal modification of sensitive groups
  • Broken trust between computers and domains
  • Brute force attack using LDAP simple bind
  • Encryption downgrade activity

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Encryption downgrade activity weakens Kerberos by lowering the encryption level of protocol fields that are normally protected with the strongest available algorithm, which is why ATA alerts when a field's encryption type drops below the behavior it has previously learned.

Microsoft lists three detection types under this alert:

Skeleton Key: malware that runs on domain controllers and allows authentication to the domain with any account without knowing its password. This malware often uses weaker encryption algorithms to hash the users' passwords on the domain controller. In this detection, the encryption method of the KRB_ERR message from the domain controller to the account asking for a ticket was downgraded compared to the previously learned behavior.

Golden Ticket: the encryption method of the TGT field of the TGS_REQ (service request) message from the source computer was downgraded compared to the previously learned behavior. This isn't based on a time anomaly (as in the other Golden Ticket detection). In addition, there was no Kerberos authentication request associated with the previous service request detected by ATA.

Overpass-the-hash: an attacker can use a weak stolen hash to create a strong ticket with a Kerberos AS request. In this detection, the AS_REQ message encryption type from the source computer was downgraded compared to the previously learned behavior (that is, the computer had been using AES).
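To make the "compared to the previously learned behavior" idea concrete, here is a toy detector that implements the three downgrade detections described above. It is an added example written for this write-up, not ATA code; the event records, the field names, the strength ranking and the learn/detect split are all constructed, and the real product learns far more than one scalar per peer.

```python
"""Toy Kerberos encryption-downgrade detector (added illustration, not ATA code).

Mirrors the three ATA detections described above:
  * Skeleton Key      - a KRB_ERR from a domain controller uses a weaker
                        encryption type than that DC was seen using before
  * Golden Ticket     - the TGT field of a TGS_REQ is weaker than the source
                        computer's learned behaviour AND no AS_REQ from that
                        source for that account preceded it
  * Overpass-the-Hash - the AS_REQ encryption type from a source computer is
                        weaker than its learned behaviour
Event records and the learn/detect split are constructed for this example.
"""

# Kerberos encryption type numbers (RFC 3961 / RFC 4757) with a coarse
# strength rank; assumption: one scalar rank is enough for the illustration.
STRENGTH = {0x12: 3, 0x11: 2, 0x17: 1, 0x03: 0}
ETYPE_NAME = {0x12: "AES256", 0x11: "AES128", 0x17: "RC4-HMAC", 0x03: "DES"}


def is_downgrade(observed, baseline):
    """True when the observed etype is weaker than the learned one."""
    return STRENGTH[observed] < STRENGTH[baseline]


class DowngradeDetector:
    def __init__(self):
        # (msg_type, peer) -> strongest etype seen during learning.
        self.baseline = {}
        # (source, account) pairs that have performed a Kerberos AS_REQ.
        self.as_req_seen = set()

    @staticmethod
    def _key(event):
        # KRB_ERR is emitted by the DC, so baseline it per DC;
        # AS_REQ / TGS_REQ are baselined per source computer.
        peer = event["dc"] if event["msg"] == "KRB_ERR" else event["source"]
        return (event["msg"], peer)

    def learn(self, events):
        """Learning phase: remember the strongest etype each peer normally uses."""
        for e in events:
            key = self._key(e)
            if key not in self.baseline or STRENGTH[e["etype"]] > STRENGTH[self.baseline[key]]:
                self.baseline[key] = e["etype"]
            if e["msg"] == "AS_REQ":
                self.as_req_seen.add((e["source"], e["account"]))

    def detect(self, events):
        """Detection phase: return (category, event) for every downgrade seen."""
        alerts = []
        for e in events:
            if e["msg"] == "AS_REQ":
                self.as_req_seen.add((e["source"], e["account"]))
            base = self.baseline.get(self._key(e))
            if base is None or not is_downgrade(e["etype"], base):
                continue
            if e["msg"] == "KRB_ERR":
                alerts.append(("Skeleton Key", e))
            elif e["msg"] == "AS_REQ":
                alerts.append(("Overpass-the-Hash", e))
            elif (e["source"], e["account"]) not in self.as_req_seen:
                alerts.append(("Golden Ticket", e))
            else:
                alerts.append(("TGS_REQ downgrade (unclassified)", e))
        return alerts


def _ev(msg, source, account, etype, dc="DC01"):
    return {"msg": msg, "source": source, "account": account, "dc": dc, "etype": etype}


# Constructed learning-period traffic: everything uses AES256.
LEARNING_EVENTS = [
    _ev("AS_REQ", "WS01", "alice", 0x12),
    _ev("TGS_REQ", "WS01", "alice", 0x12),
    _ev("KRB_ERR", "WS01", "alice", 0x12),
    _ev("AS_REQ", "WS02", "bob", 0x12),
    _ev("TGS_REQ", "WS02", "bob", 0x12),
]

# Constructed detection-period traffic with one example of each downgrade.
DETECTION_EVENTS = [
    _ev("AS_REQ", "WS01", "alice", 0x12),   # normal
    _ev("AS_REQ", "WS02", "bob", 0x17),     # RC4 AS_REQ from a host that used AES
    _ev("TGS_REQ", "WS01", "admin", 0x17),  # RC4 TGT, no AS_REQ for admin from WS01
    _ev("KRB_ERR", "WS01", "alice", 0x17),  # DC answering with RC4
    _ev("TGS_REQ", "WS02", "bob", 0x17),    # RC4 TGT, but bob did authenticate first
]


def run_example():
    """Train on the learning events, then return the alert categories raised."""
    det = DowngradeDetector()
    det.learn(LEARNING_EVENTS)
    return [cat for cat, _ in det.detect(DETECTION_EVENTS)]


if __name__ == "__main__":
    det = DowngradeDetector()
    det.learn(LEARNING_EVENTS)
    for cat, e in det.detect(DETECTION_EVENTS):
        print(f"{cat:32} {e['msg']:8} {e['source']:5} {e['account']:6} "
              f"etype={ETYPE_NAME[e['etype']]}")
```

The last detection event shows why the "no associated authentication request" condition matters: an RC4 TGT alone is ambiguous, since the same downgrade appears when a host legitimately falls back to RC4, so the Golden Ticket label is only applied when the TGT was never obtained through an observed AS_REQ.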

BloodHound

https://bloodhound.readthedocs.io/en/latest/index.html

www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. As of version 4.0, BloodHound now also supports Azure. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
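The "attack path" BloodHound finds is a shortest path in a directed graph whose edges are AD relationships. The following added example (written for this write-up, not BloodHound's own code) builds a small constructed AD graph, finds the fewest-hop path from a compromised user to Domain Admins with a breadth-first search, and then removes one relationship to show how a defender verifies that a fix actually breaks the path.

```python
"""Toy attack-path search over an Active Directory graph (added illustration).

BloodHound stores principals as nodes and relationships such as MemberOf,
AdminTo and HasSession as directed edges, then asks the graph database for
the shortest path from a compromised principal to a high-value target.
The graph below is constructed for this example; the search is a plain BFS.
"""
from collections import deque

# Constructed edge list: (source, relationship, target).
AD_EDGES = [
    ("alice",         "MemberOf",   "Domain Users"),
    ("alice",         "MemberOf",   "Helpdesk"),
    ("Helpdesk",      "AdminTo",    "WS01"),
    ("WS01",          "HasSession", "bob"),
    ("bob",           "MemberOf",   "IT Admins"),
    ("IT Admins",     "MemberOf",   "Domain Admins"),
    ("Domain Admins", "AdminTo",    "DC01"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """BFS for the fewest-hop path; returns [(node, rel, node), ...] or None."""
    if start == target:
        return []
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = (node, rel)
            if nxt == target:
                # Walk back through the parent pointers to recover the path.
                path = []
                cur = nxt
                while parent[cur] is not None:
                    prev, r = parent[cur]
                    path.append((prev, r, cur))
                    cur = prev
                return list(reversed(path))
            queue.append(nxt)
    return None


def without_edge(edges, edge):
    """Defender's view: the same graph with one relationship removed."""
    return [e for e in edges if e != edge]


def example_attack_path():
    """Red-team question: how does alice reach Domain Admins?"""
    return shortest_path(build_graph(AD_EDGES), "alice", "Domain Admins")


def example_after_fix():
    """Blue-team check: does clearing bob's session on WS01 break the path?"""
    fixed = without_edge(AD_EDGES, ("WS01", "HasSession", "bob"))
    return shortest_path(build_graph(fixed), "alice", "Domain Admins")


if __name__ == "__main__":
    for src, rel, dst in example_attack_path():
        print(f"{src} -[{rel}]-> {dst}")
    print("after fix:", example_after_fix())
```

In the constructed graph the path runs alice -> Helpdesk -> WS01 -> bob -> IT Admins -> Domain Admins; removing either the Helpdesk AdminTo edge or bob's session on WS01 leaves no path, which is the "identify and eliminate" loop described above.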

What is defense in depth

https://www.forcepoint.com/cyber-edu/defense-depth

Attack trees

https://en.wikipedia.org/wiki/Attack_tree

Attack trees are conceptual diagrams showing how an asset, or target, might be attacked. Attack trees have been used in a variety of applications. In the field of information technology, they have been used to describe threats on computer systems and possible attacks to realize those threats. However, their use is not restricted to the analysis of conventional information systems. They are widely used in defense and aerospace threat analysis, and early publications on attack trees suggest the involvement of the National Security Agency in their initial development.

Attack tree and kill chain approach in cloud computing and Protection of Digital Services
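An attack tree is more than a diagram once its leaves carry costs: OR nodes take the cheapest child, AND nodes sum their children, and the root value is the cheapest attack. The example below is added for this write-up (not from the book or the linked paper); the tree, the leaf costs and the mitigation are constructed to show how evaluating the tree before and after a fix tells a defender which branch matters next.

```python
"""Attack tree with AND/OR nodes and a cheapest-attack evaluation (added illustration).

Leaves carry an attacker cost; an OR node costs as much as its cheapest child,
an AND node as much as all its children together. Evaluating the tree twice,
before and after a mitigation, shows how defenders use it to prioritise fixes.
The tree and its costs are constructed for this example.
"""


class Node:
    def __init__(self, name, kind="LEAF", children=(), cost=0):
        self.name, self.kind, self.children, self.cost = name, kind, list(children), cost


def cheapest_attack(node):
    """Return (total_cost, leaves_used) for the cheapest way to realise `node`."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    results = [cheapest_attack(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        return sum(c for c, _ in results), [leaf for _, leaves in results for leaf in leaves]
    raise ValueError(f"unknown node kind {node.kind!r}")


def build_tree(sqli_cost=4):
    """Goal: read customer records. `sqli_cost` is the parameter a mitigation changes."""
    return Node("Read customer records", "OR", [
        Node("SQL injection in web app", cost=sqli_cost),
        Node("Steal encrypted backup", "AND", [
            Node("Access backup bucket", cost=3),
            Node("Obtain backup decryption key", cost=8),
        ]),
        Node("Bribe a DBA", cost=50),
    ])


def example_before_and_after():
    """Evaluate the tree, apply one mitigation, evaluate again."""
    before = cheapest_attack(build_tree())
    # Mitigation: parameterised queries plus a WAF push SQLi cost out of reach.
    after = cheapest_attack(build_tree(sqli_cost=100))
    return before, after


if __name__ == "__main__":
    before, after = example_before_and_after()
    print("before mitigation:", before)
    print("after mitigation: ", after)
```

Before the fix the cheapest route is the SQL injection leaf at cost 4; afterwards the AND branch (bucket access plus the decryption key, total 11) becomes the attacker's best option, so that is where the next control should go. Costs can be swapped for probabilities or required skill level with the same evaluation structure.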

Network Reconnaissance

https://attack.mitre.org/tactics/TA0043/

The adversary is trying to gather information they can use to plan future operations.

Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.

MITRE ATT&CK Enterprise Matrix

https://attack.mitre.org/matrices/enterprise/

Raphael Mudge's Dirty Red Teaming Tactics

https://www.youtube.com/watch?v=oclbbqvawQg

Chris Nickerson on Red Teaming and Threat Emulation

https://www.youtube.com/watch?v=oclbbqvawQg

FIN7 Leveraging Shim Databases for Persistence

https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html

Bluespawn

Helps blue teams monitor systems in real time against active attackers by detecting anomalous activity.

BLUESPAWN is an active defense and endpoint detection and response tool, which means it can be used by defenders to quickly detect, identify, and eliminate malicious activity and malware across a network.

https://github.com/ION28/BLUESPAWN

Computational Security Princeton Course

https://www.cs.princeton.edu/courses/archive/fall07/cos433/lec3.pdf

A look into cyber operations: FireEye's analysis of APT28

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

CrowdStrike's CTO explains "breakout time", a critical metric in stopping breaches:

https://www.crowdstrike.com/blog/first-ever-adversary-ranking-in-2019-global-threat-report-highlights-the-importance-of-speed/

Adversarial Tradecraft and the Importance of Speed

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf

OTHER INTERESTING LINKS

Free malware analysis scanner

https://www.hybrid-analysis.com/

https://github.com/BishopFox/sliver

https://github.com/jmmcatee/cracklord/fork

https://github.com/digininja/CeWL/fork

https://fatrodzianko.com/2020/05/11/covenant-c2-infrastructure-with-azure-domain-fronting/

https://github.com/burrowers/garble/fork

https://www.thec2matrix.com/matrix

https://en.wikipedia.org/wiki/EternalBlue

https://jeffmcjunkin.wordpress.com/2018/11/05/masscan/

https://github.com/sqlmapproject/sqlmap

https://taipansec.com/index

https://portswigger.net/burp

https://github.com/BC-SECURITY/Empire

https://www.cobaltstrike.com/

https://github.com/BloodHoundAD/BloodHound

https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

https://docs.rapid7.com/metasploit/resource-scripts/

https://github.com/greenbone/openvas-scanner

https://github.com/vulnersCom/nmap-vulners

https://github.com/rackerlabs/scantron

https://www.darkoperator.com/blog/2015/11/2/are-we-measuring-blue-and-red-right

https://www.youtube.com/watch?v=M-ty0o8dQU8

https://www.upguard.com/blog/cybersecurity-metrics

https://github.com/mari0d/PFM

https://github.com/gchq/CyberChef

https://www.joesecurity.org/joe-sandbox-reports#windows-evasive

https://www.virustotal.com/gui/home/upload

Free malware analysis scanner

https://www.sleuthkit.org/

Open-source digital forensics toolkit used to analyze computers and phones

https://attack.mitre.org/techniques/T1577/

Thanks for following and reading here is a link to purchase the book if interested.
