2020-009-Dave Kennedy, Offensive Tool release (Part 1)
Published March 12, 2020
|
34 min
    Download
    Add to queue
    Copy URL
    Show notes

    Dave Kennedy (@hackingDave)

    TrustedSec

    Released SEToolkit, Pentester Framework (PTF)

    PoC release for “Shitrix” bug (was disclosed after Google zero initiative India group)

    Jeff Snover, Lee Holmes - Powershell gods

    Arguments against release

    Tools are released are utilized by the ‘bad guys’

    Tooling makes it more difficult to fingerprint who are who they say they are “Fuzzy Weasel Vs. Psycho Toads”

    Makes the bad guys job harder by making them have to create the PoC (presumably most bad actors are skids)

     

     

    Arguments for release

     

    Tools allow for teaching Blue team, and SIEM/logging systems to understand 

    Learning how something was created, being able to break down the vulnerability

    https://www.bleepingcomputer.com/news/security/new-evasion-encyclopedia-shows-how-malware-detects-virtual-machines/



    Show #2:

    DerbyCom - Tell us about it

    Dave Kennedy Center for gaming and Leadship https://twitter.com/hackingdave/status/1220150360779710464?lang=en 

     

    Offensive Security Tool release (PowerShell Empire 3.0)

    Powershell is re-released, using Python:
    https://twitter.com/BCSecurity1/status/1209126652300709888 

     

    Initial tweet:

    https://twitter.com/taosecurity/status/1209132572128747520

    “We believe that Powershell and Empire framework will remain a major threat vector employed by APTs, malware authors, and Red Teams.” SO WHY ARE YOU UPDATING IT? You are improving capabilities you explicitly say are *used by bad guys.* Scottie, beam me up from this bizarro world.

    Affirmations and evidence:

    https://twitter.com/taosecurity/status/1209287582439395330 

    Nope. One example: Iranian APT “CopyKittens” uses Powershell Empire. Incidentally, I found this example via

    @MITREattack

    . https://clearskysec.com/tulip/



    https://twitter.com/michael_yip/status/1209151868036886528 

    One can innovate without sharing with the adversary no? It’s literally how the defense industry work or am I missing something?

     

    https://twitter.com/michael_yip/status/1209247219796398083 

    … “Are we really justifying lowering the R&D cost of the adversary is the only way to attract talent to the defensive side. Not to mention - no one is saying developing OST is wrong. It’s the way they're being shared that’s problematic”  

     

    https://twitter.com/2sec4u/status/1209169724799623169?s=20 

    The whole idea is that actors can't just git clone an advanced post exploitation framework which bypasses 95% of organisations defences. It should cost actors time & money to bypass these defences but because red team keep releasing new stuff with bypasses... the cycle continues.

    Comments in Support of initial argument

    https://twitter.com/IISResetMe/status/1209180945011621889?s=20 

    I really _want_ to agree. ... but I also work in an org with million dollar budgets, a dozen full-time detection engineers and analysts and an army of devs and sysadmins, and even we are having a hard time keeping up - how does this arms race "help" non-F500 orgs?

    (later discussion does mention that he has a hard time seeing it as net negative) https://twitter.com/IISResetMe/status/1209183774182907904?s=20 

     

    https://twitter.com/cnoanalysis/status/1209169633460150272?s=20 

    “If we don’t create the offensive tools then the bad guys will!” That is a terrible argument for OST release. “We might as well do something that harms because someone else will do that eventually anyway...” there are so many logical fallacies I don’t have enough space

    Rebuttals

    https://twitter.com/r3dQu1nn/status/1209207550731677697 

    Limiting yourself by not exposing more tooling to defenders is NOT how to improve security. Yikes. The more exposure you provide defenders gives you more detection's/IOC's you can build to help defend against APT's. That's the whole point of Proactive security.

     

    https://twitter.com/bettersafetynet/status/1209138002473160707

    It's vital that we continue to sharpen our swords. The commoditization of attacker techniques allows better defense against what adversaries are doing.

     

    https://twitter.com/dragosr/status/1209213064446279680 

    And this whole discussion ignores a simple fact that released information is way better than exploits passed around quietly or kept in stockpile caches regardless of anyone’s metric of responsibility (which is a debatable, very hypothetical line of what’s acceptable or not).

     

    https://twitter.com/bettersafetynet/status/1209139099979923457

    The very fact that you and others who are taking this side are trying to cajole and brow beat to this position shows how weak your argument is. MITRE ATT&CK took off like gang-busters not because they had a better trolling game, but because it was a great idea implemented well.



    https://twitter.com/bettersafetynet/status/1209139578579275776 

    It's odd that those who advocate this position point out these reports while ignoring all the vendor patches, all the hardening guidelines, basically all the technical defensive work that ops teams do. Nobody's doubting attackers use these techniques, we doubt your conclusions.

     

    https://twitter.com/bettersafetynet/status/1209154592560353280 

    My stance is likely to tick off both sides here. I think there are times that limited release is good. But over and over, we've seen where vendors do not change until something is publicly released.

    It's odd that those who advocate this position point out these reports while ignoring all the vendor patches, all the hardening guidelines, basically all the technical defensive work that ops teams do. Nobody's doubting attackers use these techniques, we doubt your conclusions.

     

    https://twitter.com/r3dQu1nn/status/1209346356151631873

    Security is a service that can be improved with products. Having no security or limiting exposure to offensive tool sets increases the chances of a breach. Ethical hackers sole purpose is to help make Blue better. Which is why purple teams are a great resource for any company.

     

    https://twitter.com/ippsec/status/1209354476072689664?s=20 

    To the people upset by public red team tools. If you cant detect open source tools than what chance do you have at detecting private one off tools. It’s much easier to automate a battle against 100 duck sized horses than it is to face off against a single horse sized duck.

    Defender Classification of PowerShell Empire 3.0

    https://www.bc-security.org/post/the-empire-3-0-strikes-back

     

    Is there a way to protect against it?

     

    Where does this sit in the ATT&CK Matrix? 



    Features: 

     

    Enhanced Windows Evasion vs. Defender

    DPAPI support for “PSCredential” and “SecureString”

    AMSI bypasses

    JA3/S signature Randomization

    New Mimikatz version intergration

     

    Curveball test (CryptoAPI test scripts)

    Dave’s new Esport initiative (opens in February): https://twitter.com/HackingDave/status/1220150360779710464

     

    DERBYCON community updates

    Check out our Store on Teepub! https://brakesec.com/store

    Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

    #Brakesec Store!:https://www.teepublic.com/user/bdspodcast

    #Spotifyhttps://brakesec.com/spotifyBDS

    #Pandora: https://pandora.app.link/p9AvwdTpT3

    #RSShttps://brakesec.com/BrakesecRSS

    #Youtube Channel:  http://www.youtube.com/c/BDSPodcast

    #iTunes Store Link: https://brakesec.com/BDSiTunes

    #Google Play Store: https://brakesec.com/BDS-GooglePlay

    Our main site:  https://brakesec.com/bdswebsite

    #iHeartRadio App:  https://brakesec.com/iHeartBrakesec

    #SoundCloudhttps://brakesec.com/SoundcloudBrakesec

    Comments, Questions, Feedback: bds.podcast@gmail.com

    Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

    https://brakesec.com/BDSPatreon

    #Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

    #Player.FM : https://brakesec.com/BDS-PlayerFM

    #Stitcher Network: https://brakesec.com/BrakeSecStitcher

    #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

     

      15
      15
        0:00:00 / 0:00:00