MCH2022 Curated content

How to sneak past the Blue Team of your nightmares

Battery 🔋
Wout Debaenst
If the perfect Blue Team exists, does that mean the Red Team doesn’t stand a chance against it, or is there still a way to sneak their phish into the mailbox of their target? In this talk we investigate how a Red Team could sneak past even the best Blue Team imaginable. We analyse how a perfect Blue Team would detect malicious domains targeting their organization, how they would correlate these to other threat infrastructure to burn the whole campaign, and how they would block a successful initial foothold in case they did not detect the phish campaign before its launch. By assuming the perfect adversary, we discuss techniques and important OPSEC measures Red Teams need to use to get a successful and undetected initial foothold in their targeted organization. Through practical demos and real-life examples, attendees will learn invaluable techniques and OPSEC measures to improve their Blue or Red Team tradecraft.
If the perfect Blue Team exists, does that mean the Red Team doesn’t stand a chance against it, or is there still a way to sneak their phish into the mailbox of their target? In this talk we will investigate how a Red Team could sneak past the best Blue Team imaginable. By analysing the techniques the perfect Blue Team would use, we define OPSEC measures and techniques to remain undetected and accomplish a successful initial foothold.

How would a perfect Blue Team detect malicious domains targeting their organization?
o BLUE: By dissecting patterns of adversaries and the OPSEC mistakes they result in, we specify how domain and Certificate Transparency Log (CTL) monitoring can unveil domains impersonating your organization.
o RED: We explain measures the Red Team can take to avoid being caught through domain and CTL monitoring, by using wildcard SSL certificates and avoiding typosquatting.

How would a perfect Blue Team correlate detected malicious domains to related threat infrastructure?
o BLUE: Once a suspicious domain is identified, we can correlate it to other threat infrastructure using NetLoc intelligence techniques. Through correlation, Blue Teams can leverage OPSEC mistakes to uncover and potentially burn the whole campaign.
o RED: We explain measures the Red Team can take to prevent correlation between the parts of their threat infrastructure, so that the detection of one domain does not lead to the whole threat infra being burned.

How would the perfect Blue Team attempt to block undetected phishing campaigns during their launch?
o BLUE: We analyze how reputational scoring based on IP, domain and mail server can block many phishing campaigns during the launch itself.
o RED: We explain how Red Teams can age and categorize their domains to pass IP-, domain- and mail-based reputation detections.

What if a phishing mail sneaks past the Blue Team and lands in the inbox of one of their employees: has the Red Team won? Not yet.
o BLUE: The perfect Blue Team has hardened employee endpoints to make successful exploitation after a click almost impossible. We discuss several defensive techniques for blocking a successful initial foothold through macro execution hardening, AppLocker, Exploit Guard and endpoint security solutions.
o RED: Assuming a fully hardened system, we discuss strategies that could bypass all of these hardening measures and have proven successful in past engagements.

We conclude with a summary of techniques both Blue and Red Teamers can use to perfect their tradecraft.
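The Blue-side CTL monitoring described above, as an added example that is not part of the talk or its slides: a small matcher run over new Certificate Transparency entries that flags registered domains resembling the organization's brand (omissions, transpositions, homoglyphs, brand keyword in the name) and records the blind spot the Red side exploits, namely that a wildcard certificate never reveals the leaf hostname. The brand label, the owned domains and the sample entries are constructed placeholders, and the eTLD+1 extraction is a simplifying assumption.

```python
# Added example, not from the talk: a minimal matcher a Blue Team could run over
# new CT log entries to spot domains impersonating the organization.
# ORG_LABEL / ORG_DOMAINS are constructed placeholders for a real brand.
ORG_LABEL = "acmebank"
ORG_DOMAINS = {"acmebank.com", "acmebank.net"}
HOMOGLYPHS = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "b": "8", "s": "5"}

def lookalike_labels(label):
    """Typosquat-style variants: single omissions, adjacent transpositions,
    and simple homoglyph substitutions of the brand label."""
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                            # omission
        if i + 1 < len(label):                                             # transposition
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        if label[i] in HOMOGLYPHS:                                         # homoglyph
            variants.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
    variants.discard(label)
    return variants

def registered_domain(name):
    """Naive eTLD+1: last two labels (assumption; use a public-suffix list in practice)."""
    return ".".join(name.lower().lstrip("*.").split(".")[-2:])

def classify_san(name):
    """Return (verdict, reason) for one Subject Alternative Name from a CT entry."""
    wildcard = name.startswith("*.")
    labels = name.lower().lstrip("*.").split(".")
    reg = registered_domain(name)
    if reg in ORG_DOMAINS:
        return ("ok", "org-owned domain")
    reg_label = labels[-2] if len(labels) >= 2 else labels[0]
    if reg_label in lookalike_labels(ORG_LABEL):
        return ("alert", f"lookalike registered domain {reg}")
    if ORG_LABEL in reg_label:
        return ("alert", f"brand keyword in registered domain {reg}")
    if any(ORG_LABEL in sub for sub in labels[:-2]):
        return ("alert", f"brand keyword in subdomain under {reg}")
    if wildcard:
        # Blind spot: a wildcard cert never shows the leaf hostname in CT, so a
        # brand keyword used only in the subdomain cannot be seen from the log.
        return ("ok", f"wildcard for {reg}; leaf hostnames not visible in CT")
    return ("ok", "no match")

def scan_ct_entries(entries):
    """Flatten CT entries (each a list of SANs) into (san, verdict, reason) rows."""
    return [(san, *classify_san(san)) for sans in entries for san in sans]
```

Feed `scan_ct_entries` with the SAN lists of newly logged certificates; the wildcard rows are the ones that need a different signal (NetLoc correlation, reputation), since the name alone cannot give one.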

Additional information

Type Talk
Language English
