Professional Documents
Culture Documents
Responding To Advanced Adversaries, Anurag Khanna
Responding To Advanced Adversaries, Anurag Khanna
Adversaries
Anurag Khanna
1
@khannaanurag | SANS Blue Team Summit 2022
Anurag Khanna - @khannaanurag
* The views presented here are my own and may or may not be similar to those of the organization I work or worked for.
2
@khannaanurag | SANS Blue Team Summit 2022
What will we talk about today?
Takeaway: Understand a targeted attack and talk through response to such attacks.
3
@khannaanurag | SANS Blue Team Summit 2022
Who are these adversaries?
4
@khannaanurag | SANS Blue Team Summit 2022
Anatomy of Advanced Adversary
Perform Reconnaissance & Deploy Persistence & Maintain Continued Access &
Gain Access Maintain Access Perform
Action-on-Objectives
5
@khannaanurag | SANS Blue Team Summit 2022
Anatomy of Advanced Adversary
Perform Reconnaissance & Deploy Persistence & Maintain Continued Access &
Gain Access Maintain Access Perform
Action-on-Objectives
6
@khannaanurag | SANS Blue Team Summit 2022
Cyber espionage
7 Action on Objectives
Disruptive/Destructive Attacks
8 Action on Objectives
Crypto Heist
9 Action on Objectives
Anatomy of Advanced Adversary
Perform Reconnaissance & Deploy Persistence & Maintain Continued Access &
Gain Access Maintain Access Perform
Action-on-Objectives
10 10
@khannaanurag | SANS Blue Team Summit 2022
Covert Persistence - You do not see me!
- Deeply embedded access
- Persistent methods to maintain long
term covert access
- Backdoors and Implants
- Valid Credentials connecting over VPN
- Out of Band management software
- AnyDesk, TeamViewer, ConnectWise
- Stealthier approaches, GoldenSAML,
Golden Ticket, ESXI based persistence
11 Maintain Access
Web Shells
12 Maintain Access
I come from No-Where- Reverse Proxy Tooling
13 Maintain Access
Credential Theft – dumping LSASS
Task Manager
C:\Tools>procdump -ma lsass.exe C:\tools\lsass.dmp
….
[04:02:26] Dump 1 initiated: C:\tools\lsass1.dmp
[04:02:26] Dump 1 writing: Estimated dump file size is 43 MB.
[04:02:26] Dump 1 complete: 43 MB written in 0.1 seconds
[04:02:26] Dump count reached.
SysInternals Procdump
C:\Tools>createdump -u -f lsass.dmp -d 640
Writing full dump to file lsass.dmp
Dump successfully written
14 Dotnet Createdump Maintain Access
Credential Theft - Keys to the Kingdom – Dumping NTDS.DIT
15 Maintain Access
Anatomy of Advanced Adversary
Perform Reconnaissance & Deploy Persistence & Maintain Continued Access &
Gain Access Maintain Access Perform
Action-on-Objectives
16
@khannaanurag | SANS Blue Team Summit 2022
Reconnaissance and Information Gathering
17 Gain Access
Knock- Knock - Initial Vector
18 Gain Access
I know you were Vulnerable last summer!
19
MFA
20
Eradicating the threat actor access
21
Coordinated Remediation Event?
Whac-A-Mole Game-of-Chess
22
1,2,3 and poof!
23
Timing is the key!
Attack Knowledge
• Post understanding attacker TTPs
• Improvement of security Posture
• Incident scoped
Time
Incident Detected
24
Change All the Keys! – Enterprise-Wide Password Reset
25
Change All the Keys! – Enterprise-Wide Password Reset
26
What to do if you have an intruder ?
• Slow Down
• Fast is not Fast – Smooth is Fast!
• Stay Calm
• Create a Plan
• External support
• Improve visibility
• Create eradication plan
• Execute it
27
Take-Aways
28
Thanks for listening!
Anurag Khanna
@khannaanurag
www.linkedin.com/in/khannaanurag