
May Contain Hackers 2022

How to sneak past the Blue Team of your nightmares

Wout Debaenst

If the perfect Blue Team exists, does that mean the Red Team doesn’t stand a chance against it, or is there still a way to sneak their phish into the mailbox of their target? Well, in this talk we investigate how a Red Team could sneak past even the best Blue Team imaginable.
We analyse how a perfect Blue Team would detect malicious domains targeting their organization, how they would correlate these to other threat infrastructure to burn the whole campaign and how they would block a successful initial foothold in case they did not detect the phish campaign before its launch.
By assuming the perfect adversary, we discuss techniques and important OPSEC measures Red Teams need to use to get a successful and undetected initial foothold in their targeted organization.
Through practical demos and real-life examples, attendees will learn invaluable techniques and OPSEC measures to improve their Blue or Red Team tradecraft.

If the perfect Blue Team exists, does that mean the Red Team doesn’t stand a chance against it, or is there still a way to sneak their phish into the mailbox of their target? Well, in this talk we will investigate how a Red Team could sneak past the best Blue Team imaginable. By analyzing the techniques the perfect Blue Team would use, we define OPSEC measures and techniques to remain undetected and accomplish a successful initial foothold.

How would a perfect Blue Team detect malicious domains targeting their organization?
o BLUE: By dissecting patterns of adversaries and resulting OPSEC mistakes, we specify how domain and Certificate Transparency Log monitoring can unveil domains impersonating your organization.
o RED: We explain measures the Red Team can take to avoid being caught through domain and CTL monitoring by using wildcard SSL certificates and avoiding typosquatting.
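As a defender-side illustration of the Certificate Transparency monitoring described above (an added example, not material from the talk): a small Python scanner that flags CT log names resembling the organisation's domain. ORG_DOMAIN, CT_ENTRIES and the matching heuristics are constructed assumptions; the wildcard entry shows why a wildcard certificate exposes only the apex domain to the monitor, which is the evasion the RED point refers to.

```python
# Added example: flag Certificate Transparency (CT) log names that look like they impersonate
# an organisation's domain. ORG_DOMAIN and CT_ENTRIES are constructed placeholders, not real data.
ORG_DOMAIN = "examplecorp.com"
CT_ENTRIES = [  # shaped like a crt.sh-style export: common name plus SAN list
    {"common_name": "mail.examplecorp.com", "sans": ["mail.examplecorp.com"]},
    {"common_name": "examplecorp-login.com", "sans": ["www.examplecorp-login.com"]},
    {"common_name": "exarnplecorp.com", "sans": ["exarnplecorp.com"]},
    {"common_name": "*.examp1ecorp.com", "sans": ["*.examp1ecorp.com"]},  # wildcard: hostnames not logged
    {"common_name": "unrelated.org", "sans": ["unrelated.org"]},
]
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}  # look-alike sequences folded to the real glyph

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute), used for typo-squat detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(host):
    """Second-level label ('www.foo-bar.com' -> 'foo-bar'); naive, no public-suffix list."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(name, org_domain=ORG_DOMAIN):
    """Return why `name` looks like an impersonation of org_domain, or None if it does not."""
    host = name.lower().removeprefix("*.")  # a wildcard entry reveals only the apex domain
    if host == org_domain or host.endswith("." + org_domain):
        return None  # the organisation's own certificates are expected in CT
    brand, label = registrable_label(org_domain), registrable_label(host)
    if brand in label:
        return "brand label reused in another domain"
    folded = label
    for glyph, real in HOMOGLYPHS.items():
        folded = folded.replace(glyph, real)
    if folded == brand:
        return "homoglyph substitution"
    if levenshtein(label, brand) <= 2:
        return "edit distance <= 2 from brand"
    return None

def scan_ct_entries(entries, org_domain=ORG_DOMAIN):
    """Sorted (name, reason, is_wildcard) tuples for every CT name that looks like an impersonation."""
    names = {n for e in entries for n in [e["common_name"], *e["sans"]]}
    hits = [(n, classify(n, org_domain), n.startswith("*.")) for n in names]
    return sorted(h for h in hits if h[1])
```

Real monitoring would feed the same classifier from a CT log or crt.sh query and suppress hits for domains the organisation already owns; the public-suffix handling here is deliberately naive.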

How would a perfect Blue Team correlate detected malicious domains to related threat infrastructure?
o BLUE: Once a suspicious domain is identified, we can correlate this to other threat infrastructure using NetLoc intelligence techniques. Through correlation, Blue Teams can leverage OPSEC mistakes to uncover and potentially burn the whole campaign.
o RED: We explain measures the Red Team can take to avoid correlation between the components of their threat infrastructure, so that the detection of one domain does not lead to the whole threat infra being burned.

How would the perfect Blue Team attempt to block undetected phishing campaigns during their launch?
o BLUE: We analyze how reputational scoring based on IP, domain and mail server can block many phishing campaigns during the launch itself.
o RED: We explain how Red Teams can age and categorize their domains to pass IP/Domain/Mail based reputation detections.

What if a phishing mail sneaks by the Blue Team and lands in the inbox of one of their employees? Has the Red Team won? Not yet:
o BLUE: The perfect Blue Team has hardened employee endpoints to make successful exploitation after a click almost impossible. We discuss several defensive techniques for blocking a successful initial foothold through macro execution hardening, AppLocker, Exploit Guard and endpoint security solutions.
o RED: Assuming a fully hardened system, we discuss strategies that could bypass all of these hardening measures and have proven successful in past engagements.

We conclude with a summary of techniques both Blue and Red Teamers can use to perfect their tradecraft.