Dailydave mailing list archives

Re: Adversary Simulation


From: Christos Kalkanis <chris () immunityinc com>
Date: Wed, 30 Nov 2016 10:44:42 -0500

Paul,

INNUENDO was created to be a framework, or a superset if you like,
of APT functionality that was common at the time but also visible on the
horizon. The most important design decision we made was to keep
the architecture flexible enough in order to both adapt to and subsume
emerging techniques used by nation states while dealing with uncertainty
and failures on the target end. This led us to fully adopt Python as
the core of INNUENDO [1].

In the years since, we've watched, with some satisfaction,
the domain shift towards the direction we had envisioned. From
Flame to Project Sauron and beyond, there is a trend towards
more flexibility and runtime dynamism including the use of languages
other than C. In short, the implants are getting more intelligent.

I think we have done a good job of matching and in many cases
exceeding the rate of change in this arena with features
such as:

+ An embedded debugger available from the get-go.

+ Implicit implant-to-implant routing, no configuration needed.

+ Peer-to-peer network for implant synchronization.

+ Ephemeral in-memory execution without artifacts.

+ In-process sniffer also exposed through Python and
  optional out-of-process usage. 

+ Bidirectional Outlook exfiltration channel.

+ Programmable channel-switching behavior.

+ An executor that can transparently manage and execute 3rd party
  Python code + its dependencies at runtime.

Some of these haven't been widely observed in the wild yet; I expect
to see them out in the open sooner rather than later.

Finally, I am not aware of any criminal elements using our framework,
but I'd say that the more sophisticated actors are certainly moving
in the same direction.

[1] http://infiltratecon.com/downloads/python_deflowered.pdf

Chris

On Tue, 29 Nov 2016 14:57:37 -0600, 
Paul Melson <pmelson () gmail com> wrote:
So are you aware of a criminal actor that uses Immunity's Innuendo in their
attacks? If not, then which adversary are you simulating?

The point to my obvious straw man is that if you really want to help your
clients up their game in detecting and responding to real threats, shouldn't
you study the actors that target their industry verticals and emulate their
operations using the same tools and tactics they are known to choose?



On Nov 29, 2016, at 9:26 AM, dave aitel <dave () immunityinc com> wrote:

So obviously everything a penetration testing company does is at some level
"Adversary Simulation". I like to call it "Focused Training" - because
penetration testing is more about education than anything else, but the WAY
you do that is by emulating and instrumenting some sort of adversarial
process.

Ok, that said, we have for the past year offered a special service called
Adversary Simulation by which we meant something quite specific. We go to
some big financial company, usually super under-dressed for the cold because
we live in Miami, and we install INNUENDO on a couple machines. Then we
exfiltrate a few terabytes of data over whatever protocols are working and
we work with the company to do a hardcore analysis of their detection
systems for that sort of thing.

That sounds simple. But in practice, every company at that size range has
multiple products trying to detect you, and they provide overlapping
coverage. Sometimes the Alerts are useful, and sometimes not. For example,
when you're doing DNS exfiltration, FireEye will alert on the weirdness of
the DNS packets. But it has no idea who the infected endpoint is, because
those DNS packets came from intermediary DNS servers! :)

With web-based analysis systems I worry more about false positives, and of
course, false negatives. Detecting beacons from malware but not from, say,
DropBox is a hard problem. In theory, products like StealthWatch work, but
in practice, that depends on the team.
Likewise, there are gaps in the market itself: Who is looking at all
outbound e-mail to find data exfiltration channels? And on the host, when
faced with a new product, all the protection systems we've seen have not
detected INNUENDO. Some of them detect injection, but you don't really need
to do that. What if there is too much chaos on a big company's desktop for
reputation-based protection systems to work?
-dave
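The DNS point Dave makes above (a sensor sees the odd queries, but they arrive from the recursive resolver, so it cannot say which endpoint is infected) comes down to where the check is run. The following is an added example, not code from this thread or from Immunity's INNUENDO: a toy long-and-high-entropy subdomain check run once over a resolver query log, which carries the client address, and once over the same queries as an upstream sensor would see them. The log format, hostnames, addresses and the hex payload chunks are all constructed for the example.

```python
"""
Added example, not code from the Dailydave thread or from Immunity's INNUENDO.
A resolver's own query log names the client; a sensor upstream of the resolver
sees every tunnelled query with the resolver as its source.  Running the same
check over both views shows what each can and cannot attribute.
All log lines, hostnames and addresses below are constructed.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed (hypothetical) resolver log line format:
#   <timestamp> client=<ip> qname=<name> qtype=<type>
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)")

RESOLVER_IP = "10.0.0.53"   # constructed: the site's recursive resolver


def shannon_entropy(s):
    """Bits per character: hex-encoded data approaches 4.0, hostnames sit well below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_qname(qname, zone_labels=2, min_len=40, min_entropy=3.5):
    """True when the labels left of the registrable zone look like an encoded
    payload (long and high-entropy), which is how DNS tunnels carry data out."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= zone_labels:
        return False
    payload = "".join(labels[:-zone_labels])
    return len(payload) >= min_len and shannon_entropy(payload) >= min_entropy


def detect(log_lines, min_hits=3):
    """Count suspicious queries per (client, zone) and report pairs at or above
    min_hits.  The client is whatever the log carries: the endpoint in a
    resolver log, the resolver itself in a sensor log taken upstream of it."""
    hits = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".")
        if suspicious_qname(qname):
            zone = ".".join(qname.split(".")[-2:])
            hits[(m.group("client"), zone)] += 1
    return {pair: n for pair, n in hits.items() if n >= min_hits}


def as_seen_upstream(log_lines, resolver_ip=RESOLVER_IP):
    """Rewrite the resolver log into what a sensor outside the resolver sees:
    every query now carries the resolver as its source address."""
    return [re.sub(r"client=\S+", f"client={resolver_ip}", line) for line in log_lines]


# Constructed sample: ordinary lookups from several hosts, plus one host
# (10.1.2.57) pushing hex-encoded chunks through subdomains of example.net.
# Each chunk is a permutation of the 16 hex digits, so the 64-char payload has
# exactly 4.0 bits/char of entropy.
_CHUNKS = ("3f9a0c7e1b5d2486", "c4e8a2f06b1d9375", "7b2d5f8a0e3c9146", "d0f3a9c6e2b58174")
_EXFIL = [
    f"{_CHUNKS[a]}{_CHUNKS[b]}.{_CHUNKS[c]}{_CHUNKS[d]}.example.net"
    for a, b, c, d in ((0, 1, 2, 3), (2, 3, 0, 1), (1, 3, 0, 2), (3, 0, 2, 1))
]
SAMPLE_LOG = [
    "2016-11-29T14:02:10Z client=10.1.2.11 qname=www.example.com qtype=A",
    "2016-11-29T14:02:11Z client=10.1.2.12 qname=outlook.office365.com qtype=A",
    f"2016-11-29T14:02:12Z client=10.1.2.57 qname={_EXFIL[0]} qtype=TXT",
    "2016-11-29T14:02:12Z client=10.1.2.13 qname=client-cdn.dropbox.com qtype=A",
    f"2016-11-29T14:02:13Z client=10.1.2.57 qname={_EXFIL[1]} qtype=TXT",
    "2016-11-29T14:02:14Z client=10.1.2.11 qname=mail.example.com qtype=MX",
    f"2016-11-29T14:02:14Z client=10.1.2.57 qname={_EXFIL[2]} qtype=TXT",
    f"2016-11-29T14:02:15Z client=10.1.2.57 qname={_EXFIL[3]} qtype=TXT",
    "2016-11-29T14:02:16Z client=10.1.2.14 qname=time.windows.com qtype=A",
]

if __name__ == "__main__":
    # Resolver log view names the endpoint; the upstream view only names the resolver.
    print("resolver log view:  ", detect(SAMPLE_LOG))
    print("upstream sensor view:", detect(as_seen_upstream(SAMPLE_LOG)))
```

The resolver view attributes the four tunnelled queries to 10.1.2.57; the upstream view attributes the same four to 10.0.0.53, which is exactly the alert Dave describes: correct about the traffic, silent about the host. Thresholds are deliberately crude; on a real network, CDN, anti-malware reputation lookups and similar services also issue long hash-like labels, so a production rule needs an allow-list of known zones and a per-client baseline before it is worth paging on.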





_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave