Creative Red Teaming

Mandiant, A FireEye Company | July 22-25



Overview

As cyber security professionals and technologies continue to evolve and become better at prevention, detection, and remediation, attackers are forced to continually evolve their Tools, Tactics, and Procedures (TTPs) in order to remain effective. This is especially true with the most advanced attack groups operating that need to remain undetected for extended periods of time in order to effectively accomplish their mission. Mandiant is on the front lines investigating these types of breaches. This gives us unparalleled access to understand not only how advanced attackers operate and what TTPs they're leveraging, but also what attack methodologies are most effective across industries.

Standard red team classes teach students how to run vulnerability scans, Nmap, Metasploit and other commercial tools to obtain domain administrator access. This class covers the important open source tools required to perform a red team assessment, but more importantly, teaches you how to be creative and "live off the land" by using native tools to accomplish the same goals without getting caught. Getting domain admin is just par for the course, we go deeper into accomplishing objectives that prove big impact to clients. For example, if your client is a big retailer and you got access to their retail network where they store encrypted credit card numbers, we teach you how to go the extra mile and understand how applications encrypt that data. If an application can decrypt credit card numbers, we teach you how to analyze code to decrypt data as well. This not only proves you can get an initial vector, escalate privileges, bypass firewalls to get access to secure networks, but also weaknesses in how they encrypt their sensitive data…and that's just one example!

This intense four-day course is designed to teach advanced offensive techniques to provide you with the ultimate skillset to test your existing security controls. You will learn proven Mandiant Red Team methodologies that start with the successful TTPs we see used by advanced attackers and builds upon them to be even more effective and stealthy. You will even learn how to successfully complete your mission even if part of your team is caught. This course makes heavy use of labs so that you get to practice everything you learn in a realistic scenario. By learning how to implement and protect against effective TTPs you learn how to help your organization best prevent, detect, and respond to cyber threats.

Modules Included:
  • Overview and Introduction – Covers the basics required to proceed through the course.
  • OSINT, Initial Vectors, and Bypassing Anti-Virus (AV) – Learn how to identify your target, fingerprint your target, initially compromise your target, and how to bypass AV to avoid detection when executing your initial payloads.
  • Persistence – Covers older techniques and the latest techniques to persist your target. Does not just cover host based persistence, but also creative ways to persistence networks without a host and privileges.
  • Privilege Escalation and Lateral Movement – Tools and methodologies that take the lowest privileged user and escalate to high privilege user while covertly moving through your target network. Covers both local and domain privilege escalation.
  • Overcoming Challenges – Will teach you have to avoid and bypass various challenges such as application whitelisting, encryption, multi-factor authentication, sandboxes, and more.
  • Completing the Mission – learn how to covertly take data off the network in a secure fashion and moving pivoting through firewalls to take data off "secure" networks.
  • Project Management – Understand how to setup and manage projects, measuring risk, the reporting process, and rules of engagement.

Who Should Take this Course

This is a fast-paced technical course designed to provide hands-on experience conducting covert no-holds barred cyber-attack simulations to accomplish various objectives within in a corporate environment, similar to how an advanced adversary would perform. This course provides an opportunity to learn how real attackers conduct offensive operations, how we improve upon those operations, and to understand how to be creative with exiting technology to accomplish your goals. The content and pace is intended for students with a background in conducting penetration tests, security assessments, IT administration, and/or incident response.

Student Requirements

Students must have working knowledge of the Windows Operating system, file systems, registry and use of the Windows command line.

Students should have some experience with the following:
  • Active Directory and basic Windows security controls
  • Common network protocols
  • Linux Operating Systems
  • Scripting languages such as PowerShell, Python, or Perl
  • Assessing web applications using the OWASP top 10

What Students Should Bring

Laptop with a Kali Rolling virtual machine. Students must possess local administrator rights to their host OS and VMs and must be able to install software provided on a USB stick. Students must also have an Ethernet port, for laptops that don't have one, please bring an adapter.

What Students Will Be Provided With

The course will provide the students with:
  • Class handouts and slides
  • A vulnerable virtual machine for some labs
  • Thumb drive containing class materials, labs, and tools
  • FireEye/Mandiant gear

Trainers

Evan Peña is a Principal Consultant and Red Team Functional Lead for Mandiant, the Professional Services Division of FireEye. Mr. Peña has years of experience in enterprise information technology administration, employing covert penetration testing to evaluate incident response procedures, and assessing enterprise network defense capabilities from the perspective of an attacker. Mr. Peña leads the Mandiant Red Team for the west coast region and has conducted and led covert red team operations for several fortune 500 corporations in a diverse group of industries including retail, financial sector, health care, legal, and energy. In addition, Mr. Peña has software development abilities that enable him to quickly respond to a variety of problems that may arise with large amounts of data. With these capabilities, Mr. Peña has created cutting edge tools for Mandiant that enable his team to stream line tedious tasks in common methodology. Mr. Peña graduated from the University of Texas at San Antonio with his Bachelor of Business Administration in Infrastructure Assurance and Information Systems. While pursuing his undergraduate degree he was heavily involved in extracurricular activities in an association called "The Computer Security Association" (CSA). Through this association, he and his team were able to compete in many competitions such as the National Collegiate Cyber Defense Competition (CCDC), MITRE Capture the Flag (CTF) competition, and other CTF's that companies sponsored for colleges around the nation. Prior to joining MANDIANT, Mr. Peña was a member of the Marine Corps Information Assurance Red Team (MCIART) where he was responsible for conducting network and web-based application penetration tests, physical security assessments, logical security audits, and hands-on technical security evaluations. These evaluations were all conducted on the live enterprise production networks of all Marine Corp bases around the world. In addition, he was responsible for developing courses to teach the Marines web-based application penetration tests and wireless security assessments.

Chris King is a Senior Consultant within the Security Consulting Services division of Mandiant, A FireEye Company. Mr. King's specialties include performing Red Team assessments and comprehensive security reviews. He has extensive experience working in the retail, financial, and oil/gas industries. He has years of experience as a software developer and freelance security consultant. With his software development background, Mr. King is able to quickly automate processes to achieve objectives faster. Additionally, as a security consultant, Mr. King has done extensive penetration testing to evaluate vulnerabilities of clients as well as remediation assistance. Mr. King graduated from Southern Methodist University with his Masters of Science in Security Engineering, Bachelor of Science in Computer Science, and Bachelor of Science in Mathematics. During his time at Southern Methodist University, he immersed himself in activities including working as a research assistant in cloud security for the Chair of the Computer Science Security Department, guest lecturer of multiple undergraduate security computer science classes, and co-founder of Security Special Interest Group (SSIG). As the leader of SSIG and the Collegiate Cyber Defense Competition (CCDC) team, Mr. King led his group to compete and win in multiple CCDC competitions as well as other local Capture the Flag (CTF) competitions.

Christopher Truncer is a Senior Consultant within MANDIANT, the Professional Services Division, of FireEye. Mr. Truncer's specialty lies with performing red team assessments and penetration tests. Mr. Truncer's experience lies within a large number of industries, such as Federal and State government, critical infrastructure, and many locations within the private industry. Christopher Truncer also is a large contributor to Open Source Software, many of which are his own projects. Mr. Truncer has the ability to modify, or develop new tools which help carry out the tasks he needs for every assessment. Having the ability to create custom tools ad-hoc allows Mr. Truncer the flexibility to be successful in any environment that he operates in. Prior to joining MANDIANT, Mr. Truncer was a Red Team Lead where he directed all steps of red team assessments for web applications, network level tests, and social engineering engagements. Mr. Truncer is an active member of the security industry by participating in various capture the flag events and speaking at industry conferences.