I'll be mostly focusing the next several months on MacOS malware and any new or innovative threats and defenses that come up. I'll also revisit an awesome friend and discuss how the threat-landscape prioritization has evolved over the past 18 months, so I'd better share this re-post now.
Since last spring when I set out to compare "red team" emulation platforms, and explore this notion of cyber "emulation" in general, I felt like there were not enough thanks given, as well as "shout-outs" to a small selection of the folks who's work have inspired me to continue learning every week.
As well since I worked on this topic, the community at large has even further embraced "emulation" including lots of great, new documentation up on the Atomic Red Team project sites, see for example, the wiki page at the Invoke-Atomic repository There are a series of short instructional videos on this YouTube channel. You can also find an in-depth 2 hour webcast here with 11 hands-on labs here.As well, on that page, Invoke-AtomicRedTeam installation and use instructions can be found on the index to the right (in the sidebar).
My original diary is online at https://redcanary.com/blog/comparing-red-team-platforms/, and below you'll find my extended thank you's and links:
References
In terms of preexisting work on the subject, PenTestIT https://pentestit.com/adversary-emulation-tools-list/] published a long list of paid and commercial adversary toolkits a couple years back.Erik van Buggenhout gave an enlightening talk on adversary emulation at take on adversarial emulation and the ATT&CK framework at Berlin’s annual Sans Pentest Hackfest [available at https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1563791194.pdf.]
Xena Olsen(@ch33r10 ) and Ben Goerz (@benGoerz) used a modified "MITRE framework" at the Sans Purple Team Summit [https://youtu.be/isYotlCFxf8?t=880] to demonstrate how many of the MITRE TTPs related to actual, in the wild malware.
There has been a wide variety of research which never has ceased over the years to blow my mind, and keep me interested in hunting for new threats... this "next level" work, is being carried out by people like Michal Zalewski [https://www.walmart.com/ip/Silence-on-the-Wire-A-Field-Guide-to-Passive-Reconnaissance-and-Indirect-Attacks/3137200 ], FX [https://twitter.com/41414141 ], the security researchers at the Ben-Gurion University Advanced Cyber Research lab [https://cyber.bgu.ac.il/advanced-cyber/ ], and many others—which directly and indirectly explores the reality that emulation will never keep up with the real adversarial landscape, so be ready.
Special thanks to Josh Abraham [https://twitter.com/Jabra ] for also reminding me of this, and also for helping me examine a lot of these adversary emulation tools.
Thanks
I've mentioned Carrie Roberts already in the article, and when sharing this [https://twitter.com/OrOneEqualsOne ] but thanks again Carrie for encouraging the community so much to support these projects, and I also have to shout out Josh Rickhard for re-introducing me to Atomic Red Team and discussing several of his research projects with me last year! Carrie’s also made the awesome wiki for Invoke-atomic and many of the key developments in the framework for this year. Another friend Laken Harrell, made many of the initial pull requests for getting Invoke Atomic Red Team working again for Linux and OSX, so also big thanks to Laken.Roberto Rodriguez was really helpful and provided direct feedback to me on Mordor. Be sure to check out Roberto & Jose’s community repo at https://github.com/hunters-forge/ and their slack group at https://launchpass.com/threathunting; see @HuntersForge for more information. Thanks also Tim MalcomVetter and Johannes Urlich & the Internet Storm Cast community, for keeping everyone excited about this topic and re-sharing the original diary.
Shout out also to everyone at Red Canary who’s supported Atomic Red Team since day one, and particularly Brian Donohue [https://twitter.com/TheBrianDonohue], Frank McClain, Michael Haag [https://twitter.com/M_haggis], and Tony Lambert [https://twitter.com/ForensicITGuy], in addition to the leadership of Red Canary, for doing so much for the community. Brian Donohue spent a lot of time working on this topic with me, so when you see him give him a high five (currently an elbow-five) and buy him a cup of tea from me!
You can find me online @cherokeejb_ in the Brakeing Down Security Podcast’s Slack community, and the Internet Storm Center, as well in in groups affiliated with the projects discussed here in this article, so feel free to reach out, especially with any new MacOS threats you discover. I research at cherokeejb.blogspot.com as time allows.
No comments:
Post a Comment