Can you guys hear me very well? Is there any kind of echo or background noise? Or is that just fine? Just give me a heart if it is okay. Okay, cool. Thank you. Once again, hello everyone. My name is Abhijith, and I am also known by the pseudonym ABX. I belong to DEF CON Group Trivandrum, aka DC0471. I'm very glad to be here today. It is a pleasure to be here. I really appreciated the keynote by Jason. That was really wonderful; that was a really impressive keynote. Along with me, I have a couple of team members from DEF CON Group Trivandrum today. We have my DEF CON Trivandrum teammates Aditya, C-Hedy, Taufi, Alex, Praveen, Vishnu and Plucky, along with Alex. We are all happy to be here. Once again, it is a privilege to be here in this village. Moving on to the next slide. Next slide, please. Give me a second, guys. Give me a second. Let me drop the mic here. One second. I'm really sorry, guys. I'm pretty new to this platform. Give me a second. Hey, Woldy, could you please help me with this mic? I just need to drop this mic and speak on the loudspeaker. Could anyone help me, please? Yes, you have to hold your left mouse button for a while, and you can just throw the mic away. Left shift key. The mouse button, right? That's how you do it. Cool. Okay, sorry again for the trouble, guys. I'm really new to this platform. Okay, once again, going back to the slide: we manage the DEF CON Group Trivandrum, which is in India. Our location is Trivandrum, which is a very small city in India. We started our DEF CON Group in January 2018. We have organized a couple of hacker meetups and conferences in the past, events with multiple tracks and CTFs. We have more than 15 organizing team members, who are hardcore team members. This is like a brotherhood for me and everyone in my group. We are also hosting a hacking podcast in the Malayalam language, which is our native language. You can see the URL there.
It is kind of interviewing local hackers and cybersecurity professionals. We also connect regularly. Before we move on, next slide, please. Here are some photos of some of our events. We had the opportunity to have a good set of speakers in our previous meetups. I think that is it about our DEF CON Group Trivandrum. I think we can go to the technical presentation now. Please move to the next slide. As you can see, the title of my talk would be Building an Internal Red Team for your organization. It is like building a practical red team within your organization. Next slide, please. As I have mentioned, my name is Abhijith, and I'm also known by the pseudonym ABX. I'm leading security operations in a global financial technology company. I'm also the former deputy manager for cybersecurity at Nissan Motors. Prior to that, I used to work for EY as a senior security analyst. I have nearly 10 years of experience in the security domain. I'm also the founder of a community called teamvillage.org, and now it is not associated with DEF CON villages. Like I mentioned earlier, I'm also the lead of the DEF CON Trivandrum community. Recently, I started running a blog called tacticaladvice.io, which is a blog dedicated to adversarial simulation and red team tactics. It is still a work in progress. I'm still working on it, just to get things started. Moving to the next slide, let's make some things clear first. I don't really want to do an intro about vulnerability assessment, pentesting, or red teaming. But I just want to make some statements before we go further into the slides. Moving on to the next slide, this is just a statement. I think you can see the slide, yeah. This is just a statement. Vulnerability assessment is not red teaming. Also, vulnerability assessment is not penetration testing either. So we all know what vulnerability assessment is.
It is about targeting a system, an application, or a network just to identify the list of vulnerabilities: what are the known weaknesses in that system, list them down along with the remediation plan, and hand it over to the appropriate teams so that they can get it fixed. So that is called vulnerability assessment. It is not red teaming. I will go to the next slide. Again, penetration testing. It is also not red teaming. But pentesting, on the other hand, compared to VA, is more focused towards the goal. Maybe, could you please go to the next slide? Oh, okay, this is fine. Maybe we are targeting an application or infrastructure, and our only goal would be compromising that system and getting into it. The pentesting report also reflects the same rather than listing all vulnerabilities. We are facing a problem now, right? Nowadays we cannot differentiate between vulnerability assessment and pentesting reports. A pentesting report may list all vulnerabilities in the target system instead of the exploitation and how the attacker got into the system. For my day job, I used to see external pentesting reports with SSL issues only. Just imagine that, just think about it. I used to see penetration testing reports from external vendors which are having SSL issues in a pentesting report. That is really great. It is kind of confusing now. If anyone here is also feeling the same, just let me know. The confusion between vulnerability assessment and pentesting, we are seeing it in our day-to-day life. These vendors, these professionals, they are giving us the VA and pentesting reports. It's kind of very confusing. We're not blaming anyone here. I am getting muted sometimes, I don't know why. Okay, as the last statement, I also want to mention that pentesting is not red teaming.
I'll come to this point later in the presentation. Can we go to the next slide? Okay. So most of us know the meaning of red team, or what a red team is, right? We have a cool definition from redteams.net here. Historically, red teaming originates from military times, where it would be imitating the role of adversaries. They will try to mimic the attacks against the military bases. That is the explanation of red teaming. Could you please go to the next slide? We have a much simpler explanation here. This is a much simpler and easy-to-use explanation. I picked it up from redteams.net as well. A red team is a group of highly skilled people that continuously challenge the plans, defensive measures and security concepts. That is pretty clear, right? This is actually called adversarial attack simulation. That is what we are doing nowadays. I will come to the next slide. Is it the next slide yet? Yes, it is. Let me talk about confusion here. Usually, I have seen these comments with the sales people and usually the security services executives. I'm not mocking anyone here. It is also very sad that many people are seeing red teams as penetration testers. They'll be saying, I am a part of an internal red team. I will ask, what are you doing then? I'm doing penetration testing, doing web application penetration testing, and maybe doing application security. But I am a part of an internal red team. It is kind of confusing. It is also very sad that these people are seeing red teams as penetration testers. To explain the actual job, along with the red team professional title, many security folks are nowadays using the term adversary simulation as well. I have recently seen a couple of similar job titles on LinkedIn.
In short, rather than mentioning red team professional, they are listing their profile as an adversarial attack simulation professional, or applying for an adversarial attack simulation role, something like that. It should be more clear, rather than using confusing terms. Next slide, please. Okay. So, everyone, how is this picture? Did you like this picture? Could you guys please give me hearts or claps if you like this picture? I'm not getting hearts from everyone, I think. Yeah, now I do. Actually, I really wanted to show off this picture, the perfect symphony between the attackers and the defenders. It was created based on the native Kerala martial art, which is called Kalaripayattu. That is the traditional martial art form of our native place. So, based on that, we created this picture. It was designed for a CTF competition at a conference called c0c0n, which is one of the biggest cybersecurity conferences in India. So I really wanted to show you guys this picture. I think you guys really liked it, right? The actual symphony between red teams and blue teams, based on our native martial art form. That is kind of a show-off. Thank you. Moving on to the next slide. So most of the things mentioned here are from my own experience and from the awesome contributors of the security community. Most companies already have their own application security and internal pentesting teams. So what if they want to move to more mature attack simulation activities? They are doing fine with AppSec and internal pentests, but they also want to move into a more mature attack simulation team. So I really think this talk would be helpful for such people, who want to build an offensive internal team for adversarial attack simulation. We are targeting that kind of audience here, I mean, the target audience. Next slide, please.
Okay, I think you can see this picture. So we have created this diagram for IRTO, the internal red team operations framework. It is still a work in progress. We are still working on this. We have split the internal red team operations framework into five different phases. Each phase will be having its own models and its own concepts. So based on that, we can start from scratch and get into more mature internal red teams, or we can go and do each of these phases individually. Next slide, please. So this is the very first phase of IRTO, which is internal red team operations. It's like building from scratch: we need to get our budget approved. We really need to define the practical goals and objectives. For the objectives, you should ask yourself, why are we creating this team? What is the need for an internal red team in my organization? There should be a hard one. Each organization has its own different set of crown jewels. It is their sensitive data or assets, the crown jewels of our organization. Not only crown jewels, also people. It is always about the critical assets or critical people within an organization. For example, if there is a company which is doing manufacturing, for them it is their formulas, architecture and all this stuff; they have to keep it safe, right? So considering that, each organization has its own valuable assets, its own data set, its own data settings. So we need to identify the crown jewels of our organization. Then we need to create rules of engagement, and we need to get assistance from the management and legal departments. And more importantly, before moving forward, we need to understand the security posture of our organization.
What are the security countermeasures, or what are the security implementations which are there in an organization? That is very essential to understand before moving forward with this. And, like I mentioned, identify the crown jewels and people. There is one more thing. People are always important. For example, you know that there are many high-level executives out there, high-level management people out there. They are always vulnerable to phishing attacks. I will tell you why. Usually, being technical people, we don't have the urge to open our email all the time, right? But being a business consultant or a business executive, they always have the urge to open and respond to their emails. So they will always fall for a targeted phishing campaign. That is kind of the key thing here. So along with the sensitive data, we also need to identify who are the key people in my organization. What if someone has compromised their personal account? What will happen to the organization? So this kind of thing is going to build the red team. Moving on to the next slide. Next slide is here, right? Okay. How many of you know this? Should we start there? Only two of you guys know about this A-Team. Three, four, okay. So recently, in 2010 or 2012, there was a movie starring Bradley Cooper. Okay. So the A-Team, the team and skill set. For example, just consider the A-Team; this is how a team should be. The team must be diverse. It is not a one-man job. They'll have to work together as a team or work solo sometimes. Also, they'll have to work under an excessive amount of pressure. They should be able to handle that pressure. It is really important.
For example, we know Colonel Hannibal, right? He's also the leader of the A-Team. And sometimes he's a solo player. And the A-Team, they are strong individually and stronger as a team. That is an important thing to have. You need to handle things personally, you need to handle things alone, and you need to handle things as a team. That should be a skill set. So the team should also contain non-technical people. We talked about technical people, right? We talked about how, to build a red team, we need highly technical people in different areas of attack simulation and offensive security operations. But along with that, the team should also contain non-technical people. So how many of you here have created a phishing campaign against any kind of organization, personally? Please give me some hearts. How many of you have hosted a phishing campaign? Yeah, I am seeing a couple of hearts there. So let me ask you a question. Usually, is it the technical guys in your team, or the very people-oriented and friendly guys, who are writing the phishing emails? The technical guy? Or the more friendly, HR-like persons? Who is creating the phishing mails for you? Guys, if it is you, then you can give me a heart. Otherwise, you can just give me a palm or something. I'm not seeing anything. Okay, I can see a couple of guys. They're saying that they do write their own phishing campaign emails. So I will tell you something. Just imagine a hardcore technical guy is writing a phishing email to someone like a business executive. For example, if I am writing a phishing email, it will be more technical. There will be technical jargon and there will be a lot of technical weight. We don't want that, right?
So if there is a non-technical guy or a business guy or a human resources person in our team, we can ask them to write the phishing email for us. Meaning, they can connect with people better compared to the technical guys. They are more friendly guys, right? They are more into human resources and they can connect with other people particularly easily. They speak a different language. So it is always better to have non-technical people in our offensive team. It always helps. Could you please go to the next slide? Yeah, we have the next slide. So this is phase two of IRTO, internal red team operations. A couple of points here, or a couple of steps. External infrastructure: it is always essential to mimic an adversary's actions. So we need to build an external red team infrastructure. For the beginning, start with open-source C2 tools, implants, frameworks and other tools. We can modify them based on your requirements. Also, always be friends... okay, the third point, identifying the business-specific risk. Being in an internal red team is all about your organization and your organization's security posture, deployed defense mechanisms, et cetera. So it is a key point to identify the business-specific risk. It can vary based on the businesses and based on the organizations. And the fourth point, always be friends with the organization's blue team. If you have a blue team in your company, be friends with them. Just try to understand what they are doing in their daily lives, what are the tools and techniques they're using for detecting the attacks. It is always good to be in a good relationship with your company's cyber defense system or cyber defense team. All of your offensive activities are there to make the blue team much stronger, right?
So it is very essential to have a good relationship with your cyber defense team. Okay, also, don't take it personally. I just asked you to be friends with your organization's blue team. Once I tried to be friends with an organization's blue teamer and in the end, she became my girlfriend. That's a long story. So don't try so hard; just formally be friends with the blue team of your organization. Don't take it personally, just personal advice. Okay, moving on to the next slide, phase three. Could you please go to the phase three slide? Okay, phase three. Actually, this is where we begin to walk in our plan. Phase three is where we start walking. So we can use improved tools, techniques and procedures. And we know about the current security mechanisms, right? We talked about current security mechanisms in phase one and phase two. For example, the need for using improved TTPs. What if your organization is not allowing PowerShell or any other scripts? That is where we need to improve our TTPs, right? Initially, we identified that the current organization does not allow PowerShell scripts or any other scripts: WScript, CScript, anything. They're not allowing anything. So in that case, we need to make some changes in our techniques and improvise. We should find the next feasible option. For example, in this case, we can try running unmanaged PowerShell. Maybe the defense systems are not considering unmanaged PowerShell executables as malicious. So sometimes we can bypass the defense mechanisms there. And, okay. From phase one and two, we had identified the crown jewels and people. And the vulnerable path needs to be fixed: the vulnerable path which can lead the crown jewels into a breach.
Also the next point, evaluation of the incident response process. This is also important. What is your organization's process? Once it's been compromised, how much time will it take to detect the incident and respond to it? That is also very much important. And using the output of the previous phases, we could really improvise and make new RTO process documentation. There is a final point: we can learn from the previous phases, what we have learned from the previous phases. We can improvise from that and we can create a new operations manual or new operations process to move further. So that is phase three, the end of phase three. Moving on to the next slide, IRTO phase four. We have phase four here. For example, collaborative and continuous purple team exercises. Whatever tasks are being done by the red team, the end goal should be empowering the blue team, right? So it's always better to organize collaborative and continuous purple team exercises. Just join forces with the red teams and blue teams. Also bring in more tooling capabilities. Many interesting platforms and tools are there; we should empower the red teams and blue teams. Also, you can perform targeted and very specific campaigns against the crown jewels and key people, for example, business executives. Okay, you guys can see my screen, right? You guys can still see the screen, right? Could you please give me some hearts if you can see the screen? I mean, the slides. Okay, awesome. Moving on to the next point, overt physical security assessment. We know that physical security assessments are a very big part of red teaming activities. So in phase three, phase four, we can start our physical security assessment. We can identify the most important data centers, manufacturing plants, processing centers, or anything based on your company's business.
It may be different; there may be a different set of goals based on your company's portfolio. So regarding the overt security assessment, you could just go to the premises, walk around the premises with the person in charge, and perform your review in front of the reviewer as well. So you're not breaking into anything. This is just an overt physical security assessment. You are just going to the client site and you are just walking around. You are just trying to find as many physical vulnerabilities as possible there and report them. It is as simple as that. As an example, you can refer to the work of Deviant Ollam on YouTube. He's a legend. He's the very best guy out there regarding physical security assessments. He's really awesome. Also, a continuous awareness program for employees and key people. For example, after you've done a couple of phishing campaigns, spear phishing campaigns, you did some bad USB drops and everything. From that, we need to create a set of training series and we need to perform a continuous awareness and training program for employees and the top management so that they can protect themselves from the future attacks of real adversaries. That is really important. Also, an operational tip: when you go for an overt physical security assessment, do not show up there with military apparel or a tactical bag along with a laptop which is full of hacking stickers. If you are going like this to the client site, that raises a lot of eyebrows and that is going to be really funny. People will be looking at you all the time. Who is this guy wearing this tactical backpack and carrying a laptop full of stickers? So that's kind of a very attention-attracting thing, right? So do not do that. Whether you're doing a covert assessment or an overt assessment, it's pretty important.
Going to the next slide, phase five, which is time to fly. Okay. So this is the final phase of the IRTO framework. By the time we reach phase five, we'll be having mature red team operations capabilities. It is the time to grow some wings and fly away, right? Not from the organization, but capability-wise, the red team flies away. This is the phase where we have mature red team operations capabilities. Now, the main important thing would be, by this time, you should have a significant improvement of organizational security posture, because we have passed four different phases, right? We did many things from phase one. So by the time we reach phase five, it is very important to have significant improvement of organizational security posture. That is the clear proof of having a powerful and practical internal red team. It is important for both systems and the key people. So you can also start covert physical security assessment, instead of overt: you could just go to client sites without telling them you are an internal employee. You could do the assessment. That would be very much fun. So also, by the time we reach phase five, we'll have highly skilled operators and we'll be having the capability to create custom scripts and custom attack patterns. That is very important. That is a very interesting capability to have. So also, continuous adversary simulation to keep the defenders on their toes. By the time we reach phase five, we attain many things, right? And one of the main things would be having continuous adversary simulation, just to make sure that everything is going very well with the organization. Finally, continuous red team operations with a well-defined process.
As an end result, we also will be having a well-defined process to carry this task forward; just repeat the process, make this a cycle. Continuous red team operation will be the actual result of reaching phase five. That is really important. So we can assume that by the time we reach phase five, there will be a lot of significant changes within our internal security posture. That is pretty important, to have such a huge change. Moving on to the next slide. So the five phases which I have shown you are really customized, or customizable. You can change that to your own needs and you can add your own points. Even if you think that some of the points are misaligned in different phases, you can just modify the steps and make it your own. That is pretty simple. And coming back to the strategic and tactical plans, you can see there is a strategic plan, which is a total sum of a couple of tactical plans, right? So the strategic plans are focusing on long-term objectives, whereas the tactical plan focuses on short-term engagements. So you can derive a couple of tactical plans and chain them together, just to reach the highest goal. For example, you are creating a strategic plan for one year. So you can split that into three. So each tactical plan has four months to attain a certain goal. For example, earlier we mentioned we need to identify the critical assets, key people and crown jewels, right? So for tactical plan one, you can take that as an objective and you can start identifying the critical assets and people. Then you can try to perform adversarial simulation against those assets and people, just to identify, are they vulnerable to phishing campaigns? What are the results? And we got a couple of credentials from these people.
What are the privileges for these credentials? So by the end of tactical plan one, you'll have a clear set of reports for your very first objective. Like that, we can chain a couple of tactical plans to have a very long-term objective. That is the end goal of creating this IRTO platform. You can create your own plans, both tactical and strategic. Our end goal should be attaining the long-term objective. Okay, cool. Could you go to the next slide, please? Okay, this is the final slide. If you guys have any questions related to the red team phases and maturity models, please feel free to ask me. If you have any questions, you could just send some hearts and you can start talking. Anyone? Okay. Okay, so all those who have questions, please give some heart reacts so that I can unmute you all. Actually, I cannot hear you. Yeah, I can see, and... just a second, ABX. Could you please come near me? I can't hear you. Just a second, ABX, just give it to me. Can you hear me? Yeah, tell me. All right. So do you model your adversarial campaigns off of APTs? Could you please come again? Do you model your adversarial campaigns off of APTs? Yeah, APT emulation, right? Yes. Yes. Yeah, because I think I stated it in one of my previous slides, that is in phase two, I think. Okay. This adversarial emulation. So, as a beginning, in phase two, you can start doing emulation using Atomic Red Team or CALDERA. Also, you can use the MITRE ATT&CK framework. There are a couple of APTs listed in there. You can check those APTs and start collecting their commands, and you can execute them in your test environment. So the end result would be, you can understand the detection capabilities of your blue team. That is really cool. MITRE is doing a wonderful job collecting all these emulation and simulation plans. Okay, cool.
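The phase three and phase four points above (how long the organization takes to detect an incident, and purple team exercises that empower the blue team) and the Q&A answer about running ATT&CK-mapped emulation in a test environment to understand the blue team's detection capabilities come down to one measurement: which executed techniques produced an alert, and how quickly. The following Python block is an added example written for this transcript; it is not code from the speaker, from Atomic Red Team, CALDERA or MITRE. The emulation-run records, the pipe-delimited SIEM alert export format, the timestamps and the one-hour detection window are all constructed assumptions for illustration; only the ATT&CK technique IDs are real.

```python
"""Purple-team scorecard: join emulation-run records with SIEM alerts.

Given a list of techniques executed during an emulation and an export of the
alerts the blue team's SIEM raised, report per-technique detection, time to
detect, overall coverage and the detection gaps to hand to the blue team.
All sample data below is constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed emulation log: (ATT&CK technique id, name, executed_at in UTC).
EMULATION_RUNS: List[Tuple[str, str, str]] = [
    ("T1059.001", "PowerShell", "2023-05-10T09:00:00"),
    ("T1003.001", "LSASS Memory", "2023-05-10T09:05:00"),
    ("T1566.001", "Spearphishing Attachment", "2023-05-10T09:10:00"),
    ("T1021.002", "SMB/Windows Admin Shares", "2023-05-10T09:15:00"),
]

# Constructed SIEM alert export (hypothetical format): time | rule | technique.
# The last two alerts fire outside the window around the T1021.002 run: one far
# too late, one before the run even happened (an unrelated earlier trigger).
SIEM_ALERTS = """\
2023-05-10T09:00:42 | Suspicious PowerShell invocation | T1059.001
2023-05-10T09:31:10 | Credential dump tool detected    | T1003.001
2023-05-10T11:00:00 | Lateral movement via admin share | T1021.002
2023-05-10T08:30:00 | Lateral movement via admin share | T1021.002
"""


@dataclass
class TechniqueResult:
    technique_id: str
    name: str
    detected: bool
    time_to_detect_s: Optional[float]  # seconds from execution to first alert


def parse_alerts(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse the pipe-delimited export into (alert_time, rule_name, technique_id)."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rule, tech = (part.strip() for part in line.split("|"))
        alerts.append((datetime.fromisoformat(ts), rule, tech))
    return alerts


def score_runs(runs, alerts, window: timedelta = timedelta(hours=1)) -> List[TechniqueResult]:
    """Mark a run detected if an alert for the same technique fires after the
    execution time and within the window; time to detect uses the first such alert."""
    results = []
    for tech, name, executed in runs:
        executed_at = datetime.fromisoformat(executed)
        hits = [
            alert_time
            for alert_time, _rule, alert_tech in alerts
            if alert_tech == tech and executed_at <= alert_time <= executed_at + window
        ]
        if hits:
            ttd = (min(hits) - executed_at).total_seconds()
            results.append(TechniqueResult(tech, name, True, ttd))
        else:
            results.append(TechniqueResult(tech, name, False, None))
    return results


def summarize(results: List[TechniqueResult]) -> dict:
    """Coverage fraction, mean time to detect over detected runs, and the gap list."""
    detected = [r for r in results if r.detected]
    coverage = len(detected) / len(results) if results else 0.0
    mttd = sum(r.time_to_detect_s for r in detected) / len(detected) if detected else None
    gaps = [r.technique_id for r in results if not r.detected]
    return {"coverage": coverage, "mean_time_to_detect_s": mttd, "gaps": gaps}


def main() -> None:
    results = score_runs(EMULATION_RUNS, parse_alerts(SIEM_ALERTS))
    for r in results:
        status = f"detected in {r.time_to_detect_s:.0f}s" if r.detected else "NOT detected"
        print(f"{r.technique_id:10} {r.name:28} {status}")
    print(summarize(results))


if __name__ == "__main__":
    main()
```

Run on the constructed data, the scorecard marks the PowerShell and LSASS runs as detected, flags the spearphishing run (no alert at all) and the admin-share run (alerts only outside the window) as gaps, and reports 50% coverage. The window matters: counting the 11:00 alert as a detection of a 09:15 action would hide exactly the slow-response problem the incident response evaluation is meant to surface, so the threshold should be chosen together with the blue team.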
Thank you. Cool, thank you. So you could always reach me on... is anyone asking any questions? Could you please raise your hands or give me some hearts? I'll come near you. Could you throw some hearts? I'll come to you. Okay. So if there are no questions, you can always reach me on Discord. It is ABX, four seven four. Also, you can reach me on my Twitter account, which is abhijithbr. And could you guys please move to the next slide? Next slide, please. Okay. And yeah, thank you everyone. Thank you for being here. Thank you for attending my talk. Thanks a lot everyone for being in the virtual village hosted by DEF CON Groups. Thanks a lot. Also, I would like to thank Jason E. Street and DEF CON Groups for giving me this opportunity to stand here and give this presentation. Also, I would like to thank TX and his fabulous DEF CON Group Delhi. Also, the DEF CON Group Trivandrum members. Thank you, thank you everyone.