Hello, I'm Phillip Wylie. Thanks to everyone for attending my talk, The Way of the Adversary: Threat Actor Philosophies and Mindsets. I appreciate this opportunity to present here this year. A little bit about myself: my name is Phillip Wylie. I have my CISSP, OSCP, and SANS GWAPT certifications. The one I'm most proud of is the OSCP. That was a tough process to study for and get certified; the exam was pretty tough, but I learned a lot. When I was getting started as a penetration tester, I'd moved over from application security, got laid off from my job, and went to work as a consultant doing pen testing. I'd run vulnerability scanners and worked in AppSec for several years, and in security, and worked as a sysadmin, but I needed to learn how to hack, so I went through the OSCP. That was a really great experience, so I'm very proud of getting that. It wasn't easy for me; I had to learn how to hack, and that was a really good way for me to learn. Career-wise, I'm an offensive cybersecurity professional and instructor. I have been in offensive security for a little over nine years of my 23-plus years in IT and cybersecurity, with a little over 17 years of dedicated cybersecurity experience. I'm an adjunct professor at Dallas College, where I teach ethical hacking and web app pen testing. I'm also the Pwn School Project founder. The Pwn School Project was created to give my students a way to further their education. Towards the end of the very first semester I taught, students were asking me, where do I go next? Where do I go to learn more about this subject? The college didn't offer anything more than the ethical hacking class at the time, so I decided to found the Pwn School Project. It started out mainly covering topics on offensive security, but Denton, Texas didn't have a security community, so our Denton meetings tend to be more than just offensive security.
We spread into other areas because the goal is to help people get started in security, or help people already in security advance their careers. I'm also the concept creator and co-author of The Pentester Blueprint: Starting a Career as an Ethical Hacker. This talk came out of a lecture that I used to give my class at the beginning of each semester. Some of the other professors at the college asked me to give the talk to their students. The first time I gave this presentation was in January 2018, when I was starting out teaching at Dallas College. Between January and November of that same year, 2018, it became a conference talk, and I gave it at several conferences. I was featured in the Tribe of Hackers Red Team book, and the publisher, Wiley Publishing, asked me if I'd be interested in writing a book myself. I thought for a while that The Pentester Blueprint would be a good book to write. A lot of other resources teach you how to be a pen tester and teach you pen testing, but no one was really telling you: this is what you need to learn before you start, and these are some good learning resources to learn pen testing. I'm also the host of The Hacker Factory podcast, and in the spirit of a lot of things I do, it's there to help people get started as pen testers. I have different guests on each episode telling how they got started in cybersecurity and pen testing and their tips on how to get started. So this is in the spirit of the other things I do, which is to try to help people get started. I'm also an Innocent Lives Foundation ambassador. The Innocent Lives Foundation helps unmask anonymous child predators. They work with volunteers that do OSINT to collect information that they turn over to law enforcement, to hopefully apprehend these people that are harassing children online, these predators. I'm also a Hacking Is Not a Crime advocate.
With that, we're trying to take back the true meaning of hacker, because the media has portrayed it as if we're all cyber criminals. The goal of that is to help the name of the hacker. When hacking started out, it was more about people that were actually coding and building things. Some of this came out of the MIT railroad club, where people were working with different technologies, and in general hackers have really been more makers, people that were able to enhance the capabilities of different products, software, and technology. That's kind of where the hacking term came about: they were able to hack it, or make it do things it wasn't supposed to do, and enhance the capabilities. Over the years the term came to be more about hacking into something, bypassing security controls, or finding bugs in systems, but the original term was based on development. If you look at hackathons, hackathons are programming competitions, so they aren't really anything about computer hacking. So Hacking Is Not a Crime is trying to bring awareness to the media and the public. As an ethical hacker, a penetration tester, an offensive security professional, over the years people have asked me what I do for a living, and it's easier to say ethical hacker than penetration tester, because people don't understand that term and it takes a little more interaction. When you say ethical hacker, the intent is to make it easier for them to understand, but I've had several people ask me, is there such a thing as an ethical hacker? So there's a lot of work that we need to do to help bring awareness and make up for what the media has done. So, The Way of the Adversary: Threat Actor Philosophies and Mindsets.
In most of your talks and most of your trainings that you go through in cybersecurity, especially offensive security, so many times we focus on the victims, the targets, the people we're testing, focusing on the psychology of those specific targets and sometimes overlooking the psychology and mindset of the adversaries. Understanding the psychology of the victims, the end users, and how to successfully social engineer them is very important, but I think to be a really good adversarial professional, or offensive security professional, you have to understand the psychology of who we're trying to emulate. So threat actor philosophy and psychology should be considered. War teaches us to know our adversaries. The same thing applies in martial arts, other combat sports, and sports in general: know your adversary, know your opponent. All teams will review videos of their opponents prior to the game to see how they work, and cybersecurity professionals are fighting a cyber war, so we must know our adversaries in that same way. I wanted to get into some of the philosophies. The Conscience of a Hacker, also known as the Hacker Manifesto, is a small essay written January 8, 1986 by a computer security hacker who went by the handle, or pseudonym, of The Mentor, a hacker named Loyd Blankenship. He belonged to the second generation of the hacker group Legion of Doom. It was written after the author's arrest and first published in the underground hacker e-zine Phrack, and can be found on many websites as well as on t-shirts and in films. Considered the cornerstone of hacker culture, the manifesto acts as a guideline to hackers across the globe, especially those new to the field.
It serves as an ethical foundation for hacking and asserts that there is a point to hacking that supersedes selfish desires to exploit or harm other people, and that technology should be used to expand our horizons and help keep the world free. This is a good reference for the philosophy of hackers, and this is more in the mindset of professional hackers, or ethical hackers, people that try to do this for good. When you get into some of the cyber criminals and hacktivists, they don't always take these things into consideration. Hacktivists sometimes don't want to injure people; maybe they're activists for climate change and the environment and they'll just want to do things like deface websites, things to get attention, not harm people. But then again there are other types of people that use these adversary techniques that don't keep this in mind, so this can vary with the type of hacker or adversary. And keep in mind, when we're talking about hacker, I'm referring to the skill set, because hacker and cyber criminal are not used interchangeably. It's just the tools and techniques that are shared. So the philosophies vary between different types of hackers. For example, some nation states and cyber criminals aren't concerned with the safety and well-being of their targets, which contradicts the Hacker Manifesto, in some cases with nation states during cyber wars. They're not concerned with the safety of people. Maybe the person doing the action is, but the people that they are working for don't know that.
So these philosophies vary. That's why it's really hard to define a philosophy: a criminal philosophy compared to just a hacker philosophy is going to be different, but there are going to be some things that are similar across all types of hackers, all types of people that hack. So, learning and practicing TTPs, also known as tactics, techniques, and procedures, helps develop the hacker mindset. The hacker mindset is developed by hands-on practice, so working in labs, working in bug bounties, and doing that same hands-on hacking is going to help build that mindset. That's one of the things: once you've worked as a penetration tester or done some sort of hacking, you kind of learn that you see things. For instance, back during my consulting days I was at an airport waiting for my luggage at the luggage center, and I saw a USB stick lying on the ground. The first thing that came to mind was, what malicious payload is on that USB stick? Because I know as an adversary emulator, a penetration tester, that a lot of times we deliver payloads that way, and so will adversaries, so will the bad guys. So when you see those things, you've just kind of learned, if you get that hacker mentality. You start to think like a hacker, and you see certain vulnerabilities on a system. You see an Apache web server, or you see Tomcat, and you know sometimes they're vulnerable to payload uploads, unrestricted uploads, or something like default credentials, so sometimes you're able to get a payload onto that system and maybe get access. So as you see those things, you develop those hacking skills and learn the different vulnerabilities and exploits.
You kind of learn to put those things together. When you see it, you think, okay, this is what I do next, and that's kind of a description of the hacker mindset. The hacker mindset is universal. It's not whether you use it for good or bad; it's the intent that is different. The understanding of how to get into things is universal. So, the different adversary types. We have hacktivists, state actors, cyber crime groups, insiders, scammers, and script kiddies. There can be more groups, and it can be broken down further. Your hacktivists are usually in this for a cause, some ideology. They could be people that are for the environment, and they may go after some companies, or energy companies, that are polluting the environment. They're doing it for a good cause; it's just taking activism a step further. One of the things we look at in the digital age is that protesting certain things in person, the old-school activist opportunities and ways of doing things, have transformed along with our digital age and communications. State actors could be any foreign country, nation states; this could be their cyber warfare team. They're trying to possibly steal intellectual property from other countries, or trying to disable power grids or something for other countries, enemy states. And cyber crime groups, which can vary in type. A lot of times people overlook insiders, and there's a higher percentage of people that are insiders, and this could be disgruntled employees. This is not always an actual employee; this could be someone that is implanted in the organization.
I was speaking with a company last year, and they were sharing some intelligence with us, and they were talking about a company that produced hardware where someone was implanted by another government to steal intellectual property. So these insiders can also be disgruntled employees. You hear the stories of the past where a programmer for a bank programmed the application to put like a tenth of a percent from all the accounts in the bank into his account, and after so long he got this money. I never verified if that's true or not. It could well possibly be; sometimes those stories come from facts, but I can't validate it for sure. But you hear those kinds of stories. You see people doing all sorts of things for job security. They want to document things; they don't want people to be able to replace them. Sometimes they do malicious activities: they get upset with their employer, they steal intellectual property, all sorts of things. So insiders are also a threat. And so the motivation. Some of these are going to overlap with the other slide, but: hacktivism, financial, retaliation, cyber terrorism, curiosity, challenge, and thrills. These are some of the motivations. The last three, curiosity, challenge, and thrills, are the more universal motivations, because for a lot of people, whether they're a malicious threat actor or someone that does bug bounties or someone that is playing around on Hack The Box, the curiosity and the challenge and the thrill is kind of a motivator. And this is really some of the things that motivate script kiddies. They may find some tool and want to see if it actually works on a production website, so they try it on a website. But the curiosity and challenge and thrills are what get people into hacking in general.
And so financial. One of the things we're seeing with financial is that this could be someone directly breaching a system and getting access to funds or things of value. And then there's also ransomware, which has been one of the more popular ways that attackers can monetize their attacks. Using ransomware, files are encrypted, and then the victim has to pay to get the decryption keys to be able to decrypt their data. So this is one way attackers have found to monetize attacks, and using cryptocurrency they're able to get the funds without being traced as easily as you would back in the days of someone doing a wire transfer to a bank or actually sending money physically. So these are ways that those things have evolved over the years. And so how to start: getting to know the adversary. To get to know the adversary, you need to understand their attacks. One of the ways to start that is a good shortcut, because otherwise you can do a lot of studying, and I advise that too. If you're interested in offensive security, especially more towards red teaming or adversary emulation, then it's good to study all the different attack techniques out there, but MITRE has made this easier for us through the MITRE ATT&CK framework, and you can find that at attack.mitre.org. They've got a resource there that you can go through and see these different APTs and the different TTPs that they're using for their attacks. So this is a way to get to understand them: you look at these different APTs and see how they're operating. The cool thing about that is, from the TTP standpoint, this is something that can go across different APTs. But getting to understand different APTs can be important to your organization.
So maybe you work for a power company, or some natural resource type company, and you can go out and look and find these different APTs and find out which ones may be attacking your industry more specifically, so that way you know to understand that adversary more. And then cybersecurity threat intelligence. Cyber threat intelligence is something good to know whenever you're trying to learn what these adversaries are doing. So that is a good area to know: knowing your adversary from threat intelligence. If you're not familiar with MITRE ATT&CK, it's at the address mentioned above, attack.mitre.org. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. So this is a good way, as they mention here, to work on your threat model. When you're building out that threat model, you want to take into consideration the adversaries that may be trying to attack your environment. That's one of the good ways to know that. So this gives you the definition from MITRE ATT&CK's website.
Getting more into cyber threat intelligence, Katie Nickels has some really good stuff out there. She's a SANS instructor, and I also believe she works for Red Canary, possibly; I'm not real sure, I was looking at that while preparing the slides. But anyway, Katie created this threat intelligence training with Adam Pennington, and you can access that on MITRE's website. They've got some videos to teach you how to learn that threat intelligence. I've followed Katie on Twitter for years, but where I first found out about her threat intelligence involvement was going through some material from SANS, some information on purple teaming and red teaming. When they cover some of the stuff on threat intelligence, since SANS has Katie as an instructor there, some of the information she had to offer linked back to MITRE and also some other resources. On that resource there are actually some videos too, so that's a good resource. And there's a cyber threat intelligence self-study plan by Katie Nickels. This is on her Medium page, and today I believe there was just part one out there, but this is a really good place to start. This shows you some different ways to do self-study on threat intelligence. It's low cost; I mean it doesn't cost anything, it's free resources, so you can go out there and use this to learn about threat intelligence. Also CrowdStrike has some good information out there: What is Cyber Threat Intelligence, by CrowdStrike. You can find that in the Security 101 section on their website. So that's a good resource there that you can use. And so defending against the adversary. You've learned this knowledge of how threat actors work, so you can use this to defend against threat actors.
This threat intelligence is good for red teamers to emulate adversaries, but this is also good and very important for the defenders to know what to defend against. You can go out and look at MITRE, you can get the different types of APTs and what TTPs they're using, and you can go in and make sure you're protecting against those: watch for those, try to detect and prevent those types of TTPs. And so for the offensive side, this is the area that I'm more passionate about, but I wanted to include some of the defense stuff in there too, because in my Pentester Blueprint talks and in my book, I want to share how offensive cybersecurity knowledge is good for defenders. It's good for SOC analysts; it's good for network security, operations security, different defenders, not necessarily just the offensive team. It's good for the defenders to be able to defend against the bad guys. So for offensive security, using the knowledge to emulate threat actors. You've got red teaming: this is true adversary emulation. And I want to make sure to clarify there is a difference. Red teaming and blue teaming are used generically to identify offense and defense, but true red teaming is adversary emulation. What you're doing is using the adversary TTPs during a security assessment, so you're performing a security vulnerability assessment and using these different TTPs during that test. A pentester is trying to find every vulnerability that can be exploited and exploiting those. As a red teamer, during a red team operation, you're trying to find high-impact vulnerabilities that can be exploited to emulate a breach. So you're finding one or two ways in, having a secondary way in in case that first option is blocked, or something happens, the system gets rebooted and you can't get back on; having a backup plan, another way to get in.
So you're doing things that lead to a breach; it's more emulating what a threat actor would do, like a nation state or those types of actors. Like I said, you're looking for the things that can be breached. You're going through and trying to get access, trying to exfil data, seeing if that's a possibility, seeing what you could get to, and you're trying to go undetected. In penetration tests, you've got limited time, so you're really not trying to go undetected; you're using vulnerability scanners, whereas in red teaming, you're not using the vulnerability scanners. You don't want to be caught, so you're doing techniques that are there to go undetected. So keep this in mind: pen testing is less time, and you're trying to find every vulnerability and exploit everything that is vulnerable. And purple team is collaborating with the blue team: red team and blue team working together to try to prevent these types of attacks. When it comes to red team operations, plan and execute your operation. You leverage MITRE to emulate adversaries. We have a screenshot here of what the ATT&CK matrix looks like, and you can see there's reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, and lateral movement. And maintaining persistence is one of the things that goes on during this time. So you can go through here and pick the APT that you want to use. Choose the APT for your engagement, execute the operation, and then write your report. And one of the things you can do is be more creative.
As far as choosing an APT, as a first choice you might find APTs that are common to your industry and work with those first; then later on you can get more creative and come up with your own TTPs and your own attack methods, because these things exist before the community knows about them, before MITRE has them in their database. They're unknown, so being creative and building your own TTPs is a good practice as well. And so pentesting: you leverage the TTPs during the security assessment. In this case, you're using whatever, like EternalBlue when it was out. You're still seeing that TTP in the environment, but that's one of the ones that you could try to leverage, to see if these vulnerabilities are vulnerable to something like that. So you look for your vulnerabilities and see if they can be exploited, and then you see how far you can go. You're still leveraging some of the same techniques as an adversary, using these TTPs, but you're doing this in a way where you're not worried about going undetected. And to also share: it's good to do pentests and red team engagements both, because the pentests are going to get your security defenses up a little bit quicker. You're doing your regularly recurring vulnerability scans, you're doing your pentests. Red team engagements are more for more mature organizations. So once your organization gets a little more mature, then you can move on to the adversary emulation of red team engagements. And purple team, as we mentioned a while ago: you're working with the red team. Red team and blue team are working together to make sure that things are being detected.
So, going back to MITRE, selecting the different APT groups, select a specific APT, and see if you can run Mimikatz in your environment, or if PowerShell is enabled by default, just going through and working on those, executing Mimikatz. If that executes successfully, then you need to make sure your endpoint protection is detecting and blocking those. This is really good to do after a red team engagement or a penetration test, because by going in and shutting down certain tools, you make it more difficult for attackers to get their attacks through. So this is a great resource. And really, when you're starting your pentests and your vulnerability assessments are running, purple teaming is something to put in there, because that helps bring up the maturity of your security environment. And so thanks for attending my talk. Before I became an instructor, I was also sharing information with people that wanted to become OSCP certified and wanted to become pentesters. So I've done a lot of mentoring before I started teaching, and I do a lot more mentoring and teaching now. So feel free to reach out to me; I'm happy to answer your questions, and I'll be answering your questions on the DEF CON Discord. But if after the fact you just want to connect, feel free to connect with me. I'm always big on building my community, my network of professionals, and so forth. You see my LinkedIn there, my Twitter; my Hacker Factory podcast can be found on ITSPmagazine. And for all the rest of my links, you can go to my Linktree link there. That's got my Twitch channel; I stream once a week on Twitch. I have a YouTube channel, and some other social media stuff I share in there, so for the rest of the links you can go there. So thanks again for attending my talk, and I hope you enjoy the rest of DEF CON. And thanks to Abby and all the Adversary Village volunteers for putting this on, and I hope everyone has a good time. Thanks.