VIDEO

With PlexTrac’s Runbooks Module

Today’s episode focuses on maximizing your talent in cybersecurity. It’s no secret there’s a talent shortage in the industry, so what are you doing to make the most out of your team and train your junior practitioners? Joe walks through how to do this using PlexTrac’s Runbooks module.

Category: Product Features, Purple Teaming, Runbooks, Thought Leadership

Transcript

Welcome to Cup of Joe. Today I want to talk about the talent crunch and maximizing your staff.

You know, I’m really excited about today’s video. I’ve been thinking. You hire your team members for their strengths and accommodate and train for their weaknesses. It’s just life. Not everybody can be good at everything, right? I mean, most of the time. Except once. In one of my practices, I had an operator.

We’ll just call him Jim. And he was a virtuoso of the keyboard. He knew at least half a dozen programming languages and had a memory like a steel trap. He had the ability to look at most problems and just tear them apart in his head. He could whip up a bypass or an exploit nearly at will and seemed to have committed all there was to know about hacking to memory. Everybody wanted to be Jim. So I got to thinking, what if we developed something like playbooks? Documentation around the most common scenarios encountered, with suggested paths to take, along with the syntax for the tools we were likely to need. Now, syntax was important to me.

It was the part that always tripped me up. I’m a manager. I’m in the field only half the time. The switches for RPC clients always just seem to escape me. Now, we could have just written a bunch of cheat sheets, but I wanted to go a little deeper than cheat sheets. I wanted how-to pages that could replicate and document our best hacks in a way that had the potential of making everybody as good as Jim. Well, that was the idea, at any rate.

We had a bunch of our best attacks documented in Markdown and stored in GitHub. We even had a system that allowed us to clone the repositories to our laptops and deliver them using a searchable web server. Wasn’t quite the easiest of setups, but it had such promise. Imagine having the best minds on your team right there at your fingertips. Need to figure out how Carol sets up his Banana Pi to bypass the 802.1X network at that big yellow client? Boom, right there. Or learn how Tim set up BloodHound to query the secrets of Active Directory. It was all there.

It gave the less experienced testers the skills and the confidence to go further on an engagement, to dig a little deeper on a test, but to do it safely. It was at times a bit wonky, but it was still awesome. And the team had put it together in record time. So you can imagine my excitement when I saw the PlexTrac Runbooks module.

When PlexTrac Runbooks were first introduced to me, it was described as a vital tool for conducting purple team exercises. Now, this is absolutely true, but my first thought was how awesome the module would be for creating my homegrown version of the concept. Let me walk you through this. Let’s begin with Methodologies. So what are Methodologies? Well, they are a bunch of rules and procedures for a discipline or field. Now, for what we’re doing, it isn’t necessary to follow a third-party methodology. Here you could use MITRE’s ATT&CK framework, but the purpose of this is to find something that works for you.

In my practice, our books were built around key phases of pentesting. That included starting with recon, then moving to wireless, then physical evaluation, then scanning and enumeration, doing some web apps, some exploitation, post-exploitation, and finally segmentation bypass techniques. Heck, we even had separate books written specifically to handle the standard operating procedures for our different enterprise clients. So let’s start building a new set of Runbooks. To do this, let’s start by creating our methodology, and let’s call it Phased Pentesting. Go to Runbooks, click on Manage, and then click on Methodologies. We’re going to create a new methodology here and give it a title.

We said we were going to call this Phased Pentesting, and then let’s call it Phased Pentesting in the Methodology ID here. Let’s just give it a description, and let’s go ahead and click on Save and Close. Great. So now we’re ready to add our tactics, techniques and procedures, also known as TTPs. In order to build our runbook, let’s define what TTPs are, so we’re all on the same page. TTPs are the patterns of activities or methods associated with a specific threat actor or a group of threat actors. Now, in this case, we are the badass APTs come to rain down our skills upon your security controls like lightning and thunder.

Now, tactics. Generally speaking, tactics are the vectors used by bad guys to carry out their activities. That is their strategy. In the most general of terms, one such tactic could be described as accessing a network without credentials. Techniques. Techniques are the methods, not necessarily specific, that are used by the attacker to help achieve their goal. For example, if the goal is to gain access to the network, maybe the technique is a brute force attack, or phishing attacks, or sniffing credentials. Procedures are more specific. With procedures, we move out of the abstract and talk about the syntax and tools.

These are the specific preconfigured steps to be used in our efforts to ensure that we achieve our aim. Continuing with the example of network access, the procedures could include the specific steps for VLAN hopping, or using Responder, or attacking a network with Metasploit, and so on. So let’s begin by creating the tactic of Uncredentialed Network Access. Now, within the portal, let’s choose Tactics, Create.

Let’s give it a title. Let’s give it a tactic ID and a tactic description. Great. And we could add tags to it if we wanted to match this up with the MITRE ATT&CK platform or something else. We just call it network_access here. Save and Continue.

Now, this is going to want to have us assign this tactic to our methodology, and our Phased Pentesting methodology is now there. Fantastic. So let’s select that and select Assign Tactic.

Great. Now let’s go to Techniques. We’re going to create the technique. In this case, let’s call it Access Control Bypass, create the technique ID, and Save and Continue. Let’s assign this to our previous tactic, Uncredentialed Network Access. Assign Technique.

Then let’s create a procedure for pivoting through a Meterpreter session. Create. Call this Meterpreter Pivot, give it a procedure ID and a procedure description. And now this is where we’re going to add the execution steps. I’m going to just do a cut and paste where I have the information I need to remember for how to do this. Now, I could create each one of these as an execution step, but in this case I’m happy with it all just being in one place. I also probably want to create some tags like Pivoting, Meterpreter. It looks like I’m using SOCKS and proxychains, and I’m done.

Click on Create and Continue and assign it to the Access Control Bypass technique that I had created earlier. Great. And I’m done. If I go back to Methodologies here, I can go into Runbooks for Phased Pentesting by clicking the Runbooks icon and create a new Runbook.

We’re inside of the Phased Pentesting methodology. Let’s give it a Runbook title. Click Create and then click on Tactics, and we have our Uncredentialed Network Access tactic. So let’s add that to the Runbook, and then from there select Techniques, and we see our Access Control Bypass technique that we added. And let’s select that and select Procedure. And there’s the Meterpreter Pivot procedure that we created. Select that, Save and Close, and we’ve created an internal pentesting Runbook.

Now we can go back and add additional TTPs and begin to build out this entire Runbook so that it has everything we do for internal pentests. And then we can do the same for external pentests, for wireless tests, and for social engineering. The list can go on and on.

Consider this: your team probably already has their cool tricks previously written up for them to use. Now they can be documented for the entire team in a way that everyone can understand and use. And this is where it can get really exciting. You can hire a talented junior with a strong knowledge of Windows and Linux who has a few CTFs under his or her belt. And by following the Runbooks, they can immediately become a productive member of the team safely. Over time, your Runbooks can be customized for specific customers and technologies. For example, as you become better at the documentation, you could move on to bigger, more complicated tests, like that AS/400 that nobody wants to test because of the myth of them falling over and taking days to come back.

Well, I call BS. AS/400s can be tested properly. Everything can be tested properly when you know how, right? Now, when the Jims of our practices need to leave to grow their careers, we freak out, throw gobs of money at them and beg them to stay so we don’t lose all the tribal knowledge and the skills that they have. Well, not anymore. We have PlexTrac Runbooks. Sure, offer them more money if they’re due for a raise, but don’t panic, you’ll survive. Now you’ve got the Runbooks to preserve that knowledge.

Let your people go with gratitude for the time they stuck by your side, wishing them the best and knowing that you can look them in the eyes with no hard feelings when you see them at the next conference. You can know that your new team member will bring a fresh set of TTPs and approaches to their work, things that can also be documented to make your team stronger. Losing people stops being painful, and now it becomes a gift. What will your new employees bring to the team, and how can you make the best of it? That’s all the time we really have for the day. I’m so excited for you to dig into this module. If you have any questions or ideas about Runbooks, put them in the comments and I’ll answer them as quickly as I can.

For now, this is Joseph Perini, PlexTrac’s product evangelist, wishing you happy hacking.