BruCON 0x0A has ended
Back To Schedule
Friday, October 5 • 16:30 - 17:30
Mirror on the wall: using blue team techniques in red team ops

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
When performing multi-month, multi-C2teamserver and multi-scenario red team operations, you are working with an infrastructure that becomes very large quickly. This makes it harder to keep track of what is happening on it. Coupled with the ever-increasing maturity of blue teams, this makes it more likely the blue team is somewhere analysing parts of your infra and/or artefacts. In this presentation we’ll show you how you can use that to your advantage. We’ll present different ways to keep track of the blue team’s analyses and detections, and to dynamically adjust your infra to fool the blue team. We will first set the scene by explaining common and lesser known components of red teaming infrastructures, e.g. dynamic redirectors, domain fronting revisited, decoy websites, html-smuggling, etc. Secondly, we’ll show how to centralize all your infrastructure’s and ops’ information to an ELK stack, leaving it open for intelligent querying across the entire infrastructure and operation. This will also help with better feedback to the blue team at the end of the engagement. Lastly, we’ll dive into novel ways of detecting a blue team’s investigation and we’ll give examples on how to react to these actions, for example by creating honeypots for the blue team.  

avatar for Mark Bergman

Mark Bergman

Starting coding COBOL85 at the ING mainframes at the age of 16 I swiftly learned several programming languages and querying formats. After aiding in compiling the first TCP/IP stack on the ING test mainframe I decided to dive into WinNT development and before I knew it I was digging... Read More →
avatar for Marc Smeets

Marc Smeets

Marc is a senior IT security expert, red teamer and ethical hacker. With 12 years experience in IT security and 3 years in IT operations he knows how to ‘make’ and ‘break’. In early 2016, he co-founded Outflank; a new company solely focussed on red teaming, complex penetration... Read More →

Friday October 5, 2018 16:30 - 17:30 CEST
01. Westvleteren University