While my following/reach is relatively small on here compared to Twitter, I want to start this discussion regardless.

Red Team vs.(?) Blue Team

Frequent releases of offensive tooling, specifically C2 frameworks, are awfully detrimental to blue teams. As someone who works on network detections, observing newly published frameworks regularly is disheartening and frustrating. It's no secret that open source offensive tooling is adopted by APTs and cybercrime groups, and that leaves me with one question: why do it?

From my perspective, I can see some value in open sourcing such tooling for the purpose of assisting other red teams with engagements but surely the fact that malicious actors adopt the same tooling heavily outweighs the pros here?

For the red teamers following me (if any), what is your opinion on this issue? Why does it feel like 'vs.' is legitimate here, but for the wrong reasons? These practices are also (in my opinion) contradictory to what purple teams stand for and shouldn't be considered purple teaming by any stretch of the imagination.

I'd like to keep snarky/passive-aggressive remarks (I've been guilty in the past) to non-existent here, please. If you want to call me an idiot, my DMs are open.

@ozurie If only malicious actors designed and made C2 frameworks, I wouldn't be able to spend a weekend looking at 20 different samples and building detections. The more knowledge I have, the better I perform. Adversaries will build them anyway, so the community may as well equip itself the best it can.

@GoblinLucy again, do the cons not outweigh the pros in this scenario? I definitely understand and appreciate additional material, but when it's at the cost of assisting malicious actors, surely we draw a line? Adversaries will indeed build their own frameworks regardless, but why assist them and hand them something on a silver platter that not only speeds up the rate of their operations, but can also cloud attribution efforts too?

It's the same concept as strategic detection building. Ideally you'd want to base detections on elements that are costly to the adversary. For example, if your YARA rule consists of a few strings, sure, you may catch samples, but those strings are easily changed. If you instead base your signatures on opcodes for some custom encryption routine, that will be significantly more damaging and, as a result, will (usually) slow operations.

Handing adversaries free C2 frameworks contradicts the end goal of slowing down their operations.
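The string-versus-opcode point in the post above, shown as an added example that is not part of the thread and not from any real framework: all byte blobs below are constructed, the "encryption loop" bytes are a hypothetical stand-in rather than a real routine, and the wildcard pattern mimics the `??` byte wildcards a YARA hex string would use. A signature on branding strings stops matching the moment the operator rebrands; a signature on the code pattern keeps matching through a rebrand and even through a recompile that changes the key and loop count.

```python
import re

# Constructed, hypothetical bytes standing in for a custom XOR decryption loop.
# Two "builds" of the same routine: the second changes the key register byte
# and the loop-count immediate, the kind of drift a recompile produces.
XOR_LOOP_BUILD1 = b"\x8a\x04\x0a\x32\xc2\x88\x04\x0a\x41\x81\xf9\x00\x10\x00\x00\x75\xf1"
XOR_LOOP_BUILD2 = b"\x8a\x04\x0a\x32\xc3\x88\x04\x0a\x41\x81\xf9\x00\x20\x00\x00\x75\xf1"

# Constructed sample "binaries": identifying strings wrapped around the routine.
SAMPLES = {
    # original release: recognisable strings, build 1 of the routine
    "original": b"\x00Agent-Demo/1.0\x00" + XOR_LOOP_BUILD1 + b"\x00beacon_sleep\x00",
    # strings rebranded, routine untouched
    "rebranded": b"\x00Updater/3.1\x00" + XOR_LOOP_BUILD1 + b"\x00sync_interval\x00",
    # strings rebranded and routine recompiled with a new key and count
    "rekeyed": b"\x00Updater/3.2\x00" + XOR_LOOP_BUILD2 + b"\x00sync_interval\x00",
    # unrelated file that should match neither rule
    "benign": b"\x00Hello world\x00" + b"\x90" * 16 + b"\x00readme\x00",
}

# Cheap-to-change signature: the branding strings of the first release.
STRING_NEEDLES = [b"Agent-Demo/1.0", b"beacon_sleep"]

# Costly-to-change signature: the routine's opcode skeleton. Single-byte
# wildcards (.) cover the key register and the four-byte loop-count
# immediate, so only the instruction layout itself is pinned down.
OPCODE_PATTERN = re.compile(
    rb"\x8a\x04\x0a\x32.\x88\x04\x0a\x41\x81\xf9....\x75\xf1", re.DOTALL
)


def string_rule(sample: bytes, needles=STRING_NEEDLES) -> bool:
    """True when every branding string is present (YARA 'all of them' style)."""
    return all(n in sample for n in needles)


def opcode_rule(sample: bytes, pattern=OPCODE_PATTERN) -> bool:
    """True when the wildcarded opcode sequence occurs anywhere in the sample."""
    return pattern.search(sample) is not None


def evaluate(samples: dict = SAMPLES) -> dict:
    """Run both rules over every sample and report which ones fire."""
    return {
        name: {"strings": string_rule(blob), "opcodes": opcode_rule(blob)}
        for name, blob in samples.items()
    }


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:10s} strings={hits['strings']!s:5s} opcodes={hits['opcodes']}")
```

Running it shows the string rule firing only on `original`, while the opcode rule fires on `original`, `rebranded` and `rekeyed` and stays silent on `benign`; the adversary's cost to evade the second rule is rewriting the routine, not editing two strings.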

@ozurie It's a bit of an objectless argument because what I laid out is the reality, but thinking about what you said, if we could wave magic wands and change whatever we like, then the answer would be that the issue affects different entities differently: an SMB (which most orgs are) would stand to gain more from C2 frameworks being scarce because they aren't going to be doing anything other than hoping not to get compromised; alternatively, to me, because it's my job to protect stuff, C2 being such an open book is better; and again, organizations who suffer uniquely high attacks (unsuccessful or otherwise) also gain more than they lose from the way C2 is now.

In conclusion, if I put my non-biased and SMB-friendly hat on, yes, it would be fantastic if people didn't hand out C2 frameworks like candy, but unfortunately they will forever, so we can't really think from that perspective.