Adversary Village

Dan Borges

Incident Response Lead at Scale

Dan Borges is an experienced incident responder and red teamer. He plays on the national CCDC red team and leads the virtual region each year, writing and leveraging custom red team tools. He also helped start CPTC, the Collegiate Penetration Testing Competition. Last year he wrote a book on adversarial tradecraft in cyber security, drawing on many lessons from these attack and defense competitions, as well as real-world operations. Today he leads an incident response and detection effort at a small startup.

Talk: Helpful Principles in Adversarial Operations
Technical Talk
Adversary Tactics

I released a book last year titled Adversarial Tradecraft in CyberSecurity: Offense vs Defense in real time. This book includes several red team and blue team techniques that help get the advantage over the opponent, ultimately giving the user an edge in the conflict. Throughout this book I distilled several principles or theories that either side can leverage in an abstract sense to gain these advantages. I will cover the principles, as well as several real world examples of using them from both the offense and defensive perspectives. The principles and some examples are as follows:

  • Principle of Deception - The offensive perspective will show some obfuscation and hiding-in-the-file-system techniques. The defensive perspective will show honeypots and honeytokens used to get more information about an attacker.
  • Principle of Physical Access - The offensive perspective will show why physical keyloggers are so effective, grabbing creds while remaining off the wire. The defensive perspective will show how, no matter what an attacker does, a defender with physical access can reimage and regain control.
  • Principle of Humanity - The offensive perspective will show how researching the people involved can help you find the path to the access you need, and who you need to exploit to get there. The defensive perspective will show how profiling the attackers helps you understand their TTPs, and thus defend against them.
  • Principle of Economy - Shows how both sides are limited in personnel, and how understanding where they spend their money can help you avoid their strongest areas or target their weakest spend locations.
  • Principle of Planning - We will show how planning, through runbooks or even automation, will save critical time during operations.
  • Principle of Innovation - Will show how researching the attackers' or defenders' tools can help develop exploits, which can be used to change the game or get unexpected access, such as the defenders getting access to a C2 server, or the offense getting an 0day to get in on the edge.
  • Principle of Time - On the offense, will show how prior automation can give an advantage where doing it by hand will not (think killing the AV/EDR, then running an automated tool while it restarts). The defensive perspective will show how and when you respond to an incident can make or break it, depending on how much access the offense has already gained.
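As an added illustration of the defensive side of the Principle of Deception above (this is example code written for this page, not material from the book or the talk), the block below plants a per-host honeytoken credential and then scans auth-log lines for any attempt to use it. The host name, the secret, the bait file layout and the log lines are all constructed for the example; the username is derived from the host so a token that turns up in a login attempt tells you where it was stolen from, and the source IP in the alert is the "more info about an attacker" the bullet refers to.

```python
import hmac
import hashlib
import re
from dataclasses import dataclass

# Constructed sample lines in auth.log style (made up for this example).
SAMPLE_AUTH_LOG = """\
Mar 10 09:12:01 web01 sshd[4112]: Accepted publickey for deploy from 10.0.4.17 port 51022 ssh2
Mar 10 09:15:44 web01 sshd[4120]: Failed password for svc_backup_web01 from 203.0.113.45 port 40112 ssh2
Mar 10 09:15:47 web01 sshd[4120]: Failed password for svc_backup_web01 from 203.0.113.45 port 40114 ssh2
Mar 10 09:16:02 web01 sshd[4131]: Invalid user admin from 198.51.100.9 port 33002
"""


def make_honeytoken(seed_secret: bytes, host: str) -> tuple[str, str]:
    """Derive a per-host honey credential (hypothetical scheme for this example).

    The username encodes the host the bait was planted on; the password is an
    HMAC of the host under a secret only the defender holds, so a stolen token
    can be traced back to where it was planted without keeping a lookup table.
    """
    username = f"svc_backup_{host}"
    tag = hmac.new(seed_secret, host.encode(), hashlib.sha256).hexdigest()[:20]
    return username, f"Bk-{tag}"


def bait_file(username: str, password: str) -> str:
    """Contents of a plausible-looking backup config to leave on the host."""
    return (
        "# legacy backup agent credentials (do not share)\n"
        f"BACKUP_USER={username}\n"
        f"BACKUP_PASS={password}\n"
        "BACKUP_HOST=backup01.internal\n"
    )


@dataclass
class Alert:
    username: str
    source_ip: str
    attempts: int
    planted_on: str


# Matches the "Failed password for X from IP" / "Accepted ... for X from IP" forms.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def find_honeytoken_use(log_text: str, honey_users: dict[str, str]) -> list[Alert]:
    """Scan auth-log lines for logins attempted with a honey username.

    honey_users maps username -> host where the bait was planted. Any use is a
    high-confidence alert: no legitimate process ever knows these credentials.
    Attempts are grouped per (username, source IP) so one alert covers a burst.
    """
    counts: dict[tuple[str, str], int] = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        user, ip = m.groups()
        if user in honey_users:
            counts[(user, ip)] = counts.get((user, ip), 0) + 1
    return [
        Alert(user, ip, n, honey_users[user])
        for (user, ip), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    user, pw = make_honeytoken(b"defender-only-secret", "web01")
    print(bait_file(user, pw))
    for a in find_honeytoken_use(SAMPLE_AUTH_LOG, {user: "web01"}):
        print(f"ALERT honeytoken {a.username} (planted on {a.planted_on}) "
              f"tried from {a.source_ip} x{a.attempts}")
```

The sample log shows the point of the technique: the real `deploy` login is ignored, while two attempts with the bait username from 203.0.113.45 produce a single alert that names both the attacker's source address and the host the bait was lifted from.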