Ash Andrews | Sammy Chuks

Co-Op Mode: Defence with an Attacker’s Edge


In this engaging presentation, MSSP Cyber Security Operations Manager Sammy Chuks and Senior Offensive Security Consultant Ash Andrews bring a fresh approach to threat defence by walking through real-time attack-and-defend scenarios. In a role-play format, they demonstrate how attackers and defenders can collaborate to sharpen their skills and strengthen cyber security strategies.

The session covers key areas, including credential access attacks, log manipulation, and data exfiltration, with a focus on using diverse data points to detect and respond effectively.

Prognosis – Defence With an Attacker's Edge


Sam opens with a powerful metaphor, comparing the risk of a siloed mindset – focusing narrowly on one area of security – to an ostrich burying its head in the sand. In a rapidly evolving cyber threat landscape, organisations must take a comprehensive approach to security, anticipating threats rather than reacting to them.

Workshop Lab

Workshop Lab Architectural Diagram

Ash then introduces a simulated lab environment resembling a corporate network, built to reproduce real-world attack scenarios and their respective detection methods. This lab serves as the foundation for the speakers to demonstrate the following attacks, bridging theory and practice for attendees.

#1 Credential Access Attack

Jump to 07:50 of the video for this section.

To illustrate credential access tactics, Ash outlines a DCSync attack originating from an application server, with Sam describing how defenders can detect it using event ID 4662. A more sophisticated version of the attack is discussed, performed from a domain controller for greater stealth. Sam explains that detection methods here include identifying out-of-sequence DCSync activities and implementing network-level detection tools.
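As an added example (not code from the session or from Sekuro's tooling), here is a small detection check over constructed event 4662 records: it flags requests for the directory replication control access rights from any account that is not an expected replicator, and adds a tunable heuristic for the on-DC variant. The allowlist, host names and log lines are assumptions made for this example; the two replication GUIDs are the well-known Active Directory values.

```python
import re

# Well-known Active Directory control access right GUIDs that a replication
# (DCSync-style) request needs; a 4662 event listing either one is a replication request.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Constructed allowlist (assumption): DC machine accounts plus a hypothetical
# directory-sync service account. Build this from your own domain's DC list.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "svc-dirsync"}

# Constructed 4662 records flattened to key=value text (not real logs).
SAMPLE_EVENTS = [
    "Computer=DC01.corp.example EventID=4662 SubjectUserName=DC02$ ObjectType=domainDNS Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "Computer=DC01.corp.example EventID=4662 SubjectUserName=appsvc ObjectType=domainDNS Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "Computer=DC01.corp.example EventID=4662 SubjectUserName=DC01$ ObjectType=domainDNS Properties=%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "Computer=DC01.corp.example EventID=4662 SubjectUserName=jsmith ObjectType=user Properties=%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}",
]

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

def parse_event(line):
    """Pull the fields the check needs out of one flattened 4662 record."""
    def field(name):
        m = re.search(rf"\b{name}=(\S+)", line)
        return m.group(1) if m else ""
    return {
        "computer": field("Computer"),
        "event_id": field("EventID"),
        "subject": field("SubjectUserName"),
        "guids": {g.lower() for g in GUID_RE.findall(line)},
    }

def dcsync_alerts(lines, expected=EXPECTED_REPLICATORS):
    """Return (subject, computer, reason) tuples for 4662 events that look like DCSync."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] != "4662" or not (ev["guids"] & REPLICATION_GUIDS):
            continue  # not a replication request, ignore
        subject = ev["subject"]
        if subject not in expected:
            alerts.append((subject, ev["computer"], "replication rights requested by non-replicator account"))
        # Heuristic (assumption, tune per environment): a DC's own machine account
        # requesting replication on that same DC is not how DC-to-DC replication looks.
        elif subject.rstrip("$").lower() == ev["computer"].split(".")[0].lower():
            alerts.append((subject, ev["computer"], "DC account replicating against itself (possible DCSync run on the DC)"))
    return alerts
```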

#2 Defence Evasion

Jump to 12:01 of the video for this section.

Ash reviews defence evasion strategies, such as disabling event logging to conceal activity. Sam advises on detection techniques that counter this, like tracking the last log message written before the logging service stops. They also discuss clearing the Windows Security log, which leaves the Application and System logs intact; Sam recommends detecting this through other telemetry points such as PowerShell and Sysmon logs.

#3 Data Exfiltration

Jump to 15:58 of the video for this section.

Finally, Ash discusses data exfiltration, covering direct file uploads via PowerShell and file extraction over encrypted channels (e.g., HTTPS) that resemble regular traffic. Sam highlights that endpoint telemetry and Endpoint Detection and Response (EDR) solutions play a key role here, especially by capturing activity in the clear on the endpoint before it is encrypted on the wire. Defenders can also monitor PowerShell script block logging and analyse network traffic for anomalies.

The MSS and Offsec teams going head-to-head with their mascots, Rocky and Larry

Conclusion and Benefits of Collaboration

Sam and Ash conclude by emphasising that collaboration between offensive and defensive teams builds stronger cyber security capabilities, equipping organisations to anticipate and counter evolving threats.

Want to stay ahead of cyber threats? Enhance your defences with realistic attack simulations and identify vulnerabilities before attackers do.

Watch the full breakout session below:



Ash Andrews

Senior Offensive Security Consultant, Sekuro


Sammy Chuks

Cyber Security Operations Manager, MSSP, Sekuro
