This is a few days late, as I have been pretty busy with some housework, and I forgot I was on call this week and had a fun situation to deal with on Friday. Day 4 was bittersweet, as it was the last day of training and this had really started to get a community vibe to it. To be honest it feels a little odd not interacting with everyone. We started today off with some fun! Nmap, and using Responder to get LLMNR passwords and John the Ripper, before moving on to allow lists (versus deny lists, which I have been living on and which make me sad). Then malware and allow lists, OpenDNS and domain names (which I had to re-watch, as I missed this part because I had an appointment for an hour…part of the reason for the delay), vulnerability management, and threat emulation (again), before some DevSecOps/SDLC/web apps and automated testing with ZAP! There was some brief talk about AD hardening and PlumHound (BloodHound for purple/blue teams), a brief talk on Mimikatz/PingCastle, cyber deception, and one last little bit of off-roading with Active Defense Harbinger Distribution (ADHD).
Deny lists do not work well: you are generally going to be behind trying to add “new” IPs/domains because the internet is HUGE, and generally once those “new” IPs/domains get added, they are already old and attackers might have found a new site to take over/hijack. Not to mention that even with ALL the great user awareness training, someone is going to have a bad day and click the link. Going back to the other point, it is super easy for attackers to get domains by buying existing or expired domains. Instead, allow list by category (as adding ALL the sites by themselves is a bad idea). You can be compromised by a legit/“good” site with drive-by downloads (malvertising, for example, where the dropper or a bad link is placed in an ad on the legit site and the next thing you know, you are talking to a C2 site/server). There was a good conversation about using OpenDNS for home use to help allow list and protect yourself at home, which I have been playing around with, along with tinkering with a Pi-hole (but I still need to talk to my wife about getting our own cable modem/router, as Pi-hole and ISP all-in-ones do not mix..). There was a pretty good discussion on DNS over HTTPS: it is good that DNS is now encrypted and protected, but the issue is that defenders in the enterprise lose visibility.
John had some really good tips on vulnerability management, and on how organizations are still running the same program as they were 10+ years ago. Vendors have not changed, and still test/scan for internal/external vulnerabilities. Seems simple, right? Who needs to think about it, and there has been no real new innovation at all. But John also noted to use authenticated scans (which is a risk, as that account can have read-only access into the servers and other assets that it scans, and if it gets owned, you can be up a creek without a paddle). Do it: having done some stuff with Tenable/Nessus, unauthenticated scans look like a glorified Nmap scan and really do not give you much. You are better off authenticated OR, if you can support it, using agents. John went on what we called a STRANT, or a STRAND RANT, which can be summarized with the snap from the slides.
You need to see the context of vulnerabilities, even with low/informational issues, as attackers might start with those low/informational issues and use them as the straw that breaks the camel's back, gaining access via the medium/low/informational findings. You need to look at more than an IP list to freak out over. There was a good slide on this again (not going to share this one): you want to break it up by IP address to make it easier to look at, and go patch and fix that computer with that IP…and that is stupid, so don’t do it. The magic?
GROUP BY VULNERABILITY, NOT IP ADDRESS (AKA the crap the report spits out). Instead of worrying about the total number of vulnerabilities, you deal with a few that repeat on certain systems and use the tools to focus on that group of issues. IANS faculty have used this (versus listing by IP) and addressed over 1 million IP addresses, all vulnerabilities, in less than 3 weeks. To help think of these vulnerabilities as more than missed patches or bad configs, think about post-exploitation: what happens after an attacker gains access? This is where threat emulation can help direct you to the low-hanging fruit and get those vulnerabilities addressed. I did miss a chunk of this discussion, and it was brought up that vulnerability scanners are getting hardening tools/tips and can also implement CIS benchmarks (in the case of Tenable, for example), but they still have a long way to go and do not work as well as one would hope.
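Here is the group-by-vulnerability idea as a small script. This is an added example, not something from the course slides or labs; the CSV column names and the sample findings are constructed for illustration and are not any scanner's real export format. It keeps low/informational findings in the list and shows how much of the report the top few groups account for.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names are assumptions, not a real scanner schema.
SAMPLE_CSV = """ip,severity,vulnerability
10.0.1.10,Critical,Unsupported OS version
10.0.1.10,Medium,SMB signing not required
10.0.1.10,Info,LLMNR enabled
10.0.1.11,Medium,SMB signing not required
10.0.1.11,Info,LLMNR enabled
10.0.1.12,Medium,SMB signing not required
10.0.1.12,Low,Weak TLS ciphers offered
10.0.1.13,Medium,SMB signing not required
10.0.1.13,Info,LLMNR enabled
"""

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def group_by_vulnerability(csv_text):
    """One work item per vulnerability, most widespread first (ties: higher severity)."""
    hosts = defaultdict(set)
    severity = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, sev = row["vulnerability"].strip(), row["severity"].strip()
        hosts[name].add(row["ip"].strip())
        # Keep the highest rating seen if hosts disagree on severity for one finding.
        if SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK.get(severity.get(name, "Info"), 0):
            severity[name] = sev
    items = [{"vulnerability": n, "severity": severity[n], "hosts": sorted(h)}
             for n, h in hosts.items()]
    # Low/Info findings are deliberately not filtered out; they are ranked like the rest.
    items.sort(key=lambda i: (-len(i["hosts"]),
                              -SEVERITY_RANK.get(i["severity"], 0),
                              i["vulnerability"]))
    return items


def coverage(items, top_n):
    """Fraction of all (host, finding) pairs closed by fixing the top_n groups."""
    total = sum(len(i["hosts"]) for i in items)
    return sum(len(i["hosts"]) for i in items[:top_n]) / total if total else 0.0


if __name__ == "__main__":
    work_items = group_by_vulnerability(SAMPLE_CSV)
    for item in work_items:
        print(f'{len(item["hosts"]):>3} hosts  {item["severity"]:<8} {item["vulnerability"]}')
    print(f"Top 2 groups cover {coverage(work_items, 2):.0%} of all findings")
```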
When talking about the Software Development Lifecycle (SDLC), it was discussed how security is just bolted on at the end, which frankly does not work at all and just leaves issues. One of the problems is that people want to do it quickly and cheaply, and security takes time (because security is hard), versus having it done along with the software development. Fun fact: most security testers know less about development, as it is a different skill set, and it is easier to teach a web developer some basic security practices using free tools. Testing with the tools should be done by a different team member (it helps to have a different set of eyes than the one doing the development). The tools are easy to use and should be run weekly as a best practice (even better if done nightly), and it will make you a better developer because you will start having code/applications that are less vulnerable and you will become more effective.
Don’t worry about testing for the crazy new hotness 0-day vulnerability; get the low-hanging fruit like:
- Cross Site Scripting
- SQL Injection
- Command Injection
This takes away a large surface area and gets rid of the easy attacks. Most attackers are going to look for the easy way in and not try complex attacks, unless you're dealing with an APT (nation-state group) or someone who is targeting the company, in which case, if you have proper NSM, application/server logs, and logs from perimeter network defenses (like firewalls, NIDS/NIPS, and a Web Application Firewall (WAF)), you might notice someone knocking on your door. While these tools do help test a lot of things, they do not catch logic errors, permission errors, stored cross-site scripting, or cross-site request forgery, as those need manual testing. John also brought up a good point: self-test and fix the easy vulnerabilities before you get an external test. Do you really want an external test where you get handed a bunch of XSS (cross-site scripting) attacks, or would you rather make the testers look for the logic errors or harder issues and get more value from the test? Really, though, these self-tests should happen on the regular. What are those tools? Burp Pro is awesome (and pretty cheap), and of course there is everyone’s favorite, OWASP Zed Attack Proxy (ZAP). We went over labs on how they are used and set up (and since there is a free version of Burp and ZAP is open source, there are plenty of resources out there for getting started with these tools).
We then started to wrap up with the point that we need to stop focusing on “can we be hacked?” and move to “what can we detect?”: start with finding gaps, try to fill them, and move on. John noted to “steal this idea/framework” and use these tools to at least get started and to show worth if you want to spend the $$$. But let's be real, how much budget do most cyber security/information security teams have? (News flash: not a lot, unless you have an organization that has either A) gotten breached, or B) a good security culture.) Before wrapping up we talked about AD hardening and using a tool like PlumHound to look for ways to harden AD, and talked about honey accounts (spoofed domain admins, for example), which led into the pivot point of using HoneyBadger, which is a part of ADHD. John had one last slide about threat intel: it should be your AV/firewall/EDR vendors doing that work, and you should make actual threat intel from the things you are noticing on your decoys and from where threat emulation found weak spots, then use that information to start hunting in the environment for possible attackers.
I’m slowly plucking away at getting my lab set up, where I will hopefully have ADHD set up so I can write about that..uh..fun adventure. I already put the firewall I set up into transparent operation mode and pretty much killed the internet in my home, which led to an annoyed wife :P. I still might add some things to this lab that John gave us (like Wireshark, to look at the actual traffic going on and get better with Wireshark..I’d say tcpdump, but Linux subsystems…)
If you enjoyed these posts and wish you had taken the course, good news!! It's happening again in November!!!! Still the pay-what-you-want model, same instructor, with most likely updated coursework/labs/slides. Sign up here!: https://wildwesthackinfest.com/online-training/getting-started-in-security-with-bhis-and-mitre-attck-november-0-395-16-hours/