Is this thing on?

Things have been a little, well nuts. With everything going on and starting a new job blogging definitely took a back seat. Truth be told I haven’t had anything super interesting to write about, though in retrospect I could of maybe done one about the virtual Wild West Hackin fest, as it was a good con. Maybe I’ll try to get something done by end of the week.

I did finally get my laptop back up and it dose have detection lab on it now and I will say, setting it up in Virtual Box was super simple. So I think I’ll start doing some tweaks with that and using it to go though some PCAP and other detection tools. Along with using it as an add to study for CySA+ and Security Blue Team Level 1.

So long and thanks for the Response: why are we skipping post incident activities

While re-going though some Incident response topics with Security Blue Team, Cybary and LinkedIn Learning there was a common thread that they all had if they were going though NIST 800-61 (or even SANS standards) was NOT to skip the post incident activities. business is back up right? who cares? we got it all solved so post incident activities means going out to the local watering hole and having an adult beverage or six. That is what you mean right? No. not at all (although if you wanted to post post incident activities I guess this could work)

Now your might be thinking why well if your are a fan of standards/frameworks (If you are in Cyber you probably are since you do have compliance you need to meet among other things) there is this hole step that can also improve the process for next time, as it is going to happen as someone is going to have an off day and click yet another link to make your life full of fun. Also you wouldn’t hire a Pen-testing firm to come in and not review the findings and look for ways to improve the organizations security posture? You wouldn’t do Red team/purple team engagement with tools like Red Canary’s “Atomic Red Team” or MITRE Caldera would you? If not what are you really getting out of it other than doing a task to check the box for something which is not going to do anything to help you or the org (except maybe if you want to give yourself a gold star). You use these tools and skills to look at oversights, detection/alerts that are missing or not as clear. Which you would work to fix and to help your cause you could map this to ATT&CK/Shield (as we all know leaderships likes charts and frameworks are super helpful for some).

So the question is, we make time for that? why are we not making time for the post incident review? I get it. its another round table, another day potently spent going over process/procedures but if it makes your security posture better by looking at the things you would with a Pen-Test or purple teaming, why skip out on it. It’s like stomping out a fire without making sure it’s embers are fully out. In this case you don’t improve the response to a particular incident guess what happens? those embers (incident) rises into a flame and next thing you know you are dealing with a similar incident responding in the same way. Did that really work? sure you put out the big fire, but you did not ensure it was fully out because you are still getting hit in the same way you did before. now if your org is not giving you the time or capabilities to fully put out the fire, you probably do not have full management buy in into your incident response program as that should be the priority for those on the Computer Emergency Repose Team (CERT/Cyber Security Incident Response Team (CSIRT) when facing an incident.

I do understand that most are working with limited business and that security is just a coast center (unless you are an MSSP or something among those lines). but how can the business really function under normal operations if you still have kindling flames of incidents (attack vectors that your IR plan/policy lacks coverage for) if you are constantly wasting time going back to “remediating” and leaving it at that. Maybe its the military and having to instruct a few classes that thought me the importance of After Action Reviews (AAR) but not doing that security incidents and then wondering why you are dealing with the same attacks over and over again fits the definition of insanity (doing the same thing over again and expecting a different result). Doubly so if the business gets effected by this time after time, you would think they would want it to be prevented to prevent any bad publicity and having to issues statements over and over again.

Taking the time to try and close the gap with post incident activities ensure senior leadership understand that this is apart of the process and ensure that it is the plan/policy. if they do not want to listen and want you to move on to other things remind them of their buy in/enforcement. If not, use ethics committees and other tools to ensure policies/plans/procedures are being enforced and allowed to be followed though to the end, the very end. At the end of the day this is to better the security posture to allow an org to keep operations up by having plans in place to avoid shutting down production due to a cyber incident that effects the CIA triad.

I know not every org is like this, but when going though videos and other training the theme that always seems to be around is “DO NOT SKIP THE POST INCIDENT ACTIVITIES” there is defiantly something up with the industry and something we need ensure we are doing. Along with doing IR exercises (if you want some gamification of IR tabletops look at Black Hills Information Security Backdoors and Breaches card game) But I’ll save that for another time.

DEF CON 28-DEF CON Safe Mode

DEF CON needed to Run some A/V…Image (c) © DEF CON

First DEF CON, first full Virtual conference I attended. This post is going to be in different parts with with the overall experience, the things I really liked and kind of an simple overview of the OpenSOC CTF (which I thoroughly enjoyed). I am still trying to get caught up on some of the varies talks from the other villages as a lot of my time was spent working on the OpenSOC CTF and the various workshops/panels with Blue Team Village (BTV). I was hoping to do a better write up but life found away and I wanted to try and spend some extra time with my wife since me being “Out” due to DEF CON put some extra strain on her

What I really liked?:

  • OpenSOC CTF: This was my first time doing the OpenSOC CTF and was not sure what I was fully getting myself into as I was used to the other jeopardy and other styled more red team focused CTFS with web-apps to break, Stenography, and some Forensics challenges but what really captured my interest was this was more like a full fledged SOC environment and you had to investigate several different incidents. The tools I have never really used before or interrupted (PF sense, Thinkst Canary tokens, OSQuery, Suricata, Greylog, Snort, Velociraptor, and Moloch). Thankfully the Blue Team Village had some early “workshops” showcases the tools and how to use them. While learning the syntax of each of the different tools (thankfully Greylog is built on top of an ELK which I do know some of the Syntax for) But once I learned the syntax and got a better idea of what I was looking for it I was able to do good on following the trail of several challenges. Which they did lead on each new “flag” was just adding another piece of the puzzle and told the story of what you were looking at.
    The networking portion of looking at the events/logs from firewalls/IDS/email I did really well with (along with packets) but once we got into the nitty gritty of filtering though Sysmon (thanks to WinLogbeats) and other endpoints I started to falter a little, I know its an area I am currently working to improve on with DetectionLab. I was able to figure some events out (like power shell script running and what script was ran and was able to pull some “IOC’s” but what made this not fun, was trying to bounce between this, the workshops I signed up for and the various talks/panels…and you know eating XD (I know it was DEF CON but I’m not about that life).

    I was not expecting to win or even go top 10 doing it solo but for my first time using the tools and finishing at the lower end of the 50th precedential or so I’m pretty pleased with my self and I got some weak spots I need to work on and that is perfectly ok!
  • Workshops: While there was some bad as it was a FireHose at some points (and one being around 10PM EST) but these really were the bread and butter other than the OpenSOC CTF. Every since I did a splunk workshop at GrrCON last year (it was really a guided Boss of the SOC v2 AKA BOTS v2) I try to get into workshops. The ones I really liked were creating Jypter notebooks playbooks for threat hunting, NSM in the cloud (deploying Securiyt Onion on AWS..noice). and also writing Yara rules. I know I need to look back on the Yara rules and Jyper notebooks as A) I was really tired and B) in the middle of a good flow with the OpenSOC CTF XD.
    Both are tools I want to get better at using/understanding to help automate some things and to build up better rule sets (in the case of Yara). There was also one with IR which was good, but it was like a CTF and I’ll guide you (which I need to find the link for as it is always up) Thankfull the slides were shared to attendees so now that things are calming down a little a gain its time to go though them again (doubly so once I finish my Detection Lab set up as I also want to add RITA from Active Countermeasures and maybe a metasplotable or OSWAP Juice box vulnerable web app) I can start really applying these and playing around with them. That is the con that if you don’t use it right away, you lose it and this was really the case as back to the normal grind of $employer I really didn’t get a chance to work with these as catching up and other stuff I didn’t get the chance to review/play around like I wanted. If this wouldn’t of been so delayed it would of helped too XD
  • Talks/Panels: Part of the reason why It’s taken me so long to write this is I am still trying to catch up on talks from all the villages. I know being from the Metro Detroit area I spent some time getting some entry knowledge with automotive hacking and some of the basics of automotive networks which I was clueless about, it was good that it was pretty cut and dry simple and wasn’t overly complicated. I really did enjoy the panel talk on IR. As someone that has a rapidly growing interest in DFIR/Threat Hunting/NSM and more active defense (Decoys/Honeypots) this was really informative to listen too from people that do that for a living and get some insight. Another good talk was about BlueSpawn It was funny we just worked with this with on my intro to securtiy course with John Strand/Black Hills Information Security. It was neat to get more background on the tool and part of the reason for its development. If you don’t know Blue Spawn is an open source active defense/EDR product based in Powershell (at lest for what we used it for with the course).

not bad in itself, but made it hard

  • Discord…It was nice for all the Villages and DefCON to have seperate channels. however, the alerting was so distracting with people posting in all the channels. I tried to mute were I could, but then I’d miss things or just ignore channels all together (Sorry Red Team Village). Also I’m “that guy” that has the taskbar on top set to autohide (its clutter) so everytime there was a new ping start menu would drop down and just be distracting. Granted I know this is small and really it was nice to have it “break out” like that and now they are live communities still even after DefCon. But for someone that gets distracted pretty easy or annoyed with things, this was a big no from me XD.

I know this was long over due but with work and trying to take care of some projects around the house due to DEF CON and weather that needed to be taken care of. This was probably the only way I’d be able to attended a DEF CON as I’m not sure the wife would be thrilled with me taking PTO to go fly to Vegas to attended this. Maybe if I can talk to my $employer/contract house and see if they can cover some of it. Maybe life might find away and I get head out that way and maybe score a badge (or a BTV one as well)

On-words to Wild West Hackin’ Fest in a few weeks!

Wild West Hackin’ Fest/Black Hills Information Security-Introduction To Security-0(1)day

I was debating on doing this as a end of the week post with going over things that were discussed and things that I learned, but the shear amount of stuff getting covered i feel that’d just be a huge wall-o-text and need a TL;DR. While this is staying pretty wide over 11 topics that if you are doing, and doing well are a great starting point you can tell the team at Black Hills Information Security (BHIS) lead by John Strand there is still a lot…just not the firehouse SANS type or other “boot camp” styled courses.

Today the first day of the course which of course started with John going on some of his uhh…rants about treating your internal network as hostel (ie treat it like your local coffee shops network), don’t just use one security vendor/product, and compliance, which are ones I agree with in terms of compliance and just checking the box when really you should use compliance/audits to help push the org security posture. I know its easier said than done though as Security is a cost center so you need to apply proper risk to sell the point of doing more than just 7 character passwords for PCI-DSS as an example (even though its less of a requirement than the NIST green book from the 80’s…I Digress). We talked about the 11 controls/Key Tracking Indicators which they call the atomic controls they are:

  1. Application Allow List
  2. Password Controls (Good ole IAM)
  3. Egreess Traffic Analysis
  4. UEBA
  5. Advance Endpoint Protection
  6. Logging (which I noted properly, not just a log toilet for a SIEM)
  7. Host (endpoint) Firewalls
  8. Internet Allow List
  9. Vulnerability Management (done properly based on Biz/org risk and actual asset inventory)
  10. AD Hardening
  11. Back up/recovery

I’m sure to anyone who has been in the security business will know some of these and also tieing some of these things into the MITRE ATT&CK Framework (which was a good point to not play ATT&CK Bingo/Jinga)

What was super ironic is right after this we pivoted to compliance. Learned about the useful tool of audit scripts to help with auditing with various compliance standards and see where you stand. Fun fact, everyone in the course went to the site and we may or may not of DDoS the site with a hug of death. This can help break things into smaller frameworks and can cross reference into your other core frameworks

For me the next part with the Application Allow list hit home, as dealing with doing Deny list on Proxy is a pain in the butt, I didn’t even think about it from an endpoint prospective. I watched this Live at a GrrCon talk were Dave Kenedy just updated Magic Unicorn and just change a character of text and he was owning his test windows box as windows defender and other products didn’t have that signature for the deny list. it was brought up in the course that attackers are breaking up power shell into different parts of scripts now. It was cool to look at Ghost writing aka making a ruby executable with meterpreter, make it a .asm file, edit the asm file, convert back to .exe and you are an infosec wizzard because you edited something in assembly (john’s joke). We also talked about encoding and AV bypass with encoding and obfuscation (see above with GrrCon example). We then went on Application whitelisting using Whitelisting Directories (simply only allowing applications to run in certain directories). While can be bypassed many initial access attacks (drive by downloads) are executed from the downloads, desktop, or temporary directories. Hash whitelisting was also discuses, but the ease of implementing and keeping up to date is a pain, just like Digital certs as not all vendors sign all their .exe or .dlls. For this course we used AppLocker (which I’ll admit it has been a minute since I heard anyone mention this). Native to Windows can whitelist and/or deny based on Path, Ash, Cert, vendor. We created a simple policy just with the defaults of allowing the program files, and windows directories. The on thing that could catch admins off guard is needing to turn on the windows service “Application identity” on the local systems (I’m assuming you could push this out from your AD network if needed) to be enabled. You also need to push the GPO out, as was a issue the demo gods did not like as you need to wait for replication between user accounts in our case.

The next fun was everyone’s favorite Password Controls (I can hear your groan from here). There was a good discussion on password spraying with everyone favorite <sesson><year> (I’m sure password or other default creds can be used if you know any of the devices from any recon you have done as people are smart and forget to tweek those or system accounts). Of course this requires a harvesting attack before the attacker will plug the ID’s into burp and try their best. Once that account is pwned without proper monitoring or UBA it can be hard to detect. We talked about two tools (credking and FireProx).

The big issue that was discussed is that just because you have 2FA/MFA org’s still have password policies between 8 and 10 characters. This only can be somewhat good if it is 2FA/MFA across the entire board, if not bad things are going to happen as you have a 8-10 charter passwords that can get pwned in as little as an hour or so (or even faster if the attacker has a password cracking rig). A good idea for compliance and auditing is having regular scanning of authentication points (with regular penitent-John). Regardless of 2FA/MFA encourage the use of passphrases, Just a few random words that make a phrase. still for complexity and to throw off password crackers add that might be using dictionary attacks (using common dictionary words to brute force passwords) ensure there are numbers and special characters. These can be easier for users to remember as they can use dictionary words to make a random phrase they can remember. You can also use a password manager with a good passphrase and 2FA to help you or your users with passwords (it can help avoid the password reuse or just changing 1 character). But with a password manager if it gets breached, all your accounts could be compromised (again no worse if you use the same password for everything so a good first step is to stop that).

There was some basic 2FA (as mentioned above) aka something you know and have. can be tokens, SMS, or app based (all are better than no 2FA). It was pointed out how to attack SMS 2FA with SIM cloning. After this brief talk on 2FA (as you can talk vendors and different ways to set up 2FA and this is just an intro course after all) We talked about the bane of just about any IT professionals work life, Service accounts. AKA accounts that are used by products to do things, or in scripts were when you change a password you could borked production on a Friday and be the on call guy and get to have an adventure. These need to have passwords that expire and have lockouts. Even if it causes an internal outage, they are used by attackers as they can be overlooked. We then applied what we learned about passwords and how fast they can be cracked with Hashcat. I was so used to John the Ripper from School (almost 3+ years now…crazy) and doing Rainbow tables (which was discussed how now effective they are compared to lets say Hashcat). I’ll admit I will probably have a blog post shortly with some Hashcat adventures once I get my home Lab fully set up, and when its not muggy/hot in my study (its upstairs and its currently in the mid 90’s and muggy, I don’t need a 1RU server making it even more toasty up here) and get some time with that to get more experience with it. Even as someone who is more on the Blue team/DFIR side of the house, understanding how this tools work allows you to better understand the risk they pose and possible attack vectors attackers might use when trying to get password hashes.

We didn’t get to password spraying today so that will be done tomorrow. Hopefully I remember to pop in the 1/2 hour early to get the quick refresher, might be useful for poking my deception systems at work when I am back to work to see how they are alerting XD

Looking foreword to tomorrow though with egress traffic analysis, as someone that is more analytical I love looking at logs and trying to make sense of them and PCAPS and I already see the notes about Tuning with UEBA (which is part of our jobs like it or not if your more on a blue team focus).

Though wondering if we are going to make it that far tomorrow. Regardless of were we get there is going to be a lot of good info and some shenanigans along the way!