1 / 43

Critical Security Controls: Lessons From Penetration Testers

Critical Security Controls: Lessons From Penetration Testers. Today’s Presenter. Loras.even@rsmus.com. National FI leader for security, privacy and risk consulting Also National Leader, Technical Security Services Located in Cedar Rapids, Iowa

mflood
Download Presentation

Critical Security Controls: Lessons From Penetration Testers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Critical Security Controls: Lessons From Penetration Testers

  2. Today’s Presenter Loras.even@rsmus.com National FI leader for security, privacy and risk consulting Also National Leader, Technical Security Services Located in Cedar Rapids, Iowa Created the attack and penetration testing practice in RSM in the late 90s, plus about six other practices Helps clients build or enhance cybersecurity programs domestically and globally More years of experience than I openly admit to Other interests are reprograming vehicles, disabling OnStar, GPS tracking, etc. Loras Even Principal – Security and Privacy Risk Consulting

  3. Today’s Presenter Dave.cossa@rsmus.com 7 years with RSM Sits on RSM’s national security testing leadership group Specializes in penetration testing, social engineering, and tool development Located in Des Moines, Iowa Hobbies outside of work include basically doing the things I do at work Dave Cossa Manager – Security and Privacy Risk Consulting

  4. Overview Review of cyber insurance claims over the past year Take a brief look at the state of threat actor activities in 2019 Discuss the state of RSM’s offensive operations in the past year (external compromise / internal impact) Examine critical controls that were not in place or not appropriately enforced at each link in the attack chain

  5. Cyber Insurance Claim Statistics

  6. 2018 NetDiligence Claims Study Source: https://rsmus.com/content/dam/mcgladrey/pdf_download/wp_0119-netdiligence-cyber-claims-study.pdf

  7. 2018 NetDiligenceClaims Study Source: https://rsmus.com/content/dam/mcgladrey/pdf_download/wp_0119-netdiligence-cyber-claims-study.pdf

  8. 2018 NetDiligence Claims Study Source: https://rsmus.com/content/dam/mcgladrey/pdf_download/wp_0119-netdiligence-cyber-claims-study.pdf

  9. 2018 NetDiligence Claims Study Source: https://rsmus.com/content/dam/mcgladrey/pdf_download/wp_0119-netdiligence-cyber-claims-study.pdf

  10. 2018 NetDiligence Claims Study Source: https://rsmus.com/content/dam/mcgladrey/pdf_download/wp_0119-netdiligence-cyber-claims-study.pdf

  11. 2018 NetDiligence Claims Study Source: https://rsmus.com/content/dam/mcgladrey/pdf_download/wp_0119-netdiligence-cyber-claims-study.pdf

  12. State of Threat Actor Activities

  13. Threat Actor Activities Attacks coming from a mixture of internal & external sources Phishing is still the primary method of gaining network access Phishing attacks focusing on stealing credentials to be used to log into email Tables from 2019 Verizon Data Breach Report

  14. Threat Actor Activities Tables from 2019 Verizon Data Breach Report When payloads are being used, office documents containing macros, OLE (Object Linking & Embedding), or DDE functionality are the favored vector Other payload types that allow for immediate execution on-click (.js, .hta, etc.) have seen increased usage due to proliferation of offensive toolkits

  15. Threat Actor Activities Statistics obtained from 2019 Symantec Internet Security Threat Report • For the first time since 2013, there has been a decrease in overall ransomware activity over the past year • However, ransomware is trending more towards enterprise infections (vs. consumers), with business-related ransomware outbreaks up 12% • Powershell scripts continue to increase in popularity amongst ‘commodity’ attackers, but have become easier to detect • over 1000% increase in malicious script blocks in the past year

  16. Weaponization & Delivery • Next, we’ll take a look at how we gained access to networks & escalated that access to gain access to sensitive data over the past year • Hopefully by now you all have your hacker ski masks in the appropriate ‘down’ position

  17. Takeaways From RSM’s Operations In 2018-2019 External Compromise Vectors

  18. External Access Methods The number one way we’ve gained access to organizations is through a lack of Multifactor Authentication (MFA) on VPN / Email / Citrix etc. Passwords can be easily phished, guessed, or obtained from breach dumps

  19. External Access Methods Lack of MFA plays a large role in another common way we’ve been able to gain access – via insecure externally facing services such as SMB, RDP, RPC, etc. These are services which can give a user the ability to remotely execute code, potentially with administrative rights, and oftentimes cannot be configured to use MFA Moreover, these services are often vulnerable to remote code execution attacks (BlueKeep, EternalBlue, etc.) that can allow an attacker anywhere in the world the ability to ‘point and shoot’ and in turn gain admin rights on your network

  20. External Access Methods – Key Controls • So what can we do to protect ourselves? • Review your web-facing footprint, identify all web login portals and ensure high-risk services are only accessible via VPN and are not exposed to the world • Ensure all web login portals (including cloud-based portals such as Office 365) are configured to use some sort of MFA • If portal can’t be secured, consider retiring it or developing an alternative

  21. External Access Methods – Key Controls • Change password every 90 days: ok, something that’s easy to remember that changes every 90 days… 3 months… Season? summer • 8 char minimum length: Summer by itself isn’t long enough, lets toss the year on to the end, that way we also hit the 24 passwords remembered requirement: summer2019 • Complexity enabled: Well we need 3 of the 4 (lowercase, uppercase, number, symbol), oh I know, lets just capitalize the first letter! • End result: Summer2019 -- this password is completely fine if using the ‘accepted’ standards • What makes a ‘good’ password? • We historically have seen the following configurations recommended: • Change password every 90 days • 8 char minimum length • Complexity enabled • 24 passwords remembered • What does this lead to? • Predictable, repeated user passwords:

  22. External Access Methods – Key Controls • How do we fix this? • Longer minimum password length (passphrase vs. password) • Increased duration between forced changes in order to discourage simple pattern guessing (Password1, Password2, Password3, etc.) • Employee training & education • Stress password uniqeness

  23. Phishing Domains We often perform targeted phishing from expired domains or similar domains using ‘official-looking’ TLD’s.

  24. Phishing Domains – Key Controls Monitor domain records, use expireddomains.net (or a similar tool) to check what domains are available that are similar to yours. Block traffic from YourOrg.* TLD’s not owned by your organization Block or quarantine messages from senders without valid SPF records in order to increase difficulty in spoofing email messages Apply a ‘sent from external sender’ tag to messages coming from outside the organization

  25. Payload Delivery We frequently use links to dropper sites containing malicious code vs. a direct email attachment in order to evade spam filters / sandboxes Have moved away from macros in our offensive operations due to high detection rate of process creation chain / injection using static winapi calls More employees will click links vs. open attachments typically AV remains trivial to bypass in most cases

  26. Payload Delivery – Key Controls Employee awareness training focused on risks of clicking links, how to identify phishing links, etc. Block macros on documents from external senders, block suspicious filetypes(.hta, .vbs, etc.) at perimeter from non-trusted domains

  27. Post-Exploitation Offensive Tooling As noted, malicious Powershell detection is up over 1000% over prior year This doesn’t necessarily mean attackers are using Powershell more often, but that defenders are getting much better at identifying malicious usage Under most circumstances, offensive PS usage is dead for advanced attackers Attackers have been moving to .NET/CLR languages (c#, booLang, IronPython) for post-exploitation tooling, but really any language goes

  28. Post-Exploitation Offensive Tooling – Key Controls • Ensure Powershell is updated to v5.0 • A big reason for the increased malicious Powershell detections is the introduction of AMSI (anti-malware scan interface) hooks into this version • Update .NET v4 to the latest version in order to get AMSI hooks into the popular ‘execute-assembly’ functionality leveraged by attackers to execute tools • Monitor / disallow binaries on the ‘Microsoft Recommended Block Rules’ list, as these cover the majority of stage 0 execution vectors in a compromise • https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

  29. Endpoint Detection & Response / Antivirus ‘next-gen’ EDR solutions are a big improvement over their more traditional signature-based AV competitors, but bypasses are still possible There is no ‘silver bullet’ in security Defense in depth, robust monitoring & alerting at multiple points in the network are key Microsoft ATA, DarkTrace, etc. can make an attackers job of getting anything useful out of a network much more difficult

  30. Takeaways From RSM’s Operations In 2018-2019 Internal Network Lateral Movement & Privilege Escalation

  31. Internal Network Operations What happens if an attacker is able to gain code execution on one of your systems? This is the focus of an internal penetration test The goal of an attacker is not necessarily to gain administrative access to the network, but rather to gain access to sensitive data Typically when an attacker gets onto a network they have ‘user’ level permissions (the permissions of the user that opened the attachment, gave away their credentials, etc.)

  32. Multicast Traffic Poisoning • Link Local Multicast Name Resolution • Say that three times fast • Enabled by default, no security/authentication component • NetBios Naming Service (NBNS) and IPv6 have similar weaknesses • Allows us to intercept traffic and impersonate users on the network Image from pentest.blog

  33. Multicast Traffic Poisoning – Key Controls Disable LLMNR, NBNS, and IPv6 when possible These protocols are not typically used in most corporate networks Typically can be disabled on large numbers of systems via GPO

  34. Re-used Account Passwords • Built-in account password re-use • An attacker with admin rights can dump the local SAM database and obtain NTLM hashes for all local accounts • Oftentimes these accounts are shared between systems, letting attackers password spray and gain remote administrative access via pass-the-hash • Lets us turn a compromise of one system into a compromise of many systems • Service account password re-use • Similar concept, lower-privileged accounts using a password shared with other, higher-privileged accounts

  35. Re-used Account Passwords – Key Controls • Utilize Microsoft’s LAPS (Local Administrator Password Solution) or another identity management tool to set unique passwords for all local accounts on systems • LAPS is free  • Audit last password change time on administrative and service accounts, and discuss password management procedures with IT to ensure unique passwords are in use for service accounts

  36. Excessive Rights for Systems and Users • Excessive administrative rights on systems (allowing all users / large groups of users admin rights) make it much easier to move around the network • Typically a legacy setting due to old software which ‘required all users to have admin rights’ • Kerberos unconstrained delegation on systems allows an attacker to impersonate any user or system they can convince to authenticate to it • Typically seen as another legacy setting

  37. Excessive Rights for Systems and Users – Key Controls • Restrict local admin rights as much as possible • Bloodhound is a great tool for use by defenders that maps relationships in Active Directory • Can easily show administrative rights in an intuitive graphical manner • Query AD for systems configured with Kerberos Unconstrained Delegation (or via Bloodhound)

  38. Patching & Remote Code Execution Missing patches is the oldest trick in the book. I still see MS17-010 (EternalBlue / WannaCry) on 50%+ of engagements I’m involved with (this vuln is 2.5 years old) Bluekeep on 100% of engagements The bad guys will be able to find the old system sitting in the corner that hasn’t been patched in three years There will always be the next ‘Big One’

  39. Patching & Remote Code Execution – Key Controls • Prioritize high-profile and high risk bugs • Scan the internal network to ensure high-risk vulnerabilities are patched • Don’t make exclusions unless absolutely necessary, the bad guys wont. • Consider patching schedules for things such as Exchange Server which aren’t covered by traditional patch management tools • PrivExchange is still seen on ~1/3 of engagements

  40. Default Credentials • Default credentials on network devices (printers, iLO interfaces, etc.) can allow attackers to control the device • There are big lists of default passwords out there • Printers, especially multi-function devices, can be a great starting point. • If we locate a printer with an LDAP connection set up on it we can point it to our system and grab the credentials the printer is configured with in plaintext. • Ensure proper hardening and configuration standards are in place, which include changing default credentials on devices on the network.

  41. Summary • Don’t Panic. • Plan to fail, but plan to fail gracefully. • Ability to know when a control has failed • Ability to recover quickly and with minimal damage • We’ve pointed out methods to bypass individual types of controls on a case-by-case basis. • Consolidated, robust controls defense-in-depth style are the most effective.

  42. Summary • Just because the attacker got into the networkdoesn’t mean they have “won.” • Do not become a “hacker snack.” • Hard and crunchy on the outside, soft and gooey in the middle • Every hoop you force the attacker to jump through is a chance for you to detect them… if you are watching. • With appropriate controls, it is now the attacker that has to ‘be perfect’, a single slip could alert defenders and result in them losing all access

  43. Questions ?

More Related