The Dirty Secrets of Enterprise Security Eight things that plague (almost) all companies!

Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn


Page 1

The Dirty Secrets of Enterprise Security

Eight things that plague (almost) all companies!

Page 2

The Dirty Secrets of Enterprise Security

• Working in security consultancy for over 12 years, I’ve had the pleasure of working with a lot of companies.

• In recent years, my focus has been on enterprise risk assessments, penetration tests that look at the company as a whole and Incident Response. The visibility from these projects has been eye-opening.

Page 3

The Dirty Secrets of Enterprise Security

• Common themes exist at nearly every company

• (In one form or another)

• This talk highlights those themes

• Providing guidance on how to address them.

Image credit: http://cdn2.hubspot.net/hubfs/264546/playbook.jpeg

Page 4

Session Overview

The Dirty Secrets of Enterprise Security

Speaker Introduction

1. Weaknesses in Physical Security

2. Susceptibility to Phishing

3. Vulnerability Management Immaturity

4. Weaknesses in Authentication

5. Poor Network Segmentation

6. Loose Data Access Control

7. Poor Host or Network Visibility

8. Lack of General Incident Response Readiness

Image credit: http://cdn2.hubspot.net/hubfs/264546/playbook.jpeg

Page 5

Speaker Introduction

• Technical VP for NCC Group, based in Austin TX.

• 15-year career focused on Attack & Penetration techniques & defenses

• Prior to that security focused government/military background

• Currently Responsible for:

o Development of Strategic Technical Practices

o Strategic Infrastructure Security (SIS)

o Security Defense Operations (SDO)

• Specialist in Red Team / Black Ops engagements

• Physical Security Assessment

Kevin Dunn

Page 6

www.nccgroup.trust/us

• Formed in June 1999 showing immense growth over the past 16 years.

• 1800 employees in 32 office locations.

• North America, the UK, Europe, Canada, Asia and Australia.

• We strive to provide Total Information Assurance for our clients.

• Offices: NYC, ATL, CHI, AUS, SEA, SFO, Sunnyvale and Waterloo.

• NCC combines US security teams from:

o iSEC Partners, Matasano, Intrepidus Group and NGS.

Page 7

1. Weaknesses in Physical Security

Image credit: http://itiscool.be/wp-content/uploads/2014/06/security.jpg

Page 8

1. Weaknesses in Physical Security

• Unguarded and Unmonitored Secondary Entrance Points

• Systemic Susceptibility to Tailgating

• Camera Monitoring Ineffective at Preventing Physical Breaches

• Desk Security Policies Rarely Enforced

Page 9

1. Weaknesses in Physical Security

Unguarded and Unmonitored Secondary Entrance Points (1)

Page 10

1. Weaknesses in Physical Security

Unguarded and Unmonitored Secondary Entrance Points (2)

Page 11

1. Weaknesses in Physical Security

Systemic Susceptibility to Tailgating (1)

Page 12

1. Weaknesses in Physical Security

Systemic Susceptibility to Tailgating (2)

Page 13

1. Weaknesses in Physical Security

Weaknesses in Anti-Tailgating Technologies

Page 14

1. Weaknesses in Physical Security

Camera Monitoring Ineffective at Preventing Physical Breaches

• In the vast majority of physical intrusion tests carried out

• CCTV monitoring has not hindered the testing in any way

• Including when cameras were attacked

• Why is that?

Image credit: https://www.popularresistance.org/wp-content/uploads/2013/08/Camover-Double.jpg

Page 15

1. Weaknesses in Physical Security

Desk Security Policies Rarely Enforced

Page 16

Quick Wins - Physical Security

• Do not treat it all the same

• Put more effort into securing your most important things

• Recognize that your employees will not always make the right choices

• Sometimes there is no substitute for a security guard presence

• Make physical access hard and noisy

• Make network access hard and noisy

• Make theft of assets hard to achieve

• Provide staff incentives to be your eyes and ears

Page 17

2. Susceptibility to Phishing

Image credit: https://www.redhawksecurity.com/images/Phishing.jpg

Page 18

2. Susceptibility to Phishing

• User Awareness Training Only Partially Effective

• Technical Security Countermeasures Lacking or Under Developed

• Security Team Follow Up on Phishing Events Often Incomplete

Page 19

2. Susceptibility to Phishing

User Awareness Training Only Partially Effective

• Many people believe that the way to ‘solve’ the phishing problem is via training of users to spot and report phishing attacks.

• By itself, user awareness training does not completely answer the threat of phishing - users will make mistakes!

• Most organizations are susceptible to a high degree.

Page 20

2. Susceptibility to Phishing

Page 21

2. Susceptibility to Phishing

Page 22

2. Susceptibility to Phishing

Page 23

2. Susceptibility to Phishing

Technical Security Countermeasures Lacking

• Protection against macros or malicious sites is not effective

o Users will enable macro content when prompted

• Web browsers and content plugins are not kept up-to-date

o Internet Explorer and Adobe Flash are still targets that work

• Application whitelisting at the desktop endpoint can be circumvented

o Use of VBScript and PowerShell typically allows bypasses

• Domain whitelisting can be bypassed (or not applied)

o Use of pre-authorized domains for C2 is easy (GitHub, Twitter etc.)

Page 24

2. Susceptibility to Phishing

Security Team Follow Up on Phishing Events Often Incomplete

Page 25

Quick Wins - Phishing

• Your employees will fall for phishing emails

• They will give away their credentials and run malicious payloads

• Use MFA for all services that support it

• Separate their privileges from other actions

• Email and web browsing should be contained away from ‘corp’ desktop

• Several ways to achieve this:

o Virtual Desktop Infrastructure (VDI)

o Workstation Virtual Machines

o Server Virtual Infrastructure

Page 26

3. Vulnerability Management Immaturity

Image credit: https://eatingheavendotcom.files.wordpress.com/2014/04/messy-baby-176-e1396475370535.jpg

Page 27

3. Vulnerability Management Immaturity

• Visibility of Assets is Typically Partial or Incomplete

• Investment in Internal Vulnerability Scanning Varies

• Depth of System Hardening is Typically Shallow

• Vulnerability Remediation Workflows are Under-Developed

Page 28

3. Vulnerability Management Immaturity

Visibility of Assets is Typically Partial or Incomplete

• You can’t secure what you don’t know about

• Manual, semi-automated and automated discovery

• Assets:

o Find servers / workstations / printers etc.

o The services they provide…

o …and their general purpose within the org.

• There are still a lot of firms that don’t have that complete picture.

Page 29

3. Vulnerability Management Immaturity

Investment in Internal Vulnerability Scanning Varies

• Software license costs for commercial vulnerability scanners $$$

• Network design may contribute to needing several scanner hosts

• Based on this, we see companies forced to prioritize scanning

• This is troublesome in a domain environment

o ‘Low Risk’ hosts can be the entry points to domain compromise

o If they have been de-prioritized in VMP, they may have flaws that are missed

Page 30

3. Vulnerability Management Immaturity

Depth of System Hardening is Typically Shallow

• Patching - Where do you get your patches from?

o Software manufacturers

o Typically first-party patching

• Hardening - Where do you get your hardening guidance from?

o Software manufacturers - Microsoft, Oracle, Ubuntu etc.

o Third party organizations - Center for Internet Security (CIS)

o Government organizations - NSA, NIST

Page 31

3. Vulnerability Management Immaturity

Hacks that work waaay more than they should!

• Poor / No Hardening

o MSSQL Weak SA Password

o Tomcat Manager Weak Password

o Jenkins Groovy Script Command Execution

o Printer Default Credentials

Page 32

3. Vulnerability Management Immaturity

MSSQL Weak SA Password

o A few simple steps to full control of the server!

Page 33

3. Vulnerability Management Immaturity

Tomcat Manager Weak Password

Page 34

3. Vulnerability Management Immaturity

Tomcat Manager Weak Password

Page 35

3. Vulnerability Management Immaturity

Jenkins Groovy Script Command Execution

o Jenkins Integration Manager (source code build env.)

Image Credit: www.pentestgeek.com

Page 36

3. Vulnerability Management Immaturity

Jenkins Groovy Script Command Execution

o When poorly configured, visiting /script gets you to a ‘Script Console’

Image Credit: www.pentestgeek.com

Page 37

3. Vulnerability Management Immaturity

Jenkins Groovy Script Command Execution

o That’s OS command execution! You never know how many privs you have!

Page 38

3. Vulnerability Management Immaturity

Printer Default Credentials

o Printers can be useful!

o Here we are using a default password on a printer to gain access to LDAP credentials stored as part of the enterprise search function.

Page 39

3. Vulnerability Management Immaturity

Vulnerability Remediation Workflows are Under-Developed

• Consider:

o A missing patch for Oracle on a Windows Server 2012 host

o An internal DB permission flaw for Oracle on Solaris

o Weak credentials on Apache Tomcat running on Windows Server 2003

• Who fixes each of these?

• Same people or different people in your IT org?

• How? When? How frequently? Etc.

Page 40

Quick Wins - Vulnerability Management

• You cannot secure your network 100%

• New vulns; missed assets; forgotten things etc.

• Patching - as ever!

• Don’t neglect hardening - create hardened builds

• Plan for failure:

o ‘Other things’ should prevent access to most critical data

o The security of any one system should not be a single point of failure

Page 41

4. Weaknesses in Authentication

Image credit: https://static.securityintelligence.com/uploads/2014/09/2FA-multi-factor-authentication-defeat-cybercriminals-future-how-to-938x535.jpg

Page 42

4. Weaknesses in Authentication

• Weak Passwords in Use

• Passwords Written Down Insecurely by Users and Administrators

• No Separation of Duties between Normal & Privileged Accounts

• Poor Adoption of MFA and / or EPV

Page 43

4. Weaknesses in Authentication

Weak Passwords in Use

Page 44

4. Weaknesses in Authentication

Passwords Written Down Insecurely by Users and Admins

Whenever a user is asked to remember a password, the potential exists they will write it down. The same is usually also true for admins - because they have more than one password to remember.

Page 45

4. Weaknesses in Authentication

No Separation of Duties between Normal & Privileged Account

• The Local Admin Problem

o Some users need to be local admin on their own machines to ‘do their job’.

• The ‘admin in the Domain’ Problem

o Some users are DA or some other kind of privileged user in the domain to ‘do their job’.

• The Email, Web Browsing & Day-to-Day Work Problem

o Those local or domain admin users need to do regular non-privileged IT things as well

Page 46

4. Weaknesses in Authentication

Poor Adoption of MFA and / or EPV

• Multifactor Authentication (MFA)

o Companies are not using it enough

o Externally for cloud services or internally for priv. access

• Enterprise Password Vault (EPV)

o Companies are not using it

o Companies are deploying it with domain SSO

o Companies are deploying it without MFA

Image credit: http://cdn03.androidauthority.net/wp-content/uploads/2013/09/YubiKey-NEO-smartphone-token-password-google.jpg

Page 47

Quick Wins - Authentication

• Users will continue to pick bad passwords

• Even with a complexity filter - Summer2016!

• Organizations do this to themselves with ‘company defaults’

• Implement hardware-based MFA wherever possible

• Make this mandatory for privileged accounts (admins)

• Remove local admin rights / sudo from user’s own workstation

• Separate duties and even workstations for highest risk

• Use an EPV without SSO / domain auth or single-factor
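An added illustration of the ‘Summer2016!’ point above (example code, not from the slides): the classic three-of-four complexity rule accepts that password, so a password filter needs a second check for season/month words, years, leetspeak and ‘company default’ terms. The banned terms and the company name are assumed, constructed values.

```python
import re
from typing import Optional

# Assumed company-specific terms; in practice load the company name, product
# names and any 'company default' passwords the helpdesk hands out.
BANNED_TERMS = ("acme", "welcome", "password", "changeme", "letmein")
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
# Undo the substitutions people use to satisfy the filter: Summ3r -> summer, P@ssw0rd -> password
LEET = str.maketrans("01345@$", "oieasas")


def meets_complexity(pw: str) -> bool:
    """The classic domain rule: 8+ characters and three of four character classes.
    This is all most policies enforce, and it happily accepts 'Summer2016!'."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and sum(1 for c in classes if re.search(c, pw)) >= 3


def weak_pattern(pw: str) -> Optional[str]:
    """Return why a password is predictable, or None if no known pattern matches."""
    low = pw.lower()
    # Isolate the word part by stripping the digits/symbols people bolt on at either end.
    stem = re.sub(r"[^a-z]+$", "", low)
    stem = re.sub(r"^[^a-z]+", "", stem).translate(LEET)
    for term in BANNED_TERMS:
        if term in stem:
            return f"contains banned term '{term}'"
    if stem in SEASONS or stem in MONTHS:
        return f"season/month word '{stem}' with digits or symbols appended"
    if re.search(r"(19|20)\d\d", pw):
        return "contains a year"
    return None


def check_password(pw: str) -> dict:
    """Run both checks and return a verdict a password filter could act on."""
    reason = weak_pattern(pw)
    complexity_ok = meets_complexity(pw)
    return {
        "meets_complexity": complexity_ok,
        "predictable": reason is not None,
        "reason": reason,
        "accepted": complexity_ok and reason is None,
    }


if __name__ == "__main__":
    for candidate in ("Summer2016!", "P@ssw0rd1!", "Acme2016", "correct-horse-battery-staple-9"):
        print(candidate, check_password(candidate))
```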

Page 48

5. Poor Network Segmentation

Image credit: http://www.puppy-training-solutions.com/image-files/dog-jumping-fence-15990511.jpg

Page 49

5. Poor Network Segmentation

• Completely Flat Internal Network

• Network or Host Segmentation Governed by AD Memberships

• Segmentation of Corporate / Operational Networks via Weak Means

Page 50

5. Poor Network Segmentation

Completely Flat Internal Network

• The Domain Controller Connection Challenge!

• If you are not an admin on your corporate network…

• Try to access a Domain Controller over RDP

Page 51

5. Poor Network Segmentation

Page 52

5. Poor Network Segmentation

Network or Host Segmentation Governed by AD Memberships

• Companies still rely on AD to govern access to systems

• If the last 10 years of pentesting has shown you anything:

• Microsoft Domains can be compromised by a number of avenues

• An attacker / pentester can typically achieve Domain Admin

• Based on this, your most critical systems should not be accessible via domain credentials and group membership alone.

Page 53

5. Poor Network Segmentation

Segmentation via Weak Means

• Jump Servers - These seem like a good idea to move between segments, but they are often deployed insecurely.

• Consider this common deployment:

o Jump server is domain joined

o Admins access it via RDP

o No firewalling of other services

o Use of single-factor authentication

Page 54

Quick Wins - Network Segmentation

• There is little justification for a flat network these days

• Design your network like a castle

• Implement segmentation internally (consider internal VPNs)

• Make every effort to secure the methods of traversal

• If you use a jump box, consider:

o SSH access only, with port forwarding into a separate management LAN

o MFA using hardware tokens

o Strict firewalling

Page 55

6. Loose Data Access Control

Image credit: http://www.lionytics.com/blogposts/images/sri-data-leak.jpg

Page 56

6. Loose Data Access Control

• Internal Data Repositories not Adequately Guarded

• Access to Most Critical Data Governed by Active Directory

• Data Access Events not Monitored Adequately

Page 57

6. Loose Data Access Control

Internal Data Repositories not Adequately Guarded

Page 58

6. Loose Data Access Control

Internal Data Repositories not Adequately Guarded

Page 59

6. Loose Data Access Control

Access to Most Critical Data Governed by Active Directory

• Companies still rely on AD to govern access to data

• If the last 10 years of pentesting has shown you anything:

o Microsoft Domains can be compromised by a number of avenues

o An attacker / pentester can typically achieve Domain Admin

• Based on this, your most critical data should not be accessible via domain credentials and group membership alone.

Page 60

6. Loose Data Access Control

Data Access Events not Monitored Adequately

Image credit: https://blogs.msdn.microsoft.com/johnwpowell/2008/08/14/how-to-update-a-sharepoint-user-account-when-they-leave-the-company-and-return/

Image credit: https://social.microsoft.com/Forums/getfile/35622/

Page 61

Quick Wins - Data Access Control

• Data in shared folders or intranet portals is poorly secured

• If data is critical or leaks key info, this makes things easy for an attacker

• Create an internal data classification standard - apply it

• Create appropriate access control for each classification level

• Remember - your most critical data must be away from the Domain

• Also Remember - any information is good information for an attacker

• Log data access denied events and follow them up quickly.

Page 62

7. Poor Host or Network Visibility

Image credit: http://old.trustport.com/threat-intelligence/sites/default/files/ti/image/intro_network_visibility.jpg

Page 63

7. Poor Host or Network Visibility

• Minimal Endpoint, or Network Monitoring

• Lack of Full Packet Inspection for Data Egress

• No Monitoring Available for Encrypted Protocols

• SIEM / Data Aggregation in Use but Sources are Minimal

Page 64

7. Poor Host or Network Visibility

Minimal Endpoint or Network Monitoring

• Examples - most companies cannot:

o Detect the creation of a local user or admin on workstations & servers

o Detect the creation of a domain user (not admin)

o Detect when a machine is added to the domain

o Detect a port scan happening on their internal network

o Detect specific process creation - e.g. PowerShell or others

• Additionally, while the idea has been around for a long time, most companies are not using honeypots or honey data
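The first, second, third and fifth items above are all answered by Windows Security log events that most domains already generate. The following added example (not from the slides) applies simple rules to those records: 4720 (user account created), 4732 (member added to a local group, here BUILTIN\Administrators), 4741 (computer account created) and 4688 (process creation). The domain name, host names, user names and sample events are constructed for the demonstration.

```python
from typing import Dict, List, Optional, Tuple

DOMAIN = "CORP"                     # assumed NetBIOS name of the AD domain
LOCAL_ADMINS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
WATCHED_PROCESSES = ("powershell.exe", "powershell_ise.exe", "wscript.exe", "cscript.exe")
OFFICE_PARENTS = ("winword", "excel", "powerpnt", "outlook")

# Constructed sample events, in the flat key/value form a SIEM holds after parsing EVTX.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4720", "Computer": "WS-0142.corp.example", "SubjectUserName": "jsmith",
     "TargetUserName": "support", "TargetDomainName": "WS-0142"},
    {"EventID": "4732", "Computer": "WS-0142.corp.example", "SubjectUserName": "jsmith",
     "TargetSid": "S-1-5-32-544", "MemberName": "WS-0142\\support"},
    {"EventID": "4720", "Computer": "DC01.corp.example", "SubjectUserName": "svc_hr",
     "TargetUserName": "t.contractor", "TargetDomainName": "CORP"},
    {"EventID": "4741", "Computer": "DC01.corp.example", "SubjectUserName": "jsmith",
     "TargetUserName": "DESKTOP-X1$", "TargetDomainName": "CORP"},
    {"EventID": "4688", "Computer": "WS-0142.corp.example", "SubjectUserName": "jsmith",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"EventID": "4688", "Computer": "WS-0142.corp.example", "SubjectUserName": "jsmith",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
]

Alert = Tuple[str, str, str]  # (rule name, severity, summary)


def _basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> Optional[Alert]:
    """Return an alert for an event worth a human's attention, else None."""
    eid = ev.get("EventID")
    host = ev.get("Computer", "?").split(".")[0]
    who = ev.get("SubjectUserName", "?")
    if eid == "4720":
        # A local account has the machine name as its domain; a domain account has the AD domain.
        scope = "domain" if ev.get("TargetDomainName", "").upper() == DOMAIN else "local"
        return (f"{scope}-user-created", "medium",
                f"{who} created {scope} account {ev.get('TargetUserName')} on {host}")
    if eid == "4732" and ev.get("TargetSid") == LOCAL_ADMINS_SID:
        return ("local-admin-added", "high",
                f"{who} added {ev.get('MemberName')} to local Administrators on {host}")
    if eid == "4741":
        return ("computer-joined-domain", "medium",
                f"{who} created computer account {ev.get('TargetUserName')} in {ev.get('TargetDomainName')}")
    if eid == "4688":
        proc = _basename(ev.get("NewProcessName", ""))
        parent = _basename(ev.get("ParentProcessName", ""))
        if proc in WATCHED_PROCESSES:
            # An Office parent spawning a script host is the classic macro-phishing chain.
            sev = "high" if parent.startswith(OFFICE_PARENTS) else "low"
            return ("watched-process", sev, f"{who} started {proc} from {parent} on {host}")
    return None


def triage(events: List[Dict[str, str]]) -> List[Alert]:
    """Run every event through the rules and keep the hits, in log order."""
    return [hit for hit in (classify(ev) for ev in events) if hit is not None]


if __name__ == "__main__":
    for rule, sev, summary in triage(SAMPLE_EVENTS):
        print(f"[{sev:6}] {rule}: {summary}")
```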

Page 65

7. Poor Host or Network Visibility

Lack of Full Packet Inspection for Data Egress

• Detecting malicious traffic leaving org.

• Key to determining compromises

• Most companies: capability not deployed

Page 66

7. Poor Host or Network Visibility

No Monitoring Available for Encrypted Protocols

• Public figures quote SSL traffic at 50 - 70% of your total network traffic

• Are you inspecting that traffic?

• If an attacker or malware was using SSL to exfiltrate data, would you be able to detect that?

• What if that was combined with a trusted site?

Image credit: https://zeltser.com/bots-command-and-control-via-social-media/

Page 67

7. Poor Host or Network Visibility

SIEM / Data Aggregation in Use but Sources are Minimal

• A number of companies are now using data aggregation

• THIS IS GREAT - but often not complete

• Licensing costs can be a barrier

• Ideally, you’d throw everything in your SIEM - but you can’t

• Prioritize based on:

o What are you trying to find out?

Image credit: https://www.accumuli.com

Page 68

Quick Wins - Host or Network Visibility (1)

• If you can’t see what’s going on - you can’t secure it

• At the very least you need to have visibility of traffic leaving your org.

• Implement egress filtering - e.g. traffic to port X is not needed

• Force all outbound traffic through an authenticated proxy server

• Use domain content filtering to limit simple malicious traffic

• Use NETFLOW and full packet capture to drill into outbound data

• Consider how to break TLS/SSL to inspect this traffic ($$$)

o Non-inline process used for investigations may be appropriate.

Page 69

Quick Wins - Host or Network Visibility (2)

• Moving beyond analyzing egress traffic - consider internal traffic

• Most firms cannot detect simple actions - e.g. port scan against server

• Instead of looking to deploy additional hardware / pinch points

• Consider potentially using the NETFLOW data you already have

• NETFLOW analysis from switches and routers will show anomalies

• A single host scanning other hosts should be easy to spot

• Use data aggregation and alerting via a SIEM to automate
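An added example (not from the slides) of the NETFLOW idea above: flow records from switches and routers are bucketed per source and per time window, and a source that touches an unusual number of hosts (a sweep) or ports on one host (a vertical scan) is flagged, with the count of tiny one-or-two-packet flows as supporting evidence of unanswered probes. The flow fields mirror the usual NetFlow export; the addresses, traffic and thresholds are constructed and assumed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds since epoch
    src: str
    dst: str
    dport: int
    proto: int     # 6 = TCP, 17 = UDP
    packets: int


WINDOW = 60            # seconds per analysis bucket
HOST_THRESHOLD = 20    # distinct destinations from one source per window
PORT_THRESHOLD = 15    # distinct ports on one destination from one source per window


def make_sample_flows() -> List[Flow]:
    """Constructed traffic: one host sweeping and port-scanning, plus normal background."""
    flows: List[Flow] = []
    t0 = 1_465_900_020                      # aligned to a 60 s boundary so all flows share one bucket
    # 10.1.5.23 probes port 445 on 40 hosts, one packet each (a SYN that got no answer)
    for i in range(1, 41):
        flows.append(Flow(t0 + i, "10.1.5.23", f"10.1.7.{i}", 445, 6, 1))
    # the same host then walks 25 ports on one file server
    for p in range(20, 45):
        flows.append(Flow(t0 + 50, "10.1.5.23", "10.1.8.5", p, 6, 1))
    # a normal workstation: DNS lookups and proxied web traffic
    for i in range(30):
        flows.append(Flow(t0 + i, "10.1.5.40", "10.1.0.10", 53, 17, 2))
        flows.append(Flow(t0 + i, "10.1.5.40", "10.1.0.20", 8080, 6, 40))
    return flows


def detect_scanners(flows: List[Flow], window: int = WINDOW) -> List[Dict]:
    """Return one alert per (source, window) that crosses a sweep or port-scan threshold."""
    dests = defaultdict(set)     # (src, bucket) -> distinct destination hosts
    ports = defaultdict(set)     # (src, bucket, dst) -> distinct destination ports
    tiny = defaultdict(int)      # (src, bucket) -> flows with <= 2 packets (unanswered probes)
    for f in flows:
        b = f.ts // window * window
        dests[(f.src, b)].add(f.dst)
        ports[(f.src, b, f.dst)].add(f.dport)
        if f.packets <= 2:
            tiny[(f.src, b)] += 1
    alerts: List[Dict] = []
    for (src, b), ds in dests.items():
        if len(ds) >= HOST_THRESHOLD:
            alerts.append({"src": src, "window": b, "kind": "horizontal-sweep",
                           "count": len(ds), "tiny_flows": tiny[(src, b)]})
    for (src, b, dst), ps in ports.items():
        if len(ps) >= PORT_THRESHOLD:
            alerts.append({"src": src, "window": b, "kind": "vertical-scan", "target": dst,
                           "count": len(ps), "tiny_flows": tiny[(src, b)]})
    return alerts


if __name__ == "__main__":
    for a in detect_scanners(make_sample_flows()):
        print(a)
```

The same per-source aggregation is what a SIEM correlation rule would do over exported flow data, so the thresholds are the part to tune against a baseline of your own network.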

Page 70

8. Lack of General IR Readiness

Image credit: http://www.joegirard.com/wp-content/uploads/2014/06/Be-Prepared-BoyScouts.jpg

Page 71

8. Lack of General IR Readiness

• No Documented IR Plan

• Lack of Third Party Support

• Lack of Telemetry to Support Investigation

• Under-tested IR Plan

Page 72

8. Lack of General IR Readiness

No Documented IR Plan

• A large number of companies have no plan, or are under-prepared

• Determine:

o Threats

o Likely Actions / Attacks

o Potential Business Impact

o Countermeasures to Business Impact

o Response [Detection / Analysis / Containment / Eradication / Recovery]

Image credit: http://www.phoenixts.com/wp-content/uploads/2015/01/NIST-incident-response-lifecycle.bmp

Page 73

8. Lack of General IR Readiness

Lack of Third Party Support

• Maintaining in-house capabilities is hard

• Think of the specialisms you may need:

o Disk and Memory Forensics

o Log Analysis & Triage

o Malware Analysis

o Mobile Expertise

• Consider Retainer agreements with third parties that can help you.

• Consider Legal Privilege.

Page 74

8. Lack of General IR Readiness

Lack of Telemetry to Support Investigation

• Incomplete evidence = incomplete conclusions

• Example:

o Malware infection

o Malware has capability to exfiltrate data

o No network telemetry to determine if that happened

• Audit Board: “was data exfiltrated?”

• Answer: “maybe” :/

Page 75

8. Lack of General IR Readiness

Under-tested IR Plan

• Who does what and when during an Incident?

• Do all the parties know each other?

• Do they know how to communicate?

• Do your technical staff know what not to do?

• Do you drill your IR plan?

Image credit: http://cdn2.hubspot.net/hubfs/264546/playbook.jpeg

Page 76

Quick Wins - Incident Response Readiness

• Planning for the worst is not something we are great at doing!

• But like most things in life, you’ll feel better once you do

• Plan:

o Threats

o Likely Actions / Attacks

o Potential Business Impact

o Countermeasures to Business Impact

o Response [Detection / Analysis / Containment / Eradication / Recovery]

o Third Party Help

Page 77

Session Close

• If your company has some of the things I’ve described (or all of them!) - you are not alone…

• But you should work hard to address these issues.

• Not doing so makes you a very easy target.

Image credit: https://i.redditmedia.com/S4Mo4iNIPHr87bX6OKSnFg59Wu96CwMw7TbILSUSv7Q.jpg?w=320&s=eafab46adeae0884be88a1eec861796b

Page 78

Session Close

• Kevin Dunn

• Technical VP – NCC Group, Security Consulting

• E: [email protected]

• L: https://www.linkedin.com/in/kevdunn

Note: all images used, unless otherwise stated, are from Wiki Commons or internal NCC sources.
