The hidden horrors that 3 years of global red-teaming revealed

okay so welcome um i'm gonna tell you something about the stuff i've seen uh during my red teaming um who am i uh my name is justin bate had the first seven years of my career i spent building stuff and the last four years i've been spending yeah basically breaking stuff right which is an interesting combination um of course after the break we still still help to improve my clients and that's what what it's all about in the end we do red team engagements which means we do an attack on a client as if we were an actual adversary we tried to use a good technique good trick stay out of the blue team and stuff like that operate basically

without being detected we do it in a lot of locations it's good thing we like to travel but as it goes with traveling yes you do get sick in india i also get sick in south africa it's not always fun but overall it's good fun you get to see a lot of stuff you get to see a lot of countries and what interests me the most is actually it doesn't really matter where you go you see the same kind of problems which was quite surprising to me i would expect that in western europe or in the us we would be a bit more advanced maybe a bit more secure than in some other countries overall that's not really the case what

i've seen of course i only come at companies which are actually interested in improving their security so depending on where you go your mileage may vary to keep that in mind during this talk is what i've seen during my expeditions if you will it's not a broad research so classic defense in depth this is something we are all taught right you you have your defensive perimeters it's this is basically where it comes from first you have your mode you have to get over the mode get over the walls every edit layer adds a layer of defense where you can hopefully stop the enemy insecurely we adopted the security onion the defense in-depth layers the idea is if you breach maybe the

system and hopefully the operating system and the different layers in your network will help you to protect your crown jewels your data your ip your transactional systems whatever it is but what i found that's that's works really well if you're being attacked by an army like a castle would be but that's generally not the adversary we're facing right we're facing an attacker which tries to be stealthy and like a castle he's only gonna need one backdoor to be able to get into the castle so he can social engineer the guard so he finds a back door and he gets in and it looks like he belongs and unless you put additional measures in place you're not going to stop him

right so really now we've poked a lot of holes for our clients or users who operate here to actually work on this sensitive data that's kind of required right why do you have a company otherwise and and those are those are the holes i discussed you need your users to be able to work and so all these layers are really really cool but if i can pretend to be a user here or here or here on any of these layers then i can actually get to this data as a normal user would so what i realize is not so much a castle as it is a pyramid right any of these security layers if you will

are required to help you secure they don't add to the security but actually required to be secured to help secure the crown jewels which are kept on top and if you map that against the layers we've previously discussed you get to this amazing stack of my own creation but what i'm trying to tell you is you need all these layers to be secure it's not like you can't just forget one of these layers and then expect the rest to help you secure your systems that's something i want to discuss with you today if you can reach any of these layers which we'll see later can be a little bit easier than you may hope you'll be able to get to those crown

jewels so my first case is organizations which use endpoints which they don't trust basically right we've seen this with multiple locations we they give users laptops they don't configure laptops or they have to system standing around for them to to log into or they expect them to work from home they log into secured vdi environment and they go from there so okay fine right they use a secured thin client or laptop or whatever we saw this at one client and we uh yeah we were struggling a bit uh there was nothing exposed on the network we only had this vdi portal they could look into but what we realized is that actually a specific case

the thin clients were just sitting there they were locked in you didn't log into the thin client you use the thin client to get to the portal so what we were able to do one night is hang around a bit stay until everybody leaves and then actually compromise the uh the think lines by just going to them and executing something in user space so that means that your your model or your implant is running in the user space you don't have any high privileges but it's enough to keep an eye on what the user is doing now these users are afterwards logging into their vdi environment and using the credentials they have get to the systems they need to go

so from that point we were able to capture those credentials they were using and actually start escalating in the vdi environment and and the problem here is it's not really readable through the beamer anymore but the hardware was completely hardened we couldn't get into the hardware and all these upper layers were also completely hardened because you only had this vdi we couldn't get any credentials for it initially but because the operating system allowed you to just start up the thing and and log in and basically run some low privileged applications we were able to get an agent running there and basically get in here and move up from there i hope this kind of makes sense

so the next case you see that by breaching this layer everything else fell over basically um the next one was a company where they were then an office network wasn't all that all that special but it wasn't all that interesting data in the writer for us so we were looking to go to their uh their pci environment right payment card industry that's where they keep the transactional data credit card data stuff like that that that's heavily uh governed by pci dsas the data security standard from the credit card companies and and you're not supposed to just get in there so this client there they checked all the boxes they had a vpn connection to that data segment

and they actually protected that with two-factor authentication so even if you you're able to get the credentials you will still need a token or whatever to get there so we were thinking okay so what can we do well it turned out that actually the administrators administrating the pci network they they didn't really know how to handle the fact that they were using 2fa or what that actually meant so they just set up that vpn and kept it open right two-factor authentication can be a pain you have to use your credentials and then look at your phone or your token and put in the token and and they're like i'll just keep it up so instead of protecting you it actually

keeps the session open and then it was pretty easy for us to just get on their laptop and pivot over their system to get to this pdf pci network right so the fact that they had two-factor authentication was a great control on paper but in practice no one told the admins to actually disconnect after they were done and then you see again and then you're you're a user we already had the credentials from here you can just go up in the pci network uh i'm going a bit fast i see let's see third case is a four-hour principle case um again you see a client the office network was okay not great but then the real the real nice systems

they were behind the two to a 4i principle so if we wanted to put in a transaction they actually needed someone else to approve it now this is a great control if you're talking about fraud people just trying to put their own transaction into the system of using the system but it's not a security control if you don't add anything extra beside the fact that you're using for i just the two people logging in all the all the information you need to get in the system is found here which has already been breached so this 4i principle doesn't really add anything it just tells me i need to log in twice yes i'm really rushing through my slides

yeah so my main story my main point is you cannot build high security systems on lower security layers right if your story is i don't care too much about my laptops or my endpoints then that's fine but you cannot expect the users using those laptops and endpoints to keep your eyelashes your data secure without adding extra controls if you go back if they would have added a two-factor solution here right then it would be much harder for me to get into those systems than that for our principle could also be a security control even if we could somehow hijack someone's session and get in that's possible but you still have to wait for someone to actually do that and

then have to wait for the second person to do it so i can approve it which immensely raises the risk that i will be detected it gives the company time to react and and as we discussed before there's lots of vlogging and i don't know most of you i think so i thought i saw hexer presentation and there's lots of long going on if i try to log into a system which turns out to be protected by two factor it should pop up in the loss and be alerted similarly if you go back to the pci network if the admins were being instructed look we're going to put in two effects authentication for a vpn

we know it's a pain but it's a security measure and you're supposed to shut down your vpn when you're done that's again something that will slow you down as an attacker it won't prevent you from the attack but at least it will force you to wait for an admin to go there log in it greatly increases the risk that you'll be detected it will slow you down and give the company time to respond similar to the first case yeah they they thought that there's nothing here we don't have to really secure this there was no malware detection for for our implant to be picked up with there was no monitoring to see that we were messing around with it

right so you see they're building security on top of unsecured systems

those were my slides yes i see questions yes i'm assuming you made recommendations on how to fix things of course on case one what was the solution to stop them from getting into the vdi session vdi session or into the once you once you compromised the host yeah you had access to the vei session correct correct so what was what was your recommendation to so we made a couple of recommendations one was to do for them to think about rolling out 2fa definitely for calling in from the outside possibly from the inside which would prevent it but more so hard in your system like it is a kiosk because you are using it like a kiosk

there's no reason for me to need to be able to execute stuff from a usb drive make sure it's not locked in all the time if you want to use generic accounts at least make sure it's locked out after people leave and it's not left logged in and those kinds of recommendations right but you have to think about how the company is operating and you can tell them you cannot do this but this is something they invested millions in so you need to find a way to get them aware of the situation try to fix as much as you can but also implement the monitoring to make them aware to make them see that something's going on

but you cannot completely change their business model that's you can try recommending it but they won't yes most of the solutions are windows based so uh imagine with uh uh ms-17 vulnerable you install keyloggers and you go in from anywhere yeah

so can we go back to the pyramid for a second because you mentioned that in one of these cases i don't exactly remember which one but that you hung around and you got access to it that sounds like you had to be first one okay so that means you have to be there in person physically present where does that show up in this pyramid well it's not in this pyramid um physical security that's that's that's something we also assess and depending on the engagement we have we will be inside or outside um but shouldn't that be the foundation that everything's built on because if you have physical access then sure no that definitely mean hardware is in there but physical

security is is kind of a different chapter than what i was discussing here but definitely yeah physical security if you can touch a device you have a risk yeah

it's not everything yes

other questions yes uh based on your experience uh what what is the most successful phishing technique to get an agent on a host like for remote is that is that emails or is that uh or i mean attachments in emails or is that links to hdas or

so what we use a lot and what still works is either attach documents or tricking a user into downloading a document and that can be a docker x can be an aca file um but if you if you're talking about the most successful right i mean doc docs docx especially topics which aren't macro disabled they get picked up a lot faster by nd anti-phishing software stuff like that so mostly we go to uh for example getting someone to go to a portal and download something uh it could be signing up for something and getting a flyer getting discount something like that yeah thanks the fishing fish that the spam filters are really keen on getting out

malicious attachments well it's sometimes less so for the the ids or something like that any other questions still plenty of time left so

one more are you sure yeah well it's the first time i've asked the second question so i think it's allowed right let's hear it so this is the current state of affairs how do you see this changing in the future as in is there going to be technologies that you're really looking forward to as to we can start using this uh do you see any changes in the way that you're currently doing your work this is not going to be solved with software solutions this is not going to be solved by technology this is something that the admins and the architects of your networks and systems need to understand how sharing your keys in lower and high

security systems it's it's basically downgrading your low security your high security system right it's similar to saying so this group of admins has this server to manage another group of admins has this server to manage but they all use the same file server right you still have your point where you can jump as an attacker and that's something you need to change in your architecture and your way of thinking and it's it's not user friendly definitely and it's something we need to solve and i don't have a ready-made solution but it is something we need to talk about so you don't think some of the sandboxing that's coming into play in mac os now in windows 10 as well is going to

help with that because i mean you're you you do get kind of stuck into one user environment i mean to a certain extent even if you compromise that one user account doesn't mean you're going to compromise other user accounts yes but then you then you're talking about just the endpoint exploitation and a large part of this is all the the lateral movement and the escalation we do in the network so that that's not based [Music] isolated to one host let's say and definitely it will definitely help and it's already helping with accidental infections uh downloads and stuff like that but we would need to see a bigger roll out for that to happen to have an actual

impact but if you're talking about really targeted attacks they will they will find ways to get around that or find another attack which is not sandbox

okay i think that's it thanks thanks josh