Brandon Helms - Make the Dev Do Your Dirty Work

hey good afternoon everybody you I have here that our actual developers and by developers I mean you can be a prototype or you can the enterprise developer hey you can write Python you can even write really good batch scripting awesome awesome then this talks for you how many people do I have in the house set are security professionals of any kind awesome this talk is for you and how many of you think that your developers in your environment have a lot of access that they probably don't realize that they have in their environment awesome so you already know this talk so I'm just gonna regurgitate some stuff that you're already knowing or maybe be thought

you're thinking about and then let's kind of talk through how we use that from a Red Team perspective or from an attackers perspective to where we can get exponential rates of returns from these types of attacks so once again my talk it's about using the developers as a tool because why should I try to infect every single one of you out here if I know you all you slack why don't I just infect the slack app if I can and if I can they affect that slack app then guess what I'll get you over time so that brings this to why you should listen to me right I'm Brandon Helms my twitter handle is chief e chief I'm our chief

operations officer at rendition InfoSec but remove the title from my name what do I do I do red teaming operations exploit develops do things person right kind of like a lot of people in here as a developer you're probably wearing multiple hats you're probably not just sitting on a keyboard typing and if you are at that's awesome its job in the world you're probably also having to kind of engineer try to take people's thoughts and translate them into beautiful front-ends or into beautiful applications that do things outside of that I used to be in the Navy I was a Cryptologic technician for the networks I ended up making chief worked out a few three-letter agencies

did some really cool things and then lastly I am a gymnastics dad so from my development perspective I was able to see the development practices at multiple three-letter agencies at the deal at the Department of the Navy I worked for a company called Palantir so I got to see the enterprise side of it and then even at rendition InfoSec I get to see our security practices and our best practices for programming so I took all of those and I said hey where are we getting you're right where are we getting wrong which now takes us to this piece talking about supply chain entered diction right this is kind of creeped up over us over on us for the last two

years but really this has been happening all along just people are getting smarter turns out CEOs are losing money so that's why it's more important now so in order to know about using software for supply chain interdiction we're gonna talk about the traditional supply chain interdiction we're then going to move to applying that to our software models now to get those exponential results afterwards we're gonna take a step back and talk about why we got here so understanding the mindset of the developer everybody in this audience because at the end of the day you're just trying to do the best you can with what you have and many times those pressures that are put on you create

these environments that create this surface area of unnecessary risk we're gonna then go into the attackers mindset and how has my red team at rendition InfoSec we used the attacker or we target the developer to be able to get us to get these quantifiable rates of returns so with that traditional supply chain so when we start thinking about this we start thinking of hey I'm gonna insert my company in a poverty I'm gonna have a sweatshop I'm gonna be able to turn out these shirts that are dirt cheap I'm gonna get them into Walmart's stores because I'm gonna do something that's gonna make me have that competitive advantage whether it's something malicious something illegal or

I'm just gonna underbid everybody because I can at the end of the day it's for the competitive advantage right so in order to do that we have to get creative if I want to get into the supply chains I'm gonna have to find something that entices you once again if we go back to that shirt analogy what's going to entice Walmart to buy my shirt over somebody else's shirt if I'm gonna say the same exact shirt because one we're just gonna sell it as a white shirt and they're gonna slap some logo on it right they're gonna say hey is your price cheaper can you give me more quantity hey can you make it worth my

while so that's why we do things to be able to say hey I have a company over here to build that company over here it still costs money you get a one-for-one return right in order to get those people in the sweatshops you have to invest to be able to get yourself into that supply chain you have to invest so whether you do get your shirts there it's still a very long and tedious process and a costly one but it has paid off right we'll take AT&T for example who here remembers when the first iPhone came out yep how many of you were not in AT&T service member at the time did anybody swap over to AT&T at that

time oh good answer last time everybody said yeah I swapped over to AT&T yeah I was on t-mobile last time at t-mobile sucked really way back then but long story short AT&T got exclusive rights to the iPhone iPhone was the first smart phone although I think Microsoft did it for years before that but when they came out everybody wanted him and they had that competitive advantage so as the iPhone price went up AT&T went up that's that competitive advantage that I'm talking about there's nothing malicious about what AT&T they just got the upper hand but what happens if we take that same perspective and apply it to some of the things we've seen in recent years such

as their accusations from the Guardian that the US has been involved in supply chain interdiction if you think about it from a US standpoint we have some of the biggest companies here we have Microsoft we have Cisco Apple you pick you pick one of the big fortune 100 companies they probably headquarter in the u.s. meaning that we have many points of egress that we could interject that piece of hardware and to what we want to it all right we say that's far-fetched right but then we heard about this thing called Super Micro and China right and what do we find we found out that these little tiny semiconductors actually had targeted instructions on it that said

hey if this goes somewhere do this and then everybody freaked out because now it's no longer theoretical it's now practical we have tangible evidence we have proof we're now reversing it if you want the slide deck you can have it and I'll walk you through every step of how this was done so now we're no longer in the realm of theoretics we're now in practicality but once again in order to do this this took a lot of research a lot of research a lot of design they had to embed themselves in the right place at the right time and from a physical standpoint that's that's tedious that's very hard to do but let's start thinking about support

right do I need to have a physical location to compromise software no I just have to compromise somebody who has access to that software so from the software side of the house it's scalable meaning that if I infect your application than any client that you have that browses to that application is now susceptible so if you build a web app and I inject on your web portal then anybody that browses that web portal now can be compromised by me once again this was thought to be theoretical a few years back and everybody's like oh that doesn't mean much but then what happened shadow hammer right does everybody know about this the Asus live updater you might call it

a Seuss the update utility what happened some and everything up basically attackers got into the development environment they were able to take a small bit of code highly targeted and inject it into the process of the developer the developers somehow got that code to their master they're in production instance in which it went out and as people got this live updater software they now were infected and directly by the attackers maliciousness does that make sense perfect another one that I was very disheartened about with ccleaner I've been using ccleaner for better better part of the last decade right once again same concept right malicious attackers got in they inserted a little bit of code into the actual code base a code

base made it production that one compromised there got 2.3 million downloads known known downloads with over 700,000 systems infected so if you said hey as an attacker or as a red team I want you to go infect 700,000 people that's gonna take forever if you say hey infect this piece of code and let's see what comes back the rate of it return is exponential this is why we love going after the developer so I just stated what the problem and what the people are doing to attack that vector let's talk about the actual developer I saw that I had a bunch of developers in here how many of you are told that hey we're gonna operate off an agile workflow how

many you're told we're gonna do sprints how many of you're told hey we're gonna do feature release feature release then bug release and then how many times are like oh we're behind I just need all these features will get to those bug releases later right we're not going to rebase we're not going to go back we're gonna keep going forward and forward and forward and you're gonna keep getting pushed and pushed and pushed right I know this because I've been at three different product companies that do three different things from prototype to enterprise development to everything and all three of them are push push push what once again it's no malicious intent it's just we got to get the product out

there you developers are one of the most valuable resources to a company so if they say hey let's take time out let's go back let's rebase let's implement this secure software development lifecycle you're they're gonna be like that's gonna cost me so much money and I'm not gonna get any rate of return out of it so skipping steps right because you want to be able to make sure that you finish those Sprint's on time so how many of you all have been like you know what we'll skip QA here because this is a high priority bug fix that needs to get out today cool we'll do QA on the next release cool I've done it I'm not

gonna say I haven't and then you realize oh that was a bad idea so that takes us into this thing called software development lifecycle I'm in a university right now and if any of you are SCS majors right you've heard of this SDLC and when you look at the textbook definition of the SL CSS DLC it sets you up for failure it brings in two three things that never equals success which is highest quality lowest OP shortest time from everywhere I've ever worked you can have two of those but you can never have three right I can have the highest quality at the lowest quarter at the lowest cost but it's not gonna be a short time and if I want that

shortest time I'm paying a premium right so that being said we already have an algorithm that does not work for us and if it works for you please let me know because you need to be on stage telling everybody at your success story so that being said one thing that I see and maybe this changed a 20-19 but when I went through to get my computer science degree they were not talking about the secure software development lifecycle the model was hey get through your MVP let QA let your internal red team let your app SEC review find bugs and then you know what when they find bugs they'll kick them back to you and and we'll just have a sprint dedicated

to fixing that and then you'll get that back and you'll be like oh crap we have to rebase this entire function or this entire method of this class right is your this library that we import is just we can't use it anymore and what it ends up happening is it now cost you even more right we'll talk a little bit later about how to mitigate or how to work through this but at the at the end of the day we have to change the mindset the culture of how we're developing cool so let's talk about this qualitative term called best practices every company's going to have their own set of best practices some companies are still

using subversion I know this because I was at a company the other month they were still using subversion most people have moved to get cool please don't raise your hand if you but anyways what are all these all these are just centralized repositories that we can all work with so we can collapse in on a project to be able to be more efficient right throwing this with a true agile workflow allows us to be not only effective at what we're developing but it allows us to focus on core of peak features as we're building our application so I kind of did some googling I said hey show me the best practices that everybody says that you

should do when you're committing code or when you're working with code and then I highlighted the ones in red that my team says that they take advantage of and so the first one is commit related changes cool that makes sense usually how I work in your probably same way is there some kind of ticketing some kind of issue and then your job is to go in you typically assign a branch to that issue and then you work it then you commit it UPR it back in somebody does a peer review and then it goes into into master right my next favorite is commit often right where's the security vulnerability behind there there's really not one right it's actually a

great methodology but I want everybody if you develop code if you commit I want you to think about your git commit messages right I heard I hear laughing right that means you must be like me knightly get message done get message yep because yeah absolutely vague right I believe back in the earlier days you only had a finite amount of text that you get actually put in a git commit message so if your commit and often and frequently write just like it says you should and / get guess what you're gonna have tons of get things and they're all going to be vaguely expressed so that's an attacker if if my OC Olli comes in and says you know what

I'm gonna insert some code here git commit dash M cool space - a enter guess what it's gonna just blend in and it's probably gonna make it through that PR right we think about it I think think think right next one is don't commit half done work by man i I blue because I don't ever want is what's what work I have and I swap computers right test your code before commit we all do this I think we're all pretty good at doing this one right that's just a best practice that everybody I'd here's two right gonna commit messages once again we just talked about that and then use beaches I can't tell you how many

developers come into my workshops and commit straight to master but then I how bad I am and not forcing nobody to be able to commit master right I think if you have a github account and you want to make it private you can't commit are you you can't what is it you can't prevent people from writing to master unless you pay for it right so that github like you know what the security feature you really you got to pay five someone I'm like man I don't have the last thing is agreed-upon workflow for the most part if I talk to in here you're a little bit different right does anybody truly work off the verb items

scrum workflow or agile or is it custom tailored to your business units needs right absolutely mines the same way because that then add a there's bits and pieces that just are irrelevant to us cool so we talked about best practices let's actually talk about the attacker side of the house because that's what this talk was focused around for those who have never done those who've never exploited it legally here but we're gonna talk about the legal side of it the thing you first have to ask yourself is where am I going to land and in a network and if anybody knows where they're gonna land you're a better person to me we call it the needle in the haystack

which is basically I don't know where I'm gonna land in your network but I know I'm gonna land somewhere and typically the first place you land is not the place you want to be so over time an attacker will get to those places that they want so how do they decide where they want to go it's based off what they're trying to achieve and if I'm trying to achieve supply chain energy interdiction or if I'm trying to obtain higher permissions that developers my key piece for everybody in here when you develop has your IT company told you hey we don't typically install that software on your pier for people that are like I have to have V s

code or I have to have Adam or I have to have visual studios or I have to have dotnet pick a number right typically the IT department has to bend the rules a little for the developer not only do they have to bend the rules but you're also gonna say hey I need a dev instance to this cloud instance and I've seen a MIDI instance it's like hey hey take this AWS bucket issuer's and your team's or hey take this as your instance and do whatever you want with it and then you're like okay now I need real I need some kind of data to work with and it's not good practice but how many

times they say okay just use the real database but don't write changes to it and you're like okay cool because it does give you great data to work with to build your application but once again you take a step back from a security side of the house the security team says okay well now you have local admin on your machine so you can install all the tools you want now you have access to production data now you have access to your own AWS instance right so you can develop on now you're you learn to look at this you're like oh man these people actually have a lot of access in our network that's what entices attackers to

their machines this is a my github but way github.com slash chief of chief you'll see a lot of exploits prototypes you'll see a lot of half worked applications feel free to make them work I would love you for it the next piece is when an attacker is in that environment they want to survey the landscape so once again as a developer what you mean times you use setted you use grep you get luck to figure out where your you use git branch or git checkout to go out see what you're working with guess what an attacker uses the same exact thing this exact line I do when I get in an environment because it allows

me to know where we're at with that branch were working on and here I could see that on my recon app I'm working on they've integrated open LDAP and user works cool I don't know what that variable is but I'll probably find it out as I looked at the code I'll see that they're making it work don't know what that and I see that they've carved out the template once again I don't know what that is but now I'm already starting to see that hey they don't commit well defined code right or what fine messages as you would call it so now I know what I'm working with I also is it as an attacker many takes

shots I can video record what they're doing and I could just sit back and see what they're working on whenever they call it a day then I just go in there in this instance they were working on the login an application called scoreboard right I saw that everybody hits this page to log in and you know what I said in these comments I'm just gonna insert or inject the code that I want to happen in this situation I said hey let's put an iframe here this iframe will go back to my malicious site and that my Mellisa site will survey them and try to inject any malicious code I can cool if that's making sense that's how easy this is at

this part all the attacker has to do write some git commit message right I said finished implement or implementing LDAP that way it blends in it added one file changed five inserts for deletions I think I had some new lines I removed and then I get pushed it because nobody has their token save to their desktop right yeah exactly so that being said at this point the attacker set some weights because if everything goes according to schedule that code will somehow make it into master it might not be the next day it might not be a week later but it will eventually make it in there and at that time all they do is they have a c2 set

up and now they're just catching callbacks once again once the attacker has done what they've done and they've been detected by the defenders they will go back and they will be able to say at this time somebody committed this code and they'll be able to trace it back to that time and they'll be able to see who did it but it will never say the attacker did it it will only show the developer who committed their coat so once again now you're having to question is this insider threat is this remote where are we at so once again from an attacker this is gold because I now have an unlimited amount of exploitation that's going to happen

once again the ASSU slive update the ccleaner are prime examples of how exploiting one little bit of code has expanded them to hundreds of thousands of machines this takes us to mitigation strategies cuz you never want to just say hey here's a problem you figure out solutions right there is no end all be all there's no silver bullet here I wish there was at the end of the day and I can tell you the two things actually there's three things that I would recommend to make the right moves the first one is training training training training and it starts at the earliest stage what I tend to see is people implement that SDLC and then they add

the security on to the end guess what if you look at the security SDLC you'll see that the first thing is training make sure everybody in the party to include management understands their roles and responsibilities what permissions they have make sure the lease permission is adhere to you know it's much easier just to hook somebody into a production database it actually is painful to create test data right it's it's a pain in the butt create unit test right but guess what if we spend those weeks it takes to build the initial unit test guess what we're not going to be exposing that critical and sensitive data to the attacker if that machine gets compromised the next thing is

culture get out of the mindset of I need to get this product out and I and change it to I need to get this product out safely and securely and what you'll find out is it's not really costing use to too many cycles so what does this mean forcing people to adhere to actual workflows make sure we have software assist where needed I could tell you that whenever I get ready commit anything in a master it runs through a few checks to make sure one I'm not stealing other people's codes so that way we don't get sued secondly make sure that none of the libraries I'm using are outdated and the next one is set it up

in a test environment and make sure it executes without throwing an error right just basic checks but this is something that most software assisted tools have and by having those three things it makes it a lot more secure minimizes my surface area right the one the one thing I don't have up here is leadership this is all clutched on having leadership and the buy-in and everybody knowing expected results cool so that being said I would also hit off with training if I didn't say that already let's head to the depot right originally I wanted to be able to do this demo with three screens I wanted to be able to show you the attacker screen

and what the attacker does I wanted to be able to show you the developer screen and what the Attila the developer saw and then I wanted to be able to show you the clients that went to the app and downloaded and got affected turns out that's a lot of screens and that's really hard in this kind of environment so what we did instead is we already assume breach let's not worry about how the attacker got on the box they got our on the box ooh that's probably bad quality let me know

so what we're looking at here is I have active session on this machine once I have active session on the machine the first thing the attacker is going to do and sorry if you can't see green I thought would show up a little better is you're gonna survey the environment when I start serving in the environment if I'm on a developers machine typically I'll see things like dotnet or I'll CVS code or I'll see visual Studios running and then at that point I do a directory search of the entire system looking for dot GI T right and if I find a folder with GI T then I least know that they know how to pool

get code then I start looking for those folders and seeing if there's repos inside of them and if there's repos inside of them the next piece that I want to do is I want to see if they're actually using them because many times people go to get and they'll just download it to do what they need to do and they're not really writing back to it so here you can see I found that directory called repos I now hop into a shell and on the show I now have command line on that developers machine I see that they're working on five different applications or that they at least have downloaded a five different applications and then I say hey let's go into one of

these because the time stance shows a very recent modification at this point they have went inside this location I've looked and see hey it's a Python app of some kind I'm hoping as flask or Django cuz I'm pretty familiar with those and then I start going to where I no code will be written right start app pi was a prime example go into blueprints see the endpoints I get called into here fast-forward a little bit I find the right file right and on this bio I find the actual login portal for the scoreboard application and I say cool I know everybody has to hit this page once again sorry about the green as I find the exact function I want to

modify I make sure the developer is not currently writing to that because if they write to it and I write to it then they might find out so what I'll do is I'll wait till they go to bed right or I'll wait till they have a slow time that's they're not doing anything I'll check that git log once again we now have a long list of a developer who writes really bad git commit messages which might be me well then translate that into let's download the file let's make our modifications here and in this scenario all I'm doing is I'm opening up a new file and then I'm writing the username and password in plain text into that

file right and then I can have that file shipped off to a server every hour every two hours every time somebody writes to it and then as attacker I win at that point I'll re upload it back to the target I'll do a new commit message and then I'll push it many times when you push you don't have the ability to PR your stuff directly in without some kind of peer review if you're working in a development shop that you can commit push PR and release without any verification you're probably doing something wrong by the way I've been in those environments and then at that point I sit back and relax and as you can see master has been updated so now

the next time this gets deployed to a development instance I start infecting people immediately

on that note do we'll have any questions yes sir

goats lion would definitely slow me down but if cosign is implied then I probably have many more obstacles in place to be able to get me to that next step yes sir

very true yep but I will say if you're at code signing right if you're already implementing code sign you probably already have a better process than most it will slow us down and typically what we'll do at that point as we'll start trying to survey the landscape to see if we can get into one of the other assemblies that are getting passed in that might be by passing code signing because once again not every piece of the code of the application has to be signed right just each of the pieces that you're applying the code signing to yes sir

yeah absolutely yeah does ever anybody hear where I go golang you can pull directly from github right yes oh thank you so much thank you so much if you right going right you can have it always check github for it right and change in that little library or like you said if we have different system paths that we can play with and importing other libraries change in NPMs yeah you don't have to attack their source code but you can tack one of the libraries that are going into it absolutely yep and then it's expandable yeah absolutely once again sky's the limit of where you can take this and I'm not saying this is how a Seuss got compromised racist got

compromised not saying this house secret gets compromised I'm just saying this is what my red team all those people in blue over there this is what they do when they get on developers machine if it's in the scope of work oh yeah yeah so there's a few out there so at my previous company we used circle CI to help with the build and making sure it's getting to the test instances Dru Dennison I can't remember what his company's called he'll shoot me for this but he actually has a company out in Palo Alto that goes through all your code looking for the plagiarisms looking for outdated libraries matches those two known vulnerabilities and shoot you back

hey this is bad code or this is needs to be updated thanks good questions on those what else do we have so this was that I think you asked this very similar question so my friend drew Dennison once again I messed up his I forgot his company's name and he will shoot me but anyways he has a company that actually goes through it scans it he compares it to a bunch of different libraries I want to say that a company that starts with git and then something com might have worked with them or doing similar things okay awesome lastly I want to say thank you all for attending and for those that ask those two questions please I got

something up here for you all everybody else I have some swag I have some coins that have some stickers if you have any other questions about development just think to yourself hey if I was an attacker would I be doing that awesome thank you [Applause]