
A Cascade of Pebbles: How Small Incident Response Mistakes Make for Big Compromises

BSides Detroit · 49:11 · 487 views · Published 2013-06
About this talk
BSides Detroit 13, June 7-8, 2013

Abstract: This talk will center on the success of a penetration test that was largely due to gaps in the target company's incident response process. Numerous small mistakes combined to create a perfect storm of compromise and data exfiltration. The presentation will highlight how the incident response shortcomings allowed the attacker to stay weeks, days, hours and minutes ahead of the responders.

Speaker: Josh Little (@zombietango)
Transcript [en]


So, good afternoon. Our next speaker is Josh Little. Josh is going to be talking about incident response. Also, just as a note, keep your sidebar conversations, if you can, to a minimum. Whispering is a little distracting. These guys put a lot of time and effort into the presentations and we're all here to learn, so nothing wrong with the whole sidebar, but if you have to carry on a conversation, there's plenty of room outside of the conference.

All right, hi everybody. Oh no, no, "Hi, Dr. Nick." Geez, come on. All right, so the talk is called "A Cascade of Pebbles: How Small Incident Response Mistakes Make for Big Compromises." Okay, a little bit about

me. I'm a senior security consultant at VioPoint. I'm also the chapter leader for OWASP Detroit; we've got a meeting coming up next week, so come on out if you want to hear about, what are we doing, designing for hostile environments. I'm also a founding member of MiSec, and I'm also probably the only infosec pro out there who's got a degree in philosophy and medieval history, so it's kind of a weird way how I got here. I also try not to talk too fast, but I always end up talking too fast and going on and on and on, so we're going to try and keep that to a

minimum today. I'm @zombietango on Twitter and the other various things. So yeah, I'm also a dad, and if you ever wanted to know what a two-year-old does with a jeweler's screwdriver: she tries to pick locks with it. I didn't teach her that; I've never shown her how to pick locks, she's never seen it before, but she decided that's what it's for. So, awesome.

Okay, so the talk today is kind of a bit of a morality play. I don't know if anybody's familiar with the concept of a morality play; it's essentially a vignette into somebody's downfall for the edification of the listeners in how to live a more moral life. In this case

it's going to be taking a look at a specific test that we were involved with, taking a look at the mistakes that the responders made, and using those as a set of lessons for proper and improper responses to incidents.

Okay, so as I said, this is based on a series of penetration tests conducted against a large company. They have a maturing security program there, so they've got a decent infrastructure in terms of security: detection capabilities, different sets of controls, they've got processes in place, but they're really kind of working into this. And so this test became a

very good teaching tool for them in terms of learning what they still need to be doing, learning where some of their pain points and mistake places occur, things like that. We're going to keep the names of the innocent here omitted for their protection, same with the industry that they're in, and also a few things have been changed in this story, more for narrative reasons rather than to hide anything. So the point of this is also not to pick on anybody involved. We're really not trying to make fun of these guys or shame

them. It's better for people to make mistakes in this kind of a context than it is for them to make that same set of mistakes when it really, really matters. So we're going to use this as kind of a training tool, both for us and for them.

Okay, so the setup. Our client engaged us to perform a multiple-week, really no-holds-barred penetration test with the ultimate goal of trying to get into a secure data network that they maintain. So really we had no real restrictions on what we could try. The only things were: we were going to come from the outside, and we were not going to be given any accounts or

anything like that; we had to discover everything on our own. Okay, so the initial foothold was gained through a somewhat simple but still elaborate social engineering attack, and the total time we stayed within the network was about three weeks. So we were really trying to represent that kind of evil three-letter-word kind of scenario here.

All right, so the initial attack. As I said, it was a social engineering attack. We took a look at the external network; the controls there were pretty solid. They had some web applications, some of them were slightly old, they were out

there, but there wasn't a tremendous amount of stuff to do. In taking a look at that, we did find one interesting vulnerability, in that they had an older control that would print the requested web page as a PDF. Well, the problem was that the system generating that PDF was on the inside of their network, and so you could just request various different servers on the inside of it. So you start making up things like web.<name of the company>, internet.<name of the company>, sharepoint.<name of the company>, and you start getting back some interesting stuff. So we were actually able to do some reconnaissance on the inside by forcing this thing to

print the content of that web page to PDF and send it back to us. So that was kind of interesting; we got some fairly interesting ideas about what we could use for social engineering pretexts from that.

So the first pass that we did was pretty standard. We were trying to see, well, let's see if anybody actually falls for just the generic email that comes out. So we took a look and we found out that they were using a certain fairly well-known travel and expense vendor for that kind of stuff. So we mocked up a little bit of an email that said, hey, we're changing security protocols as of

this date, you need to install this new client certificate on your machine to make sure that you're going to be able to access our new secure services after such-and-such date. We had grabbed a bunch of email addresses by scanning through LinkedIn: we essentially found the company page, pulled up all these things, found some public email addresses, and assumed that the pattern we found in the public email addresses matched throughout the whole company. We then set up a script that pretty much took all their names from LinkedIn, matched them to that pattern, and created email addresses out of them. So we had somewhere in the

range of 120 to 140 different potential email addresses. We looked through those and figured out, again using LinkedIn and Facebook, who these people were: what kind of level were they, were they director level, were they just general users, what business unit were they involved in. We found some of those that would probably be more likely to use that travel and expense vendor in their day-to-day stuff. So if we found somebody that's the janitor, they're really not going to be sending out expense reports, but if we see that guy that's the traveling salesman, yeah, he's probably going to be sending out sales reports, or expense

reports, so he's going to be the more preferred target for that kind of stuff. Well, in the end, yeah, it didn't work. Here's kind of what we used for our email; it's kind of hard to see there, but it's essentially saying, hey, come on, please install this Concur Solutions certificate installer, which actually was a Core agent. So nobody fell for that. We were kind of disappointed. I was like, wow, man, we should at least get one person to click on the link to go grab the installer. Nobody. Like, damn, that was obnoxious; we put a lot of work into that. So we're like, well, you know, maybe, I don't know, maybe they're just

not going to fall for that kind of stuff, maybe it got caught in the spam filter, what the heck. All right, so let's not abandon this, let's try again. So we decided to really ramp up the legitimacy factor in this thing. We went kind of balls out and developed an entire fake government policy agency that was within the sector the company was involved with: everything from a website with news reports, member content, mission statements, photos of their board, a whole bunch of other stuff. Put that thing up there, sent out to another group of people an email saying, hey, we're partnering with your company, we want to get ideas on employee

opinions within your sector on certain current and future governmental policy standings. Okay, just come on, please come to this page, fill out our survey. When they went to the page, we had the company logo there, we had their stock ticker ID, we had their entire "About" section that we pulled from their website, we had that alongside all the stuff from the government policy agency. And last but not least, we said, hey, to increase participation in the survey we're going to give out a free Apple iPad to a random person, but we've got to make sure that you are who you are. So at the end

of this survey we're going to ask you a couple of pieces of information about you, and hey, just to verify that you really do work for the company, we're going to ask you to log into this login portal that goes to your company. So we kept hammering over and over and over that the way you're going to get this Apple iPad is if you finish this full registration; any survey that doesn't have this thing is not going to go in the drawing. That was in the email, it was on the front page of the survey, and it was at the bottom of the survey at the registration portion. So we're like, really, we really want you to

just give us your username and password. And it was all fake. We had a back-end PHP script that was essentially pulling the user's full name, their title, their phone number, their username, and their password. We of course told them that, no, no, no, the content that you fill into this form is going off to your company, we never see it, don't worry about it, it'll be fine. No exploits, no need to bypass AV, nothing else like that; we're just going to ask for their username and password. And it worked. Our first and only response was within two hours of sending out the emails. Our responder was a director-level employee, a longtime employee of the company and close to

retirement. "I trust everybody." That's right. So this occurred roughly about 4:00 p.m. on the day we sent out the email.

All right, so the first pebble. So we sent out this email. We kept the target list small because we didn't want to really hammer this and make a big deal about it; we wanted to get it fairly targeted, we wanted to make sure that it wasn't hitting anything that was going to set off alarm bells, anything like that. But still, one of the recipients of the email took a look at that and said, this is phishing. He sent it down to the help desk and the security teams. Okay, this

was fairly close to about the time that we got our one hit on our script. So he goes through, and he's really kind of gung-ho in this. He's like, yeah, I'm going to take a look at this, I really want to figure out what's going on. He's looking at it, he's like, I don't know, it looks legit. He Googles for our think tank name and it comes up; we're the second hit on Google for that think tank name. I had at least had the thing up for about a week before we actually sent out the emails; Google picked it up, it was on there. Hey, if it's on Google, it's legit. He goes to the

homepage of it, because we've got the web logs that say he went to the homepage of it, and he's looking around: look, it's got news tickers, they've got a board, they've got all this kind of stuff, it looks legit. He does a DNS search and finds out that I'd forgotten to create an MX record in DNS for it. So he said, ah, it's got no MX record, this has got to be spam. Congratulates himself, says, yeah, I figured it out, it's spam.

I hate that word. I absolutely hate the word "spam," mainly because this isn't spam. Okay, spam is Viagra ads, spam is, you know, Nigerian prince scams in some senses. Okay, when the

end user thinks of the word "spam," hey, is this spam, they're thinking of that kind of stuff. They're not talking about something where somebody went through a full week's worth of work to put together a completely fake organization that's very, very minutely targeted toward your organization. Don't call that spam, because end users and everybody else think, oh, it's just spam, nobody cares about spam. All right, that's a targeted attack; that's something in the realm of state-sponsored and, you know, high-end hacker organizations, that's that level of stuff.

[Audience member: Sure it wasn't just that you were personally offended because all that work you did, he called it spam?]

Hey, I don't really care that he called it spam, personally. I just

don't like the use of that word, because it conditions end users to think it's the fluff that shows up in their spam folder in Gmail. Okay, once end users start being able to think and figure this stuff out for themselves, and be able to take a look and see this is really something that somebody needs to know about, as opposed to it just got caught in our spam filter and, yeah, who cares about that.

[Audience member: One of the IT guys, I take it?]

Yes, this one, one of the IT guys that kind of took a look at that recognized it, right. So once he decides that, hey, this was not legit, he

starts looking to find out, well, what's the scope of this, how many of these things did we get, who got them, what happened. Okay, some good response ideas here. So he looks through the Exchange transfer logs and he actually finds every single person that received our email. Cool, you know the scope of it. Okay, he looked through their web proxy logs to see if anybody clicked the link. He didn't find it in the web proxy logs, so he said nobody clicked the link. All right, cool. So he sends off an email to all the recipients to say, hey, this is spam, just delete it, don't click on the link, don't fill out the survey. And he kind of put his hands

together and said, cool, I did it, case closed. The reason we know that he sent out an email is we found that email in the deleted messages folder of the one guy who gave us his username and password. So, yeah, that worked out really well.

So, overeagerness and some bad assumptions. Okay, I give the guy super props for the effort he went through to try and figure this out. He was really eager, he really wanted to figure this out, he really wanted to make sure he was doing the right thing. Cool, I give him props for that. On some levels there were certain mistakes that were made, some of it based on bad

assumptions. Okay, going back to my point before: should a highly targeted phishing email with a large amount of effort put into it legitimately be labeled as spam? No. This is an attack. Just because it came through email and it was fake doesn't mean it's spam. Okay, this was a very, very targeted, long, well-thought-out attack.

Okay, next thing: why do you think he didn't find it in his web proxy logs? Anybody? What was that? I can't hear you.

[Audience member: Internal network?]

Actually, he was external to the network. He was at home when he clicked on that link from his Outlook Web Access. Okay, so it's not in the proxy logs. He

made the assumption that because it was a user and it was during the day, he had to have been at work and he had to have clicked on the link from his work email, as his work user. No, Outlook Web Access works anywhere, even on his home machine. He clicks on it from his home machine, he fills the stuff out, it's not going to be in the web proxy logs. He never actually contacted each person that was involved in the incident. Okay, he sent them an email, so in his mind he contacted them, but he didn't call any of them and say, hey, did you click on this link or answer that survey? No, he just sent out

the email and said, okay, they're going to read it, they're going to follow my instructions and everything. Okay, well, our target read it; we know because he deleted it. The guy also didn't bother to tell him, hey, you know what, I filled out that survey, we should probably do something about it. Nah. He also did not inform management that a highly targeted attack was launched against them. He kept that information to himself, mainly because he said, oh, it really didn't affect us, nobody clicked on the link, nobody went there, it's okay, we're all good. So there was a communications breakdown at that point in informing the rest of his teams, informing management, that this type of an incident

occurred.

Okay, so the lessons. You really need to know the difference between simple spam, the things that, you know, Postini stops 10 billion of a year, and a targeted attack, something that's actually being crafted specifically against your environment. Okay, incident response procedures and responder training must include some clear escalation points and reasons for escalation. That information shouldn't have just sat with that one guy and within their ticketing system; it should have gone up to management. There should have been some kind of consultation at that point that that type of an attack had been launched against their systems. He should have at least reported, hey, I don't believe that anything really happened out of this, but

that information needs to at least be made clear to some kind of a stakeholder. Communication, again, is key. He didn't really follow up with each individual user; he sent an email. Yeah, we all get thousands of emails, nobody reads them all. And then users should also be assured that they won't get fired for self-reporting security incidents. We don't know if this guy actually had that in his mind, but it's a potential idea: hey, I'm not going to tell anybody, because I clicked on this link and I actually filled out this survey, I'm just not going to tell anybody and hope nothing happens. Okay, part of user awareness needs to be that it's okay if this happens as long

as you tell us about it. We can fix it if we know about it; if we don't know about it, it's just sitting out there and we can't do a tremendous amount to help fix that.

Okay, so we've got a username and password, cool. We've got access to this guy's email, cool. We're starting to look through that to get an idea of what kind of network we're looking at, trying to see if there are links in emails that give us additional resources, things like that. So at some point previous to getting into the network we had done DNS reconnaissance using probably my favorite DNS tool,

which is Fierce. Anybody use it? Fierce is awesome. Okay, essentially it's going to go through and enumerate DNS records. So we find their, you know, cleverly labeled VPN server of vpn.<company domain>. Took a look at it: sweet, it's AnyConnect SSL VPN. Sweet, username and password, no two-factor; double sweet. We're able to get into their VPN using that SSL client as the user we got access for, and we're in the network. Cool, we bridged that portion of it. Okay, we're going through some more of the internal pieces, and a bunch of enumeration and reconnaissance stuff later we find a virtual desktop image that our user can log into. We log into it, and we're

using that thing now as kind of our jump base inside of it. He didn't have administrative access to it, but I didn't care. I dropped a Core agent on the machine and used that as a pivot point, using it as just a TCP conduit. It didn't matter to me that it didn't have administrative rights on that machine.

So, anybody know what that file looks like? It may be hard to see down there; the file's name is "scan reports all vols all hosts date.csv". Anybody a Qualys user? So this file was found on their file share in just a general folder, and it contained the last month's

vulnerability scan. So my job was easy. Okay, so check file permissions. We got a lot of stuff just by trolling through the file share; there was a lot of interesting data relevant to the organization that was simply found by looking through the file share itself. So we took a look at that report and there was a bunch of really fun stuff in it: there were some MS08-067, there were some JMX consoles with no authentication, there was some SQL stuff that we could brute force. We're like, cool, this is good stuff. And then the IPS found us. Man, exploits weren't working. Okay, and worse, the IPS was generating alerts, and

even worse for us, we thought, somebody was actually looking at those IPS alerts. Okay, so the IPS alerts get pushed down; they say, hey, there's stuff coming from this machine out into our network, exploits being launched, we're seeing stuff, what the heck. Somebody finds out that the user logged into that virtual desktop we were using was the user that we had successfully phished. And so somehow all of this gets translated into "the user's desktop is doing funny stuff." Not sure how that happened. So the help desk was then dispatched to scan for viruses on the user's desktop. Okay, sure, I summon the [inaudible] of an AV scanner, yay. All right, the response

teams finally had a correlation between the user that we had phished and some level of malicious activity inside the network. Okay, one of the big things that tipped them off was, why is this user constantly trying to log in as sa to all these database servers? What the heck? I don't know, he could be doing that legitimately, I don't know. Okay, anybody here who has a director-level employee that logs in as sa to database servers? Anybody? No, I didn't think so. So the virus scan comes back clean. Huh, okay, must have been a false positive. Yeah, no.

All right, so one of the things I've always seen in a lot of places that don't have mature

security programs is that incident response equals "scan the machine for viruses; if it comes back clean, okay." We really need to be giving our responders a little bit better idea of what kinds of things they should be doing when they see anomalous behavior besides just "go scan the machine." At worst, if it really was a virus, you're losing some valuable forensic information, and even worse, you're missing stuff because you're looking in a completely wrong place. Okay, they also need to be trained on how to think through an incident critically: what are we seeing, what could that possibly mean, how would that possibly look on the machine or on

the network, and how can we go find out that information to see, yes or no, was this really something to be concerned with, or was it something that just happened to look really, really bad. Okay, again there was a communication breakdown, just like in the first instance. Okay, the teams that were responding to this set of IPS alerts really didn't know too much about what was going on originally with that phishing email; the guy didn't really share it as much as he should have. Possibly, if they had known that within the last 24 to 48 hours there had been this targeted attack and we should be looking out for stuff, maybe

if that information had reached the other teams that were responding, they may have said, hey, you know what, we did have that anomalous attack; hey, that guy whose desktop we thought was infected with stuff, he was on that email list; ah, maybe he really did fill out something. None of that happened. So there was a communication break again. When we're responding to incidents we're not doing this stuff in a vacuum. We're not just one lone gung-ho guy going to take a look at that; we're doing that as a combined team. You've got to have input from network, from servers, from desktops, from management, from, you know, directors, everything like that. We've got to have

it all put together in a cohesive unit. If anybody was in for Dr. Joe Adams' talk, he was talking about the whole idea of working together as a team, fieldcraft, all that kind of stuff; that applies to this scenario as well. Okay, there has to be communication between teams, there has to be proper and valid communication, clear directions, a clear idea of what's going on.

Okay, I'm also a big believer that we don't just mindlessly take what's coming in from tools. My mantra with IPS and IDS analysis is: don't trust the signature. Just because it says, you know, MS08-067 on the network doesn't mean, well, one, that the endpoint's vulnerable, and two,

that the attack was actually MS08-067 coming down the pipe. You've got to take a look and see what that check is actually doing. If it says, oh, well, it's the following URI string with the following byte stuff with the following host header, that's a little bit clearer than, hey, at byte position 10 you're looking for 08 0a 0d 0e. Okay, well, that could be a lot of things. Okay, don't blindly trust in tools, but also don't dismiss what you're getting out of them. You have the tool there for a reason. When it starts popping up alerts, especially a large set of coordinated alerts, so you see one host sending out exploits for this, this, this, this, this,

and this, well, that's probably far less likely to be a false positive than that one-off ping of the IPS every six months.

Okay, oh, we get uninvited to the party. So we are finally discovered. Okay, in taking a look at a couple of other things that were coming out of that box, they finally decided, hey, we really should look at this RDP system; hey, that was the thing that was originally causing those IPS alerts, what the heck. So they take a look at it, like, what the hell is going on with this RDP? Say, nobody even uses this RDP box, what the heck. They finally see, oh, it's this guy. Why is he logged into this? All right, so

we get kicked off of that RDP session. We're like, okay, well, this is going to be the end of it, they found us, game over. The help desk finally says, you know what, we're going to go talk to this guy. They go confront the guy; he says, yeah, I did click on that, I did fill out this thing. Okay, they're doing this four days after the fact, so, yay for us. So they request that the user go ahead and change his password, a fairly common response in IR. Okay, the problem was that the guy had kept all of his personal and corporate passwords as notes within Outlook, which we had been reading for most of the week.

So we also discovered that he liked to use a certain pattern for his passwords and just kept incrementing the end number. So we stopped, we got a little bit more coffee, we tried the next number on the list, and we were back in the system. We never really left, because our VPN session had never been terminated and we had 10 hours left on our 24-hour VPN session. So all we had really lost was the ability to log into systems, and that was for long enough for the Keurig machine to make some more coffee. The responders at that point decided, hey, we kicked him out, we got him to change his password, everything's good now, we

can call this case closed. Yeah, no.

We all give users, through their security awareness, some kind of idea on how to pick good passwords. We make XKCD comics about how to pick great new passwords. Then users possibly remember that for the first 24 hours after the awareness session, and then they really kind of forget about it. That's not great, I don't like it, but it's kind of reality. But in this case, when we're asking a user to change their password after a known compromise, or at least a suspected compromise, they really need to have good, directed advice on how to pick a new password. Don't just say, hey, user, go pick,

you know, go change your password. Okay, they're going to go change the password the same way they have always done. Let's give them a little bit more of an idea: okay, can you please make sure to pick a strong password, and give them some ideas on how to pick a strong password. Okay, this guy obviously didn't, and he really wasn't told, go pick a strong password; he was just told, go change your password. Okay, I change my password every month, I'll do it the same way I did it last time.

Administrators need to know how all facets of their systems work. During the debrief we learned that the reason why we weren't disconnected from the VPN session was that the

administrators didn't know how, and that they figured that since we didn't have a user account anymore, we weren't dangerous to the network. Ha. So, probable but rarely used functions: you're rarely going to need to kick somebody off the VPN, but this incident shows the need to be able to do that when it really comes down to it. Part of incident response is kind of doing pregame. Okay, it's those training sessions before the incident to actually be prepared to respond. Trying to figure things out and trying to train yourself how to respond to an incident while an incident is going on is probably a bad idea. And then after a compromise, especially a compromise of user accounts,

we really need to start looking at those things acutely, at least for a certain amount of time afterwards. We know Joe's account has been compromised, we think we've taken care of it; don't just leave it alone. You've got a SIEM technology: put up an alert, or at least a report, that says, hey, this is Joe's activity for the 24 hours after the compromise, this is his activity 48 hours after the compromise. Take a look and see exactly what has occurred after that compromise, just to make sure that you've actually gotten everything out of that system.

Okay, so we're back in. We've got the user's new account password, we're back on the network, our

VPN's still connected, we never really left. We're trying to find some more systems. We're like, okay, we really need to now be a little more careful with what we're doing; they're actually watching us, they're actually figuring things out, let's be a little more stealthy. And then we discovered this "loaner desktop" it was called, or something or other, and Domain Users just happened to be a local administrator. I guess that was the easy way of not having to set up individual user accounts as administrator on the box: let's just make everybody administrator, nobody worries about this thing. Cool, that's awesome. We're now on this box; this thing was kind of tucked away somewhere, and

it was now our new jump point for the rest of the test. So we pulled down the NTLM hashes for the administrator account, we pulled down a couple of other things, we threw them through some cracking routines. They didn't come up quickly, so we're like, you know what, we've got to get on with this thing, we're not going to spend hours cracking this stuff; I don't have a good cracking rig. So, ARP poisoning, why not, let's give it a shot. Uninstalled the AV on the machine, loaded up Cain. Sweet, we discovered that we're on the same VLAN as the network and server administrators. Awesome. Found some good RDP sessions pulled into there, used Iron

geek's fun little script that pulls keystrokes out of RDP sessions, that's a great little tool, and we had some domain administrator accounts, two of them. Sweet. So we stopped using our original account. We're like, well, this thing was already compromised once, we don't need to keep on beating up on this guy's account, so let's start using some of these admin accounts. We also wanted to make sure that, you know, administrators tend to look at logs more than anybody else does; we didn't want them to get spooked and say, why the hell am I logging into that box, I've never logged into that box. So we created another

mid-level access user. Our goal wasn't really just to sit around and pop boxes, it was to get into this protected network. So we found some group names that were related to the protected network, we added ourselves to those groups. We don't need to be an administrator if another group, one that's maybe not as highly watched as Domain Administrators, has access to the same data. Administrator access wasn't our goal, the data was, so let's go where the data is. So we gave it a realistic name, we didn't call him, like, you know, Hermione Granger or Harry Potter or Iron Man or something like that. So we

added him to a bunch of juicy-sounding groups. We're like, okay, we'll use this account to try and find some more additional data and see if we can actually get into some of these networks that we're looking for. Okay, well, again, detective controls worked. One of the groups we did add ourselves to actually was a monitored group, so their SIEM device picked up that there was an addition to this group that was a protected, change-controlled group. Oops on our part. Set an alert. Okay, the responder to the alert called the admin that created the account and said, hey, did you create this account? We didn't see a change control for this.

No, I didn't create it. Well, that's weird. Want to go get some beer? Sure. Okay, we had these detective controls for a reason. Don't set it up if you're not going to pay attention to it. But if you're asked, did you create this account, and you didn't, something happened; it's probably not a good sign. Okay, our detective control worked, yay. Response: D minus. Okay, it had been less than three days since the previous incident. Okay, this should have set off alarm bells: we just had an incident, now somebody's creating accounts and I didn't do it, ding ding ding ding ding ding. Some reason? No. Okay, so we're still looking for this

pathway into the protected network. We still don't have it. Frustrating. We're running rampant through this network and we still don't have this thing. We finally find it. There were a set of jump boxes that we could use that had a full separate domain and a fully separate authentication set, and we also found a management server, okay, a SolarWinds box. Cool. SolarWinds typically gets connections into everything else, which it did. So we've got two ways into this thing now. All right, the authentication domain wasn't a big deal, because both admins used the same password for each domain, so that kind of defeats the purpose of two different authentication domains if

you're going to use the same password. All right, so we were able to use the jump boxes to get a whole bunch and pretty much almost completely fulfill our mission. So we got a lot of juicy information that we really needed to kind of fulfill that portion of the test. Okay, man, it was the management box that finally got us caught permanently. Okay, so we jumped onto this management box. We were using RDP just to kind of keep control of it. We were looking around through that network, we were able to get host names out of Orion of hosts and boxes that were in that network, so that was cool. If you're doing

pentests, just use the admin's tools against them. They know where all the good stuff is, so just ask them. We dropped a Core agent again so we could pivot, so we were double pivoting, well, I thought we were double pivoting: pivoting to the loaner desktop and then pivoting again back into the management box. So we're kind of trying to double hide our traffic there and kind of make it look like the management box was actually producing the traffic and not us. Okay, damn IPSes again. They had a fully separate set of IPSes within this protected network. Okay, we were getting late into the time period of

the test. We probably had about a day or two left in the actual allotted time for the test. If it wasn't for that we would have been a lot more stealthy, but we're like, you know what, we really want to get that final 5%, so let's go balls out. So first off we found the IPS. We're like, this thing's just going to screw up our day, so let's see if we can log into it. Unfortunately neither of our admin accounts had access into that, so we decided to brute force the HTTP POST login page of the IPS. We didn't get anything, but we were also kind of amazed the IPS didn't detect brute force

attacks against its own management interface. That was kind of interesting. File that under things you should know about your security devices. So we did finally get kicked off the RDP session when one of the admins whose account we had taken tried to log back into their session, and essentially, you know what happens when you RDP into a session that's already being controlled: you get the desktop of the person that was previously in there, especially when you say, yeah, just reconnect me to my established session. So up on the screen, as I got kicked out of there, was the login page for the IPS, and the admin

kind of was like, oh, I don't remember trying to log into the IPS, I don't even have an account for this. Oh well. They thought it was strange that they were trying to log into the IPS when they didn't remember that, but, huh, okay. So we kind of threw Hydra down at the SSH daemons that were on the protected network, and that was the thing that really kind of got us caught. We were noisy, we knew about it, and within 15 minutes that got escalated up, and luckily that kind of came out in the middle of a staff meeting that all of the IT staff was having, so they were kind of forced to communicate

together at that point, and that got us pretty much kicked out. The port was locked down from the machine that we were using, that thing was taken off the network, and finally we got our VPN session killed. We were out and gone. My pivot chain had broken down, so everything that I thought was going through the management box was going through my remote desktop box. When Core decides to reconnect an agent, it resets the local source address, so remember that if you're trying to pivot through many, many, many things: it resets it, so that's no fun. So that finally brought the all-hands-on-deck response. Everything was

kicked out. Our primary contact calls us up and says, please tell me this is you guys. We said yes. They said okay, we don't have to report to the [inaudible] that we have to report to. So glad that they didn't. Okay, so finally, in the face of overwhelming evidence, they were all able to coordinate effectively. They were able to pull together and actually get everything done the way that it needed to. Everybody started changing their passwords to nice, newer, stronger passwords. Everything became hunky-dory. We kind of helped them figure out exactly what was going on and what we had done during the event. And so, good, they were able to respond

to this huge macro event that essentially set off every alarm bell that they possibly had. It was all the smaller, little, tiny incidents, weird things, oddities, things that may have been false positives because I can't really prove that this thing happened, communication breakdowns, all of those little things that at any point during the chain of this test should have gotten us kicked out, should have gotten us discovered properly. It didn't. Again, Dr. Joe Adams in his previous presentation put up a quote from Richard Clarke essentially saying, hey, we're not expecting the next digital Pearl Harbor, we're expecting a death by a thousand cuts. Okay, this was death by a thousand cuts. There were lots

of little tiny incidents that could have been picked up on, where a little bit more diligence, a little bit more effort put into the response could have gotten us caught. It didn't. Okay, so this should have been an hour-long compromise. Okay, it was a weeks-long compromise. This is that type of incident where you hear about somebody sitting in a network for months or years, if we had been really stealthy and if we had really, really taken our time. Again, I don't think a client's going to pay for a two-year-long pentest engagement. It'd be awesome if they do. If you want to pay for a two-year-long pentest,

come to see me afterwards. But if we had been stealthier, we could have really stayed in that network for much, much longer. Okay, anybody have any questions? Anything you want to talk about? Yes, sir. They were... no. So there were two people that had knowledge that this was coming down. The support staff did not, the incident response, the security teams, none of these guys knew that we were in the process of doing a test. So there were two people within senior IT management and up at the CISO level that knew that this was going on. That was it. So we both wanted it, because especially the fact that they're a maturing organization, we wanted it both as a

controls test and as a process response test, and really the value was in that process response. That's where they got most of their value out of this thing. The controls worked for the most part. You know, there were some things that we went back afterwards and said, yeah, we may want to tweak this, and we might want to add a little bit more here, but for the most part we were starting to get detections. You know, adding that member to that protected group, that change-control group, came off perfectly; the response to it wasn't the way it needed to be. Yes,

sir. I would have done a lot more reconnaissance on the inside. I wouldn't have tried for exploits at that point, I wouldn't have tried for account brute forcing at that point. We may have been able to use some of the access we had to do internal social engineering. We were in, we had gained access to their SIEM device, so we were actually looking at most of the alerts that were coming through at that point, so we would have learned what those things were, and then that would have let us at least know what we

could target, what we couldn't. We may have been really stealthy and decided to turn off an alarm for five minutes, go and do something, and turn the alarm back on, things like that. So I think at that point, once you have time on your side, you can be a lot choosier, a lot more discreet in what you're actually trying to do. We kind of, you know, stopped and dropped that level of caution at the end. So, anybody else? All right, thank you.
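The two detective checks the talk argues for, written out as an added example that is not part of the talk or of the client's tooling: a report of one account's activity for the 24 and 48 hours after a known compromise, and an alert on any addition to a protected, change-controlled group that carries no change-control ticket. The event feed, account names, group names and ticket IDs below are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample event feed (not from the talk): (timestamp, event, account, detail).
# For "group_add" events the detail is "group:ticket"; an empty ticket means no
# change-control record was attached to the change.
EVENTS = [
    ("2013-05-01T08:00:00", "logon",     "joe",    "vpn-gw"),
    ("2013-05-01T12:30:00", "logon",     "joe",    "loaner-desktop"),
    ("2013-05-02T03:15:00", "logon",     "joe",    "loaner-desktop"),
    ("2013-05-02T22:00:00", "logon",     "joe",    "solarwinds01"),
    ("2013-05-03T09:00:00", "logon",     "joe",    "vpn-gw"),
    ("2013-05-02T23:00:00", "group_add", "jsmith", "ProtectedNet-Users:"),
    ("2013-05-02T23:05:00", "group_add", "alice",  "ProtectedNet-Users:CHG-1042"),
    ("2013-05-02T23:10:00", "group_add", "jsmith", "Printer-Users:"),
]
PROTECTED_GROUPS = {"ProtectedNet-Users", "Domain Admins"}  # change-controlled groups (constructed)
APPROVED_TICKETS = {"CHG-1042"}                              # tickets change control knows about


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def account_activity(events, account, compromise_at, hours):
    """Everything `account` did in the `hours` after `compromise_at` (ISO timestamp).
    Run it for the compromised user after clean-up: logons to boxes you did not
    expect mean the attacker is still using the account."""
    start = parse_ts(compromise_at)
    end = start + timedelta(hours=hours)
    return sorted((ts, ev, detail) for ts, ev, acct, detail in events
                  if acct == account and start <= parse_ts(ts) < end)


def unapproved_group_changes(events, protected, approved):
    """Additions to protected groups with no approved change-control ticket.
    Anything returned here is an incident to escalate, not a question to ask the admin."""
    hits = []
    for ts, ev, acct, detail in events:
        if ev != "group_add":
            continue
        group, _, ticket = detail.partition(":")
        if group in protected and ticket not in approved:
            hits.append((ts, acct, group, ticket or "<no ticket>"))
    return hits


if __name__ == "__main__":
    for hours in (24, 48):
        print(f"joe, {hours}h after compromise:",
              account_activity(EVENTS, "joe", "2013-05-01T06:00:00", hours))
    print("unapproved protected-group changes:",
          unapproved_group_changes(EVENTS, PROTECTED_GROUPS, APPROVED_TICKETS))
```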
