
Infosec Time Machine: Securing Your Network Like It's 1999

BSides Belfast · 2018 · 35:34 · Published 2018-10

Thank you very much. As he said, my name is Nick Biasini. I am here to talk to you about the InfoSec time machine. The basic idea behind this is we've known how to secure systems and secure networks now for well over a decade, actually closing in on multiple decades, but for some reason we fail to implement basic security concepts time and time again. The real purpose of this talk is to kind of reintroduce you to the concepts that were introduced 15-20 years ago and talk about how simple application of those concepts could, not necessarily mitigate some of the biggest threats we've seen over the last year and a half, but how our failures to implement these controls have resulted in these attacks being much worse than they need to be, and in many cases could stop them altogether.

Before I get too deep into it though, who am I? My name is Nick Biasini, I'm a threat researcher from Cisco Talos. As far as my background is concerned, I actually started as an analyst in a 24 by 7 SOC working for the US government. Over the years I was an analyst, lead analyst, managed teams of analysts, I was an IDS engineer, I was a SIEM engineer, anomaly detection system engineer, did design. I've basically done everything in security except for being a developer, because I frankly suck at coding and nobody wants to see the code that I write. But really what I do now more than anything is, I have, in my opinion, the best job in the world: I hunt threats and piss off bad guys. That's really what my job is. What I mean by that is, you know, I need to keep track of what's going on on a day to day basis in the threat landscape, what we see every single day, but I take it further than that, right? It's also about writing about it, it's about blowing up their infrastructure, it's about working with providers to get their systems taken down. It's doing whatever we can to force them to spend money and make them angry, because hopefully the more we do that, the less this type of activity will someday be. Not anytime soon though, because job security is important and we all agree.

All right, so no time to really explain, let's just jump right into it, right? Let's start by going back, you know, back to the days with times like these, times when, you know, this was cutting edge technology, or my favorite, when you used to tell people that you worked in security they immediately pictured this. That's right, I'm talking about the late 90s, early 2000s. The reason I picked this period out specifically is the fact that there was a key document, at least from the US government perspective, NIST 800-53. I know I'm in the UK, but anybody from the US that's worked anywhere near the government has nightmares about this document. It is just a beast of a document, but what it did do is it kind of introduced the general public to what security controls were, what basic security concepts are, and how you need to protect your infrastructure and your networks. And I'm talking about absolutely crazy ideas like asset identification, network segmentation, patching, access control and education. I know these are all earth-shattering concepts. I'm gonna take a little time and kind of walk through all of them, and then I'll kind of reiterate how each of these threats that I'm gonna cover would have been addressed by some of these.

So let's start with the easiest of all of these: asset identification. You can't defend it if you don't know it exists. If I have to read one more breach report that starts with a server that the company didn't know was connected to the Internet... stop doing that. Why do you not know what is connected to the Internet inside your network? It's not rocket science. You could do things like ping sweeps, port scans. It's not expensive to spin up an Azure box or an Amazon AWS or whatever cloud you want to use and just start scanning your infrastructure. If you have public IP space you should be scanning it constantly. You need to know what is there, and once you have an idea, start probing a little deeper, right? Figure out what services are exposed to the Internet, what ports are exposed to the Internet, what are all of these systems that we have out there. This is really the bedrock of what you have to do in security, and it honestly is where everyone falls down, because for some reason people don't track when a new system comes online. When your ping sweep results change, when the scans that you're doing change, go find out what happened. And then start patching. Please patch. It's not hard, but for some reason, and believe me, I've been in organizations where patching is like the worst cuss word you can say, because they do not want downtime. Show them the reports from all of these breaches that we've seen over the last year and a half, show them the tens if not hundreds of millions of dollars in damage, show them all of these things to illustrate why it's okay to take a 30 minute downtime to prevent you from being on the front page of a major newspaper. One of the most important aspects around patching though is getting buy-in across your entire organization. This was, in one of my previous roles, the most difficult thing I had to do, because I had to herd just a large room of cats, of people from every possible discipline inside of an organization, and get them to agree, by scaring the crap out of them, that patching is something that you have to do. And look, you don't treat all patches the same, no one should, but when you have a high severity patch that you know impacts you, don't wait 60 days to patch anymore. It is not long enough, and I'll illustrate exactly why in a minute. So that's asset identification, right?

Let's move on to one of my biggest pet peeves: network segmentation and the move to flat networks. So I'm old school, I've been in this industry for a lot longer than most, I guess. This is what a network should look like: clearly segmented lines drawn, accounting, HR, engineering, operations, just as an example. These groups should not be able to talk to each other on every port on every system, because they don't need to. All it does is cause problems. But I don't see this anymore. What I see is this, where you've got the Internet, you've got the outside, you have the inside, you have this little security bubble in the center. Stop doing this. This is not useful, this is not helping anyone. I understand that executives want all the access to all the data all of the time, right, and this is fast and easy, but that doesn't make it right. Sometimes we need to sit down and do the things that make it difficult. We need to spend the time and do the design, do the implementation, know that there's gonna be issues going in, but it's better than this.

Okay, access control. I kind of break this into three broad categories, right: you have network, you have user, and you have file access control. Now there's a bad word on here, auditing. That is the one that, at least from my perspective, I used to hate, but in this case it is absolutely paramount, because you can assume you have the best access control in the world, but if you don't test it you really don't know. You don't know that, oh, that directory's only read access to the specific group, but you put it underneath a folder that had inherited privileges that gave everyone read and write access. Did you test that your access worked? Well, no, I just checked the box and assumed everything worked. Right, stop doing that. Actually verify what you're implementing. This happens way, way too much and is causing lots and lots of problems. If we don't get better... you do realize the bad guys are getting better, right? They're getting better every single day. If we don't get better, we're not gonna do well. I mean, we all know, I assume a good portion of you are defenders. Defender is the most thankless and difficult job. You have to be infallible, that's it, you cannot have fault in what you do. An attacker, the red teamer, you

gotta be right once. You can throw a thousand things up against the wall, and as long as one of them sticks you did your job. As a defender, somebody comes at you a thousand times and one gets through: absolute failure. This is why we have to get better at securing and doing the things that are basic.

All right, so some of you are in operations, I assume, I don't know how many, but let's start with a little test here. So this is one of my kind of litmus tests for how mature a security organization is that I go into: how many rules are on your firewall? And look, I'm not expecting you to say 8,170, that's ridiculous, although some OCD people probably know that. More likely just a general concept, right? This is like the intro question: how many rules are on your firewall? More importantly, can you explain why they are there? Do you know why this rule exists, or is it, I don't know, it's been here since I started? That's not a good answer to that question. Additionally, and this is key, who put them there? Do you know who put them there? Was it someone in security, was it someone outside? Scary: network admins have access to firewalls a lot of times, just saying. And then the most important one, and the one where people really, really, really typically fall down, is: have you reviewed them in the last six months? Doesn't take a lot of time. Look at how many hits, reset the counters and look for hits. If you have a firewall rule that has 8,000 hits it may not be the best firewall rule, because let me tell you, I cannot tell you how many times I've walked into an environment, 6,000 line ACL, about 2,000 lines down there's that nice permit ip any any, and you realize that the bottom 4,000 rules aren't being used at all, and it's been like that for a year and a half, and they don't understand why they got compromised. This is why you do things like port scans and port sweeps: you have to know what you're defending and how adversaries can get into your infrastructure.

Let's talk some user control. This is another fun one. So this is one more question, I swear this is the last one: where can domain admins log in? If you say anywhere, I'm gonna lose it, okay? That is not the right answer. The right answer is domain controllers. Domain admins should only log in to domain controllers, because let me tell you, adversaries love it when you use your domain admin account to fix a user issue on an end station, because they pop that system and it's game over. They can just... all this is great, I don't have to do anything. We have got to get better at doing the basics. It's not hard. Tier your admins, right? You have an admin for domain controllers, you have an admin for servers, and you have an admin for users. That way, when they pop the admin credentials, all they can do is stick in that tier. It's not hard, but for some reason we just do not do it. I understand you're gonna get pushback from sysadmins, but explain to them, you know, do you want to be the person who leads to us being on the front page of a newspaper? Is it really worth you complaining about having to maintain a couple of different user accounts? Also, don't log into your freaking domain admin account to check your email. Stop doing that. It's not hard. I just don't get it sometimes. And look, we're getting better, I hope. I have to keep telling myself this and just hope that I'm making a difference, at least one or two people, like, please make it a little bit better, because sometimes it gets pretty dire. One more thing: users don't need admin access. Stop giving it to them. They don't need it, I don't care. I mean, there are exceptions obviously, but they should be exceptions, not the rule. It shouldn't be, well, that one user got compromised four times so we should take their admin credentials away. No, you take everyone's admin credentials away and you give them back to the people that need it. It's not hard. But the real reason that you don't give users admin access is because they're users.

Let's talk about what I like to call the unpatchable vulnerability: users. Users always see boxes like this and will always, always, always click Save. Always. It's just in their nature, I don't know why, but it is just in their nature. But before I get too deep into that, I actually have to take some time to talk about macros. Why is this a thing? Why is this a thing in 2018? All I see all day in email is this, or this, or this, and people keep clicking the edit button and enabling content. I don't understand. Not only that, but it's not difficult to disable, right? I mean, go back to your office and just do it. Put it in your group policy and get rid of it. They even give you options, and I understand that there are departments that have to run macros, that's fine, there are ways to deal with all of them. Like, ideally we just get rid of macros across the board, out of your org, that's your ideal scenario. Most of us don't work in an ideal world, so it's not really gonna matter, but they do have the ability to only run signed macros. I know that can be annoying for the people that have to do macros and it does implement overhead, but it should help mitigate a lot of your issues. A little less ideal is to block macros downloaded from the Internet, which I guess would be okay, but you know users are probably just gonna, instead of clicking Open, click Save and then open it locally, so it kind of defeats the purpose. But at least it would kind of get rid of the worst of the worst offenders. And please, God, stop letting macros be a choice for all users all the time. It doesn't end well for anyone and it never has.

Back to the user. This is Steve. Steve's a typical user, causes problems, that's kind of what they do. But truthfully and honestly, it's really not just their fault. A lot of it falls on us, and there's a couple of reasons for that. I mean, in today's society we increasingly kind of sit in these echo chambers of people that agree with the things that we say, so for the last 10 plus years people in security have been screaming about users and how bad users are, and then everybody just kind of feeds back into that: you're right, users are terrible. But nobody actually goes and talks to the users and actually works with them, and a big part of that is user education is just utterly and completely broken in almost every organization I've been in and everybody I've talked to. How often have you gone into doing your security education, in your testing, and you launch yet another phishing attack, and you have the same user who sends their creds every single time, no matter how sophisticated or how stupid the phishing attack is? They're always clicking the button. Now part of the problem behind that is the way that our user education is built. It's like this: you either click Next or you click Exit, and most people just click Next until Exit comes up and they're like, okay, I'm done, yay. Or better yet, my favorite are the ones that are video based, where you just click Play and then go get a cup of coffee, or go do real work, and then come back after like 15 minutes and click Next and click Play on the next one and do it again. What is the point of that? There is just no value in that. No one gets anything out of it, but for some reason you think that users are going to understand concepts like malware, banking Trojans, ransomware, spam, phishing. They won't if you don't educate them properly.

Now there's kind of another side to this. We have to change the way that we treat information security policies. Every organization has an information security policy of some sort, right? Every organization has umpteen bajillion policies of some sort, and the information security policy fits in there somewhere. There is typically one key difference though: it doesn't have teeth. What happens when a user gets their system compromised? Reimage the box, that's the end of it. Nothing happens to the user. And look, I'm not advocating for users being fired for failing a phishing test, that's a little bit extreme, but it has to be part of the conversation, right? When you go to do your reviews, to get your bonuses, to get your raises, the information security team should be involved in that process, saying things like, you know what, I understand that they did a great job, but you have to understand that they compromised themselves three times last year and that cost us, the security team, $50,000 to mitigate them. Do you really want to give this huge bonus to someone who cost the company $50,000? These are the types of things that you have to start having conversations around, because let me tell you, you start hitting users in their wallets, they'll actually listen, because it costs them money. They now have some sort of skin in the game, right? Otherwise it's like, I don't care, I'll just click yes to everything because nothing happens to me, there's no consequence to what I do. But it's not just consequences, right, then you just seem like a bunch of asses. You've got to have some sort of reward there as well, and this isn't hard, right? Every organization has some sort of a monthly, quarterly, yearly, whatever, bi-yearly meeting where they talk about the state of the company, right? Take five or ten minutes and call out people that did the right thing. Say, you know, I want to take a few seconds and congratulate Susie. She did the right thing by reporting the suspicious email that she received. Upon further investigation it was a targeted attack that would have potentially cost us very large sums of money, and as a thank you for that I'm gonna throw her a $100 gift card somewhere. It's a very, very small gesture, but it absolutely resonates with people. When you reward them for doing the right thing and penalize them for doing the bad thing, you're basically treating them like children, which is effectively what they are. You have to take that approach because it really works. I know it sounds stupid, but you know, people have been raising kids that way for hundreds and hundreds of years, but for some reason with users we're just like, nah, they can just do whatever they want and we'll just fix it afterwards. It's not a good way. Basically we have a bunch of brats running around our networks and it does not do anyone any good. Okay, enough of that, I'm gonna quickly climb off my soapbox there. I'll touch briefly on users again at the end, and another aspect that I want to dig into, but let

me first talk about threats that we've seen over the last year-plus and how basic protections would have either mitigated them completely or at least limited the damage they would have had.

Let's start with Bad Rabbit. Bad Rabbit was a ransomware worm that started with a POST request where the user, basically their system, would get fingerprinted. They would send some data off to a system and then, based on that, they would either be directed to nowhere or given a fake Flash Player update. And that should be the end of Bad Rabbit, because no one should install a Flash Player off of a pop-up. Users should be educated enough to know not to do that. This should not have been a thing. That should have been the end of it. It should have been like, well, they really tried, but who's really dumb enough to fall for this? It turns out a lot of people. And once you had one user, your life got exponentially worse, because then it started worming and moving around your network and gathering credentials and trying hard-coded credentials like this. Hmm: god, sex, secret, love. Those look oddly familiar. Do you guys get the memo on those? You know, the memo from this guy? No? Yes, hackers have a sense of humor. We see them make pop-culture references all the time. This particular threat actually was kind of laden with them, they actually made a couple of Game of Thrones references as well. But beside the point, how could this have been eliminated with basic protections? First and foremost, user education. Why are you installing Flash Player from an update that just pops up on your system? You know, we have corporate IT, we install patches and things. If you need something, ask for something, don't just randomly click install. By the way, you probably shouldn't have admin access to be able to do it anyway, but that's another point altogether. And again, network segmentation. I'm gonna beat network segmentation to death in this presentation, because without a doubt it is the most important thing that you can do to help minimize impact. So yes, you might have had a dumb user in some department allow that to be installed, and that department could be completely decimated, but your entire enterprise isn't. Odd as it sounds, you should take some solace in that, because a lot of organizations, when these types of threats happen, do not lose one department, they lose 40, 50 thousand machines. Network segmentation is a thing that needs to be done all the time.

I'm gonna talk a little WannaCry. Everybody loves WannaCry, you know, the OG ransomware worm that was out there. This happened May of last year, something like that. I'm not really gonna talk about WannaCry, WannaCry has been talked about to death. What I am gonna talk about is why you can't have a 60 day patch cycle. So this is the security bulletin that addressed all the vulnerabilities that were in WannaCry. It was released on March 14th 2017. A month to the day later, all of these tools were dumped online publicly. May 12th was the day that WannaCry ravaged the Internet. Guess how many days it is between the 14th of March and the 12th of May? 59. Do not do a 60 day patch cycle. This is why 60 day patch cycles don't work when you have a CVSS severity 10 vulnerability that affects every system that Windows runs. Not to mention, and this is kind of beside the point, but why in the world do you have 445, or SMB, open to the Internet? Are you trying to allow people to connect to file shares inside of your network? I do not understand why this was such a horrible problem. It spread via SMB. Home users were absolutely destroyed; even they should have been somewhat protected. That was a little baffling to me. Are you, like, directly connecting to the Internet? How does that work? Because everybody has some sort of a router or something. Are you purposely allowing SMB to be allowed into your house from the Internet? I just don't understand. That seems like a really sophisticated thing for an average user to do for very limited value. Sorry. Again, patching, patching, patching. Stop using 60 day patch cycles, patch your systems, and for the love of God, segment.

This one in particular just destroyed networks. Well, I shouldn't say this one was the worst... this one was the worst. This is the one where segmentation, if you didn't have it, it would just cut through your network like absolute butter. Yeah, NotPetya. This is the one that I point most organizations to when they're like, well, implementing network segmentation is really expensive and difficult and it takes a lot of time and engineering to do. I'm like, yes, but do you want to be Maersk? Do you want to be one of the organizations that lost 40,000 systems? And to their credit, look, they had to do incredible stuff. If you haven't read the story about NotPetya and what they had to do, it's amazing. I mean, they were literally handing off servers in airports in Africa to get the domain controllers back, because they had one that didn't get destroyed, and that is what they were trying to save, to get the disks back to be able to rebuild everything. Don't be that company. They had to reimage 30,000 systems. I would just quit my job. I would just be like, I'm sorry, I'm out, this is just not... I'm not doing this, this is way, way too much. But how did this work? You know, what did this do? And obviously these controls are not gonna stop this attack. This was a supply chain attack. The initial infection vector is extremely sophisticated, you're not going to avoid the initial infection, but what you can do is try and mitigate the damage. So once it got into a system it used a bunch of different things. This is actually in reverse order. So it used EternalBlue and EternalRomance as fallbacks, which obviously should have been patched by that point. It also used WMI and PsExec. This brings me to another point: why can all users use WMI? I don't understand. What does an average user have to gain from the ability to use WMI? And look, I understand there is extreme value in both WMI and PsExec for admins, there absolutely is, it's a hugely valuable tool, but why is every user on a network able to use it? You are gonna get killed if you leave those tools, if they're not there by default. Having simple command-line logging, look at the commands that are being run. The syntax is all the same, the file name changes. You have to be looking at that stuff, it is of paramount importance. And then this is propagation, so yeah, this is the WMI. I just don't get it, it doesn't make sense to me why every user can do this. Again, basic concepts: patching, not rocket science, but you have to do it. Simple user access control: stop giving everyone access to WMI. And, huh, look at that, network segmentation again. I'm telling you, I'm going to beat it to death because it is the most important thing you can do.

Okay, so I have one more here on Olympic Destroyer. So this one was particularly nasty and pretty destructive. Look at that, it used WMI and PsExec again. What are the odds? You have got to be better at doing this. The initial infection vector for this one is a little bit cloudy as well, but hopefully you could mitigate the issue. Now there are way more aspects to this, so it did spread around systems and was hot-patching and gathering credentials and adding those credentials to the attack it was launching, but one of the other things that it was doing was just destroying systems, and it was doing this by, you know, connecting to file shares, gathering the credentials, turning off all the services on the systems. Some of these things can be avoided, some of them cannot. One of them that would be key to look at is file access control. Why does everyone have read/write access to every share on the network? Probably shouldn't be that way. Your user access control has to be better, your file access control has to be better, and again, network segmentation, because you can't move around a network if you segment it properly. Make it difficult for them, make them make noise so that your security team has a chance. You have to catch the noise that's coming around these attacks.

And look, I mentioned before I'm gonna circle back to users. There's actually another aspect of user education that I think is of paramount importance, and this is that we are currently in the midst of a giant generational gap. The overwhelming majority of people do not understand the stuff that we understand, even remotely, and we expect them to. That has to change. We have to realize that the majority of people barely understand the concept of the Internet, or email, or web browsing, let alone ASLR and authentication bypass and exploitation and vulnerabilities and malware and banking Trojans and ransomware. They don't know what any of this stuff is. We have to do better at bringing up the entire education level of people in general. So kind of my last thing here is, as security people, right, in your organization, when you're dealing with users, have patience. Take time, work with them and explain to them: hey, you know, the reason why we do this stuff is because of all of these types of threats, like you see here. You see how you clicked this link and then hit this button to send your credentials? You shouldn't do that. When you get an email that says your credentials have expired or your password's been stolen, don't click a link. Go and log into the website yourself. Take the extra steps. Educate them. I know this sounds horrible, but educate them one user at a time, because they talk amongst themselves, they're gonna educate each other, but we have to start somewhere. Adversaries continue to get better and better at what they do, and if we don't really seriously address the underlying issues... like, every time you see an attack that involves 0-day, where an advanced adversary used 0-day to get into an infrastructure, right, I have always said that that enterprise should wear that like a badge of honor, because you have already forced them to spend way, way, way more money and resources than they wanted to to get in. Because I got news for you: a determined adversary, they're not going to be stopped. They're gonna do whatever is necessary. They're also not going to start with 0-day, because that's stupid and it costs them a lot of money. Why would they do that when they can send an email with a Word document with a macro in it that has nine pop-ups, and a user will still click through every single one of them, click enable, and download the malware to get them into the network? This is the world that we're living in, and we have to be much better at what we do.

All right, final point: cover your assets, patch your assets. Please stop giving users admin. I understand there are exceptions, but the blanket, users like, I need to install something, here, I'll just give you admin access: don't do that. I understand it's painful and it's time-consuming and it can be arduous for you, but you have to stop making the stupid mistakes. The small mistakes are the things that will kill you, and I'm gonna tell you right now, all it takes is you granting a user admin and some huge fire starting and you forget about the user you gave admin, and two months later they get popped and own the entire infrastructure, and it's all because you didn't want to install a software package at that time. Oh, and, you know, maybe segment your network (a few times). It's pretty important. That's probably the big takeaway from this: please, please, PLEASE segment your network and do the things that are basic. Secure your network like it's 1999, because honestly, in a lot of cases, it's far better than the stuff that we're doing today. All right, that's all I got. Does anybody have any questions?
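The asset-identification advice in the talk (scan your public IP space constantly, and when the ping-sweep or port-scan results change, go find out what happened) comes down to diffing two inventories. The script below is an added example, not code from the talk or from Cisco Talos: it parses two constructed scan snapshots in an assumed `host:port` text form, reports new and vanished hosts and ports, and separately flags services the speaker says should never face the Internet (SMB on 445; the 139/3389 entries and the port-to-name table are my additions). The addresses are RFC 5737 documentation ranges, not real hosts.

```python
"""Diff two external port-scan snapshots and flag what changed.

Added example (not from the talk): implements the "your scan results
changed, go find out why" step over two constructed snapshots. Input is
reduced to host -> set of open TCP ports; the 'host:port' line format read
by parse_scan_lines() is an assumption, a real scanner export would need
its own small parser in front.
"""
from collections import defaultdict

# Services the talk says have no business facing the Internet (SMB on 445);
# the other entries and the port-to-name mapping are assumptions.
NEVER_INTERNET_FACING = {445: "SMB", 139: "NetBIOS", 3389: "RDP"}


def parse_scan_lines(lines):
    """Parse 'host:port' lines (one open port per line) into host -> {ports}.

    Blank lines and '#' comments are ignored. Malformed lines raise so that
    a truncated scan file is noticed instead of silently shrinking the
    inventory, which would hide exposure rather than reveal it.
    """
    hosts = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"malformed scan line: {raw!r}")
        hosts[host].add(int(port))
    return dict(hosts)


def diff_scans(previous, current):
    """Compare two host -> {ports} snapshots and return what a defender asks.

    new_hosts / gone_hosts: hosts that appeared or disappeared (a vanished
    host is a ticket too: was it firewalled on purpose, or did it die?).
    new_ports / closed_ports: per-host port changes on hosts seen both times.
    risky: every (host, port, service) currently exposed that should never
    be, new or not, so a long-standing 445 is still reported each run.
    """
    prev_hosts, cur_hosts = set(previous), set(current)
    result = {
        "new_hosts": sorted(cur_hosts - prev_hosts),
        "gone_hosts": sorted(prev_hosts - cur_hosts),
        "new_ports": {},
        "closed_ports": {},
        "risky": [],
    }
    for host in sorted(cur_hosts & prev_hosts):
        opened = current[host] - previous[host]
        closed = previous[host] - current[host]
        if opened:
            result["new_ports"][host] = opened
        if closed:
            result["closed_ports"][host] = closed
    risky_ports = set(NEVER_INTERNET_FACING)
    for host in sorted(cur_hosts):
        for port in sorted(current[host] & risky_ports):
            result["risky"].append((host, port, NEVER_INTERNET_FACING[port]))
    return result


# Constructed sample snapshots (RFC 5737 documentation addresses, not real).
PREVIOUS_SCAN = """
203.0.113.10:80
203.0.113.10:443
203.0.113.20:22
203.0.113.30:25
"""
CURRENT_SCAN = """
203.0.113.10:80
203.0.113.10:443
203.0.113.10:8080
203.0.113.20:22
203.0.113.20:445
203.0.113.40:3389
"""


def run_example():
    """Diff the two constructed snapshots; returns the report dict."""
    prev = parse_scan_lines(PREVIOUS_SCAN.splitlines())
    cur = parse_scan_lines(CURRENT_SCAN.splitlines())
    return diff_scans(prev, cur)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Run against the constructed data it reports one new host (`203.0.113.40`), one host that went away (`203.0.113.30`), two newly opened ports, and two risky exposures, SMB on `.20` and RDP on `.40`. The design choice worth copying is that `risky` is computed from the current snapshot alone, not from the diff: an exposure that was already there last week must keep showing up until someone closes it.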

Awesome, thank you. Questions? Right over here.

Um, so you talked about, like, negative incentives essentially on users that are failing to keep up. Have you experienced any issues with respect to that that have resulted in a sort of adversarial relationship with your users? Because my understanding, from at least some researchers, is that they're essentially your front line of defense as well, in terms of them reporting problems. Like, even if they've clicked through something, even if they've done something really insanely stupid, they're the people who are also gonna say, hi, I just did something terrible.

Yeah, so that's one of the reasons why I always say that the concept is kind of, you need the carrot and stick. So yes, you need to punish them for doing bad things, but when they do do right things, even if they get compromised, if you get compromised and you immediately call security, you did the right thing. The worst thing you can do is just click and be like, oh, the command prompt just popped up after I did that, I don't... yeah, it's probably nothing. Don't do that. That's where users tend to fall down, is when they do stuff like that. I emphasize the reward side of that as a big part of it, because if you don't have the rewarding, absolutely you're gonna have a very adversarial relationship. Now one of the added bonuses that I forgot of doing the reward aspect is, probably the biggest challenge in security right now is people. We cannot find people to do this. You'd be amazed, when you start actually tracking the people that are doing the right thing, the same people keep popping up over and over and over again, and you know what? Maybe you found yourself a security-minded individual that is already in your enterprise, that already understands a lot of what you do, that can fill that req that's been sitting open for two years because you can't find anyone to take it. It could be an incredible pipeline of building that internal talent as well. Any more questions? That was a good question. No? Over there.

Ah, just with your emphasis on network segmentation, I'm wondering what your opinion is on the zero trust network approach.

So everything has its pluses and minuses. It's a balance, right? Like anything, it's a balance. Even with patching it's the same idea. Like, you kind of have to gauge the temperature of your organization and kind of figure out what their commitment level is, how far they want to take it. You know, there can be pluses and minuses to anything, but the worst thing you can do is implement something that's so ridiculously strict that you get a bunch of pushback on it. It's kind of a take-the-temperature-of-the-enterprise thing, to figure out what the best approach would be. Good question as well. Any more? Nope. All right, thank you very much. Again, thank you.
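The firewall litmus test from the talk (how many rules, why is each one there, who put it there, has it been reviewed in the last six months, and what do the hit counters say after a reset) can be scripted once the rulebase is exported. The audit below is an added example, not the speaker's tool or any vendor's: the `Rule` record shape is an assumed vendor-neutral form, the sample rules are constructed, and the review window, the "zero hits" heuristic and the shadowing check are my choices. It reproduces the failure the talk describes, a `permit ip any any` partway down an ACL that makes every rule below it dead.

```python
"""Audit a firewall rulebase against the talk's litmus-test questions.

Added example (not from the talk or a vendor tool). Every rule is checked
for: no recorded owner ("who put it there?"), no justification ("it's been
here since I started"), no review in the last six months, zero hits since
the counters were reset, and being shadowed by an earlier catch-all permit.
The Rule shape and the sample data are constructed assumptions; a real
export (ACL dump, rule CSV) needs a parser in front of audit_rules().
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

REVIEW_WINDOW = timedelta(days=183)  # "reviewed in the last six months"
ANY = "any"


@dataclass
class Rule:
    seq: int                      # position in the ACL; order matters
    action: str                   # "permit" or "deny"
    src: str                      # address/prefix or "any"
    dst: str
    port: str                     # service port or "any"
    hits: int                     # counter since the last reset
    owner: str                    # who put it there ("" = nobody knows)
    justification: str            # why it exists ("" = no answer)
    last_reviewed: Optional[date]


def is_catch_all_permit(rule: Rule) -> bool:
    """A 'permit ip any any' style rule: everything below it is unreachable."""
    return rule.action == "permit" and ANY == rule.src == rule.dst == rule.port


def audit_rules(rules: List[Rule], today: date):
    """Return {seq: [findings]} for every rule with at least one problem.

    Rules are walked in ACL order. Once a catch-all permit is seen, each
    later rule is reported as shadowed; its zero hit count is then expected
    rather than a separate finding, so the two checks do not double-report.
    """
    findings = {}
    shadowed_by = None
    for rule in sorted(rules, key=lambda r: r.seq):
        problems = []
        if shadowed_by is not None:
            problems.append(f"shadowed by catch-all permit at seq {shadowed_by}")
        if not rule.owner:
            problems.append("no owner recorded")
        if not rule.justification:
            problems.append("no justification recorded")
        if rule.last_reviewed is None or today - rule.last_reviewed > REVIEW_WINDOW:
            problems.append("not reviewed in the last six months")
        if rule.hits == 0 and shadowed_by is None:
            problems.append("zero hits since counter reset: candidate for removal")
        if is_catch_all_permit(rule):
            problems.append("catch-all permit: everything below this line is unreachable")
            shadowed_by = rule.seq
        if problems:
            findings[rule.seq] = problems
    return findings


def summarize(rules: List[Rule], findings) -> dict:
    """Headline numbers for the 'how many rules are on your firewall' question."""
    return {
        "total_rules": len(rules),
        "rules_with_findings": len(findings),
        "shadowed": sum(p.startswith("shadowed") for f in findings.values() for p in f),
    }


# Constructed sample rulebase (RFC 5737 addresses, made-up owners and dates).
TODAY = date(2018, 10, 1)
SAMPLE_RULES = [
    Rule(10, "permit", "203.0.113.0/24", "198.51.100.10", "443", 15230,
         "netops", "public web frontend", date(2018, 8, 1)),
    Rule(20, "permit", ANY, "198.51.100.20", "25", 0,
         "", "", date(2017, 1, 15)),
    Rule(30, "permit", ANY, ANY, ANY, 8000,
         "", "", None),
    Rule(40, "deny", ANY, "198.51.100.30", "445", 0,
         "secops", "block SMB from Internet", date(2018, 9, 1)),
]


def run_example():
    """Audit the constructed rulebase; returns (findings, summary)."""
    findings = audit_rules(SAMPLE_RULES, TODAY)
    return findings, summarize(SAMPLE_RULES, findings)


if __name__ == "__main__":
    found, summary = run_example()
    print(summary)
    for seq, problems in sorted(found.items()):
        print(f"seq {seq}:")
        for problem in problems:
            print(f"  - {problem}")
```

On the constructed data rule 10 is clean, rule 20 collects four findings (no owner, no justification, stale review, zero hits), rule 30 is the catch-all permit with 8,000 hits and no paperwork, and rule 40, the SMB deny that someone did document properly, is reported as shadowed: it can never match because rule 30 already permitted everything. That last case is the one the talk describes, and it is why the audit walks the ACL in order instead of checking rules independently.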