IanLin

[Music] today is uh chain exploitation uh and then perspectives in security testing um I'm going to be going through why connecting the dots is crucial for both Defenders and attackers um just a little quick overview of who I am and uh where I work I work at uh I've been working at pack Labs we're a security testing penetration testing firm uh that started in 2011 I've been working there since 2018 um I'm responsible responsible for a lot of the security operations purple team exercises penetration testing uh and red teaming exercises I promise I'm not a professional um certificate getter but there is some associated with my name I don't really feel it's necessary to put that but our marketing department

feels otherwise right okay who is Packy laabs um just a little bit of a shame uh Shameless plug here um pack laabs is a penetration testing firm founded in 2011 uh we're you know we consist of a team of multiple teams of highly trained uh proactive ethical hackers uh with different Realms of expertise uh we have experience performing um across various industry vertices including Financial e-commerce Transportation healthc care and government uh and overall in Canada uh UK Australia and the USA as well um um okay bsize Calgary so the reason for my talk today um it's not you know groundbreaking Concepts or theories a lot of my talks you'll see that it's really just observations that are made

from Real World work and with with some case studies and this is typically you know uh some of the sentiments I've had from Defenders some of the uh the sentiments I've had leading a team of ethical hackers and penetration testers and really some of the shortcomings and gaps that I'm noticing across uh the industry as a whole right so first we to get to some of the efficiencies or I guess negative sentiments on the blue side whenever they receive a penetration report or penetration testing remediation report uh number one is that uh the the first kicker is uh the a pen test third party security testing is extremely expensive so a Big Driver of security testing is unfortunately

compliance and uh not a lot of people want to deal with security afterwards so a lot of the times they they look at a remediation report they're like oh okay we have things to fix which is not the best way to interpret uh penetration testing report and I think the second thing is if you've ever seen a penetration testing report even if you haven't go on GitHub and look at the penetration testing report templates it's you know we're presenting uh vulnerabilities and findings in

really have to do with another so that's another shortcoming of a penetration testing report um another thing with this problem is is that when Defenders receive it they don't actually understand the prerequisites uh for certain attacks for example finding number one actually is a prerequisite for finding number three is very actually difficult to um communicate that in Report Form um even in a presentation Deb format like this it is also very difficult to communicate it um I think number four is there's a mass confusion on what penetration tests can do and what it cannot do I hate the term penetration tests because the term implies that is a test you pass or fail something but that's a horrible way of

understanding penetration tests and I think I've seen it security managers directors Hound on their staff saying we failed but like that's not the way to understand uh penetration test it really should be an input uh the data we get from penetration test should be input into your security program um and I think the fifth point is silo testing teams I think across uh big consultancies like the big four uh and internal uh security testing teams people are siloed into different uh niches what I mean by that is if you test web applications and you kind of belong into like the web application testing team and if you test infrastructure you kind of belong into that team so you're not really there's a

big Silo thing that exists across almost all big companies and uh and how that's bad is because sometimes um the web application penetration testers might find something that leads to internal network access and if you have Silo teams it's really difficult to chain that together um I think the next two points uh really I think uh I mentioned a little bit on it but there's a really real lack of training for the blue teamers The Defenders on how a penetration test report is supposed to feed into a security program um and a lot of the times in penetration testing reports I've been saying that word a lot um it's you know we address how to fix

the vulnerability but we don't actually address U any sort of guidance on security strategy that that takes a little bit more so these are just some of the observations I've noticed from U being a penetration tester for the past sort of fiveyear Mark right now this is a sample of one of our penetration testing reports um just kind of notice on 5.1 right so a lot of the times we'd find something called a active directory certificate Services vulnerability uh a lot of the times that actually a prerequisite in exploiting that that particular service and active directory really hinges on uh security controls in your ldap configuration and also whether or not you are allowing users or null null users to be able to

coers authentication from a domain controller a little bit about that later on right so just kind of an example of hey look if you get it in a list format is really hard for you to contextualize hey these two findings actually have to do with 5.1.1 right um I think there's another gap on the defender side I'm ripping on Defenders right now because I think um a big part of the indust blue side or the Defenders really need to master the basics so there's a um really popular meme I like to use here is that um in information security um there are some fundamentals that you need to practice uh for example patching strong passwords user awareness uh

security hardening but then the way the industry sort of Trends is like we need to get the latest WAFF the latest this EDR we need to sign up for that third party xdr service we need CTI sorry the last talk was CTI we need Pam we need all these extra things right but a lot of the times if you don't focus on the fundamentals doesn't matter if you have any of these products you're bound to fail um and I think a really popular Trend that I've noticed for Defenders is the sort of over Reliance on EDR and xdr technology so if you look at the right hand slide this is a quick Google search on you know what R is the best and I

guarantee you there's not a vendor in the world that won't say that they they are number one or 100% in their miter attack uh evaluations um so if if everyone's 100% andone everyone is first um who really is right right so this I think this is one of the you know major drawbacks and I think on the marketing side of things it's um it's really difficult for someone who's out there trying to purchase uh or acquire a product for their organization to sift through all this marketing crap right yeah I'm not saying edrs are bad by the way I'm just saying the marketing around it is garbage um next right this is one of uh websites I use to educate people

and clients when it comes to nuances in EDR technology I I apologize if you're any of these vendors I'm you know you're great but there are some uh uh flaws and gaps when it comes to these sort of evaluations so a lot of the times you're going to see this and I think what purple means uh if I remember correctly is uh detections found and towards the very like right side the yellow and the gray that really denotes that oh there's no detections found or uh it just wasn't logged in their sort of platform now if you look at this and you compare all the edrs you're going to see most of them are purple and they're going to be like

oh yeah we scored whatever whatever for a specific AP or specific scenario but I really kind of want you to sort of um uh focus on uh the two uh modifiers uh at the left here and there's a reason for that so actually I'm not the only person to point this out um very popular uh Twitter infos uh professionals they also have uh sort of insights on uh these things one Twitter user said this miter eval to the last place you should look for when shopping for an EDR that's pretty ironic because a lot of the marketing comes from miter uh and I think another another one that I found funny was anyone else surprised that all

the EDR vendors uh came first um and I think there is a generic problem with how this is portrayed so to put some insight into this is sort of highlight that here is when I uncheck these two things you see how much yellow it comes out of so you when you do that as a comparison it's more accurate what these two modifiers means uh is the number one configuration change is that during these evaluations for people that have participated in them sometimes they'll stop the scenario and say hey let me make some tuning or configuration changes to my EDR so if you think about it in a real life attack scenario do you get time to do that right so that's a

Nuance in of the miter attack valuations and the second one is delay this this one's kind of funny so if I launch an attack or make an action sometimes it comes a day after can you action on that in a real life scenario if you're a day late so those are sort of some of the the the nuances that I sort of want to sort of show people uh especially when navigating uh the EDR market and this is something the boot team The Defenders really all have a trouble with because every time after pen ation test or after a red team engagement they're different by the way um they would ask us so what is the best product to buy and that and

and when you ask that question immediately the the direction is wrong because it's not about the technology okay now chain exploitation why this is important so this part I'm going to go over a little bit why it's important to understand vulnerabilities in sort of a graph format yes so just on the last slide did you expand on

narrow kind of like okay yeah yeah so let me let me um based off on I might be wrong here because I don't have the the site available with me but I believe that the the the the more it's purple the more Telemetry there is gathered for a specific prodction right um because sometimes if you look at edrs um you're going to have an alert panel most of the time right um the more more specific would belong in there but you're going to have a whole bunch of telemetry that might not be alerted on those things you have to go hunt for and search for so I think that's what it means there right yeah yeah I'm not an expert in in in

deciphering minor evaluations this is just some of the flaws that I've seen when vendors come to me we bought this product it's supposed to protect us how come it didn't do its job it's like not really and yeah I'll go into that a little bit later uh trained exploitation why this is important for now now I'm on the uh sort of the attacker side these are also some of the flaws and Trends I've noticed in some of my own U work as well as some of the work that pack laabs produced were not perfect um I think understanding root causes will help Defenders prioritize remediation so one common thing that I have seen uh from

point one and point two is that sometimes an attacker would uh find something and they would stop there um so we actually were able to take over a few clients from another penetration testing firm because when they were doing a fishing exercise yes they got into an inbox but that's where they stopped but when we did it we we we went into the inbox we found all sorts of things wrong and we were able to hop from email inbox to internal network access uh and really one of the uh I'll go over that in a bit um I think also penetration testers need to think about a different way of reporting so I think lists are sort of uh Legacy and it's

very difficult to communicate risk communicate strategy and uh uh all sorts of detection uh value um a good way we do this is by thinking in graphs or diagramming what we've done um and if you you know try to write your penetration test report in a way to construct a story it becomes more memorable to uh The Defenders I think John Lambert I think he's one of the uh Microsoft VP for Microsoft security he said that Defenders think in list attackers think in graphs as long this is true attackers win and one of the uh um you know the tools that was modeled after this philosophy as you some of you may know is the active directory Blood

Hound tool you see it's a way for attackers to visualize how to Traverse uh the internal Network okay um right now I'm going to go over two specific uh case studies these are recent and real world engagements that I believe happened in the last two months that sort of detail uh some of this in practice right so remember how I mentioned there was a firm that stopped that fishing um and you know but when we did it there was a way for us to get to internal access there's a very similar uh case study here so I'm gonna present from email fishing or social engineering to domain administrator so it's a very simple scenario here we were able to

craft a uh password Harvester application uh trick them into you know entering the credentials but we're faced with sort of a Microsoft authenticated authenticated prompt I don't think this is possible anymore in the default configuration but what we did was we just logged we started logging into his account at like 1200 a.m. and we did it like 20 times and you know I think they wanted to go to sleep or something so they press yes right so that that's like the very so we've been using that all of like 2019 2019 and 2020 and it's always worked for like like seven out of 10 times um and I think I think a step that attackers sometimes Miss is once they

get into the inbox they're like what I do now yeah if if you think in attacker shoes you have to be able to go further and that's really where you create value so a lot of the times when an organization onboards a specific uh user contract contractor or a new employee they'll give them like of boarding details sometimes they'll post this on SharePoint sometimes they'll give it them give it to them in a teams chat sometimes they'll email it to them so this is exactly what happened here this was a point uh for an organization rather big one and uh they they just put the the openvpn configuration on their SharePoint here's remote access guys

right it's really interesting because um once you have this file all you need is a correct username which we already have from our email fishing scenario so right after this is um you know logging with the user VPN right they they configured MFA they mandate MFA for their Office 365 but not their VPN for some reason that's an oversight here so simply downloading Cali host with the exact same fish credential we're able to log into the network that's how someone can jump from email fishing to internal Network very easily right um I have no idea why they did not mandate MFA but you see back back to the the mastering the basics again multiactor authenication is a basic security

control having that in place on also of the VPN would have um would have actually made our tasks a lot harder here right now so stay with me here at this scenario we're now currently in the VPN network I'm going to say it's like 192 168 1. one or something right um the next part is a little bit more uh harder to explain when you're on a VPN network in a client's environment and the VPN does something like split tunneling um you're going to find that not all ports to all hosts are open sometimes you can't even reach uh most hosts uh but what happened here is that we managed to find an RDP instance that the entire

organization gives their users access to we're also able to hop onto that Host this is a terminal an RDP terminal with command pump open now one of the big problems is is exploitation because we weren't using a command and control framework we're just simply on the command line it was very difficult to conduct the Tex because a lot of the times if you've been doing hack the box or ctfs you're probably familiar with a Cali Linux machine but in a real world scenario you need to learn how to operate on a Windows computer if you can't end map on you can if you can end map on C what are you gonna do uh on on

on a Windows machine you going to install in map there's a lot of things that you can't like kind of do when you're on a C machine so uh on the VPN network there's also segregation so from our Cali machine uh we can we can actually reach RDP but the domain controller we can't reach the domain controllers for for uh SMB ports ldap ports CER Bros ports and DNS ports and you have to understand when it comes to active directory being able to communicate with a do domain controller is a very an extremely important thing um but the thing is that the RDS server has access to domain controller so what we did here is we logged into the uh RDP

server we and because most Windows 10 comes with SSH we use SSH to Tunnel out to a Cali box that we control so what we're I'm doing here with this command is the the first argument is sort of my attacker DMZ IP I'm saying okay the intern and I'm putting the internal IP of the domain controller here so that once I do this you'll see the next screenshot is that hey now I have access to the domain controller uh SMB ports ldap ports DNS ports and Cur Bros ports uh on Local Host this is called uh local port forwarding in SSH right so if I do an end map on these things you can see

these services are working right notice how I'm end mapping Local Host is because I'm binding that uh um that all these services from the RDS server this is why uh egress filtering is important egress filtering is a practice of limiting what outbound traffic have from your organization now this part I think is quite obvious uh in in packet there is an attack called curb roasting which is usually you can get the TGs the service ticket of uh domain users that have their service principal names enabled right so from an RDS box with SSH uh an attacker is capable of doing this uh with this done um this is basically the these hash material used for the domain

administrator account domain administrator account and if I was able to crack this I can then log in from that RDS server into the domain controller and that is exactly what we did right domain controller and we did this in the span of I think three hours yeah and just as a bit of a wrap up here right so sort of to to to go over this entire attack graph scenario is that we started with a fishing campaign cign password Harvest right and then we could proceeded to spam them with the MFA uh we found an open VPN file in email and in SharePoint right with VPN access we had RDP access at hosts now because they

don't practice egress filtering uh we're able to Tunnel SSH outbound right and because of this we're able to Tunnel back with curb roasting uh and compromise the domain controller so as a wrapup here what are the fundamentals that Defenders need to be practicing right The Defenders really you know failed at these three points right um the the way they configure the MFA right uh push notifications are no longer allowed so now you need to respond with some sort of challenge is usually a number or some sort of other response either through your authenticator app or whatnot right second they didn't really think about um their uh onboarding practices right this is something that's a very uh you know very difficult to do

well very few organizations have been have have success keeping this hidden right and the third thing is the lack of lack of egress filtering right so what lack of egress filtering kind of uh more specifically means is that from your machine location if you're able to reach your uh TCC TCP ports one to 65535 then technically I can SSH on any of those ports and tunnel any number of ports internal IPS out through whatever Port right and a capable defense of people can use is you limit just to the ones you need a lot of times organizations just need to be able to visit web which is https and HTTP P 88 443 and what you do is you perform

packet inspection and you place all your IDs and IPS on those two ports it's impossible to do it on all 65535 it's not feasible and that that's the the the funnel for detection would be too large right so this is the you know uh case study one a second case study is uh sort of our um red teaming engagements we use this scenario uh it's one of it's a favorite of mine right is that uh you know they we ask them hey enable two active directory or however number however however many active directory accounts that were recently disabled because they either left the company or you know they're on mat leave or whatnot let us use those accounts and see what

we can do from there that actually is a a more realistic exercise of an assumed breach a scenario um so you know in this particular scenario here we're actually dealing with several um expensive uh firms and expensive Technologies we're dealing with the security Operation Center who they're very apparently they're they're very good uh they also have a DLP product uh they also have a corporate filtering Pro locker and EDR and we were shipped on site to perform red team engagement on sort of contractor laptops like standard Windows 10 right and I think for this engagement it was really tough for us because um they had a rule they they were like at any point if you're detected the

engagement stops so right away that's that's not the way you run an engagement has no value for The Blue Team if we were able to bypass everything so number one right so um okay so let me go through this one right so as we were um on the contractor laptops yeah they're corporate proxies very well in effect um it's you know this is a standard corporate Pro proxy if you were to visit social media sites if you were to visit cali.org if youer to visit youtube.com you're gonna get this right and actually it's funny enough because the first the first day we were on like let's see how we exfiltrate data out so I started

going on like github.com uh you know paste finin and stuff all blocked right even like like box or one drive it's it's all blocked right so and and and we also went to Java because we wanted to see if there's any you know useful um initial access vectors right Java's blocked but we actually found that uh python.org is not blocked which actually led us to the conclusion that this company probably uses uh some sort of um you know python development in their pipeline or they might have an internal python shop or you know for Dev SEC Ops or devops they might be using python somewhere in this organization right so if you go on python.org it is not blocked so actually

that gave us about 30 28 to 32 hours to look for vulnerabilities in Python so in red team engagements is very different from penetration testing penetration testing you're focused on vulnerabilities red team test red team engagements you're focused on uh testing their security posture so it might not really be vulnerabilities so actually we looked through a lot of python versions and I think we stumbled upon python 311 I think in almost all versions of python 311 if you were to go to python right now and download this embedded package you're gonna and you unzip it you're gonna see something like this here you're GNA see a python binary and a whole bunch of DS right but the only two

we really concerned about are these two because when you uh when you run python without installing it you actually are loading you know python 311 dll and a whole bunch of other on the ship right but the python 311 is the most important so this how you run python in a uninstalled manner so you sort of run it as a portable executable you're you're allowed to run python like this and day two of the engagement was us sort of running python like this you know hello world we're writing scripts just to make sure the AI for the EDR sort of pick up okay python on this machine is kind of normal right now we actually tested this uh I

think we came up we we we probably made over 47 payloads in order to get this to work I think we stumbled on like three that potentially could work um so essentially we had to craft the D that would bypass uh EDR agents um that is the most expensive thing in a red team engagement so whenever you're scoping out engagement like this you always want to be like okay we're gonna spend x amount of time trying to evade your AV or EDR but if we can you should whitelist it that should be the approach otherwise they're paying for a lot of things that and they not going to see a lot of things from from the report so

number one we had to evade uh uh an EDR and number two because of a corporate proxy anything that you try to download would be subject to inspection so if we were to just pack an exe or if we were to sort of pack um uh you know uh you know bat file I don't know if they still do that um it would be probably flagged uh by the corporate proxy it would ALS they would probably also have a copy of your payload right so there's two things that we sort of need to sort of develop here number one is uh reputation reputation is hard to come by so unless you've been seating domains for a long

period of time is and and and having like fake stuff for all the categorization engines to say hey this is you know this is for shopping this is for social media that then it's really hard to get uh trusted reputation so one way we did that was to abuse cloud services if you go to azure and you spin up an Azure Cloud app or an Azure blob storage you're going to get a nice Microsoft signed SSL certificate uh no longer are the days where let's en Crypt is used let's encrypt is automatically flagged by almost all edrs and firewalls now so don't use that right now the second part is dynamic generation of the payload um because you don't want the

payload to be sort of captured you want to use something called HTML smuggling HTML smuggling is uh usually just a base 64 blob in JavaScript uh and you're using a JavaScript function to downloaded so this is known to bypass corporate proxies so if you're you know Defenders try this technique out right see what your corporate proxy will catch most likely it will catch the endpoint where that's hosted that's it because it won't catch the JavaScript part right so we're actually able to use trusted sites and HTML smuggling to smuggle a legitimate python package but shipped with a legit uh dll and a custom dll that we uh um yeah that that we also use okay and the specific technique that

we're trying to use here is uh side loing and what side loading is it's just uh essentially what side loading is it's a subcategory of DL hijacking and and it's usually when you position um a legitimate application in this case python and the legitimate dll and the malicious dll so that when you execute python it loads your dll alongside uh the legitimate one so the python process still actually works but you're loading uh the the malicious do as well right that's how you gain code execution in the form of a trusted process so when we did this um our Beacon was running as python sign binary python with a D um additionally um to ask our traffic

with the client's organization we can because they have a lot of cloud apps or Zer websites um so we abuse something that actually was open again like a month and a half ago right in November 2022 um Azure or Microsoft sorry um they actually blocked domain fronting for newly created domains did you know that as of September 25 25th this year they have re-enabled that yeah no right so actually this is to watch out for again right so because of this uh because overwhelming customer feedback and security considerations they've opened this again this really funny when I read this yeah but I'm not I'm not I'm not dogging on Microsoft I'm sure they have their reasons I love Microsoft but

sometimes I don't understand I I I think for them security is not at the Forefront of their business right yeah so that that's unfortunate reality of some of these things now contractor laptops to domain admin right so day three of the engagement we're after 47 compiles of that payload we're actually able to detonate the payload inside uh the contractor laptops right I masked out I don't want to try to I don't want to shame the EDR vendor but an EDR service process and a stock agent process was both running and we had a beacon in there for what is it 15 days 16 days in there and they did not complain right 100% not really yeah so

okay let me go back to the 100% the 100% thing is not prevention nor detection if anyone says their product can 100% detect and prevent don't trust them what they mean by 100% is visibility because EDR edrs work on the userland and also kernel they have a lot of methods where they can pull and gather Telemetry so they have 100% visibility I'll believe that right because they they they have the ability to look at everything that's happened on a specific host that's exactly what they're advertising their product is that a question yeah what's

up yes that's probably the reason why right because when edrs look for something very obvious right unsigned executables are no no right if you if you try to detonate an unsigned executable you're gonna get flagged right and that a lot of times when you detonate a payload if you're performing any sort of uh remote process injection like create remote process thread you know all all everything along that Lin you're going to get caught right so it's one of the reasons we were able to bypass this was we did something called uh um D unhooking so how edrs work is that when something is run on the EDR end they redirect execution flow to their own dlls right and their own DLS

will process whatever um that process is running right now in order to circumvent that you would need to look into that specific EDR look at what DLS that the the the code execution flow is going to and then you unhook them you say no go to Colonel 32 go to ndl right so when you do that the the the the EDR won't complain that's one of the techniques we were able to use to bypass that right now the funny thing is um they there's indicators of that in the EDR but you actually but it's not as in an alert format you have to go look for them you have to do hunting to actually go check

so that that that's why you can't over rely on the alerts that edrs give you right and the second thing is that we're able to uh exploit something called um this one's tough to explain I don't know if have time right uh this is an active certificate uh active uh directory certificate Services vulnerability I think in 2023 alone till now eight out of 10 or nine out of 10 times we've been able to get domain admin through this exploitation process so it's very useful to learn what PK AI infrastructure is and what certificates do in active directory now in this specific case I'm just going to sort of condense it here is that um is essentially the ad active

directory certificate Services installation on a domain controller or on another server it's usually settings with predefined active directory objects as certificate templates now these templates are a collection of enrollment policies uh and other certificate settings for you know you know what's the subject uh who is allowed to request a certificate who's allowed to authenticate a certificate who is allowed to enroll now the only thing I really want to point out here that is sort of the Dead on the Mark is if anyone in their pki infrastructure allows domain users to enroll um then it's a easy privilege escalation path from domain user to domain admin right just to keep this part short yeah would be known as an esc1 that's correct

that's correct right an esc1 is templates allows uh uh specifying a subject Al alternate name right now after we did that um to cut this attack sort of short we're able to extract the uh certificate usually it's a pfx file um if you're doing it on Windows you can't do it the certified way the certified way does it all for you it's very easy so what we did here is we injected a net executable called rubius uh we were able to sort of get the ticket sorry the certificate and then we used something called uh unpack the hash um so I we use something called unpack the hash to get the ntlm hash of the

privileged account and what unpack the has is is that it's usually a service ticket with something called the pack credential info info step it essentially contains encrypted uh username and password of that specific impersonated account right part of this is we're able to use a domain user specify a uh alternate subject name for example a high privileged user and where able to get our certificate back and what people don't know is that you're able to authenticate with hashes passwords tickets but you can also authenticate with certificates so if you can authenticate with certificates you're able to pull what tickets out of that user you can pull the hash of that user essentially that's what we did

here right now the very last thing here is uh you know using proxy chains we attempted to perform past the hatch on the target domain controller and why we opted to do it in this way is because if you understand C2 Frameworks the only way you can pass a hash is to patch a specific process called Elsas when you do that you're going to get yelled at by your EDR as well so one way to not do that is to also um to to to launch a sock proxy and then do it on the Cali inux machine and the only indicator here is probably your hosting right so whatever host name you put as your uh C2

server that's going to get in in the windows locks is actually one of the reasons we got CAU because I put brute Rell here and I was not forgot to change that to a a host name in the clients environment right but we didn't get caught until a lot later so it's fine right now a lot of the times if you've done offensive security training You're Gonna Want To Do ip config who am I and host name please don't do that when you do that you're gonna get caught because literally I know at least three EDR companies that will just flag these commands no matter who runs them they'll flag them right so offensive security um

like because they they tell you hey you need to give us proofs in this format um a lot of security uh you know testers or penetration testers will do that to prove hey I have access don't do that just list a share that's good enough yeah now to sort of wrap up this entire attack right um really it's we we're with a very modern sort of uh you know defensive security stack proxies the L PS app Locker EDR ack right very hard to circumvent but really here is uh where it it gets down to it right it's the python the dlsi loading esc1 so what are the basics and the F fundamentals here it's really you have to think about uh

sort of this section right this isn't really a vulnerability so it's really hard to communicate that if you if your team is over relying on the EDR you're always going to hit a uh advanced adversary or an actor that's capable of bypassing how we bypassed uh this specific EDR is because our company happens to use it so we have a perfect test instance against this uh company as well because we have the same EDR customer now um so we're able to test so many times until we get around that product we've got around that product I think like 10 times now um now the second part is really managing who has Python and who can run python in the

organization if you don't have a baseline or if you don't have any knowledge of what goes on in your environment it's very difficult to Baseline an attack like DL sideloading or DL hijacking right and third is misconfigurations right um pki infrastructure is very hard to secure properly it's very easy to screw up especially if you spin it up without touching it you're going to be vulnerable so another one is whether or not they audit their pki infrastructure with the tools out there right and I think another one I didn't really highlight is domain fronting with your now because Microsoft is now on the bandwagon of okay let's allow domain fronting again there's a need for

detecting potential uh domain fronting uh activity and really you it's it's usually just looking at the host header and the uh Sni uh value if there's a mismatch this indication that something is being domain fronted now domain fronting doesn't mean it's malicious a lot of legitimate apps also domain front right one popular one that does it is signal signal does domain funing because of what it advertises right now the hard part is baselining you know what in your internal traffic is tunneling out or sorry communicating with aure that's the most important part and a big prerequisite for this is SSL and TLS decryption if you're a you're not able to decrypt or SSL or TSL uh TLS sorry um

you're not going to be able to look at the host header or the Sni value right so there's a lot of things here that uh is uh sort of the you know some basic things right but it's really hard to communicate that as a vulnerability because what we're going to write is yeah fix esc1 right it's very hard to communicate the other three parts because that's part of security strategy right so kind of what needs to change and sort of Lessons Learned here is that actually instead of just issuing a report what we've been finding um is that we give more value to vendors when we diagram the findings right we do this with a

portal we sometimes do this with a graphical tool and we label findings and you know how they have to do with each other right now I think one of uh the popular quotes by John Lambert is that you know what do you think is your biggest security spend if your biggest security spend is the technology or whatever that's new and hot whatever buzzword technology that you're going for if that is your biggest security spend you have a problem technology is great but it's the people that investigate alerts and hunt in the network so where does that investment need to go it needs to go in the people right because the people know how to hunt and how to Baseline an environment

you have a step up in the game right um also number three I know I keep mentioning this but penetration testing results should not be thought of as just an output it's not a check mark pass or fail it needs to integrate to an actual continual Improvement program um you need to have someone capable uh reading the penetration test report and draw uh specific security and strategic recommendations that can be part of your security program that's how you're supposed to actually use the penetration testing report now in order to um learn in order to be a good Defender and this is for the people on the defender side you actually need to be an attacker um

you to be so I I actually like defense more than offense right right now because defense is so interesting how do I catch people like me right but in order to do that you gotta like be on the attacker side first I think that's one of the prerequisites that are missing a lot a lot of the times you know I I see students or you know a Juniors uh in infos trying to go into the infos field you start out as what sock analyst right if you start out as a sock you're not going to know a thing I started out as a stock analyst I did not know anything the only thing I could

detect was lockouts right like honestly yeah right it's only after I went into the offense I I can be a pretty good uh a stock analyst now because I understand how attackers work I understand what to look for I understand how to hunt right um a good Defender cannot be born without time in offense right as as some popular quotes on Twitter said defense is offense's child and that's really Rings true in in this field um actually the basics are important right white listing asset Vol management security uh uh security architecture design lease P privilege policies uh access request policies anything that you can policy it's good because it creates a narrower funnel for detecting threats that

actually matter part of the reasons why security teams can't detect threats that matter is because the funnel is too big there's too many things they got to deal with right so you know this is not you know something new these are just some of my observations about know uh security testing as a whole and my time on the offense and sort of um uh insights for the defensive team so I think that's all I'm Gonna Leave time for some questions yes yeah no the company itself does it because it's so usually when people get this like I've seen the this happen like a director or a manager gets a report and they threw it to their sis it Sis

admins hey fix this that's a wrong way to use it as the Director or the it manager responsible for the security program you got to take that Rapport and you got to mine insights out of this Rapport what why did this specific attack work how do we change up our process or policies to make this more difficult the next time right

yeah what got me c oh gosh so this is okay I I'll when we're back I'll share more but what got me caught was um what got me caught was running sharp hounded memory um no I I ran rubius and a whole bunch of net executables in memory but sharp Hound was the only tool that leaves behind dis indicators so when you run sharp Hound it creates a cat file and it creates Json files with specific file names now I know to randomize the file names I know to to say don't save the cash but when it's trying to zip up together the hash there is no way to change the Json F before it zips so

that's what got me caught and I learned that the hard way right but when I got caught by that the the the tri team marked it as a false positive so that's why we were in the environment for way longer right they were like oh this is normal and we're still like yeah yes so so

thisal you imagine with you guys to make sure that they at least have a shot at absorbing the bigger picture versus just reming absolutely when we do it we don't we don't really sort of sort of set of a c set a cap like this one client that's been working with us they've requ you know it's like a 8 week long engagement I have two meetings with them a week so that they absorb this information so yes that that is absolutely necessary if a client just comes to you with a report they're not going to learn anything other than oh this small really I gotta turn on this registry install this KB it's not going to be helpful for them I

saw another one

here Micosoft learning part of did that make any difference when it comes to Baseline you're using time that stuff so um I love how you bring in machine learning I don't think there is an EDR in this world that doesn't do machine learning marke right yes right now I I don't have experience with the specific uh Microsoft product that you mentioned but we did I did I we do testing uh alongside another firm that says they run automated pent tests with AI machine learning we are able to find more almost 90% of the time right yeah so yes AI machine learning does help but it doesn't help in the way that you think you can't replace people this

is why back to the point you invest in people not technology because the more you invest in technology it's actually the people that defend your network right these vendors they care about you know their recurring uh expense for you um or sorry not expense recurring revenue from you um They Don't Really they don't really have a vested interest in defending your network your people does yeah that's the

difference um so part of that is uh so we usually have two types of debriefs we have debriefs for the executives the managers at high levels I don't I don't go into details a lot of times I just present graphs I don't even go to I don't even most of the times there's not even a one command line output I just go over graphs this is what we're able to do this is the impact this is the potential Financial impact dollar dollars loss execs need to know that right and I think we have a separate call with the technical team to say this is what we did these are some hunting strategies the these are detection

opportunities right these are our logs let's compare logs yeah yeah so we Sorry OT pen testing um any comment on that uh I'm probably not the best person to speak about operational technology um but what I've been observing from my side is that uh we do a lot of OT pent test as well um and it's it's a lot of times it's joined with active Direct on Prem it and OT there there's a Gray Line dark there's a gray line right now for OT stuff we're about 20 years behind like on-prem active directory so on Prem active directory has grown a lot we're now to cloud and stuff stuff like for OT a lot of times if you can circumvent the

segmentation you have full access to whatever PLC IC scatter stuff that you see so OT is 20 20 25 years behind traditional on Prem so infrastructure does that mean that easy to circumvent this it's so there's no circumvention need if I have direct network access there nothing's needed the hard part is find finding out how circumventing that segmentation and a lot of times circumventing that Network segmentation is in the it realm because it's the it switches you know the active directory groups you know the way you design your network segmentation Falls in it not so much OT so you need to know this stuff before you get into OT a lot of times we hit OT stuff we've been able to control

cranes we've been able to control kils you know control you know chemical output levels things like that yeah sorry I just keep asking very curious about engagement how about uh things like Z with that CNA right you get all traic and they have where you can go to any success on people okay so um we've tested many clients that says they have zero trust zero trust isn't uh technology it's just a it's it's a principle right no technology can give you zero trust automatically right yeah so zero trust is a is more a a principle that has to be put in practice

and

yeah right

[Music]

success Yeah Yeah from an offense yeah offenses from an from an offset perspective and um in all my time I probably seen only one organization who's put zero trust together in place properly for that specific engagement we were not able to do a thing uh the only way to circumvent that is you fish them till you die because no because for zero trust infrastructure you know yeah it's like they don't have passwords it's it's it's like they don't have passwords you literally have to fish them with all typ different types of tech techniques we tried a whole bunch of different techniques but a lot of times for these organizations it's the right person right opportunity right

time the right you know pretext to get privilege access somewhere but a lot of time in a lot of zero trust uh organizations you're really still only one fish away from privileged access though that's that's the problem right so zero trust is effective it'll make this harder but it's not foolproof yeah there's no fullprof no there's no foolproof you don't there's no stopping attackers yeah if I I if I have millions of dollars to throw at initial access we're going to get you yeah yeah that that's that's the fact we're it's it's about slowing us down

yeah yeah

okay right so a comment on that is when you have that kind of a security stock that I presented a sock an xdr you know they had two edrs actually right um you know and and and a full team they had like 300 people on their it it's a huge company you have never seen 350 on it team on a blue team right so if you have that amount of resources you have visibility right there's no such thing as no visibility when you have that amount of resources the only reason you would miss detections is because you don't mandate threat hunting you don't have people actioning on the visibility you don't have people sorting through

the Telemetry a lot of the times it's that it's not that organizations don't have visibility it's that organizations have too much visibility don't know how to sift through them or action on them right so it's about it goes back to one of the core principles is about the people it's not about the technology you can install crowd strike like whatever Sentinel one micro Defender for endpoint you know cyber reason fire whatever right if you don't have people looking at it it doesn't matter

[Music] yeah [Music]