
All right, good morning everyone, welcome to the second session of BSides track two. Before we get started, a quick clerical announcement: apparently there was a t-shirt kerfuffle of some sort, I don't know. Davey says check your emails if you're missing your shirt. I think there was something wrong with the XL shirts, but anyway, check your email if you're looking for one of those shirts and then take that email over to the registration table. So today we have Corey Buzzard talking about "Use What You Have." I'm sure not all of us have these large corporate budgets that we see some of these fan companies represent, so this will be an awesome talk, learning a little bit more about using what we have and the best way to optimize this technology. So, that said, let me turn it over to Corey.

Thank you, thank you. So, just as he said, today I'm going to be talking about "Use What You Have." There are a lot of things that you already have; these are things you may not have to go and spend money on, they're just things that you could utilize, take advantage of, or deal with to improve your security, obviously.

So with that being said, who am I? In my professional life, I'm vice president of security services for an organization called Blue Bastion. I run a managed detection and response team, a digital forensics and incident response team, and a DevOps team, just because I'm a huge proponent of automation. Who am I personally? Well, I'm a husband, a father, a hobbyist; there are a lot of different hobbies that I have, and the last one on there is true: I am an alpaca farmer. I have Babydoll sheep. Too many animals is what I'll say. So you'll see alpacas here or there with me.

So why the basics? There are a ton of tools out there: insert an EDR platform, insert some new buzzword term, XDR, that's out there. Can't I solve all my problems with that? You can solve a large amount of problems with those tool sets, and I'm not here to say that those tool sets don't work. They do; they work very well. But what I'm here to say is maybe you should think about taking advantage of the underlying features of the things that you're implementing to the best degree that you reasonably can before you start adding on top of that security posture with new tools. So, as I said, does that mean I don't need tools? No, that is not what this speech is whatsoever, just to say that very clearly. The key ingredient here is: don't let the exception become the rule. Make the rule the rule and the exception the exception. If you have an XP device in your environment, okay, that stinks, maybe you can't get rid of that, but don't let that become the rule for the entirety of your network.

So what are the basics? Basics could be many different things. I'm going to point you to the CIS Top 18. It's a really great starting point; there are 18 major overarching things there that you could look into. I think one of the ones that I will say the loudest right now is asset control, discovery of your network. If you don't know it exists in your network, how can you secure it? That's the easiest way to say that, right? So that is a really great framework that you can start with; take it, walk away with it if you've never heard of it. If you have heard of it, you're probably quite familiar with it. So, digging into that, like I said, asset inventory is super key, and data protection and recovery, DR/BC, those types of things.

Too much to do: I see this a lot in the industry. I see paralysis by analysis. There are too many things to do, where do I begin? Put one foot in front of the other, just start moving forward, pick something, tackle it. If you can do that, you're going to slowly increase the cybersecurity of your network or enterprise.

It's really hard to see, I'm sure; I added way too many things into this slide, I almost apologize. But documentation, I'm a huge proponent of it. Why is this key? Documentation is ultra key because of things like network maps. I run a digital forensics and incident response team. Why is a network map important? If you're having an incident and you bring in an organization like ours, how do I know what assets you have and how they are interconnected? Do you just have one major site? Do you have fiber connecting multiple sites? What's that look like? Another fun fact about network diagrams: have a physical copy of them that you keep up to date. If everything in your network gets encrypted, so do your network diagrams. We've run into that.

Org charts: that's going to play into another slide that I'm going to talk about here in a few minutes, but how's your organization broken down? Do you have an HR department? What do they do? What's their day-to-day look like? As a cybersecurity individual, you have to understand what your organization is built from. What do the people in your organization do? Your HR people, they open up PDFs all day, day in, day out, right? Resumes. They're going to get all kinds of stuff like that. I'll tell you this: I came from an offensive security mindset. I won pen tests by sending HR individuals resumes that just had macros in them. That was an easy win. So understanding who your user base is and what they do as part of their job will help you understand how you can help them become more secure as well. So talking to your user base is quite key, but also understanding what the roles inside of your organization are. Understanding these things creates a foundation for how you can also create better cybersecurity programs inside of your organization, because what you'll find out is, if I sit down and talk to one of my developers and they only use Python, as an example, and they only use PyCharm as their development platform, I should never see things like VS Code or Visual Studio on their machine. I shouldn't see C# apps running, right? But without that intricate knowledge of who they are, what they do, and how they work, you're going to end up deploying an EDR system and say, well, I don't know, we'll just allow it to a developer, and that's not going to get you to the place that you want to be. So documentation is quite key.

Also understanding things like: what are your most important assets in your organization? I'm going to say this two different ways because it's very important. Number one is: what are your most important IT assets to your IT organization within your organization? If this server goes down, what does that mean? The second way to say that, and the second piece to note that is ultra important, is: what are your most business-critical assets? Sometimes those aren't the same as IT. If I lose my DC, for example, I don't have authentication. But if I lose this manufacturing device that doesn't use Active Directory for authentication, that can run without it, but it goes down, I lose millions of dollars a day. There's a major difference there. So this is where documentation becomes so key. If you're walking into an organization and you're brand new to it, the first questions you should be asking that organization are these types of questions. By the way, this is not "this is the exact way to do things"; these are just examples, hopefully that makes sense.

So with that being said, some other good questions to ask are: who are the key stakeholders in the organization? If I have an incident, who do I contact? Who are the important players? Do I have developers? From the management side of the fence, who do I need to contact? Who's going to talk to the news, heaven forbid, if they get involved or there's some level of leak to them, and now all of a sudden I have to have a public response? Who's going to do that inside of my organization? So those types of questions are really, really great things to do up front, and all it does is take time. It's not a cost; it's not "I have to go buy this tool set to do these things." Writing it down, understanding it.

Another great one is Active Directory. I can't lean into incident response enough. I walk into all kinds of different scenarios, and one of the things that I see quite often is stale user accounts. This isn't something I see in small organizations only, by the way; I see this in large enterprises, I see this in mid-market organizations, I see this in small ones, I see all kinds of different things. So review a couple of things: your AD accounts in general, are they being utilized? When was the last time they were used? Do I have any stale accounts out there? If so, start disabling them. Create an audit that you do once a month, once a week, once a quarter, whatever it is. I will say this: once a quarter sounds absurd, but if that's all you have time for, that's all you have time for, and that is much better than not doing it at all. Then also, with that in mind, your service accounts: the same thing applies. I see a lot of people will focus in on user accounts and forget service accounts. Maybe I have this HVAC system; I replace the HVAC system. It had a service account that had to do all these terrible things and had so much access; we forgot about it, we replaced it, we still have that service account out there, active, and it had to be enabled for SNMPv1 and all of these bad things that just make it super easy for some offensive security person to come in and just snag that and start running wild with it, or worse, a threat actor. Creating an onboarding and off-boarding process for your employees: again, these are things that are so simple, you just got to create the process and stick to it. Creating an onboarding and off-boarding process for service accounts. So creating these audits, making sure that you're checking in on them in a timely fashion, and then also staying on top of it, and any time somebody says, "I need a new service account, I need this user spun up," making sure that that happens in a timely fashion and having an onboarding and an off-boarding process for them.

So with that being said, we'll move on to least privilege access. Least privilege access is typically another one of those things that is just a time commitment. Thank you, by the way. So to get there, you're going to spend a lot of time in AD, more than likely; you're going to spend time in your file server restricting access to those files or folders, etc. So least privilege access is a huge piece that you can spend a lot of time in with minimal budget or cost.

Reviewing your DR/BC plan: do you have one? Step one: if you don't have one, create one. There's no time like the present. DR/BC plans are something that are so incredibly important to your organization; if it doesn't exist, it needs to, and it needs to right now. If it does exist, what you can do is ask all kinds of different questions around it. Start inserting some "ifs" into that statement: what happens if my building catches on fire, what do we do? What happens if water rains down from the ceiling from an HVAC system onto our servers? What happens if our server room floods? These are real scenarios. And those are a few physical examples. What happens if somebody gets my Veeam account, my Veeam service account? Maybe you use Veeam for backup; I hate to pick on vendors, but we see that happen a lot. What access will they have? What can they do? Can they delete your backups?

Do you have an incident response plan? I'm sure everybody knows this one, I'm sure everybody thinks about this one. If you don't have it, make it. Same thing, no better time than the present for this one. This should go hand in hand with your DR/BC plan. If you have it, update it. I've walked into many organizations that have an IRP and it hasn't been updated in three years; not a single key stakeholder that's on that document even exists in that organization. Update it, make sure you're staying on top of that. Just knowing who the contacts are in an incident is a serious leg up during an incident.

Golden images, anyone? This one kills me. Golden images during an incident: what we see as a huge time suck is re-imaging all of your machines. So you have a few options there, obviously, but something that you could just do today is create a golden image. You can get really creative with this and really specific to departments: you could have an HR golden image, you could have a developer golden image. The only requirements for this are time and space; all I need is a place to put these golden images. After that you can start asking bigger questions like: how are we going to mass deploy? What happens if everything gets encrypted by ransomware, how do I re-image all of my machines rapidly? Those are really great questions, but make those golden images. Again, time and space, that's all you need.

The next one is also very, very important: talk to your user base, get to know them. I hinted at this a little bit earlier in the talk, but this is very important. I already gave the PDF example about the HR team; that used to be my favorite. Understanding job responsibilities: how do they do their job? What applications do they use? What are their preferred browsers? These questions sound kind of absurd, and they become very useful later. You'll understand your network to a much further degree than what you ever would have before this ever happened. What do they do as part of their job? What should they never do as part of their job? Sometimes you won't get that directly from the end user, but you'll start to understand: here are the things that they do all the time, they work inside of these systems, they are a developer, they hit SQL, they hit this application server. Or maybe you have separate sets of developers that hit separate sets of applications and back-end databases. Okay, perfect, so you should never talk to our HR platform. Easy enough, but you wouldn't know that unless you understand their day-to-days.

Find a champion within your organization. This one's huge. It's a lesson that I've learned very much so, very recently. Having a champion inside of your organization, or having multiple champions: talking to people, getting out there, understanding your user base is awesome; take it to the next level by having champions. I have an HR department: find a champion in HR. I have an IT help desk inside of my organization: great, find a champion over there. And the reason these champions become so valuable is it gives you a place to start testing things. They feel like they're on your side, because they are on your side; they're helping you do your job and you're helping them do their job by making them more secure. So you start to create this really awesome system. So whenever you do that, finding champions throughout your organization, they'll be much more happy to help, especially whenever you're about to break everything in their day, right? Because, let's face it, that's what we do. Defining out all those questions and writing them down; did I say documentation is important yet? Because it is.

Yeah, another big one. I can't say how many times; I'd say maybe like 60 to 70 percent of the IRs that I've been a part of personally have been because of this one. LogMeIn remote was left on a machine, forgotten about. My organization implemented insert remote access tool, I won't get too specific, and it went up, it was never updated, seven years later it has an RCE because of the version that it was. You could brute force it until you found the password and you were in. That happened; they were a developer with DA access, and off to the races. Reviewing your installed applications: this kind of goes hand in hand with asset inventory, understanding your assets, understanding what is out there, running things to find out what applications are installed out there. So after I've talked to my user base, I should have a pretty good understanding of what applications they use a lot and what applications they probably don't ever use. You know, I probably have Wireshark on all of my machines; I shouldn't say that out loud. I probably have Wireshark on all of my machines. Have I used it in a while? Probably not; it's been a bit. I could probably remove that. Ask questions like that. Go to your laptop, look at the installed applications, and just ask: when was the last time I used this? Get rid of it; you don't need it, get rid of it. So you can ask all kinds of different questions around that.

Another really big thing that I see quite often is looking for IT tool sets. So I just did this mass deploy of insert whatever application, security tool set, whatever. I used PsExec, dude, it was awesome, and I created this specific folder with all my IT tool sets in it, and then a red teamer, a threat actor, comes in and they're like, oh hey, all my tools are deployed for me. Look for those tool sets out there. If you've deployed anything, think about that: what did I use to do it? Did I have a folder structure? Wipe that out. Have you had a recent penetration test or red team services engagement? Did they leave any tools behind? Because that happens. Look for those things. What happened after I had this red team engagement, did they leave any tool sets out there? You know, BloodHound is a really awesome tool that, if it's in your network, I could probably find some ways to escalate my privileges.

Firewalls: most people have firewalls today. I shouldn't say everyone does; not every network has a firewall. I really would like to say they do, but what do you have? If you're walking into an organization, you may not know that answer. How are you using it? A recent conversation I just had was: hey, we have all of these awesome, great next-gen firewalls in place, we have the highest levels of the highest levels, and all the things are quote-unquote turned on, but we receive threat intel from it and we're not reacting to it. Is that your organization today? Because it could be. Ask those types of questions: okay, yeah, we have the threat intel from the big next-gen firewall vendor, but are we doing anything with it? Are you using the application awareness features? Are you using all the feature sets? Are they implemented? Are they just in passive mode, are they in active mode, are they reacting to anything? Again, these are just things that you could go back to your organization and start implementing, potentially today.

Network segmentation: this one's always fun, I love this conversation, because some organizations you walk into and they're very upfront; they say, hey, you know what, flat network. Why? What is stopping you from putting VLANs in today? What's going to stop you from walking towards network segmentation? Some organizations it won't work for, or they're very small, and there are great use cases or scenarios where it's just not going to work, but most of the time you can walk towards network segmentation, and you mostly have things in place that could at least walk you there.

So the next one, if you know me, you know that this is a huge piece with me: OS hardening. I have up here quite a few things. I'm posting this out to GitHub today as well, so this whole talk will be out there, public. There are a lot of different features inside of an OS. If you're in Linux: deploying a minimal install, focusing in on the applications or packages that you have installed and making sure that (a) they're up to date and (b) you're only using what you need. In Windows, they've done a whole host of things in Windows 10, 11, 2016-plus, and that's kind of the focal point of what I have up here. ASR, attack surface reduction: its features, you just turn them on. They can break stuff; there are pros and cons to this. You don't need licensing for this, by the way; you can just enable it. You don't have to worry about E5 licensing or anything along those lines. You just have to understand what it is and how you're going to implement it. So ASR, great thing, does all kinds of stuff. There's an LSASS injectio