
Guys, we're going to go ahead and get started with our next talk. This is Dan Kman and Chris Patton; both came in from FishNet, and FishNet is one of our sponsors this year for Bite. So thank you for coming and sponsoring and also presenting. I'm really looking forward to this talk. So make sure you ask lots of questions. All right.

All right. Hey, good afternoon, guys. Thanks for showing up to our talk. Can everyone hear me? Yeah. Thumbs up. Right on. Okay. Well, so this is adversarial simulation testing: unconventional offensive breach techniques. So essentially, we're not going to be dropping 0-day or anything like that. We're basically going to talk through more offensive techniques that we run into.

So, just to go into the agenda. We're going to start with introductions; everyone has the obligatory introductions. Then we're going to go into a coffee break. We're going to go into an overview. Then we're going to have another coffee break. I know you guys had barbecue, so that's why I'm saying this. Breach simulation: why, what it is, how it compares to traditional testing. Case studies, and again another coffee break, another coffee break. And really the whole deal is: ask all the questions, have fun with the talk. We want to really hear experiences and things like that as well. So when we get towards the end and we're doing the Q&A, hopefully we have tons of time for Q&A; we definitely want to have an interactive conversation.

So without further ado, my name is Chris Patton. I'm actually the director for the advanced services group at FishNet. We primarily focus on adversarial testing, so you guys may have heard it as red teaming. We'll get into that here and there, but essentially we do blended assessments. So we leverage things like social engineering, physical security, and a lot of logical pen testing, those sorts of things. We blend all of these and we attack an organization, right? We don't attack individual things, assets, systems; we attack an organization. My background: I was in the military, I was Air Force. I moved to telecommunications, and I've been in the industry in various capacities for 20-plus years. I've been with FishNet for four and a half years, and I've primarily just been doing penetration testing, etc. And now we have this group, and Dan and I have been traveling around all over the place, probably for the last two years, performing offensive engagements like this.

Yeah, my name is Dan Kman. I'm a principal consultant with FishNet. I work for the team that Chris here leads. I've been with FishNet for about four years, and I've been consulting for about eight. Primarily focused on pen testing, but we've gotten more into these kinds of blended assessments. There's more demand for it, especially with some of the high-profile breaches that we're seeing more of recently. So that's kind of why we've developed a talk, I think, today, to focus on some of that.

Okay. So really, objectives. Let's define an adversarial simulation, aka breach assessment or breach simulation. We'll distill all of this out here momentarily. But that's what we want to do: we want to understand what the departure is from existing offensive testing and transition that over to these more involved breach assessments. Contrast traditional penetration testing and breach simulation: we'll talk about the pros and the cons, essentially why you would want to do it and why you wouldn't want to do it. Really, talk about organizational maturity. You've probably heard about the Capability Maturity Model. I'm not going to go much into that, but it really does feed into the overall reasons why we would want to perform a breach assessment. Expected outcomes: these are the things that the organization can actually learn from. So we definitely want to understand some of the items that come out of a breach assessment that are a little bit out of the norm from what we would typically receive as feedback from, say, a penetration test or something to that effect. And then really the roles in a security program: why we want to introduce this sort of testing overall into an organization's security program.

So let's talk about penetration tests. Organizations have a requirement to perform a penetration test. They have a requirement for a system, a host, a network. They have a new product that they want to pen test. So they bring in a vendor. The problem with the penetration test is that you hear things like: it should be comprehensive, and it should target all the things, all the services, all the operating systems, applications that exist on it, that sort of thing. It should only leverage one attack vector: so maybe you get in, and that's the only thing you concentrate on, what you can get after you make that initial breach. Or, once you make that initial compromise, it should leverage one or all of the attack vectors. Maybe they're more concerned about identifying all of the services and then seeing if there are vulnerabilities associated with all those services and then attacking those to see where they can get, right? It's more of a comprehensive approach.

The other thing that we get quite a bit is leaving the shields up or down: IDS, IPS, HIDS, HIPS, that sort of thing. And it depends on compliance functions. So say, for instance, you've got a PCI assessment. One of the big things is, to perform a PCI engagement, they want to bring the shields down and assess the underlying vulnerability so they get a true understanding of the underlying risk exposure. Or, if they leave them up, then at that point you're essentially testing the effectiveness of an IPS or a prevention system, a blocking system. But you don't necessarily know what the vulnerability exposure or the risk exposure is in case those first-line defenses fall over. Some want nothing more than domain admin, right? Get in there, get domain admin, show me impact. That's it. That's what the customer's concentrated on. Then others will say, we want it all. Don't leave until you hack the Gibson, right? We want to own everything. And so really what it comes down to is, depending on who you ask, they have a different definition of what a penetration test is, right? Some people think strongly about leaving the shields up: it's not a penetration test unless you're truly simulating what an attacker would have to do, how he would have to approach a network.

So this all leads to a common problem. We have an identity crisis, right? This guy knows how to be kind of awkward. So, with that, we have to ask ourselves: have we evolved? As organizations delivering the service and as customers receiving that service, we feel essentially that with the services that we provide, whether this is penetration testing, whether this is wireless engagements, basically adversarial services, there is this perception that we're providing something that the client wants, and at the same time the client is purchasing something that they think they need, right? But we still have these problems where we're kind of breeding assumption. As a vendor, we're breeding assumption. As a client, or as a customer, they have these assumptions as well. We market the material, they want that material, vice versa. But no one's really listening to what's going on in the industry, right? The things that are driving the industry would be breaches. So we have to evolve. We never give up, right? So we need to create something. What are we going to create? A breach simulation. This is what we want to address. We want to address all of those use cases out there, all of those scenarios where we've got various breaches going on in the industry, and we want to emulate those. That's "advanced persistent threat," to use that cliché, that buzzword. Oh, solid bingo. Yeah, exactly, buzzword bingo.

So let's define breach simulation real quick, and that'll kind of set the stage on what we're talking about. A breach simulation focuses on the item or items that are designated as critical soft or hard targets. A concept of chain composite attacks is used throughout the assessment. The CCA, or chain composite attack, provides a chronology of attack progression from initial unauthorized entry to final compromise. The events are demonstrated in a CCA, so the critical points of compromise are identified while they provide relevance about how each led to subsequent compromise. Okay, that's simply just a fancy way of saying, and we use this internally, the chain composite attack. What we want to do in a breach assessment or breach simulation is identify that first initial point of entry, and when we identify that first initial point of entry, we want to build those associative relationships. So if that first vulnerability leads to something else, we want to build that associative relationship all the way through the entire attack chain. And that's what we're going to demonstrate at the end, right? We don't necessarily care about the breadth approach, where we're identifying all of the points of entry. We're only focused on the most critical aspects of the organization, getting to the things that actually make the organization money, intellectual property, whatever it might be. And we want to build out that chain composite attack.

And the idea of the chain composite attack is interesting too, because when you do a traditional pentest, and those of you who are in consulting or have to write up reports know this, you have no context when you're writing up the report itself. So you may have an information disclosure flaw and you write it up based on what you think it's actually worth. However, when we perform a breach assessment and we're able to chain together all this information, we may find a piece of information very early on in an assessment where normally it would be a low-severity type of thing, and it turns out to be critical that it's exposed, because we're able to take that information, couple it with something else that we found, marry the two together, and then it suddenly becomes a critical finding on our network. Right? So it's essentially based in context. So if you have a standalone system that's not connected, it might be highly vulnerable, but if it's not connected to the rest of the network or it doesn't expose a lot of risk, then we're not necessarily going to rate it as a high severity. However, if we have another system that might have a lower-severity item, but it leads into maybe an exposed, highly confidential or highly secured environment, then at that point that severity can increase, right?

So this is a slide of HD Moore's Law. This essentially demonstrates where the skill is, where you want to focus, really how different organizations leverage their focus. So we're saying skills versus threat actors, right? Okay. And this is when you have, say for instance, on the far left, your auditor/assessor, right? It's a low skill. And that's no offense to any auditors or assessors, but that's kind of where we live in a compliance world. As we move towards the right, we start getting into penetration testing. You'll start to see this yellow line come down. And that's fine, because we're kind of siloed in a particular area. We're siloed in, say for instance, a system, a host, a particular network, and at that point we're performing a penetration test against those items. So at that point we're in a restricted kind of constraint. However, if we move towards the right, then that's where we live in a breach assessment. We take more of the organized crime syndicates, more of the espionage, so far right there, where we have to learn a lot of this information. We have to leverage a lot of the information that we learn. We have to assess a lot of the targets, but we still want to maintain covert operations throughout the entire engagement.

To help that out and to visualize this: if we have a traditional assessment, say for instance up in the upper left-hand corner, we'll call that a logical assessment, right? That could be a wireless assessment, that could be a vulnerability assessment, that could be a penetration test. Within that, that's kind of a siloed context, right? You're going to perform an assessment and you're going to exploit those vulnerabilities in a breadth approach, and you're not going to have much concern for all of the rest of those areas, those circles: those physical assessments, the OSINT recon, the social assessment, etc. Right? These are all performed in their own perspective, their own isolated silo. Now, when you get to the breach assessment, the breach assessment takes in pretty much all facets of those different disciplines. So we have bleed-over from a logical assessment, from a physical assessment, from a social assessment, and from OSINT and recon. And I've broken them out like that because that's typically what we run into. For logical, we run into things like penetration testing: we have system vulnerabilities, we have network vulnerabilities, we have wireless vulnerabilities, etc. Physical assessments: we have vulnerabilities that are associated with dwellings. Maybe security folks aren't manned 24 hours. Maybe they have ineffective entry points, egress points. Maybe they have ineffective badge provisioning systems. So we definitely leverage a lot of that information. And then social assessments are essentially the social engineering aspect. Maybe we need to make telephone pretexting calls in order to gain access. Maybe we need to send in a spear phish, something to that effect, in order to gain that initial entry point. And it's not just necessarily the initial entry point, but that could happen throughout the entire network chain, throughout the entire composite chain attack.

Now with the OSINT and recon, you hear a lot of folks talking about what that really means. So OSINT, reconnaissance, information gathering: essentially we're going out to the public domain. We're looking for all the things that we can leverage to target an organization, whether that's technologies that have been exposed, job resumes that are out there, anything that's in social media. We can build entire profiles based on a single person. I just did an engagement where I called into a financial organization. I built the entire profile based on just this one guy's social media presence, right? And when I called in there, I placed a phone pretext call and I was able to compromise the account three different ways. So it's those sorts of things that you're able to build and leverage. That's good information, but there's only that sliver in the middle that's useful, and that's your intel, your intelligence. That's actionable information, right? That's the stuff that we want to leverage, the stuff that we actually want to use in the breach simulation. That's what we're going to end up leveraging to actually gain access.

Okay, so this just puts side by side the traditional pentest and the breach simulation.
We don't necessarily have to run through all of these, but it just highlights the differences in approach, the differences between the two. So as Chris mentioned, the approach on a traditional pentest is a breadth-first approach, right? We're going to be comprehensive in nature. We're going to pretty much touch all in-scope systems, all the ports; we're going to test all the things, basically. Whereas a breach assessment is more targeted. It's a depth-first approach. We want to see how deep we can get. We don't care about testing every single host on the network. We care about the one that's going to get us access, right? And then beyond that, we care about the next step that's going to get us further access. We don't care about testing everything. Attack vectors, as Chris mentioned in that last slide: a traditional test is really logical only, whereas a breach assessment kind of marries all of those together. Let's see what other ones are probably worth mentioning. Severity measurement. Yeah, the severity measurement for traditional will use something like CVSS, right? Industry standard. Whereas a breach actually uses demonstrated risk. So, as I mentioned before, talking about an information disclosure flaw, without context it may be low severity, maybe a 3.0 CVSS score, but when we couple it with maybe, I don't know, a physical security flaw, maybe the two of those combined create a high-severity finding. Also worth mentioning, the tool sets we use are quite different. A traditional pentest is really just a laptop, and on a breach we have a number of tools beyond just that. And then one of the most important pieces, as we've kind of talked about already up to this point, is the context. A traditional pentest has no context, really. I mean, you're just testing. You don't know what's most important. You don't really care, because you're doing a comprehensive type of test. Whereas in a breach assessment the context does matter. Where you find that vulnerability does matter, especially if you can use it to pivot internally or couple it with another finding.

So, the other really important aspect of it is evasiveness. So with traditional pen testing or traditional techniques, you might run into those occasional smash-and-grab type situations, but for the most part the traditionals are overt in nature, right? Because you're more concerned about the overall vulnerable state of those subjects, those items that are subject to review. Whereas in breach assessments we want to remain anonymous, we want to maintain covert. And then the other really important part when we are executing these things, and that's for anyone who's doing red teams or is thinking about doing red teams, is compartmentalizing the folks that know in the organization. So you have to have executive sponsorship; that's critical. Otherwise the project's going to go sideways, and when it goes sideways it's going to be a really nasty thing. So you definitely want to have executive sponsorship, but you don't want all of your executives to know. You probably need critical people like maybe your physical building, your physical maintenance. If you're on a campus environment, you definitely want those folks to know, at least one person to know. Points of escalation. You need indemnification clauses, so essentially your get-out-of-jail-free letters, right? So it tells you what's in bounds, what's out of bounds, your backup contacts, who's going to be performing the engagement, etc. These are all kind of cover-your-ass sorts of things, but it's definitely lessons learned.

So, the next slide, really: why would we do a breach assessment? Because in 2014 there were 131 documented breaches, some of which we didn't necessarily hear about. And then some of them are obviously big targets, right? We've got Home Depot, JP Morgan, eBay, Michaels Stores. And throughout all of those, definitely lots of intellectual property, lots of credit cards disclosed, things that can impact brand defamation. Maybe there's not a monetary association around that, but if you try to quantify that, brand defamation is definitely going to bleed into that. So you can qualify those things and you can quantify those things. It just depends on how you truly look at it. One of the biggest ones was obviously Target, right? So there are quite a few lessons learned with that.

But all right, enough of my ranting. We're going to talk about some case studies. So this is really where the meat of it is. We've gone through three separate scenarios. The first scenario is associated with a financial organization. The second scenario is associated with a medical organization, and the third is with a large insurance company. So these are all big Fortune 100, Fortune 500, whatever companies. Yeah. And we put together case studies. We think they're maybe the best basis for studying the advantages of a breach assessment, because we can highlight a number of findings, and you'll see some repeats between the three different scenarios we lay out, but we can highlight some of the findings that your traditional pentest is definitely not going to find. And we can also highlight some of the points where, if you're not chaining together vulnerabilities, or if you don't think that processes you have in place are important, well, we can show you otherwise. These are the types of things that a breach assessment can highlight. Yep. It's not just cute, but they make for really good stories. You'll see. So the stories are very interesting.

Okay. So this is it. Before we actually get started, to set the context, we're just going to go through some tools of the trade. These aren't necessarily standardized tools that you would typically see on normal pentests or normal engagements. So we've got locksmithing tools. We have bump keys. So essentially we have lockpicks, bump keys, those sorts of things, and those are basically just leveraged to get past physical access, right? We run into situations where we need to bypass a door. This might be an external perimeter door, it might be an internal perimeter, or it might be an internal door. So we need that to actually gain initial access in order to get a logical foothold in the organization, to place, say for instance, a malicious device, right? So in that particular instance, we use things like that. That's a Pwn Plug, right? And it's running a full version of Linux with Metasploit on it. You've heard of Pwnie Express, right? It costs what, 400 bucks, 500 bucks, something like that. You can build your own. This costs 150 bucks, I think. Yeah, SheevaPlug, right? Yeah, it's a cheap plug. But yeah, it's sweet. So you just plug it into the network. It looks like a power device, whatever. Plug it into power, plug it into a network jack, and it establishes a back door connection. So we have it set up to establish a VPN connection back to our labs. Yep.

Cold boot software. Kon-Boot is one of those, and that's for once we actually do gain access, and this is physical access to the systems, right? What we want to do is establish that initial foothold, persistence, and get out of the building. If you stay in the building too long, you're going to get caught, right? So we just want to get in, get out. So with cold boot software, and Kon-Boot's a perfect example, we can actually boot into the BIOS, boot Kon-Boot, and Kon-Boot will actually rewrite or patch the authentication process, and at that point we can just log in as local admin without a password, right? And that allows us to drop a shell, drop whatever we need to do to establish a persistent connection. The other thing that we typically do is we have RFID badge cloners, emulators. Yeah, so this is just a kind of cool DIY Kickstarter project, the RFIDler. And that allows us to clone a vast majority of proximity cards. So if we find badges on employees, or if we find badges that are lying around, something to that effect, then we can clone those badges, recreate them, and then come back at a later time to actually be able to gain access to the building.
We talked about rogue devices. The other thing is that we kind of downsize, right? We try to carry as much power as we possibly can without having a big form factor. So we just use little Nexus 7s that are running Kali NetHunter. It allows us pretty much a full-blown version of Linux. We can drop into a shell. We can pretty much do anything that we need to do. We have micro USB connectors that allow us Ethernet access, that sort of thing. That way we're not lugging around MacBooks, we're not lugging around a bunch of extra gear.

And then other things that we end up doing: phone spoofing. We run Asterisk PBXes so we can actually spoof and impersonate the help desk, or maybe we can impersonate vendors, etc., that might have a relationship with the organization that we're attacking. So this might lead to an initial foothold, or it might lead to an additional foothold once we're actually within the organization, once we have a little bit of persistence.

And then finally, and I think this is one of the most important parts, is just having skills in general, but software development skills. If you hire a vendor and they come in and they're like, "Okay, we're just going to run Metasploit on you," or something to that effect, to try to get an outbound shell, and you expect that to work and you're pacified with that answer, that's fine. But in our experience, if you're able to code and able to develop your own C2 connections back to your command and control servers, then you have a much better probability of extracting and actually exfiltrating data, in addition to establishing persistent connectivity.

And one of the things that I didn't include in the tools of the trade is that we've leveraged a lot of cloud-based VPS services. So for our C2 server implementation, a lot of times when we're trying to send shells or send connections once we've compromised an organization, we'll send the shells out to these cloud-based organizations. That way we can, one, stand up multiple C2 servers; in the event that one does get compromised, we can move them to a different region. So I think we pick on DigitalOcean a lot, right? But with DigitalOcean, customers can block our IPs left and right, and we'll just switch instances, right? I mean, it's a cat-and-mouse game. Yeah. So that way, if we have an IP address on a VPS that's in San Francisco, okay, well, they blocked us, so we just bounce over to, say for instance, Amsterdam, or over to Germany. They just turned up a new hosting facility in Germany. So now we can bounce all over the place. And the nice thing is that we can clone our VPS image and just move it over. We just transition it and bring it right back up, and we're back in business. We just shovel our connection over to the new IP address and we're good to go. And they have a nice API, too. So eventually, we're working on it, but eventually we should be able to do that probably from an app or something on our smartphone. So if we're physically on site and we have trouble getting back to our current instance, we can spin up another one based on just client-side calls that we have.

And you forgot to mention also one tool of the trade that has only been used once on an engagement: a grappling hook. But it's worth mentioning, even if we've only used it once. $25 at an army surplus store. Best $25 I've ever spent. I got that call. That was a great call. Like, "Hey, we need a grappling hook." And I was like, "What the hell?" "We need a grappling hook." It was a legitimate attack vector. And it worked. Yep. Okay. So we'll go into the scenario real quick for the grappling hook. The first-floor doors were locked, but on the second floor, they left the doors unlocked, right? And there was kind of this balcony area. Grab right. Well, and the weird thing about it, so the second floor, yeah, I mean, they had picnic tables and stuff. There was no way up there from the outside of the building, but you could see the doors from ground level, basically. And they actually had a deadbolt lock, but it was on the outside. It was visible on the outside. Like, why can you unlock it from the outside? And there was no card reader or anything. So we could have just gotten a ladder. We could have rented a ladder. But the guy I was working with wanted to get a VW Bug for a rental car. So I don't think we could haul a ladder around on a VW Bug. Did you fire it with a crossbow?
No. No. I've never threw one. I was scared as hell. I was scared as hell throwing that thing out there, but I tell you what, the first throw it was perfect. It was perfect, but I couldn't do it again. All right, so uh this is honor honorable mention because I didn't feel like dealing with TSA. Um they wouldn't know what that is and I'm just like, whatever. So, uh I don't know there is the um who's the company that uh that originally did this? Um they changed their name. Yeah, Bishop Fox. There we go. Uh, so they originally built this. So, uh, it's it's basically it's it's a HID hid badge reader, right? Uh, it's one of the big ones. Uh, so the
ones that are like out in parking lots or whatever. Uh, so Bishop Fox originally built this thing. Um, it allows it allows people to come by, you know, like unsuspecting victims to come by, swipe their proximity badge, uh, and then it reads the information off the proximity badge so you can clone it at a later date, right? So you can either take the take the information, rebuild it, uh replay it onto uh another um Yeah. So you can replay it onto one of these. Um so this is a T55X7 uh format, um which is a universal format. The other format is Q5. Uh Q5 is primarily found in the UK. Um but they're kind of moving away from that.
So this is pretty much primary primarily the format. Um, so this uh this HID reader, uh, you can basically just place it up against the wall. Uh, maybe use rare earth magnets or something like that to place on a pole. Uh, put it out there and, uh, as as cars are coming in, they're swiping their badges, you just go and grab it later. And, uh, and then you have the information uh, to dump it, you know, dump it elsewhere and actually recreate the cards. So, we built we built one of these um, but we went a step further um, and we added more power. So, it's got a range of, I don't know, a little over
two uh maybe two and a half feet, something like that, uh to uh to be able to pick those up. So, you can actually plant it against the wall and as people are walking through on a hallway, uh you can pick uh pick up badge uh you know, badges, that sort of thing. Uh it has Bluetooth, so you can uh exfiltrate the uh badge uh data out via Bluetooth. Um, so it's just got some uh it's just got some ideas there to uh kind of help us not necessarily again the whole idea is not be around while the attacks are actually happening uh or whatever try to remain uh completely covert and if these kind of outofband measures are will
facilitate that, then by all means that's what we want to bake into these tools. Yeah.

So let's walk through some of the cases that Chris was talking about. This first one is a financial institution. They have a lot of existing security practices in place, all of which are listed up there. It's all pretty standard. Really, with the breach assessments, when we go about selling these to customers, most customers who think they need a breach assessment aren't ready for one. They have to have mature security practices in place. They have to be doing regular pentests, things like that. So I think you'll find that all the cases we have listed here have pretty good existing security processes. Things like DDIs, they have decent practices for using tiered accounts, endpoint security, which is pretty standard and pretty useless anyway, but, yeah. Okay. And then on this particular one we saw randomly generated domain admin passwords, right? Yeah, that was for the tier... No, sorry, this is old. This isn't for the financial institution. Some of these listed here are old data. Ignore the HIPAA thing. This was for a different example that we had up here, but that's good. Excellent, restart.

So the initial composite chain attack vector: essentially, we gained access into the organization through the building, through the actual dwelling, through an egress door. We made our way into what was kind of this protected, huge skyscraper-type building, made our way into the organization. Once we were in there, they had pretty much all of the defenses that you'd expect: turnstiles, badge access to doors, etc. But again, that all fails when you actually social engineer your way into the organization. Once you social engineer your way in, you're in there, right? You're in there and ready to do the thing that you intended to. So along those lines, while we were in, performing, kind of just going through and evaluating all of the different security controls, basically the entire environment, one of the things we ended up doing was an inventory. So we walked through multiple buildings, or not multiple buildings, multiple floors; we social engineered our way onto those floors. And we went through with an inventory checklist. Essentially what we were doing was trying to figure out how we were going to, one, get some kind of persistent access, because while we were going through performing the logical perimeter review, we weren't getting a whole lot of leverage by doing that.

So as we're walking through performing this inventory and impersonating employees of the organization, we identified that a woman had left a badge unprotected. And this is something that we see, right? So she had left her badge unprotected on the desk. And in that particular instance, we just took that badge, right? She was away from her desk. It wasn't protected on her person. And there were a couple of things that we were trying to evaluate there. The first was we definitely wanted to have a useful badge that we could come in with after hours, maybe in the early morning hours, like 2 a.m. or something like that. The other thing that we wanted to understand is: would they decommission a badge if it was reported, and would they be looking for any kind of event monitoring or alerting that would be associated with a badge that was reported missing? Right. So later on that evening, just to fast track, we left because we had this. We came back, and at that point I believe Dan was watching from a great distance, where I went up to the door and swiped the badge to see if we'd regain entry, to see if it would invoke any security response, incident response. The appropriate protocol would be: yes, we decommission the badge, but we're checking for those badges, and security personnel should show up. Security personnel didn't show up. So at that point we knew we have an entry, right?

So at that point we gained access into the organization, went through all of the offices. We had access everywhere. We primarily went to one of the floors that we originally obtained the badge from. As we were reviewing, another common mistake surfaced. This particular organization had locked down VDI systems, right? They had locked down basically Citrix virtualized desktop systems. So it was very difficult to potentially break out of those. But it's not difficult to break out of Citrix. Don't get me wrong, that's very easy. But they had written down a username and a password. So at that point we had a working username and password; we checked it while we were on there. But because they were using VDI, if we shelled that box out, as soon as we logged off the box, then we lost that shell. We didn't have privileged access. It was an unprivileged account. So we kind of rolled in this blended attack scenario. So this is a chain composite attack thing. We have the actual domain credentials now. But you've got to tell how we got the domain credentials. So we were in after hours, right? And we actually found the credentials written on a sticky note in someone's office. Yeah. Did you say that? Yeah. So that's how we found them.

So at that point, I think I had to catch a plane or something like that the next day. It was a Friday. It was like Friday afternoon. Yeah. So I was going to the airport. Dan fires up, uses those credentials, pops onto the Outlook Web Access with that, puts together a malicious payload, sends it off to the help desk and immediately calls them up and says, "Hey, I'm having difficulty opening up this document." Apparently he convinces the help desk employee to open the document. It's got a malicious VBS script in the back that's loaded, that's going to execute and fire back to our C2 server. After some convincing, he gets him to execute it. We have access outbound. And the help desk employee, like many help desk employees, is not necessarily running the VDI system. He's running a standalone workstation. And it's also running... what was it running? As domain admin? No, they had tiered accounts: one for non-privileged, everyday use, and then one for more privileged access. So the domain admins have a regular AD account plus one just for their privileged activities. The problem that we see more often than not is that it's pretty convenient to just reuse the same password for both accounts. And that's what happened. Okay. So now we have shell on the administrator box. So that's our first chain, right? That's our initial chain vector. So now we're chaining the chain composite attack. All right. So now, because we have access to that box and we have some level of access, we need to establish persistence. So at that point, do you want to
talk about how you got the... Yeah. So after we got domain admin access, we just accessed a domain controller, and interestingly their domain controllers and servers were allowed to talk outbound, which, you know, there's really no reason that your server should need to talk out over the internet. So what we did is we established, basically we used Windows scheduled tasks and set up basically a Meterpreter reverse shell to run, what was it, like eight times a day across three different domain controllers, something like that. So we just kept getting shells in, which is an awful thing to do. Don't do that. But at the same time, it does test to see if they're looking for anything that's actually egress and leaving the network. Typically, on servers you would schedule tasks much less. You might schedule a task every few days, something to that effect; if it's a workstation, much more. You want to make sure that workstation traffic is a lot more frequent, especially making outbound connections elsewhere. So they're not necessarily looking at workstation outbound egress traffic as much as they would be on a server. So at that point we have persistence, and that's why we say patience is a virtue, because we're just going to sit on these.

The next slide is basically chaining the chain of the chain composite attack. So this is basically taking our initial point to establishing our persistence outbound through a critical system, and now we're going to take it to kind of the final stage, where we need to identify individuals that are critical. We need to understand folks that are maybe associated with building physical security. We need to understand folks that have access to... in this particular instance it's a financial organization, right? We need to understand how they move, how they do transactions, etc., out of the organization. So we need to figure out those critical individuals. We don't necessarily care about all of the ancillary risk associated with other things that are in the environment; we only care about those specific items. So we patch up the network share login script, and that way when they log in, they're using a mounted login script. So when they log in, it drops a flat file, and it gives the actual physical machine. We have access to the network share, so we can pick up the actual physical machine. We know their username, their account name. Now we can redirect all of our activity, our attention, towards those critical systems, right? Those systems that, if we need further building access, say for instance it's an entire campus environment but we only have access to one building, now we can target those particular folks that do badge procurement, that sort of thing. So we do that. We locate building facilities. We locate the user systems of great importance, pretty much. And now at this point, if we've identified all of those, we've obtained really the people that know about transfers, people that have this tribal knowledge within the organization that we only have a few days, maybe a few weeks, maybe a month, etc., to understand. So we just kind of pause at that point. We stay quiet. We go dormant, and we research absolutely everything that we can. And that's kind of critical; that takes the longest part of the engagement. It's usually just trying to find the needle in the haystack. Yeah, that's not sexy. But I mean, that is fundamentally what I think overall assessing is. It's basically just researching, reviewing and understanding your target. Understand what you're going after, right?

And in this particular instance, what we're going after is an infrastructure. We want to know how those systems interact. We want to know how we can exfiltrate money out of the organization. So with that, we identify the mainframes that basically all the FDIC transactions go through, etc. We identify the software that interacts with those mainframes. And in order not to really, truly exfiltrate that data, that's the point where we pause, we stop, and we get a hold of the project sponsor and we say, "Hey, we're on your mainframe. We have access to your stuff, right? Set up a shell account for us." So that's what they do. They set up a shell account, they fund that shell account, and we demonstrate at that point that we can move money outside of their organization. And that's good enough. That's enough to show impact. So that's kind of where that entire... how long did this last? About two months, something like that. So it's about two months' worth of work to perform this sort of attack, but it demonstrates that your typical penetration test or typical traditional test isn't going to necessarily identify that sequence of events that's going to lead up to such a great impact. Right?
That's the stuff that's actually going to kill a business. You disclose your account, your financial data, you bleed money out of your organization, and you don't detect that. That's detrimental to an organization. So at that point, we kind of talked to the project sponsor, and overall the outcome is that we want to help the organization protect those critical assets, those critical processes, and prevent that from happening. All the rest of the ancillary vulnerabilities, the other things that we don't necessarily concern ourselves with during a breach assessment or breach simulation, that maybe occurred during a penetration test, those are kind of off to the wayside, because those might just be another point of entry to get to the same destination that we got to. So we want to help the client protect that most critical process, most critical piece of data.

Lessons learned on that were that incident response was inadequate. They did detect our presence on the network at one point. This was when we were physically on site and we plugged a laptop into their network. This was after we stole the badge. We went back on site at like 2 a.m., plugged a laptop in, ran a few port scans to see what was there or whatever. They detected the laptop. It was an unauthorized device on their network. They dispatched somebody, but they dispatched somebody from the information security team who lived 45 minutes away. So why would they dispatch someone who lives 45 minutes away? Why would they dispatch an infosec person when it probably should be someone trained to deal with a hostile individual, depending on who it is? So things like that, your pentest isn't going to find that, right? That's a process thing. Yep.

Ineffective egress controls. Why are your critical servers talking outbound? You have domain controllers, you've got databases. Why are they allowed to talk outbound? There's no reason for that. So yeah, that was interesting. Password reuse between tiered accounts. There was no identity and access management; there really wasn't any protection or prevention against someone taking a lower-privileged account to a higher-privileged account and reusing that password. Single-factor auth on both the Outlook Web Access and on bank applications. Again, one of the first things that we do is try to compromise the actual email systems, right, because email systems are critical intelligence; it's critical surveillance on what we're going through as we're moving throughout the entire attack sequence. We want to understand what they've detected. We want to understand if they've dispatched something to mitigate our attack whatsoever, to maybe block us, to notify, whatever. We don't care. We'll hack the IM, the instant messaging systems. We'll hack the email. If you protect it with a simple username and password, we're going to get the password. We're going to basically just squat on those systems and intercept traffic. We're going to identify. Again, that's the real reason why we target building physical security, because we want to understand that. It's the reason why we target infosec folks, because we understand what they're doing. It's the reason why we target information technology groups, because we understand that as well, as well as all the rest of the folks that have that intrinsic knowledge.

Guard stations, physical badges unsecured. So these guys leave at a certain time of night and they just leave it all. You've heard of a clean desk policy. Some of these guys don't believe in that. So they just leave everything kind of laying out, or they'll take all the badges and throw them in a drawer and they won't lock them, right? They'll just leave them, or they'll put them in some kind of minimal security enclosure, right, that we can get to quite easily, right? And it's just kind of out there in the open. Yeah. What he didn't say is we also stole, what, 20 vendor badges straight out of the security guard desk one night. Yeah. So, and then we have the inadequate social engineering challenge and we have weak password policies. The inadequate social engineering challenge thing, that's kind of hard to protect against, right? It's difficult to mitigate that. But the weak password policy: if you've got weak passwords, that's kind of first defense, right? You need to employ something that's complex and preferably some kind of multifactor authentication. We're running out of time, so three. You have plenty of time. How much time have we got? 20 minutes. Yeah, let's just do three. You want to hold up? Oh, yeah. That's good. Okay.

So we'll jump into this case. Similar, along the same lines, we'll just run through the whole attack scenario. So this was a large insurance company. Again, they had
very good existing security policies, including authenticated outbound proxy, network segmentation. Most of this is pretty standard, but they actually had really good egress controls, where none of their servers were allowed to talk outbound, so they were actually doing that, right? And they also had very good physical security. We'll get into some of this, but they had turnstiles pretty much at every egress point in the building, even getting in and out of elevators. I mean, every floor had turnstiles. So if you didn't have a badge, then you probably weren't going to be able to tailgate in or anything like that. Let's see. So we kind of knew about their physical security before we set foot on site. So while we were doing some of the remote testing, the question kind of loomed as we were planning our on-site portion of it: how are we actually going to get in physically? When we do these engagements, there's almost always an on-site and a remote component, right? And so to fully test an organization, we feel like we have to have a legitimate attack vector in both. So that was kind of the question: when we go on site, are we even going to be able to do anything?

So we weren't sure. So we actually attempted three different spear phishing campaigns initially. It netted us two sets of domain creds, but they detected us fairly quickly. With the domain creds, we got access to the Citrix environment externally, which was using single-factor auth. But they detected it quickly. They killed our sessions, and they actually forced the people to change their passwords. But what this actually told us is it disclosed their password policy, and it was weak. It was like six characters, something like that. So what we were able to do is take that idea and tune a password guessing attack against one of their authentication portals based on a six-character password policy. And so, a common pattern is to use the month followed by the year. So in this case it was like Jan2015, I think we chose, and we just ran it across a number of different users. It also disclosed their user account naming system. So they didn't use first initial, last name. They used a predictable, semi-predictable template. It was kind of alphanumeric. It was incremental, so you could kind of iterate through them and try to guess. So we just ran a password guessing campaign using that password, and it got us, I don't know, six, 10 different hits. So we were back in, and this time, since we didn't have to do a spear phish attack, they didn't detect us. So we had access to Citrix. We broke out of Citrix. And from there we noted that one of the credentials that we had pulled, one of the groups that it belonged to in Active Directory was listed as like machinename_admin. So we're like, hey, this guy's an admin on that box. So we authenticate as that user to that box. And sure enough, he was a local admin. So we get SYSTEM, we dump the hashes using Mimikatz, if you guys have used that. So we dump the creds, and on there was domain admin. So just like that, we have domain admin. Let's see. Yeah. So next slide.

Okay, but like I said, they had really good egress control. So we had to pretty much tunnel all of our traffic through the Citrix box. Expanding the network presence was a little bit challenging for that reason. So we couldn't really bounce around like we normally could, because we couldn't establish remote reverse connections. But what we were able to do, through that access, is actually browse network shares as domain admin. We bounced around and expanded our presence, pulled other domain admin passwords and things like that, just so we had a better foothold on the network. And we did things like, from network shares, and this is pretty common, we just looked at an HR payroll network share, and we pulled files that had all their employees' pay information, social security numbers, things like that. Pulled customer details. We didn't really know what most of it meant, quite honestly, because it was insurance, and, you know, insurance. But it looked like it was sensitive in nature.

And so, most importantly, we spent a good deal of our time actually focusing on recon. So we started targeting the actual facilities folks. From the network shares we identified the name of their badge provisioning software as well as their security camera software. We got access to their security cameras remotely. So this is how we knew about their physical security presence before we set foot on site. So we're looking at cameras in their lobby, and we're noting all the turnstiles everywhere. We noted that they had a 24-hour guard presence, right? So we weren't going to get in after hours and walk right past the guard desk. There was nobody there but the guard. We weren't going to sneak by. So that's how we kind of wondered. So we spent a good deal of time actually focusing specifically on weaknesses, or how we could actually provision our own badge. So one of the big things that we ended up doing was, I talked about gaining access to webmail, right? Once we identified that there was a physical security person and we understood which system he lived on, we also gained access to the webmail and then spent a good amount of time rifling through and just reading absolutely everything, doing targeted searches. So we knew that they did badge provisioning, but we wanted to understand specifically what that meant. So we got the reader types, we got the badge types, we got the provisioning details for the badge. We knew that they had a certain facility ID code associated with the badge. We knew that they paid extra money to HID to get encryption keys. We had a wealth of knowledge that we could leverage going into all of this, and we didn't actually have the equipment to create our own badge for this specific type they were using. So we were kind of screwed in that nature. So we're like, dang, we can't create our own. So what's the alternative?

So we actually gained access to the badging software remotely before we set foot on site, as their facilities manager. The problem is once we actually got on site. So our plan was, we have access to this badging software. What we'll do is take an existing card that we had that was kind of the same type. We'll go scan it, or whatever, and just capture it in the system. We could go look at the logs in the software and then basically add it as an authorized card. That was kind of our level of thinking. There were some limitations to that, where we wouldn't be able to get access to all the floors that we wanted to, because you could only add a certain number of card types per floor. So we didn't know if that was the route we necessarily wanted to go. So we had access, we went on site, and we're like, all right, well, at least we have kind of a foothold. We have an idea of something that we can do. The problem is when we got on site,
we no longer had access to this this user's account, this the facilities manager. He changed his password. There were a couple of coincidental things that we we could no longer get his password through the same means that that we had. So we went to the domain controller and we uh performed a shadow copy of the ent. file, tried to extract it. problem is extracting it while tunneling everything through the Citrix server was incredibly slow. Um it failed multiple times. So I mean we were kind of you know out of luck um doing that remotely. Now we found a different weakness that normally you wouldn't think is necessarily a big deal but their wireless signal bleed was
incredible. I mean I'm we're talking like two blocks away from the facility you had full wireless strength to their their corporate network. So, we went and sat at a Starbucks one night and downloaded the file in 10 minutes time. You know, like as Starbucks was closing, we downloaded the file. Then, you know, we uh we used the entd.get file, cracked the passwords, got the guy's password back, got access back to the badging software. Um, so again, you know, we we exploited like the wireless signal bleed, something you wouldn't normally consider as a big deal, uh, to to kind of gain access. Um, also while we were doing info, um, uh, while we were digging around their network shares and
and their email, we actually found documents about their processes for issuing badges to employees who had left them at home. The interesting thing is, they required three pieces of information. So an employee shows up to work: "Yeah, I left my badge at home, issue me a temporary badge." They required the employee's name, their network ID, and they validated a picture in the software, which we had access to. They validated that picture against the person standing in front of them. So, you know where I'm going with this? What we did: two o'clock in the morning, and the picture of him is fantastic. He looks like hell. We had just got back from a whiskey or something; we were out drinking before that. So it's two o'clock in the morning and we thought it was a good idea to take this picture. "Oh yeah, you look professional. It's like your first day of work there." So we take this picture, and we had actually figured out where they store all the employee photos. We just randomly picked out an employee and said, "All right, you're going to be this guy for the day." We put his photo in there, validated that it was his picture when he pulled up, and said, "Okay, you're just going to walk in, tell the guard you're this guy, and see if they'll issue you a temporary badge." Once he gets a temporary working badge, it's game over. We have access to the software and we can grant it god rights to the entire building, right? Just to make it more fun, I sat at the Starbucks next door because of the wireless signal. Oh yeah. So part of the process when they issue... Well, let's talk about the reason why we had to get the badge real quick.

The facility code on the badge was proprietary. We couldn't recreate the actual iCLASS badges that they were using, and because it was a multi-tenant building, the readers they were using could be provisioned with up to eight individual facility ID codes, and after that you couldn't provision anything else. So you actually had to have one of their valid badges, or clone a valid badge with a valid facility code. Now, because they were all maxed out, if we dropped one of the facility codes associated with an individual reader, that means we're essentially performing a denial of service on that tenant. No one's going to be able to get into the building that way, so that's definitely going to set off alarms. Yeah. So that's the reason why we needed an actual badge, an actual iCLASS badge with a facility code. And we also noted from the provisioning documents we were looking at that part of the process is, when an employee is issued a temporary badge, they disable the employee's previous badge, right? So his badge won't work until he returns the temporary badge, and then they re-enable it. It's just so he only has one working badge at any given time. And they also add a note in there saying that this employee was issued this
temporary badge, blah blah blah. So anyway, he walks up to the guard and tells him that he left his badge at home. We made sure that we did this first thing in the morning, before the real employee got in. We didn't want to raise any alarms that this employee is in the building trying to swipe and he just can't get anywhere, because his badge is temporarily disabled. So, first thing in the morning, 7:30 or whatever, he walks in and explains to the guard that he left his badge at home. Sure enough, he gives the fake name and the LAN ID account that we knew, and then they validate the picture again, the picture that he looks like hell in.

Yeah, so if I may. This is kind of the social engineering aspect of it, right? When we took the picture, I looked like hell. I've got a full beard, I've got 2 a.m. bags under my eyes, I haven't showered in two days. Then when I walk in, I'm dressed in really nice business attire, clean shaven. It gives the impression that a lot of time has elapsed, right? So that was back when I first started, years ago, back when I was a bum and got my first job out of wherever. And now at this point, I'm an actual respectable person working at an insurance company. So it was very believable.

So he gets issued a temporary badge. It worked out flawlessly. He's in there for all of a minute, gets the temporary working badge, and walks out of the building. He comes over to Starbucks before I even have a chance to open up my laptop. I'm like, "You're back already?" He's like, "Yeah, they got me the badge." So I'm working frantically, trying to re-enable this other guy's badge before he gets in. I get the badge re-enabled, and then he's like, "All right, well, I'm going to go test it out." So I re-enable the other guy's badge and remove all the history, the note that was added in there. So there's really no record that the second badge was actually issued to this guy, and he just walks into the building, authenticates at the turnstile, hops on the elevator, goes up to the point of contact's floor and walks around.

So at that point it was a weakness in their process. How do you validate an employee who left his wallet at home? He can't show you government ID because he left his wallet at home. Well, they need to think of a different validation means: somebody has to look at you, come down and escort you, or something like that. And the moral of the story is, it's that easy. It's just that easy.

Okay. Oh yeah, so this is just kind of the review, some of the findings that we have. We're running out of time, so we won't go over
these, but we talked about these, and some of these are repeats from the other scenario we talked about. You'll see the common thread is really single-factor auth. We see that as one of the most damning issues. So that kind of leads to the next slide. We compiled a list of the most serious flaws that we actually see, and if you could fix one thing in your organization, if you could dedicate money to one thing, I would probably push for two-factor authentication everywhere. Realistically that's not going to happen, but you know what I'm saying. And improper egress controls on servers, outbound. Those two things alone, I think, would make our jobs a hell of a lot harder. And in spending money, a lot of times for organizations, you don't have unlimited amounts of money, right? So you just try to spend enough money that you can delay an attacker long enough that you can detect it. That's kind of the goal. That should be a realistic goal.
Okay, so reasons for a lot of these vulnerabilities. We'll just shoot through these real quick. Mergers and acquisitions: people lose track of what they truly have in their environment. Through a merger and acquisition they attain a whole lot of different assets and resources, and they don't have a good inventory, so it introduces vulnerabilities. Ineffective asset management: they just don't know what they don't know. They don't perform an asset inventory throughout the entire organization. They have outliers; they don't know that they have servers controlling a sprinkler system elsewhere that's actually still connected to the network, and it just introduced a vulnerability. Employee turnover: that can definitely happen. You don't maintain that continuity when you have a dedicated employee and that employee leaves. You lose that tribal knowledge that employee once had. Disparate change management processes: you might have good change management on your Windows systems, but not on your *nix environment, your network elements, your switches, your routers, your DLP devices. Well, it doesn't matter; you have all of these ancillary devices out there. What Dan was just talking about, inadequate budget. You just don't have the budget. You might not have the C-level support, the support from the board of directors, to allocate funds for upgrading security. That's another big thing, no executive support. You can't get anything done if your team doesn't support you. So if you're trying to make a big purchase, trying to mitigate risk, and you don't have the necessary means, you're kind of out of luck. Lack of trained, skilled infosec pros; we know that is definitely a problem in the industry. You can't get enough skilled resources that are not only skilled and can talk technical but can also bridge that gap and have adequate business acumen to talk to numerous target audiences. And if it's not a priority, that's going to be a problem. So I just hope that you lawyer up and get lots of errors and omissions insurance, because that's going to be a problem later on down the road.

And I think one of the big things, and this is kind of to evangelize what a security vendor does in that entire relationship, is to use it as a vehicle to help obtain your agenda. Right? So if you need more funds, leverage your security vendor to direct their attention towards those things that are critical and that impact the organization. Help them help you build a case so you can go back and get the necessary funding. Yeah. A lot of times we actually get requests. The issues that maybe we wouldn't call out specifically or make that big of a deal of, the customers will ask us, "Well, can you highlight that? We've been pushing for
funding for that. Can you highlight it?" Yep. We have no problem doing that. It helps. Most bang for the buck. That's effective. Yep. Can't hide anywhere. And this is kind of just reiterating that, I think. So yeah, some of the most critical things that you could probably put in your environment that would make our jobs harder: multifactor authentication; authenticated outbound proxies; egress controls, that is, identifying your critical servers that shouldn't be talking outbound; securing your BIOS; NAC to prevent devices from connecting to the LAN and Wi-Fi, which would prevent us from gaining passwords and going to Starbucks and authenticating and being able to compromise your network; monitoring, alerting and auditing of badge provisioning. That's another big thing, obviously, because at that point, when we deactivate an employee's badge, when we reactivate, when we reprovision, when we change privilege levels associated with a badge, all of those sorts of things should trigger events, and those should be investigated. And then critical file integrity checking for some of your most important resources, say for instance on servers. So if you know that you've got transaction software that maybe moves money into another batch process or something like that, you definitely want to implement integrity monitoring, because if someone comes in there and changes it, changes the hash, the overall signature of that file, you want to be able to flag on something like that, right?

All right, we were going to have questions. We're almost out of time. I don't know if we have... Yep. So that's it. That's Q&A. Open it up. Okay. Any questions, comments?

Yeah. So, when you said the wireless, was that wireless protected, or was there any password for the wireless? Yeah, they were using PEAP. Yeah, it was PEAP, but we had domain creds. I mean, at that point, they just weren't doing any kind of client validation, right?
Anyone else? Sweet. All right, cool. Thanks. [Applause]