Be afraid. Be very afraid. Vulnerabilities in your web applications and networks are like leaving your door unlocked at night. Look out: chances are you have some right now, lurking in the shadows. Join me for this spooky Halloween-themed discussion where I share scary stories from the trenches. These horrific events truly happened! "Whatever you do, don't fall asleep!"
4. THREAT HUNTING AND RESPONSE | SECURITY CONSULTING
Sessions That Just Won’t Die
ZOMBIE SESSIONS
» Types and Examples
  • Long Timeouts
    • Red Team / Blue Team Example
    • O365 Phishing Example
      - Add Session Termination to IR Plan (CIRP)
  • No Timeout
    • AppSec Examples
  • Broken Logout Functionality
    • AppSec Examples
» Don’t Get Bit! (Risk)
  • Takeover Users (Session Hijacking)
» “Double Tap” (Solution)
  • Idle Timeout
    • 2-5 Min for High Value Apps
    • 13-30 Min for Low Risk Apps
  • Absolute Timeout
  • Renewal Timeout
  • Manual Expiration
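The "Double Tap" slide lists four controls that together stop a session from living forever. The following is an added example (not code from the talk) of a server-side session store that applies all four: an idle timeout, an absolute timeout, periodic renewal of the session ID, and manual expiration, including an IR-plan hook that terminates every session of a compromised account. The timeout values, the `SessionStore` API and the injectable clock are assumptions made for the demo.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed values in the spirit of the slide: a short idle timeout for a
# high-value app, a hard absolute cap, and periodic ID renewal on top.
IDLE_TIMEOUT = 5 * 60        # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime cap, activity or not
RENEWAL_INTERVAL = 30 * 60   # rotate the session ID this often while in use


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    last_renewed: float
    revoked: bool = False


class SessionStore:
    """Server-side session store enforcing idle, absolute and renewal timeouts
    plus manual expiration. The clock is injectable (assumption: wall-clock
    seconds) so the lifecycle can be exercised without sleeping."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 bytes from the OS CSPRNG; guessable IDs are the "weak entropy" failure.
        return secrets.token_urlsafe(32)

    def create(self, user: str) -> str:
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user, now, now, now)
        return sid

    def validate(self, sid: str) -> Tuple[Optional[str], str]:
        """Check a presented session ID. Returns (id_to_keep_using, status) where
        status is one of: ok, renewed, idle_timeout, absolute_timeout, revoked,
        unknown. A None ID means the caller must treat the user as logged out."""
        s = self._sessions.get(sid)
        if s is None:
            return None, "unknown"
        now = self._clock()
        if s.revoked:
            del self._sessions[sid]
            return None, "revoked"
        # Absolute is checked first: a hijacked session kept "alive" by steady
        # activity still expires.
        if now - s.created_at > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None, "absolute_timeout"
        if now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None, "idle_timeout"
        s.last_seen = now
        if now - s.last_renewed > RENEWAL_INTERVAL:
            # Renewal: fresh ID, old one invalidated. A token copied earlier
            # stops working at the next rotation.
            del self._sessions[sid]
            new_sid = self._new_id()
            s.last_renewed = now
            self._sessions[new_sid] = s
            return new_sid, "renewed"
        return sid, "ok"

    def logout(self, sid: str) -> bool:
        """Manual expiration: invalidate server-side, not just clear the cookie."""
        return self._sessions.pop(sid, None) is not None

    def revoke_user(self, user: str) -> int:
        """IR-plan hook (the 'session termination' step): kill every live
        session of a compromised account, e.g. after a phished login."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(store.validate(sid))         # (<same sid>, 'ok')
    print(store.revoke_user("alice"))  # 1
    print(store.validate(sid))         # (None, 'revoked')
```

The absolute check runs before the idle check on purpose: a stolen session that an attacker keeps poking every few minutes would otherwise never expire. Renewal returns a new ID that the application must write back to the client; the old ID is gone from the store the moment it rotates.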
5. THREAT HUNTING AND RESPONSE | SECURITY CONSULTING
Other Spooky Session Issues
ZOMBIE SESSIONS
» Types
  • Weak Session Entropy
  • Session Fixation
  • JWT Issues
  • Submission & Storage via Insecure Methods
    • URL
    • Missing Secure / HTTPOnly / SameSite Flags
    • LocalStorage for Persistent Cookies
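To make the "missing flags" item concrete, here is an added example (not from the talk) in Python's standard `http.cookies` module: one function emits a session cookie with the Secure, HttpOnly and SameSite attributes set, and a second one audits an arbitrary Set-Cookie header value and reports which of those protections are absent. The finding names and the eight-hour bound for "too persistent" are assumptions chosen for the demo.

```python
from http.cookies import SimpleCookie
from typing import Dict, List, Union

MAX_REASONABLE_AGE = 8 * 3600  # constructed bound: anything longer is "persistent"


def session_cookie(name: str, value: str, max_age: int = 300) -> str:
    """Emit a Set-Cookie header value carrying the flags the slide calls for."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = True        # only sent over HTTPS, never on plain HTTP
    morsel["httponly"] = True      # invisible to document.cookie, so XSS cannot read it
    morsel["samesite"] = "Strict"  # not attached to cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = max_age    # short-lived, in line with a short idle timeout
    return morsel.OutputString()


def audit_set_cookie(header: str) -> List[str]:
    """Return the weaknesses found in one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:           # parts[0] is name=value
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("no_secure")
    if "httponly" not in attrs:
        findings.append("no_httponly")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() == "none":
        findings.append("samesite_missing_or_none")
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > MAX_REASONABLE_AGE:
        findings.append("long_lived")
    return findings


if __name__ == "__main__":
    good = session_cookie("sid", "abc123")
    print(good)                          # sid=abc123; HttpOnly; Max-Age=300; Path=/; SameSite=Strict; Secure
    print(audit_set_cookie(good))        # []
    print(audit_set_cookie("sid=abc123; Path=/"))   # all three flags missing
```

A cookie that fails the `no_httponly` check is exactly the one that ends up copied into LocalStorage-style persistence by client scripts; the server-side flag is what keeps the token out of reach of page JavaScript in the first place.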
7. THREAT HUNTING AND RESPONSE | SECURITY CONSULTING
They’re Watching You!
MAN IN THE MIDDLE
» Man-in-the-Middle (MitM) AKA Creepy Crawlers
  • Between Client and Server
  • Hiding in Plain Sight
    • Starbucks
    • Airport
    • Your Home! (War Driving)
» At Risk Traffic
  • Unencrypted Protocols
    • FTP / SMTP / Telnet / HTTP / etc
  • Weak Encryption
    • Broken Ciphers and Algorithms
    • Downgrade Attacks
  • Authenticity Issues (w/ Examples)
    • Self-Signed Certs
    • No SMB Signing
    • No RDP NLA
8. THREAT HUNTING AND RESPONSE | SECURITY CONSULTING
What’s the Big Deal?
MAN IN THE MIDDLE
» Data Integrity Issues
  • Modified Data
    • Example (Real-Time)
» Confidentiality Issues
  • Sensitive Information Exposure
    • Credit Cards / Banking Information
    • Credentials / Session Information
    • PII / PHI
» Account Takeover
  • Credentials / Session
9. THREAT HUNTING AND RESPONSE | SECURITY CONSULTING
Expel the MITM
MAN IN THE MIDDLE
» Fight Using
  • Strong and Trusted Encryption
    • Current Ciphers
    • Disable Outdated Protocols & Ciphers
    • Trusted CA
  • Trusted Networks
    • Examples of ARP / WiFi Spoofing
    • VPN if Untrusted
  • Training
    • Look for Certificate Warnings
  • Enforce Signing on Relevant Protocols
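"Strong and trusted encryption" is a configuration decision, so here is an added example (not from the talk) using Python's `ssl` module: a client context that trusts only the system CA store, checks the hostname, refuses anything below TLS 1.2 and offers only forward-secret AEAD ciphers, beside the weak context a MitM hopes to meet (no certificate verification, so a self-signed certificate is accepted silently, and no protocol floor). An `audit_context` helper reports which protections are missing; the finding names and the cipher string are assumptions for the demo.

```python
import ssl
from typing import List

# Forward-secret AEAD suites only for TLS 1.2; TLS 1.3 suites are built in.
MODERN_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def hardened_client_context() -> ssl.SSLContext:
    """Trusted CA store, hostname check, TLS 1.2 floor, modern ciphers."""
    ctx = ssl.create_default_context()  # loads system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(MODERN_CIPHERS)
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The 'creepy crawler' friendly setup: any certificate (self-signed
    included) is accepted and no outdated protocol version is disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Report the MitM-relevant weaknesses of a client SSLContext."""
    findings: List[str] = []
    if not ctx.check_hostname:
        findings.append("no_hostname_check")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no_cert_verification")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("tls_floor_below_1_2")
    for cipher in ctx.get_ciphers():
        # TLS 1.3 suites are always forward secret; for TLS 1.2 insist on (EC)DHE.
        if cipher["protocol"] != "TLSv1.3" and "DHE" not in cipher["name"]:
            findings.append("non_pfs_cipher:" + cipher["name"])
            break
    return findings


if __name__ == "__main__":
    print(audit_context(hardened_client_context()))  # []
    print(audit_context(weak_client_context()))      # lists the three settings above, and more on most builds
```

The "trusted CA" and "look for certificate warnings" items map onto `verify_mode` and `check_hostname`: with both enforced the client fails closed on a self-signed or wrong-name certificate instead of quietly talking to whoever sits on the coffee-shop WiFi.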
11. THREAT HUNTING AND RESPONSE | SECURITY CONSULTING
“Red Balloon” Social Engineering
PHISHING
» Victims and Targets Due to
  • Inefficient Spam Filters
  • Their Role / Position
    • Public Information (Recon)
  • Lacking or Improper 2FA
  • Lack of Security Awareness Training
  • Convincing / Targeted Campaigns
    • Urgency / Threatening
    • Rewards / Approval
    • Financial Incentives
    • Chain of Command
» Types & Examples
  • Phishing / SMS
  • Call Centers (Machine Learning)
12. THREAT HUNTING AND RESPONSE | SECURITY CONSULTING
Don’t Take the Balloon
PHISHING
» Phishing Techniques
  • Spoofed Sender
  • Doppelganger Domain
  • Google Calendar (Black Hills InfoSec)
  • Open Redirects
  • 2FA Bypass
    • Session Stealing Reverse Proxy (Modlishka, Evilginx)
    • PIN / Code Capture
» Security Awareness Training
  • On-Site
    • Tools like KnowBe4, PhishAPI, GoPhish
  • Third Party
    • After SE Engagement
    • Google’s Interactive Phish Training (Mobile, Desktop)
  • Know What Links Should Look Like
    • URL Encoding
    • Subdomains
  • Know What File Types Typically Contain Malware
    • Maldocs (PDF, MS Office Files, Executables, Archives, etc)
» Analyze URLs and Attachments
» Self-Report if You DID Take the Balloon!
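"Know what links should look like" is the training point behind the URL Encoding and Subdomains items, and "Analyze URLs" is the habit it builds. The following is an added example (not from the talk) of the reading a trained user, or a help-desk triage script, should perform: percent-decode the link, work out which registrable domain will actually answer, and flag a trusted brand name that merely decorates the subdomain, path or query of a different domain (the doppelganger and open-redirect patterns). The allow-list of trusted domains, the reason codes and the "last two labels" domain rule are assumptions for the demo; real tooling should use the Public Suffix List.

```python
import re
from typing import Dict, List, Set
from urllib.parse import unquote, urlsplit

# Constructed allow-list: the registrable domains staff legitimately sign in to.
TRUSTED_DOMAINS: Set[str] = {"bank.example", "mail.example"}


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' rule. Production code should use the Public
    Suffix List so hosts under e.g. co.uk split correctly; kept simple here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def explain_link(url: str, trusted: Set[str] = TRUSTED_DOMAINS) -> Dict[str, object]:
    """Read a link the way awareness training teaches: which domain answers,
    and is a trusted brand name only decorating somebody else's URL?"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    decoded_path = unquote(parts.path)
    decoded_query = unquote(parts.query)
    brand_names = {t.split(".")[0] for t in trusted}  # "bank", "mail"; substring heuristic
    reasons: List[str] = []

    if parts.scheme == "http":
        reasons.append("plain_http")
    if unquote(url) != url:
        reasons.append("percent_encoding_present")   # %xx hides what the user is reading
    if reg not in trusted:
        reasons.append("untrusted_registrable_domain")
        # Everything left of the registrable domain is subdomain decoration.
        if host.endswith(reg) and host != reg:
            sub_labels = host[: -len(reg)].rstrip(".").split(".")
        else:
            sub_labels = []
        if any(b in label for b in brand_names for label in sub_labels):
            reasons.append("brand_in_subdomain")
        if any(b in decoded_path + decoded_query for b in brand_names):
            reasons.append("brand_in_path_or_query")
    if re.search(r"https?://", decoded_query):
        reasons.append("embedded_url_in_query")      # open-redirect shape

    return {"host": host, "registrable_domain": reg, "trusted": reg in trusted, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links exercising each pattern.
    for link in (
        "https://online.bank.example/login",
        "https://bank.example.login-portal.example/sign-in",
        "https://mail.example/redirect?u=https%3A%2F%2Fbank-login.example%2Fsignin",
        "http://login-portal.example/bank.example/login",
    ):
        print(link, "->", explain_link(link))
```

The important output field is `registrable_domain`: the second sample reads like the bank at a glance, but the only domain that will ever answer is `login-portal.example`. The third is a trusted host whose query carries a second, decoded URL, which is what an open-redirect lure looks like and why the link still deserves a closer look before clicking.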