
Defensive Security Podcast Episode 286

2024/11/24

Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec

Chapters

The discussion focuses on CISA's report highlighting the alarming trend of zero-day vulnerabilities being exploited more frequently. The hosts explore the implications for software producers and consumers, emphasizing the need for better patching practices and mitigating controls.
  • Over half of exploited vulnerabilities in 2023 were zero-days.
  • Six out of the top fifteen exploited vulnerabilities were in core network infrastructure.
  • CISA has improved its timeliness in updating the Known Exploited Vulnerabilities list.
  • Organizations need to prioritize patching and implement mitigating controls to address vulnerabilities effectively.
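The Known Exploited Vulnerabilities catalog discussed in this episode is published by CISA as a JSON feed. The following is an added example, not code from the episode, from CISA or from the hosts: it joins a scanner's CVE inventory against a KEV-style catalog and ranks what to patch first by KEV membership, remediation due date and ransomware linkage. The field names follow the published KEV JSON layout; the catalog entries and the inventory below are constructed sample data, not real CISA records, and the feed URL appears only as a reference (nothing here fetches it).

```python
"""Prioritize a CVE inventory against a CISA KEV-style catalog.

Added example; the catalog entries and inventory below are constructed
sample data, not real CISA records. Field names (cveID, dateAdded, dueDate,
knownRansomwareCampaignUse) follow the published KEV JSON layout.
Live feed (reference only, assumed URL; this script does not fetch it):
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json
from datetime import date

# Constructed KEV-style catalog (not real entries).
SAMPLE_KEV_JSON = json.dumps({
    "title": "Sample catalog",
    "catalogVersion": "2024.11.24",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2024-00001", "vendorProject": "ExampleEdge", "product": "Gateway",
         "dateAdded": "2024-10-01", "dueDate": "2024-10-22",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-00002", "vendorProject": "ExampleCorp", "product": "FileMover",
         "dateAdded": "2024-11-20", "dueDate": "2024-12-11",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-00009", "vendorProject": "ExampleSoft", "product": "Wiki",
         "dateAdded": "2023-05-05", "dueDate": "2023-05-26",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: host -> CVEs a scanner reported on it.
SAMPLE_INVENTORY = {
    "edge-fw-01": {"CVE-2024-00001", "CVE-2024-77777"},
    "xfer-01": {"CVE-2024-00002"},
    "wiki-01": {"CVE-2023-00009"},
    "app-03": {"CVE-2024-77777", "CVE-2024-88888"},
}


def load_kev(kev_json):
    """Index a KEV-style JSON document by CVE ID."""
    doc = json.loads(kev_json)
    return {v["cveID"]: v for v in doc["vulnerabilities"]}


def prioritize(inventory, kev, today_iso):
    """Return one row per (host, CVE), most urgent first.

    Sort order: KEV members first, then those past their KEV due date, then
    ones CISA marks as used in ransomware campaigns, then earliest due date.
    CVEs not in KEV are kept (they still need a patch plan) but sort last.
    """
    today = date.fromisoformat(today_iso)
    rows = []
    for host, cves in inventory.items():
        for cve in sorted(cves):
            entry = kev.get(cve)
            if entry is None:
                rows.append({"host": host, "cve": cve, "in_kev": False,
                             "overdue": False, "ransomware": False, "due": None})
                continue
            due_iso = entry["dueDate"]
            rows.append({"host": host, "cve": cve, "in_kev": True,
                         "overdue": date.fromisoformat(due_iso) < today,
                         "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                         "due": due_iso})
    # ISO dates sort correctly as strings; None (no due date) sorts after all dates.
    rows.sort(key=lambda r: (not r["in_kev"], not r["overdue"], not r["ransomware"],
                             r["due"] or "9999-12-31", r["host"], r["cve"]))
    return rows


def overdue_hosts(inventory, kev, today_iso):
    """Hosts carrying at least one KEV CVE whose remediation due date has passed."""
    return sorted({r["host"] for r in prioritize(inventory, kev, today_iso) if r["overdue"]})


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for r in prioritize(SAMPLE_INVENTORY, catalog, "2024-11-24"):
        tag = ("KEV " if r["in_kev"] else "    ") + ("OVERDUE " if r["overdue"] else "        ")
        print(f"{tag}{r['host']:<11}{r['cve']}  due={r['due']}")
    print("overdue hosts:", overdue_hosts(SAMPLE_INVENTORY, catalog, "2024-11-24"))
```

With the sample data and a run date of 2024-11-24, the edge gateway CVE (overdue and ransomware-linked) lands on top, the wiki CVE that has been overdue for over a year comes second, and the two hosts with non-KEV CVEs fall to the bottom of the list. In practice the inventory would come from your scanner export and the catalog from the live feed; the ranking logic is the same.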

Shownotes Transcript

Today is Sunday, November 24th, 2024, and this is episode 286 of the Defensive Security Podcast. My name is Jerry Bell, and joining me today, as always, is Mr. Andrew Kalat.

Good afternoon, Jerry. I had to check, it really is this deep into November. That's kind of crazy. I don't know how that happened.

Yes, basically one month till Christmas. That's true.

But I could be here. If anybody's shopping for me, I wear a size golden AM six-fifty.

Good, a good hint. Good shopping tip for you.

Just for anybody shopping. But how are you doing?

I'm good.

For those who don't know, we started a second show where we're doing interviews, called Getting Defensive, and it's kind of weird that this is you and I again, because I know it's been interviews...

...a lot, back to back to back to back. I think we've probably done eight of those interviews since the last time we've done one of these. So yeah, it's kind of weird. It is.

But hey, if you're interested, check it out. It's a different podcast feed. You can find it on all the different podcast platforms and on YouTube. Jerry and I are trying to do our best imitation of interviewers of cool people in the security industry. We've had four episodes, I think, published so far.

There will be a fifth dropping probably tomorrow or Tuesday. Yeah, and...

I think our most recent one, that we published this last week, was Andy Green, right, talking about all sorts of cool stuff. He's a professor at Kennesaw State University, which is a university here, and he was talking about all sorts of cool stuff that he's doing research-wise around vulnerability disclosure motivations, and then also a really interesting story about how he got caught up in a whole voting machine security scandal and disclosure that went sideways. So pretty cool, interesting.

That was fascinating. I had heard about that whole story on the periphery, and just transparently, I'm doing a teaser so that everybody wants to go and listen to that show. But, you know, being in Georgia, this was a story about the state of Georgia's election issues in, was it 2020? Yeah, his university was charged with some aspects of election security and, through no fault of his own, he ended up in kind of a weird and problematic position. Fortunately, it worked out for him, but it's a really fascinating story, and I would encourage you to go listen to it.

Yeah, and for the record, the other three before that: we dropped Amanda Berlin, who has been a long-time friend of the show, doing really good stuff around mental health and a book.

Then Warden, who is well known as a really interesting confluence of legal skills and infosec skills and business executive skills, and that was a cool discussion. And Allan Liska, who is really well known for his work around ransomware, as well as now writing comic books. Also cool stuff. So we're trying to find interesting folks that you guys might want to hear from. If you have ideas, send us suggestions.

Yeah, absolutely, absolutely. So before we get into the stories for this week, just a reminder that the thoughts and opinions we express on the show are ours and not necessarily those of our employers, at least for those of us who have employers. True, indeed. I believe the proper word is that I am a free agent.

So I'm available to be bought, is that...

...right. So I'm waiting, like in baseball and football, I'm waiting for my $500 million contract. I just assume somebody has lost my contact info.

Yeah, it's kind of like when the Nobel Peace Prize comes around every year and I just wait for the phone to ring, and it doesn't. They probably...

...it just doesn't go through, and then they have to go to the next person.

That's fair. And I also am bad about answering my phone if I don't know the person calling, so you're probably right. I should just...

...answer. Nobel committee, junk.

Well, you know, here's the thing. If we get the other show off the ground, we could just get some of that Rogan money.

And all this through.

So we signed up on Spotify for like a billion dollars.

It's going to be amazing. You know, if we can get staff to quit in protest of our show, I consider that a win.

Maybe we could hire people with the express intention for them to quit in protest.

Oh yeah, like protesting my stance on two-factor authentication or something.

Just know how terrible that is.

There's no such thing as bad press, right? I love this...

...because we can hire people to picket out in front of, like, City Hall. Sure. Anyway.

So our first story for today comes from Dark Reading, and the title here is "Zero-Days Win the Prize for Most Exploited Bugs." So CISA, the Cybersec... I still hate this name. I remain hopeful that someday somebody will fix this abomination, this injustice in the world, of calling it the Cybersecurity and Infrastructure Security Agency. Like, I just think that it's just wrong. Anyways.

It's like calling it an A...

...TM machine. Yes, very much so, very much so. It hurts. It actually hurts me to say it. So anyway, CISA, I'm going to call them CISA because I don't like the full name.

They released a report. They do good work, by the way, so it's not a slight on them. It's a slight on their name, and whoever came up with the name should feel bad.

But now I'm done and we can move on. They released this report, which enumerates, and they've been doing this for several years now, basically the top exploited vulnerabilities. And I do want to take just a slight diversion. If you rewind a while ago, CISA started...

...this KEV, the Known Exploited Vulnerabilities list. And for a long time, I would characterize it as a bit of a joke. Like, things would be exploited for a very long time, and then somebody would wake up over there and they would add it to the vulnerability list. And the intention there, by the way, is that when something is added, at least government agencies, U.S....

...government agencies, and others that may be acting on behalf of the government, have to take swift action to remediate those vulnerabilities. Like, they have a hard time limit, and you don't get out of fixing them; you have to fix them, full stop. But over the past, I would say, two, three years, that has transformed into something that is actually really useful. Like, they are very timely.

They're updating it on a timely basis, and I think it's become something of a reliable resource. And so I want to give them kudos. I don't know what changed. I don't know why it changed. Something changed, and I think it's awesome.

So it's good. I completely agree. By the way, I hate to be so snarky about it, but I was like, you know, you'd hear from the government news that you found out about from open source a month ago, right? Like, have you ever been involved with any of the FBI-driven, like, ISACs and such, that were, like, privileged information?

I'm like, I just read about this on Dark Reading a month ago. It's not privileged. It's just it was so slow, and I think that is one of the inherent problems with government, right? They have so much red tape that they can't move at the speed that we want them to move at.

So yeah, right. Something has changed. I'm happy for it, and frankly, I do find it helpful. I think we saw some other stats just come out, as we were discussing, on the amount of new CVEs versus exploit activity witnessed in categorizing CVEs; something like half a percent of the actual CVEs were truly known to have been exploited.

So that's like a huge gulf of, like, which one should I patch? And patching everything, by the way, I just want to say for the record, is not always a viable option. Like, I need to prioritize somehow. So having some sort of tools building in awareness and alerting around the KEV is helpful, and it allows me to give better risk-based guidance on what to work on. But back to the article today. What's really interesting is we've kind of operated on the assumption that most threat actors don't want to burn zero-days; they want to keep them for the most juicy targets, the most interesting targets. This article kind of flies in...

...the face of that. Yeah, their reporting here shows that in 2023, over half of exploited vulnerabilities started off being exploited as zero-days, which is quite interesting. So basically that means that the majority of exploit activity is happening against vulnerabilities that do...

...not have a patch yet, which is a problem. It makes it more difficult.

Yeah, and so they enumerate a couple of different strategies, one from the perspective of software producers and one from the perspective of consumers. And certainly, I would say that a lot of the work I'm seeing the U.S....

...government do recently is in the space of producers, right? They're trying to drive discipline around software development lifecycle management, memory-safe languages and lots of other adjacent processes. But not all of us are in the business of creating software.

A lot of us are in the seat of having to deal with the impacts of software that other companies make, right, that we're more or less forced to operate, which in turn has these zero-day vulnerabilities. One thing that I found particularly interesting, because they do enumerate, I think it was, the top 15 vulnerabilities that they saw exploited as zero-days: out of the 15, six of them were what I would call core network infrastructure, stuff from Cisco and Citrix and Fortinet.

There were some from Progress. There was certainly MOVEit, there was Atlassian, Apache. But there are a lot of things I would say are typically expected to be on your edge that were part of this group of systems that were exploited, and that kind of flies in the face of, like, "just don't expose it to the Internet." That starts to break down when, in fact, the problem is with something that you're intentionally buying to put on the edge to protect your other stuff, and then that is the way that people get in.

Well, yeah, I had a little more of a thought, but then I was thinking, okay, is this a statistical bias situation where, if I do a good job of isolating everything else, the only things I'm exposing are these tools that are meant to be exposed, so therefore they're getting more and more attention? I don't know. I don't think that's true, actually.

I think we're in this weird cycle where these tools that are on the edge have gotten weaker and more easily attacked. But there's something, like, statistics are so tricky with this game theory going on, of what's exposed versus not exposed versus, you know, development lifecycle versus what's reported versus what's... it's so tough to know. But I think, nonetheless, what this tells me is to somehow think about, game out, what happens if that perimeter device that you have to have exposed gets hacked? And how do...

...you mitigate that?

Right, whether it's through more segmentation, through more monitoring, through less trust inherently between your devices and forcing that traffic to still be authenticated even with, you know, the assumption of a bad actor sitting on that perimeter device. Okay, how do I still authenticate their traffic? And every environment's a little different. But that's the kind of stuff I think about in light of this news.

Definitely. I would also say, I know every one of these is a little bit different story, but there are several where the vulnerabilities are in components that don't necessarily need to be exposed to the Internet. So while, for example, your Cisco firewall is intended to be on the edge, the management console for it doesn't need to be. And I think, like with, I think it was Fortinet, and apologies if I'm wrong on this, but I think it's Fortinet, the default is that its management console is Internet-facing, and you actually have to take steps to change that.

And so I think there's also kind of a least privilege, and I don't necessarily mean that in, like, an IAM stance, but like, I think you need to take a very close look at how your devices, especially on the edge, are configured, to make sure that you're minimally exposing things, because it does seem like, in one of the recent shows we did, we were making fun of one of the providers for using PHP in their management console. Well, you don't have to have that exposed to the Internet. We can make fun of it all the time.

But like, that shouldn't be exposed, and it wasn't really intended to be exposed. I will also say, back to your point about how do I think about this, I think if you go back a couple of years, there was kind of a moment in the industry, caused by some researchers finding a serious vulnerability in one of these firewalls.

Yeah, I think that caused a lot of both the bad guys and the good guys to start investigating these firewalls, which I don't think had really had any substantial focus by the security industry. Like, it was just kind of not on everybody's radar, and something happened. And as we see all the time, once one thing happens, there's this mad rush to go look for other things. When we saw Log4j, there was the initial Log4j vulnerability, and then there was just a freight train of more vulnerabilities that kept getting found. And I think we see that quite often, and I definitely think that was the case with this, and it's going to continue to be the case, because I really feel like security vendors are some of the worst offenders at writing secure software.

Agreed. I think we've both worked in a few, and I think it's absolutely true, which is fascinating because their entire reputations are based on trust and security.

But I agree with you. By the way, you've made this point over the years, and I certainly don't disagree, that when the research community or the bad-guy community gets a hint of one class of problem, they then take that and replicate that investigation, or that class of problem, proof of concept, across many, many, many different environments that they might not have tried before. It gives them a new template to test against, basically, or to try their luck. And then, speaking of Log4j, just randomly, it's funny, we still see attempts all day long against our web properties with Log4j in my current environment. So it's still hanging around.

I think we're going to see Log4j... I strongly suspect there are still things out there that have vulnerable versions of Log4j, just because we have such limited visibility into what gets incorporated into software. And I think it's not everywhere.

Like, I think the industry has done a pretty good job of eradicating it, but I'm quite certain it's still there in some places. So one of the other findings of this report was that the usefulness of exploitation of a vulnerability tapers off, from the perspective of an attacker, after about two years. And I think that's because, after about two years, the majority of the landscape has either sunset the technology or applied the patch or what have you.

But I found it interesting that we've talked a lot in recent episodes about the importance of patching and how, as an industry, we don't do a great job of that because it's not very sexy, and we're struggling with labor shortages, that's not the right way to say it, right? But we don't have enough people to do...

...everything that needs to be done, and patching tends to fall aside, because everybody wants to play with the new AI-enabled whatever. And so that's just something that takes a back seat. But here we're seeing, even if you're doing a great job of patching, it may not be enough.

And so you really need to also be focusing on mitigating controls, looking at your ability, as you pointed out, to quickly detect that something was exploited and bypassed your secondary controls, looking at things that are on the edge and how you mitigate an exploit of that from resulting in deeper penetration into your network. So these are certainly difficult times, and we will talk about it a little bit later; there's a lot of opportunity for adversaries. The world has gotten more dangerous, not less dangerous, and I think it's becoming more important that we pay attention to these mitigating controls.

Especially when you take into consideration, even for those that have patched before an exploit appears, we're seeing that window shrinking so rapidly that it's almost becoming impossible to patch fast enough. And then there's risk with patching. We see this all the time.

If you patch too fast, you could induce a production issue. So I'm not saying patching is a bad idea. I think it's a foundation, especially because we're talking about lateral movement or privilege escalation or any sort of, once somebody's inside, how they might move around, which matters, right? You can't just focus on the edge. But what I think this is telling us is that we need to also build defenses with the assumption that we haven't been able to patch a problem before it's exploited in some way. And how do we know and check...

...that? Absolutely. So our next story comes from BleepingComputer, and the title here is "GitHub projects targeted with malicious commits to frame researcher." I don't know what struck me with this one, but I thought it was worth talking about because I just found the whole thing fascinating.

They say one of the, I guess, one of the most... the victim in this is somebody named darkmage, with the Twitter handle evildojo666, who is apparently the victim of this. So there was a set of commits to a GitHub repository, the exo GitHub repository, which I think does some AI stuff, which contained some encoded Python.

So it basically looked like kind of random numbers, but they were included in a way that they were decoded and then run. When you decoded them, they unrolled into some Python that connected to the website of this, quote, victim, this evildojo person, and it looks like it attempted to download some commands that would then get executed. The issue is this person says that it wasn't them. The endpoint, the directory on that website, never existed, and that GitHub account does not belong to them. And by the way, all appearances are that he's being truthful.

Yeah, and apparently this is not the first time that he's been targeted in this way. But it's fascinating on a couple of levels. One, the concept of obfuscated code that was put into a pull request that, if you didn't know what you were doing, could have been approved and could have legitimately, if I were a true bad guy, pulled some sort of back door into the code, is interesting. And then that this is being done to frame this guy is also fascinating. But fortunately, you know, logs don't lie, not usually, and he's got the receipts to prove it wasn't...

...him. But it's a crazy story. Yeah, the commit never made it into the actual code base, which again points out the importance of assessing commits before you accept them into your code base, especially when, as this GitHub project does, you're accepting contributions from the community. I know we've seen quite a few instances, most famously in recent times the XZ...

...one, which I wish was actually mentioned in this article, where one of the committers basically bullied other people into accepting that person's contributions, which turned out to be malicious. So I think there are a couple of lessons here from my perspective. One is it's really important to do a thorough job of assessing code contributions. And I think it's also important not to necessarily jump to conclusions until you've had a chance to investigate, because in this instance, it is very clear to me that this was somebody trying to harass, and seriously, significantly so, perhaps trying to get them in trouble with the law, which is not a trivial matter. So make sure that you are thorough in investigating what happened before you jump to a conclusion. So yeah.

So another quick thing that is interesting: some of the automated tools that you can run against code flagged this particular one as highly suspect, which is kind of nice. So yeah, yeah.

There's...

...value in those code tools in this sort...

...of instance. Why, I think that's very true. But I also think, in my mind, that was intended. If you look at the Python code that was used, it was, like, dead, stupid simple, like it was as basic an attack technique as you could possibly get. And so to me, it seems like it was put behind a thin veil.

And I think they knew that it was going to get caught by something, with the intention of it not being there to actually drive exploits, but to cause problems for this person. But you're right, there are lots of tools out there. It did catch this. We should...

...use them. Indeed, right?

The next article comes from The Hacker News, and the title here is "Microsoft launches Windows Resiliency Initiative to boost security and system integrity." So this is largely an outgrowth of the big blow-up with CrowdStrike earlier in the year.

But I think it's turning into something that has lots of arms and legs, which I think is not a bad thing. One of the most, to me, seemingly significant improvements that they're making is the ability, through remote configuration management, to revive workstations that aren't booting. I don't actually know the mechanics of how that works. Yeah, but that's really cool.

I like how... something at the firmware level on the motherboard, something in the BIOS, which is now no longer called the BIOS, some sort of pre-boot, or some sort of boot sideloader, that hits a recovery partition on the drive. Very curious how that's going to work and what the edge cases are, like how well does it cover all the circumstances? It's cool.

Don't get me wrong. I like that they're working on it. I'm just very curious...

...and does it open new avenues for attack and exploitation?

Of course it does. Why wouldn't it?

That's going to be the billion-dollar question. But go ahead. Our next business...

...is going to be writing EDR for that sideloader.

Oh, that's great. Very good idea. When I read that, one of the use cases that came to mind was ransomware attacks.

Yeah.

So if you have a fleet of systems that were wiped, you know, they evaded all of your other most excellent controls, and now everybody's staring at an unbootable system, would this potentially give you the ability to restore en masse without dispatching people to recover? And I think the use case to me very clearly was what happened with CrowdStrike, where somebody had to go and touch each one of the systems that were impacted and run through some process. But it makes me wonder if it could also be useful in, like, a ransomware type attack.

It just depends. It all depends on what data is able to be backed up and restored. Is it just key system files? Yeah, I don't know. To be determined, yeah.

So they have a number of other improvements that they're including here, things like Windows Protected Print, where they are apparently going to be doing away with third-party print drivers. How do you feel about that?

I mean, I think half the red teams in the world are sad now.

Yeah. Support for passkeys in Windows Hello. I didn't know that wasn't already there, so that was a little eye-opening to me. Hot patching in Windows, which is very interesting to me, and I think long overdue. Zero Trust DNS, so basically the ability for you to lock your endpoints to a particular DNS server and to not allow them to resolve domains outside of that DNS provider.

Which technically isn't zero trust. It's like one trust. I trust one DNS server, maybe two.

I've got...

...to trust something.

Right? I can't argue with your logic there.

You know, this is what happens when marketing...

...people get involved.

It's because, like, four... four trust, four servers, that's it. Sorry, go ahead, sorry.

They clearly need to get you on speed dial. "Hey, so here's what we're thinking."

Indeed. So they're...

...also looking at implementing this config refresh option, to basically reset systems back to a known-good configuration. I mean, I think that's a good idea. I think it'd be better if you could prevent the drift in the first place. But hey, I guess that's a good...

...first step. Well, if you give your users some local admin control, somebody inevitably, right, is going to fiddle with things. So I like the concept of it's like a gold image locally, kind of, sort of, like you restore back to known gold, at least from a configuration standpoint. So if you fiddle around with things, it's kind of a nice help. This feature, if it lives up to this story, is going to be implemented the way I'm thinking about it, so to be determined.

And then I think the most significant thing, of course, is what we talked about ad nauseam since the CrowdStrike debacle: they will be providing a way for security tools like EDR to operate without kernel access.

Yeah, we have talked about this time and again. I am still very curious how that's going to go from an efficiency, performance and compatibility and competition standpoint. It'll be very interesting to...

...see how that plays out. And one of the big... I'm assuming that they're going to find a way to plumb the security tools with enough visibility for them to do their jobs.

I know one of the challenges, and we've talked about this in recent shows, is that when software runs in user land, it's relatively simple, or at least possible, to kill. So as an attacker, you can stop processes or launch processes in user land. But you can't do that for the kernel unless you have very elevated permissions, and in some instances not even then.

And so one of the reasons, as we've talked about in the past, that CrowdStrike, I think, liked operating in the kernel was that you couldn't kill them. If somebody clicked on a phishing link, or ransomware, or some piece of malware, that malware didn't have the ability to kill the CrowdStrike process in the same way that they could kill some other security software. And so that's going to be more interesting. And I think that's...

That knife is going to cut both ways, I suspect, because now you're providing a way for something, I assume, to be unkillable in user land. And so how can that be abused? And so it's just like the ability to resurrect unbootable systems remotely: does that provide a new avenue for abuse? What kind of avenue for abuse does this open up? And my hope is that the people that are working on this are smart enough to ask these questions. And I'm not breaking new ground here, but I have questions. I'm cautiously optimistic, but I have questions.

And I'm sure the other aspect that all these guys are thinking about is, okay, if Microsoft is going to build this new methodology where these tools run in user land and not kernel land, does that include Microsoft Defender? Or does Microsoft Defender still get to have the privilege of running in the kernel when nobody else does? And does that become a competitive differentiator that will quickly become an antitrust issue, and litigation will ensue?

It has happened in the past, apparently. Yes, so, good question.

We shall see. We shall see. Hey, look, all kudos to the work they're doing. I saw good stuff. I don't mean to just be negative. I'm glad they're making some of these "Wow, why didn't we do this before now?" sort of ideas. So I'm glad they're working on it.

That's a good call-out. This was not in any way intended to dog on them. I think they're doing good work, and I expect these will be meaningful improvements. But there's a lot of uncertainty about the implementation details.

It's fine. You can admit it. You missed your nap today. You didn't get to watch your Matlock episode, right?

By the way, did you know there's a new Matlock? I did, I did. I did not...

...know that.

This time I feel like I can be old now. Anyway, anyway, the final story is another CISA report.

I'm no no article that goes with IT, but it's a report from sea. The title here is enhancing cyber resilience insights from csa red team assessment of A U. S. Critical infrastructure sector organization.

This is a reasonably long read out of a red team or I guess we would you more commonly call them a penetration test report that he said did on an unnamed critical infrastructure organization. They don't even tell you what sector there in. So there's no is really no identifying information other than they have a mix of windows and linc systems. That's that's about all you all you can you can get out of that.

But I really liked this summer, and I think there is a little bit of something for everybody in here because they they talk about how they compromise linux, a linux environment and then and then compromise IT at scale, which is not something that you you typically think about because you know unliked windows systems, which have this inherent often have this inherent trust relationship through active directory. You don't have that with clinic systems. And so the novelty here, in at least net perspective, is they did find a way in the way they found that was through this company's linux systems all had a nfs that they they I didn't realize people still use enfers like I I thought that went away a long time.

I got apparently that they do so cool. Uh, they they found that there were dozens or hundreds of people whose home directors linux home directories were mounted on this entire share in because the the way they can figured this nfs mount to Operate, when when you have root privileges on one of the systems you can, you can basically get access to everything on this info ference. So they were able to go in, clock out lots of S S H private keys and and they got a lot of other useful information like some certificates and some even information that enabled them to compromise active directory.

Um but I thought I thought I was an interesting attack factor to find S C H keys that provided access kind across the environment. Another aspect I thought was really interesting was they they they first started off trying to attack the organization. By the way, I should set IT up front, asked to be attacked, right? They they asked sesa to perform this engagement. So I wasn't like sesa just took IT upon themselves.

So you think consent is important?

Consent was important. They are a government agency, so I don't know how, I'm assuming they all have qualified immunity anyway. But there it is. So they initiated the attack trying spear phishing. So they identified a set of attack targets, I'm guessing through LinkedIn. They did some research to figure out what kind of workstations they used and what kind of security software they ran, and that turned out not to work. And in fact they said that one of their targets actually did execute their code, but this organization was running a piece of security software that CISA's pentesters didn't know about, and that software, they don't mention what it was, blocked their software from running. So that was interesting. Yeah, yeah.

I think they said of the thirteen targets, one user responded to them and two actually ran the malicious file, but it didn't land. Yeah, but it's probably worth mentioning, that was Malwarebytes.

I'm sure it's probably Malwarebytes, of course.

Of course. But the first one, one takeaway, right, if that triggered an alarm, that might have given a hint to the SOC: okay, somebody's up to something, maybe. Or it could have been just, stuff happens all the time. How do you know that this is the beginning of a focused, intentional, hard-target attack versus just random noise when you get an alert like this? That's an immediate thought I have. In hindsight it's perfect.

Twenty-twenty. At the time it's just another alarm. How do you know? Good question.

Exactly. So. So they then pivoted to attacking infrastructure. They looked at, you know, Shodan and other open source intelligence. They identified an application that had a vulnerability, and using some proof-of-concept code, actually got a web shell. But what's really weird is that once they implanted this web shell, they started poking around and they found that there was already another web shell on the system that was put there by another

tester and never removed. Yeah, some sort of proof of concept for another and just never cleaned up, I guess.

Correct. And that happens, by the way, if you're not careful, if you engage pentesters who are not diligent, you know, they can leave little messes around that can be exploited. So CISA, the red team, at that point actually reported the web shell, because the web shell was just open and accessible for anybody to use.

And that, of course, caused this organization to go into an investigation. And they found a lot of, but not all of, the activities of the CISA red team. I think they eradicated all but four of their persistence mechanisms, which is still four, so, you know, they could have done better, I guess, in their investigation. But over some time, the engagement changed a bit. It's a little unclear to me exactly what caused that to change.

But this organization, their security team, came to realize that they were being pentested. And so there was a mutual agreement between the contact at the organization that was coordinating with CISA and the internal teams that the internal teams would basically hang back and just operate in a monitor mode. And so beyond this point, there weren't any further attempts by the organization to stop them.

They just kind of sat and watched and reported back to CISA what they saw. And so a lot of the report is based on a comparison of what the red team did versus what the company's security team reported, rather than in a more adversarial... yeah.

That turns into like a purple team at that point, if you subscribe to that concept.

Yeah, exactly. So then, through a couple of different machinations, they were able to compromise the Active Directory of this organization. They did point out that it was pretty easy to go from their external DMZ, which is where the web server was, to their internal network, because there wasn't a lot of separation.

They pointed out, and I thought this was interesting, that the organization had actually gone so far as to prevent their external DMZ from making unsolicited connections out to the internet, which is a good practice, by the way. What's not such a good...

Tough to do consistently, mind you.

Right? What wasn't such a good practice was that they had, I guess, a relatively unmonitored proxy that allowed access out to the internet. So kudos, they blocked access to the internet, but then they provided an avenue to access the internet that apparently wasn't really monitored.

Which is maddening, because the whole point of funneling through a proxy is to monitor and control what's coming out, right?

So one of the files they found on this NFS share had some credentials for an Active Directory account. They were able to log into a system that had unconstrained delegation. Their Active Directory on this system was configured for unconstrained delegation.

And so basically that allowed them to coerce Active Directory to perform logins on that system and leave behind keys. Basically, they were able to capture enough information that allowed them to impersonate other users in the Active Directory environment. And from there, they basically had, you know, the run of the domain.

And when you're at that point, like, it's game over. You can get on workstations, you can get on servers. You can basically do anything you want. They talk a little bit about some of the persistence mechanisms, like on the Windows side. And on the Linux systems, they modified some cron jobs and the ifup scripts that handle turning on or turning up network interfaces, to run their persistence scripts, basically the callout for their shell. So, you know, interesting stuff. Like, there were opportunities kind of all over the place, as you might expect; those kinds of things could be detected through file integrity monitoring. But one of the more interesting aspects of this is they do a pretty thorough job of enumerating all of the different takeaways, with some more prescription around, you know, it isn't just kind of platitudes, it's more actionable information. And I'll go through some of that, but there was one quote in here that I thought was very worthwhile reading, and it was that...

If the target organization had listened to the Defensive Security Podcast more, they would have been

fine. I think so. I think that, yeah, although, no, actually I think that sentence got dropped in the final draft.

Happens all the

time. But this sentence is, quote, this document illustrates the outsized burden and costs of compensating for insecure software and hardware borne by critical infrastructure owners and

operators, end quote.

Shots fired. Well, look, as we talked about earlier, CISA, I think, for a long time has been somewhat naming and shaming the victims, but I think they're really now focused, for the past year or two at least, on the providers of software. We're not going to rehash all the stuff that we've talked about in regards to, like, what does it take to create reliable and reliably secure software, but that's clearly front and center in their mind. They're saying, like, this is not a problem, or not necessarily a problem.

You know, that this whole report is not necessarily a problem, or evidence for a problem, by critical infrastructure companies, or a failing of those companies. It's a problem or a failing of the software that they're using, that if they had more secure software, these problems wouldn't be there. And I mean, that's hard to argue with. Like, I mean, on its face, you can't argue with that. But I think you have to also recognize what does it take to do that? Like, that's the part where I think it starts to break down, like, you know, creating really robust software takes away some flexibility, it costs more, innovation is slower, and so on. And so, you know, I don't know where that thought process ultimately leads, but you can definitely see that that's where CISA is trying to drive this discussion.

Yeah, yeah, yeah. It's not like it's an incorrect stance. But it's in a vacuum; there's always more considerations.

There's more inputs to that decision-making process of how they got there. So it's easy to just go, ah, you're dumb for X, Y, Z. Like, these people who are making these decisions usually have a lot of competing priorities that they are trying to balance, and so, yeah, typically, yes.

Yeah. So while I'm not gonna read through all of the lessons learned, I think it's definitely worth your time to read through, especially the second half of this report, which starts with lessons learned and then goes into some specific mitigation steps.

But there were a couple that I wanted to zero in on, and one of them, the lesson learned, is on business risk, and it's what they call finding number seven: the organization used known insecure and outdated software. The red team discovered software on one of the organization's web servers that was outdated. After their operations, the red team learned the insecure and outdated software was a known security concern.

The organization's security team alerted management to the risks associated with the software. They, they, there's a misspelled word there, but management accepted the risk. Next, the security team implemented a VDP program, a vulnerability disclosure program, which resulted in a participant exploiting the vulnerability for initial access. I think, by the way, with a web shell; they don't say that.

But yeah, to be clear, if you don't know the term VDP, because it can be a little misleading, it's not that this company is disclosing their vulnerability out. It's for a third-party researcher or a random person to contact them and tell them about their vulnerabilities.

It's an intake. It's like a bug bounty kind of process, but a little different. So it allows third parties to tell them when they've got problems.

Right, right. Good color. So, the VDP program, and I'll continue, well, to quote: the VDP program helped the security team gain management support, and they implemented a web application firewall as the compensating control. However, they did not adequately mitigate the vulnerability, as they configured the WAF to only be in monitoring mode. The security team either did not have processes, or did not implement them properly, to scan assets and test whether they treated the vulnerability effectively.

And I think this is one of the, like, big misses that we have in the security world. Like, by and large, we accept risks all the time. And in fact, we just recorded a podcast with a pretty cool guest who pointed out one of the challenges I think we have as an industry is that people underrate the likelihood in the likelihood-and-impact equation; they misunderstand how likely something is to be exploited.

And I think this is kind of aligned with that. By the way, that's in an upcoming episode of the Getting Defensive podcast, so, you know, pay attention to your feed. I recommend you like

and subscribe. Shameless plug warning, shameless plug. We need a sound effect for that.

But anyway, back to my thought here. I think we are really good, as security organizations, at calling out that something is old, something out of date, what have you. And we're very good at having processes in place where management can sign off on the risk. But the challenge is, I think where we go off the rails is that just accepting the risk doesn't accomplish anything, like, in effect. You know, I used to work with a lot of lawyers, and one of the lessons I learned was, like, when you accept a risk, that's like exhibit A. Like, you move from ignorance into negligence when you start accepting

risks. Well, I struggle with that a little. The way I look at a risk acceptance program or methodology is that the decision makers, who control prioritization of the resource focus of the business, have been informed of a potential risk, or risks, and are held accountable to making the right decision with the resources available, right? So if the decision maker is making, let's say, you're a software shop, if the decision makers make a decision between patching something versus developing a new customer-committed functionality and they can't do both, they've gotta make a call, they're going to make a decision. And sometimes that decision is the business decision of delivering that committed bit of functionality to that customer, rolling the dice that that vulnerability or that risk is not gonna bite you before you can get back around to it. So I don't know that it's negligence so much as it is making a choice.

So when I say negligence, I'm talking in the legal sense, in the way that it would be looked at in the courts, at least here in the US. How the opposing counsel is going to portray your acceptance of that risk that caused their client to be harmed, it's not going to be presented as a reasonable business risk. It's gonna be presented as you were negligent.

And you've hung out with a

lot of lawyers. I have.

Oh, but fair.

But anyway. So in this particular instance, they went even further, though. Not only did they sign off on the risk, but they also said, okay, we'll sign off on the risk so long as we have some kind of mitigating control in place. But you know, one of the things I was, no, I wasn't able to do all the time, but for certain categories of risks, I found it useful...

And again, not everybody can do this, but I found it useful to try to have somebody exploit the problem after we put the mitigating control in place, to demonstrate that the mitigation was effective. And I think that's where this broke down: they put a reasonable control in place that a reasonable person would say would mitigate the risk. But they didn't verify that it actually mitigated the risk. There was one other

possibility here, which is that it was a fairly new deployment of the WAF that they put in a monitoring mode while they were still finding and fixing false positives and things that would... if you go straight to block mode in a WAF without tuning it, you're going to break production in a hurry.

Good point.

Good point. So I don't know if it's been in a monitor-only mode for a year. Yeah, okay, sorry. No. If, you know, they just stood it up a month ago, I kind of understand the timing issue there.

There's no context. It's a good point. There's no context there. By the way, WAFs are, as you point out, notoriously hard to configure, anyway, in a way that doesn't break... yeah, doesn't break the application. If you

want a truly effective WAF that has a good balance, balancing false positives and false negatives, and isn't breaking production, isn't blocking legitimate traffic, but is stopping a lot of bad guy traffic, you really have to know your web traffic well.

You have to tune it well. I mean, yeah, a lot of the architectures of these things say, oh, no, it's self-tuning, self-learning, and AI, and blah, blah. No, you need to stay on top of these things, or it's quickly going to get blamed for a lot of outages. And before you know it, folks in other parts of the company are screaming for the WAF to get turned off, which is not a good outcome.

Yeah, to your point. So in addition to all of the recommendations and details and mitigations, they actually do call out some noted strengths, which I thought was a good thing to see. One was that the network team of the defenders identified the initial compromise and some of the red team activities, and that led them to be able to shut down a lot of the activity.

Their EDR, as we talked about before, mitigated the malware that was delivered in their phishing attacks. Apparently, they had a really good password policy and they had effective separation of privileges. And I know, by the way, that not every organization has those, and every one of those things you don't have kind of exacerbates how easy it is for an actor to move through your environment.

So in total, this is, I thought, a really good example of how a more complex attack can happen. And I will go further and say that I suspect a lot of, like, not necessarily security people, but a lot of IT people, will say, I've never seen this happen in real life. Like, it's an edge case. But...

I think one of the challenges is the type of actor, unless it's one of the more sophisticated ransomware operators, which we are starting to see, right, the type of actor that employs these techniques, you won't know unless you happen to catch them. They will get in, they will do their stuff, and they will get out. And you won't know they were there.

Your mom definitely knew I was there.

I knew, I knew, I knew I wasn't getting out of this without a second joke.

I'm so sorry.

Sorry.

No, you're right. Unless you do a complete forensic and have perfect telemetry, you may not even know some of these techniques

were utilized. So then I guess you're left with the question: if an APT falls in the woods and no one is there to catch it, did that

actually happen? Well, when your data is published for sale on some bad

forum, yeah. I don't know how likely it is now. This is obviously a critical infrastructure operator. And so the downside is that an adversary would tunnel in and, like, jump over to an OT network, and dump all the chlorine in the water, or, like, you know, right, turn the power off, whatever the bad thing is. But an alternative explanation is, suddenly China has a fighter jet that looks a lot like the

JSF, right?

Or Russia has something that looks an awful lot like the space shuttle.

Or, you know, those are

the things that you just don't know. Or maybe they bring you down, like, suddenly your competitor in some other country is creating widgets using, you know, something that looks like the exact same process that you've spent years innovating.

Even more basic. Suddenly all of your customer base is being approached by a competitor at exactly just under what you're charging them for, et cetera.

So not everything is a ransomware attack. And I think that's, to some extent, ransomware is really, on the one hand, it has been one of the bigger boons for the security world.

But on the other hand, I think it's taken our eye off the ball, because, like, that's the thing we care about and we also, like, we expect it. Well, you didn't, like, every day I show my PC still boots, like, you know, hey, we did it. But that's not the only attack. So anyway, the whole article, the whole report, is worth your time to read. I'm not going to go through any more of it, but I definitely hope that was useful to you. I learned a lot. I thought it highlighted some things that I hadn't seen before. So good stuff, and I've seen a lot.

I really appreciated this, the depth and detail and actual information that came out of this. And, you know, I think one of the challenges sometimes when you look at a report like this is the tendency to say that the blue teamers, or the defending organization, has some sort of moral failing, or intelligence failing, or skill set failing, when that's not typically the case. These are really complex problems.

And if you look at, you know, there's an interesting takeaway here about how long it took for certain things to happen, especially once the defending SOC was, basically, stood down in monitor-only mode. There were a lot of opportunities to detect and disrupt this attack, which I think is important. Like, this is never... it's rarely a single-stage attack. And so even if you can't stop the initial intrusion point, or the initial social engineering attack, or whatever that is, being able to detect and disrupt some chain along that attack path becomes critical. And I think that's part of where we should also spend our energy and time, is, hey, if someone were to get in, what might be the next thing they do? And how might I detect that?

Right. I will say, broadly speaking, a lot... what's right in this instance, like, if it had been an actual attack, it very likely would have been stopped at some point. So that was, you know, good, kudos to them. And I think, from what I read, this organization has a level of maturity that many organizations do not have. Yeah, and I raise that because when you read this, you're like, oh my god, this was terrible, but it wasn't. And I genuinely think a lot of non-critical-infrastructure companies would struggle; like, they would not have seen most of this.

Yeah.

So I agree. We have it, anyway. That is the show for today. I hope you found it interesting. We will have links to all these stories on our website at www.defensivesecurity.org. Just a reminder that we have a whole new podcast, by the way, called Getting Defensive, a whole new, brand new... called the Getting Defensive podcast. It features Andy and I interviewing people that are certainly smarter than me, maybe not smarter than Andy, but smarter than me.

Certainly, certainly better than me.

To help explain context behind things that they're passionate about. It's not all business-related. You know, we talked about some people who have relayed personal experiences on how they got into security, some interesting personal endeavors they had. Amanda Berlin, for example, talks about her work with Mental Health Hackers, and so on. So it's, I think, a really great thing. Hopefully it opens your eyes to new perspectives beyond just what Andy and I talk about, and certainly we're hoping this is our path to, you know, that Joe Rogan money, as Andy keeps saying. One

quick note is we're trying hard to avoid, like, sales pitches and sales folks. Like, we're trying to find people doing the job down in the trenches. Like, you know, that's one of our priorities, because we get, honestly, a lot of pitches from a lot of sales-y folks to come on the podcast, and that's what we want to avoid. But if you know somebody really interesting doing really good work, even just peripherally related to information security, hey, let us know. We've got a whole long list of people already, but we're always looking for new, interesting guests.

Definitely, definitely. The intention is not for this to become the marketing vehicle for the latest security products. Although I'm not going to say that if we find something that seems exceptionally novel or cool, that we will never have somebody on to talk about something like that. But the intention definitely is to learn more about the basics from people who are doing the work.

So, good. I think it's good stuff, and I'm having a good time finding and meeting good people, having some good discussions. So I hope you like it too.

Anyway, that is the show. Hope you had fun. I had fun. Oh.

If you want to find that new show, just to wrap up our shameless plug, gettingdefensive.com is the website, because how could I not register that domain? It was too perfect. And also all the major podcast platforms and, uh, video; all these are video as well.

If you want the video feed, it'll be on YouTube on the Defensive Podcast channel on YouTube, which is a new channel that we just started. Look, we're getting crazy. We're getting crazy over here

our social media. But with that,

that's all I got.

All right. You can find me on my lovely Mastodon instance, jerry@infosec.exchange. And where can they find you?

I'm also there on infosec.exchange at lerg, L-E-R-G. And I'm still on X, hanging out at lerg there. Um, and yeah, those are the highlights.

Thanks, everybody. We'll talk again real soon.

Have a good week. Bye.

Bye bye.