Author Archives: cmartin

Breached Organization uses Network Insight to Pinpoint Source of Infection


A Core Security partner was contacted by a large institution with what is becoming an all too common problem: they had suffered a massive breach from an advanced persistent threat (APT), and they wanted to make sure it never happened again. Read on to find out how Network Insight proved to be the right advanced threat detection solution for their needs.

Making Changes After a Costly Breach

This institution discovered they had been breached when systems stopped working at multiple different locations. The attackers were able to steal millions of dollars, and recovering was costing thousands more. The breach quickly became public knowledge, so the organization also suffered a devastating hit to their reputation.

The organization had already taken measures to protect itself from infections and APTs by implementing an advanced threat detection tool. Frustratingly, their existing solutions did not catch the threat, even after the breach occurred. While they were eventually able to clear the infection, they wanted a way to ensure that they could detect threats before those threats caused such tremendous damage.

A Successful Proof of Concept

After initial conversations with our Core Security partner, the organization requested a proof of concept (PoC) for Network Insight to ensure it could handle any type of attack. Engineers from both our partner organization and Core Security went to the site and installed Network Insight’s hardware—sensors that passively observe communications going to and from a network.

A few days later, the engineers met with the organization to go over the results of the PoC. In less than two days, Network Insight detected four active threats that had not yet been uncovered by any of the other security solutions the organization used. They quickly decided to purchase and deploy Network Insight.

A Long-Term Solution

This institution continues to use Network Insight, and has avoided any damage since. Ultimately, the organization now has confidence in the security of their essential assets knowing Network Insight will continue to provide definitive proof of infection, delivering actionable information about known and unknown threats regardless of the infection’s source.

Want to learn how Network Insight can also protect your remote workforce?

Read our blog, Four Network Security Challenges for Organizations with a Remote Workforce, to find out how to reduce risk with intelligent monitoring and detection.

Pen Testing Stories from the Field: Combining Tools to Take Over an Entire Domain


There is no single set of instructions on how to run a penetration test, and no one manual on how to be a pen tester. The only real constant is that each job is a combination of preparation and improvisation to adapt and adjust to each environment’s quirks. So one of the best ways to learn and improve your own penetration testing techniques and strategies is from your peers, whether it be through watching them on the job, or from talking shop at a conference and hearing how they handled an interesting assignment. With this in mind, after we spoke with a pen tester about a recent job his team had completed with the assistance of Core Security’s tools, we asked him to go into detail, in order to pass along some valuable lessons from the field.

What was the engagement?

We were tasked with completing an internal penetration test on a large, multi-national manufacturer.

What tools were you using?

We had a jumpbox laptop that we placed on the network. We used a Nessus vulnerability scanner, as well as a variety of pen testing tools, including Core Impact and Cobalt Strike. And of course, our powers of reasoning and deduction.

Had this company ever had a pen test performed?

Yeah, quite a few, actually. They told us the one they had conducted the year prior had turned up “nothing in particular,” so we were pretty curious to check out the environment for ourselves.

So, where did you begin?

Once we had the jumpbox laptop installed, we ran the Nessus scan. The scan indicated that there were 23 machines running the Solarwinds Dameware Mini Remote Control—a tool that IT teams can use for remotely accessing employees’ computers, laptops, or servers for support. Core Impact happens to have an excellent exploit for this product, so we used it and managed to get onto 13 machines. We installed an agent onto all 13 of these machines, but only as an unprivileged user account, so our initial access was fairly limited.

How did you manage to escalate your privileges?

We used Impact’s privilege escalation RPT (Rapid Penetration Test), which saved us several hours. CVE-2020-0668 is a privilege elevation vulnerability in the Windows kernel. There is a patch for it, but we still found it on several machines, and were able to use it to place an agent running as SYSTEM, which is the Windows version of what a lot of people know as the “root” or superuser account.

Next, Core Impact’s Windows Secrets Dump module, which can collect user credentials from a compromised machine, helped us obtain the local password hash database. Looking at the database, we noticed that the “administrator” user had the same hash on four of the workstations. We wondered if this administrator had the same credentials on other machines.

It turned out that the administrator did have the same credentials elsewhere, and we were able to get into a couple hundred machines. We used the hash with CrackMapExec to get access to the LSA Secrets, which housed a large amount of domain cached credentials. Ultimately, we were able to harvest 900 other user credentials, including multiple Domain Admins. We also used the hash to deploy the Cobalt Strike beacon payload across other systems compromising the environment even further.

Yikes. How far did you take the compromise?

Oh, we eventually took over the entire domain. We had complete control.

That was probably an unpleasant surprise for the organization. But better that your team found it out now instead of an attacker down the line. How could this have been avoided? What would you suggest they, and other organizations, prioritize to mitigate risk?

Well, to start, patch often and patch everything. If a patch is available for any of your devices, patch them. If a patch is available for any of your third-party software, patch them.

Also, never use the same credentials across machines—it’s a great way for attackers to quickly move laterally across the organization without much effort.  

Use two factor authentication for elevated access. Just do it.

And, naturally, I strongly encourage hiring savvy pen testers on a regular basis to validate those remediations.
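The finding the tester describes above (one local administrator credential shared by four workstations) can be audited for before an attacker stumbles on it. The following is an added defender-side example, not part of the interview and not Core Security's tooling: it takes a constructed local-account inventory, where the `hash` column stands in for whatever opaque credential fingerprint your audit export provides, reports every credential present on more than one host, and shows which other hosts a single compromised workstation would expose.

```python
"""Audit a local-account inventory for credential reuse across hosts.

Added example (not Core Security code). All records are constructed; the
'hash' column is an opaque credential fingerprint exported by your audit
tooling, never a plaintext password.
"""
from collections import defaultdict

# Constructed inventory: one row per local account per workstation.
INVENTORY = [
    {"host": "WS-101", "account": "administrator", "hash": "F1"},
    {"host": "WS-102", "account": "administrator", "hash": "F1"},
    {"host": "WS-103", "account": "administrator", "hash": "F1"},
    {"host": "WS-104", "account": "administrator", "hash": "F1"},
    {"host": "WS-105", "account": "administrator", "hash": "F7"},
    {"host": "WS-105", "account": "helpdesk", "hash": "F9"},
    {"host": "WS-106", "account": "helpdesk", "hash": "F9"},
]


def find_shared_credentials(inventory, min_hosts=2):
    """Group rows by (account, fingerprint); return groups seen on >= min_hosts hosts."""
    hosts_by_cred = defaultdict(set)
    for row in inventory:
        hosts_by_cred[(row["account"].lower(), row["hash"])].add(row["host"])
    return {
        cred: sorted(hosts)
        for cred, hosts in hosts_by_cred.items()
        if len(hosts) >= min_hosts
    }


def blast_radius(inventory, host):
    """Other hosts that accept a credential also present on `host`: the
    lateral-movement footprint of losing that one workstation."""
    creds_on_host = {
        (r["account"].lower(), r["hash"]) for r in inventory if r["host"] == host
    }
    reachable = {
        r["host"]
        for r in inventory
        if r["host"] != host and (r["account"].lower(), r["hash"]) in creds_on_host
    }
    return sorted(reachable)


def report(inventory):
    """Human-readable lines, one per shared credential."""
    lines = []
    for (account, _fp), hosts in sorted(find_shared_credentials(inventory).items()):
        lines.append(
            f"{account}: identical credential on {len(hosts)} hosts: {', '.join(hosts)}"
        )
    return lines


if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
    print("Compromise of WS-101 also exposes:", blast_radius(INVENTORY, "WS-101"))
```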

Want to learn more pen testing lessons?

Watch our webinar, "Getting Inside the Mind of an Attacker: TLS Attacks and Pitfalls" to learn about exploiting this security protocol.

Four Network Security Challenges for Organizations with a Remote Workforce


Recently, the need for being able to work remotely has dominated the news, making it clear that the ability to connect from anywhere may soon become the norm for more businesses and industries than ever before. While remote work may be coveted by many employees, it can easily fill your cybersecurity team with dread. Telework can create many new security weaknesses for an IT environment, and can significantly increase your organization’s chance of a devastating data breach. Read on to find out what makes these new network connections so vulnerable, and how you can reduce your risk.

1. A Rapidly Extending Perimeter to Secure

Businesses with onsite employees and workstations used to have an easily identifiable security perimeter—the building in which the office was located, and the network IT teams set up there. The cloud expanded the perimeter, but the majority of connections to the cloud were from different branches of the business, which were still located in traditional office spaces that could be secured and centrally managed.

With remote work, the perimeter has the potential to be virtually limitless, widening to each remote employee’s own router and wifi. Securing each one of those new individual connections is a nearly impossible task. Additionally, since security teams can’t verify how employees are managing their own networks, a remote workforce can mean that every remote worker may also soon be an attack vector.

Planning to implement a remote workforce requires careful consideration, additional resources, and typically a deployment that occurs in phases. Even then, not all security issues may be preventable. Having to quickly adapt to a remote workforce in an emergency, with limited resources, presents even more challenges.

2. Insecure Configurations

As mentioned above, security teams can’t control how individuals choose to connect to the network. While home office setups have become increasingly sophisticated, their initial configuration may not be the most secure. For example, many home wifi routers permit remote administration by default, which can serve as a primary vector for attackers. Some remote workers also use their own laptop, which may not be as securely set up as one provided by your IT team.

Additionally, though people may be primarily conducting remote work at home, particularly during an emergency, some may be traveling for business or could choose to go to coffee shops or libraries. While complimentary wifi is convenient, these connections are public and are very rarely properly secured, making them incredibly easy to exploit.

3. Connecting Personal Devices to the Network

Even those with work laptops and a relatively secure home setup may unknowingly be posing a risk to their organization. Once your home network is connected to your work network, so are all of your other devices—from your spouse’s tablet to a gaming console, and even your printer—all of which may not be properly protected. Every one of these devices can be compromised by an attacker, and used as a way into your work computer, exploiting your secure connection to gain entrance into organizational systems and data.

4. Episodic Increases in Malicious Activity

Finally, any time there is a crisis, regionally or globally, threat actors quickly mobilize, using phishing and other scams to take advantage of heightened emotions and the impulsive, reactive behavior that is common during such times.

When the waters are calm, threat actors have to be strategic in their phishing attempts. They can send out mass emails that don’t take much time to make, knowing users are much less likely to click on them because they are generic and tend to get caught in spam filters or quickly raise suspicion. Or they can use tactics like spear phishing, sending tailored emails intended for specific individuals or groups. Fewer emails are sent, but the likelihood that they will be opened is much higher.

However, when things are unstable, attackers can exploit the anxiety people are experiencing, transforming desperation for information into clicks. Attackers don’t need to spend time creating tailored emails for specific individuals when there is a topic that everyone is highly interested in. Threat actors can have the best of both worlds—they can cast a wide net, with the click rate of a targeted attack. Because crises can temporarily blind typically discerning eyes, it is extremely difficult to prevent such attacks.

Reduce Risk with Intelligent Monitoring and Detection

Remote work opens seemingly endless new connections to an organizational network, whether deliberately with a secure work laptop, or inadvertently with insecure connections and devices. While your security team can act preventatively by requiring passwords and VPN, there are still too many variables. By taking the zero-day approach to security, organizations adopt the mindset that they will at some point be breached, and layer their security accordingly. This means it is also necessary to go on the defensive, focusing on constant monitoring and detection.

But how do you keep up with this web of connections without drastically increasing the size of your security team? Instead of monitoring the network, advanced threat detection solutions like Network Insight monitor the traffic, looking for and confirming malicious activity, ensuring that swift action can be taken the moment it is identified. This way, your organization is being monitored without disruption, and connections can constantly be added and removed. In most cases, additional headcount is unnecessary, since such a solution carefully analyzes any threat, confirming and prioritizing infections to ensure security teams are equipped with all the evidence they need.

One Core Security customer has already seen the advantages of advanced threat detection after having to quickly move to remote work in recent weeks. While they were using their VPN as a secure connection, they had Network Insight installed to monitor that link. Within 12 hours, there were five threats detected, which illustrates the heightened malicious activity of the current moment. With such rapid detection and notification, this customer was able to thwart each attack, and suffered no damage.

Even with these security challenges, remote work is a great way to meet the needs of your employees, and makes your organization more adaptable and resilient. By understanding the risks and implementing the right processes and tools, your security can be up to the task and equally durable.


Want to learn about advanced threat detection?

Read our guide How to Identify Compromised Devices with Certainty, to learn how to avoid the fallout of a breach by swiftly confirming infection with evidence based analysis.

Common Security Concerns and How to Reduce Your Risk


Reasons for Penetration Testing

What common security risks/entry points are you most concerned about?


One of the questions asked in our 2020 Pen Testing Survey was which common security risks respondents were most concerned about. While misconfiguration (77%) and phishing (72%) were the top concerns, every option had a high enough percentage to warrant further discussion. Read on to find out what makes misconfiguration, phishing, poor passwords, lost/stolen devices, and orphaned accounts so worrisome, and what can be done to safeguard your organization against them.

Misconfiguration

At 77%, misconfiguration was the most common concern—and for good reason. Misconfigurations, and particularly cloud misconfigurations, have been to blame for a number of large breaches over the years. Even when security policies are properly configured at the start, they can often be altered at any time by any employee. Luckily, there are clear steps to successfully keep misconfiguration mistakes to a minimum.

Limit access. Users who have full access to their networks can end up in an application they aren’t familiar with and accidentally change something. A strong Identity and Access Management (IAM) program, whether through Identity Governance or Privileged Access Management solutions, can enforce the principle of least privilege by only giving employees the privileges they need to complete their job functions.

Monitor and manage security configuration. Since misconfigurations are so frequently accidental, they can go undetected for months, and all too often a breach is what notifies security teams of a vulnerability. Configurations of servers and networks should be routinely checked to verify that they adhere to your organization’s security policy. While this can be a challenge, especially with cloud servers regularly spinning up new instances, there are tools that can automate this administration and ensure efficiency. Additionally, configuration policies should be continuously monitored to ensure unauthorized changes don’t go unnoticed. It can be difficult to do this manually, so security monitoring tools like SIEM solutions can help keep track of any modifications to your organization’s policy.
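One way to do the routine baseline check and change monitoring described above, as an added example (not Core Security's or any vendor's tooling): a policy of required settings is compared against a configuration snapshot, and two snapshots are diffed so that unauthorized changes show up even for settings the policy does not mention. The setting names and both snapshots are constructed.

```python
"""Configuration baseline check and drift detection.

Added example, not Core Security's tooling. The policy and the two
snapshots below are constructed; key names are illustrative only.
"""

# Policy: setting -> value the organization's security policy requires.
POLICY = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "firewall.default_inbound": "deny",
    "storage.bucket.public_read": "false",
    "logging.audit_enabled": "true",
}

# Constructed snapshot taken yesterday: fully compliant.
SNAPSHOT_T0 = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "firewall.default_inbound": "deny",
    "storage.bucket.public_read": "false",
    "logging.audit_enabled": "true",
}

# Constructed snapshot taken today: someone opened the bucket, deleted the
# PermitRootLogin line (so the daemon default applies), and added a setting.
SNAPSHOT_T1 = {
    "ssh.PasswordAuthentication": "no",
    "firewall.default_inbound": "deny",
    "storage.bucket.public_read": "true",
    "logging.audit_enabled": "true",
    "ssh.X11Forwarding": "yes",
}


def check_policy(observed, policy):
    """Return (key, actual, required) for every policy setting that is missing
    or wrong. A missing setting is a finding too: the effective value is then
    whatever the software defaults to, which the policy never approved."""
    findings = []
    for key, required in sorted(policy.items()):
        actual = observed.get(key)
        if actual is None:
            findings.append((key, "missing", required))
        elif actual != required:
            findings.append((key, actual, required))
    return findings


def diff_snapshots(previous, current):
    """Return (key, old, new) for each setting that changed between snapshots.
    Settings outside the policy are reported as well: an unexpected new
    setting is exactly the unauthorized change you want to notice."""
    changes = []
    for key in sorted(set(previous) | set(current)):
        old, new = previous.get(key), current.get(key)
        if old != new:
            changes.append((key, old, new))
    return changes


if __name__ == "__main__":
    for key, actual, required in check_policy(SNAPSHOT_T1, POLICY):
        print(f"NONCOMPLIANT {key}: is {actual!r}, policy requires {required!r}")
    for key, old, new in diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"CHANGED {key}: {old!r} -> {new!r}")
```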

Phishing

Since phish regularly evade spam filters, it can be difficult to prevent users from being regularly exposed to this problem. Phishing is also becoming increasingly challenging to spot, with sophisticated tactics designed to entice users to open them without question. For example, spear phish look incredibly realistic, and are tailored for specific people or groups. 

Phishing simulations imitate malicious phishing campaigns, allowing organizations to monitor whether any are opened, clicked, or have credentials entered. These simulations can assist in uncovering which employees are vulnerable to phishing, and what type of phish they’re likely to open. From there, regular reeducation sessions for those who fail phishing simulations can help create more discerning users.

Poor Passwords

Passwords have well-known limitations, but are still regularly used within companies. Weak passwords and ineffective password management are a major threat to the security of an organization’s sensitive data. It is essential to have a strong password management solution and maintain password policies that enforce complexity and non-reuse rules. But this must be done in a way that leverages secure and flexible authentication methods. A variety of password reset authentication options, including mobile reset applications, telephone-based keypad resets, or voice biometrics, increase user adoption rates while maintaining a secure reset channel.

Lost or Stolen Devices

While it’s incredibly convenient for employees to be able to work from anywhere using laptops, tablets, or other issued devices, it has greatly increased the potential for loss or theft. While it’s impossible to prevent this from happening altogether, it’s important to have a policy in place that encourages employees to report these events as soon as possible. Security monitoring solutions may also be able to detect a stolen device before it’s been reported. These solutions can be set up to trigger alerts for abnormal behavior like repeated logon attempts, sessions from unusual locations or during odd hours, as well as any other suspicious activity.

Additionally, some measures can be taken to ensure that there is no damage aside from the cost and inconvenience of a lost device. Where possible, devices should be password or biometrically protected, and have an option of wiping them remotely.
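The alert rules named above (repeated logon attempts, sessions from unusual locations, sessions at odd hours) run over constructed logon events, as an added example that is not Core Security's product logic; the events, the per-user location profile, the thresholds and the fixed UTC-5 office time zone are all assumptions.

```python
"""Flag logon patterns that may indicate a lost or stolen device.

Added example, not Core Security's product logic. The events below are
constructed; thresholds and the 'usual countries' profile are assumptions
a real deployment would tune per user.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FAILED_THRESHOLD = 5            # failures from one device within the window
FAILED_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 office-local time counts as normal

# Constructed per-user profile, as if built from the last 90 days of logons.
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}}

# Constructed events: (device, user, UTC timestamp, country, success)
EVENTS = [
    ("LAPTOP-7", "alice", "2020-04-21T14:02:00Z", "US", True),
    ("LAPTOP-7", "alice", "2020-04-22T02:10:00Z", "RO", False),
    ("LAPTOP-7", "alice", "2020-04-22T02:11:00Z", "RO", False),
    ("LAPTOP-7", "alice", "2020-04-22T02:12:00Z", "RO", False),
    ("LAPTOP-7", "alice", "2020-04-22T02:13:00Z", "RO", False),
    ("LAPTOP-7", "alice", "2020-04-22T02:14:00Z", "RO", False),
    ("LAPTOP-7", "alice", "2020-04-22T02:16:00Z", "RO", True),
    ("LAPTOP-9", "bob", "2020-04-22T15:30:00Z", "CA", True),
]


def parse(ts):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events, usual_countries, tz_offset_hours=-5):
    """Return sorted (device, user, rule) alerts; repeats of a rule are suppressed."""
    alerts = set()
    failures = defaultdict(list)   # device -> timestamps of recent failed logons
    for device, user, ts, country, ok in sorted(events, key=lambda e: e[2]):
        when = parse(ts)
        if not ok:
            # Keep only failures inside the sliding window, then count them.
            recent = [t for t in failures[device] if when - t <= FAILED_WINDOW]
            recent.append(when)
            failures[device] = recent
            if len(recent) >= FAILED_THRESHOLD:
                alerts.add((device, user, "repeated failed logons"))
            continue
        if country not in usual_countries.get(user, set()):
            alerts.add((device, user, f"logon from unusual location {country}"))
        local_hour = (when + timedelta(hours=tz_offset_hours)).hour
        if local_hour not in BUSINESS_HOURS:
            alerts.add((device, user, "logon outside business hours"))
    return sorted(alerts)


if __name__ == "__main__":
    for device, user, rule in detect(EVENTS, USUAL_COUNTRIES):
        print(f"ALERT {device} ({user}): {rule}")
```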

Orphaned Accounts

Orphaned accounts are accounts that are still active in the network, but are no longer being used, typically because the user no longer works at the organization. While all organizations can have orphaned accounts, certain businesses are more susceptible—those with high turnover, a contingent workforce, seasonal employees, or those that have been through an institutional change, like a merger or acquisition. Since orphaned accounts are no longer associated with a valid user, they are an ideal way for attackers to gain access into an organization because no one is actively looking into them. Orphaned accounts are similar to misconfigurations in that they are typically accidental and consequently often linger. Luckily, they can also be managed with a comprehensive Identity Governance & Administration (IGA) program.

Orphaned accounts are a common identity management problem, so an IGA program should include policies on provisioning and deprovisioning accounts with the user lifecycle in mind. These would take into account the type of user when the account is first created—full-time employee, temporary employee, vendor, or contractor—as well as the measures needed upon departure, whether voluntary or through termination. Because of the complexity of these policies, there are solutions designed to automate this process and mitigate the ongoing risk of orphaned accounts.
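Reconciling the directory against the HR roster is the core of the deprovisioning check described above. The following is an added example, not Core Security's IGA logic: both data sets, the user types and the 90-day dormancy threshold are constructed assumptions.

```python
"""Find orphaned accounts by reconciling a directory export against HR.

Added example, not Core Security's IGA logic. Both data sets and the
90-day dormancy threshold are constructed assumptions.
"""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)

# Constructed directory export: account -> attributes.
ACCOUNTS = {
    "jdoe":     {"enabled": True,  "type": "employee",   "last_logon": date(2020, 4, 20)},
    "asmith":   {"enabled": True,  "type": "employee",   "last_logon": date(2019, 12, 1)},
    "vendor01": {"enabled": True,  "type": "vendor",     "last_logon": date(2020, 4, 19)},
    "tmp_lee":  {"enabled": True,  "type": "contractor", "last_logon": date(2020, 2, 2)},
    "old_hr":   {"enabled": False, "type": "employee",   "last_logon": date(2018, 6, 6)},
}

# Constructed HR / vendor-management roster: who should have access today.
ROSTER = {
    "jdoe":     {"status": "active",     "end_date": None},
    "asmith":   {"status": "terminated", "end_date": date(2019, 12, 15)},
    "vendor01": {"status": "active",     "end_date": date(2020, 12, 31)},
    # tmp_lee is absent: the contractor engagement was never recorded with HR.
}


def classify_accounts(accounts, roster, today):
    """Return {account: reason} for enabled accounts that no valid user owns,
    whose engagement has ended, or that have been idle long enough to review.
    Disabled accounts are skipped: deprovisioning already happened for them."""
    findings = {}
    for name, attrs in accounts.items():
        if not attrs["enabled"]:
            continue
        person = roster.get(name)
        if person is None:
            findings[name] = "no matching person in roster"
        elif person["status"] != "active":
            findings[name] = f"owner status is {person['status']}"
        elif person["end_date"] is not None and person["end_date"] < today:
            findings[name] = "engagement end date has passed"
        elif today - attrs["last_logon"] > DORMANT_AFTER:
            findings[name] = "dormant: no logon in 90+ days"
    return findings


if __name__ == "__main__":
    results = classify_accounts(ACCOUNTS, ROSTER, date(2020, 4, 21))
    for name, reason in sorted(results.items()):
        print(f"REVIEW {name}: {reason}")
```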

Prioritizing Security Weaknesses With Penetration Testing

All of the above concerns are valid, and require some sort of action in order to mitigate the danger they pose. But solutions to these issues take time, money, and resources, so organizations must be strategic in how they choose to address them. Penetration testing, which simulates attacks by exploiting your own network to uncover security weaknesses, provides valuable, actionable intelligence that will help you make such decisions.

Pen testing not only discovers which entry points have been left unprotected in your network, it helps you intelligently manage these vulnerabilities by determining how much risk they each pose. Additionally, retesting helps determine if changes made are improving your defenses. By regularly evaluating your infrastructure in this way, you can begin to build the most successful layered security posture for your organization.

Want to learn more pen testing insights?

Read the full 2020 Pen Testing Survey Report to get a comprehensive picture of the effectiveness of ethical hacking strategies, and the resources required to deploy a successful pen testing program.