Silicon Shecky

Infosec Practitioner

New Year, New Post, from the start

January 10, 2025 By Michael Kavka

So much has gone on since my last post back in 2023, honestly too much to go over. I am rebooting this blog as of this post and hopefully can be more consistent in posting about stuff. So as we enter 2025 I want to take a look at what is coming up.

First off, I am going to be speaking at Cyphercon this year in Milwaukee. The talk is going to cover some basics on where we can improve and, through those areas, lessen some of the burnout we run into. Yeah, I’m tackling one of the 500 ton elephants in the room. We also have a date for Bsides312 this year: June 1, 2025. Watch the website and socials for more information as it becomes available.

For those that don’t know, I’m a regular contributor/host on the Talking About Information Security News podcast from Black Hills. It’s available on most podcast systems (Apple, Google, Spotify, YouTube). I’ve also discovered the Simply Cyber podcast, which gives some great insight and fun banter on a daily basis.

Finally, I want to remind everyone that bad things happen, and nothing is ever perfect. Make sure to take care of yourself physically, mentally and emotionally. It takes all of us to make things as secure as possible, so help each other.

-Shecky

Filed Under: General Tagged With: #newstart

Ransomware, Are You Ready?

June 17, 2021 By Michael Kavka

Developing a ransomware plan is much like anything else: it sounds simple (protect against malware). The reality, though, is much different, and it starts with a properly educated security team coming up with a comprehensive and cohesive plan.

You need to know how your network is laid out. A flat network (which you find in a lot of small businesses) needs extra consideration if it is going to stay flat. If you are segmented, how are you segmented? Do you have any pull with the network team to adjust ACLs, firewall rules and topology to a more secure setup?

Do you know what your company’s crown jewels are? What data is the most valuable, and what data is OK to be without for a period? This helps you direct what needs the best protection when you decide what gets budgeted for (hopefully everything) or if you must be selective due to costs.

Do you have offline or immutable backups? Are they stored in a different location (say the cloud or a cold storage physical spot)? Do you have a fully functioning copy of your Domain Controller that is kept offline except for an occasional sync with the other DCs? That cold DC could get you back up and running much faster than without one.

Have you tested your backups? Have you tested a full bare metal restore of your servers? Do you know what order to bring the servers back online in? Are you sure that you are not just opening yourself up to another attack because the threat actors’ footholds are backed up right along with your data?

Do you have buy-in from all the departments involved and from the higher-ups? Have you multiplied the time to restore by 3 to account for issues with restoring functionality?

This is just a quick list of some things to think about. Truth be told, even if you pay the ransom and get everything back, you must assume you are going to be compromised a second time. Better to get the data back, write the compromised environment off as a loss in the long run, and plan on rebuilding everything while using the old servers to keep things running.

Ransomware is a tough topic, and one that is foremost on the executive mind currently. How long until it drifts into the background, like so many other issues do when a new tactic comes along? This is the chance to build that defense, which can aid in other defenses. Just make sure you are covering everything.

Filed Under: General, Security Tagged With: Ransomware

The One About Chained Exploits and Pentest Results

November 13, 2020 By Michael Kavka

Where I work recently had our annual pen test. Overall it was not too shabby: we detected them early and could have kicked them out. I’m proud of the defenses and alerting I have helped set up and monitor. That is not what concerns me. The action items made from the report are what concern me.

I have yet to see a pen test that does not succeed in some way. There are always vulnerabilities. Pen tests help find them so you can fix them. The disconnect comes in with how they get reported.

When a report comes in, there is always a dissection of that pen test report to create actionable items (patches, configuration changes and more) that will help make the company more secure. When dealing with a single vulnerability that gets exploited, the pen testers assign a level of severity on the report, and that should match up with a level of severity on whatever action list the company sets up internally, so that you are patching the most serious issues first and then working down the line. So if you are susceptible to EternalBlue, that is a high level of severity, and there is a patch you should apply immediately.

Using all of this, a compromise of, say, Active Directory is a huge finding. If Domain Admin was obtained, well, you are pwned and that is game over, man. Yes, it is a critical finding, but how did AD get compromised? I tend to see the AD compromise put on a report as a critical finding, but it tends to come from a chain of vulnerabilities and exploits. Those get broken out as actionable items at their own severity level, which is usually lower than the actual AD compromise. Fixing any one part of that chain would result in AD not being compromised (at least not in that fashion). So now the owners of systems see the report, and the action list created from it, and see Critical: AD compromised by chaining x, y, and z together. They see each individual link in the chain at Low, Low, Medium. What happens? The fix for every part of that chain is now pushed back instead of any one of them getting fixed immediately. There has to be some way the report either shows that getting to AD was done by chaining vulnerabilities that individually have a low likelihood of being found/exploited, or changes the most severe of the links in the chain to a much higher severity.

I am not a pen tester; I am blue team. I do not know how pen testers decide that X vulnerability is Y severity (or, for that matter, why the same vulnerability would be one severity one year and a different severity the next). I do know that if you go over the report with the pen testers, they should be willing to work with you on finding a way to get at least part of a chain leading to a critical compromise fixed. The best ones should be taking that into account when they write up the report initially.

Think of it this way: IT departments are swamped. They have to pick and choose what they are willing to put on their plate and what they are going to push off. Everyone, though, wants critical issues fixed, be they security or other. A way of reporting the different levels should be worked out, ideally when the pen test is being set up. How a pen test company reports chained compromises should be stated up front. In the end we all want to get to a better security point. Red teamers should spend some time understanding how hard buy-in can be when the blue team puts out the red team’s findings.
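As an added illustration of the roll-up this post is asking for (my example, not the author's or any pen test firm's method): each link in a chain inherits the severity of the compromise it enables, so the internal action list puts x, y and z at the top instead of burying them as Low/Medium. The finding ids, titles and severities are constructed.

```python
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
RANK_NAME = {rank: name for name, rank in SEVERITY_RANK.items()}

@dataclass
class Finding:
    fid: str
    title: str
    severity: str        # severity as the testers wrote it
    effective: str = ""  # severity after chain roll-up
    enables: list = field(default_factory=list)  # outcomes this link leads to

def roll_up(findings, chains):
    """chains: list of (outcome_id, [link ids]). Fixing any single link breaks
    the chain, so each link is raised to at least the outcome's severity."""
    by_id = {f.fid: f for f in findings}
    for f in findings:
        f.effective, f.enables = f.severity, []
    for outcome_id, link_ids in chains:
        outcome_rank = SEVERITY_RANK[by_id[outcome_id].severity]
        for link_id in link_ids:
            link = by_id[link_id]
            link.enables.append(outcome_id)
            if SEVERITY_RANK[link.effective] < outcome_rank:
                link.effective = RANK_NAME[outcome_rank]
    return findings

def action_list(findings):
    """Highest effective severity first; the sort is stable within a tier."""
    return [f.fid for f in sorted(findings, key=lambda f: -SEVERITY_RANK[f.effective])]

def report_line(f):
    """Report wording that keeps the chain visible to system owners."""
    if f.effective == f.severity:
        return f"{f.fid} [{f.severity}] {f.title}"
    return (f"{f.fid} [{f.severity} -> {f.effective}] {f.title} "
            f"(breaks chain to {', '.join(f.enables)})")

# Constructed sample findings (not from any real report): x, y and z are the
# low/medium links that chained together into the Domain Admin compromise.
SAMPLE = [
    Finding("F-AD", "Domain Admin obtained by chaining x, y and z", "critical"),
    Finding("F-x", "Missing patch on an internal server", "low"),
    Finding("F-y", "Reused local administrator password", "low"),
    Finding("F-z", "Over-privileged service account", "medium"),
    Finding("F-w", "Verbose error pages on an intranet site", "medium"),
]
CHAINS = [("F-AD", ["F-x", "F-y", "F-z"])]
```

Running `roll_up(SAMPLE, CHAINS)` and then `report_line` over `action_list` order gives the owners the chain and the raised severity on one line, which is the conversation worth having with the testers before the report is written.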

Filed Under: General
