Silicon Shecky

Infosec Practitioner


Do well, not be “popular”

March 9, 2022 By Michael Kavka Leave a Comment

I’ve had some things on my mind so this will turn into a rant or stream of consciousness. If you feel called out on this post, it happens. Hopefully this will help some others out there.

See, I’ve spent the last 15 years, as I moved from a Network Engineer to a Security Engineer, trying to fit in with the CyberSecurity/InfoSec crowd. I am proud to be part of the community, proud to be one of the organizers of the Burbsec meetups in the Chicago area. I love welcoming new people into the community, but I am not a leader. I don’t and will never be looked at as a thought leader, a well known speaker, or anything else other than Shecky.

It is not that my thoughts and ideas are bad, I just am not part of the popular big names. Yes, I occasionally get a speaking slot at a conference here or there, and I love doing it, but I am 50 years old with a 5 year old son who I adore, so I don’t do a lot of travelling to distant conferences. I mostly stay within a 4-6 hour drive from the Chicago area. When I was younger I didn’t have the money to travel, and the whole traveling-consultant thing and I had problems back when I was a local network/server/desktop person, before I moved into security. Add on that my writing skills are the weakest part of me, and you have a recipe for being just another face in the crowd, which seems to surprise some people: because I talk with the better-known people in this field, it is assumed that I am one of them.

I’m not though. I am your everyday person (pronouns, for those who ask, are he/him). I try to keep my main Twitter posts security related, unlike many who use it for expressing their political/social thoughts. Note that I said my main posts, as I will reply to others’ political and social posts. Also realize that these other people get followers strictly for the non-security posts they make. There is nothing wrong with that at all and I commend them for trying to make the world a better place by pointing out what they see wrong with it.

I’m not well known, as I have never written a piece of software that people use, written some huge idea that people have run with, or started/founded a company. I have not run a conference, although I did offer to help build one but was told I wasn’t needed for that level. Instead I just volunteer for it, and a few others. I enjoy documenting the conferences by officially taking pictures for them (I was a professional photographer for a while back in the ’90s). I enjoy helping others out. I see cooperation as a way to improve, well, everything, including security.

I love public speaking, but as I said, my writing skills and lack of any big revelations tend to get my talks turned down at the CFP level, and I do let others look at and help me edit my CFPs before I put them in. I know my weaknesses. Those rejections hurt, and I take them hard and sometimes personally even though they are not. That comes from rejections and being looked down on throughout my life, going back to childhood. Like many, I was picked on growing up. Adults shunned my thoughts, and I didn’t fit in well with most people my own age.

I feel bad that new people to our community get picked on and trolled. It is not the right way to do things. You should be treated with respect no matter your gender (or lack of gender), skin tone, religion, age, sexual orientation, or anything else. Yes, I do speak this as a Jewish White Male, so from a position of privilege. I do what I can to use that privilege to help others.

Yet, here I am, still going, still trying to post stuff that will help people, and I will keep doing it no matter how often I seem to get the urge to just give up. I fought hard to get where I am. When I got back into computers in ’97 I looked to the world of security. I worked as a break/fix guy, on the helpdesk, as a system admin, a network admin, a network engineer. I had times where I was out of work due to contracts or being screwed over. When I finally got my first official security gig in 2015, I felt it was just the beginning. I dreamed of becoming a big name, or at least speaking at conferences and eventually keynoting them. Instead, I’m just another cog in the engine who is respected enough to chat with and know some of the big names, and you know what, that is fine. There are more people like myself out there, and we are the ones who have to take the big thoughts and make them into reality.

We just need to be treated with kindness and respect, especially when breaking in. It is tough enough to get that first security job, especially the way that I went about doing it, with no degree. The gatekeepers are tough, but persistence works and eventually will pay off. So be part of the community. Talk to others, no matter how big a name they are. Ignore the trolls, because even if they are right about something, they will say it in a condescending way. Finally, help pull up others. With how the world is today, we can each use more people in our corner.

Filed Under: Ramblings, Rants

Defense Layers: A Case Study

October 28, 2021 By Michael Kavka Leave a Comment

Recently, I have been wondering why a site such as mail[.]ru (and its subdomains) is being blocked by Microsoft Exploit Guard’s Network Protection setting and not by Umbrella. Considering that Network Protection does not give an actual block page, and instead shows a generic Access Denied page, it seemed that the order in which the layers evaluate a connection was to blame. I did some experimenting and testing, along with research, to come up with the following conclusions on the order in which something gets blocked:

  1. uBlock Origin
  2. Network Protection\Smartscreen from Microsoft
  3. Cisco Umbrella

This seems counterintuitive, since Umbrella is a DNS-level service, but from what I have come across, the actual hitting of the Umbrella block page is a man-in-the-middle redirect based on the DNS classification. A true writeup on where in the connection attempt Umbrella’s redirect happens is difficult to find. Cisco says it is a kernel driver redirect based on the DNS answer, yet looking at when the Umbrella block screen actually appears, it is a bit later in the connection process compared to uBlock Origin and Exploit Guard’s Network Protection setting.

uBlock Origin uses a known list of bad domains as part of its blocking technology. This allows known bad sites to be immediately blocked by it, inside the browser, before any connection is attempted.

Umbrella classification of ggmail.com (blocked by uBlock Origin)

When I went to the above site it was blocked by uBlock Origin, even before Network Protection was able to hit, because the site was in its autoblock list. Effective, but easy to get around. uBlock Origin is great, though, for ad blocking.

Microsoft Exploit Guard’s Network Protection is another interesting situation. While Cisco’s classifications come from its own Talos group, Microsoft has its own threat intelligence team. This data feeds into items such as Network Protection and SmartScreen (which is part of Edge, if turned on). Using the site mail[.]ru as our example here, mail[.]ru gets blocked by SmartScreen in Edge and by Network Protection in Chrome/Firefox. In Edge you get the famous red block screen saying SmartScreen has blocked access to the site. In Chrome and Firefox, you only get an Access Denied page with no other information.

Both of these technologies check and block immediately following the TCP three-way handshake (SYN, SYN-ACK and ACK), based on Microsoft’s threat intelligence. This block happens before any data is transferred that could be redirected (which is where Umbrella’s block page comes in).

Umbrella classification of mail[.]ru (blocked by Exploit Guard Network Protection)

What happens here is that Umbrella’s DNS has classified the site, and Umbrella is ready to send the block page upon connection, but the connection never gets to the redirection point. In the case of mail[.]ru, Umbrella will block the site in Chrome or Firefox if Network Protection is not enabled on the machine, because it is in the custom blocklist that we have. (What does worry me is that every threat intelligence platform I can look up mail[.]ru on shows that it is known to house malware across its series of IP addresses, and that Cisco does not classify it as a malware site is odd to me, but that is something different to look into at a later time.) This has been tested on a machine that does have Umbrella and does not have Microsoft Exploit Guard Network Protection enabled on it.

Just as an example of something that Cisco blocked and the others did not, I found someone who went to an obvious typo of gmail.com. It shows the difference in classifications between threat intelligence sources: the site is classified as Malware by Cisco, but must not be by Microsoft, since Network Protection did not kick in on it.

Umbrella classification of gmai.com (Blocked by Umbrella)

The results of all this show how multiple layers of defense can work together and complement each other, and where things are actually being blocked. It also shows that Cisco Umbrella’s block page is independent of its classification: being a redirect, it happens far enough after the three-way handshake (even if only microseconds) that it never shows when SmartScreen/Network Protection decides a site is malicious.
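As an added example (not from the original post) of how a defender can tell which of these layers intervened for a given host, here is a PowerShell triage script. It assumes a Windows endpoint running Microsoft Defender, and the Umbrella block-page address prefix is a placeholder assumption that you must replace with the one your Umbrella dashboard shows.

```powershell
# Added example, not from the original post: triage which defense layer blocked a host.
# Assumes Windows with Microsoft Defender (Get-MpPreference / Defender event log present).
param(
    [Parameter(Mandatory)][string]$HostName
)

# ASSUMPTION / placeholder: the address prefix your Umbrella block pages resolve to.
# Verify it in your own Umbrella dashboard before relying on this check.
$UmbrellaBlockPrefix = '146.112.61.'

# Layer 3 (DNS): did Umbrella rewrite the A record to its block-page address?
$answers = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' }
$umbrellaHit = @($answers | Where-Object { $_.IPAddress.StartsWith($UmbrellaBlockPrefix) }).Count -gt 0

# Layer 2 (Network Protection): Defender writes Event ID 1126 (block mode) or
# 1125 (audit mode) to its Operational log when Network Protection fires.
$npEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1125, 1126
} -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($HostName) }
$npHits = @($npEvents).Count

# Is Network Protection even turned on? 0 = Disabled, 1 = Enabled (block), 2 = Audit.
$npMode = (Get-MpPreference).EnableNetworkProtection

# Layer 1 (uBlock Origin) lives inside the browser and leaves no host-level trace,
# so if neither of the other layers fired, that is where to look next.
$layer = if ($npHits -gt 0)  { 'Network Protection / SmartScreen (host)' }
         elseif ($umbrellaHit) { 'Cisco Umbrella (DNS block page)' }
         else                  { 'Not blocked at host or DNS; check uBlock Origin in the browser' }

[pscustomobject]@{
    Host                  = $HostName
    ResolvedTo            = (@($answers.IPAddress) -join ', ')
    UmbrellaBlockPage     = $umbrellaHit
    NetworkProtectionMode = $npMode
    NetworkProtectionHits = $npHits
    LikelyBlockingLayer   = $layer
}
```

Run it as `.\Which-Layer.ps1 -HostName mail.ru` (or any host you are investigating) from an elevated prompt, since reading the Defender Operational log requires administrative rights on most builds.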


Filed Under: Microsoft, Security Tagged With: Network Protection, Smartscreen, uBlock Origin, Umbrella, Web Filtering

Device vs. User

September 10, 2021 By Michael Kavka Leave a Comment

Identity is the new perimeter. We keep hearing that, especially from Microsoft. Unfortunately, they have not completely bought into this in their Defender suite of security products.

Microsoft Defender security products are nice. They work decently, Gartner likes them, but there is a problem with them. They focus on the device too much as far as some key features go. I am specifically talking about alerting and web filtering. This becomes apparent when designing policies for either. Here is an example: you make a custom detection from a hunting query, and it gets applied to a device group. Alert e-mails get sent out to the e-mail addresses that have been specified for that group. This can and does create a bunch of alerts that go to a helpdesk which has no clue what to do about them, rather than to the security people who are the ones who should be looking into them. Groups of IT people start ignoring the alerts from Defender, and now you are almost as insecure as you would be without Defender. I say almost because there is protection, and maybe even automatic investigation/remediation, but you do not have eyes on it to check for false positives, nor to check the alert overall and see if it is part of a larger attack. This is one way in which Microsoft’s device-group-only thinking fails. Make sure you alert only those who need to be alerted. This cuts down on alert fatigue.

Another way I am seeing it fail is with their web filtering feature. This is becoming more prevalent as Defender for Endpoint is now able to be rolled out to mobile devices besides workstations/laptops. This failure is not just a Microsoft problem; I have seen other well-known web filters fail at the whole user identity piece (I’m looking at you, Cisco Umbrella, but that is a case of not keeping up with technological advances (AD vs. Azure AD vs. Hybrid vs. Both)). Microsoft again wants you to apply the policy per device group in your MDE tenant. So if you have person X who has a laptop, phone, workstation and tablet, all of which are supposed to be covered by the web filter policy, you have to manage all 4 devices in their respective groups. Wait, there is more! You now also have to make multiple device groups for similar devices based on a person’s function and what they are allowed. All this extra work instead of being able to say people in AD (or Azure AD) group X get web policy Y. You already get identity information into MDE; it should not be so hard for Microsoft to allow this for better control.

All of this starts to fall into the identity space, which is definitely the new perimeter. You bring your identity with you everywhere you go. Identity is the most attacked thing right now because it gives that initial foothold. I am not saying get rid of device group policies, but make sure that identity policies are also available. The real answer is that both devices and identities need to be secured, there is no question. The problem is that we are applying these security controls and alerts to a device instead of to the identity. If you switch devices, your new device has to be put into all the right policies instead of automatically inheriting the policies that your identity would already be a part of.

This is a starting point, and one that should be discussed and debated respectfully. Security software and alerting have come so far from where they used to be, but I feel we are seeing some major mistakes in how they are being designed. These flaws, just like any flaw, can and will be exploited. The final question is: do companies like Microsoft actually want to listen to us, or are they going to just shove their flawed way of doing it down our throats?

Filed Under: Microsoft, Security, Software Tagged With: Device Groups, Identity, MDE, Microsoft, Microsoft Defender
