Silicon Shecky

Infosec Practitioner


Solarwinds Sunbursts a Supernova: Early lessons learned

December 22, 2020 By Michael Kavka

There will be more fallout from Solarwinds to come. More companies will realize they have been compromised via either SUNBURST or SUPERNOVA (you've got to love the catchy, similar-style names).

The question is what are you and your company going to do about it? What have you and your company learned?

Do not just throw money at this. Vendors will start trying to use this as a marketing ploy, especially toward those that do in-house development. If you do in-house development, work on improving your Secure Development Lifecycle (SDLC). Do not over-promise or over-push your developers. If developers say they need extra time for security testing, understand that it will save you more issues in the long run. Understand that checking compliance boxes does not mean that security has been achieved.

The rest of the corporate world should be doing a few things, starting with your people and processes. Make sure that your company has a solid detection process in place, which includes enough staff, proper logging, solid SIEM/SOAR rules and notebooks, and a solid Incident Response plan. If your company is lacking in any of these, investing in them, and that includes keeping people trained, will be money well spent in the long term. Your company will get breached at some point, and these processes plus properly trained people will always be needed. There is no perfect security, so detection is at least as important as prevention, if not more so.

Understand that there is no magic bullet. Security is a process, not a destination, and burned out, overworked security people (especially in the SOC) do your company no good. Compensating by buying more and more tools without enough staff to run them will cause burnout. People can only do so much in a given amount of time. Make sure they get time off, and that means not disturbing them when they are off, if at all possible.

These are the lessons every company should learn from this situation.


Filed Under: Rants, Security Tagged With: Security, Solarwinds, Sunburst, Supernova

The One About Chained Exploits and Pentest Results

November 13, 2020 By Michael Kavka

My employer recently had its annual pen test. Overall it was not too shabby: we detected them early and could have kicked them out. I'm proud of the defenses and alerting that I helped set up and that I monitor. That is not what concerns me. The action items derived from the report are what concern me.

I have yet to see a pen test that does not succeed in some way. There are always vulnerabilities. Pen tests help find them so you can fix them. The disconnect comes in how they are reported.

When a report comes in, there is always a dissection of that pen test report to create actionable items: patches, configuration changes and more that will help make the company more secure. When dealing with a single vulnerability that gets exploited, the pen testers assign a severity level in the report, and that should match up with a severity level on whatever action list the company sets up internally, so that you are patching the most serious issues first and then working down the line. So if you are susceptible to EternalBlue, that is a high severity, and there is a patch you should apply immediately.

Using all of this, a compromise of, say, Active Directory is a huge finding. If Domain Admin was obtained, well, you are pwned and that is game over, man. Yes, it is a critical finding, but how did AD get compromised? I tend to see the AD compromise put on a report as a critical finding, but it tends to come from a chain of vulnerabilities and exploits. Those get broken out as actionable items at a specific level, which is usually lower than the actual AD compromise. Fixing any one part of that chain would result in AD not being compromised (at least not in that fashion). So now the owners of systems see the report, and the action list created from it, and see Critical: AD Compromised by chaining x, y, and z together. They see each individual link in the chain at Low, Low, Medium. What happens? The fix for every part of that chain is now pushed back instead of any one of them getting fixed immediately. The report has to either show that getting to AD was done by chaining vulnerabilities that individually have a low likelihood of being found or exploited, or raise the most severe link in the chain to a much higher severity.

I am not a pen tester, I am blue team. I do not know how pen testers decide that vulnerability X is severity Y (or, for that matter, why the same vulnerability is one severity one year and a different severity the next). I do know that if you go over the report with the pen testers, they should be willing to work with you on finding a way to get at least one part of a chain leading to a critical compromise fixed. The best ones take that into account when they write up the report in the first place.

Think of it this way: IT departments are swamped. They have to pick and choose what they are willing to put on their plate and what they are going to push off. Everyone, though, wants critical issues fixed, be they security or otherwise. A way of reporting the different levels should be agreed on, ideally when the pen test is being set up. How a pen test company reports chained compromises should be stated up front. In the end we all want to get to a better security posture. Red Teamers should spend some time understanding how hard buy-in can be when the Blue Team puts out the Red Team's findings.
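One way a blue team could apply the post's second option, raising each link of a critical chain on the internal action list so no link sits at Low while the outcome it enables sits at Critical. This is an added illustration, not the author's or any pen test firm's tooling; the finding names, severities and chain below are constructed sample data.

```python
"""Chain-aware severity triage for pen test findings (added example)."""
from dataclasses import dataclass

SEVERITY = ["Low", "Medium", "High", "Critical"]  # ordered low -> high


@dataclass
class Finding:
    fid: str
    title: str
    severity: str       # severity as written in the pen test report
    effective: str = "" # severity after chain elevation


@dataclass
class Chain:
    outcome: str        # e.g. "Domain Admin obtained in AD"
    severity: str       # severity the report gives the outcome
    links: list         # finding ids that must ALL hold for the chain to work


def elevate(findings, chains):
    """Raise each link to one step below the outcome it enables (never lower it).

    A chain only works if every link stands, so fixing any single link breaks it.
    Elevating the links keeps them near the top of the action list instead of
    letting a 'Low' finding that enables a Critical compromise be pushed back.
    """
    by_id = {f.fid: f for f in findings}
    for f in findings:
        f.effective = f.severity
    for chain in chains:
        floor = SEVERITY[max(SEVERITY.index(chain.severity) - 1, 0)]
        for fid in chain.links:
            link = by_id[fid]
            if SEVERITY.index(floor) > SEVERITY.index(link.effective):
                link.effective = floor
    return findings


def triage_order(findings):
    """Finding ids sorted by effective severity, most severe first (stable)."""
    return [f.fid for f in sorted(findings, key=lambda f: -SEVERITY.index(f.effective))]


# Constructed sample report: three modest findings that chain into an AD compromise,
# plus one unrelated Medium. Without elevation F4 would outrank F1 and F2.
SAMPLE_FINDINGS = [
    Finding("F1", "Error page discloses internal hostnames", "Low"),
    Finding("F2", "Same service account password on many hosts", "Low"),
    Finding("F3", "Stale members in local Administrators group", "Medium"),
    Finding("F4", "Outdated TLS ciphers on intranet portal", "Medium"),
]
SAMPLE_CHAINS = [Chain("Domain Admin obtained in AD", "Critical", ["F1", "F2", "F3"])]
```

Running `triage_order(elevate(SAMPLE_FINDINGS, SAMPLE_CHAINS))` puts the three chain links (now High) ahead of the unrelated Medium finding, which is the ordering the post argues the action list should reflect.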

Filed Under: General

Passing the Cert – SANS Notes and thoughts

October 15, 2020 By Michael Kavka

After years of trying to convince employers to send me to a SANS class, I was all set to do SEC504 in St. Louis back in March. It was all paid for, I had the hotel booked, and I was ready to go. Then COVID-19 hit, and a week before the class all work travel was cancelled by my office. Luckily SANS was adjusting for this and gave me a voucher, good for a year, to take the course.

I had planned on waiting until things settled down to take SEC504, which is the course for the GCIH cert, in person, even though SANS had started offering Live Online versions. I have always learned better when physically in a class, especially since my focus can get pulled away at home. I love my family, but even with an office to disappear into, I can hear the 4 year old yelling, my wife yelling back, you know, the life of having a youngling around. Still, as the summer wore on, I started to realize that I might just have to do it through an online version, and the Live Online format intrigued me. As luck would have it, an instructor of the course whom I knew was teaching it near the end of July. I had taken a beginner's PowerShell scripting class from Mick Douglas through the Brakeing Down Security Slack a few years before, so I knew his style and that I could learn from him. I had also kept in touch with him through social media, so before signing up I figured I would ask him some questions about Live Online. Mick is a great guy and loves helping others out. Through our conversations I found out that not only was he teaching through the Live Online platform and loved it, but he had also taken a class through it. On his recommendation, I applied my voucher and signed up for the class with a certification exam voucher included. I also ordered a noise-reducing headset with a mic that did not break the bank, so I could cut down as much noise as possible.

The experience of the class was awesome. Mick had told me that it was easier to get questions asked and answered with Live Online, since it was not just the teacher with a GoToMeeting session open but also a Slack channel where we could ask questions as we went along without hurting the pace of the class. I was also part of the newest version of the class. The new version had about 70% of the class rewritten and updated. The Incident Handling part on day 1, which is the longest day of the course, was not just a look at blue team ideas but laid the foundation for the rest of the class. They also added a section at the end called the Linux Olympics to get people who might not be as familiar with Linux more comfortable with its commands. Everything was self-contained in the materials and VMs that you get as part of your class materials.

Throughout the course I took notes on a pad of paper. The next morning I would type those notes back out into a OneNote notebook I set up to help me remember the items I thought needed noting. This method helped me remember the material the next day, committing it to memory by first writing it, then going over it and typing it before the next day's section.

The final day of the course is a CTF, where you divide up into teams to compete for a SANS SEC504 challenge coin. Normally, with an in-person class, you hang out for dinner and maybe a drink after class each day, get to know one another, and through that pick out who you want to team with. That is the shortcoming of Live Online, as many of us didn't really talk with each other or get to know each other much over the course of the week. That said, I wound up on the one team of three against the other teams of four. That did not faze us: we divided up sections, talked over our Zoom connection constantly, made sure to help each other as needed, and blew away the other teams using this method.

SANS SEC504 Challenge Coin

Things from here get a little squirrely due to the revamp of the class and exam. The GCIH exam attached to the class at this point was still considered Beta, and was being publicly released in October (October 10th, to be exact). I got an e-mail saying I would be able to take the exam in October, and that my practice exams would not be available until then either. This was not acceptable to me, as I would have no way of testing my indexing for two months, and it scared me that, with the way my mind works, I would have too much time to forget things. A couple of e-mails later it turned out they had made a mistake and I was on the Beta Exam list. No harm, no foul, except I now had 4 weeks to prep for and take the exam (it took about a week or so to get put into the Beta Exam). I had been studying during that time, but not at the hard pace I would need for a short turnaround.


I highly recommend reading Lesley Carhart's Better GIAC Testing with Pancakes blog post, as this was the basis for the indexing system I used. I found that the color coding of tabs made going through things fast and efficient overall. Changes I made to the system included large tabs for the books themselves and smaller tabs for the sections. I did not tab individual commands or items, as that would have caused the following issues for me. First, there would have been too many tabs. Tabbing just the main sections cut down on how hard it was to see where I needed to start, and the index itself gave me the exact page number inside the section. Second, there are only so many colors of tab, so with too many you start tripling and quadrupling up on colors, which gets confusing.

Tab package I bought for indexing

Armed with this, I set about indexing, using a highlighter to mark key things in each section of each book so they would pop out at me when I got to that page. The nice thing about indexing in this fashion is that I read every line of every book again, helping to retain and relearn portions. I used Excel with individual tabs to make the index for each chapter, copied those to a separate tab in the workbook to make the main index, then copied that into a two-column format in a Word document as recommended by Lesley. I ended up with an index just over 6 pages long. At this point I spent the next week using the VMs I got as part of the class materials to do the labs again. As in the class, I did one book's labs per day in the evening. Then I took my first practice exam.

That first practice exam was a mess for me. I was nervous and rushing at the start, forgetting to use my index. By the time I calmed down and finished I felt better, but I found out that I would not get a score because of the Beta status of the exam. I figure I wound up with between a 60-70% score, although I cannot give a real number on that and I tend to judge myself harshly. That being said, I did learn my weak points and set about correcting them. One of the biggest takeaways I had, besides slowing down and using the index I built, was that I was missing command context at points. Lesley's method says not to index the lab book, but going back over it, I realized many of the answers I could not find were sitting in there, so I set about indexing it and adding it to my master index for practice exam two.

I was much calmer for the second practice exam, as I was familiar with what was coming, from both the lab questions they now had and the multiple choice ones. I also made sure to keep a running tally of how many questions I got wrong so I could figure out my score at the end. Taking 3 of the 4 hours on it, I tallied up a score of 85% on this attempt. Since the Beta is used to determine the passing score of the exam, I did not have complete confirmation of passing it, but going by the prior version's passing score of 73% I figured I was pretty good to go. Before I took this I also set up the actual exam date, in person at a testing center.

After all this, I still had to wait a few weeks before I found out what my score was. The waiting was driving me crazy even though I felt like I had easily passed. When I received my score, the day before the exam went public, I was pleased to find I got a 93% and was also invited to the GIAC Advisory Board because I scored so high. That meant my personal goal of getting that invite was met, and I had accomplished all I wanted to with the course and exam. What I learned in the class I was able to use within days of finishing the course back at the end of July, and I still use it now.

The question people, including myself, ask is whether these classes are worth the cost. Much of the material I learned in the class could be learned through other means, but the connections between the different topics might not be there. If you can afford it, or get your employer to pay for it, then yes, I feel it is. If you cannot, then go through the syllabus on the SANS site and do some research on each day's topic; you should find materials that go over the tools used. I found that having access to the instructor, TA and other classmates in the class setting worked fantastically. Would I take another SANS course? Most definitely, if monetarily possible.

Filed Under: General, Security
