Blue Team-Apalooza

Captions
[Music] [Applause] [Music] welcome welcome indeed blue you wear blue lifelong blue team er yeah actually uh Curcio a quest last year's once the speakers and guys blue shirts was pretty awesome wasn't that earlier this year this year last year this year yeah Salt Lake City was fun was awesome it was awesome so then Kent K Roxy Jordan raft Hindi raft nd reverent n dot I got that from previous employer who was wondering where I came up with all the ten dot scheme so he just named me kind of really quizzes only slight about us sysadmin backgrounds and a bunch of different industries blah blah blah blah for BHS we're now doing pen testing so it's super awesome and kind of like go back and forth and our take on blue team is is also a lot of red team mixed in with it so the idea is that you approach blue team and defense from an attack perspective so let's jump right on in well I have to this slide is about acceptable risk and do not practice paranoid paralyzing paranoia and sea levels our friend assuming compromised in all scenarios like John came in at the perfect time for that I can't hear you Jordan's getting stood up here yep I got him so I love that you're basically like sea levels are we like sea levels and by the way the backdrop looks amazing we should do all of our webcasts in Jordan's basement from here on I thought this was the pH is fallout bunker yeah no is this is this fallout from the boss so I was gonna try to do an introduction for this thing today and you guys already hit it off I'm just gonna sit in and ask questions if that's alright as people come in and they they ask questions I was going to ask the questions of both of you sound like a plan absolutely all right well I'm gonna shut up and let you guys you guys get to work I call this work when you're in a conference room in Boston at anions conference and you're scrambling and you're not eating lunch yes it's work excellent okay next slide please sir okay let's move absolutely arbitrary overview 
slide this happens every talk right does include the word arbitrary arbitrary in overview and slide in a slide deck so it's a drinking game maybe if you count the hacker names that we end up using we might throw some out there we're not really sure there's any listed near too many times but if we save them in passing time take a shot of water or coffee we're gonna talk about blue team hacker blue team defense siree and then the executive summary and why that's important so let's get right on and go a curry wait rockery peccary thought it was the sensory blue team hurry do blue team you gotta do red team a little bit of red team yeah quit making up new words it's been a lot I guess I spent about 20 minutes with Jeff man after our talk it was interesting it's a very good feedback I'd say right the difference between a pen test and a vulnerability assessment right I know what that is can we sort of sort that out here really quick oh god I'm having trouble seeing who's talking all right awesome just break in any way you can within the rules that you're allowed to do that and then the vulnerability assessment is all the ways that you could have broken in or possibly did break in but more specifically is defining those all out and building a plant to move forward and close those doors whereas the pen test is actually breaking down those doors going through them and pillaging so that's the big key there it really depends on what you're allowed to do in your environment and what your rules are of engagement so be aware of that I would love a pair of headphones I'd be great thank you in it then you hear yourself talking and feedback I'll be fine maybe there's recon a part of pen testing or vuln assessment well well more pen testing I think well I think the H is sort of sorts everything together right don't weave ulness s headphones a lot of what BH is does is actually driven by the customers right and let's be honest the reason why we do that so often is because many of our 
customers don't understand the difference between vulnerability assessment pen test and and all these different types of testing that can be done all the way up to what we call sometimes black teaming and one of the most annoying things you can do when you're talking with a customer is to basically say well you know technically what you're defining is actually a vulnerability assessment I'm so much smarter than you are so really we try to meet our customers where they're at so yeah we have vulnerability assessments that involve recon we have vulnerability assessments that actually involves like phishing assessments not for exploitation but for metrics so it's really an incredibly fluid in dynamic definition I know there's some companies that absolutely hate that as well so are you ready Kent we got it set up we got recon all the things we got recon all the things this is a Russian for you you couldn't hear sort of a good blue team here you better understand what's going on in the world right you have to run an organization these are things you should do to yourself yeah the idea here is that you can't fully to be able to defend your network unless you know what's on your network and the best way to be able to know what's on your network and vulnerabilities involved there is to do a sum to you what they're the first few steps of what a red team would do they want to go in they want to find out what's on the network they want to be able to define what the vulnerabilities are and see where they can pivot through that so when we talk about blue team in the attacking aspect of it it's really to define that what that is recon your network figure out what's there figure out where the vulnerabilities are and then start making a plan for closing those doors so these are some of the tools that we use here recon ng-show Dan breach data with haven't been poned as a good place to start there have been poems have I been poned does release the references to the email addresses or 
user logins they don't typically reference the passwords but all those hashes are readily available out in the world so you are all in typosquatting it's good to know what organizations might have already registered a domain name that's very similar or close to your own I've included the the syntax of the application to use there's called URL crazy does an awesome job and we are going to follow up with a blog post later on that has all these links in these commands syntax is for you to use as well looking up DNS tables try to do a DNS transfer and see if you can pull down the entire domain name with all the DNS records this is exceedingly rare these days it is yeah default zone table sort except for on internal networks it still is somewhat common with Active Directory you might have it's just a checkbox that could allow it to happen that's cash yeah exactly looking up with paceman and all the paceman type services there's actually some tools out there I've linked them there that allow you to go to one site and search for a keyword and it will check all those different websites that commonly have pastebin type data someone made a paste and anonymous or not it'll be indexed there I do know that if you have a basement account with the API you can actually set up alerts so if anyone does create a paceman that has specific keyword data it'll actually send you an email back saying hey someone used your domain name and a paste bin so I think this is happen to us about a hundred times where we monitor ourselves and then we get alerts saying you've been posted on paste bin and it's really just someone posting their way so we have a blue team us where our third party cohort Derek now you're with us today that goes through and checks those links make sure there's nothing that got disclosed inside that and if there was of course we've fought with legal team whatever yeah one last anecdote about the slide one of our the sturdiest customers we've ever ran into basically had us 
picked out before we finished even reconnaissance and putting together a plan because we had purchased domains to type Oh Scott that environment right and they monitor DNS tables they saw our typo squat they figured out it was likely pointed back at us and they used certificate transparency during the end age meant to say I mean nice try but fail so these are things you can do as a system admin as a network architect to monitor your organization and do a better job yeah take that URL crazy report that tells you if anyone's got a type of squat domain close to yours and one in every hour and as soon as someone registers that you're gonna find out about it since it hits the global DNS so or pay a mark monitor to do that for you also been verified if you're doing personal recon LinkedIn hunter dot IO has a really great huge database of emails where you can give them a domain name and they'll give you back all the email addresses they have for that domain and of course using certificate transparency we better keep moving a lot of slides you roll through looking forward scanning enumerate all things tor go ahead contest or vulnerability assessment or Bulbul magic purple team doesn't really matter it's a part of everything so we are going to show dan your networks you should show Dan your networks too we are going to end map your networks you should end map your networks to whether you want if we're in essence or not it's what seventeen hundred two thousand now something like that we are going to run necess against your environment johnny talking yep I would I would also add in for show Dan that you can do net : as well so if you don't want to do just a specific IP address if you know where your external network ranges are you can actually do go into the showdown type in net : and then give it the classes turn your domain routing like you know eight-eight 8.0 slash 24 and it'll give you all the results in that network range which is helpful too and then gentleman I've got 
a question here I'll give it to Jordan and then you can repeat it for Ken so the question was do you recommend open vas as a vulnerability assessment scanner I'll let you guys take a crack at efficient is do you recommend do we recommend open bass as a vulnerability scanner and I would say the answer is no I have had nothing but nightmares with that used to try to run it at an organization I work for previously as a cost savings measure the results for us 1,700 bucks a year you're gonna pay $150 a month for an SSI since that gives you the results that are generally meaningful and point you in the direction of all the things that are yours but I Chad says friends don't let friends use open vest so here we think if you're if you're an environment right now that you you don't have the visibility because you don't have the budget to get necess open vas will be a really great way for you to go to leadership and say hey I need money because liquid open vas bound I need money to get NASA so I can properly do this it is a first stepping stone if you have an environment with leadership it's not giving you budget it'll be a first way for you to be able to produce a report saying hey we got a lot of problems I need the tools necessary to define these and to be able to help mediate them so they can be used as an open source way to move forward just give it their load we yeah just give it a week to run yeah exactly give it a week to run yep so a couple of the ones on there you know we could have had open bass in there just depends on your environment I witness is a really great tool you can take website a list of websites and will generate a screenshot of them the idea being is fee of a thousands of websites to check we can just check a report that it generates and you can find all the different type of logging their faces that might be there in websites that are produced an expose is uh what $25,000 you get going for eyewitness for an expose oh for next pose yeah an expose is 
a little pricey but it also does board building management so the idea is that it will scan and keep track and a lot of you to assign a vulnerability resolution to a specific person and then follow up and track that it's a pretty big platform obviously it's it's the prices let's differentiate here real quick between Qualis and nikto I like to consider nikto a web server scanner identified things going on in a web server I'd like to think of koalas as a web vulnerability scanner there's a very significant difference in the results you get there while nikto tries a whole bunch of standard things against your web services it's not really what I consider to be a vulnerability assessment tool and web that's a cell an nmap has a cypher enumeration tools as you can see in the script gather some stuff but these days I'm using test SSL that Sh there's a github repo pull it run that against your identified website I personally don't like report findings for SSL I mean there did the whole premise is that you have man-in-the-middle but realistically yeah I know and John's gonna tell me I know it's important and you're wrong I know this is this is what we're gonna do I'm gonna raise my hand and then Kent's gonna call on me so can you relay that Jordan like John's raising his hand so yeah I mean we get into this argument all the time as far as vulnerable the assessment reports should there should we even report things like SSL I think that they should be informational they should be in the report but for the love of all that's holy don't try to make them hire vulnerabilities then they should then they should be they shouldn't read much higher than informational John is saying that why would we report as a cell as anything other than informational now if we look at the Chinese telecom BGP hijack from last week right shows up in the news what are they been doing spending two two and a half years theoretically redirecting traffic around the globe dropping it through their data 
centers this is where SSL man-in-the-middle comes into effect right if you have log jam if you have these vulnerabilities that allow potentially weak ciphers to wrap your traffic the Chinese supercomputer can absolutely decouple that and we say super compute but some of those ciphers are so weak now that they're actually pretty trivial I mean it's encrypted but it's encrypted well so it really depends and that's kind of why it is important to report them but again it's one of those things I don't think that it's a big vector for no we don't do it I mean what are we gonna do on an engagement with SSL you have weeks I first move on let's run the dataset so web service discovery just ran this against a slash 16 I had hoped to have results to demonstrate here but they are not here for demo but basically we're saying go wrap up five interesting web ports which you should probably do too on your network assign an intern to go look at every single one of them make sure there's not a login page for your port 80s wrap those into port 4 for 3 enable ciphers if you've got proxies sitting on your network figure out why investigate all of them there's a really great tool with the nmap portion it's linked back a couple slides was listed in the syntax that will take your in and map output and build you a nice HTML report that's easy to read you can print it out or what do much easier to read them the plain text and MEP output so those four useful as well and the next slide I'm gonna actually show you how to utilize eyewitness in burp suite to pre-populate your burp suite and immediately find things that NASA's might not be able to find SAR very passive the idea here is that you want to investigate these you can find the compromised system on your network because that cover my system is going to find all the weak links in your network and it's going to use them to the attackers privilege you know it's going to be increased their potential to be able to get through your network the 
idea is a blue team you need to be a pen tester that's come the whole idea here and the idea is to know your tech network topology get it out on the GPS is that a hacker now John I like doing this just because I run almost all my engagements through burp passively just so I can pre-populate things find possible items I might come up in burp so the idea is you take your necessary file and you start a burp you add the nest this is to the targets and burp we're sorry add the targets to a scope and burp and then turn off interception burp and then you run this iWitness command that proxies you are iWitness through burp and it will be popular for you so it's pretty awesome does this require selenium it well I witness requires your selenium or the Firefox drivers but third or okay yeah fair enough yep so awesome yeah here is just you'd be able to kick two stones with one bird wait two birds one stone no too complicated movie on other service discovery oh absolutely anywhere you find port 23 on your network this is bad don't do this this means some old IOT device or some who knows what networks which somebody forgot in a closet upgrade those enable SSH your port 80s you shouldn't have port 80 on your network there was a comment in a slide a couple back where we say a compromised system on your network is going to find these weak logins and then compromised them so these plaintext services need to be updated to no longer clear-text we have a question from John so yeah we I was just talking with a customer here in Boston they were trying to explain to me that they required telnet to be running on every single one of their routers because the routers didn't support it which was a lie so the vast majority of the time whenever someone says they have to have telnet running because they don't know how to show it off it means they just don't know how to shut it off and I admire Ken's ability to sit and look as though he's listening intently to what I say Jordan you know he can't 
anything to sit and listen appear to listen with the audio drivers so yeah regardless let's roll on one more slide here yeah I like cheat sheets so we can do a whole lot of things within that right as a blue team or you have to know the services on your network learning and map learning networking how these things tie together - capital F right very important fast top 100 ports from an maps perspective on your network - P - identify every single socket listening on TCP - big a operating system and service it's gonna do its best it doesn't always work SV service version SP ping these are these are important things to learn but understanding networking is even more important right taking that step back and saying what is a VLAN what is how two devices communicate on my network how do we route between them how do we a CL things of that nature so that last slide did soccer dad yeah I didn't listen to it I was trying to work on headphones I still can't get it yeah this stuff is awful it's so boring and so general the the point here being it's hard to be a systems administrator if you don't understand networking it's hard to be a systems administrator if you haven't deployed through policy it's really hard to be a system administrator in a network that doesn't baseline things right we don't have standard images we deploy it we don't have standard networking stuff at our customers or our employees homes we don't know what Cisco smart install is but it's on by default on all our gear so learning networking right OSI layer 3 source and destiny P conversations right extending layer four right we're doing protocol based ACLs now we're saying nothing except 80 or 443 into our DMZ except we don't 80 so all that gave us the entire network and what it looks like right so what's the next step I explained testing it out find out where you're going find out what you can do and test or vulnerability assessment ah this is fantastic theoretically yeah yeah it depends if you're gonna 
pivot through here and do what you can then yes if you're just looking to validate a vulnerability maybe not so much unless it's like a DDoS and vulnerability and your blue screen a bunch of servers that's all right I saw this from one of finishes tech tweeters twit tweets and this is an awesome search repo so I have found a lot of fun stuff on here now so checks played us out if you haven't seen this this is a very very cool tool but again you're gonna need to as a blue team or begin that process of understanding networking understanding where services are in your network base lining those services why they're there and then stepping up running vulnerability scans or nmap right and map is almost a Swiss Army knife of reviewing a network it's got a - - bone or a - - script vuln let's have n map identify some simple things for us anyway right what did by leader right today something yeah you know it's all I think he said he was going to implement the Cisco smart install exploit tool into crack map exec and I bet it's done and that's not a joke and I do like I do like when you search for vulnerabilities what you find is shell good on gap I mean that is just the safest place to get open source code I just trusted just copy and paste it right into shell yeah we got John wait wait what the hell he was pulling down random shell code from github why would you do that I thought you told us to do this don't do that don't trust everything yeah okay see this is very smart we don't want you to allow access to github all right so the idea is uh you've checked exploits now to kind of roll back and look at your your password hygiene and what that looks like of course this could look at their side of things and checking the password policies and that type of stuff but really is trying to validate the passwords that are typically used in your environment so looking at passwords spring with office 365 a whrea cetera obviously using fall 2018 bang for your password is the best 
password password Spray your network with Bo's domain password spray and fall 2018 bang if you find people you have problems this is a super super simple powershell script to download and run should take you no more than ten minutes do it right now the eyewitness report will give you a screenshot of all those webpages that are in your environment take a look at that any one of them that have logins login portals on them you want passwords for those obviously do it reasonably don't lock out all the accounts but you want to know if whether or not like default creds were used or if the password is like fall twenty eighteen dollar bang is used anything like best you can define out where those are and what pivot points you have in your networks it's all ability Jamie brought up an interesting point she said run these with permission but I remember our previous gig where you run the network you monitor the watchman so to speak like who watches the watchman more Watchmen and I don't mean to use misogynistic language there who watches the Watchmen right like we would just do whatever we wanted theoretically saying I'm gonna password spray nobody's gonna find it I'm gonna end map nobody's gonna see it it's not gonna get to executives unless something drops or dumps or break something but regardless yes MFA's there's what there's one more thing that's really interesting here MFA has helped in this regard we can still identify passwords but we can't log into accounts of MFA isn't it abled if I do a burp suite spray look at either size response or timing of response it's very very probable that we can pick out valid account password combinations but still not get in because of them effect so definitely MFA all the things a couple comments off 240 OS 1.3 that's gonna be interesting so just a few days ago yeah to be interesting how that plays out with things and also yeah password reuse I think yeah which is gonna pull another situation so different tools are you can use the 
spray kit male sniper to make password spray and then my favorite is burp suite because that's GUI I guess windows right so the idea here is after you've got all that you really want to go back and investigate the the detailed things and one of those tools you can use this from sysinternals now Windows using system on 80 explorer etc says - fun I kind of make the analogy that it's like watching the inside of your car's engine while traveling 80 miles an hour down the highway it's scary you can see all the things work but that may or may not be a good thing and definitely decreases your productivity this is a brilliant chunk of getting started though right deploying this one on your network using PowerShell getting it on your end point seeing what's going on it's terrifying but beginning that process of holy crap here's a flood of stuff I have an intern now we're gonna start to parse that down we have a question from job I would also add that that is that is key because it's actually cleaning up the croft it's basically in many networks they just keep throwing crap in a closets and it builds up a year after year after year and the first time you start doing system on the source the first time you run bro the first time you start doing inventory and software management which are the first two things and the critical controls it's a complete nightmare because you haven't been keeping up on those things and you desperately need to start doing that and these tools give you the visibility to actually see it absolutely there are some really great questions coming through - and well definitely if we don't get them answered during the webcast John's on he says all right so in case those don't get answered we'll definitely follow up later out later today moving forward so we've talked about how to attack right yeah we're talking around networks over and over and over repeatedly baselining things breaking things proving things are flawed you've generated a list or report of 
things that you've accomplished and it's it might be long I might be short but the idea here is now let's let's take your side of blue teaming now let's let's look at the defense right we know we can break things we know we can get and we know we can pivot what do we do what can we do that can really it's another new word sorry well we aren't of defense if there's hackery there's gotta be the country so this is the slide that we had to put in here we're not selling a security solution we are frustrating our co-workers and which one of the attackers I am not a salesperson or am i if you need some assistance with this contact insulting a black house enforce a calm they can help with the red team the blue team purple team yeah yeah is that another arbitrary slide seriously huh the toilet paper slide so John those questions were already floating yeah I'm John I'm letting you take this one because this is this is your answer right here all right so whenever we're looking at a lot of security technology as organizations can get caught up in the back swirl I'm trying to find the best best viral well they basically try to get caught up on what is the single best product the best and breed the best in class but when we're looking at firewalls ids/ips we're looking at endpoint security products the vast majority of them especially traditional blacklisting it's pretty much like toilet paper and what that means is that the commodity you don't honestly it doesn't really matter all that much and the vast majority of them do their job about as well as others and then you get into matters of preference as far as like if it's gonna be quilted or if it's gonna be soft or how many sheets per roll it's completely up to you you at the end of the day it's still toilet paper so don't get too hung up on what the actual tool is for a lot of these different capabilities like ids/ips firewall endpoint security instead ask yourself does it give you the visibility that you need to see what's 
going on in your environment number one and number two is your team comfortable with using the product and that's basically a subjective preference at that point and I'm handing it back to you guys back to you mr. Ken awesome there's someone just mentioned inventory management they said thunks do you just use Excel next slide inventory management use Excel we're gonna eat it together okay so the idea here is that - you're probably blue team again you need to know what's on your network there are some solutions out there that help you with this but ultimately you really need to be able to add in additional information that you got from trying to attack so I use Excel for will be R distinct so I need to make a script and repeat it over a thousand times with different variables I use Excel because I can make it work and it's super fast that said it's it's maybe not the best tool there's little tools out there that'll help you with this as well slur wins IP address manager will say you've got a block of IPs and you can make notes about each host and what they do there's some other ones out there they're more network monitoring base like nag Yost and Singha zabbix and the most core there's gonna be a one that I've looked into a little bit called open awed IT or open audit not sure about that but it's worth looking into if you're looking for something open-source and then interestingly a lot of hardware based solutions like ubiquity and FortiGate they will produce you a list of devices on your network lets you comment on them let you manage and career that way as well you have some familiarity with the FortiGate device detection basically sits on the edge of your network and does its best to identify the devices going in and out of your network and this is exactly what bill has written with this group script passer dot PI I believe he is in here so bill if you would post a link to that we might have somebody interested in taking a look at that this is basically something 
that sits on your network identify strings using scape II and Python and chops things to bits and pieces but does its best to put together a list of the devices flowing in and out out of your network theoretically not in and John real quick we did talk about a hunter a little bit before before the presentation but if you want to link in here kind of how that works with inventory management analysis with that yeah so not so much AI hunter will talk about the free tool Rita Rita actually has user agent strings analysis where you can basically pull down all the user agent strings and it'll help you do an inventory of what device is what user agent strings are currently being used in your environment so you want to do a long tail analysis find the least used user or agent strings in your environment those are usually your IOT devices you're weird software packages and start analyzing those and working your way back up awesome so next one here now you've got a list of what's on your network and you really need to be able to control that as well and the whole idea here is to disrupt early you're working on the list yes working on the list yes and the idea by doing this is to just disrupt and eliminate the shadow IT so kind of get away from someone saying the IT department let me have wireless in my officers and I'm giving me the PSK or adding me to the radio so I'm just going to go ahead and buy this Linksys router and plug it into the port next my office and boom I got Wi-Fi I don't need to anyone to tell me I can or can't do it the idea is to have controls that prevent that now some of those controls are going to be you know port based security on switches but some of them are also having policies and procedures on how that works Hardware needs to be approved by someone right and having document control over that so that type of thing is important they're really business aspects of things but you need to have those controls in place so that when someone doesn't solve 
that switch or that access point, you can go in there and unplug it and tell them, "Too bad, so sad, here it is, take it home." But inventory is so hard, and like John said earlier, this is a fundamental concept in the Critical Controls: if you can't control your hardware and you can't control your software, you can't control your network. So theoretically, right, Fletch uses this mitigating controls thing. He is so strict about it when he questions customers for our Critical Controls reviews. He asks the question, "Do you know when someone installs something on their computer that's not approved?" "Oh, good, that's awesome, you run some endpoint thing that reports back to you." And it's done. "Well, what is your mitigating control for that unapproved software?" Right? This is how strict the control is actually written. But getting there. Yeah, absolutely. I mentioned AWS, right, security in the cloud, blah, shared responsibility, but they will tell you every single system that you have in their space with a couple of clicks. I mean, that's nice for inventory and documentation. Helpful, yes.

So, alerting and detecting capabilities. The idea here is this is all well and great, but you also want a central repository for logs. I think we know how John might feel about SIEM, so I might just pass this one off to him and he can throw it in there. Well, so I think whatever you're looking at, SIEM, if we're going to be doing this correctly, JPCERT has some outstanding tools. So let me share this first one. This is JPCERT's Tool Analysis Result Sheet. Sharing that one out; I'll send that to all. That basically breaks down a lot of the different types of attack tools and also built-in utilities that an adversary might use, like PsExec. And then the other tool that they have is JPCERT's LogonTracer. Let me throw that one up. Yep. And that'll do user behavioral and entity analytics for parsing your event logs for your domain controller. So those
would be the two things I would say, like we can actually start getting value out of our SIEM if we're actually looking for the right things instead of looking at absolutely everything and seeing nothing. So passing it back over to you. Excellent. Next slide, sir. Well, I love this last quote. We can still tell? Yeah, they do. John talks about this in AI-Hunter. It's even easier to pick them out if they have sleep cycle enabled, right? You're gonna sleep for some period of time, then you're gonna blip. We are going to see that. That is so unlike human operation on a network, so unlike Microsoft's update cycles, so unlike these other very predictable things humans do that beacons do not. So beacon analysis.

So this is a big one. This is the biggest, possibly, of all of it? Yeah, exactly, John. So this is the biggest, biggest one. I can't tell you how many tests we do where we get in there and we're like, "All right, we're gonna help you, you know, get your network set up well and we're gonna find the things for you," and then we find critical vulnerabilities all over the place and it takes us about 10 minutes to get DA. Yeah. Make sure everything is updated. After you've got that network inventory done, so you know what's out there, you know what services are running on what ports, go through, make sure those services are up to date. Every port that has a service on it, make sure it's updated. Every workstation, make sure it's got the appropriate security patches. All of them. Don't leave any of them unpatched. Obviously you might want to have a change control process on that; you don't want to just go in and update everything without testing it first, but don't let them run for six months without updating. Laptops are really hard, right? People take them home, they close the lid at night, it misses that patch cycle, they show up at the office in the morning and they load it and it gets all slow and crappy, you don't know what's going on, and then it reboots and people freak. There are a couple of things there.
Someone mentioned mobile device management a little bit ago. We're not going to talk about it here today, but all the big carriers now have mobile device management. I know Verizon even has one, but Microsoft and G Suite both have a portion of their platform that is for mobile device management. There are other ones out there too, but some of those interfaces also allow you to do mobile device management on laptops and mobile devices that don't hit your network all the time but do sometimes connect to a network. Unpatched equals vulnerabilities; vulnerabilities equal bad.

All right, so let's talk about group policies. What is preventing your users from having a password called Fall2018!? Because it's a bad password, but it covers all four of the major categories. Your password policy is eight characters; we are guessing that one first this time of year. Yeah, absolutely. And the idea here is that you can control things in Active Directory and you can prevent this. You can have limitations on password policies that are, you know, make a password that's 30 characters long. Do I suggest that? No. But what's the current one, is it 15? I think it is 15 that enforces storage of the correct type of hash that's harder to crack. Absolutely. So there are some other things we're going to talk about as well: LLMNR, Kerberos, LAN Manager and password policies, screen locks, and also SMB. So let's jump right into it. Yes, John? I was gonna say, more accurately, it forces it not to store the vulnerable password hash, the LAN Manager hash. He was correcting what I said. Good job, John, because everyone started typing; they're like, "Oh crap, John just said it." Okay, well, so I'll talk about disabling LLMNR. We had a recent blog post about this; we discussed it in a couple of webcasts as well, kind of going back through there and saying this is how you shut it off. You can do it with Group Policy, so you can start off across your environment with Group Policy. Again, Jordan, do you want to
give, I guess, the technical bits here about why this is? Or do we want to talk about why disabling LLMNR is important, or do we want to talk about what LLMNR is? I don't think everyone has an understanding, even at a base fundamental level, of what LLMNR is or does. So, Link-Local Multicast Name Resolution, 224.0.0.252, right? This hits all the MAC addresses, all F's theoretically, on your segment. And that last slide mentioned Frogger, and I got to try this once on an engagement, right: I've got LLMNR, I get some hashes, I run Frogger, I find more VLANs, I jump into those VLANs, create new interfaces, I jump onto those VLANs, find more LLMNR. So LLMNR is basically a multicast way of resolving names that don't resolve by your DNS. If your DNS sucks, you're probably gonna need LLMNR and NBNS. But there's a problem with it, right? In theory there's a really big problem with it. The problem is, if someone says, "Hey, server one, I need your IP address," in certain environments your workstation could say, "Hey, I'm server one, connect to me please, and when you connect to me, please submit your hash for your Windows environment as well." And as soon as that happens, you've now provided that hash to a third party, potentially. The environment we see here in the lower left-hand corner of the picture is doing just that. We're having a workstation set up and all it's saying is, "Yes, you're looking for server one or server two or Exchange? Yes, I'm all of those things. In fact, I'm the workstations that are next to you. I'm all different host names you could possibly search for. I'm all of them. Submit me your hashes." And all it does is it gives the hashes to the attackers, and then we can take them and go crack them. So taking a step back, right, we're talking about baselining again here. If you've got CDP, DTP, if you've got these things that Cisco does by default, Smart Install, you've got fundamental layers at OSI one, physical, OSI two, networking, OSI three, right? I can
jump into different segments and get different IP addresses. You've got to understand your network; you've got to understand what's going on with the gear on your network, and then turn off the whole LLMNR thing. I like SMB signing on, right, because we're now able to take that hash that gets pushed around if we do LLMNR, and we can go push it to another system, relay it, and get shell, which is incredible if you don't have SMB signing turned on. So that's important to have.

But our next slide. I will notice in the lower right hand corner we are beating dead horses at this point, so if you've heard us talk about defense in webcasts you might see these again. Disable NetBIOS on my adapters. This is going into the actual adapter and shutting off something similar, NetBIOS. This is a preference instead of a Group Policy. I couldn't really figure out why Windows wanted it that way, but regardless. The next one, go ahead, let's just roll. The next one has a quick little NBNS PowerShell thing. Don't push this out; system admins should have access to PowerShell, endpoints should not, or theoretically the users running on your endpoints should not. SMB signing. This is where you can enable SMB signing and force machines to get that certificate and validate it. Catch-22. Does anybody catch the Yossarian reference? Anyway, risk vs.
risk. Do you want to chug performance down on your network, or do you want to not have cryptographic validation on your network? LAN Manager storage. This is a great one. LAN Manager passwords are incredibly, incredibly easy to break, because 14 character passwords max: cut them in half and create two hashes, and then you can try to crack those hashes independently, so you're actually trying to crack two seven-character passwords. Still on by default on Server 2016? Yeah, it's a scary thing. A good way to circumvent this is to create a password more than 14 characters long, and Windows won't store your hash that way, the LAN Manager way. Or turn this Group Policy on immediately; no one in your environment will notice. Have everybody change their passwords; then, as the passwords change, it will know where to store that new hash. The old hash would still be stored, is that correct? Oh, I don't know. I think the old hash is still stored; I think it just stops looking at that attribute. On clarification: is the old LAN Man hash stored after enabling this function and changing your password? Yeah, after you... well, it depends. If you have "remember previous passwords," the passwords will actually be stored in the registry. So it's one of those things where it can stick around for a while, but you're talking some very, very old legacy systems where that would exist. On most environments that you would encounter today, you're not going to see that LAN Man hash because it never was there in the first place. 10-4, thank you. Next slide, sir.

Group Policy is hard. Well, it doesn't have to be, though. LSDOU. We've got the LSD cat hanging out there. So, you know, you structure them. There's a lot. John's loving it. The OU structure matters, and how you deploy good policy. Make sure you understand how to do this. If you're not aware of the intricacies of using Group Policy, go look it up, learn it. It's very possible to do some things in Group Policy that you didn't intend to do just by having OU
links different ways. So some ideas here, some best practices: don't mess too much with Default Domain Policy. In some advanced environments they will actually disable it and will rewrite it with only the actual policies that are necessary, and obviously look at the password policies, lockouts, etc. And the best practice here: use computer versus user policies. Don't create Group Policies that have both user and computer policies in them together; it really makes it more difficult to manage. This is really a best practice, but you don't have to follow it. The idea is, if you have a user based policy, create a user GPO; if you have a computer based policy, create a computer based GPO, and then disable the filter on the GPO preferences in there, so that if you have a user based policy, disable the computer processing side of it. It'll help you process; you can use it faster, though with those computers running these days maybe it doesn't matter so much, but best practices do matter. But supporting... Oh yeah, we do support training. How about ongoing resource and human capital additions to your struggle? Something. Yes, you should. So the idea here is you need to do best practices, but if you just say, "Hey, do best practices," what does that mean? You know, you need to, in your environment, do training. Certifications are important. John, yes, you have a comment there? All right, I'm losing my mind trying to keep up with the questions. Do certifications matter? Yes and no. I guess I'll do my best to get fired by the SANS Institute. I don't think that they matter insofar as this person has a cert, they're better than anybody else that does not have a cert. I think that's crap. But whenever you're looking at the industry as a whole and you want to get a job as an individual, you'd better have some certs, because for HR departments actually looking at who they're going to hire, the people with the certs are going to go to the absolute top. So yes, it does matter for the individual, but I think that it's only good enough to get
you through the front door, to get your résumé up to the point where you have that interview. After you get to that interview, the certification doesn't matter; it's all on you and what you actually know. Absolutely.

We're gonna talk about, you've now gone through, you've done the attacking, you've done some ideas for defensing. Defensing? Defensery. Yeah, that was your new word, defensery. I'm making all kinds of new words. That was a good one. Um, the idea now is you need to be able to relate this back to your leadership so that you can, well, really get money. This is a shout out to Jeff Man. Jordan, you wanna discuss that? We've talked a lot about pen test versus vulnerability assessment. If you're going to talk to an executive, and you're gonna come into an environment, you're gonna break something, you're gonna dump the domain controller, you're gonna crack all the passwords, and the executives say, "Oh my gosh, what did you just do to us, and why? I didn't expect this. This is terrifying. Should we sue you? Is what you did even legal?" I don't know the answer to that, and it can be a scary, scary thing. And the idea here is that you've done all this work; now you need to be able to relate it back to the customer, to your leadership, in a reasonable way that tells them what they gained out of it and why it's important. But then I tell an executive, "I just did LLMNR to SMB relay on your network to pop shells and exfiltrate your NTDS.dit and cracked everything and I'm DA." And, "What? That's all illegal! Don't do that again! In fact, you're fired." No. The idea here is that you don't talk in that language. Don't do that. They're gonna walk out of the room or they're gonna kick you out of the room. That's not what you want to do. You want to talk in high generalities and levers that they can pull, things that the leadership can do, whether it be policy based, procedure based or money based. Sometimes it just comes down to money and getting resources in; sometimes it's hiring an outside firm to do
something; sometimes it's hiring consultants; sometimes it's just getting people on board for something. Yeah, if I told you updating your password policy meant you didn't have to remember complex character strings, all lowercase is fine if you hit 15 characters, you know. And the idea here is to relate this to them, give them strategic options. This is really difficult for some people to do, and when you're in the weeds and detailed information, and you're going through and hacking things and building up GPO policies, to then relate that back to the customer and say, "Hey, this is, you know, the information we're presenting you, why it's important," to be able to put that into strategic terms that they can understand, levers. They don't speak the jargon. They don't speak, what did you call it, hacker acronyms. Acronyms. Don't give them hacker names. Know that every business has an acceptable risk. Accept that the leadership might come back here and say, "We don't care, it's not that big of a deal." They're looking at it from the perspective of the probability times the impact that a vulnerability might have, and it might be within their realm. They say, "Yeah, we're going to accept that risk," and if that's the case, you know, make sure they understand what the probability and the impact of that vulnerability are, but sometimes it makes sense to just deal with it. So the next question here is, why do you want to present this to the execs? It doesn't... so you have to be at the executive level? Sometimes you might be delivering a report to your supervisor or to your director or manager, IT department, CISO, you know, whatever it might be. The idea here is that C-levels are your friends, so whatever report you write, write it so that there is some sort of section in that document that says this can be taken to the board, to the cabinet, and it can be read, and the net result of that should be, you know, partially to scare people, but to do it in such a way that gets some resources, right? So the executives that you're
going to report to, they can fight for security budgets. If you ask for ten million dollars, you're probably not gonna get it; you're not asking the right questions of the right people. But if you take it to the board and someone in the cabinet says, "Hey, we've got a big problem. This is what that problem looks like. This is what happens if we don't remediate it. But this problem requires a ten million dollar fix," they're gonna start discussing that and you might get that money. Executives are the ones that can make this happen, right? Your supervisor probably can't, but your supervisor can relay the information up in a reasonable way that you help do. You need to give the ammunition over to the leadership. Make sure that they know what to ask for. Make sure they're not asking for something that's unreasonable. Make sure they know why it's important to the business: what is the risk, why is doing this important at all. And don't ask them to deploy paralyzing paranoia. The slide early in the slide deck said something along the lines of don't do anything that's going to inhibit someone's ability to do their job, because that's going to be a non-starter, you know; it'll get you kicked out of that room very quickly.

Ah, this one's you, Jordan. Another Jeff Man quote: "Repeat back to me what you think you just heard." Yeah, so here's the whole thing with this, right? We went through and we did a lot of technical stuff, and we also did something that's not as technical, and you're now kind of given a choice with this, with the blue team, right? You can either suggest that we do business as we've always done it, right, and we just try to keep up with patching better, because that's a given, you need to do that, and realistically if you do a good job with inventory management and you know what's on your network, you're gonna do okay. But, you know, you really need to bring this back to leadership and start a conversation about making things better. You know, look at the GPO options you have to make things more secure in
your environments. Look at your password policies. You know, if your environment allows it, get the NTDS.dit files from your Active Directory and run them across a password cracker. Obviously work with HR, with your team, to do that, because that's scary and there are a lot of issues that might come up with that. But find out if your users are using, like, six character passwords, and if they're "Spring", right, or if they're "Fall" or "Fall2018!". These are things that your environment should know about so you can be able to better prepare your leadership to resolve. And patch cycles are tough. We've talked about this so consistently. WSUS is a nightmare to manage, but Windows 10 does a really nice job of keeping itself updated, patched, rebooted and cycled, right? So does, obviously, O365. You don't even have to run O365 in the cloud these days to continually maintain updates in your Office products, right? So even moving toward the latest and greatest offerings from Windows is better than nothing; it's something. So GPO deployments are easy, right? Disable LAN Man stored passwords. I don't know how to cleanse those all out; this might be a nice follow-up, those old garbage hashes that land in there. Password policies: this is how we win, significantly, every single test. If we have a weak password policy we're up against, we generally win. It's just the reality, and so do the people who are attempting to break into your network, gather credentials and get in. John's up. And also that password policy, if you guys, I would like to get your opinion on it, but it seems that's one of the things that our customers fight us the most on. Whenever we say you need to go from an eight character password to something like a 15 or 17 character password, they tend to, at the beginning of the test, say, "Well, I don't know if that's gonna be socially acceptable. I don't know if we can do that." And by the end of the test usually they start to understand just how dangerous that actually is. Absolutely. And the
conversation I had with one of our customers at Hackfest was this very thing. He goes through the, "Okay, hey, we've got to upgrade our password policy. Look what they did to us again. They've gotten through, they gathered credentials, they've broken into all the stuff." What if I told you you could have 15 characters with no complexity and you could keep it for a year? I mean, it seems to you and I and John, who use exceptionally long passwords, we have learned how to phrase. Well, it's hard for corporate environments to accept this politically.

So adding here, this is our last slide, so I'm gonna open up to questions. I see kind of a theme in some of the most recent questions, kind of talking about patching and how it relates to, it looks like, breaches and public breaches. Someone mentioned that getting pwned is socially acceptable, and that's an interesting perspective. Socially unacceptable? It's an interesting perspective, because if you look at, like, I guess even look at, was it Experian? Was that it? Big data... Equifax. If you look at stock prices, you kind of have to start to question whether or not it wasn't socially acceptable, because what was the actual fallout of it? You know, there were some employment changes from it, but in the end the big cost came to the users; it didn't come to the organization that was managing it. And, you know, I think maybe the same thing might happen to Target, where the big problem all fell on the user side or maybe the bank side, but ultimately the actual investors weren't the ones taking the hit. And it's an interesting perspective on that, that, you know, I think at some point the landscape might change there, where we'll actually start to see that breaches might have a bigger impact for an environment. Certainly at some organizations, if you have a breach, it's done, you're done, you're out of business, but there are some organizations that are able to mitigate that using social skills. So, and there, I guess, started community involvement? Yes. The
same test I was just talking about. Somebody asked a really interesting question about PCI. The PCI framework is still saying that seven or eight characters is acceptable, which I totally and completely disagree with, and so should every single member of the security community on the PCI Council. It's ridiculous to me that we still accept this as an acceptable way to protect cardholder data. It is not. Assume compromise, I think, is the one there, right? If you live by assuming compromise, John, if you live with something compromised, you take things into consideration like your credit is always locked until you're ready to open an account. It just is. You look at things like password management differently, because, yeah, you might have a 128 character password, but now you're storing that password with someone that might be storing it in plaintext, so they have to be different across all of your different websites. And that's really important to know, and to be able to manage that and be able to accept the risk that you might be compromised already. Why not use passphrases? "Correct horse battery staple," was it? Correct horse battery staple, yes. This is something we preach. It's in our findings. If you've ever had a pen test from BHIS, when we get a weak password policy finding on your network, we say the same thing every time: learn to use phrases on your network and allow them in Active Directory. It does make something interesting. I have a blog post coming out probably in the next couple of weeks where I'm taking some pretty well-known books and I am running them through our password cracker against LinkedIn, and the idea here is to see, there are a lot of passwords in LinkedIn that haven't cracked yet, they're just ridiculously long passwords, right, and I'm curious to see how many of them are based off phrases of these very well-known books. I'm afraid that John might know what those books are, so let's just say it's gonna be a religiously fun day. I told you you're gonna
get fired. But thank you all for joining us today. As always, we appreciate your time very much and are grateful for you listening to us bloviate, pontificating about rinsing and repeating. We get in an hour, and someday I'll let them out of the basement. [Music] That was a shot. [Music]
Info
Channel: Black Hills Information Security
Views: 3,572
Rating: 4.9183674 out of 5
Keywords: Black Hills Information Security, John Strand, Blue Team, Information Security, Sysadmin
Id: 4UHyGzDYASc
Length: 55min 47sec (3347 seconds)
Published: Thu Nov 15 2018