Who Is

watching out for you?

In today's world you need to understand a few more things...

Who Is

knocking on your virtual front door?

It could be someone down the block or from the Bloc

All Articles

Lidia Giuliano

Picture the overworked security professional bombarded with risk assessment, vulnerability, trying to put metrics and dashboards together, when their boss taps their shoulder and says, “I need you to do some endpoint testing. We need to buy another tool.”
How does the security professional start endpoint testing?
Where is it supposed to fit into the schedule amongst a million and one things to do?

“I've put together a testing framework you can use, and a workshop/class at SecTor this year, to give you a set of tools to go out and do it for yourself,” said Lidia Giuliano. “It’s about security products and capabilities of vendors. When you’re in that saturation and it’s time to look at endpoint protection, I offer some considerations for how you can test. Not just testing malware, but also for testing how you do business in your office.”

There are functional and non-functional aspects to consider. For example, if you have outsourced, you need to consider how much extra it’s going to cost to send endpoint protection logs to your MSP. 

In the past people have focused on testing what happens when it goes live, what does it look like then, and functional testing with common scenarios.

Other important considerations are how it scales and its backwards capability. When setting up the proof of concept, what virtual environment are you using? Malware may not work in all virtual environments. How does the solution you’re testing relate to your business and long-term strategy?

Giuliano’s presentation is a result of 12 months of work and research requiring thousands of hours. 

“I actually compare marketing slogans to what happens in the real world,” she said. “I demonstrate actual examples and what I saw during the testing. It's important my peers know how to start and what questions to ask.”

Tom Porter

Next month at SecTor FusionX Red Team senior security consultant Tom Porter is presenting Extending BloodHound for Red Teamers, starting with what Bloodhound is and what it does.

“Then I go into underlying components to teach the query language – Cypher – in a way that people don’t feel intimidated about making modifications or their own extensions,” Porter said. “I’ll show how I’ve adapted the UI to do something completely different – mapping network connections across an environment, playing with new and different data sources, that are not necessarily Active Directory-based.”

Porter uses the BloodHound UI to map connection info of netstat data, trying to identify watering holes on the network. He’ll also show to use it to find places to cross network segmentation boundaries. 

Being a member of FusionX Red Team has shifted his mindset and how he operates. He’s noted that Blue Teamers are using BloodHound to harden their environments prior to Red Teams beginning their work.

“That’s why I want to do the education component— graph databases, how to put data in, get it out, and modify it to fit your workflow, whether you’re offensive or defensive,” he said. “My extensions are just one application of that process. If I can teach you how to change and use it for your benefit, you can build your own tools and extensions.”

The session represents a change that began with BloodHound, moving toward automation of lateral movement, sometimes referred to as the industrialization of lateral movement.

“Import to GoFetch, which uses PowerShell to execute that attack path that you’ve exported from BloodHound… that’s one example of automation of lateral movement,” said Porter. “Another is DeathStar, written to automate an attack path. When you have a foothold in an environment, you need to either escalate or move laterally to achieve your objective. Bad guys need lateral movement when abusing users’ accounts.”
Some tools only query Domain Controllers, so their purview is isolated to Active Directory. They don’t look at local accounts.

Seeking to add value to the back-end BloodHound database, Porter would compromise a machine, dump the local user hashes, take a local admin password or hash, and test it against other machines. Then he’d see a common local admin password in the environment. He wanted a way to represent that path in BloodHound, being able to hop from one computer to another. 

In that same vein, he found users reuse passwords across accounts, and wanted a way to represent that in BloodHound.

“How can I look at underlying data structures and how BloodHound was using them, and then modify or add to those?” he asked. “By creating new properties and new relationships – giving a property to a node.”

Also by creating new custom queries. There’s a section for custom queries in BloodHound, imported into the UI for you to try and to use.

“When I compromise a node, I want to know what else I have access to. I also want to see the deltas in access after I compromise new nodes. Those are some of the things I built into the extensions. I’ve also modified the UI itself to change the displays to help you visually track a compromise.”

Michele Fincher

Imagine walking into your work lunchroom just in time to hear one person loudly berating another. The yelling male storms off in a huff, leaving the remaining female sobbing.

Would you ask if you can help her?

Suppose the sobbing one tells you s/he is going to be fired for forgetting her security card.

Would you take her to the elevator and swipe her in? Or would you walk her over to security for a temporary pass?  

How would you feel when you discover that neither the male nor the female work in your building, and the entire scene was a setup to get her onto the C-suite floor?

You’d feel just as stupid as anybody who’s ever fallen for the lies of a phishing email.

Chris Hadnagy and Michele Fincher of Social-Engineering Inc specialize in performing such scenarios when testing their clients' users, as well as training folks like us how to act when similar situations arise.

Presented in lighthearted, humorous, easy-to-read language, their book Phishing in Dark Waters prepares you for everything you’ll need to know about phishing, especially if you think email security is boring.

Yes, Chis and Michele have made phishing fun and enjoyable to learn.

They do it thru personal anecdotes, humor, and by making the psychology of phishers and their victims easy to understand.

Starting simply with what a phish is, they move on to the psychology of why phishing works, and the principles behind it, explaining so well that basic users can grasp the concepts.

They’ve divided phishing into levels, so you can begin with the easiest to find, and work your way up as you learn more.

You’ll recognize some of the examples from breaches that were large enough to make the mainstream news.

If you use email, you need this book.

Note: Other than an autographed copy from the author at SC Congress, Securebuzz received nothing for this review.

David Millier

His third week on the job, a new CIO learns 30,000 credit card numbers posted on the Darkweb were stolen from his employer... possibly on his watch.  

Uzado CEO Dave Millier uses his engaging tale to walk you through how breaches occur, what actions to take, which actions to avoid, and how information security professionals can mitigate damages.

He also explains how to defuse office politics during a crisis, which is when people are typically more defensive of their fiefdoms.   

Most important – this story is written so non-technical readers can understand.

Note to all security/privacy geeks and IT propeller heads: it’s safe to give this book to those who have no clue about what you do.

If you want your C-suite to understand some of what you’re up against, then handing them this book is an easy start.

Not an affiliate link – Other than securing a signed copy from the author at SecTor, Securebuzz received nothing for this review.

Ransomware is remotely installed malware (malicious software) that encrypts the files stored on that computer. Criminals install ransomware and then demand a ransom, usually payable in Bitcoin.

The files remain encrypted until they are decrypted using a key, even if you manage to remove the ransomware. If you don’t pay, the files remain encrypted. Sometimes criminals threaten them with deletion. Either way, if don’t pay, you’ll never see your data again.
While email is a common dissemination method, ransomware criminals have other ways of getting their ware on your system.

Easily used website building platforms have exploded in popularity, precisely because they are so easy to use. Non-technical users can put up a site in a few hours, and so they have – by the hundreds of thousands, if not millions.

Because they aren’t technically adept, it never occurs to these site owners to change the Administrator default login and passwords. They also don’t understand the importance of updating and patching, nor do they install security plugins, simply because they don’t know such plugins exist.

The rapid growth of unsecured websites enhances the potential gain for criminals, since the greater the number of victims a criminal can extort, theoretically means greater profits.

Cyber criminals are constantly probing for unprotected websites, sending hundreds of thousands of attacks every day. Upon finding a site that is unsecured, even a mediocre criminal hacker can enter and do whatever s/he wants with the code.

The malware types and the order in which the following event examples take place will vary, because the criminal in charge decides when to deploy and exploit any downloaded malware payloads.

Say for example the criminal installs code on the undefended site that redirects all visitors except one to Russian or Chinese merchandising sites. The lone exception is the site owner’s IP address, so the owner thinks everything is normal and has no idea what’s going on.

If after a while it becomes apparent the site doesn’t send sufficient income-generating traffic to the criminal’s merchandising sites, an impatient criminal may decide to install ransomware payloads, readily deployed to any browser visiting the site.

Alternatively, visitors to the compromised website receive an initial infection of a simple exploit file. They have no idea their machines are infected, because the file lies dormant, awaiting instructions.

Following expiration of a set time or after a certain event takes place, the exploit file receives a command to download ransomware onto the system, from another site that the visitor likely doesn’t know exists, and may have never visited. That way the unsuspecting user has no idea what site the ransomware came from. Hence the term you may have heard: “drive-by malware infection.”

You too can become a cybercriminal, by employing a vendor who sells ransomware as a service. For a small setup fee and a percentage of the total amount you manage to extort from your victims, established criminals will provide everything you need to become a ransomware commando.

Bottom Line: You can become a ransomware victim through no fault of your own.

Until you pay the criminals who unleashed it on you, your data remains encrypted and therefore unavailable.

Some ransoms are small, on the reasonable assumption that smaller ransoms are more easily paid. Others – particularly those demanded from specifically targeted organizations – are larger. Regardless of the ransom amount demanded, you don’t want the downtime and reputation disaster caused from inaccessible data.

So why not pay the ransom? After all, police departments, hospitals, and governments that are supposed to be better protected than you have all paid ransoms.

The official theory is that the criminals will always give you the decryption key, because their extortion scheme falls apart the minute no one trust them to do so. Earlier this year that theory died when a victim organization paid, the criminals collected, and then refused to send the key

At least one malware variant claiming to be ransomware deletes your files instead. If Ranscam infects your system, your files are gone, regardless of whether or not you pay the ransom. There’s a reason “no honor among thieves” remains a truism.

Additionally, even if you pay the ransom, with the ransomware still on your system there’s no guarantee your files won’t be encrypted many more times… or that the original criminal won’t sell your information to another criminal, because you’ve now qualified as a payee.

The best way to protect yourself from any form of ransomware is the same as for any other disaster, and the one nobody ever wants to take: prevention. Nobody likes taking precautions... just ask the life insurance salesperson. Prevention has always been a tough sell – if not for building codes, how many would buy smoke detectors?

The key that prevents ransomware email attacks is education. Train your users to cautiously examine email; to check not only the sender’s name, but also the sender’s address, and examine the actual link the sender wants them to open; not the link the sender claims.

As noted above, email is not the only ransomware attack vector. In the event ransomware holds your data hostage from a drive-by infection, avoid paying a ransom by having a business continuity and disaster recovery plan that includes up-to-date backups and tested data restoration. Having backups, and knowing those backups are restorable to a point in time before the infection, puts you back in business.