Who is watching out for you?

In today's world you need to understand a few more things...

Who is knocking on your virtual front door?

It could be someone down the block or from the Bloc

Lidia Giuliano

Picture the overworked security professional, bombarded with risk assessments and vulnerability reports and trying to put metrics and dashboards together, when their boss taps their shoulder and says, “I need you to do some endpoint testing. We need to buy another tool.”
How does the security professional start endpoint testing?
Where is it supposed to fit into the schedule amongst a million and one things to do?

“I've put together a testing framework you can use, and a workshop/class at SecTor this year, to give you a set of tools to go out and do it for yourself,” said Lidia Giuliano. “It’s about security products and capabilities of vendors. When you’re in that saturation and it’s time to look at endpoint protection, I offer some considerations for how you can test. Not just testing malware, but also for testing how you do business in your office.”

There are functional and non-functional aspects to consider. For example, if you have outsourced operations to an MSP, you need to consider how much extra it is going to cost to send endpoint protection logs to that provider.

In the past, people have focused on testing what happens when the product goes live, what it looks like at that point, and functional testing with common scenarios.

Other important considerations are how it scales and its backwards compatibility. When setting up the proof of concept, what virtual environment are you using? Malware may not run in all virtual environments. How does the solution you’re testing relate to your business and long-term strategy?

Giuliano’s presentation is the result of 12 months of work and research requiring thousands of hours.

“I actually compare marketing slogans to what happens in the real world,” she said. “I demonstrate actual examples and what I saw during the testing. It's important my peers know how to start and what questions to ask.”

Tom Porter

Next month at SecTor, FusionX Red Team senior security consultant Tom Porter is presenting Extending BloodHound for Red Teamers, starting with what BloodHound is and what it does.

“Then I go into underlying components to teach the query language – Cypher – in a way that people don’t feel intimidated about making modifications or their own extensions,” Porter said. “I’ll show how I’ve adapted the UI to do something completely different – mapping network connections across an environment, playing with new and different data sources, that are not necessarily Active Directory-based.”

Porter uses the BloodHound UI to map connection information taken from netstat data, trying to identify watering holes on the network. He’ll also show how to use it to find places where network segmentation boundaries can be crossed.

Being a member of FusionX Red Team has shifted his mindset and how he operates. He’s noted that Blue Teamers are using BloodHound to harden their environments prior to Red Teams beginning their work.

“That’s why I want to do the education component— graph databases, how to put data in, get it out, and modify it to fit your workflow, whether you’re offensive or defensive,” he said. “My extensions are just one application of that process. If I can teach you how to change and use it for your benefit, you can build your own tools and extensions.”

The session reflects a shift that began with BloodHound: a move toward the automation of lateral movement, sometimes referred to as the industrialization of lateral movement.

“Import to GoFetch, which uses PowerShell to execute that attack path that you’ve exported from BloodHound… that’s one example of automation of lateral movement,” said Porter. “Another is DeathStar, written to automate an attack path. When you have a foothold in an environment, you need to either escalate or move laterally to achieve your objective. Bad guys need lateral movement when abusing users’ accounts.”
Some tools only query Domain Controllers, so their purview is isolated to Active Directory. They don’t look at local accounts.

Seeking to add value to the back-end BloodHound database, Porter would compromise a machine, dump the local user hashes, take a local admin password or hash, and test it against other machines. That is how he would discover a local admin password shared across the environment. He wanted a way to represent that path in BloodHound, so that it shows the ability to hop from one computer to another.

In that same vein, he found users reuse passwords across accounts, and wanted a way to represent that in BloodHound.

“How can I look at underlying data structures and how BloodHound was using them, and then modify or add to those?” he asked. “By creating new properties and new relationships – giving a property to a node.”

He also adds new custom queries. BloodHound has a section for custom queries, which are imported into the UI for you to try and use.

“When I compromise a node, I want to know what else I have access to. I also want to see the deltas in access after I compromise new nodes. Those are some of the things I built into the extensions. I’ve also modified the UI itself to change the displays to help you visually track a compromise.”
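
The graph reasoning Porter describes, as an added example that is not part of the original article or of BloodHound itself: a small in-memory model with BloodHound's built-in relationship kinds (MemberOf, AdminTo, HasSession) plus one custom relationship for computers that share a local admin password, the kind of property or relationship he adds to the database. It computes what a single compromised node can reach, the delta in access when a further node falls, and, from the defender's side, how much of that exposure exists only because of the shared local admin credential. The node names and edges are constructed sample data, not directory data from any real environment.

```python
"""Toy BloodHound-style access graph (added example, constructed data).

Nodes are users, groups and computers; a directed edge means the source can
control or harvest the target. Reachability over these edges is what the
BloodHound UI's path queries show, and the access delta is the question
"what new did I reach after this node fell?" asked from the graph."""
from collections import defaultdict, deque

# Relationship kinds BloodHound ships with.
BUILTIN_RELS = {"MemberOf", "AdminTo", "HasSession"}
# Custom relationship added to represent computers sharing a local admin
# password (hypothetical name; BloodHound has no such built-in edge).
CUSTOM_RELS = {"SharesLocalAdminWith"}

# Constructed sample graph: (source, relationship, target).
SAMPLE_EDGES = [
    ("alice", "MemberOf", "HelpDesk"),
    ("HelpDesk", "AdminTo", "WS01"),
    ("WS01", "HasSession", "bob"),            # bob's credentials live on WS01
    ("bob", "MemberOf", "ServerAdmins"),
    ("ServerAdmins", "AdminTo", "SRV01"),
    ("WS01", "SharesLocalAdminWith", "WS02"),  # same local admin password
    ("WS02", "SharesLocalAdminWith", "WS01"),
    ("WS02", "HasSession", "carol"),
    ("carol", "AdminTo", "SRV02"),
]


def build_graph(edges, allowed_rels):
    """Adjacency map keeping only the relationship kinds we are considering."""
    adj = defaultdict(set)
    for src, rel, dst in edges:
        if rel in allowed_rels:
            adj[src].add(dst)
    return adj


def reachable(edges, compromised, allowed_rels):
    """Transitive closure: every node controllable from the compromised set
    (the compromised nodes themselves are included)."""
    adj = build_graph(edges, allowed_rels)
    seen = set(compromised)
    queue = deque(compromised)
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def access_delta(edges, compromised, new_node, allowed_rels):
    """Nodes that become reachable only once new_node is also compromised.
    Empty when new_node was already inside the reachable set."""
    before = reachable(edges, compromised, allowed_rels)
    after = reachable(edges, set(compromised) | {new_node}, allowed_rels)
    return after - before


def exposure_report(edges, start):
    """Defender's view: how much of the exposure from `start` exists only
    because of the shared local admin password edge."""
    builtin = reachable(edges, {start}, BUILTIN_RELS)
    with_custom = reachable(edges, {start}, BUILTIN_RELS | CUSTOM_RELS)
    return {
        "builtin_only": builtin,
        "with_shared_local_admin": with_custom,
        "added_by_shared_local_admin": with_custom - builtin,
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_EDGES, "alice")
    for key, nodes in report.items():
        print(f"{key}: {sorted(nodes)}")
    print("delta after WS02 falls:",
          sorted(access_delta(SAMPLE_EDGES, {"alice"}, "WS02", BUILTIN_RELS)))
```

The `added_by_shared_local_admin` set is the part of the blast radius that disappears if each machine gets a unique local admin password; the same closure, run before and after removing that edge kind, is the hardening check a blue team would want from its own copy of the graph.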

Michele Fincher

Imagine walking into your work lunchroom just in time to hear one person loudly berating another. The yelling male storms off in a huff, leaving the remaining female sobbing.

Would you ask if you can help her?

Suppose the sobbing woman tells you she is going to be fired for forgetting her security card.

Would you take her to the elevator and swipe her in? Or would you walk her over to security for a temporary pass?

How would you feel when you discover that neither the man nor the woman works in your building, and the entire scene was a setup to get her onto the C-suite floor?

You’d feel just as stupid as anybody who’s ever fallen for the lies of a phishing email.

Chris Hadnagy and Michele Fincher of Social-Engineering Inc specialize in performing such scenarios when testing their clients' users, as well as training folks like us how to act when similar situations arise.

Presented in lighthearted, humorous, easy-to-read language, their book Phishing in Dark Waters prepares you for everything you’ll need to know about phishing, especially if you think email security is boring.

Yes, Chris and Michele have made phishing fun and enjoyable to learn.

They do it through personal anecdotes, humor, and by making the psychology of phishers and their victims easy to understand.

Starting simply with what a phish is, they move on to the psychology of why phishing works, and the principles behind it, explaining so well that basic users can grasp the concepts.

They’ve divided phishing into levels, so you can begin with the easiest to find, and work your way up as you learn more.

You’ll recognize some of the examples from breaches that were large enough to make the mainstream news.

If you use email, you need this book.

Note: Other than an autographed copy from the author at SC Congress, Securebuzz received nothing for this review.
