A Hunting We Will Go

This weekend, in my midnight forays on Twitter (I do sleep, just not when you think I do), I discovered these graphs. As they say, a picture is worth a thousand words. These are worth far more because they visually represent high-level concepts on attackers and hunting. All credit goes to Jack Crook @jackr on Twitter, whose site is findingbad.blogspot.com.  We know how this game is played, that the attackers have been living in our networks far longer than we realized. Defence isn’t passive. It can’t be. We need to be actively monitoring all the things. We need to be expanding the Cyber Kill Chain past the perimeter and into the depths of our realm, to play this game of cat and mouse.

I’ve been pursuing my love of threat intel over these past months, and shared my learnings via talks at my local DC416 chapter, and then – fireworks and music – at Wall of Sheep at Defcon this year. OMG!  Reading Jack’s work just fires up my urge to learn more, and these depictions show what I want to say so very well.

“Enumeration”. Per Jack

Enumeration is an attacker need. They need to know where they are, where they can go, where’s the data they’re after.

“Credentials”. Jack says

Attackers need credentials if they’re going to move laterally within your network. Here’s some ideas to go digging for.

“Powershell”. Jack adds

Here are some additional things to think about when looking at Powershell

And I saved the best for last! How will they execute?

Process execution is an attacker need. There’s opportunities for developing creative ways to find when malicious.

Thank you, Jack, for sharing this wisdom. And thank you for reading!

Gone

Someone I love is gone. Depression claimed another star from our infosec universe. He was funny, brilliant, so very special. There was so much more to him than most will ever know. I will forever be glad for what we shared. But now there is only grief, loss and pain increasing with each moment as the reality takes hold. Please make it not be true.

Live from Vegas! Hacker Summer Camp is this Week!

3 cons. 4 talks. No sleep. Lol. Well I did get some finally. It has been a whirlwind and I love it. Every glorious second!

BSidesLV has been the best yet. 3rd year for me. Volunteered as speaker liaison, which I love because I give talks. It’s about helping them feel more confident, ready to step up and own that moment. I also had the early bird shift in the lobby as greeter. Since I am a morning person, 6:00 a,m Vegas time was fine with me. Besides, you can’t beat watching the sun come up over the desert hills.

I was a mentor to a terrific speaker. BSides has the Proving Grounds track to encourage and enable folks to give talks. It’s how I got started, and I will forever be grateful.  And mentoring is mutually rewarding. I’ll do a separate post on it because I think it’s so vital.  My mentee, Karolyn Bachelor, gave a great talk on how to ask the right questions for the right answers. Way to go! I’ll post links.  And my other mentee from home, Nitha Suresh, gave her first talk at Proving Grounds as well. I am thrilled for both of them!

womenbsideslv

And I had fun again this year, giving my talk in the Underground Track, picking up where I left off last year on How to Rob a Bank. This year was “Banking on Insecurity”, because the hits just keep on coming. The room was packed and my opening line went something like “Holy sh*t!” lol! We had lots of interactions and laughs about some very serious and even controversial topics in the realm of finsec and cyber security. Honestly, it was better than I could have wished for!

Now, I have two full days ahead of the little con that could. The Diana Initiative is about encouraging, empowering and supporting women in InfoSec and Tech. It rose from the ashes of what was TiaraCon, of which we will say no more.  This event comes from the heart, and what I will say is that we were so moved by the belief in what we were doing by the attendees from last year. Failure was not an option. There were people counting on us to deliver and we have made it happen. Oh my god this community and their support is amazing. Truly. I am grateful beyond words for the generosity shown.  And as being part of this extraordinary team, who pulled together, gave up sleep, work, life to make this happen – I am so blessed. Resilience. Strength. Determination. We are gonna change some lives, make a difference and have a great time doing it. The Diana Initiative – this Con is on!

Book Club: Defensive Security Handbook Chapter 1

Welcome! To recap. We’ll be working through this book together to learn and grow our Blue team skill. Cuz the best offence can be a proactive defence. This book is a fantastic resource, especially for those who are starting out, or need a good overall reference. Based on my real-world experience,I believe it should be a desk reference, and part of any security curriculum. I am going to go on Amazon and say that infact!

Now. Chapter 1: Creating a Security Program. That does not just magically happen. And yet, we really wish it could because everyone needs a good security program in place. If you’ve ever tried to clean your kid’s room, you’ll understand how daunting this can be. Where do you begin?  Well, as our insightful authors Amanda and Lee point out, we don’t need to reinvent the wheel. They’re right. They refer to the NIST framework, which I can tell you I get to use on an almost daily basis when doing security audits (let’s not go there, ok?) You want to work from best practices, existing and proven standards that are used to hold organizations accountable ie compliance standards.  Good news! Amanda and Lee will take us through all that fun in Chapter 8.

So Point 1: Have the right team in place. You need the right people in the right role to make the right decision.  The book recommends establishing 4 main teams: Executive, Risk, Security and Audit.  I will tell you from experience that if you don’t have Exec buy in from the get go, you will find yourself spinning your wheels. How do you get that? Speak to the suits in their love language – Risk. And you need Audit to bring the flowers &b chocolates to their door. And yes – this is from my daily reality. Plus, audit lets you put everything down, and organize it, which makes it easier to track things, and reorganize things. Because you cannot secure what you don’t know.

Point 2: Set a Baseline.  I love talking about threat intel (holding back – self-control) and how to make it relevant. This is how you make it relevant. What’s your normal? That’s your baseline. Because how else will you know something went bump in the night? The attackers are wery wery quiet. And believe me, they are in your network like those darn carpenter ants are in the woodwork. So this will be a fact gathering mission, and you want to do it well, Plus set it up with automation, and updates. SInce Asset mgmt is the next chapter, so we’ll leave that alone for now.

Point 3: Threat/Risk Assessment. This is challenging, and a learning process for those starting out. The concept of risk and being able to articulate it to business is way hard, I’ll be honest, and I am very good with words. What we in security think is a threat has to be explained in terms relevant to the organization we serve. That’s the crux right there. It’s not what we think so much as what they understand. And true – unless it negatively impacts the organization’s bottom line or existence then even if we think it is a risk, it isn’t.  So, you need a parlay with the suits to know how the organization is defined in terms of threat and risk. Then, when Patch Tuesday comes, you can look at what is critical and determine if that is critical to your organization and why as you justify the need to make adjustments to your regular patching cycle (real world). 4 steps process: Assess, Mitigate, Monitor, Prioritize.

Point 4: Practice and Prepare. Are you as ready as you think?  So, I like to talk about why everyone, everyone needs a good Disaster Recovery/Business Continuity plan in place. And that means one that has been tested, so that people know how it works, and how they work with it. Let your inner kid come out for this because you need to play “What If” to do this right. There are things called Table Top Drills that are so good especially for addressing ransomware and DDoS scenarios. Or Sharknado. Lol! As stated in the book “testing of tabletop exercises and drills can serve as a proof of concept”.  Amanda and Lee are right on the money by stipulating your need participants from across the org like HR, Legal, Marketing, Finance etc. Infact, they provide such a good explanation you should be able to go do one.

Now, I love that the book has used a great tool, the Intrusion Kill Chain, to explain how to think through an event scenario. I happen to be a HUGE fan of the Cyber kill chain (Lockheed Martin),  the extended cyber kill chain, and ATT&CK matrix by MITRE.

Point 5: Learn and Grow. The chapter finishes by encouraging us to expand our knowledge and skills through home labs and projects, CTFs, conferences and mentoring. I have done all of these and YES! It’s not hard to do and so rewarding you’ll want to make time. Because my friends, learning never stops in InfoSec. To paraphrase the wise and wonderful Leslie Carhart aka @hacksforpancakes (on the July 11 Down the Security Rabbithole podcast) “It never stops. This job never stops. And if you want to be good at it, if you really want to be good at it, you can’t stop.”

Because it’s not just what we do, it’s so much about who we are. Til next time!

 

Blue Team FTW!

Time to do some learning. There are things we can be doing better. Things we can be doing right. And with the help of two very good friends, Amanda Berlin and Lee Brotherston, we are going to batten down these hatches and secure the *&$@ out of our fortresses.

As stated in the Foreward, “the red teams get all the glory.”  And it’s true. For blue teams it feels lonely and unappreciated, but there is so much truth in this:

“Doing defense is a vital, noble and worthwhile pursuit”

It’s easy to get turned around by hype. We follow the direction the noise is making, and tbh vendors make a lot of noise.  What we need to do, and have known for so long, is not to be dazzled by the shiny, blinky boxes. As so well said by Andrew Kalat:

Security Vendors will often define the problem set as the problem they can solve with their technology, not necessarily the problem an organization actually has.

So here’s to taking a more holistic view, as this excellent guide advocates, and understanding how all the pieces need to work for this particular machine. We’ll share Chapter 1 next.

 

Petnya Post-Mortem: Wiper, not Ransom

This wasn’t just another ransomware attack. It marks a pivot. Because these are the games nationstates play. With collateral damage and no impunity because attribution is hard. We left brick and mortar behind some time ago, when the battlefield moved to cyberspace, where there are no boundaries. Moreover, whatever previous rules of battle we followed do not apply.

There was a one-two punch, with the events out of the Ukraine Thursday morning.  Absolutely things were connected and we need to remember that going forward. Bigger picture. Because a lot is at play right now. From my vantage point, as a Poli Sci grad, cyber security is intrinsically tied to whatever is going on in the larger arena. National security. Global security. The whims of the powers that be dictate their machinations of technology, which has become their new and shiny arsenal. They’ve been at it for a while now, but unlike conventional physical battlefields, we don’t witness what plays out until we’re impacted.

What’s critical to me is that this attack was presented as ransomware to throw us off. As described by The Grugq:

This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of “ransomware.”

This was actually a targeted attack against Ukraine, using malware that was highly destructive. This attack was never about making money. It was all about taking down systems and taking away access to essential service, as per this illustration from the blog post by The Grugq :

 

 

 

 

 

 

 

 

 

Think CIA – confidentiality, integrity, accessibility. Ransomware and wiperware go after accessibility. And in our world, downtime can equal death, figuratively as well as literally (think hospitals and critical infrastructure).  As Leslie Carhart says:

Blood is in the Water -Not only have criminals found that ransomware is a great money-making scheme, but nation states and terrorist organizations have realized pseudo-ransomware makes a misleading and effective weapon. A weapon that can cause collateral damage, globally.

 

 

 

 

 

 

There have been some excellent reviews of what this attack was about, and how the Eternal Blue exploit released via ShadowBrokers was yet again leveraged against unpatched systems. Key takeaways were:

  • Unpatched systems will continue to be our undoing and exploited. We’re more at risk now because of that cache of exploits being lobbed at us monthly via the ShadowBrokers.
  • Lateral movement within networks works for attackers and infection spread. Segment. Segregate. Flat networks are an attacker’s dream.
  • Multiple infection vectors. There were as many as 4 ways for the target to be compromised.
  • Backup and test how those restore. Don’t assume anything. And keep backups off the main network
  • Windows.  Everyone uses it. Powershell. Sysinternals. AD. PSExec. Let’s keep learning about these because the attackers sure as heck know what they can do with them.

We know what er are not doing well. It’s catching up with us. Let me end with these words of wisdom by Leslie:

Defense in depth, including human threat hunting and effective detection and prevention at many points, is key. This will involve policy and financial buy-in from many lagging organizations at a new level.

And this sums it up:

 

 

 

 

 

 

These blog posts say everything I could ever want you to know, only better. Please read them:

The Grugq: Pnetya: Yet Another Ransomware Outbreak  .

Leslie Carhart @hacksforpancakes:  Why NotPetya Kep Me Awake (And You Should Worry Too)

Cisco Talos Blog: New Ransomware Variant Netnya Compromises Systems Worldwide

TiaraCon 2017 – Alliances!

 

YES! TiaraCon 2017 is a thing and  I will be part of this wonderful event again this year. July 27-28 in Vegas. We want to celebrate and encourage women and diversity in our field. We’ve heard moving stories about how attendees were inspired to go for their dreams, and to feel safe and accepted. This time we are at a new location, to be close to DefCon and where the action is: Caesar’s Palace Hotel.

Updates: Our first CFP was a tremendous success and all the acceptances have been issued. Now I must do the hardest part, which is send out the rejection letters. I’ll be crafting those carefully, because people really deserve to hear thank you.

Funding: It takes a lot to make change happen. Any amount helps us to make a difference. Visit our GoFundMe

Registration: Visit our site and sign up otherwise you won’t be able to get in. And you know you want that tiara 🙂