Post A2J0kPc3G79RPRTXhg by adam@hax0rbana.social
(DIR) Post #A2J0ACL58IdZohGn4K by adam@hax0rbana.social
2020-12-17T22:08:18Z
0 likes, 0 repeats
Well, I doubt many people will continue claiming that software supply chain attacks aren't a real threat. Now there is news that it wasn't just SolarWinds that was backdoored, there was at least one additional method of initial access. No word on what it was, but I'm guessing it'll turn out to be another supply chain attack.

Source: https://arstechnica.com/information-technology/2020/12/feds-warn-that-solarwinds-hackers-likely-used-other-ways-to-breach-networks/

When I wrote about this previously, I suggested companies check for these things. I stand by that suggestion.

https://hax0rbana.social/@adam/105380015560365645
(DIR) Post #A2J0kPc3G79RPRTXhg by adam@hax0rbana.social
2020-12-17T22:14:52Z
0 likes, 0 repeats
With 18,000 customers affected by the SolarWinds backdoor, it is amazing it didn't get caught earlier. Just one of those customers might have tens of thousands of people in technology related roles (security, infrastructure, desktop support, sysadmins, devops, etc.). Sure, some of these companies care about security more than others, but it's unreasonable to assume that all these customers were negligent. So how did this happen? Why didn't anyone catch it sooner? I have a theory...
(DIR) Post #A2J1DDR9bhe02q73g0 by adam@hax0rbana.social
2020-12-17T22:20:04Z
0 likes, 0 repeats
Some companies have acceptance testing, where they vet the software to make sure it isn't going to cause any trouble. Sometimes this includes security testing. The 2-week dwell time before the malware called out to a C2 server would get past this type of review.

This type of testing is still worthwhile, as it will find software incompatibilities and can detect when the software isn't doing something that it should. It's best to find these things before deployment.
(DIR) Post #A2J2Tgv9r1LI4iZDNI by adam@hax0rbana.social
2020-12-17T22:34:15Z
0 likes, 0 repeats
The system that would detect this is the same thing that would detect vulnerabilities that were exploited in SolarWinds: monitoring in production. But for some, SolarWinds **is** the production monitoring system. There may not be anything else.

Let's generalize: if your tool to monitor netflows is compromised, how would you even know? You likely wouldn't see the software calling out...

If you have one technology provider for everything, the answer is: you can't.
(DIR) Post #A2J2zpe2xCrQOmtBtw by adam@hax0rbana.social
2020-12-17T22:40:03Z
0 likes, 0 repeats
Having a homogeneous environment means there is a single point of failure for all your tools. If that company were compromised, all their tools could conspire to conceal their malicious activity.

The good news is that it's not as grim as it first appears. This is because while you may use 100% Cisco networking gear, all networking gear is generally considered to be potentially compromised. That's why we use TLS (HTTPS) everywhere. We know adversaries might have access to it.
(DIR) Post #A2J3Ypj2e8ESmfuoxU by adam@hax0rbana.social
2020-12-17T22:46:23Z
0 likes, 0 repeats
This means that your hardware firewalls can restrict traffic, but your software firewalls can duplicate this effort. The software firewall will be from Microsoft, or Linux, or OpenBSD or whomever, but it's unlikely to be the same as the hardware firewalls. This means that unless both vendors are compromised, you should be able to detect when traffic that should have been blocked makes it through. It's not bulletproof, but it will catch most of these attacks.
(DIR) Post #A2J48RQyRFjbs2RZLM by adam@hax0rbana.social
2020-12-17T22:52:49Z
0 likes, 0 repeats
Next you can force software to use your own DNS servers. This means you will have visibility into all DNS queries, which will include those for C2s. This falls apart if the malware calls out directly to an IP address, but I have seen networks that block all traffic that didn't have a preceding DNS request (and trigger a log message). I'm not sure how it was implemented, but it was effective when we were testing it.

DNS queries are not tremendously useful for desktops, but they are for servers.
(DIR) Post #A2J4qLSrzgcG6AGWCu by adam@hax0rbana.social
2020-12-17T23:00:45Z
0 likes, 0 repeats
Servers will be responding to requests from all over the place, but they shouldn't be initiating much traffic. Typically it's ARP, DNP, NTP, a syslog server, possibly your mail server and automatic updates. If you are not using static IP addresses then there will also be DHCP (IPv4) or Router Solicitations (IPv6). The destination addresses should be from a small set for each protocol. Many of these can be to your servers, which means you have a lot of insight and control.
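The egress baseline this post describes (a small allowed destination set per protocol) and the previous post's idea of flagging connections with no preceding DNS lookup, as an added example checker that is not the author's tooling. The flow records, DNS log and allowlist are constructed; the 60-second freshness window is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: outbound flows initiated by one server, plus its DNS answer log.
# Flow fields: timestamp (seconds), protocol label, destination IP, destination port.
FLOWS = [
    (100, "ntp",    "10.0.0.5",       123),
    (105, "syslog", "10.0.0.9",       514),
    (110, "dns",    "10.0.0.2",        53),
    (120, "https",  "93.184.216.34",  443),  # update mirror, resolved via DNS at t=118
    (130, "https",  "198.51.100.7",   443),  # no DNS answer preceded this connection
    (140, "ntp",    "203.0.113.44",   123),  # NTP to an address outside the allowed set
]
# DNS answer log: (timestamp, queried name, returned address)
DNS_LOG = [(118, "updates.example.com", "93.184.216.34")]

# The "small set for each protocol" a server is expected to talk to (assumed values).
EXPECTED = {
    "dns":    ["10.0.0.2/32"],
    "ntp":    ["10.0.0.5/32"],
    "syslog": ["10.0.0.9/32"],
}
DNS_WINDOW = 60  # seconds a DNS answer stays "fresh" for a later connection (assumption)


def resolved_before(dns_log, dst_ip, ts, window=DNS_WINDOW):
    """True if dst_ip appeared in a DNS answer within `window` seconds before ts."""
    return any(t <= ts <= t + window and answer == dst_ip for t, _, answer in dns_log)


def check_flows(flows, dns_log, expected=EXPECTED):
    """Return (timestamp, reason) for each flow that breaks the server's egress baseline.

    Protocols with an allowlist are checked against it; anything else must have been
    preceded by a DNS answer for the destination, otherwise it is a direct-to-IP callout.
    """
    findings = []
    for ts, proto, dst_ip, port in flows:
        ip = ip_address(dst_ip)
        if proto in expected:
            if not any(ip in ip_network(net) for net in expected[proto]):
                findings.append((ts, f"{proto} to unexpected destination {dst_ip}:{port}"))
        elif not resolved_before(dns_log, dst_ip, ts):
            findings.append((ts, f"{proto} to {dst_ip}:{port} with no preceding DNS answer"))
    return findings


if __name__ == "__main__":
    for ts, reason in check_flows(FLOWS, DNS_LOG):
        print(f"t={ts}: {reason}")
```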
(DIR) Post #A2J5YzuCzrBKGWLR7A by adam@hax0rbana.social
2020-12-17T23:08:49Z
0 likes, 0 repeats
So why weren't people doing this? It comes back to what I was saying before about software calling out to a bunch of sketchy domains and that just being standard operating procedure. https://hax0rbana.social/@adam/105380036944188533

Determining which requests are expected is not necessarily difficult, but it is time consuming and requires that analysts know what to look for.

Disclaimer: GRIMM's training practice falls under me, so this may be a bias that I think people should get the training to recognize these things.
(DIR) Post #A2J5wEhc9GKAokXE2q by adam@hax0rbana.social
2020-12-17T23:13:01Z
0 likes, 0 repeats
I'm a security person through and through, but I can say it probably doesn't make sense to go to this level of effort for every system in your organization, and probably not even every server.

Focus on the systems that have the most value to your organization. Do NOT measure security based on the value to the attacker, measure it in relation to impact to your organization. That's how you determine the value to you and can limit the costs accordingly.
(DIR) Post #A2J6MnMzsVS1rkYW4O by adam@hax0rbana.social
2020-12-17T23:17:49Z
0 likes, 0 repeats
This means systems that can do things like: move money, launch the rockets, access your customers' communications (which could destroy trust in your products/services/company).

If you have those under close watch, have tested your detections, and are confident that they are working as they should, then you can consider expanding scope to include more systems, or maybe even reduce the security budget because there's not much more to build. Perhaps your tech debt has been paid.
(DIR) Post #A2J705RUcQTZD7OVHM by adam@hax0rbana.social
2020-12-17T23:24:55Z
0 likes, 0 repeats
You may have noticed that I have focused on what the customers can do, not what the vendors should be doing. The reason is that these are the things you control and just blindly trusting vendors isn't going well.

There are a lot of things I recommend to the vendors on how they can detect these things before they ship, rather than being notified by a customer or hearing about it in the news. That's part of my day job and the suggestions are tailored to the specific environments of my clients.
(DIR) Post #A2J7eqSFFRZobEBHmq by adam@hax0rbana.social
2020-12-17T23:32:17Z
0 likes, 0 repeats
I also have been implementing these things on my home network with almost entirely open source tools. It doesn't get the level of effort that I'd like to spend on it, but that's largely because I spend most of my time at work. This type of work requires large blocks of uninterrupted time to get into the details and make sure nothing was missed. I have a lot more of that for my clients than I do for myself, sadly.

At any rate, I hope you enjoyed my thread and learned something useful. 🙂
(DIR) Post #A2KdaUWQF6176r3wp6 by Cherylb@raggedfeathers.com
2020-12-18T17:04:43Z
0 likes, 0 repeats
@adam Again, thank you for your time and well done!