June 19, 2017
This last week I was fortunate enough to be invited out to Hollywood to participate in a large exercise for the entertainment industry focusing on cyber security planning and threat management. There were folks in attendance from a variety of organizations, all of which were very interested in just how exposed they might be to data theft. The resounding call from nearly every executive that I talked to during this event was that they were aware of how exposed they likely were, and that they were extremely worried about who would be next to have their movie or TV show leaked to the public.
If bricks were words you could have built the Great Wall of China with the number of conversations I had about ransomware and data theft. So obviously everyone there got the concept of the problem and everyone also grasped the realities of the threats. Super, but when I and a few others started asking the questions about who was managing this space for them and who specifically was enforcing the rules to protect that data and those networks, only 2 answers came up: “IT” or “The Network Guys”. There was no CSO. There were no cyber security players who were tasked with protection and operationalizing the tools that had been purchased to protect that critical data. When asked “where is your data, and how are you using encryption to combat the threat of ransomware?” I got the look of a deer standing on top of another deer wearing roller skates in the headlights of an oncoming 18-wheeler, from nearly everyone. I’m pretty sure I saw a few of the federal security guys (FBI, Secret Service) giggling in the back of the room as these questions were asked. It was painful to see the concern on those leaders’ faces when they realized they had no real plan in place, and that they had basically farmed out their future to “IT”. Suddenly they knew that what they had done was read some ads and heard some stuff from talking heads on TV about ransomware and then they tasked their “IT” folks with buying a bunch of solutions to “fix” the problem. So, someone on those teams bought some end-point stuff and some other stuff touted as being anti-ransomware technology, and a SIEM tool (which was never configured by the way), and a whole lot of other technology and they pushed it to the appropriate whatever and bingo bango bongo…Problem solved.
One organization was willing to be a sacrificial lamb for the week and selflessly tossed themselves on the sword for us to attack. Before we even started the technical operations though, the red team knew we were going to have a field day. The target organization told us that they had a “liberal” BYOD policy, everyone was admin on their machines (mostly Macs), and that they had a very weak asset management protocol in place. Anyone could plug anything in as they needed to get work done.
Pretty sure I smiled like this before we started testing…
I got my machine, powered up Kali Linux and started poking around a target system (with the group’s permission of course) and in about 4 hours I had found and logged into (via brute force attack) 1 server (with pre-production material on it) and 6 wirelessly enabled printers that were great conduits into the network. In half a day, I was in the network and could go after whatever I wanted. Easy. We also took a USB enabled hack tool with a malicious shell compiled for a Mac attack enabled and got a command level shell with our off-site attack server. We now had admin privileges on every box we touched. That shell slid right by their end-point security and worked on EVERY machine we plugged it into. We had command and control of quite a few systems and could exfiltrate data at our leisure, and we weren’t even there to do a pen test. Heck, most of our team was looking up “how to’s” on the attacks we were using. It was not a Nation State level attack; it was a higher level script kiddie attack at best.
This industry, just like many others, is trying to do the right thing: be secure. But the reality of the types of attacks and the methods that are used is that the strategic implementation of technology to secure things is what makes the difference, not the technology itself. Having the “IT” or “Network Guys” put anti-virus on end-points and segmenting networks is a good step, but it doesn’t stop an attacker or protect the crown jewels. Had these folks used encryption, asset management, Zero Trust concepts, and an operational command and control of their data and their networked assets they would have at least been cognizant of the attacks we launched, and they would have been able to protect their IP. Because they didn’t OWN their assets, network, or data perimeter they were easy pickings for a guy that hadn’t been on keyboard for a red team in nearly 5 years.
When it was all said and done the executives and leadership in the room got the concept of real protection based on strategy, not technology wizardry.
Simple strategic concepts were needed. Protect the data, use encryption. Define the perimeter based on data, not the network edges. Enable logging and have someone tasked with network awareness. Role based access control and least privilege. Observe and enforce security policies. Asset management and default configuration removal.
Embracing the fact that success or failure in this space is based on how well we all do the simple, small things is where the difference is made. Simplicity is a strategy, and it works.