
Injecting Automation into your Vulnerability Management Program

Presenter:

David Busby

Transcript:

Okay. So some of the objectives that I want you all to get out of this, hopefully we get a few laughs.


You'll see some stuff. Maybe be a little more effective and efficient at utilizing information already in your environment. Some new ideas; certainly come up with a few. And one thing is enhancing your communication effectiveness, because when you start talking to other people about security and that's not their passion, like me talking to my wife, that's the best way to get her to go to sleep in a hurry.


Bring up security. So that's my son's dog, his way of apologizing to me. Oh, okay. So a lot of vulnerabilities and silly things and directions on it. You don't have to. Wow. Okay. Is that better? Yeah. All right. So one of the core pieces of vulnerability management is the asset inventory piece, right? It's a huge topic of debate.


What exactly is an asset? Most of the business is going to consider physical assets, right. So they wouldn't necessarily consider something like a DNS record an asset. I always did, because when I was pentesting or hacking something, if I can take over part of the DNS records, I still own you. So some of the pillars that I operated with: I did endpoint.


I've done firewall, network team, but you've also got a lot of stakeholders you've got to deal with.


Asset information. So you've got DHCP logs. Gives you a lot of information. You've got firewalls like Palo Alto or any of the other ones out there. You get a lot of data from that. You've got network management like Infoblox, tools like this, domain controllers, all the cloud subscriptions. You can pull tons of data from these guys.


What you don't get is a lot of the business information. So you don't know that one DNS record or one asset is more valuable than the other. You don't get how important it is for the business to keep operating. You don't often get stakeholders, so you're going to have to build that somewhere and correlate it and figure out what's going on.


If you start asking the business owners, "Hey, is your application important?" I guarantee you, as we spoke about, they're going to say yeah. So start looking at other things. Look at their disaster recovery plans. Look at how much money they spent to get back up and running should something go pear-shaped. That'll actually give you more information about how important it really is.


Because they put money towards it. So what now?


Well, that went forward too quick. So how can we use all these disparate sources? Right. How can we optimize, tune and enhance our program? That's what this is about. So scripting and APIs. I'm kind of an old-school programmer and scripter and did a lot of it. Most everything has some kind of API interface, or you can kind of make one.


Word of caution, though, and I tell this to companies I've worked with: you've always got to use caution with the scripts. It's still code you write. It's still got to be maintained. There's bugs in that, too. It's just like any other software development, except a little looser. And I do it in the dark and sometimes with a little alcohol.


Yeah. No documentation. You don't want to do that.


Okay. Some of the benefits. So you can tailor the functionality, right? You could write the script to do whatever you want. If you want to stick a function in there to do something with a DNS record or an IP address, to change the color or add some extra information to it, you can do whatever you want.


Of course, the increased efficiency, right? I've done scripts where now I don't have to do that job anymore. I'll automate myself out of it, hand it off to somebody else, or I can do it a lot faster. Like, instead of hacking one machine, I can scan thousands of machines in a fraction of the amount of time, because I'm using the CEO's computer to do it.


Enhanced flexibility. Again, those scripts can be modified as your needs evolve. But if you're dependent, and this is going to come up again, on, say, a vendor's firewall, well, they'll do an upgrade and break the API and they won't tell you that. You'll have to find out. Competitive advantage. This comes up quite a bit. It can give companies a pretty big competitive advantage, because your program is going to adjust dynamically to their business needs.


No one had to tell me, "We've added a new subnet." I'd find out within four hours that a new subnet had been added and someone was throwing Raspberry Pis on it. That happens. Some of the detriments. Again, you've got development time and cost, right? It costs time. It costs resources to develop this stuff, but not the documentation. That's quick.


You've got the maintenance burden. You get woken up in the middle of the night. Your script isn't working. It's created 10,000 tags. You've changed the code. Whatever the case may be.


You've still got the risk of bugs and errors, right? I've knocked down plenty of systems. I've wiped out air conditioning systems in July. You have the dependency on developers. When I left the company I was working at, they had to hire two people just to replace me for one of my scripts. And I have no idea if they know what they're doing.


Yeah. Connectors. Now, this is a little bit newer, but some of the scanning tools that I've used, like Tenable, Qualys, they're now building connectors in to talk to those APIs for you. They're using the same thing. They're just using, like, AWS or Azure's APIs to get data, or Palo Alto or whoever. So you can use the same thing.


A lot of times they still give you a list of assets, but they're still not going to get the business side of it. Right. It just doesn't exist. It may be incomplete, because if they're connecting to, like, the domain, well, that's not always going to get your cameras. It's not going to get those little panels outside conference rooms, which, by the way, are really cool because they download Java packages that aren't signed many times.


You have more than one domain. If you're into the OT stuff, all that stuff, you don't want to connect it to the corporate domain. So you may have domains that aren't connected to the main one. So you may not see any of that stuff.


So now I'm going to go through a couple of use cases I did, or war stories. So we had an issue where externally exposed assets are more at risk, but security and IT are not informed. Imagine that. So the process for getting something exposed probably needs to be reviewed, right? What is the company's process for this? Now, what I started doing is looking at firewalls, connecting to, say, Palo Alto.


And I could tell when a new rule was created or modified and use that information to start scanning, via API calls. It allowed me to start scanning subnets and IP addresses as they were being added without anyone being told, sometimes blocking them too. You may scan it. You may not find the asset the first time, because they will create the rule first.


And then they've got to go back and put the asset out there. Otherwise it won't work. Right. You've got a chicken-and-egg scenario. So a lot of times you want to set those up for scheduled scans, so you keep assessing it.
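

Editor's note: the rule-change-driven scanning the presenter describes, as an added example; this is not his script and not Palo Alto's API. It assumes two simplified rule snapshots (a constructed `Rule` record, with zone names `untrust`/`internet` standing in for the internet-facing zone), diffs them to find what a rule creation or modification newly exposed, and keeps rescanning targets that do not answer yet, which is the chicken-and-egg case above. The `demo_probe` function is a constructed stand-in for a real port check.

```python
import ipaddress
from collections import namedtuple

# Simplified rule record (assumption: not Palo Alto's real object schema).
Rule = namedtuple("Rule", "name action from_zone to_zone destination services")

# Assumption: zone names that mean "reachable from the internet" in this example.
UNTRUSTED_ZONES = {"untrust", "internet"}

def _addresses(cidr):
    """All usable addresses in a prefix; /32 and /31 have no network/broadcast."""
    net = ipaddress.ip_network(cidr, strict=False)
    return list(net) if net.num_addresses <= 2 else list(net.hosts())

def exposed_targets(rules):
    """(ip, tcp_port) pairs that an allow rule from an untrusted zone reaches."""
    targets = set()
    for r in rules:
        if r.action != "allow" or r.from_zone not in UNTRUSTED_ZONES:
            continue
        for svc in r.services:
            proto, port = svc.split("/")
            if proto != "tcp" or not port.isdigit():
                continue
            for ip in _addresses(r.destination):
                targets.add((str(ip), int(port)))
    return targets

def new_exposures(old_rules, new_rules):
    """Targets present in the new snapshot but not the old one, i.e. what a
    rule creation or modification just opened up."""
    return sorted(exposed_targets(new_rules) - exposed_targets(old_rules))

def schedule_scans(targets, probe, max_attempts=3):
    """Scan each target, retrying ones that do not answer yet: the rule is
    usually created before the asset is deployed behind it, so a single scan
    right after the change often finds nothing."""
    results = {}
    for target in targets:
        for attempt in range(1, max_attempts + 1):
            if probe(target, attempt):
                results[target] = f"scanned on attempt {attempt}"
                break
        else:
            results[target] = "no response; keep on scheduled rescan"
    return results

# Constructed rule snapshots taken before and after a change.
OLD_RULES = [
    Rule("web-dmz", "allow", "untrust", "dmz", "203.0.113.10/32", ("tcp/443",)),
]
NEW_RULES = OLD_RULES + [
    Rule("new-portal", "allow", "untrust", "dmz", "203.0.113.20/31", ("tcp/443", "tcp/8443")),
    Rule("mgmt-ssh", "allow", "trust", "dmz", "203.0.113.0/24", ("tcp/22",)),  # internal only
    Rule("block-db", "deny", "untrust", "dmz", "203.0.113.30/32", ("tcp/1433",)),
]

def demo_probe(target, attempt):
    """Constructed stand-in for a port check: .20 answers at once, .21 only
    once the owner has actually deployed the box (third attempt here)."""
    ip, _port = target
    return ip == "203.0.113.20" or attempt >= 3

if __name__ == "__main__":
    for target, status in schedule_scans(new_exposures(OLD_RULES, NEW_RULES), demo_probe).items():
        print(target, status)
```

In production the two snapshots would come from the firewall's API or a config export taken before and after a change ticket, and `probe` would be a real connect or a scanner job; the diff is what lets the scan be triggered without anyone filing a notification.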


So another one: I had thousands of vulnerabilities identified, but you don't have asset information related to the business. So you don't know how to prioritize anything. And if anyone's done vulnerability management, you've seen vulnerabilities. They're just everywhere. So a lot of the scanners now try to use asset information to aid in calculating severity, calculating the finding. There's one from Microsoft for a bypass that's going around right now.


Well, if it's on an internal asset only that's never exposed to the internet, not so much of a big problem. But if I phish you, now my stuff is still on your machine. So I wrote a script that used business logic pulling from ServiceNow to get the business information that they were entering, that allowed me to prioritize data.


Right. But it wasn't in the tools. It allowed me to do this kind of thing. It also prioritized scanning; some assets got scanned faster. But it's really... So, network topology. This is one of my bigger ones. So in the company I was at, we had a huge network, always changing. People all over the world had authority to bring up and decommission subnets.


So we had Infoblox at the time. So I wrote a script to crawl the Infoblox server, find every subnet that was built in the company, and I could quickly assess it for what country it's in. So I knew what scanner to use. I knew how many assets were in there. I knew who the contact was and where they screwed it up, which they did often, you know. But that was a big one.


It would run for probably about 15 minutes to crawl the entire network and tell me what's new. So, needing to ensure the web applications are being scanned. This was a fun one. So I did stuff pulling DNS logs to look for new DNS entries popping up, started querying for what services those things are pointing to. Is there something running out there that they didn't tell us?


You would often find web servers not running on 443. They're running on 8080 or 8443 or 9000 or something like that. But I would trigger Nmap scans this way, and those scans would run a lot faster than the traditional vulnerability scanners, because it didn't have all the overhead. And I could be a lot tighter in my criteria.


Then I could feed those results to the big vulnerability scanner automatically, add that, to do web application scans across those applications.
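

Editor's note: the hand-off from a tight Nmap scan to the web application scanner, as an added example; it is not the presenter's script. It builds the Nmap command line for a freshly seen hostname with a candidate port list (an assumption to tune per environment), then parses Nmap's `-oX` XML to pull out HTTP services on non-standard ports as URLs for a web application scan, and separately lists open ports Nmap could only name from its port table (`method="table"`) for manual triage. The XML is a constructed fragment in Nmap's output format, trimmed to the elements the parser reads.

```python
import xml.etree.ElementTree as ET

# Nmap service names (nmap-services / -sV probe names) that mean an HTTP server.
HTTP_SERVICES = {"http", "https", "http-alt", "https-alt", "http-proxy", "http-mgmt"}

# Ports to hand Nmap when a new DNS name appears (assumption: tune per environment).
CANDIDATE_PORTS = "80,443,8000-8100,8443,9000-9100"

def nmap_argv(hosts):
    """Command line for a fast, targeted service scan of freshly seen names."""
    return ["nmap", "-Pn", "-sV", "-p", CANDIDATE_PORTS, "-oX", "-", *hosts]

# Constructed Nmap XML output (-oX), trimmed to the elements used below.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sV -oX -">
 <host>
  <status state="up"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <hostnames><hostname name="intranet.example.test" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" method="probed"/></port>
   <port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Jetty" method="probed"/></port>
   <port protocol="tcp" portid="8443"><state state="open"/><service name="http" tunnel="ssl" method="probed"/></port>
   <port protocol="tcp" portid="9000"><state state="open"/><service name="cslistener" method="table"/></port>
   <port protocol="tcp" portid="443"><state state="closed"/><service name="https" method="table"/></port>
  </ports>
 </host>
 <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

def web_targets(xml_text):
    """Return (urls, unidentified): URLs to feed a web application scanner,
    and open ports Nmap could only name from its port table, for manual triage."""
    urls, unidentified = [], []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        name = hn.get("name") if hn is not None else ip
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            portid = int(port.get("portid"))
            svc = port.find("service")
            svc_name = svc.get("name", "") if svc is not None else ""
            if svc_name in HTTP_SERVICES:
                # tunnel="ssl" is how Nmap marks HTTPS that it fingerprinted as http-over-TLS
                tls = svc.get("tunnel") == "ssl" or svc_name.startswith("https")
                urls.append(f"{'https' if tls else 'http'}://{name}:{portid}/")
            elif svc is None or svc.get("method") != "probed":
                # open, but the service name is only a guess from the port number
                unidentified.append((ip, portid, svc_name))
    return urls, unidentified

if __name__ == "__main__":
    print(" ".join(nmap_argv(["intranet.example.test"])))
    urls, unknown = web_targets(NMAP_XML)
    for url in urls:
        print("web scan:", url)
    for ip, port, svc_name in unknown:
        print("triage:", ip, port, svc_name)
```

The URL list is what would be posted to whatever web application scanner is in use; the triage list catches the "9000 or something like that" case, where Nmap saw an open port but could not fingerprint the service, so a human or a follow-up probe has to decide whether it is a web server.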


So, almost done, and I knew I'd go quick. So scripting and APIs can yield a lot of gains: a lot of efficiency, a lot of accuracy and additional information. It can help you adjust your program to how your business runs. You've got to kind of look at what all is going on, you know. Are they submitting firewall change requests? Get yourself injected into that process somewhere, either before or after or during.


If they're doing certificates, maybe you can look at that. There's protocols for that. You can grab a hold of those types of things. DNS: another issue we had was they would not decommission the DNS record, but decommission the resource the DNS record pointed to. Oh, well, what am I going to do? I'm going to spin up a resource that the DNS record supposedly pointed to.


Now I own it, right? So I wrote a script that would recursively do a reverse lookup on the DNS until it got to nothing left, and check to see if the resource was there. If it's not, hey, it's abandoned. See if this needs to be decommissioned. So that's some of the stuff. You've got to figure out new ways to get some stuff done.
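

Editor's note: an added example of the abandoned-record check described above; it is not the presenter's script. It walks each record's CNAME chain until it reaches an address, a name that no longer resolves, or a loop, and then flags two kinds of leftover: a CNAME whose target no longer exists (the takeover case, where an attacker registers or spins up the resource the name still points at) and an A record whose address has no live asset behind it. The zone and the asset inventory are constructed; in practice `lookup` would query a resolver or an IPAM export, and `LIVE_ASSETS` would come from the CMDB or a host-alive check.

```python
# Constructed zone: name -> (record type, value).
ZONE = {
    "www.example.test":     ("CNAME", "web-lb.example.test"),
    "web-lb.example.test":  ("A", "203.0.113.10"),
    "shop.example.test":    ("CNAME", "shop-prod.cloudvendor.test"),  # target deleted
    "old-api.example.test": ("A", "203.0.113.77"),                    # host decommissioned
    "loop-a.example.test":  ("CNAME", "loop-b.example.test"),
    "loop-b.example.test":  ("CNAME", "loop-a.example.test"),
}
# Constructed inventory: addresses that still have a live asset behind them.
LIVE_ASSETS = {"203.0.113.10"}

def lookup(name, zone):
    """Return (type, value) for a name, or None when the name does not exist."""
    return zone.get(name.lower().rstrip("."))

def resolve_chain(name, zone, max_depth=8):
    """Follow CNAMEs until an A record, a missing name, or a loop.
    Returns (status, terminal, chain); status is A, NXDOMAIN, LOOP or TOO_DEEP."""
    chain, seen, current = [name], {name}, name
    for _ in range(max_depth):
        rec = lookup(current, zone)
        if rec is None:
            return ("NXDOMAIN", current, chain)
        rtype, value = rec
        if rtype == "A":
            return ("A", value, chain)
        if value in seen:
            return ("LOOP", value, chain)
        seen.add(value)
        chain.append(value)
        current = value
    return ("TOO_DEEP", current, chain)

def audit_zone(zone, live_assets):
    """Map each abandoned record to a short finding; clean records are omitted."""
    findings = {}
    for name, (rtype, _value) in zone.items():
        status, terminal, chain = resolve_chain(name, zone)
        path = " -> ".join(chain)
        if status == "NXDOMAIN":
            # the name still exists but what it points at does not: takeover candidate
            findings[name] = f"dangling {rtype}: {path} ends at unresolvable {terminal}"
        elif status == "LOOP":
            findings[name] = f"CNAME loop via {path}"
        elif status == "TOO_DEEP":
            findings[name] = f"chain longer than limit: {path}"
        elif status == "A" and terminal not in live_assets:
            findings[name] = f"points to {terminal}, which has no live asset"
    return findings

if __name__ == "__main__":
    for name, finding in sorted(audit_zone(ZONE, LIVE_ASSETS).items()):
        print(f"{name}: {finding}")
```

The dangling-CNAME finding is the one to act on first: a record pointing at an unclaimed cloud hostname can be taken over by anyone who can register that name, and the organisation's own DNS then vouches for the attacker's server.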


Like I said, the custom scripts are not free. I wasn't allowed to post them. But they do incur some other costs. You've got the maintenance personnel. I was the one doing it. Technology. Again, some of the technology will change. You get upgrades to Palo Alto, you get upgrades to Windows, will break stuff. All kinds of things happen.


So it can become another thing that you get stuck doing because no one wants to take it over. So you might have to watch out for that. And sometimes later, that functionality you built gets built into the product. You don't have to do it anymore.


So hopefully there's a few questions, because I want to... Yes? "Do you have a recommendation for the vulnerabilities?" So, do I have a recommendation on the vulnerability scanning. Yeah, okay. So I used a variety of them. It kind of depended on what technology I was scanning against. So if you're looking at a web application, right, you might use Burp.


You might use AppScan. You might get different results. Also could depend on how the application was built. I personally like doing it manually, because I would find all kinds of really weird things that way. Stuff they probably don't teach anymore, like changing the user agent string in your browser. So I used to go to SharePoint sites.


If you go over there in your browser, you get the nice user interface. I can't break anything. So I changed my user agent string to a mobile browser. Now a whole different interface comes up. Wasn't locked down. I compromised that pretty quick. Got some people very upset, but the way that actually got some headway is I got a vice president on the phone, because that's who it was designed for, C-level executives.


And I asked him, well, what's going to happen when you call into your help desk, and they're hitting that interface through their browser on their desktop, and you're hitting it through a tablet? Y'all aren't seeing the same thing. That got their application guys to start fixing stuff. But that was how that one was done. Yes? "So, back to the asset manager, the person you had a slide there."


"ServiceNow." Yes, sir. "Now, as you know, hardware asset management, software asset management. In my experience, works the same as an application manager that manages all the applications. So if you're trying to do this on the iPad, or you work with the stakeholder, ServiceNow version, the application manager?" Yes. If I know about it and I can get involved, I try.


So to give you an example of that. So, doing asset management in ServiceNow, I was very adamant about putting things into that that would help me understand what the business value of each application was. Right. Because initially what a lot of companies were doing with, say, AppSec, same thing with vulnerability: everything's the same. Well, why would I spend all my time assessing an application that's internal, only used by two guys, the same as the externally exposed portal to their financial system?


Doesn't make any sense. I would rather spend my time on the big one and spend all my due diligence there. Do a lighter check on the internal stuff. But no one had that information, so we had to get them to start adding that information to ServiceNow. And that helped us prioritize. When I did acquisitions, because I got pulled into acquisitions all the time, I would go out to companies, have them list their applications.


Okay, why is this important? I mean, is that why we bought you? Might be, might not be, but it helped us to figure out what's the priority of what applications we needed to onboard, that we needed to look at. Maybe there's a risk. We found applications where it was running on one box in a closet on decommissioned hardware, and it was the most important application


The company had. And I found out a month before they were shutting down the site that it existed.


So in that case, it was a physical-to-virtual. Let's try it out and see if it works. Cross fingers and hope it does. It did, by the way. "So that all of you know, like Cisco..." So I didn't do the development of ServiceNow. We had people. Now, I had my own databases I built to do this kind of thing.


So it depends on whether you're putting it in ServiceNow. Like, I know Qualys has their own asset management, because they wanted to do something for security, because no one else was doing it, in their view. Correct. Tenable probably has something similar. You can build your own stuff to do that. You've just got to figure out what is the business information that you need in order to help you prioritize for whatever your program is, whether that's vulnerability, whether that's AppSec, resource utilization.


It doesn't matter to me, but we would add up stuff to kind of get an idea of how important this thing is to the business. You know, is the CEO going to get called up in the middle of the night if this thing goes down, that kind of thing. Now, we also would put attributes on it from the cyber side.


Do we consider it a high risk, such as, does it have a lot of ports open? Is it connected to C-level executives or their administrative assistants, where they might have access to other data that not everybody would have? So would it be something that an attacker might leverage, not just your run-of-the-mill scripter finding it, but nation-state type stuff?


Competitive advantage stuff is what we would do, really. "I would say, work from where you put it. We've got an agreement within the company: what do we want to capture? And the legal system, right?" Yeah. "And then based on, at the same time, if it was to go downhill." Yeah. And you've got to get them involved in it.


Right. One of the problems I saw was that, for a long time, you know, security would tell them to go fix something. They didn't care. They didn't have to do anything. It wasn't until we got the big stick that said, if you don't do what we tell you, we're going to shut you down. And if that costs $1 million a day, that's on you.


That's what we got. But that took the board of directors on down to get that kind of support. "And that's where the sun was in the phrase... yes, no, we're here." Yeah, yeah. "I know the data as well. So a lot of the time it's hard work, and it's like that, from that we can."


"Yeah. Because they are the people who pay for it. I'm not going anywhere that they have. But if you..."


Did, and we had a case like that where an application had gone through a security review. As a matter of fact, I'm the one that did it. I passed it, it got deployed. Everything's fine. But a month later, I get a call from a lawyer. There's a big violation, and it's GDPR, and I have to attend because my name appeared somewhere on the records.


Right. But what happened is, after I reviewed it, everything is good. They deploy it. For some reason, the developers decided they wanted to add GPS location data into their app. Well, this application was registered to individual users, and it wasn't like we knew what city somebody was in. We knew what floor of the building they were sitting on.


Well, that's a violation of GDPR. So I got them on the phone with the attorney, and it was like, okay, you know, if you can make it at the city level, not at the address they're at, that's fine. GDPR doesn't care. But I'm trying to ask: why did you add GPS data into your app?


Because that was their answer: they thought it was cool. They didn't have a legitimate business reason to do it. So we made them rip it out. But that's the kind of stuff you have to get involved with. Change management is big. If I had had a way to see that they were changing their app, I could have triggered a review.


But you don't always get that either. You might get firewall changes, DNS changes, certificate changes, things like that.

HOU.SEC.CON