
Marketing Hype to Real Security: Validating Controls Through Offensive Security Testing

Presenter:

Darin Fredde

Transcript:

[ 00:00:09 ] All right, well, here we go. Let's rock and roll. So you can see the attacker's perspective. We'll talk about that in a minute. Let me give you a couple of reasons why I believe I'm qualified to talk about this. I'm not going to bore you with the normal dialogue of my background. What's important is I've got 20 years, over two decades of offensive and security both, you know, in technology. I've worked in many verticals across the industry. I've worked in telecommunications, internet service providers, you know, financial, transportations both on ground and air; I've worked in retail, local governments, to name a few. I've been a technical consultant for IT, and I've also been a security consultant for Birch Cline, which is an alias. I've kind of done some offensive testing under that; I'll explain in a minute. 

[ 00:01:02 ] About 2011, I did the Love Field modernization project, which was a huge project for the whole airport and the opening of the airport. I did most of the security infrastructure in that building, and then I also did that for Southwest Airlines for some international stuff. So what that really summarized to say is that I'm not, I'm not, I'm not ignorant of enterprise architecture, either for small or large environments. I've also been a pentester for six years for one of the largest banks in the US. I've also been a pentester in local and state governments and different types of infrastructure. And what I want to do with you today is I want to kind of reconceptualize or kind of rethink about enterprise security architecture, but I want to think about it in the lens of an attacker. 

[ 00:01:54 ] And I'm going to lay out some information that has to do with enterprise security architecture. So before we go any further, let's kind of explain this. Where the term comes from is the quotes at the bottom is Luke Hohmann coined this phrase, and he was talking about two different groups. He was talking about technical architecture, which he called Tarkitecture, and then he was talking about marketing, which was a marketing group and product development, and he called that Markitecture. And if you're familiar with a portmanteau, all he's doing is combining the word marketing with architecture, and you get markitecture, right? But what I thought this encapsulated was it was really important to talk about security theater and markitecture because when you talk about security theater and markitecture, we're talking about the vision of what we want the software to be sometimes, not necessarily what it is today. And that leads to efficacy testing and things that are necessary, which is part of the talk. So I really like the term because it makes me use less words to explain the concepts to people. 

[ 00:03:07 ] So, there's a lot of questions that come up when we talk about offensive security architecture from an offensive point of view. But we're going to focus on these three. Okay, so the first question is, you know, are our security controls as effective as we think they are? In other words, do we have this false sense of security about our architecture? And then if we do, can we trust security solutions based on marketing alone, right? And then the third one is, How do we ensure that our security strategies evolve with a threat landscape? Because it doesn't stop, and neither does, I would argue, that your enterprise security architecture or your IT architecture is not stagnant either. And hopefully by the end of the talk, we can talk about that. 

[ 00:03:52 ] I can explain that to you. But these are the three questions we're going to kind of focus on, and we're going to look at it from an attacker point of view. So this is what happens when you don't do it. You get fragmentation. What do I mean by that? Well, you get what's called swivel chairs. Swivel chairs are where your defensive teams are having a swivel chair to look at many panes of glass in order to get answers. So it's fragmented. Your layer defense is coming from arguably the enterprise architecture, right? I don't believe that enterprise security architecture could exist without being scaffold on top of the enterprise architecture. So it has this hybrid model, and then we're using those interlacing, or this hybrid integration, we're using that as enterprise security architecture to defend the castle, or to defend our environments. 

[ 00:04:43 ] That's what we're using it for. So it creates this fragmented environment when it's not aligned properly. And let me give you an example of alignment. We all know what the CIS controls are, right? We all know those. Depending on what level group you're doing, you have so many controls in your environment. You get administrative controls, you get technical controls, right? Well, technical controls are going to be related to tools, right? So when I would look at environments as an attacker, I would see that they had their frameworks aligned, their processes, their procedures aligned properly, and their administrative controls aligned with their framework. But when I'd get down to the tools, the tools were a security sprawl of tools. And the tools were not aligned with the controls. 

[ 00:05:27 ] And matter of fact, if you look at any of the frameworks today, you won't see a mapping between the tools that we use, which are what we rely upon for our technical controls, which I would argue is enterprise security architecture, and you won't see that alignment of those tools. And that alignment is what the attackers are exploiting, because the attackers are us. So think about that. You know, I tell that to students a lot of times. I teach an ethical hacking course, too, and I try to get them to think like attackers, and the attackers are you. I know everything you know, but the only difference is I'm the adversary. I'm the attacker. So what's the solution to that? Well, I personally believe that continuous pentesting, I know that's a buzzword. 

[ 00:06:14 ] We're going to talk about that in a minute. But I believe that continuous pentesting and efficacy testing and offensive techniques are what we use in order to dial in our enterprise security architecture and to, more importantly, test the efficacy of them because of the hyperbole and things that come along with attacking and things like that. So let's look at a case study. This is from one of my attacks. There's two stories here. I'm going to tell you the first story first, which is the actual attack. The attack happened in 2020. They wanted what was called a full scope adversary emulation. And if you're wondering what that means, we'll talk about that at the end. But so that's what the attack is. And that's what the customer ordered. 

[ 00:06:56 ] And what they were concerned with is could an inside person take over the entire school district, and could it cause problems? And that's what they asked me to do. So this is what you see me doing. That's the MITRE. I'm codifying it to mitigate so you kind of get an idea of what the attack tree is. But by the time this test had finished, I took over everything. Doors, door swings, the air conditioner systems, the police departments, the door locks, and everything in a span of time. Now, this is not me telling you what an elite hacker I am. What I'm telling you is this was preventable. And the enterprise security architecture they had, they had a lot of it. It's not like they didn't have tools. They had a lot of tools. 

[ 00:07:40 ] The problem was the non-testing and the efficacy that I'm preaching about. And none of that was done. The secondary issue was the report got leaked to the press about a couple years later. And ironically, the guy who picked up the job to talk to this investigative reporter on camera was my buddy, and my buddy Philip Wylie. So Philip was doing the interview. He knew that I was operating under the alias of Birch Cline, and I'm the one that done the test. And so I can talk about this because it's already been judicially. So the link right there at the bottom, you can barely see in blue. If you want to go look at it, you can go watch the whole video and kind of amuse yourself with it. 

[ 00:08:23 ] What was really bad about this test was it got complicated, and then there was hyperbole. The security theater was that a student had done it. Well, the truth is, the FBI, another one of my colleagues, was working with the FBI, and there were questions of who did it in the home. The student got blamed for it, but they were using my pentest report as their roadmap. And the reason why we know that is because the FBI saw it spitting out all over the floor. It was spitting out all the campus on the printers, and they were taunting them with it. So that's why we know that they were using the pentest report. The investigative reporter tried to get the second report because I always tether my reports together, and they're trying to get that. 

[ 00:09:04 ] So what does this mean? Well, this is the consequence of when enterprise security architecture doesn't really align from an offensive point of view. And I personally believe, hopefully by the end of this presentation, I'll be able to talk you into understanding why this is absolutely not only critical, but it's germane to your enterprise security architecture alignment. So this is a model, and let me explain this to you very simply. It's Bruce Schneier, and he's talking about the feeling of feeling secure when you're not, and then he's talking about also when you actually don't feel secure when you actually are. And he's saying without having a model on things that are very complex like that, you really can't align them because you don't really have a concept for it. 

[ 00:09:53 ] So he's talking about having a model, which is the third thing. So I created this chart in order to illustrate that, to make informed actions out of that, and to align those models, you have to have a model. Because attackers are complex. They don't always attack the way you think they should, right? And they hit you in, I like to hit people in, like using Grammarly to data exfiltrate, things that you wouldn't think would occur in your environment, in your architecture. And attackers do that. They look for that type of environment. So the question here is: can the results of pentesting, what I'm proposing, or offensive security, can that be used as a model? And it absolutely sure can. It does all the things to the right. 

[ 00:10:39 ] It's a data-driven model in order for you to balance the scale between feeling safe and actually being safe. And not only that, but to also prioritize what you're going to fix first. And then we're going to talk about that as well. And then the other question is the one: Can we just trust these security controls? And the answer is absolutely not. It's not that they're trying to sell us a bag of, you know, a bag of vaporware. It's the problem is us. We have to test it, and it can only be done by offensive people. Offensive people have to be involved in it because that's how we dial in this architecture in order to accomplish our mission. And remember, we've got limited troops, so we're going to talk about that strategy. 

[ 00:11:23 ] About is a strategy and a strategy involves people, processes, and technology because keep in mind when we're talking about, you know, enterprise security architecture, we're talking about people, right? So let me give you two illustrations on this framework. Here's the first one: the guy in the SOC. He's working every day, his agents are falling offline. He doesn't know why his agents are falling offline, so they throw a headcount at him. He spends an enormous amount of time trying to figure out why the agents aren't reporting in, and that's half his day, okay? And that's a habit. And instead of testing the efficacy and going to the vendor and saying, 'Man, can you explain to me why your agent just can't simply stay online?' They just adopted behavior. 

[ 00:12:08 ] And so as an attacker, think of me being you. I know what you know, and I come along as an attacker and I exploit that. I know what they're doing. I know the shift, somebody on the shift's doing that, and you exploit that. The other part is me, okay, and cognitive biases. And let me give you an example of that. When automation for pentests came around, I was a skeptic. Not because I was worried about power or losing my job. All these things that get in the way from adopting and moving companies forward. What I was worried about is the risk, the hyperbole that we were going to replace pentesters. And I knew it was a bunch of baloney because automation won't fix broken business logic sometimes. 

[ 00:12:54 ] And it certainly can help you scale and get there faster. And autonomous pen testing today is absolutely 100% real with efficacy testing. But I would encourage you to test those companies. And anybody peddling that you can replace the pen tester, it's not because I'm talking about power. It's just not there yet. So will we get there? Quite possibly, but we're not there yet. And so we have to be on guard about that because it creates a secondary risk. We start feeling like we're doing the right thing, and the next thing you know, we're getting broken into again. This is what we're dealing with. We're no longer dealing with complex and simple networks. We're not talking about, you know, gardening ivory tower. That's why we talk about zero trust. 

[ 00:13:40 ] We're in a multi-tenant, multi-cloud, niche cloud, all these cloud services. We're on-prem, we're off-prem, and attackers look at it this way. They don't look at your enterprise architecture of thinking, hey, I'll just hit you with your firewall, or I'm going to do a password spray. They're looking at all of you. The entire roadmap of where all your SaaS is and your business partner. So it's quite complex, and will CNAPP solve that problem? CNAPP is this holistic idea of having a tool that is a single pane of glass that's in the cloud that will solve our problems. And yes, it has a lot of promise. I agree with a lot of the attributes of CNAPP, but it doesn't replace testing. Because empirical data and verification and validation come from testing, not from assumptions. 

[ 00:14:32 ] So that's why it's important to do the continuous pen testing. So do we have a multi-cloud and cross-cloud security capabilities? Yeah, we do. And there's some good software out there. But testing needs to occur as well. Look at it. Let's look at it in more detail. It actually looks like this. You know, we're talking about remote home workers. We've got, we got SaaS. We got all this going on, branch offices. And this was done by Pete. You can see the original author of this. And I recreated it out of his talk because I thought it was really good to illustrate the complexity that we have today. And if you remember, I said that architecture, enterprise architecture is the IT side, and then we have enterprise security architecture that's scaffolded on top of that. 

[ 00:15:24 ] So think about that when you look at this. Your enterprise architecture is layered in your defenses, and I'm going to point it out as we go through some things. Let's look at another case study. This case study was a local government. It's a city, and they were worried, and the question was: Can an attacker impact our elections? That's what they wanted me to do. That's called a goal-based pen test. They're asking me. So I did a full-scope adversary emulation on this. I'm breaking this slide into three stages for you so you can kind of talk about it quickly. And in the first stage, what you see me doing is accomplishing the goal, and I'll show you that. The second stage is taking over the entire city because that's really grandiose, and that's what attackers want to do. 

[ 00:16:08 ] Is that feasible? Right. Can I can I make you let everybody out of jail because I corrupted your evidence? Can I, you know, can I mess with the police department? Things like that. So here it goes, moving my pawn to control the top of the board. What I'm doing is I'm using OSINT data, open-source data. That's what you see up there in the left. And I'm doing simply a password spray. Now, I would argue at this point I'm not really attacking you. I'm attacking Microsoft because some of that shared responsibility comes from them, right? But you have your shared responsibility and your layered defense that's called conditional access. You get that wrong and this occurs. So that's what occurred here. I gathered a service account. How did I get that? 

[ 00:16:51 ] Well, I used dark web data. And there was a lot of passwords to choose. And then I used that to build a semantics dictionary of the language you use and those common passwords. And then I started my spray. And I just got lucky. Right off the bat, I caught my account. It was a service account. I know that they're going to be afraid to touch it. It goes like this. Stop him. Disable it. No, no, you can't do that. That's the way it works. They're scared of it. They're scared to turn it off. And I know that. So that's why it was golden. It was a great account to use. And I'm using that, and I'm doing my recon. And the second mistake on the recon is: You could have caught it there, but the problem is they wouldn't watch it. 

[ 00:17:32 ] Because remember this swivel chair going between cloud and on-prem? They weren’t paying attention, right? And this stuff goes down really fast, like a chessboard. That led into this. Now, in the attack, I don’t believe in just showing off. So what you see me doing in the left side is I’m coming from another country. I’m coming from Ukraine. And why am I doing that? Because it’s cool? No, I’m doing that to show a layer of defense failing. Because you could have created friction for me. Or it’s called breaking my OODA loop. Make me really work for it. Instead, they didn't have that protection there. So I'm trying to show them that anybody from around the world can connect to you. 

[ 00:18:14 ] And then the VPN access, what I got that is from what's called OSINT data. Because they were telling their people how to connect to the VPN. And that was available to anybody. That's how I found the VPN back door and knew it. And then not validating the client, letting anybody install the client. This came up as a back door. And when I talk about full scope adversarial emulation, I'm not talking about just breaking in and gaining the foothold or doing vulnerability testing. What I'm talking about is the entire life cycle. And when attackers attack, they want to maintain persistence. So that's what I'm doing here. I'm using the VPN as my back door and I'm burying myself in. I've got the desktop. The desktop is well protected, so I'm leaving that alone. 

[ 00:18:59 ] I move over to stage two. Stage two is where they're using a virtual desktop, right? The virtual desktop you see down on the bottom left, they had a really good solid EDR. They had alerts and everything else. That was great. But see the middle with the little finger? You can barely see it. What that is is a published app. So I do what's called a traditional breakout. I break out of the app to get to the server. Now I'm at the server level, and that layer's not protected at all. So I set up shop there. There's no EDR on the server. There's no nothing because why? Because they were under the illusion the attacker's not going to go there, right? And they didn't do efficacy testing. It tests all their layer defense. 

[ 00:19:38 ] Remember, I said it's a layer defense. And one could argue that that's kind of really IT stuff, right? No, it's not. It's really part of your enterprise security architecture. So I'm breaking out and I'm getting to the server level. I set up shop there. And then what you see in the top right is me doing another test. When I get what's called a golden ticket, a golden ticket is a way to maintain persistence, a little bit of old school way of doing it. I'm checking the functional level of the domain. Why? Because in my report, I want to show you that your enterprise security architecture is failing you. Your functional level of your domain is 2012, so you can't possibly be rotating your Kerberos account. 

[ 00:20:23 ] And see how they kind of intertwine with one another in an attack? And the only way to discover these hidden flaws is to attack. Here's the rest of the attack. I'm going to go through this pretty quickly because it's getting boring, but you kind of get the idea. What I'm doing is I'm attacking both domains. There's actually two domains here. I attack both clouds. I take over both clouds, the election domain cloud, and I'm taking over the other cloud, which is the entire city. So I'm grabbing the city and the election domain, plus I own the on-prem as well, and I buried myself at this point in very deep. It's going to be hard to get me out of there, okay? It's going to take you time. 

[ 00:21:02 ] You're going to have to bring a professional crew to get me out of there, all right? So then I start looting, and I'm trying to accomplish my goal. And what I do is I loot their email. Loot their email, start stealing the passwords out of the email. That led to the actual election software you see on the left. So now I own the election software and game over in the first stage. And this went down in that time period you just saw. The second part of the test was just really owning the environment, owning the entire city, and burying myself in. I had accomplished the first goal. So the question was, can I impact elections? I say it's plausible. Very plausible that I could impact elections. 

[ 00:21:48 ] Why would I take on the voting booth and the encryption and all that? I'll just wait till you bring it back to the castle and start unencrypting and look at it, mess with your integrity, game over. You're going to have to explain to the people why you can't tally the votes properly, right? Or why it's not working out. We counted them before we left. Now the numbers don't match, right? So I had options of their code and everything else. This is what I'm showing with a chess piece because when you're dealing with the knight, the knight's unpredictable. The knight can move in many different ways, which represents your pen test. It easily wiggles between your security defenses. That's what the knight does, right? So this is a good illustration. 

[ 00:22:32 ] If you look at the rook, the rook moves up and down very quickly. That's the way a rook moves on the chessboard. And what that kind of represents is your audits, your validation. The king represents what you're protecting, your verification, what you're checking, you know, all those validations. And these all work in concert. So if you roll both of those together, we could be talking about a hybrid pen test where we're kind of combining these techniques together continuously, automated, at scale, and we're doing it all the time, dialing in this enterprise security architecture. Here's another one. So this is a human-operated ransomware. It's very common today, and this city was very concerned with. So after checking out and gaining access to the inside through their wireless that wasn't defended very well, once I got inside, I went after their backups. 

[ 00:23:25 ] That's what you see at the top left. They had two-factor. They had all the accounts laid out, but they made one vital mistake. Nobody ever checked the local account. So all I did is check the local account. It wasn't set up, so I helped them out with it. I set up their local account for them. I gained access. I even put two-factor on it to make sure they're safe, right? And then I loot their environment and I restore those to attacker rig, and then I go through all their unstructured data to loot and get even further. So this is game over and this is what attackers do. And when they deliver things, remember I said attackers don't normally attack like you think they are. So this is actually called Team Fisher. 

[ 00:24:05 ] It's not my work. It's another work. You can read the authors at the bottom. And what I'm doing is I'm delivering the bad news to them through Team Fisher. One, because it's funny. I thought it was clever and funny. And because most people deliver that by pop-ups and deal, I'm actually creating chaos and fear, sending it through the team Fisher, through all the team viewers, right, to let them know they'd been ransomware. And then it gives me the opportunity to show them this. To the left, what you show me is little hidden radar buttons that cause part of this problem. And this is allowing anybody to share and have these capabilities. And these combinations can become toxic. Let's say you've got a high-risk user. We know they're high-risk, and they have the ability to do external sharing. 

[ 00:24:55 ] So it's very relevant of how all these things work together as your layer defense, and it's very detail-oriented. Unfortunately, it is. So your layer defense has to be tested in detail. So remember I said attackers don't attack the way you want them to? This is an example of that. They take the path of least resistance. Microsoft did a really good job of this, so I'm just showing their work. And what you want to do is create friction. You want to make it incredibly hard for them. So you want to create strong security controls. They're effective, and you want to move those to the right part of your architecture in order to defend it. And then you want this continual test life cycle going on in your environment. Here's another example. 

[ 00:25:43 ] Blind spots. This company had this company was set up. They had. They're knowledge-based. The first thing that caught me off guard, here's the attacker mind. I was looking and I was going, why are they using Freshworks? Because they don't have a product. Why don't they use Freshdesk? Boy, and I'm chuckling. And I'm looking and I find a subdomain takeover in it. I'm kind of looking at that. And I said, you know what? I bet these guys don't realize that their knowledge base in a Freshworks product is designed to share with the open public. So I created it, a fake account. I get into it. Why? Because Freshworks is offering it to you. They're saying, hey, this domain's available. Would you like it? So that's what I'm doing here. 

[ 00:26:27 ] And then I gain access not to control the app and not even to get past the authentication, but just to get to the knowledge base. And I start looting the knowledge base. The knowledge base makes this mistake, see redacted. That's the wireless password. So I jump in the car, drive down there, game over. Okay, I didn't take on your firewall. Attackers do this. Automation won't get this sometimes. This is attackers being creative. Okay, and that broken business logic sometimes can't be automated. That's why it's important to put these in the hands of tools of people, SMEs that know what they're doing. This is this what I just told you. If you look at it, the attacker is making assumptions. He has a hypotenuse. He's thinking, hey, man, I think they do X, Y, Z. 

[ 00:27:17 ] Because remember, they are you. They know just as much as you do. You have to assume they're smarter than you. And there may be more than one of them, right? And so they think like you. They watch you. They'll read your email. You know, I can't tell you how many times I've actually closed my own tickets in systems. I just close them, process them for them. Here's another idea what I was telling you about creating the friction, Microsoft calls it friction, Military calls it breaking OODA loops. You know what you're trying to do is throw them off their game? You want to make it incredibly hard in order for an attacker to attack you. How do you do that? I'm sorry, it's called blood, sweat, and tears. You have to test. 

[ 00:27:58 ] You have to have people who are qualified. And you have to grow them internally if you don't have them. You need to put tools in their hands to help them so that you can create this friction. And then you can't, everything can't be a priority, so you want to prioritize where you're the weakest. And there are softwares out there that do it autonomously, and that's no joke. They really do. And they actually lay down deception. As they're fixing it, they'll lay down deception to buy you more time so that you can prioritize to fix these things. You don't have to fix the entire market. What you need to understand is understand the threat actors that are attacking you. What industry you are, what type of attackers do you have that are going after you? 

[ 00:28:43 ] Let's slow down a little bit. Let's define pen testing. I like Philip Wylie's definition. He is my buddy in full disclosure, known him since 1995. But I like what he says in his book. He simply says this type of security assessment is the only way to uncover exploitable vulnerabilities and understand their risk. Couldn't agree more. The second one is me. I'm saying that full scope adversarial emulation is a comprehensive security testing approach that goes beyond compliance base. What do I mean by that? I'll explain it when we get to the framework models. But Red Team, let's keep it real simple. They test the ability of the Blue Team to respond. And if you want to make it more complicated, you can read Joe Vest's definition. 

[ 00:29:35 ] He does a wonderful job of describing what Red Team is doing. I'm proposing to all of them. These are all tools. These are all quivers. I mean, these are all arrows in your quiver to use, and they have different solutions. And then you layer in the confusing markitecture with autonomous pen testing, you know, verification, all these other things. These are just things that are scaling, but they basically mean the same thing. They're just speeding up the game, making it faster. So what does that kind of look like? Well, it looks kind of like this. You know, if you're doing traditional pen testing, you're doing the minimum preparedness. It's a snapshot testing, so you're doing your annual pen test. You're only doing a snapshot, so you only really have a limited threat vulnerability. 

[ 00:30:22 ] You have a limited view of what's really going on. If you're doing something like this, you have advanced security posture because your blood, sweat, and tears and all this work, and you're doing it continuously, and you have an advanced idea of what's going on in your environment. And this is why it's critical. Let's look at one more use case, or a couple more. So this is a government agency that provides helicopter services. Company that provided helicopter services for most of the police departments around the United States, and they were concerned that an attacker could get in and compromise their video surveillance. I absolutely knew nothing about helicopters, nothing about this. So I start with what's called OSINT data. Up at the top left, you'll see that it's redacted. 

[ 00:31:17 ] I mean, top right, you'll see it redacted. Their error message through an error domain and everything that had nothing to do with the people. I said, oh, that's the developer, right? So I follow them back to their GitHub, right? And then I use that and they use certain language. It's very specific. So, I used that language to build what's called a brute force dictionary. Didn't know if I would need it, but it's pretty easy to do. Using the choice words that that person was using, the email domain, things like that. It's called Semantic, Semantic Dictionary. You can look that up. And I built that. And I still don't know about the service, but I get the way I understand the service with the map is that most people don't know it, or maybe you do. 

[ 00:32:04 ] If you're spending taxpayer money, you feel overly when you have the responsibility to share it, right? I would say that SSI, sensitive security information, you don't have to share because that was their downfall. This little map harvested from one of the cities tells me how everything's laid out. This little UX with the mobile phone, I was able to tie that back in to the original developer, and that told me how that works on the mobile phone. And then the rest is just traditional enumeration. I'm looking at what services are involved, you know, just by enumerating what services they're running from DNS records, things like that. And then I start uncovering that this software, their middleware concept that's in the middle for the streaming service in the cloud has a vulnerability, which is called an authentication bypass. 

[ 00:32:54 ] So that looks yummy. And then I'm noticing they're running PHP, which leads me to this. So actually, The authentication bypass, if you see me up at the top using Burp, what I'm really saying is this doesn't matter. This doesn't matter on my password because the authenticated bypass didn't do anything. It just allowed a read-only account to get in there. What's the impact with that? Well, I can get to the XML files and restore that, and I looted that and got another password, right? But I'm still at read-only level, right? I'm looting. I’m able to look at one video, you know, one sheriff department, but not the whole pie. So then what I’m doing here is I’m doing the brute force attack, and then it’s game over. 

[ 00:33:39 ] Now I’ve got root access to the middle software. I move laterally across it, and I’m attacking the application layer. I’m gaining access to the application layer. I create this group called the renegade group, me and a buddy called Micah. We created this account. And then I use that to demonstrate what the attacker does next. So after I gain the application, I go over to their support desk, right? Like I’m going to turn in a ticket, and I’m checking it. I'm actually doing the pen test, but at the same time I'm gaining access. I'm checking it to see, did you validate the files that I could upload? And of course, they did not. They weren't checking them, so I upload my PHP file. 

[ 00:34:21 ] This is kind of old school hacking, nothing elite here. And then I run it against there, and now I'm root access here too. So it's kind of game over. Now here's the cool part. The whole time we're doing this, we want to see video. My buddy and I are going like, man, we want to see cool stuff. So this is the cool stuff. You know, we sat around laughing, watching people get arrested. A funny story is there's a guy on a boat up there, and he got arrested. There was a dog they left on board, and we were like, 'Oh, no, they left the dog,' you know, because the police department arrested him, put him in handcuffs, took him off the boat, and they left the dog on board. 

[ 00:34:57 ] So we had a lot of fun with that one. But this is the kind of stuff that occurs when you don't test. This is why it's really important to do enterprise security architecture. Two of the biggest things that don't get missed in framework, post-exploitation. Nobody tests their data exfiltration. Nobody checks persistence. And those are like hidden landmines. So, if you don't test those, there's only one way to test those is you have to allow the full scope of that test to complete. If you're just doing compliance-based intent tests, pen testing, he turns in his findings, you're never testing data exfiltration, you'll never find these hidden problems in your architecture that you could actually do compensating controls on. So it's important to allow the tester to do the full life cycle. 

[ 00:35:44 ] One could argue that I'm talking about red teaming. But now I would send you back to look at the definition. I'm not testing the ability of the red team to respond here. Am I going to turn your security controls? Absolutely. I'm going to turn your controls off. I'm going to mess with, I'm going to tamper with it because I'm an attacker. But am I doing, red teaming has its place, but I'm being overt because I'm trying to find as many attack paths as possible for you to get the biggest bang for the buck, right? Continuous pen testing all the time because we need to quickly shut down these different attack paths within the company. This is a framework model. I'm not going to go through it, but that's there for you if you need it later. 

[ 00:36:23 ] There's different frameworks you can do for your enterprise security architecture. I would encourage you to go look at them, make sure they're aligned, and the most important thing is I would list all your tools in your environment. You can use AI to help you, and then codify them, and then align them with all your controls, and then test them all. Make sure, and you're going to find big gaps in your controls. Or you're going to have overlapping software that's security theater. It makes you feel secure, but it's really not doing anything. And those I would jettison. Get them out of your model and go out and either trade up or buy different software. I'm not going to go through all the detail on this one, but this is a purple team exercise. 

[ 00:37:03 ] What I'm doing here is I'm dumping credentials. The counter to that is Credential Guard. So it went like this. This is how the test really went down. I asked the team, 'Are you ready?' They say, 'Yeah.' I said, 'No, are you really ready? Do you have everything in place to go?' Yeah, we're totally ready. Okay, and we had meetings, everything else. They're not ready. Right there, the policy didn't hit the board. It was running, but it actually wasn't installed. I mean, it was installed, but it wasn't running. So I finished the test, and what I'm doing here is I'm taking advantage of a guy named SubTee. He's separating the payload. It's a technique to get around EDR. You see me getting around the EDR in the top left. 

[ 00:37:48 ] I'm evading their woefully inadequate EDR that they have on the desktop. And I'm using a friend of mine named Mark Moe, if you want to go look him up. And it's called a single file bias. And I won't go into detail on that. But basically, I'm evading, I'm loading, and I'm dumping their credentials, even with the EDR running. And then I'm showing you. And I would even add that I'm touching the disk. I'm not even running it out of a cradle. I'm literally running it on the disk. Now, this was a while back. This would get caught today. But at the time, it wasn't getting caught. And this is an example of that. Here's where they have it in place. And this is going to be the counter. 

[ 00:38:28 ] What the attacker is going to do if he discovers that you are running Credential Guard is he's going to come in and he's going to do a counter, and he's going to insert the DLL, at least that artifact, over to the left. And then from that moment on, after inserting the DLL into the LSA, which is the memory, then he can capture every password, therefore, after. But this is catchable. And, with purple team exercises and YARA rules, and right out of the box, if your software is not catching this, this tells you something about your layer defense, because this is very catchable, right? 

[ 00:39:11 ] Okay, when we talk about continuous development, I'm going to keep it really simple. If you're catching version controls and things like that, and you're doing the OWASP top 10 on your app, you're really not going further now. And let me explain what I mean by that. Version control gets caught in your shift left, right? And I would ask you a question. How do you know you're shifting left? What measurements are you doing? Let me show you the way I think it should be done. There's another test called application verification standard. And I've talked to a lot of buddies. People have been in the industry for many years. And I'm surprised at something. They don't know about it. And application verification standards, also OWASP, and it goes way beyond testing the top 10. 

[ 00:39:59 ] And so your most covenant app that has all your critical apps in there, you really want to be doing a hybrid. See at the very end, it's hard to see, but they talk about a hybrid pen test. So think about it as the two chess pieces: You're doing the traditional pen test, the web app pen test and everything you need to do. And at the same time, you're doing the audit piece where you're doing the verification. What are your security controls? Where's your architecture? Can you show me where the authentication you decided to use, where that's written down? Oh, you don't have it. So then mark. And then that becomes a maturity model that you can measure back to the left and say whether you're shifting left or not. 

[ 00:40:40 ] And that's where you can measure back to the left. So think holistic. You've got to think big picture, not just little microcosms. Hopefully by now I've convinced you that this is why you want to think like an attacker. This is the why. So this whole talk is about the why. OK, the reason why it's actually imperative that you do these is because of this reason. And then you want to think big. You want to have a 360-degree view of your entire threat landscape, your enterprise security architecture. One last good one, and we're wrapping up. I know this is getting kind of boring, but this one's funny. So hopefully you'll have a good laugh. After I broke into the environment, it's human. It's human nature. 

[ 00:41:31 ] So I was watching this person as I was hacking other things, and I got into the KVM, and they were imaging every day. Guy would come in, get to image some boxes, throw the box on the tray. He's in the KVM. I'm watching him the entire time he's doing this, waiting for him to make a critical mistake. And you know what it's going to be? It's not going to finish. He's going to go home. This is exactly what happened. The guy didn't finish. He went home for the day, left the screen up. I'm in the KVM. I finished his install for him. And then I backdoor a server. I backdoor his workstation, knowing that it's going to get deployed within the fleet, right? And then on the same time, I do a downgrade attack inside of PowerShell. I actually load PowerShell 2.0 up in the app in order because I know that they can't see the EDR, won't see me doing that. And I load that up, and then I run Responder on another segment of their network because I'm not physically there. And, of course, everybody knows what that gets you. Okay? Let's wrap up. 

[ 00:42:41 ] I actually call this shape. So if you want to get in good shape, you know, you really kind of want to be doing this. You want to think strategically, right? And this is a good acronym. So you want strategic risk, and you want to align that risk and align this offensively. Think about it. Your enterprise security architecture and your tools are what you're depending upon to have this holistic view of your environment. And if they're afterthought and you have these sprawls of tools and they're a lot aligned with your control, I think you're just missing the boat, right? So you want to have that. You want to do this alignment. You want this proactive, continual cycle. That means you need to do efficacy testing, so it's out there. And then you want to do the last part of this. And then I'll leave you with the closing thought at the beginning. If you're not testing your defenses, attackers are going to be more than happy to test them for you. So I prefer the latter, and that's my recommendation. And with that, I'm going to finish up and ask if you have any questions. I think we've got less than a minute, and I'm sorry about being long-winded. 

[ 00:43:55 ] Okay, we got one minute and we can take this out in the hallway. 

[ 00:44:13 ] Yeah, his question's about fear, really. You know, if you've got an app that I'm about to knock out of commission that's going to cost you about a couple million dollars and I'm doing this no-holds-barred adversary emulation, how do you do that? And it's based on results and trust. You're going to have to build trust. No attacker that's reputable wants to knock your app down. But there's other ways to avoid that, to minimize damage and stuff. I've done plenty of these. There's only been on one occasion that I've taken a server down, and to be honest with you, I gave them a finding because I was just using your basic normal protocols, and the server shouldn't have gone down to begin with. And I would argue that you want to know that, right? 

[ 00:45:03 ] So it was a costly mistake, but you know, it happens. But it's a good question. It's a real good question. It's not an easy sell, I'll be honest with you. But if local governments can do it, I mean, those are real live accounts, then I think we can too. We just need to be careful. And remember, they can be your internal crew, people you trust. It's all about risk. It's a trade-off, you know, that's what Schneier's saying. It's a trade-off between convenience versus, you know, risk. And I think the risk is far higher to not test it than it is to just allow it to be out there, API not tested. I'm going to end. We'll take it out in the hallway if y'all have any more. Man, thank you very much for showing up for me. I really appreciate it. 
