Presenter:
Transcript:
First time presenting. I've been to a few of these before, and so it's kind of cool to be on the other side, so I'll get started. So, a little introduction. I didn't have an introduction slide, but for me, I know I've been in IT for seven years.
So a little bit of time. I'm responsible for my company, small glass, for incident response, threat hunting, security design, security awareness training. Pretty much, I'm really the only security guy there. So it's fun. It keeps me on my toes. So today we'll be going over how we stopped session theft, and it's not perfect, but it is.
It has helped our company out a lot. So we'll be going over this. And then I put the subtext in there: your MFA is futile if I have your cookie. So we'll be getting into that here shortly. So first, we'll be asking a few questions just to kind of get, if you guys want to go ahead and pull out your phone and join, it's anonymous.
It's not going to be like, you know, you got this, you have this, I got them all, the security. You can trust me. So you're welcome to do this. We're just going to do a couple of questions here just to get a kind of gauge for the audience.
All right, cool. We got some thumbs up. All right, let's continue this malware. All right, let me know if you need to go back. So the first one: job title. So what's your job title? Student, talker, IT professional? Senior cybersecurity analyst? I'm just a cybersecurity analyst. I don't know if I mentioned that, but I've been working here for a little while.
Okay, interesting. Recent grad, IT support. Nice. Okay. Principal sales engineer. So a mix of different people here. Interesting. So I'll get a little technical, but I'll try to do an overview as well. But we'll continue. So in terms of company, is there someone dedicated at your company who does cybersecurity?
Or is it more like it's just someone's responsibility? Oh, it does this, so that's their thing. We don't do that. Okay. That's some good ones. Yes. So it looks like we do have quite a bit. So this is good. All right. Let's continue here.
And then this one is the last one for this section: how often are you seeing phishing attacks from compromised business partners? And if you're a student or you may not have access to some of these types of things or may not know, that's okay. It's normal. Okay, cool. Okay. Yeah. Well, hopefully it's up there.
I know for us we have it weekly. We work with a lot. So we're a construction company. So we work with probably a thousand plus subcontractors that have emails. And it could be big multinational companies or it could be someone working out of his truck. I was an electrician. So it's really small up to really big. So it's pretty cool to see.
Now going into a story. So this is an example of what we had one time. So we had one of our project managers on their computer. They're working, doing their job, right? They're out there to build buildings. They're not necessarily out there to, you know, be the most cyber safe, right? So he's checking his email.
He looks and says, oh, wait a minute, look, I have this email. It's from Brandon. I had to take out some of this. It was like, oh yeah, look, he sent me a OneNote file. I need to sign in. He's probably trying to send me an invoice or something like that. This is completely legitimate. I'm going to sign right in.
And so he goes to the site. This is the site that's there. You might be able to spot some different things, but if you're in your day-to-day work, and this is something that, as security, especially myself, a security professional, I was like, well, if you're working every day, you're not necessarily going to look at all the signs of what could be dangerous, right?
So up here, you may see that maybe it is something, maybe it's not. And one of the other things too is it looks exactly like our Microsoft sign-in, which is pretty scary, minus the top, right? If I didn't look at the top, I'd say, yeah, this is our Microsoft sign-in, log right in.
And so, let's continue. After they had signed in, they put in their email password as well as the second factor of authentication. And there was a bunch of different logins, like probably a handful of logins across the US, different data centers, different IPs. Like, what the... okay, that's a little strange. That's weird. I was getting alerts on my side.
This is how I was looking, like, what is this guy doing? Well, using a VPN or something to connect to all these different data centers? That's really strange. And this was me after realizing, I'm like, oh, I have the policies. All those sign-ins that were attempted failed. And I'll go over how we set that up here.
Not too much into the weeds, but I'll kind of explain a bit on what I did because it does take quite a lot for the experience. Yeah. Just curious if you guys have experience with session stealing attacks, or, you know, you may not necessarily have. I know there were quite a few people that didn't have visibility into that.
But let's see here, we have a lot that have seen session stealing attacks. It's still okay. Voice. So yeah, it looks like there are quite a few people who have seen it targeting a company, some maybe not too. Okay, man, I'm lucky. We get a lot. We get a ton. And then emails reported consistently.
That's good: process review, unusual sign-in. And that one's a big one too. I'll be going over those in the key takeaways. So the problem going forward: part of the problem is looking at the attacker's lens of, you know, we talked about curiosity and seeing how attackers can get into these different accounts. So the one big thing that I've seen is these guys are just renting out the phishing as a service.
So there's a lot more out there where they'll just pay like $350 for a month and hit a ton of people with these phishing kits. And these phishing kits have a lot of features. They're like, oh, look, we have 2FA bypass. We have, you know, password collection. We'll send you web links to your Discord or Telegram or whatever you need.
Right. So it makes it really easy for these guys to get in and start doing these malicious types of attacks. Continue. Yeah. Okay. Yeah. They do fake cookie harvesting, the status of their phishing campaigns, you know, what's the status of what they just sent. Did it get delivered? Did they steal some? So it's pretty crazy.
$30 or $50 a month is not a lot if you're hitting, you know, thousands of people at once. The other part is the defense. So understanding the problem on the defense side, it's hard because in my experience with Microsoft, they do have a lot of delayed alerting. We're a Microsoft shop, and sometimes they tell us within an hour that, you know, someone is signing in.
Weird. There's a bunch of risky sign-ins. Sometimes they tell us like a day or two later. Like, I could have known this a day or two later. I don't know what was going on beforehand. And unfortunately, the third-party security is kind of the same because they're ingesting the logs. If you ever point it to a third-party SOC or SIEM, they might not get all the information.
I kind of dug into the weeds and, you know, it's plus or minus. So really what I want to do is make my own SIEM. And we do outsource today. But, you know, it is what it is. 2FA is really not enough anymore. So this is for certain second factors.
So for SMS, for voice, for authenticator apps, it's not enough anymore. I did one yesterday. They're actually doing the authenticator app, like where you do the two codes, where it's passwordless, and they're getting through. They're adding new features every day for these phishing kits, which is pretty scary. Another one: email security.
Our email security failed to pick up that phishing email. It was coming from a trusted vendor who they had previously contacted. So it's hard for email security to see that nuance in those situations. The firewall we had at the job site at the time actually didn't have the policy set to enabled; otherwise it would have blocked that domain.
So unfortunately that was another hole. And then lastly, security awareness training. So letting our team members know, like, hey, we shouldn't be clicking on these types of emails, is pretty important as well. So there are a lot of holes that it can go through. And this one just aligned perfectly where it hit all of them, to where they actually stole, or at least tried to steal, this person's token.
So now, talking about the solution. So there is a feature in Microsoft. It's called hybrid authentication, or hybrid join authentication. So there are a lot of prerequisites going forward to enable it, and before you even enable it there's a ton of things. So a few of the prerequisites: you need an E3 license. You need the on-prem.
I didn't put AD where it's on-prem AD. You need Entra ID, and you also need the hybrid joined devices specifically. It can't just be only Entra joined or only AD joined. You do need. I prefer Chrome for Enterprise in terms of deploying this out, because by default, Edge supports returning the hybrid auth devices, but Chrome doesn't.
You have to deploy some certain things, and that actually was a blessing in disguise for us as well. I'll go into that. And then third-party support is also good because for some of the Entra ID apps that you authenticate with, they don't return the hybrid authentication, which I'm not sure why, but that's what they do.
Hybrid join policy and then exceptions policy. So you have your actual policy and then the hybrid exceptions. So in terms of the scope we're targeting in this conditional access policy, it's kind of like a way to restrict certain things that they do on the IT side, is you're going to want to include Windows, Linux, macOS, and also unknown devices.
The things that are going to be out of scope for these are going to be Android and iOS devices, because those cannot be hybrid joined. So if you have those within the scope of the policy, they're all automatically going to get denied. So that is definitely a gap there. And this is the policy I was mentioning.
So if you're interested in reading more about it, you can look it up. And it saves me so much time and effort and stress. So that's the policy there. In terms of actually after we implemented this policy, it stopped session stealing pretty much completely. But there are still ways that you can steal sessions. Obviously there's always a way around controls.
But for us specifically, it stopped a lot of these attacks because in the previous example, they were logging in from like a Linux VM or Windows VM or a Mac VM from different locations. But those VMs were not hybrid joined. They were not authorized through us. Essentially, joined through IT first and then given to the users and whatnot.
So that's the way we're filtering and preventing these types of sign-ins, so that attackers can't get in. When we implemented the change, a lot of the users didn't really notice it. The ones that did were using personal devices. So unfortunately, if you're using a personal Windows or macOS device or Linux device to log into your work email after implementing this policy, it won't work.
So we did have a few. So most people didn't mind that change. There were still a few. And another thing that really was eye-opening was reducing the risk of info stealers. So something that I didn't necessarily even think about was, okay, well, if I'm an attacker, why do I have to go and breach the work computer, like the corporate device, instead of just, oh, well, let me just take their personal device? It's a lot easier.
It doesn't have EDR. It doesn't have any security policies, nothing that prevents it from being taken over. And if they're signing in to their work email on there, oh, I'll just swipe the cookie, replay it on another device, and boom, they're in. So that was another thing that was pretty huge. And even after deploying restrictions like Chrome for Enterprise and things like that, where the extensions were locked down. We didn't have our extensions locked down before.
Boy, I'll tell you what, there were a lot of things that I was like, whoa, who's doing like DJing on their off time? Like a DJ extension or like a name extension? I'm like, what is this? I don't know what's going on. So that was a really big impact. And going forward, in terms of key takeaways, one thing that I like to do is monitor a lot of the Entra ID risky sign-ins.
This has definitely helped. And if you're not a Microsoft shop, then this won't necessarily help. But monitoring those risky sign-ins, those have been relatively timely for the most part. Not necessarily relying on third-party SOCs in terms of speed to get back to these. Our research, these risky sign-ins, I want to do something custom.
I haven't done it today, but that's something you can do. And these are all in least effort to most effort. You can do the geo and IP restrictions. So like, hey, only this account is logging in from this server or colo or this location. Why does it need to be allowed to log in anywhere across the world, or things like that? So you can do restrictions.
Those will definitely help, at least be a tripwire as well, too, if someone logs in somewhere else and it's like, wait a minute, how did they get in with the MFA password, but they're logging in from, I don't know, Russia or something? Like, okay, well, we've got to look at this real quick. That's not right.
Limiting the browser extensions, like I mentioned, that was huge. There was a lot of shadow IT going on. There were a lot of really strange, weird extensions, I'll tell you that. There are some other alternatives, like risk-based reporting, but you do need additional licensing with Microsoft. And then lastly, the hybrid restriction. So having all those pieces in place, that's what I would recommend, long term, doing the hybrid restriction.
And unfortunately you can't... it depends on your environment. If you are fully cloud, it's a little bit harder to implement the hybrid because you do need on-prem AD for this to happen. So if you're both, it actually helps you a lot. For us, it was already hybrid. We weren't fully AD, we weren't fully in the cloud.
So it definitely helped out. Yeah, that's pretty much what I had. In terms of alternates, this is my LinkedIn. In terms of other alternate methods that you could do, like for fully cloud, you could do compliance policies or device compliance. You could move to phishing-resistant authentication, so like passkeys. I know the phishing kits don't necessarily support those today because it works differently.
You can do, what is it? Phishing resistance. Yeah. Another thing about passkeys as well is passkeys are good because they protect against those phishing services, but they don't protect you against malware. So that's another thing too: if some sort of malware gets on the device, well, I mean, they'll still steal the session that way too.
And then also, when I first deployed this policy, and it may be difficult if you want to go this route, I initially thought, well, let me just deploy this to admins or privileged users that we have. And our director at the time, I was talking to him about this and just bouncing ideas off of him. So he's like, why don't we just do this for everybody?
And I'm like, well, that's possible. It's going to take a lot more work, but it's definitely possible and it'll make us a lot more secure. So today this is for all of our users; the hybrid policy is applied for everyone, not just admins. But if you are in that bind where it's like, well, man, this is going to take a lot of work,
you can also do some of these restrictions or some of these policies and maybe just target them toward admins or high-level users as well. That's pretty much all that I had. If I keep going here, we just had some resources. If you're still on the Menti, you can click on it, I believe, but that's pretty much it.
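As an added illustration, not the presenter's code or Microsoft's policy engine, the following Python models the two controls the talk describes: the hybrid-join conditional access rule (Windows, Linux, macOS and unknown platforms must come from a hybrid-joined device; Android and iOS are out of scope) and the geo/IP tripwire for one account signing in from a handful of different IPs in a short window. The event field names, the trust-type string and the sign-in events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Platforms the talk puts in scope of the hybrid-join policy; Android and iOS
# are left out because they cannot be hybrid joined and would always be denied.
IN_SCOPE_PLATFORMS = {"Windows", "Linux", "MacOS", "Unknown"}
TRUSTED_JOIN = "Hybrid Azure AD joined"  # assumed trust-type label (constructed)

def evaluate_hybrid_policy(event):
    """Decide one sign-in under the hybrid-join conditional access rule.
    In-scope platforms must present a hybrid-joined device; mobile platforms
    fall through to other controls and are reported as out-of-scope."""
    if event["os"] not in IN_SCOPE_PLATFORMS:
        return "out-of-scope"
    return "allow" if event["trust"] == TRUSTED_JOIN else "block"

def detect_replay_spray(events, window=timedelta(hours=1), max_ips=3):
    """Tripwire for replayed sessions: one user, many distinct source IPs
    inside a short window. Returns {user: sorted list of IPs} for hits."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            # Distinct IPs seen from this event until the window closes.
            ips = {e["ip"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(ips) >= max_ips:
                flagged[user] = sorted(ips)
                break
    return flagged

# Constructed sample sign-in events mirroring the talk's incident: one
# hybrid-joined corporate sign-in, then replays from unjoined VMs elsewhere.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE = [
    {"user": "pm@example.com", "time": T0, "ip": "203.0.113.10", "os": "Windows", "trust": TRUSTED_JOIN},
    {"user": "pm@example.com", "time": T0 + timedelta(minutes=5), "ip": "198.51.100.7", "os": "Linux", "trust": ""},
    {"user": "pm@example.com", "time": T0 + timedelta(minutes=12), "ip": "198.51.100.9", "os": "MacOS", "trust": ""},
    {"user": "pm@example.com", "time": T0 + timedelta(minutes=20), "ip": "192.0.2.44", "os": "Windows", "trust": ""},
    {"user": "pm@example.com", "time": T0 + timedelta(minutes=30), "ip": "203.0.113.10", "os": "iOS", "trust": ""},
]

def triage(events):
    """Return per-event policy decisions and any spray alerts for a batch."""
    decisions = [(e["ip"], evaluate_hybrid_policy(e)) for e in events]
    return decisions, detect_replay_spray(events)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Note that the iOS event is neither allowed nor blocked by this rule, which is the gap the talk points out for mobile devices.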