the past present future of enterprise security
play

THE PAST, PRESENT & FUTURE OF ENTERPRISE SECURITY THE GOLDEN - PowerPoint PPT Presentation

Jan 29, 2023 •257 likes •657 views

THE PAST, PRESENT & FUTURE OF ENTERPRISE SECURITY THE GOLDEN AGE OF ATTACK AUTOMATION Marcello Salvati - @byt3bl33d3r - https://github.com/byt3bl33d3r - Lead researcher @coalfirelabs - Years of experience building open source security

  1. THE PAST, PRESENT & FUTURE OF ENTERPRISE SECURITY THE ‘GOLDEN AGE’ OF ATTACK AUTOMATION

  2. Marcello Salvati - @byt3bl33d3r - https://github.com/byt3bl33d3r - Lead researcher @coalfirelabs - Years of experience building open source security tools

  3. Enterprise Security 0x0 It’s big. It’s a thing. It’s a problem. It’s complicated.

  4. Challenges ◦ Huge networks o A lot of times ‘inherited’ from acquisitions o Lack of visibility, inventory, patch management, documentation ◦ Security vs. business continuity o Limited budgets for security o Non-effective communication o Often investing in products, not people o Legacy system(s), application(s) We can be here all week talking about this…

  5. The typical corporate network

  6. Realistically… .

  7. The Past 0x1 Pre-PowerShell Era

  8. Lack of tooling and tradecraft... … especially for very large networks ◦ Usually, most post-exploitation tools were just wrappers ◦ In dire need of automated situational awareness ◦ Implants usually all touched disk

  9. The Game Changers ◦ Mimikatz o https://github.com/gentilkiwi/mimikatz ◦ SMBExec o https://github.com/brav0hax/smbexec ◦ Responder o https://github.com/lgandx/Responder

  10. Icing on the cake ◦ PowerShell… omfg o Defcon 18 o David Kennedy, Josh Kelly

  11. The Present 0x2 PowerShell Era

  12. PowerShell, PowerShell, PowerShell… o Built into every Windows OS by default o Extremely powerful as it allows full dynamic access to .NET o PowerShell < V4.0 had no protections in place for in-memory script execution o Has built in features that can be abused by attackers Needless to say, this was the dream (or nightmare) …

  13. The Game Changers V2.0 ◦ Powerview & PowerSploit o https://github.com/PowerShellMafia/PowerSploit ◦ Empire o https://github.com/EmpireProject/Empire ◦ BloodHound/Sharphound o https://github.com/BloodHoundAD/BloodHound o https://github.com/BloodHoundAD/SharpHound

  14. Big networks & limited time? Not an issue! ◦ CrackMapExec o https://github.com/byt3bl33d3r/CrackMapExec Own an entire subnet in minutes !

  16. Why not automate the entire process ? ◦ DeathStar o https://github.com/byt3bl33d3r/DeathStar o GoFetch o https://github.com/GoFetchAD/GoFetch Need to automate getting a foothold? o IceBreaker o https://github.com/DanMcInerney/icebreaker

  18. This sounds familiar… https://byt3bl33d3r.github.io/autom ating-the-em pire-with-the-death-star-getting-dom ain-adm in-with-a-push-of-a-button.htm l

  20. Called it? https://www.crowdstrike.com /blog/fast-spreading-petrwrap-ransom ware-attack-com bines-eternalblue-exploit-credential-stealing/

  21. The Very Near Future 0x3 (arguably the present) C#/.NET

  22. The attacker’s creed

  23. The Power in PowerShell… …comes from dynamically calling .NET! Can we do this without going through PowerShell?

  24. A perfect example ◦ DotNetToJScript o https://github.com/tyranid/DotNetToJScript

  25. Something may be in the works J

  26. C#/.NET ! ◦ Quick Retooling in .Net for Red Teams o Circle City Con 2018 o @Op_Nomad o https://github.com/dsnezhkov/typhoon

  27. Let’s talk mitigation 0x4 (A.K.A things you can do right after this talk to harden your network)

  28. Start with the basics Don’t have an account lockout policy, segmentation, host isolation and inventory?

  29. SMB Signing One of the most overlooked and underrated AD security settings…

  30. SMB Signing Following key needs to be set EVERYWHERE: o HKLM\System\CurrentControlSet\Services\LanManServer\Parame o ters\RequireSecuritySignature Test in lab before deploying to all systems! o Difficulty: EASY PEASY Breaks Stuff: MAYBE

  31. Situational Awareness Most of this functionality is considered a feature not a bug and is o still there mainly for backwards compatibility reasons (a.k.a. Microsoft's Curse) There are some TechNet PS scripts which allow you to harden o session enumeration and SAMR remote access (shoutout to @ItaiGrady <3): https://gallery.technet.microsoft.com/SAMRi10-Hardening- o Remote-48d94b5b https://gallery.technet.microsoft.com/Net-Cease-Blocking- o Net-1e8dcb5b If anyone has any pro-tips on how to mitigate AD information o gathering on the cheap would love to hear it :) Difficulty: HARD Breaks Stuff: MAYBE

  32. Domain Privesc By far, the most common way I’ve found to escalate privileges is to look for passwords in SYSVOL & GPP

  33. Domain Privesc o Install KB2962486 on every computer used to manage GPOs which prevents new credentials from being placed in Group Policy Preferences. o https://support.microsoft.com/en- us/kb/2962486 o Delete existing GPP xml files in SYSVOL containing passwords. o Don’t put passwords in files that are accessible by all authenticated users. Difficulty: EASY\MODERATE Breaks Stuff: NO

  34. Cleartext Passwords in Memory This attack can’t be performed on Windows 2012R2+ and o Windows 8.1+. On older systems KB2871997 should be installed o EVERYWHERE https://support.microsoft.com/en-us/kb/2871997 o The following registry should be set EVERYWHERE and o monitored: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Cont rol SecurityProviders\WDigest\UseLogonCredential: Value 0 (REG_DWORD) Your Administrators should have a separate workstation o for their administrative activities! Difficulty: EASY Breaks Stuff: NO/MAYBE

  35. Local Administrator Accounts Here’s a good example of what NOT to do:

  36. Local Administrator Accounts Microsoft LAPS: o https://www.microsoft.com/en-us/download/details.aspx?id=46899 o https://adsecurity.org/?p=1790 o Difficulty: MODERATE Breaks Stuff: NO

  37. Conclusion 0x5

  38. Thanks! ANY QUESTIONS? You can find me at: @byt3bl33d3r byt3bl33d3r@pm.me

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Enterprise Integration: The Past, Present and Future Senaka Fernando Solutions Architect, WSO2

Enterprise Integration: The Past, Present and Future Senaka Fernando Solutions Architect, WSO2

Enterprise Integration: The Past, Present and Future Senaka Fernando Solutions Architect, WSO2 (UK) Agenda o Enterprise Integration from 2006 2026 o State of Integration in 2016 examples from typical organizations o Meeting Challenges

251 views • 24 slides
VA Psychology Leadership Conference y gy p PAST PRESENT &amp; FUTURE FOR VHA: PAST, PRESENT

VA Psychology Leadership Conference y gy p PAST PRESENT &amp; FUTURE FOR VHA: PAST, PRESENT

VA Psychology Leadership Conference y gy p PAST PRESENT &amp; FUTURE FOR VHA: PAST, PRESENT &amp; FUTURE FOR VHA: THE REALIGNMENT IN CENTRAL OFFICE May 18, 2011 y , George W. Arana, MD Acting Assistant Deputy Under Secretary for Health g p

510 views • 32 slides
The Past, Present and Future of Irish Agriculture Brendan Kearney The Past, Present and Future of

The Past, Present and Future of Irish Agriculture Brendan Kearney The Past, Present and Future of

The Past, Present and Future of Irish Agriculture Brendan Kearney The Past, Present and Future of Irish Agriculture Changing role in the economy Main policy developments and output/ income trends Changing structure and performance

852 views • 17 slides
50 Years after Silent Spring : The Past, Present and Future of the Global Chemical Enterprise An

50 Years after Silent Spring : The Past, Present and Future of the Global Chemical Enterprise An

50 Years after Silent Spring : The Past, Present and Future of the Global Chemical Enterprise An Overview of Green Chemistry in the Pharmaceutical Industry: Pfizer and the ACS Green Chemistry Institute Pharmaceutical Roundtable Berkeley W. Cue, Jr.,

559 views • 18 slides
CUPA - RIO GRANDE CHAPTER ACA (PAST, PRESENT AND FUTURE) Agenda 1. ACA Foundations 2. Past -

CUPA - RIO GRANDE CHAPTER ACA (PAST, PRESENT AND FUTURE) Agenda 1. ACA Foundations 2. Past -

CUPA - RIO GRANDE CHAPTER ACA (PAST, PRESENT AND FUTURE) Agenda 1. ACA Foundations 2. Past - The Early Days 3. Present - Current State 4. Future Whats Next 5. Solutions ACA Compliance Tools 6. Question and Answer Jeff Taylor

373 views • 19 slides
Past, Present and Future of IoT Device Prototyping Bjoern Hartmann Intel/NSF CPS-Security Final

Past, Present and Future of IoT Device Prototyping Bjoern Hartmann Intel/NSF CPS-Security Final

Past, Present and Future of IoT Device Prototyping Bjoern Hartmann Intel/NSF CPS-Security Final PI Meeting Stanford, CA July 13, 2018 How Technologies Take Off: The Web Source:Pingdom/Linda Carroll What Made the Web Take Off? Lots of

777 views • 56 slides
20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About

20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About

About Past Present Future 20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About Introduction Design Concepts Past Userland Present Kernel Self-Protection Toolchain Support Future Userland

803 views • 40 slides
Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing gives rest but the sincere search for truth. -Pascal Greetz from Room 101 Kenneth Geers 1984 # Nineteen Eighty-Four (Orwell) # Govt IW vs own

1.03k views • 77 slides
a review of the evidence Maarten Goos The past, present and future The past (1820-1980):

a review of the evidence Maarten Goos The past, present and future The past (1820-1980):

How the world of work is changing: a review of the evidence Maarten Goos The past, present and future The past (1820-1980): Industrial Revolution results in skill-upgrading and decreasing inequality . The present (after 1980):Computer

337 views • 18 slides
Yhc: Past, Present, Future Neil Mitchell The Past Started by Tom, fork of nhc He

Yhc: Past, Present, Future Neil Mitchell The Past Started by Tom, fork of nhc He

Yhc: Past, Present, Future Neil Mitchell The Past Started by Tom, fork of nhc He didnt tell anyone! Some students found out Me, Andrew, Mike, Bob Started helping seemed fun Never an official York project The

266 views • 5 slides
Past, present and future of CSCL Gerry Stahl 3 Parts of Talk Past:TheRootsofCSCL

Past, present and future of CSCL Gerry Stahl 3 Parts of Talk Past:TheRootsofCSCL

Past, present and future of CSCL Gerry Stahl 3 Parts of Talk Past:TheRootsofCSCL (expandingvision) Present:Alternativeapproaches withinCSCL (multiple analytic voices)

625 views • 33 slides
Future of Philanthropy: Trends to Watch Those who only look to the past or present are

Future of Philanthropy: Trends to Watch Those who only look to the past or present are

Future of Philanthropy: Trends to Watch Those who only look to the past or present are certain to miss the future. -John F. Kennedy Huge Leaps in Health Civil Society Freedoms Challenged Growth of Impact Investing Equity as a Superior

424 views • 16 slides
The Past, Present, and Future of the R Project Kurt Hornik Kurt Hornik useR! 2008 The Past,

The Past, Present, and Future of the R Project Kurt Hornik Kurt Hornik useR! 2008 The Past,

The Past, Present, and Future of the R Project The Past, Present, and Future of the R Project Kurt Hornik Kurt Hornik useR! 2008 The Past, Present, and Future of the R Project Prehistory of R: S v1 19761980 Honeywell GCOS,

649 views • 29 slides
Prometheus Histograms Past, Present, and Future Bjrn Beorn Rabenstein PromCon EU,

Prometheus Histograms Past, Present, and Future Bjrn Beorn Rabenstein PromCon EU,

Prometheus Histograms Past, Present, and Future Bjrn Beorn Rabenstein PromCon EU, Munich 2019-11-08 This is not a Howto. Visit https://prometheus.io/docs/practices/histograms/ instead The Past The Past The Present The

562 views • 35 slides
ISOBUSs Past, Present and Future role in Agricultural Robotics and Automation Benjamin

ISOBUSs Past, Present and Future role in Agricultural Robotics and Automation Benjamin

Introduction Precision Farming TIM AgRA Present Future Conclusion References ISOBUSs Past, Present and Future role in Agricultural Robotics and Automation Benjamin Fernandez Universidad Nacional de Educacin a Distancia (UNED)

960 views • 42 slides
Innovation Parks: Past, Present, Future Applied Solutions Coalition Santa Fe Workshop October,

Innovation Parks: Past, Present, Future Applied Solutions Coalition Santa Fe Workshop October,

Innovation Parks: Past, Present, Future Applied Solutions Coalition Santa Fe Workshop October, 2009 Innovation Parks: Past, Present, Future Applied Solutions Coalition Thematic overview: Past: Fixed asset focus Present: Vertical

352 views • 16 slides
Quantifying the Impact of Natural Disasters The case of Typhoon Damrey 2005 in Vietnam Henrik

Quantifying the Impact of Natural Disasters The case of Typhoon Damrey 2005 in Vietnam Henrik

Quantifying the Impact of Natural Disasters The case of Typhoon Damrey 2005 in Vietnam Henrik Hansen Department of Economics Le Dang Trung Independent Consultant, HCMC UNU-WIDER Conference: Responding to Crises 23/09/2016 2 Background

612 views • 17 slides
Panel Discussion 1 Build Back Better for Urban Resilience 1 2 UN

Panel Discussion 1 Build Back Better for Urban Resilience 1 2 UN

Panel Discussion 1 Build Back Better for Urban Resilience 1 2 UN Conference on Housing and Sustainable Urban Development (Habitat III), in Quito Ecuador, in October 2016 Proclaimed We commit ourselves to strengthening

806 views • 10 slides
Climate Change: The Latest Science, Why Its Serious, What We Can Do About It September 8,

Climate Change: The Latest Science, Why Its Serious, What We Can Do About It September 8,

Climate Change: The Latest Science, Why Its Serious, What We Can Do About It September 8, 2015 Chuck Kutscher National Renewable Energy Laboratory Note: Any opinions expressed are my own. Part 1. The Latest Science

1.44k views • 115 slides
Humanitarian Programme Cycle (HPC) Overview. pacifichumanitarian.info #phtpacific Context

Humanitarian Programme Cycle (HPC) Overview. pacifichumanitarian.info #phtpacific Context

Humanitarian Programme Cycle (HPC) Overview. pacifichumanitarian.info #phtpacific Context The State has the primary responsibility to assist and protect people affected by emergencies. The humanitarian community has an essential role to

683 views • 16 slides
Extreme cold start-up validation of wind turbine components by the use of a large climatic test

Extreme cold start-up validation of wind turbine components by the use of a large climatic test

Extreme cold start-up validation of wind turbine components by the use of a large climatic test chamber by pieterjan.jordaens@owi-lab.be www.owi-lab.be Understanding the topic: Why climate chamber testing? Wind turbines are installed word wide

758 views • 39 slides
Head of Secondary Mr Simon Oakley Y7 Meet the Tutor Evening Y7 Meet the Tutor Year Group

Head of Secondary Mr Simon Oakley Y7 Meet the Tutor Evening Y7 Meet the Tutor Year Group

Head of Secondary Mr Simon Oakley Y7 Meet the Tutor Evening Y7 Meet the Tutor Year Group Leader: Morag Armstrong marmstrong@dbis.edu.hk Y7 Meet the Tutor Evening Work Hard, Be Nice Y7 Meet the Tutor Evening Break/Lunch Areas Secondary

471 views • 7 slides
Firms Ed Glaeser and Mike Luca Harvard University based on work with Zoe Cullen, Chris Stanton,

Firms Ed Glaeser and Mike Luca Harvard University based on work with Zoe Cullen, Chris Stanton,

Plagues, Cities and Small Firms Ed Glaeser and Mike Luca Harvard University based on work with Zoe Cullen, Chris Stanton, Marianne Bertrand, Alex Bartik A Staggering Economic Dislocation Farm to Factory to Urban Service Workers: to Extreme

640 views • 24 slides
Generic programming and library development Topics today: Tuples (and type mappings) Sources:

Generic programming and library development Topics today: Tuples (and type mappings) Sources:

Generic programming and library development Topics today: Tuples (and type mappings) Sources: [Vandevoorde and Josuttis 2003] 21 (see also 19, 13.10, and 15.2) [Karlsson 2005] 8 [Jaakko J arvi, Tuple types and

734 views • 34 slides

More recommend