April 26, 2019

Money != Security

Money != Security

As a proactive consultant who visits a variety of corporations on a monthly basis, and who has spent considerable time in the bowels of the government, I would like to highlight a few bad trends which are found consistently across the corporate and gov space.

This article is addressing people within an organization which can implement change, such as IT managers, CISO’s, etc.

1.) Too much focus on the perimeter/firewall at the cost of endpoint visibility

This one is very common, and I get it. That doesn’t mean I agree with it. Many organizations are focused on hunting through firewall logs, getting threat Intel on IP addresses that scanned the firewall from Chinese IP space, and are doing sweeps for every domain that DHS listed as “bad” in some indicator threat feed.

I am not saying that there isn’t value in hunting at the perimeter, BUT that is something that should be done by a mature organization that has their shit down internally.

If you are trying to use Maltego to find a third degree relationship to APTXXX from your fancy passive DNS subscription, but can’t even get logs off your workstations, then you are mis-aligning your priorities and resources.

If you are complaining that you are tearing through your XX TB Splunk license and you cannot do a lookup to see who RDP’d to your domain controllers in the past week, or find out what workstations executed a PowerShell one liner, consider rethinking your logging strategy.

2.) Antivirus is set and forget

Antivirus (AV) is not going to catch a lot of bad stuff, and it isn’t a replacement for an advanced EDR solution, but it does catch some stuff.

If you have AV on your endpoints and alerts are not getting ingested into the corporate SIEM, you are missing out on valuable warnings which could be tripped at any stage of an attack. Too many orgs consider an AV alert that has the threat “quarantined” to be a closed deal. This should be the first indicator that a full investigation needs to be kicked off immediately. A stray AV alert on a server should be an all hands on deck red alert, not a closed ticket.

An example of how this can bite you in the ass: On a recent engagement I had a credential dumping utility get caught by AV on a workstation with a valid Enterprise Admin session I was trying to compromise. I had renamed the malicious utility, “putty.exe”, and after my utility got quarantined I soldiered on and used a different utility which got me the Enterprise Admin credentials from memory. When I asked about the AV alert during the outbrief with the IT staff, the admin stated, “I thought it was weird that AV alerted on “putty.exe”, I use that all the time. I just ignored it.”

Don’t do that.

3.) Staff with no interest in security

This one is probably the biggest problem with many smaller companies that don’t have technical staff capable of differentiating solid hires from bullshitters during the hiring process. Companies hire network engineers, sysadmins, and maybe one or two people with the word “security” in their title that took a few certs, and maybe a SANS boot camp that their previous employer paid for. That is fine, and nothing is wrong with either of those classes/exams.

However, if you are hiring “security” people that don’t attend conferences (including on their own dime), don’t read and/or write on blogs, and don’t try to learn on their own, you just hired a security person that will be woefully behind in short order if they aren’t already.

Unlike some other professions, security is a constantly changing field and it is very hard to stay relevant if you are not interested. Generally speaking I have found that If you do not hire someone interested in security, they will not be effective at their job duties.

Interviewing Advice: Ask ANY potential security hire to talk about Mimikatz as a baseline question before continuing. Mimikatz has been around for long enough and is prolific enough that if they do not know at least a brief summary of the tool, then they likely are not interested in security outside of the larger paychecks it can generate.

I repeat. If they say they are a “computer security person” and they do not know about Mimikatz they are either A.)Fresh off a spaceship and you should probably ask for their immigration policy so you can leave with them, or B.) A bullshitter looking to cash in on the lofty security salaries.