Founder of Thinkst, Haroon Meer talks with Kim Carter about network security. Topics include how attackers are gaining footholds into our networks, moving laterally, infilling malware and exfilling our precious data; why we care; and clear advice on what we software engineers can do about it. Areas of information security are merging, network security is now the responsibility of the software engineer, as we create networks via Infrastructure as Code (IaC). Attackers are still using the simplest strategies to gain footholds, such as social engineering and password reuse. Kim and Haroon discuss how most attacks still leverage people inside an organization — whether intentionally or inadvertently assisting – and techniques of post exploitation, and how software engineers can help slow down such attacks.
What’s changed with computer network security over the last five to ten years?
Has this shifted the reliance that your average attacker used to have on network security exploitation skills to other areas such as cloud services, application security, and of course people, and how so?
According to FBI investigators, the likely avenue of infiltration of the Yahoo internal network was with a spear phishing email to a semi-privileged unsuspecting/inadvertent Yahoo employee.
The successful spear phish allowed the attackers direct access to Yahoo’s internal network…
What are your thoughts about the fact that the attacker just about always still needs a network in order to access their target, whether the initial foothold be physical, people, VPSs, network components, cloud resources, mobile or IoT devices?
In high security environments, unlike Yahoo, what I’ve found is that many of the common application security defects and attacks don’t work, and the attacker has to resort to attacking hosts, networks, physical premises and of course people, as in social engineering them. Can you explain your experience around how high security environments differ from the average or low security environments?
What do Software Engineers now need to understanding about computer network technologies in order to mitigate attackers using them as a channel to assist exploiting areas of a business and gaining access to their assets?
Let’s discuss the Fortress or Candy Bar mentality.
This is where organisations believe that all of their attackers are on the outside of the organisation, and those on the inside are trustworthy. What are your thoughts around this?
IBM X-Force - Cyber Security Intelligence Index researches a large number of organisations each year, and they’ve extracted some interesting data:
55% of all attacks were carried out by insiders
31.5% were malicious inside actors
23.5% were inadvertent inside actors
60% of all attacks were carried out by insiders
44.5% were malicious inside actors
15.5% were inadvertent inside actors
30% of all attacks were carried out by insiders
7% were malicious inside actors
23% were inadvertent inside actors
The Yahoo data breach and many others every day confirm that a large percentage of all security breaches come from within the organisations walls…
Do you think that this is an indicator that our workers are succumbing to an increased number of social engineering attacks by outside attackers attempting to get their payloads inside the organisation’s networks?
What are your thoughts around establishing a perimeterless network culture, where all components are treated as though they are directly accessible from the Internet?
How do we go about achieving this
For our listeners, can you define what command and control is?
How do we stop insiders and outsiders connecting to our network access points and proliferating malware, C2 (define C2) clients, etc onto our corporate networks?
How can we stop our transient staff from picking up malware at home or on the road and then propagating it on our corporate networks?
Creating perimeterless networks can be evolutionary. Until we get to that point, segmentation can help us by allowing us to harden sections of our networks at a time. It also provides us with levels of isolation for critical services.
Can you explain what network segmentation is, and what are some of the risks likely to occur if well thought out segmentation is not implemented?
Apparently most of our IoT devices need to have internet access, one of the problems here is that there is little to no thought to building security into the components and the devices as a whole. How would we apply network segmentation to these devices, would it improve the security issues we have with IoT, if so, how?
If you don’t have visibility as to what’s happening on your network at all levels, then chances are things are happening that you don’t want happening. There are known attacks that target each of the network layers. What are some of the attacks that we need visibility on?
What are some of the techniques and practises for creating visibility on the different levels?
Where aboustwhere can we set-up network logging?
How do we make sure those logs are reliable and have not been tampered with?
What are some of the infiltration, exfiltration techniques and tools commonly used?
(Dropbox, physical, mobile phone data, DNS/SSH)
Let’s say you’re hired as a penetration tester to hack a security conscious organisation and steal their data, a bank for example. The organisation has no public internet facing application that has access to the internal organisations data. The only means of egress is via a very restrictive proxy. Assuming we know where the data is, how would we go about exfiltrating the data?
What are some of the countermeasures we could put in place to mitigate the different techniques for infiltration and exfiltration?
What could Yahoo have done to:
Slow down the exfiltration of 1 billion user accounts in 2013 & 500 million user accounts in 2014?
Protect the secrets, namely MD5 passwords that were exfiltrated in 2013?
A very common technique for attackers wishing to get their malicious scripts into the end users browser is by intercepting the request and swapping parts of the response with their malicious scripts. What are some of the evils an attacker may be able to have executed in the end user’s browser?
The most effective targeted attack techniques today are still the simple password stealing, spear phishing (as with Yahoo), web shells, social media and weaponised documents. Most of which have a reliance on network vulnerabilities somewhere. What are the network security vulnerabilities that allow these types of attacks?
Another incident that affected Yahoo involved the attackers forging cookies, rather than requiring passwords as a way to break into user accounts, 32 million user accounts were affected using this technique. This was due to the fact that the attacker had the cookie creation code that didn’t even need a password, so this sounds like defective code? Application security?
What other types of networks do you think we as Software Engineers should be concerned about in order to mitigate attacks via these mediums?
Technologist / Engineer, Information Security Professional
Technologist / Engineer, Information Security Professional, Entrepreneur and the founder of BinaryMist Ltd and PurpleTeam-Labs. Ex OWASP NZ Chapter Leader of eight years. Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 20 years of commercial industry experience across many domains.