In my day job I spend about 90% of my time on the red team, performing vulnerability assessment and penetration testing. The rest is spent on threat research, incident response, and digital forensics. Interacting with clients as a consultant I often hear what I term 'interesting' responses. When a penetration tester calls something interesting you should probably pay attention :)
Cheers,
Adrien de Beaupre 353 Posts ISC Handler May 22nd 2013
May 22nd 2013
Adrien, could you provide us with some links discussing these other problems you mention in the second paragraph? I know of at least one reader (who could that be?) that currently has some of those issues. It would be useful to see some discussion that would help justify fixing those problems.
JimC 17 Posts
May 22nd 2013
Hi Jim C, they are all interesting in that in my experience each has led to more than one significant breach. Either with me as a pentester, or as incident management lead. In all cases the client had a bad day. Each one is deserving of a diary article and lengthy discussion pro and con. Cheers, Adrien
Adrien de Beaupre 353 Posts ISC Handler
May 22nd 2013
The theme these days is hard exterior soft interior. Not applying priv escalation patches helps ensure you have a soft interior. With a hard exterior what makes a remote XP/Vista/7/8 vulnerability different than a local privilege escalation? No one from the internet can remotely hit the workstations to exploit them. The main attack vectors seem to be client side exploit or via email whether it exploits software or is just a malicious attachment. This leaves the attacker with the same access the user has, if the user is administrator then patching privilege escalation vulnerabilities probably isn't a priority. If the user is restricted then the next step is local priv escalation or exploit other hosts on the network which usually results in priv escalation.
Adrien de Beaupre 1 Posts
May 22nd 2013
Adrien,
Great posting. I think you address something that is at the heart of our challenge as InfoSec professionals: admins and other "IT Professionals" do not think past one-dimensional, single event/step issues. They often fail to see the 'domino effect' of single weaknesses, nor do they see the multiple vectors from which a vulnerability can be exploited. More than half our job is to educate data and system owners of these. InfoSec truly is a collaborative discipline.
IMFerret 10 Posts
May 22nd 2013
I think what's not being taken into account is patching and the other risks that are being considered. While it's easy enough to say that it's "interesting" someone would choose to prioritize a PE vulnerability as low, it might be in favour of remediating a critical vulnerability on an exposed host. The risk and likelihood of an exposed host being exploited would generally seem to be much higher. If it came down to a choice between fixing a PE vuln or a vuln which may allow something like SQLi, I think I would choose the latter and then follow up with the PE vuln afterwards. Risk versus reward. All vulnerabilities should be addressed, but unfortunately they have to be weighed; you have to do what you can to get the most bang for your buck in the enterprise.
If they choose to flat out not patch or mitigate the vuln at all... now that I would find interesting.
karttoon 2 Posts
May 22nd 2013
As a production server sysadmin my response to OS level privilege escalation is why bother. If they can get to the place where they can run code, by attacking the OS or the single application, they have the valuable data within their grasp without using it.
The production servers are isolated and even the interior is hard to get at because I went way out of my way to make it so. Compromising the domain controller (which is not under my control) will not easily breach the production servers, and unless the attacker has been here for a while he won't find out how. I worry more about certain engineers' workstations who haven't learned what it means to pick a strong password and have access to production.
karttoon 39 Posts
May 22nd 2013
@joshua: precisely. I gather the credentials/hashes/tokens/data by pillaging workstations. I don't hack the production servers. I just log in.
Adrien de Beaupre 353 Posts ISC Handler
May 22nd 2013
@Noot. Yes, there should be a conversation about risk, mitigation, cost, and level of effort. However in quite a few enterprises the decisions don't always follow a rational pattern when layer 8 gets in the way. Often leading to interesting decisions.
Adrien de Beaupre 353 Posts ISC Handler
May 22nd 2013
@Ferret. Yes, attackers understand island hopping, good pentesters can demonstrate real risk using creativity. A sysadmin might only understand their little piece of the pie.
Adrien de Beaupre 353 Posts ISC Handler
May 22nd 2013
@Adrien +1 to circumventing all that fancy production security with a legitimate login.
Adrien de Beaupre 3 Posts
May 22nd 2013
One of the worst things a pen tester can do is use that stupid "traffic light" of High (red), Medium (yellow) and Low (green) in the final report.
Too many people think Low (green light) means "Go!" or "I'm green and good to go" and they don't have to do anything. In this business "low" just means it might take a day or two to break in instead of a few minutes to an hour. Another worst thing is to not very explicitly spell out that you only tested a sample of the systems and every vulnerability found needs to be checked for on all systems. I can't tell you how many times I've heard from people "All we have to do is close the finding. Those other systems aren't part of the finding." And then we have the same finding a year later on different systems, some new and some old.
Anonymous
May 22nd 2013
In terms of vulnerability assessments, the most important part of the process is not the one-time patching/hardening of systems to address findings in a report... but instead, having a process in place that assesses and mitigates vulnerabilities on an on-going/routine basis. When I conduct a security assessment and the result is a report full of findings, I focus on implementing a vulnerability management process... not patching/mitigating each individual vulnerability. In theory, once the process is in place, the mitigation of vulnerabilities will become a natural part of the process. Of course, you will want to mitigate any critical findings, but the focus must remain on implementing a vulnerability management/security process.
You can score 100% in a security assessment report (no findings) but then fail 6 months later. This quickly becomes a numbers game and is futile. The most important aspect of this is to manage security on an on-going basis and not a one-time basis.
da1212 69 Posts
May 22nd 2013
@JJ 3 words: scope, scope, scope.
@Jacl: Good point!
Adrien de Beaupre 353 Posts ISC Handler
May 23rd 2013
Drives me crazy to see priv esc listed as less critical. I think this should be classified as critical or at least important.
@Miss_Sudo 12 Posts
May 24th 2013
@Joshua, re: "Compromising the domain controller (which is not under my control) will not easily breach the production servers"
That's interesting. Compromising the domain controller implies that the password hashes for all users may be known by the attacker. Compromising the domain controller implies that the intruder may tamper with group policy settings to ensure that targeted keylogger malware gets deployed. If you're thinking compromise of the domain does not lead to possible compromise of any machine on that domain, I would hazard a guess that you are insufficiently imaginative.
Mysid 146 Posts
May 25th 2013
@Mysid: Agreed.
Even if the production servers weren't joined to the domain the attackers would just move laterally to them anyway. That lateral movement would almost certainly involve privilege escalation at some point.
Mysid 3 Posts
May 26th 2013
Anyone who understands "defense in depth" also understands why they should care about vulnerabilities which can lead to a privilege escalation. The reverse is also true ;)
beamer 12 Posts
May 27th 2013