Briefly Briefed: Newsletter 18# (10/01/24)
“Welcome to our Family, loyal friends and associates.”
This is week #18 of the ‘Briefly Briefed:’ newsletter. A big welcome to new subscribers, and many thanks to those who continue to read.
My ‘if you only read two’ recommendations for the week are:
Why Red Teams Can't Answer Defenders' Most Important Questions by Jared Atkinson
“Goodbye, my sweet friend.”
Meme of the Week:
The article offers a roadmap using a crawl, walk, run approach to boost an organisation's cloud security maturity. It outlines a step-by-step method to automate security in the cloud, focusing on maximising the use of AWS services and features. The guide aims to help organisations understand cloud challenges and opportunities and progress swiftly with AWS.
The crawl, walk, run methodology is broken down into six stages: plan, build, assess, operationalise, mature, and optimise. Each stage represents a phase in enhancing cloud security, from initial planning and building a foundation (crawl), to operationalising and maturing processes (walk), and finally optimising through assessment and automation (run).
There’s a huge amount of information provided by AWS on these pages. I like that it’s iterative and demonstrates understanding of a non-cloud-native adoption path.
Hunting M365 Invaders: Blue Team's Guide to Initial Access Vectors by Mauricio Velazco (Splunk)
The post sets out why securing Microsoft 365 (M365), where Entra ID provides identity and access management, matters. It argues that initial access, the first foothold an attacker establishes, is the critical stage, especially in the cloud, where identity has become the security perimeter: a single compromised account is the starting point for further exploitation and data exfiltration.
The Splunk Threat Research Team gives an overview of the data sources available for M365 monitoring, principally the Unified Audit Log (UAL) and the Azure AD (now Entra ID) sign-in and audit logs. Each serves a different purpose and gives distinct visibility into user activity and authentication events, so both are needed for effective threat detection.
The post then walks through common initial-access techniques against M365 tenants, such as password spraying and illicit consent grants, shows how to simulate them, and details how security teams can detect them in Splunk. It also stresses that building robust detection analytics for M365 depends on understanding both the UAL and the Azure AD log formats.
This post may be particularly interesting for CTI analysts, detection engineers or SOC analysts. It’s Splunk-centric (as you’d expect), but does contain lots of useful tips, which are applicable to other SIEM platforms. Effective logging for IAM is absolutely core to an effective monitoring strategy.
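As an added illustration of the two detections mentioned above (this is my own example, not code from the Splunk post or the Splunk Threat Research Team), here is the same logic in Python run over a handful of constructed Entra ID sign-in records and UAL consent records. The field names follow the real schemas where I am confident of them; the records, the thresholds and the flattened "ConsentAction.Permissions" string are assumptions made for the example.

```python
# Added example, not code from the Splunk post or the Splunk Threat Research Team.
# It runs two of the detections discussed above over constructed Entra ID sign-in
# records and Unified Audit Log (UAL) consent records. Field names follow the real
# schemas where I am confident of them; the records, thresholds and the flattened
# "ConsentAction.Permissions" string are assumptions made for the example.
from collections import defaultdict
from datetime import datetime, timedelta

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _signin(t, upn, ip, code):
    # errorCode 50126 = invalid username or password, 0 = success (real Entra codes)
    return {"createdDateTime": t, "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code}}

# Constructed sign-ins: one IP walks five accounts with one password and gets a hit on
# dave; another IP is just alice mistyping her password twice.
SIGNIN_LOGS = [
    _signin("2024-01-09T10:00:00Z", "alice@corp.example", "203.0.113.7", 50126),
    _signin("2024-01-09T10:01:00Z", "bob@corp.example", "203.0.113.7", 50126),
    _signin("2024-01-09T10:02:00Z", "carol@corp.example", "203.0.113.7", 50126),
    _signin("2024-01-09T10:03:00Z", "dave@corp.example", "203.0.113.7", 50126),
    _signin("2024-01-09T10:04:00Z", "erin@corp.example", "203.0.113.7", 50126),
    _signin("2024-01-09T10:06:00Z", "dave@corp.example", "203.0.113.7", 0),
    _signin("2024-01-09T10:00:30Z", "alice@corp.example", "198.51.100.2", 50126),
    _signin("2024-01-09T10:01:10Z", "alice@corp.example", "198.51.100.2", 50126),
    _signin("2024-01-09T10:02:00Z", "alice@corp.example", "198.51.100.2", 0),
]

def detect_password_spray(logs, window=timedelta(minutes=10), min_users=5):
    """Per source IP, look for a window in which failed logons hit >= min_users distinct
    accounts (a low-and-slow spray needs a longer window and a baseline). A success
    from the same IP after the spray started marks a probable compromise."""
    by_ip = defaultdict(list)
    for rec in logs:
        by_ip[rec["ipAddress"]].append(rec)
    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: _ts(r["createdDateTime"]))
        failures = [r for r in recs if r["status"]["errorCode"] == 50126]
        for i, first in enumerate(failures):
            t0 = _ts(first["createdDateTime"])
            in_window = [r for r in failures[i:] if _ts(r["createdDateTime"]) - t0 <= window]
            users = {r["userPrincipalName"] for r in in_window}
            if len(users) < min_users:
                continue
            successes = {r["userPrincipalName"] for r in recs
                         if r["status"]["errorCode"] == 0 and _ts(r["createdDateTime"]) >= t0}
            alerts.append({"ip": ip, "first_seen": first["createdDateTime"],
                           "targeted_users": sorted(users),
                           "compromised": sorted(users & successes)})
            break  # one alert per IP is enough for this example
    return alerts

# Constructed UAL records for the "Consent to application." operation (the real
# operation name). IsAdminConsent = False means an ordinary user granted the app
# access to their own data, which is exactly what an illicit consent grant phish needs.
UAL_LOGS = [
    {"Operation": "Consent to application.", "ResultStatus": "Success",
     "UserId": "dave@corp.example", "Target": [{"ID": "Mail Exporter Pro"}],
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
         {"Name": "ConsentAction.Permissions",
          "NewValue": "Mail.Read, Mail.ReadWrite, offline_access"}]},
    {"Operation": "Consent to application.", "ResultStatus": "Success",
     "UserId": "admin@corp.example", "Target": [{"ID": "Corporate Intranet"}],
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "True"},
         {"Name": "ConsentAction.Permissions", "NewValue": "User.Read"}]},
]

# Delegated scopes that let an app read or keep access to user data; tune to taste.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
                "Contacts.Read", "offline_access"}

def detect_illicit_consent(records):
    """Flag successful user (non-admin) consents that grant any risky delegated scope."""
    alerts = []
    for rec in records:
        if rec["Operation"] != "Consent to application." or rec["ResultStatus"] != "Success":
            continue
        props = {p["Name"]: p["NewValue"] for p in rec["ModifiedProperties"]}
        scopes = {s.strip() for s in props.get("ConsentAction.Permissions", "").split(",")}
        risky = scopes & RISKY_SCOPES
        if props.get("ConsentContext.IsAdminConsent") == "False" and risky:
            alerts.append({"user": rec["UserId"], "app": rec["Target"][0]["ID"],
                           "risky_scopes": sorted(risky)})
    return alerts

if __name__ == "__main__":
    for alert in detect_password_spray(SIGNIN_LOGS) + detect_illicit_consent(UAL_LOGS):
        print(alert)
```

The spray logic keys on distinct accounts per source rather than failures per account, which is what makes a spray look different from a user fat-fingering their password; in a SIEM you would tune the window and threshold against your own baseline, and the consent detection is the kind of thing that deserves a block on user consent at the tenant level rather than just an alert.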
NIST is working with various stakeholders to develop voluntary guidance for managing cybersecurity and privacy risks in genomic data, creating frameworks and guidelines for organisations that handle it. NIST's National Cybersecurity Center of Excellence (NCCoE) has published the final version of NIST IR 8432, "Cybersecurity of Genomic Data", which outlines current practices, challenges and solutions for securing genomic data. The draft of NIST IR 8467, "Cybersecurity Framework Profile for Genomic Data", is under revision following public feedback. NIST is also developing a Privacy Framework Profile for genomic data, its first foray into this specific area of privacy. These profiles aim to enhance, not replace, the existing cybersecurity and privacy standards used by organisations dealing with genomic data.
This post is more of a curiosity than an essential read (unless you work in genomics!). An area in the draft which I found particularly interesting was the walk-through of creating a genomics-specific ‘profile’ within the NIST Cybersecurity Framework (CSF). If you’ve not looked at profiles before, they’re one of the best features within the NIST CSF, as they provide extensibility. Profiles are a method to create customised instantiations of the CSF, extending the framework to meet individual or sector needs. The profiles for manufacturing and financial services are particularly advanced; you can browse examples here.
Why Red Teams Can't Answer Defenders' Most Important Questions by Jared Atkinson
The post argues that red-team assessments are limited in what they can say about the effectiveness of defences. Drawing on Alfred Korzybski's idea that the map is not the territory, Jared posits that cybersecurity models, red-team assessments included, do not capture the full complexity of real-world threats. Red teams test specific attack techniques, which leaves defenders uncertain about how their controls would fare against the techniques that were not tested. This narrow focus gives an incomplete picture of an organisation's security posture and can create a false sense of security.
Jared highlights the sheer number of attack variants, with some techniques having thousands or even millions of variations, making comprehensive testing impractical. He suggests that security professionals should not solely rely on vendors but verify their claims. The article proposes that testing a representative sample of attack variants could be more effective. It also discusses the potential of purple teams, which combine red and blue team efforts, but notes that even this approach needs to evolve. The challenge lies in building accurate test cases that encompass a broad spectrum of attack possibilities, a task that the cybersecurity industry is still grappling with.
I totally agree with Jared’s points in this short article. The utility of red teaming engagements is limited with respect to establishing the efficacy of your detection efforts. In my view, there are generally only three use cases for a pure red team assessment: a.) regulatory requirements, b.) scare the sh*t out of the exco/board to bring attention to security standards, and c.) you’re REALLY advanced in your security and feel you can mount an active defence. In my experience, purple teaming engagements (utilising some form of automation) offer far more value for this purpose.
The Artemis security scanner by CERT Polska
“Artemis is an open-source security vulnerability scanner developed by CERT PL. It is built to look for website misconfigurations and vulnerabilities on a large number of sites. It automatically prepares reports that can be sent to the affected institutions. Thanks to its modular architecture, it can be used to combine the results of various other tools in a single dashboard.”
Direct link to the repo: https://github.com/CERT-Polska/Artemis/
This is a really great tool and super handy if you do these types of tasks and don’t have a huge budget.
Plan a Better Meeting with Design Thinking by Maya Bernstein and Rae Ringel
The article posits that applying design thinking principles can vastly improve the productivity and engagement of meetings. Citing statistics on the ineffectiveness of most meetings, the authors suggest a four-step process: starting with empathy to understand participants' needs, setting a clear purpose and desired outcomes for the meeting, creatively designing the meeting agenda, and prototyping the plan by seeking feedback from participants.
This approach places the focus on the participants' experience, ensuring meetings are not just held for the sake of it but have clear, achievable goals. The authors highlight the importance of making meetings more engaging and effective, suggesting that even though the process may seem time-consuming initially, it ultimately leads to fewer, more productive meetings. The method involves understanding participant needs, defining goals, designing an engaging agenda, and iterating based on feedback, transforming both the efficacy of meetings and attitudes towards them.
Not cyber. I really like productivity hacks and trying new things with teams I collaborate with, so I thought I’d share this one. I was lucky enough to work with a couple of amazing product managers from Northern Ireland who had a deep understanding of design thinking. We ran a number of ideas through the process when I was leading the innovation accelerator at NCC Group. I’d highly recommend you give it a try if you need to create something new. I tried the approach (per the above) for building meetings, and it works pretty well. Meetings can be the death of productivity (and morale), so doing fewer, high quality confabs can really make the difference. I’d encourage anyone to experiment and see what works.
UK Strategic Suppliers Report by Tussell
The report provides an overview of Strategic Suppliers to the UK government, focusing on companies that do significant business with UK ministerial departments or provide vital services. These companies are designated as 'Strategic Suppliers' by the Cabinet Office and are subject to greater scrutiny to ensure public funds are well spent. The report analyses direct revenue and contracts won by these suppliers from the UK public sector for fiscal years 2018/19 to 2022/23.
Key findings include a decrease in public sector revenue earned directly by these suppliers by 17%, despite an overall 4% growth in public sector procurement. Technology emerged as the largest sector among Strategic Suppliers, with 74% of their revenue coming from the top 20 public sector buyers. Of the 39 Strategic Suppliers, only 11 saw growth in their direct public sector revenue. The report also notes changes in the list of Strategic Suppliers, including new entries and exits.
The article highlights that while overall public sector procurement increased, spending with Strategic Suppliers decreased, suggesting a gradual reduction in public sector reliance on these companies. However, their market share remains significant compared to total procurement expenditure on SMEs. The table below shows revenue by supplier.
I found this quite an interesting report, with some great data points. If you’re UK-based and work with the public sector, you may find this enlightening.
The article explores common misconfigurations and default settings in Active Directory (AD) that pose security risks to organisations. It explains that AD, a service managing users and resources within a network, often comes with default settings that can be exploited by attackers. The author, after auditing about 40 companies, identifies six recurrent misconfigurations that could allow attackers to gain unauthorised access or compromise a domain.
These include allowing delegation on administrator accounts, not enforcing the “This account is sensitive and cannot be delegated” setting on privileged accounts, not enforcing AES Kerberos encryption on service accounts (leaving RC4 in play), enabling the print spooler on domain controllers, allowing ordinary users to create machine accounts (the default MachineAccountQuota of 10), and not reprocessing unchanged GPOs on domain controllers. The post details how each can be exploited and suggests mitigations such as enabling the relevant settings, restricting permissions, and regular password changes, especially for critical accounts like KRBTGT. It also emphasises regular security reviews and the use of tools like PingCastle, BloodHound and Testimo for auditing the AD environment.
Despite there being nothing new (technically) in the post, it provides a good reminder (or primer) on Active Directory security.
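To show what an audit for a few of those settings actually looks at, here is an added example of my own (not code from the article or from the tools it names). It evaluates four of the six misconfigurations purely from directory attributes, using the real userAccountControl and msDS-SupportedEncryptionTypes bit values; the account objects, the group list and the 180-day KRBTGT threshold are assumptions. The print spooler and GPO reprocessing items are host-side settings and are not covered here.

```python
# Added example, not the article's own material or any of the tools it mentions.
# It checks four of the six misconfigurations above from LDAP-style attribute data,
# using the real userAccountControl and msDS-SupportedEncryptionTypes bit values.
# The account objects, privileged-group list and 180-day krbtgt threshold are
# assumptions for the example; in practice you would pull the attributes via LDAP.
from datetime import datetime, timedelta

# userAccountControl bits (from the AD schema)
UF_ACCOUNTDISABLE = 0x2
UF_NORMAL_ACCOUNT = 0x200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
# msDS-SupportedEncryptionTypes bits; 0 / absent means RC4 for user accounts
ENC_AES128 = 0x8
ENC_AES256 = 0x10

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

def _account(name, uac, spn=(), enc=0, groups=(), pwd_last_set=None, delegate_to=()):
    return {"sAMAccountName": name, "userAccountControl": uac,
            "servicePrincipalName": list(spn), "msDS-SupportedEncryptionTypes": enc,
            "memberOf": list(groups), "pwdLastSet": pwd_last_set,
            "msDS-AllowedToDelegateTo": list(delegate_to)}

NOW = datetime(2024, 1, 10)

# Constructed directory objects
ACCOUNTS = [
    _account("svc_sql", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
             spn=["MSSQLSvc/sql01.corp.example:1433"], enc=0,
             pwd_last_set=NOW - timedelta(days=30)),
    _account("jdoe_admin", UF_NORMAL_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
             enc=ENC_AES128 | ENC_AES256, groups=["Domain Admins"],
             pwd_last_set=NOW - timedelta(days=30)),
    _account("da_locked", UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED,
             enc=ENC_AES128 | ENC_AES256, groups=["Domain Admins"],
             pwd_last_set=NOW - timedelta(days=30)),
    _account("krbtgt", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE, spn=["kadmin/changepw"],
             enc=ENC_AES128 | ENC_AES256, pwd_last_set=NOW - timedelta(days=400)),
]
DOMAIN = {"ms-DS-MachineAccountQuota": 10}   # the default; 0 stops users adding computers

def audit(accounts, domain, now=NOW, krbtgt_max_age_days=180):
    """Return (object, finding) pairs for the misconfigurations visible in directory data."""
    findings = []
    for a in accounts:
        name, uac = a["sAMAccountName"], a["userAccountControl"]
        privileged = bool(set(a["memberOf"]) & PRIVILEGED_GROUPS)
        delegation = bool(uac & (UF_TRUSTED_FOR_DELEGATION | UF_TRUSTED_TO_AUTH_FOR_DELEGATION)
                          or a["msDS-AllowedToDelegateTo"])
        if privileged and delegation:
            findings.append((name, "delegation enabled on a privileged account"))
        if privileged and not uac & UF_NOT_DELEGATED:
            findings.append((name, "privileged account not marked 'sensitive and cannot be delegated'"))
        aes = a["msDS-SupportedEncryptionTypes"] & (ENC_AES128 | ENC_AES256)
        if a["servicePrincipalName"] and name.lower() != "krbtgt" and not aes:
            findings.append((name, "service account without AES: its service tickets are RC4 and cheap to crack"))
        if name.lower() == "krbtgt" and a["pwdLastSet"] is not None:
            age = (now - a["pwdLastSet"]).days
            if age > krbtgt_max_age_days:
                findings.append((name, f"krbtgt password is {age} days old (limit {krbtgt_max_age_days})"))
    if domain.get("ms-DS-MachineAccountQuota", 10) > 0:
        findings.append(("domain", "ms-DS-MachineAccountQuota > 0: any user can create machine accounts"))
    return findings

if __name__ == "__main__":
    for obj, finding in audit(ACCOUNTS, DOMAIN):
        print(f"{obj:12s} {finding}")
```

The point of the example is that every one of these checks is a bit test or an attribute comparison; the hard part in a real estate is getting a complete inventory, which is where the tools the article recommends earn their keep.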
Under the Radar: Your Detections are missing logs — every single run by Alex Teixeira
The article highlights an under-appreciated problem in detection engineering: the mishandling of time in detection rules. Focusing on SIEM platforms such as Splunk and Microsoft Sentinel, Alex points out that a typical scheduled detection queries a fixed window of event time on a fixed interval, and so silently misses any log that arrives after the window it belongs to has already been searched. Those late-arriving events, and the threats in them, go undetected.
The post explains that time inconsistencies in log generation and arrival at SIEM systems are common. To address this, he suggests adjusting detection strategies to cover both the log generation time (_time) and the time it's stored in the SIEM database (_indextime). He recommends extending the look-back period in queries and considering index time constraints to capture logs as soon as they arrive. Additionally, he proposes the use of delayed detections to allow time for late-arriving events to be included in analyses, thereby improving the accuracy and completeness of threat detection.
I’ve seen this problem a number of times in real life. It’s fairly common to hear this mentioned by the SOC on red or purple teaming engagements as a reason why detections failed to trigger. It may be worth giving this some attention (if you work in, or are responsible for, a SOC) and thinking about strategies to reduce the risk of time constraints reducing detection efficacy. Alex makes some great recommendations in the full post.
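To make the failure mode concrete, here is an added example of my own (not from Alex's post). It replays a constructed event stream in which each event carries both the time it happened (_time) and the time the SIEM indexed it (_indextime, Splunk's field name), and runs three styles of scheduled search over it: the usual _time-only window, an index-time window, and a delayed _time window. The event times, the 5-minute schedule and the 15-minute delay are made up.

```python
# Added example, not from Alex's post. It replays a constructed event stream where each
# event has the time it happened (_time) and the time the SIEM indexed it (_indextime,
# Splunk's field name) and compares three styles of scheduled search. The schedule,
# lookback and delay values are assumptions chosen to make the effect visible.
from datetime import datetime, timedelta

T = lambda h, m: datetime(2024, 1, 9, h, m)
INTERVAL = timedelta(minutes=5)
FIRST_RUN = T(10, 5)

def _event(eid, occurred, indexed, suspicious):
    return {"id": eid, "_time": occurred, "_indextime": indexed, "suspicious": suspicious}

EVENTS = [
    _event("e1", T(10, 1), T(10, 1), True),    # arrives promptly
    _event("e2", T(10, 3), T(10, 12), True),   # endpoint was offline: 9 minutes late
    _event("e3", T(10, 7), T(10, 8), False),   # benign
    _event("e4", T(10, 11), T(10, 25), True),  # forwarder backlog: 14 minutes late
]

def time_window_search(events, run_at, interval):
    """The default scheduled search: earliest=-5m latest=now on _time. Anything not
    yet indexed when the search runs is invisible, and the next run's window has
    moved on, so a late event is never seen by any run."""
    start = run_at - interval
    return [e for e in events
            if start <= e["_time"] < run_at and e["_indextime"] <= run_at]

def index_time_search(events, run_at, interval, lookback=timedelta(hours=1)):
    """Select on arrival instead: _index_earliest=-5m _index_latest=now, with a wide
    earliest=-1h on _time so late events are still admitted. Each event is indexed
    once, so consecutive runs never double count."""
    return [e for e in events
            if run_at - interval <= e["_indextime"] < run_at
            and e["_time"] >= run_at - lookback]

def delayed_search(events, run_at, interval, delay=timedelta(minutes=15)):
    """Keep the _time window but shift it back by `delay` (earliest=-20m latest=-15m)
    so events have had time to arrive. The cost is `delay` of extra detection latency."""
    end = run_at - delay
    return [e for e in events
            if end - interval <= e["_time"] < end and e["_indextime"] <= run_at]

def run_schedule(search, events, runs, first_run=FIRST_RUN, interval=INTERVAL, **kw):
    """Run `search` on the cron schedule and return the suspicious event ids it ever saw."""
    seen = set()
    for i in range(runs):
        run_at = first_run + i * interval
        seen.update(e["id"] for e in search(events, run_at, interval, **kw) if e["suspicious"])
    return seen

if __name__ == "__main__":
    for fn in (time_window_search, index_time_search, delayed_search):
        print(f"{fn.__name__:20s} saw {sorted(run_schedule(fn, EVENTS, runs=6))}")
```

Over six runs the plain _time search only ever sees e1; both the index-time search and the delayed search pick up e2 and e4 as well. The index-time approach keeps latency low but needs a lookback wide enough to cover your worst realistic ingestion lag; the delayed approach is simpler to reason about but adds that delay to every detection.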
Hackers discover way to access Google accounts without a password by Anthony Cuthbertson
The article reports on research from CloudSEK into a technique that lets attackers get into Google accounts without the password. It abuses Google's authentication cookies, typically harvested from a victim's device by infostealer malware, to bypass two-factor authentication and reach private data. The technique was first seen in October 2023 on a Telegram channel, where a threat actor described taking over accounts through cookie manipulation.
Google authentication cookies, which normally let users stay signed in without re-entering their credentials, are the target. The method gives continuous access to Google services, persisting even after the user resets their password. Google has acknowledged the threat and taken steps to secure compromised accounts, urging users to remove malware from their devices and to enable Enhanced Safe Browsing in Chrome. The issue, a good illustration of how modern attacks chain together, was detailed in a report by Pavan Karthick M, a threat intelligence researcher at CloudSEK.
An interesting and concerning write-up!
Introducing the Best EDR Of The Market Project by Yazid Benjamaa
“The Best EDR Of The Market (BEOTM) is an open source EDR designed to serve as a testing ground for understanding and bypassing some of the detection mechanisms employed by many well-known EDRs. These methods focus on the dynamic analysis of a process and its states (memory, call stack, heap, API calls, etc.).
The purpose of this article is not to delve too deeply into details of these methods that are fully covered in other articles (which I may not explain any better), but to give a brief overview of how these methods are implemented in BEOTM.”
A more technical project, which will likely only appeal to those involved in red or blue teaming in a hands-on way. This is a great learning tool for people transitioning from pen testing to red teaming. It supports understanding how EDR technology works, without having to rely on trial and error, or getting access to expensive commercial EDRs outside of engagements.
Bitwarden Heist - How to Break into Password Vaults Without Using Passwords by RedTeam Pentesting
A security vulnerability was identified in Bitwarden's Windows Hello integration, allowing unauthorised access to Bitwarden vaults without needing the user's password or biometric authentication. Discovered during a penetration test, the exploit hinged on Bitwarden's use of the Windows Credentials API and Data Protection API (DPAPI) on domain-connected workstations. The method involved decrypting the vault's encryption key remotely using a backup key from the Active Directory domain controllers, effectively circumventing the need for the user's primary password.
The issue lay in how Bitwarden stored the encrypted 'derived key' via the Windows Credentials API: that blob is protected with DPAPI, and DPAPI blobs on a domain-joined machine can be decrypted with the domain's DPAPI backup key, which every domain controller holds. Anyone with domain-admin-level access to a domain controller could therefore recover the derived key, so the biometric unlock feature unintentionally made the vault's key obtainable without the user's master password or a biometric prompt. Bitwarden fixed the flaw in v2023.4.0.
Wasn’t passwordless meant to fix all our password problems? There’s definitely some irony in a passwordless auth mechanism, protecting a password manager, having a security flaw. Joking aside, all software can have bugs, and it’s good to see that Bitwarden fixed the issue swiftly.
Worse Than Solarwinds: Three Steps to Hack Blockchains and ML Through GitHub Actions by John Stawinski and Adnan Khan
The post describes a class of vulnerability in GitHub Actions CI/CD pipelines. The technique gave the researchers full control of GitHub's own Actions runner images and earned a $20,000 reward from GitHub's bug bounty programme. It was widespread, affecting many advanced technology companies, especially in AI/ML and Web3, despite their otherwise strong security measures and bug bounty programmes.
The attack has three steps: first, find and fix a typo in the target repository to get a pull request merged and become a contributor; second, use that status to execute code on the repository's GitHub Actions runners via further pull requests (once a first PR has been merged, the default “require approval for first-time contributors” gate no longer applies); third, abuse self-hosted runners, which unless configured as ephemeral persist between jobs, for remote code execution and access to the secrets and tokens on them. With this they compromised high-profile targets including the PyTorch and Microsoft DeepSpeed release pipelines and could potentially have reached major blockchain wallets and nodes. Detailed write-ups of each technique are promised in follow-up posts and possible conference talks.
Is it worse than Solarwinds though? Despite the clickbait headline, this is quite an interesting attack chain. If you’re technical and involved in working with GitHub, it’s worth a read through of this post.
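If you want something to point at your own workflows, here is an added example of my own (not from the post, and not the researchers' tooling): a heuristic, line-based check, deliberately not a full YAML parser, for the workflow shape that makes the chain above possible, namely a pull_request-triggered job that lands on a self-hosted runner. As a related pattern the post does not cover, it also flags pull_request_target workflows that check out the PR head. The three workflows are constructed, and runner labels are judged by name only.

```python
# Added example, not from the post and not the researchers' tooling. A heuristic,
# line-based check (not a YAML parser) for two workflow shapes: a pull_request job
# that runs on a self-hosted runner (reachable by any contributor once a first PR is
# merged), and, a related pattern the post does not discuss, pull_request_target
# checking out the PR head. The workflows below are constructed; runner labels are
# judged by name only and ${{ }} expressions in runs-on are not resolved.
import re

GITHUB_HOSTED = re.compile(r"^(ubuntu|windows|macos)-[\w.-]+$")
PR_HEAD_REF = re.compile(
    r"ref:\s*\$\{\{\s*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref)\s*\}\}")

def triggers(workflow):
    """Return the event names under a top-level `on:` (inline list/scalar or mapping form)."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:
            return [t.strip().strip("'\"") for t in inline.strip("[]").split(",") if t.strip()]
        names, child_indent = [], None
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            indent = len(nxt) - len(nxt.lstrip())
            if indent == 0:
                break
            child_indent = indent if child_indent is None else child_indent
            key = re.match(r"\s*([\w-]+):", nxt)
            if indent == child_indent and key:
                names.append(key.group(1))
        return names
    return []

def runner_labels(workflow):
    """Collect every runs-on label in the file (scalar or inline list form)."""
    labels = []
    for m in re.finditer(r"runs-on:\s*(.+)", workflow):
        labels += [l.strip().strip("'\"") for l in m.group(1).strip("[]").split(",") if l.strip()]
    return labels

def scan(workflow):
    events = set(triggers(workflow))
    findings = []
    self_hosted = [l for l in runner_labels(workflow) if not GITHUB_HOSTED.match(l)]
    if "pull_request" in events and self_hosted:
        findings.append("pull_request job runs on self-hosted runner(s) " + ", ".join(self_hosted)
                        + ": a merged typo fix is enough to run code there without approval")
    if "pull_request_target" in events and PR_HEAD_REF.search(workflow):
        findings.append("pull_request_target checks out the PR head: fork code runs with the "
                        "base repository's secrets and write token")
    return findings

RISKY_SELF_HOSTED = """\
name: build
on:
  pull_request:
    branches: [main]
  push:
jobs:
  build:
    runs-on: [self-hosted, linux, gpu]
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

PWN_REQUEST = """\
name: label
on:
  pull_request_target:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run lint
"""

SAFE = """\
name: build
on: [pull_request, push]
jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

if __name__ == "__main__":
    for name, wf in [("risky", RISKY_SELF_HOSTED), ("pwn", PWN_REQUEST), ("safe", SAFE)]:
        print(name, scan(wf) or "ok")
```

The fix for the first finding is not in the workflow file at all: make self-hosted runners ephemeral and keep them off repositories that accept fork pull requests, and set the workflow approval setting to require approval for all outside collaborators rather than only first-timers.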
2023 CVE Data Review by Jerry Gamblin
The site shares a summary of 2023’s CVEs. Some key snippets are below:
We ended 2023 with 28,902 published CVEs, up over 15% from the 25,081 CVEs published in 2022.
On average, there were 79.18 CVEs published per day.
October was the month with the most CVEs published, with 2,690 or 9.3% of all CVEs for the year.
Tuesdays were the top publishing days, with 6,438 CVEs or 22.3% of all CVEs published. January 26th had the most CVEs published in a single day, with 348.
Some data for your next presentation! There’s a steady YoY growth of CVEs, but that’s to be expected with the birth-rate-death-rate inequality of software life cycles.
The Blind Spots of Automated Web App Assessments by Kevin Joensen
The post highlights the limitations of automated tools in application security assessments, emphasising the necessity of manual code review. While not dismissing the usefulness of automated tools, Kevin stresses that they often miss complex vulnerabilities, especially in critical applications. The article focuses on the challenges in detecting Broken Access Control (BAC), the top vulnerability listed in the OWASP Top 10.
To demonstrate this, Joensen created an application, VulnApp, with three simple BAC vulnerabilities: password reset leading to account takeover, updating another user's email, and retrieving another user's credit card information. Despite their apparent simplicity, these vulnerabilities were not detected by several leading automated scanners, including Acunetix, Burp Suite, Nuclei, AppScan, Wapiti, ZAP, and Netsparker/Invicti.
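The three bugs are worth seeing in code to appreciate how ordinary they are, so here is an added example of my own (not Kevin's VulnApp, whose code is not reproduced here). Each endpoint is modelled as a plain function over an in-memory store, once in a vulnerable form that acts on a client-supplied user id and once in a hardened form that binds the action to the authenticated session. The users and card data are made up, and `session_user` stands for the identity the server established itself, never a value from the request body.

```python
# Added example, not Kevin's VulnApp (his code is not reproduced here). Each of the
# three endpoints he describes is modelled as a plain function over an in-memory
# store, in a vulnerable form that acts on a client-supplied user id and a hardened
# form that binds the action to the authenticated session. Users and card data are
# made up; `session_user` stands for the identity the server established itself.
import copy

class Forbidden(Exception):
    """Raised when a hardened handler refuses a cross-account request."""

def make_store():
    return copy.deepcopy({
        "users": {
            1: {"email": "alice@example.test", "card": "4111 **** **** 1111", "reset_token": "tok-alice"},
            2: {"email": "bob@example.test", "card": "5500 **** **** 0004", "reset_token": "tok-bob"},
        },
        "passwords": {1: "alice-pw", 2: "bob-pw"},
    })

# 1. Password reset -> account takeover. The vulnerable handler checks that *a* valid
#    token exists, then trusts the user_id in the request to decide whose password changes.
def reset_password_vulnerable(store, token, user_id, new_password):
    if token not in {u["reset_token"] for u in store["users"].values()}:
        raise Forbidden("unknown token")
    store["passwords"][user_id] = new_password

def reset_password_fixed(store, token, new_password):
    # The token itself identifies the account; no user id is accepted from the client.
    owner = next((uid for uid, u in store["users"].items() if u["reset_token"] == token), None)
    if owner is None:
        raise Forbidden("unknown token")
    store["passwords"][owner] = new_password
    store["users"][owner]["reset_token"] = None   # single use
    return owner

# 2. Update another user's email: the object id comes straight from the request.
def update_email_vulnerable(store, session_user, target_user, new_email):
    store["users"][target_user]["email"] = new_email

def update_email_fixed(store, session_user, target_user, new_email):
    if target_user != session_user:
        raise Forbidden("not your account")
    store["users"][target_user]["email"] = new_email

# 3. Read another user's card: the same IDOR shape on a read.
def get_card_vulnerable(store, session_user, target_user):
    return store["users"][target_user]["card"]

def get_card_fixed(store, session_user, target_user):
    if target_user != session_user:
        raise Forbidden("not your account")
    return store["users"][target_user]["card"]

def refused(fn, *args):
    """True if the handler rejected the request with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False

if __name__ == "__main__":
    s = make_store()
    # Alice (session_user=1) attacking Bob (2) through each vulnerable endpoint:
    reset_password_vulnerable(s, "tok-alice", 2, "owned")
    update_email_vulnerable(s, 1, 2, "attacker@evil.test")
    print(get_card_vulnerable(s, 1, 2), s["passwords"][2], s["users"][2]["email"])
    # ... and the hardened ones refusing the same requests:
    print(refused(get_card_fixed, s, 1, 2), refused(update_email_fixed, s, 1, 2, "x@y.test"))
```

Nothing in the vulnerable versions looks like an injection or an error to a scanner: every request is well-formed and every response is a 200, which is exactly why these bugs need a human who understands who is supposed to own what.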
Thanks for reading ‘Briefly Briefed:’ - To receive the newsletter on a weekly basis, please subscribe below.