Why Are Hackers Successful?

The Number 1 reason is: “We do not do an adequate job of patching and paying attention to security!”

Again and again we can find reports and stories of entities not doing basic tasks:

The image above is from the Protiviti report.

Why are the basics not being done?

Because a concerted effort to manage IT tasks month after month is not easy; in fact it is a difficult challenge. What is so hard about the everyday work of patching hundreds of systems at least once a month?

Well, let’s list a few problems that arise:

  1. Personnel challenges – sickness, vacation, doctor visits, kids, parents, brothers, sisters, and spouse conflicts.
  2. So many things can go wrong with the device itself even when it is used correctly. And if it is a laptop, it has to be connected to the network, over VPN or directly, before it can download and install the update.
  3. The two above are the normal challenges; how about abnormal ones? What about somebody installing new software that conflicts with the patch? Now the patch does not install correctly and the system stays vulnerable to attack.

Knowing these items, management has to schedule and account for potential problems, which means the work sometimes costs more resources than anticipated. That can be a problem in itself, and then management pushes back onto IT: no more overtime this month!

In basic terms: stuff happens and then patches are not applied. If this management process is more broken than fixed, there will be plenty of chances for hackers to attack.

It depends on the maturity of management thoughts and actions. Is management more willing to make sure the patches are applied or are they willing to let patches slide for a little while?

The answer is to create processes that fulfill the compliance mandates and not deviate from them.

I.e. quarterly meetings at minimum, with required review and testing of all important systems and potentially other systems.

Contact Us to discuss this with you

Punch line? Hackers are successful due to the failure of management actions and thoughts in regards to cybersecurity.

Linux Rootkits Hard to Detect

First of all what is a rootkit?

A collection of software that runs on a computer and tries to hide from its user and administrator while also giving the attacker access to that computer.

It does this by running as ‘root’ inside the operating system kernel. In Linux ‘root’ is the administrator account.

If software can masquerade as root and hijack system calls, then it can be written to obtain root access and use that access to hide itself in the Linux system.

I am not going to tell you how to create rootkits, as there are many people on the Internet who have done so and show what they have done.

Marcus Hodges at Thotcon gave a 1 hour presentation about how to hide from the operating system: hijacking operating system calls, which are then used to create the rootkit.

Once system calls are hijacked the attacker can create hidden areas on the file system to stow tools and stay quiet until further objectives are pursued.

In the Cyber Kill Chain the rootkit performs the function of persistence – keeping a presence on the attacked network.

A decent command to find out what different commands do on a system is strace, which traces the system calls a program makes; it is a standard Linux troubleshooting and debugging tool.
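A rootkit that hooks the system calls behind /proc can hide a process from ps and ls, but a second, independent probe of the same information still sees it. The cross-view check below is an added example written for this post (not from the talk, nor from any rootkit-detection tool); the helper names are hypothetical and the sample PID lists are constructed.

```python
#!/usr/bin/env python3
"""Cross-view check for processes hidden from /proc.

A kernel rootkit that hooks the system calls behind /proc can drop a PID
from what `ps` and `ls /proc` show, but kill(pid, 0) still reaches the
process. Comparing the two views exposes the discrepancy. Helper names
are hypothetical (not from any rootkit-detection tool).
"""
import os


def hidden_pids(visible, alive):
    """PIDs the independent probe found that the (possibly hooked) listing lacks."""
    return sorted(set(alive) - set(visible))


def pids_from_proc():
    """Hooked view: the PIDs that /proc (via getdents) reports."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_by_probe():
    """Independent view: kill(pid, 0) sends no signal but says if the PID exists."""
    with open("/proc/sys/kernel/pid_max") as f:  # upper bound for probing
        max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:  # ESRCH: no such process
            continue
        except PermissionError:     # EPERM: exists, owned by another user
            pass
        alive.add(pid)
    return alive


def scan():
    """Two passes; a PID counts as hidden only if both agree, which discounts
    processes that started or exited between the two views."""
    first = hidden_pids(pids_from_proc(), pids_by_probe())
    second = hidden_pids(pids_from_proc(), pids_by_probe())
    return sorted(set(first) & set(second))


if __name__ == "__main__":
    # Constructed sample: /proc shows 1, 2, 500 but probing also finds 1337
    print("sample:", hidden_pids([1, 2, 500], [1, 2, 500, 1337]))
    print("live:", scan())
```

A non-empty result from scan() on a Linux host is a strong signal that the process listing is being filtered and warrants an offline inspection of the disk.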

Contact Us to discuss a strategy to defend your computer networks

How About Adversary Based Threat Analysis?

Another Thotcon presentation was very good, unique, and moves the industry forward.

Julian Cohen presented This idea:

“Understanding Your Adversaries”

In his talk: “Adversary-Based Threat Analysis”

He explained that in the traditional threat modeling process the following 6 steps happen:

  1. Identify Assets
  2. Create Architecture Overview
  3. Decompose an Application
  4. Identify the Threats
  5. Document the Threats
  6. Rate the Threats

But his method includes rating the adversaries.

He gave some examples that are well documented (the PLA or People’s Liberation Army) in Mandiant’s report. The report is now in a “new” Mandiant web location with all of their reports. Here is an updated link: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

This famous report is known as APT1 (Advanced Persistent Threat 1); its fame comes from Mandiant’s thorough analysis of how the attacks were done and who did them in China (PLA Unit 61398), down to exactly where the attacks came from (which building). Search for APT1 in any search engine and the term is attributed to the report.

Julian discusses the adversary because they have a say (or should have) in how you defend.

A discussion of the Intrusion Kill Chain (by Lockheed Martin) ensued; below are the actions and tools that are used at each stage:

  1. Recon: Email harvesting
  2. Weapon: Office Macros
  3. Delivery: Phishing
  4. Exploit: target runs macro
  5. Install: Poison Ivy
  6. C2 (Command and Control): Poison Ivy
  7. Actions: Pivot to active directory

Here is where Julian discussed “what” the adversary is using and how effective they actually are. The adversary is not going to do ‘everything’; they will do what works.

There is another matrix which reviews Attacker Cost (Likelihood), focusing on these:

  1. Weapon – Office macros
  2. Delivery – Phishing
  3. Install – Poison Ivy
  4. C2 – Poison Ivy

We all know phishing works for them, since we are inundated with spam that tries its hardest to trick us and get access to our machines.

He then also reviewed what is effective for defenders:

  1. Delivery – Phishing
  2. Install – Poison Ivy
  3. C2 – Poison Ivy

He also mentioned this comment:

“Adversaries don’t think about winning once. They build repeatable, scalable playbooks that are cost effective at achieving their objectives over and over again against a series of targets. Adversaries don’t think about winning at all, they think about a steady stream of targets.”

Attacker efficiency: attackers determine the least costly and most valuable attacks based on:

  • Who are the targets
  • Required success rate
  • Speed of conversion

Defenses against APT1 are the following:

Detect, Deny, Disrupt, Degrade, Deceive, Destroy.

All attackers are resource constrained and all attackers have a boss and a budget.

Likelihood versus Impact (in a risk calculus)

In most cases issues should be treated on likelihood alone.

Do not make impact High.

Get the most up-to-date research data to drive the likelihood information in your matrix.

He is talking about this matrix I have shown in the past (in this graph likelihood = probability):

In the presentation this is the matrix he showed:

Notice the similarities, even though the impact and likelihood axes were switched, which does not actually mean much.

There is a profound meaning in this realization.

The reality is that since the attackers are not just going after you, but after templates of defenders, you have to have a profile that makes you more difficult to crack, with a focus on phishing defenses and on defending against the tool Poison Ivy.

You should not just create a threat model of your systems and software; also pay attention to the attackers, who are doing specific things, so that you can focus on high risk items and the likelihood of attacks on your infrastructure.

Windows10 Obsolete already?

Is your Windows 10 version obsolete already? There are many versions of Windows 10, and it depends on when it was released. Example: the first one, version 1507, released July 2015, has an end of service date of May 9, 2017.

The problem is that every software manufacturer can’t or doesn’t keep releasing vulnerability updates forever. The reason has to do with structural and other programmatic changes that would make some updates very difficult to incorporate. In some cases it would be a herculean task to make the changes, so it is for monetary and feasibility reasons that there is an end of service date.

Now that you know that there is an “end” date what needs to be done?

Update to new version of Windows10!!!

Here is the lifecycle table for Windows 10 versions from the support.microsoft.com webpage:

So as IT users or professionals we must learn the technical nature of our devices. Microsoft does not want to issue version updates like in years past:

I.e. version 3.0 (1990) with the first multitasking abilities, then 3.11 with networking. When 4.0 was due, that became Windows NT and 95. As the marketing team took control of the naming of new Windows operating systems, the version changes (1.0/2.0/3.0/4.0) were not reflected in the names, only as an additional “version” number.

My version is relatively new (released April 2018), so I have until Nov 2019 before I _have_ to make a change.

Now Microsoft is at Windows 10 with a 4 digit version number. The actual numbers have no significance except that they tell you when the version was released, and when it will reach end of service only if you look it up in a Microsoft End of Service table.

There is another reason to keep a close eye on this end of service date: once the version is obsolete, no more updates will be made and your systems are out of compliance.

At the Microsoft End of Service webpage there is an interesting sentence:

“Some editions [1] can defer semi-annual feature updates at Settings > Windows Update > Advanced options or via a policy that an organization’s management system may provide to the device. On devices that haven’t been configured for deferral, you’ll need to install the latest feature update to help keep your device secure and have it remain supported by Microsoft. New versions may be automatically installed prior to the end-of-service date of the current version on your device.

[1] Home edition does not support the deferral of feature updates and will therefore typically receive a new version of Windows 10 prior to the end-of-service date shown.”

So in theory Windows Update will update the Windows version before it expires and stops receiving updates. But for those of us in IT who have managed hundreds of systems, not all systems update correctly. You cannot assume all systems will update on their own.

It is best to have someone review your systems, which can be done in an automated fashion by scanning them. If an old operating system is present the scan will reveal a high vulnerability (10 out of 10).

Since the system will not get any more updates, the upgrade has to be initiated manually.

Contact Us to help you with this process

Headless OpenVAS install

I needed to run OpenVAS (OpenVAS stands for Open Vulnerability Assessment System), the Linux based vulnerability management software, on a virtual machine, which means it does not have its own monitor that one sits at to see this screen:

OpenVAS is made by Greenbone, which “develops OpenVAS as part of their commercial vulnerability management product family ‘Greenbone Security Manager’ (GSM)” (from their main web page).

OpenVAS was developed out of the Nessus code base starting in 2005 and is now on GitHub. The developer of Nessus decided to make Nessus closed source (proprietary) in October of 2005, so OpenVAS was created, initially named GNessUs.

Why am I talking OpenVAS today? Because I was tasked to install it on a virtual system.

So, one has to install OpenVAS (or update it on some Linux distributions, since it is already installed by default). I work with Kali Linux, since I use a lot of other tools that are built into the distribution. I wanted to keep some familiarity and so run OpenVAS on Kali Linux.

What are you installing? Several pieces that will need to run on the virtual machine:

As you can see in the image above, the Greenbone Security Assistant is the software that connects to the OpenVAS Manager and Scanner to run the scans against the targets. OpenVAS uses NVTs (Network Vulnerability Tests) to run the scans. Up to this point (3/18/2019) there are over 49600 tests. CVEs now number 115906.

So a standard Kali Linux install comes with a version of OpenVAS; to use OpenVAS you have to upgrade Kali first using the following command (run with root permissions):

sudo apt-get update && sudo apt-get install openvas

So now that you have the latest version on your machine, how are you going to access OpenVAS, since you cannot sit at the monitor of a virtual system (what is called a headless install)?

After some (actually a lot) of review online and some tinkering I found it useful to know some systemd. And it just so happens that systemd has configuration files in a few directories:

/etc/systemd/system/*

/run/systemd/system/*

/lib/systemd/system/*

The one that is important and relevant for OpenVAS is the /lib/systemd/system directory.

In here there are 3 files that are of importance:

openvas-scanner.service

openvas-manager.service

greenbone-security-assistant.service

What we have to do to make the installation complete is to put the ip address of the virtual machine into the greenbone-security-assistant.service file, so that the web interface (gsad) listens on that address instead of only on 127.0.0.1.

Specifically

change it in this manner, run the following command (changing <your ip> to the virtual system ip address). Note that the web listener is the --listen option; the --mlisten option is the address gsad uses to reach the OpenVAS Manager and should stay at 127.0.0.1:

sudo sed -i 's/--listen=127.0.0.1/--listen=<your ip>/' /lib/systemd/system/greenbone-security-assistant.service

Example: the virtual system ip address is 192.168.0.1, so this is what should be run:

sudo sed -i 's/--listen=127.0.0.1/--listen=192.168.0.1/' /lib/systemd/system/greenbone-security-assistant.service

After running this command you have to run the following so systemd picks up the edited unit file:

sudo systemctl daemon-reload

(these commands need to be run with root permissions (sudo))

So once the ip address is entered on the command line and the systemd .service file reloaded, you can restart gsad (sudo systemctl restart greenbone-security-assistant) and then log into the web interface, assuming you already set up the users. To access the Greenbone Security Assistant program enter the following in your browser:

https://192.168.0.1:9392

From there you will have to learn how to create scans and more.  But at least it is working remotely.
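The same edit, done so that it can be checked before and after, as an added example written for this post (not the page’s own commands and not Greenbone’s code). It assumes the Kali unit’s ExecStart line carries --listen=127.0.0.1 for the web UI and --mlisten=127.0.0.1 for the manager connection; the helper names are hypothetical and the sample unit text is constructed.

```python
#!/usr/bin/env python3
"""Move gsad's web listener to the VM address in its systemd unit.
Assumes ExecStart carries --listen=127.0.0.1 (web UI) and --mlisten=127.0.0.1
(manager); only --listen is rewritten. Helper names are hypothetical."""
import ipaddress
import re
import shutil
import subprocess
import sys

UNIT = "/lib/systemd/system/greenbone-security-assistant.service"
# Require whitespace before --listen so the pattern cannot match --mlisten.
LISTEN_RE = re.compile(r"(?<=\s--listen=)\S+")
# Constructed sample of the relevant ExecStart line, used for a dry run.
SAMPLE_UNIT = ("[Service]\nExecStart=/usr/sbin/gsad --foreground --listen=127.0.0.1"
               " --port=9392 --mlisten=127.0.0.1 --mport=9390\n")


def set_listen_address(unit_text, new_ip):
    """Return unit_text with the web listener on new_ip; ValueError if not exactly one --listen."""
    ipaddress.ip_address(new_ip)  # raises ValueError for anything that is not an IP
    new_text, count = LISTEN_RE.subn(new_ip, unit_text)
    if count != 1:
        raise ValueError(f"expected one --listen flag, found {count}")
    return new_text


def listen_addresses(unit_text):
    """(web listen, manager listen) so the edit can be verified afterwards."""
    web = LISTEN_RE.search(unit_text)
    mgr = re.search(r"(?<=--mlisten=)\S+", unit_text)
    return (web.group(0) if web else None, mgr.group(0) if mgr else None)


if __name__ == "__main__":
    if len(sys.argv) < 2:  # no address given: dry run on the constructed sample
        print(listen_addresses(set_listen_address(SAMPLE_UNIT, "192.168.0.1")))
        sys.exit(0)
    shutil.copy(UNIT, UNIT + ".bak")  # keep the original for rollback
    with open(UNIT) as f:
        updated = set_listen_address(f.read(), sys.argv[1])
    with open(UNIT, "w") as f:
        f.write(updated)
    subprocess.run(["systemctl", "daemon-reload"], check=True)
    subprocess.run(["systemctl", "restart", "greenbone-security-assistant"], check=True)
    print("gsad now listens on (web, manager):", listen_addresses(updated))
```

Run it as root with the VM address as the only argument; without an argument it only exercises the constructed sample and touches nothing on disk.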

There is also a small issue with this procedure: it is not supported by Greenbone, who want you to install the Greenbone Community Edition.

The security feed is more stable than the community feed (the free version) and has encrypted transmissions.

Contact us to discuss