Blog Series: Exploitations, Penetration Testing, and Modern Cybersecurity Defenses
Evolution of Exploitation, Part 4: Modern Cybersecurity Defenses
By Luke Willadsen
BLUF: This blog series is written to provide an anecdotal history of the evolution of exploitation in cybersecurity, focused largely on network exploitations in an enterprise and couched as Luke’s perspective over his decade-long career in InfoSec.
In cybersecurity, we preach the importance of layered security. Being successful in implementing a layered security strategy is largely a matter of staying in tune with the white hat community, since the same people who find the gaps in your layers are the ones who publish how to close them.
A layered security strategy means you need to block high and block low. You need your endpoint security and your intrusion detection systems (IDS), and you also need to protect yourself from the low-tech abuse of misconfigurations, poor patching practices, and weak passwords.
Preventing Low-Tech Abuse
Protecting yourself from low-tech abuse (i.e., malicious attacks that are low in complexity) starts with proper cyber hygiene and regular, comprehensive audits of user privileges.
Patching and vulnerability management are still crucial. As I mentioned in my previous post, the hacker community began exploring different routes into and through networks because, for many organizations, patching and vulnerability management practices had greatly improved. Yet better does not mean perfect, and it's important to remember that many modern breaches are the result of low-tech attacks that leverage human error.
When it comes to auditing user privileges, the most important thing to analyze is the assignment of local administrator privileges to users. As a general rule of thumb, standard users should never have local admin privileges on any system in your network. With local administrative privileges, an attacker can almost always escalate to SYSTEM, steal credentials from the machine, and compromise the integrity of the operating system itself. For example, conference-room systems or systems used for printing, where all domain users have admin privileges, allow an attacker who has already done the work of getting into the network to compromise an entire domain easily: any privileged account that has logged on to one of those systems leaves credentials behind that a local admin can harvest.
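The audit described above can be automated. The following PowerShell script is an added example, not code from the original post or from EmberSec: it pulls the local Administrators group membership from a set of domain-joined Windows hosts and flags any entry that grants admin rights to an entire domain-wide group (Domain Users, Domain Computers, Authenticated Users, Everyone). It assumes PowerShell Remoting (WinRM) is enabled on the targets, that the targets run Windows PowerShell 5.1 or later so the Microsoft.PowerShell.LocalAccounts module is available, and that you run it from a domain-joined workstation with admin rights on those hosts. The host names are constructed placeholders.

```powershell
# Added example, not code from the original post: audit the local Administrators
# group on a set of domain-joined Windows hosts and flag membership that hands
# admin rights to every domain user.
#
# Assumptions: run from a domain-joined admin workstation with PowerShell Remoting
# (WinRM) enabled on the targets; targets run Windows PowerShell 5.1+ so the
# Microsoft.PowerShell.LocalAccounts module is present. The host list is a
# constructed placeholder; in practice feed it from Get-ADComputer.

$Targets = @('CONF-ROOM-01', 'PRINT-SRV-01', 'WKS-0042')   # constructed sample

# Principals that should never appear in a local Administrators group, matched by
# well-known SID so that renamed groups are still caught:
#   S-1-1-0        Everyone            S-1-5-11       Authenticated Users
#   <domain>-513   Domain Users        <domain>-515   Domain Computers
$BroadSidPattern = '^(S-1-1-0|S-1-5-11|S-1-5-21-\d+-\d+-\d+-(513|515))$'

$Members = Invoke-Command -ComputerName $Targets -ErrorAction Continue -ScriptBlock {
    # Look the group up by its well-known SID (S-1-5-32-544) rather than by the
    # name "Administrators", so renamed or localized groups are still found.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object {
            [pscustomobject]@{
                Host            = $env:COMPUTERNAME
                Member          = $_.Name
                ObjectClass     = $_.ObjectClass
                PrincipalSource = $_.PrincipalSource
                Sid             = $_.SID.Value
            }
        }
}

$Report = foreach ($m in $Members) {
    $Severity = if ($m.Sid -match $BroadSidPattern) {
        'CRITICAL'   # a whole-domain group is local admin on this host
    } elseif ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
        'REVIEW'     # an individual domain account rather than a managed admin group
    } else {
        'OK'         # built-in Administrator, a dedicated admin group, etc.
    }
    [pscustomobject]@{ Severity = $Severity; Host = $m.Host; Member = $m.Member; Sid = $m.Sid }
}

# Order CRITICAL, then REVIEW, then OK; OK rows are kept so the report is complete.
$Rank = @{ CRITICAL = 0; REVIEW = 1; OK = 2 }
$Report | Sort-Object { $Rank[$_.Severity] }, Host | Format-Table -AutoSize

# Persist the run so the next audit can be diffed against it.
$Report | Export-Csv -Path '.\local-admin-audit.csv' -NoTypeInformation
```

Two caveats a practitioner will hit. First, `-ErrorAction Continue` keeps the run going when a host is unreachable, but those hosts are exactly the ones you have no visibility into; capture the errors and list them as unaudited rather than silently dropping them. Second, `Get-LocalGroupMember` can fail on a host whose Administrators group still holds an orphaned SID from a deleted account; on such hosts, `net localgroup Administrators` is a crude but workable fallback for the raw membership list.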
Fixing these misconfigurations is important, but we also want to be ready in the event that attackers do gain access to your network and find ways to move laterally. Here are a few suggestions:
Evolved Cyber Defenses
If your security program is already practicing all of the strategies mentioned above, attackers will likely try to circumvent your defenses with more complex, high-tech attacks. Here are a few examples:
About the Author: Luke Willadsen, Technical Services Lead, EmberSec, is an InfoSec professional and white hat hacker. After getting his start with the Dept. of Defense in 2010, Luke leveraged his specialization in offensive security and eventually turned to private and public sector consulting. Mr. Willadsen has a bachelor's degree in cybersecurity, a master's degree in technology studies, an OSCP certification, and a CISSP certification. Outside of his professional life, Luke is a husband, an animal lover, a fitness enthusiast and a passable guitar player, plays a bard in Dungeons and Dragons, and enjoys playing a few rounds of Battlefield on his PS4 a night or two a week.
About EmberSec: EmberSec, a Division of By Light, serves as a provider of advanced, technical cybersecurity services and solutions. Whether that's testing the maturity and efficiency of your security program through technical assessments, integrating highly customized Managed Detection & Response capabilities, or aligning your infrastructure and security practices around industry frameworks, EmberSec understands the complexities involved in establishing a truly secure enterprise.
The EmberSec team is made up of senior security researchers, operators, and intelligence professionals, and specializes in the following domains: