EmberSec
  • Home
  • Solutions
    • Services >
      • Technical Services
      • Managed Detection & Response
      • Governance, Risk, & Compliance
    • vCISO
    • Remote Work
    • Utilities
  • Resources
    • Partner Program
    • Blog
    • Webinars
  • About
    • Why EmberSec
    • News
  • Partners
    • FireEye
    • Fortinet
    • ATT
  • Contact

Blog

Blog Series: Exploitations, Penetration Testing, and Modern Cybersecurity Defenses

Evolution of Exploitation, Part 4: Modern Cybersecurity Defenses

9/29/2020

 

By Luke Willadsen

BLUF: This blog series is written to provide an anecdotal history of the evolution of exploitation in cybersecurity, focused largely on network exploitation in the enterprise and couched as Luke's perspective over his decade-long career in InfoSec.

In cybersecurity, we preach the importance of layered security, and implementing a layered security strategy successfully is a matter of staying in tune with the white hat community.
A layered security strategy means you need to block high and block low. You need your endpoint security and your intrusion detection systems (IDS), and you also need to protect yourself from low-tech abuse: misconfigurations, poor patching practices, and weak passwords.
Preventing Low-Tech Abuse
To protect yourself from low-tech abuse (i.e. malicious activity that is low in complexity), start with proper cyber hygiene and regular, comprehensive audits of user privileges.

Patching and vulnerability management are still crucial. As I mentioned in my previous post, the hacker community began exploring different routes into and through networks precisely because patching and vulnerability management practices had greatly improved for many organizations. Yet better does not mean perfect, and it is important to remember that many modern breaches are the result of low-tech attacks that leverage human error.

When it comes to auditing user privileges, the most important thing to analyze is the assignment of local administrator privileges. As a general rule, standard users should never have local admin privileges on any system in your network. With local administrative privileges, an attacker can almost always escalate to SYSTEM, steal cached credentials, and compromise the integrity of the operating system itself. A common example is a conference room system or print station where all domain users have been made local admins: once an attacker has done the work of getting into the network, any compromised domain account gives them admin on that system, and the credentials harvested there are often enough to compromise the entire domain.
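To make that audit concrete, here is an added example (not EmberSec's code or tooling) that checks an inventory of local Administrators group membership for exactly the misconfiguration described above, and then answers the question the attacker cares about: given one compromised account, which hosts is it already local admin on? The inventory, the CORP domain, the group names and the approved-member list are all constructed assumptions for this example; in practice you would collect the membership per host with something like `Get-LocalGroupMember -Group Administrators`.

```python
"""Audit local Administrators membership and show its blast radius.

Added example; this is not EmberSec's code. The inventory is constructed
sample data in the shape you could collect per host with, for example,
`Get-LocalGroupMember -Group Administrators`; the CORP domain, the group
names and the approved-member list are assumptions for the example.
"""
from dataclasses import dataclass

# Broad groups that must never sit in a local Administrators group: any one
# of them hands local admin to every domain user.
BROAD_GROUPS = {
    "CORP\\Domain Users",
    "NT AUTHORITY\\Authenticated Users",
    "Everyone",
    "BUILTIN\\Users",
}

# Members expected in local Administrators on every workstation (assumed).
APPROVED_MEMBERS = {
    "Administrator",             # built-in local account; its password should be LAPS-managed
    "CORP\\Domain Admins",
    "CORP\\Workstation Admins",
}

# Groups every authenticated domain account belongs to implicitly (by default
# Domain Users is nested in the local Users group on domain-joined machines).
IMPLICIT_GROUPS = {"NT AUTHORITY\\Authenticated Users", "Everyone", "BUILTIN\\Users"}


@dataclass(frozen=True)
class Finding:
    host: str
    member: str
    reason: str


def audit_local_admins(inventory):
    """inventory: {hostname: [members of local Administrators]} -> list of Finding."""
    findings = []
    for host, members in inventory.items():
        for member in members:
            if member in BROAD_GROUPS:
                findings.append(Finding(host, member, "broad group: every domain user is local admin here"))
            elif member not in APPROVED_MEMBERS:
                findings.append(Finding(host, member, "unapproved member holds local admin"))
    return findings


def hosts_with_admin(user, inventory, user_groups):
    """Hosts where `user` is local admin, directly or through a group it belongs to."""
    effective = set(user_groups.get(user, ())) | IMPLICIT_GROUPS
    return sorted(host for host, members in inventory.items()
                  if user in members or effective.intersection(members))


# Constructed sample data: four hosts and three domain accounts.
SAMPLE_INVENTORY = {
    "CONF-ROOM-01": ["Administrator", "CORP\\Domain Admins", "CORP\\Domain Users"],
    "PRINT-KIOSK":  ["Administrator", "CORP\\Domain Admins", "CORP\\Workstation Admins",
                     "NT AUTHORITY\\Authenticated Users"],
    "WS-JSMITH":    ["Administrator", "CORP\\Domain Admins", "CORP\\Workstation Admins",
                     "CORP\\jsmith"],
    "WS-CLEAN":     ["Administrator", "CORP\\Domain Admins", "CORP\\Workstation Admins"],
}
SAMPLE_USER_GROUPS = {
    "CORP\\jsmith":   {"CORP\\Domain Users"},
    "CORP\\mjones":   {"CORP\\Domain Users"},
    "CORP\\adm-luke": {"CORP\\Domain Users", "CORP\\Workstation Admins"},
}

if __name__ == "__main__":
    for f in audit_local_admins(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.member}: {f.reason}")
    for user in SAMPLE_USER_GROUPS:
        print(f"{user} is local admin on: {hosts_with_admin(user, SAMPLE_INVENTORY, SAMPLE_USER_GROUPS)}")
```

Run against the sample data, the audit flags the conference room and print kiosk (broad groups) and the one workstation where a standard user was added directly; the second function shows why that matters: the ordinary account `CORP\mjones`, which appears in no Administrators group by name, is nonetheless local admin on both shared systems.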

Fixing these misconfigurations is quite important, but you also want to be ready in the event hackers do gain access to your network and find ways to move laterally. Here are a few suggestions:
  • Collect and monitor operating system event logs. Use a SIEM and write rules to identify anomalies: Dave shouldn't be logging into Joe's system, and Susan never logs in to her system outside her 9:00a-5:00p hours. If something like this happens, you should be alerted, and you should call them to confirm that the observed activity was actually them.
  • Perform network monitoring. Use a good firewall that receives threat intelligence updates and can tell when an organizational system attempts to connect to a known malicious host.
  • Perform application whitelisting. Only approved software should run on organizational systems, period. This prevents hackers from simply launching their own executables on your systems and forces them into other techniques.
  • Use an endpoint detection and response (EDR) tool such as Carbon Black's or FireEye's. EDR lets you conduct investigations on any suspect system, and it uses analytics to search for malicious and anomalous behavior at the operating-system level and alert you to findings.
  • Heavily monitor the use of PowerShell (enable script block logging and send the resulting events to your SIEM, so that what a script actually ran is recorded rather than just the fact that powershell.exe started).
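The first suggestion above is the one most teams under-implement, so here is an added example (not EmberSec's code and not any SIEM vendor's rule syntax) of three rules of the kind described, run over constructed Windows logon events (Event ID 4624): a user logging on interactively to someone else's workstation, a logon outside business hours, and one account fanning out by network logon to many hosts in a short window, which is what lateral movement tends to look like in the logs. The log lines, the host-to-owner baseline, the 9:00a-5:00p window and the fan-out threshold are all assumptions for the example.

```python
"""Three SIEM-style rules over Windows logon events (Event ID 4624).

Added example, not EmberSec's code or any vendor's rule syntax. The events
are constructed sample records in the shape a SIEM holds after parsing 4624
events; host ownership, business hours and thresholds are assumed baselines.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERACTIVE_LOGON_TYPES = {2, 10}     # 2 = console logon, 10 = RDP
NETWORK_LOGON_TYPE = 3                # SMB/RPC style network logon
BUSINESS_START, BUSINESS_END = 9, 17  # 9:00a-5:00p (assumed baseline)
FANOUT_WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 4                  # distinct hosts within the window

# Assumed asset-to-owner baseline: who normally sits at which workstation.
HOST_OWNER = {"WS-DAVE": "dave", "WS-JOE": "joe", "WS-SUSAN": "susan"}

# Constructed sample log (Monday 2020-09-28). Fields are key=value pairs.
SAMPLE_LOG = """\
ts=2020-09-28T09:15:00 event_id=4624 host=WS-DAVE user=dave logon_type=2 src=-
ts=2020-09-28T09:20:00 event_id=4624 host=WS-JOE user=joe logon_type=2 src=-
ts=2020-09-28T10:05:00 event_id=4624 host=WS-JOE user=dave logon_type=10 src=10.0.0.15
ts=2020-09-28T22:40:00 event_id=4624 host=WS-SUSAN user=susan logon_type=2 src=-
ts=2020-09-28T14:00:00 event_id=4624 host=FS-01 user=susan logon_type=3 src=10.0.0.22
ts=2020-09-28T14:01:00 event_id=4624 host=WS-JOE user=dave logon_type=3 src=10.0.0.15
ts=2020-09-28T14:02:00 event_id=4624 host=WS-SUSAN user=dave logon_type=3 src=10.0.0.15
ts=2020-09-28T14:03:00 event_id=4624 host=FS-01 user=dave logon_type=3 src=10.0.0.15
ts=2020-09-28T14:04:00 event_id=4624 host=PRINT-KIOSK user=dave logon_type=3 src=10.0.0.15
"""


def parse(line):
    """Parse one key=value log line into an event dict with typed ts/logon_type."""
    ev = dict(part.split("=", 1) for part in line.split())
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["logon_type"] = int(ev["logon_type"])
    return ev


def rule_wrong_workstation(events):
    """Interactive/RDP logon by a user onto a workstation assigned to someone else."""
    alerts = []
    for ev in events:
        owner = HOST_OWNER.get(ev["host"])
        if ev["logon_type"] in INTERACTIVE_LOGON_TYPES and owner and ev["user"] != owner:
            alerts.append(f"{ev['user']} logged on to {ev['host']} (owner: {owner}) at {ev['ts']}")
    return alerts


def rule_off_hours(events):
    """Interactive logon outside the business-hours baseline or on a weekend."""
    alerts = []
    for ev in events:
        ts = ev["ts"]
        if ev["logon_type"] in INTERACTIVE_LOGON_TYPES and (
                ts.weekday() >= 5 or not BUSINESS_START <= ts.hour < BUSINESS_END):
            alerts.append(f"{ev['user']} logged on to {ev['host']} off-hours at {ts}")
    return alerts


def rule_lateral_fanout(events):
    """One account opening network logons to many distinct hosts in a short window."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] == NETWORK_LOGON_TYPE:
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= FANOUT_WINDOW]
            hosts = {e["host"] for e in window}
            if len(hosts) >= FANOUT_THRESHOLD:
                alerts.append(f"{user} reached {len(hosts)} hosts by network logon "
                              f"within {FANOUT_WINDOW} starting {start['ts']}")
                break  # one alert per account is enough
    return alerts


def run_rules(log_text):
    """Parse the log and return {rule name: [alert strings]}."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    return {
        "wrong_workstation": rule_wrong_workstation(events),
        "off_hours": rule_off_hours(events),
        "lateral_fanout": rule_lateral_fanout(events),
    }


if __name__ == "__main__":
    for name, alerts in run_rules(SAMPLE_LOG).items():
        for alert in alerts:
            print(f"[{name}] {alert}")
```

Each rule needs a baseline the SIEM does not ship with: which user owns which host, what hours are normal, and how many hosts an account touches in ten minutes on a quiet day. Build those from a few weeks of your own logs before turning the rules on, and keep the network-logon fan-out rule scoped to user accounts, since backup and monitoring service accounts legitimately touch every host.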
 
Evolved Cyber Defenses
If your security program is already practicing all of the strategies above, hackers will likely attempt to circumvent your defenses with more complex, high-tech attacks. Here are a few examples:
  • Knowing that defenders are getting better at using their SIEMs and monitoring for unusual activity, hackers often conduct their attacks during business hours and try to blend into normal traffic as best they can.
  • Knowing that you are performing network monitoring, hackers use a technique called domain fronting. The TLS connection, and the server name (SNI) visible in it, is to a high-reputation content distribution network (CDN) host, while the HTTP Host header inside the encrypted session names the attacker's host, and the CDN routes the traffic there. Your network monitoring sees only a connection to the CDN. You need TLS decryption in your network to find this reliably, which can be tough to do without violating the privacy of your users.
  • Application whitelisting is a tough one. Typically, when I encounter it, I try to inject my malware into whitelisted processes. A good EDR tool may be able to see that injection.
  • If the client is using high quality EDR, I honestly attempt to disable it, or I just don't use malware at all. I call that going native: I simply use what Windows already provides to conduct the attack.
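For the domain fronting case, the check that matters once you do have TLS inspection is whether the name the client offered in the TLS handshake (SNI) and the Host header it sent inside the tunnel belong to the same domain. The following is an added example (not EmberSec's code) that applies that check to constructed records from a hypothetical inspecting proxy; the CDN suffix list, the organisation's own CDN-fronted origins, the naive registrable-domain rule and the sample records are all assumptions for the example.

```python
"""Flag TLS SNI / HTTP Host mismatches of the kind domain fronting produces.

Added example, not from the original post. It assumes records from a
TLS-inspecting proxy that logs both the ClientHello SNI and the Host header
of the decrypted request. CDN suffixes, known origins and the records are
constructed for the example.
"""
from dataclasses import dataclass

# Assumed: CDN edge hostnames an attacker could legitimately name in SNI.
CDN_SUFFIXES = ("cloudfront.net", "azureedge.net", "akamaihd.net", "fastly.net")

# Assumed: the organisation's own origins served through a CDN, so a Host
# header naming them behind a CDN SNI is expected and not an alert.
KNOWN_ORIGINS = {"static.example.com", "assets.example.com"}


@dataclass(frozen=True)
class ProxyRecord:
    client: str       # internal client address
    sni: str          # server_name from the TLS ClientHello ("" if absent)
    host_header: str  # Host header from the decrypted HTTP request


def registrable_domain(name):
    """Naive eTLD+1: the last two labels. Real code should use the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_cdn(name):
    return name.lower().endswith(CDN_SUFFIXES)


def classify(rec):
    """Return None for a benign record, otherwise a short reason string."""
    if not rec.sni or not rec.host_header:
        return None  # nothing to compare; inspection was incomplete for this flow
    if registrable_domain(rec.sni) == registrable_domain(rec.host_header):
        return None  # SNI and Host agree: the normal case
    if rec.host_header.lower() in KNOWN_ORIGINS:
        return None  # our own documented CDN-fronted origin
    if is_cdn(rec.sni):
        return "sni/host mismatch via CDN edge (possible domain fronting)"
    return "sni/host mismatch"


def find_fronting(records):
    """All (record, reason) pairs that deserve an analyst's attention."""
    return [(r, reason) for r in records if (reason := classify(r))]


# Constructed sample records.
SAMPLE_RECORDS = [
    ProxyRecord("10.0.0.15", "d1abc.cloudfront.net", "d1abc.cloudfront.net"),     # plain CDN fetch
    ProxyRecord("10.0.0.15", "d1abc.cloudfront.net", "static.example.com"),       # our CDN-fronted origin
    ProxyRecord("10.0.0.15", "d1abc.cloudfront.net", "updates.attacker.example"),  # fronted C2 traffic
    ProxyRecord("10.0.0.22", "www.example.org", "www.example.org"),               # ordinary site
    ProxyRecord("10.0.0.22", "login.example.net", "api.example.org"),             # mismatch, no CDN
    ProxyRecord("10.0.0.31", "", "updates.attacker.example"),                     # no SNI logged
]

if __name__ == "__main__":
    for rec, reason in find_fronting(SAMPLE_RECORDS):
        print(f"{rec.client} sni={rec.sni} host={rec.host_header}: {reason}")
```

Two caveats belong next to this rule. Without decryption the proxy never sees the Host header, so the last record shows the blind spot: a mismatch you cannot compute is not a clean record, only an unknown one. And the allowlist of known origins is where the false positives hide, so keep it short and reviewed; a broad "anything on our CDN" exception would also cover an attacker who hosts on the same CDN.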
 
About the Author: Luke Willadsen, Technical Services Lead, EmberSec, is an InfoSec professional and white hat hacker. After getting his start with the Dept. of Defense in 2010, Luke leveraged his specialization in offensive security and eventually turned to private and public sector consulting. Mr. Willadsen has a bachelor's degree in cybersecurity, a master's degree in technology studies, an OSCP certification, and a CISSP certification. Outside of his professional life, Luke is a husband, an animal lover, a fitness enthusiast and a passable guitar player, plays a bard in Dungeons and Dragons, and enjoys playing a few rounds of Battlefield on his PS4 a night or two a week.

About EmberSec: EmberSec, a Division of By Light, serves as a provider of advanced, technical cybersecurity services and solutions. Whether that's testing the maturity and efficiency of your security program through technical assessments, integrating highly customized Managed Detection & Response capabilities, or aligning your infrastructure and security practices around industry frameworks, EmberSec understands the complexities involved in establishing a truly secure enterprise.
The EmberSec team is comprised of senior security researchers, operators, and intelligence professionals, and specializes in the following domains: 
  • Managed Detection & Response
  • Technical Services
  • Governance, Risk & Compliance



Contact Us
(703) 224-1000
info [at] embercybersecurity.com
8484 Westpark Dr.
Suite 600, McLean, VA, 22102
© 2020 By Light Professional IT Services LLC. All Rights Reserved.