Regular Security Operations Activities – Small Business Edition

Introduction

Barely a day goes by without reading about a new breach, organisations both large and small are under constant thread from cyber criminals and most organisations are either living in ignorant bliss or are one mistake away from being pwn3d. To this end I wanted to publish a list of activities that small businesses can conduct on a regular basis to help improve their security posture. The focus here is on organisations that operate an active directory domain environment but some of the areas can apply to many systems/architectures.

Company News

API Security Testing

Introduction

I sometimes wonder in the security industry if part of the issue with adoption of good practises is sometimes partly a self-created problem, don’t get me wrong I’m not saying people go out of their way to make it harder to secure things but I think that getting the right information to the right people in the right format is important.

An area I find that general/common knowledge is lacking is around security testing (penetration testing, adversary simulations and red teaming). In today’s blog I’m going to talk through the high-level steps that are conducted when testing APIs to try and remove some of the veil that I think surrounds this space. In this blog I’m going to talk through our approach to API testing to help you not only understand how we do it but also to help you scope your testing requirements, regardless of who does the testing! After all, sharing is caring!

Defense

Cyber Incident Response – Have you planned to fail?

Drill, drill more and drill again

I’ve worked with hundreds of companies over the years and one area I consistently see them struggle with is incident response drills. Sure I see some board level table top simulations but nothing says i’m ready more than practising actual responses.

In table tops people mainly assume the log files exist, they assume the resources are there, they assume the best. I’m not a pessimist but I assume breach and assume things will go wrong (even with preperation).

So to help people I put together an Incident Response planning toolkit workbook. This excel document is a rough guide of different types of incidents and different horror levels (there’s a cool D00M flavoured easter egg in there too). Now one thing, you will need to tailor this. BEC for example can be very simple to repel and remediate, however the cost and impact of BEC can be huge (even if it’s a single mailbox) so take the numbers in here with a pinch of salt and tailor it to suit your needs.

Fail to Plan, Plan to Fail

Failing to plan for a cyber incident both large or small is a sure fire way to ensure you are planning to fail! So with this in mind we thought we’d share a quick workbook to try and kick start your mind into NOT planning to fail!

Guides

mRr3b00t’s pentest 101 draft notebook

I love sharing content, ideas, thoughts, theories and hopefully some of the things i’ve picked up along my career so far! I imagine most people wouldn’t say I had a traditional approach to consulting and my content sharing approach is generally quite simmilar, so in a mad moment a week ago I decided to see if I could go through the Comptia Pentest+ course. Why did I decide to do this you ask! Well that’s a bit more complex…

CTF

Learn all the things!

Many of you will know I’m a massive fan of learning all the things, but also I’m a huge fan of sharing intel, knowledge and experiances because I know when you are starting in a field, the world can seem too big to know things! So to this end, I’ve put together a quick list of tools that I believe are required you have some knowledge of for the PenTest+.

Where possible links to tools and download locations have been provided. Clearly you can deploy a security testing distro such as Kali Linux, Parrot etc. buy you may want to simply install Ubunt or use Windows and WSL 2. Read more “Learn all the things!” →

Defense

17 Remote Code Execution Vulnerabilities in this month’s patch…

Windows DNS Server

This is really a major issues for Active Directory Domain Controllers.
CVE-2020-1350 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

We can see there are 2,133 servers on Shodan that are exposed however this exploit doesn’t rely on exposure, a client request from inside the network to a malicious DNS server could be used to exploit the domain controller. Read more “17 Remote Code Execution Vulnerabilities in this month’s patch Tuesday release!” →

Defense

Perimeter Security Vendor Hell – Unauthenticated RCE’s and other…

Disclaimer

If your can’t take an honest view on real challegnes we face you probably want to click the back button now!
The three laws of IT apply:

Software has bugs
Hardware breaks
Humans Make Mistakes

It doens’t mean however we shoulnd’t strive to do better! so now that’s out of the way here’s a fast blog on shit you should care about and patch (if you haven’t already!)

Also please note these are not ALL the vulnerabilities you should care about, just some choice ones that are enough to make you cry!

Introduction

“Don’t worry, we’ve got that behind a firewall or VPN!” is something I’ve heard a lot over the years, which to be honest is starting to look more and more worrying. Think that’s just me giving my opinion? Well think again, here we have collated SOME of the vulnerabilities in security products which if unpatched/mitigated really leave you. well quite insecure!

Defense

Configuring SYSLOG integration with F5 BIG-IP

CVE-2020-5902 Defensive Guidance (FAST publish)

This week’s been a whirlwind, once again teams of people scrambled to help defend networks from criminals trying to abuse CVE-2020-5902.

If you want to see this in action check out my video on youtube!

The main issue (other than the vulnerability itself (path traversal and unauthenticated remote code execution) is exposing management interfaces to the internet (or other insecure/untrusted networks). Yesterday we looked at IOCs in the “/var/log/audit” file.

Now a sensible attacker who has ROOT level access would have likely cleared their tracks! However, a good sysadmin would have the logs shipped off the device!

Defense

Hunting a breach… CVE-2020-5902

I’ve spent the last 24 hours (including a sleeps) gathering intel, testing in the lab and looking at what the path traversal and RCE for the F5 BIG-IP as outlined in CVE-2020-5902 looks like.
Well I’ll be honest.. the whole scenario is a bit of a bloody mess! We’ve got people leaving management interfaces exposed to the internet, we’ve got a vulnerability that’s incredibly old in a security appliance (it’s not exactly uber 1337 either) and we’ve had the release scenario that’s probably ruined peoples weekends and weeks (I’m not going into an Offensive Securitry Tools debate/argument, if you want that go talk to a brick wall or someone else!)

Guides

If I had to go and find a job

Some background

I’m in a very fortunate position (currently) whereby I have not had to look for a ‘job’ since I was much younger. I do however remember what a soul crushing experience that used to be. I’d send emails, I’d write letters, eventually after stone walls of silence and rejections because of not enough experience or qualifications. I just remember job hunting as a depressing experience and I can’t really imagine that’s changed a great deal over time!

When I was younger, I was a year ahead of myself in school (due to the event of not dying and going to a very lovely first school). I was never very academic when I was younger, but I loved games and I learnt very quickly (this was with our first Amstrad) that I loved computers and wasn’t too shabby with them.