Well thank you. Alright, so we're gonna talk about real incidents and real solutions to these real incidents, but since it's the last talk, we figured we would completely change our talk, so we're actually calling it messing with Laurent's stupid pentester tricks. So who saw that talk? Alright, so one of the things that he talked about was the keys. I don't remember that where he said I keep a spare key of every different type, so if I grab a key that I want to use I just give back the wrong key. So we spent all night looking for a real security solution for that, and it's actually pretty simple. You just gotta go to Home Depot and make sure that all your keys are Disney branded. Alright, thank you. Go for it. Fine now, I can switch. Alright, here's my joke again.

Alright, so seriously, as you may have noticed there's two of us and that's not just so the other one can drink while the other one talks. We have different perspectives. We both work at Rapid7, like Pialevid just said, and myself I work more on the defense side, right, so I work with different companies of all sizes, huge enterprise. There's a lot of people I worked with in Montreal also while I was an independent consultant, so I assess security programs, I do security architecture, and that's why I thought it would be a good idea to do a talk with someone that does incident response, because if you say you do defense and you don't know how the actual attacks happen, are you really doing defense or are you doing compliance, right? It would be pretty weird if you didn't know how the actual attacks were done, right? And Jordan?
Alright, so Jordan Rogers, I work at Rapid7 as well, and basically I'm the guy you call when you're SOL and you have no idea what's going on, and Guillem and I had a rage fest and that's actually where this talk came out of: I was complaining about an incident, and Guillem's like, well you could do this, you could do this, and that's how we came up with this talk. And so I've been working in technology for a long time, and yeah, that's about it. I'm pretty boring.

So what we did for this talk is we made a fake scenario based on real events, right? So it's like those movies, there's like 1% of it that is true. So what we're going to do is we're going to go backwards in that incident. So the company we made up is called ASNA, which stands for Acme, Steel, and Anvils. So disclaimer, we don't know anything about steel, so if there's anyone who actually knows, you're probably going to be really angry at us by the end of the talk. If you do incident response, you'll probably find that our timelines are really aggressive. Let's just pretend that we have some really motivated hackers here. So 7pm, ASNA has its chocolate moment. Quick poll, who thought that was a chocolate emoji when iOS started supporting emoji? There's one guy, really positive guy, right? So all their IP was stolen, and by IP we mean intellectual property, of course not IP addresses, because that wouldn't make any sense. And because they make anvils, we would imagine that the reason why they can make them so cheap and make so much profit is because of the different types of steel composition that they have, the alloys, the contracts that they have with their providers. And a few hours before all their stuff was leaked, their MRP database was breached, so MRP stands for Manufacturing and Resource Planning. Yes, that was the hardest part of the entire talk.
So that's where you got all the contracts from all the different providers, the processes to build these anvils, and pretty much everything someone could copy really easily from them if they had the recipe to that, right? So what just happened right before that, Jordan? So before they got to the MRP database, they grabbed Domain Admin, and Domain Admin and service accounts are the easiest things for attackers to move around with. We see it all the time, but just get a little closer, there's a camera. Oh, a high camera. And then what they did is before they got Domain Admin, they laterally moved, and before they could lateral over and grab the Domain Admin, they had to get local admin, and before they could get local admin and scrape memory, they dropped some actual malware. It was a RAT, remote access Trojan. And just as a disclaimer, a lot of this stuff is taken out of real incidents, hence the name of the talk. So we just have compressed a lot of what we've actually seen in the wild. And right before that malware ran, what we saw was there was a dropper that was executed that went and fetched the malware.

And maybe just for people who don't know, can you explain what a dropper is and how it differs from the actual malware they're trying to execute? I hope most of you know it, but if you don't, basically a dropper, it's two-stage malware, so it's a lot less likely to get caught by a lot of the other tools that you have in place. And we see this because it's easy to write a dropper because all it has to do is install itself, not even install itself, just run itself, go out and grab something and pull it down. You're not wasting your actual exploit kit getting caught. You're spending a lot less time on this and it's a lot less likely to be caught by your typical easy defenses. And we see that between the malicious email that was sent and the dropper being executed, there's like 26 minutes or 24. I'm really bad at math. I think it's 24.
And the only reason why there's 24 minutes in there is just because the guy who received the email is a slacker and he just didn't click on it until then. And before that, the company thought, you know, everything is fine. This kind of stuff happens to other people. We have a next-gen firewall. We've got AV. This is not going to happen to us, and ignorance was bliss, right?

So I would say the root cause for that is a lot of the security programs that I see, I could say they're based on next-gen and bourbon. So people just get drunk or they get drunk on Kool-Aid. I say here, having a beer, doing a talk on security. So I don't judge them, but I got to say, if you don't do the basics right, all these products that you're buying, you're probably just expanding your attack surface and not really reducing the risk at all. And then on top of that, you're spending a whole lot of money that you're probably going to need once you do incident response, right? So when I look at the security programs in enterprise, it's extremely rare that I would say the top one thing you need to do right now requires buying anything. And everyone is going out and buying a whole bunch of stuff. Just slow down and fix those things before you start buying these different devices, right? By doing the basics right, well, you're not adding something that expands your attack surface. Like I said, you're not adding something that's going to have another 18% maintenance fee, take more room in your data centers. You really want to get that right. And in fact, we see people do the opposite. They buy everything and then they don't do much and then we know what happens, right?

So when you do incident response, the typical company that you do incident response for, do they have stuff? Do they have nothing? Do they have everything? What does it look like? We see a broad spectrum of things, but a lot of the times somebody will have an extra firewall. They'll have a SIEM. They'll have proxies.
They'll have AV everywhere. They'll have sandboxing. And that's all great and fine and dandy, but most of the time they don't implement everything properly. So you bought a $100,000 firewall that you don't do shit with. You don't sandbox everything. So you're not actually looking at it. You're not actually blocking stuff using your AV because you have HIPS. And, you know, I come in, I look at it and I say, oh, great. You have AV, but you also have 12 different versions of your AV. So that really didn't fucking help you. And, you know, we see this all the time: you spend all this money and nothing gets done with it. And I know people in the room who work in IR can say that it's extremely frustrating. And then we walk in there and we look like we're a genius because we're like, oh, hey, maybe we should just turn on your firewall. So, you know, we see that quite often and it's pretty frustrating because you're spending another whole bunch of money on it. I just want to remind you, this is filmed. So all your useless AV rants and all that stuff is going to be immortalized, which I think is going to be awesome. In like 62 years, I'll find a video on YouTube. I didn't sign a waiver. I signed it for you.

All right. So why don't we just go back to that story? So first, step one, there's an email coming in and someone who works in, let's say, accounts payable gets the email, right? And, you know, just like Citizen Lab talked about earlier, we see that phishing is a really easy attack vector. Social engineering, you know, just like we use open source intelligence and we do threat intel gathering and all of that, they do the same thing. They'll send a phishing email. They'll make it look like a conversation that you should have had, just like the Citizen Lab guys talked about.
And, you know, it's basically like it happens all the time and then you have to pay a whole bunch of money to fix something that was really simple because you should have vetted what you were getting. And, you know, I mean, look at the domain, right? Hey, it's a guy who should have gotten an email from a raw materials company, but really, who uses .biz? Well, so that was a joke that we wrote for a different talk where there's no company called infidem.biz in Chicago. So I think that played better. So I don't know. I guess here, other than infidem, does anyone use .biz for legitimate purposes? Have you ever seen that? I'm American. I don't know anything.

So, all right. So the typical defenses we see against that in like all the enterprises are very similar. So anti-spam, everyone's got that. It's an appliance. It's a service you point your MX records to. You have a cloud email like 365 or Gmail and it's got that. And it's pretty good against non-targeted stuff, right? Same thing for mail antivirus. You know, if it's not targeted, it might detect some stuff and block it, but if it's a targeted attack, it's not really going to help you. Endpoint AV, I mean, it's pretty much the same thing. Sandboxing, a little better, but in the case of droppers that are really simple, there are ways to bypass that. I know there's some people in the room that actually love bypassing these sandboxes. I won't name names, but you know who you are. And then my favorite one is user awareness. You know, almost every company has user awareness. How many companies in here actually have some user awareness like phishing training and stuff like that? How many actually think it's effective? How many of them have to keep Flash just because of the user awareness thing? Right? So you have this really boring thing that people just race through.
They click next, next, next, next, next and then there's a quiz and the quiz is like, should you leave your password on a post-it on your screen, and then you say no and you pass and then you wait for another year. So I'm not saying all user awareness is bad. I'm not saying you shouldn't train your users, but I'm saying that a lot of awareness that we see is purely compliance driven. Like obviously if you're doing such a bad job, I hope you're doing it to check a box. Then at least you can check your box. If you really think you're doing security by having a really bad quiz like that and keeping Flash because of it, it probably has a net negative impact on security, right?

So in our case, in that situation, it was actually a Word attachment, but there are other ways that malicious email can come in, right? Yeah, I mean like you send an Excel document that has Flash inside of it, and yes, Excel can run Flash and it's stupid, and we're going to pick on Flash a little bit. But the other thing is we see the scraping of LinkedIn, scraping social media, all of that stuff, and they're sending emails with a just slightly tweaked domain. I just worked two of them last week. They're very simple attacks, but they cost people a lot of money. Like I've seen $800,000 get sent by a Comptroller because the CFO sent an email to the Comptroller. Well, it was actually instead of an L, it was an I and they didn't notice it and guess what, now they just sent it to the wrong account. So we see stuff like that. They go after the big fish, you know, whaling, blah, blah, blah, you've all heard of that. The other thing though is it doesn't have to be an attachment, and Citizen Lab brought this up too, which I kind of wish I would have seen their talk before we had this because it's a lot of reiteration.
But we see the same thing that, well, hey, we sent you, we shared something on Box or something on a whatever sharing site, and that's how they're doing the attacks. And you know, it's funny because we see Dridex coming through and macros, and macros used to be like really... macro malware, that was a thing in the 80s, right? Well, now we're seeing it come back again because everybody kind of... I think it was in the 60s actually. Oh really? Okay, yeah.

So people are going out and they're buying all that stuff but there's some super basic free stuff that you should actually do right now if you haven't done it. The first one is block macros, and every time I say that, there's always that one guy that says I can't do that because my finance team has basically built a big data solution out of Excel and our entire company runs on it. I'm not saying disable macros everywhere. But what are you using? Are there a lot of people using Office 2016 yet? So that one guy, it's going to be really easy for you because there's a new feature where you can select the zones where it's coming from. So what you want to do is make sure stuff coming in from the internet zone, temp folders, Office, Outlook itself, anything that's received in emails and the different temp folders where it would put that, don't run macros on that. If you don't have 2016, you can still do it. It's slightly more complicated but the GPOs are actually pretty simple to deploy.

Harden Office. I'm going to talk about hardening a lot. I know a lot of people hear hardening, they're like, PCI says you should harden your stuff and it's boring and blah, blah, blah. But Office actually has like a billion different features that you probably don't use, right? It can still open WordPerfect files, it can still open Word95 files, and I'm boring Charles to death right now. He's shooting himself, it's amazing.
So if there's a vulnerability in one of these that could be exploited, the malicious file that comes in could use a macro but could also exploit a vulnerability in Office that either is not known yet or you just haven't patched. And that's where EMET also becomes useful. I know a few talks talked about EMET before, or "Emet", or... how am I supposed to say EMET? You're like, you're American, tell me. I say "Emet", I don't know. You say "Emet", I'll say "Emmett" then. I probably don't speak American well anyway, so I don't know. So one really interesting feature in it that applies specifically to Office is called ASR or Attack Surface Reduction and it lets you disable extra features that you probably don't need, the main one being Flash in Office. So serious question, and I ask this to everyone I see and I still don't have a good answer. Has anyone ever used Flash in Office in a non-malicious way, and no, a pen test doesn't count as non-malicious? You're lying. Why did you use it? All right, we got our answer. So you can actually turn that off.

And Jordan, like that's stuff that we see, right? I mean, again, touching on the macro thing and extensions and plugins, it's a super easy attack vector. People are stupid, right? You're protecting dumb people and they have no idea what they're doing. You know, your user awareness training doesn't work and guess what, a major security company got pumped. I love that this is filmed, like your douchebaggery will live on forever, man. People are stupid. It's kind of like if you didn't have users, your network would be secure. Seriously, all of these things, they're very simple attack paths and they're social engineering, email phishing, all of that and just macros. Like, hey, guess what, you just dropped $50,000 to call me in because you clicked a link or you clicked on a file and allowed a macro to run and you thought you were protected because you have all these fancy dancing boxes.
And we see that a lot in finance, right? Yeah. So in Montreal, there's a lot of finance organizations. I know a lot of people here work for them, so that's something to be on the lookout for.

So for those who haven't used EMET before, it's just a really quick demo, but I don't want to talk about the fact that EMET might block an off-the-shelf exploit, everyone knows that. So what you see in red right now is someone without EMET opening a Word file with a stupid 2007 version of it, and as you can see on the left, there's a shell, it's Windows XP, you get SYSTEM, it's super easy. The sad thing is that it actually still works on a lot of companies that I see. What you're going to see with the green background is the same thing with EMET enabled, and what I want you to notice is how fast Word got killed. Now, what you don't see here is in the background, EMET actually logs why it killed the app. So if you're using it right now and you're not using these logs, you're losing a lot of very, very important, very targeted information, where you probably have a lot of security solutions sending you a whole bunch of alerts all the time, but if you see that all of a sudden Internet Explorer.exe or Word, I'm sorry, WinWord.exe starts getting killed more and more and you see what EMET mitigation killed it, well maybe you just spotted something before they move on to something that's more advanced, right? Like EMET can be bypassed, everything can be bypassed, we know that, but people don't necessarily try the super advanced way first. So if you have that information on your systems and you're not using it, well then it's just a waste, right? I mean, there's no reason for an attacker to use a 0-day or something like that that possibly could get caught if they don't need to. Again, you go for the path of least resistance. It's kind of like pouring water out, it just finds the path of least resistance, and that's what the attackers are going to do.
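The EMET-log point above, worked through as an added example (not code from the talk or from EMET itself): parse the mitigation events EMET writes when it terminates a process, and alert when one process is killed repeatedly inside a short window, with the distinct hosts and mitigations listed so a single broken add-in can be told apart from a campaign. The log lines are constructed for the demo and the field layout they use is an assumption; adapt `LINE_RE` to whatever your collector forwards from the Application log.

```python
"""Triage of EMET mitigation events: which process is being killed, how often,
and on how many hosts.

Added example, not code from the talk. The log lines are CONSTRUCTED to look like
the Application-log entries EMET writes when it terminates a process; the exact
wording and field order of real EMET events are an assumption here, so adapt
LINE_RE to your collector's output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: <timestamp> <host> EMET detected <mitigation> mitigation in <process>
SAMPLE_EVENTS = """\
2016-05-12T08:02:11 WS-017 EMET detected EAF mitigation in WINWORD.EXE
2016-05-12T08:05:40 WS-017 EMET detected Caller mitigation in WINWORD.EXE
2016-05-12T08:07:03 WS-021 EMET detected EAF mitigation in WINWORD.EXE
2016-05-12T09:30:00 WS-004 EMET detected DEP mitigation in iexplore.exe
2016-05-12T14:12:55 WS-017 EMET detected EAF mitigation in WINWORD.EXE
2016-05-12T14:14:02 WS-021 EMET detected SimExecFlow mitigation in WINWORD.EXE
2016-05-12T14:15:30 WS-033 EMET detected EAF mitigation in WINWORD.EXE
2016-05-12T14:16:00 WS-034 EMET detected EAF mitigation in winword.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EMET detected (?P<mitigation>\S+) mitigation in (?P<process>\S+)$"
)


def parse_events(text):
    """Turn raw log lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        ev["process"] = ev["process"].lower()  # WINWORD.EXE and winword.exe are the same binary
        events.append(ev)
    return events


def find_spikes(events, window=timedelta(hours=1), threshold=3):
    """Report every run of >= threshold kills of one process inside `window`.

    A single host killing Word over and over may be a broken add-in; the same
    process dying on several hosts in the same hour looks like a campaign, so
    the alert carries the distinct host list as well as the mitigations hit."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev["process"]].append(ev)

    alerts = []
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            j = i
            while j + 1 < len(evs) and evs[j + 1]["ts"] - evs[i]["ts"] <= window:
                j += 1
            run = evs[i : j + 1]
            if len(run) >= threshold:
                alerts.append({
                    "process": proc,
                    "start": run[0]["ts"],
                    "end": run[-1]["ts"],
                    "count": len(run),
                    "hosts": sorted({e["host"] for e in run}),
                    "mitigations": sorted({e["mitigation"] for e in run}),
                })
                i = j + 1  # do not re-report the same run
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in find_spikes(parse_events(SAMPLE_EVENTS)):
        print(f"{a['process']}: {a['count']} kills {a['start']:%H:%M}-{a['end']:%H:%M} "
              f"on {len(a['hosts'])} host(s) {a['hosts']} via {a['mitigations']}")
```

On the constructed sample this produces two alerts for winword.exe (a three-kill run in the morning and a four-kill run across four hosts in the afternoon) and nothing for the single iexplore.exe event; the afternoon run, spread over several workstations, is the one that deserves a look before anything more advanced is tried against them.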
If you stop them one place and they actually care, they're going to come back and they're going to get in. It's more about tracking them and understanding what they're doing and how they're moving through the environment and what their target is. So in our example, it was an attachment but the same thing could have happened with like a malicious link, right? Yeah, I mean like I've worked on cases where it's water-holing so they do super targeted email or not email campaigns, ad campaigns and all they do is they say, okay, this is my target audience and I'm going to drop malware via an advertisement but I'm targeting this user base and so here's where I'm going to pay for this advertisement and it works. I mean, I think it was like 800 companies that got hit by this targeted campaign and it was widespread and they got what they wanted and just like we have in here, well, whitelist sites for plugins, right? You have proxies, use them, right? I mean, again, this touches back on what you're allowed to do. I mean, and I don't want to jump ahead and not talk too much but I mean the denying old plugins, why do you need to run a version of something that's like you're on Chrome version 1000 and this was built for Chrome version 22, you know, because Chrome comes out like every week. I think it's every day. They actually like they push it live at Google. So, again, you know, click to play. Google just announced that they're going to start making Flash really way more restricted except for the top 10 websites that use Flash. Who saw that news? Who was like, yes, this is actually going to have like the biggest impact for consumer security in a long time so that's going to be great. You can already do that in the enterprise. So we see more and more clients and we help more and more clients to do that where they just whitelist that stupid user awareness site that we just talked about and everything else is click to play. So at least you force people to do that. 
Jordan mentioned ads. Blocking ads, we've seen a few clients do it, and from the moment they block ads at the proxy or web firewall level, not web firewall but the web filtering part of their firewall, we see a huge reduction in off-the-shelf non-targeted malware. It's actually pretty impressive for something that is almost free, because everyone has these tools already. Except, don't write a recommendation in a report to a company that bases their profit on advertising: block advertising. Yeah, it does get awkward if your client is a newspaper. I don't know anybody who ever has done that, right? No, no one would be stupid enough to do that. And with Chrome, Edge, Internet Explorer and I guess Firefox, everything can be configured via GPO. It's free. It's super easy. And you should do EMET on it also. And we mentioned Flash a few times. It's not just Flash. Companies have Silverlight. Still a lot of companies that we see have Silverlight. So Angler and things like that will exploit Silverlight if it's not patched well.

So on top of these things you can do for free that you should be doing, there's just some extra config you should be doing to the stuff you probably already own. My favorite one is just unclassified sites, right? I see a lot of people, they spend so much money on PCs or next-gen firewalls that can do web filtering, and then the unclassified sites, they don't block them because that would require effort, because there might be sites that get blocked that they need to use. Well, first thing, we're in Montreal, so I know there's some databases that are not as good with the franchise as others. So if you have questions about that, just come and see me later. Now, if you're spending all that money for a database that will let you decide what you'd let through or not, why would you be saying, oh, if it's not in the database, it's obviously fine, right? It doesn't make any sense.
The only reason people are doing that is just because there's too many false positives or it sucks. So if you can't block unclassified sites, I would say you probably need to shop for a different proxy or database, because when you think about it, if someone's going to attack you, they're probably not going to attack like a site that's categorized as porn to try and attack your company, right? I mean, yeah, like we see all the time, like just like with the... Instead of the email attachment from the wrong domain, you can still do the same thing where you can prevent similar domains and stuff like that from email, but also you're going to prevent C2 traffic. So if you do catch commodity malware, you can block C2 traffic because most of the sites are unclassified. And if you really have users who are hitting that many unclassified sites, okay, maybe that's an issue, but it's easy enough to say, okay, I shouldn't go to this website, I need it, there's no real business purpose for it, and you know, if somebody's using a .biz that was registered five minutes ago, really, do you think you need to work with that company? I don't know. Yeah, so you got to use that to the maximum.

Then the other one, which sounds really stupid, you know, file blocking. I cannot count, like it's probably 75% of the companies that I see allow either or vote like any user to download EXEs, like that can mean like a customer service or an agent in a bank. Why does that person need to download an EXE or MSI or a PIF or a batch file or whatever, you know what I mean. Then it's the same thing with email AV, you know, a lot of people still allow encrypted zip files and then they don't scan them. You're scanning everything and then something comes in that you can't scan and you just let it through. And one of the reasons why that happens is when people do pen tests, they frequently set the scope so that end users are out of scope.
So all these things don't get tested even when they do a pen test. So I see that still really, really often. Then link rewriting, depending on what you're using for email anti-spam and anti-malware, you want to rewrite those links. So remember at the beginning I said there were some amount of minutes between when a guy got the email and when he clicked on it. So those 24 to 26 minutes might actually be enough for those definitions to catch up if it's not something that's targeted. And in fact, that's something that I've seen, that I've done, that actually really works well, where someone who's in a different time zone where it's earlier in the morning was getting a lot of off-the-shelf malware their AV would not detect. We just slowed down delivery of some types of attachments by 20 minutes and that made almost a 90% difference in the amount of malware that was caught, because they were not targeted campaigns. It was just off-the-shelf malware that was sent to millions of people, but they were the first ones to receive it. I don't know why exactly they would be the first ones to receive it, but also people would show up really early because it's a different time zone, and just doing that reduced it a lot. So then if you're doing link rewriting, when your people show up and click on these links you get the advantage of scanning them again when they click on it, which might buy you a few hours. The other nice thing about having link rewriting is, instead of saying, okay, well, we have to go and search, well, everybody got this email, who all got this email, you actually understand, you know, you don't have to go back through and go to your proxy.
You can say, okay, well, whatever my email filter is, I can actually go and say, okay, these are the people who actually clicked the link and this is what was reported back, and then you can say, okay, well, we know that this is something we need to work on, stuff like that. And it also helps get rid of, some of the times, like when they send the bit.ly links and stuff like that, you know, you train people to say, oh, hover over the link, it'll tell you where it's going. If it's going to that, don't do it, right? Well, that kind of gets screwed up with the bit.ly links, but that's a different story with the code. I will scan any QR code anyone shows me. That's what security conferences are for. If anyone has a USB stick, I'll plug it in also. No, I won't.

So then the next step is the dropper that got executed by that macro will get the actual malware. So let's say e-mail.plumbing. If you have the worst attacker, and we just explained what the difference was between a dropper and a malware, but basically you'll have the same typical defenses except maybe, you know, your next-gen firewall is supposed to catch it because you think that URL is gonna be malicious, or maybe it's gonna scan the actual code when it comes in and say this is malware, your endpoint AV, your proxy, your sandboxing. But the problem is people have all of that but the rules are really permissive. So we just said, you know, most people can download EXEs. By the way, if you do start blocking that right now, make sure you don't have like the Adobe auto-updater relying on getting an EXE straight from Adobe, because then you're gonna end up with a whole bunch of outdated Adobe Readers. So be careful with your whitelists. So most people don't block that. They don't really look at DNS. And one of the big ones is HTTPS decryption, right? So that's in every company that I see, that I can start a flame war in like five seconds just by saying, oh, HTTPS decryption, what do you think about that?
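The link rewriting mechanism described above, as an added example (not the talk's code and not any mail-filtering vendor's implementation): every URL in an inbound message is replaced by a signed gateway link bound to the recipient, so the destination can be re-scanned when the user finally clicks, and the click itself is attributed, which is what answers "who clicked this?" without digging through proxy logs. The gateway host, parameter names, signing key and the sample message are all constructed assumptions for the demo.

```python
"""Link rewriting for inbound mail: every URL is swapped for a signed gateway
link, so the destination can be re-scanned at click time and the click is
attributed to a recipient.

Added example, not the talk's or any vendor's code. The gateway host, the
parameter names and the signing key are all assumptions chosen for the demo."""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

GATEWAY = "https://linkcheck.example/click"   # hypothetical rescan gateway
SIGNING_KEY = b"constructed-demo-key"         # assumption: real deployments load this from a secret store

# Matches http(s) URLs in a text body; trailing sentence punctuation is left out.
URL_RE = re.compile(r"https?://[^\s<>\"']+?(?=[.,;)]*(?:\s|$))")


def _sign(url, recipient):
    """HMAC over recipient|url: a forged gateway link cannot claim another recipient."""
    msg = f"{recipient}|{url}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def rewrite_url(url, recipient):
    """Wrap one destination URL in a gateway link bound to the recipient."""
    token = base64.urlsafe_b64encode(url.encode()).decode()
    return GATEWAY + "?" + urlencode({"u": token, "r": recipient, "s": _sign(url, recipient)})


def rewrite_body(body, recipient):
    """Rewrite every URL in a message body for one recipient."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0), recipient), body)


def resolve_click(gateway_url):
    """Gateway side: validate the signature and recover (recipient, original url).

    Returns None for tampered or malformed links; the caller would then re-scan
    the original URL against current reputation data before redirecting."""
    qs = parse_qs(urlsplit(gateway_url).query)
    try:
        original = base64.urlsafe_b64decode(qs["u"][0]).decode()
        recipient, sig = qs["r"][0], qs["s"][0]
    except (KeyError, IndexError, ValueError):
        return None
    if not hmac.compare_digest(sig, _sign(original, recipient)):
        return None
    return recipient, original


CLICK_LOG = []  # in production this is the record you query: who clicked which link, when


def record_click(gateway_url, when):
    """Attribute a click; returns the log entry or None if the link was invalid."""
    resolved = resolve_click(gateway_url)
    if resolved is None:
        return None
    entry = {"recipient": resolved[0], "url": resolved[1], "when": when}
    CLICK_LOG.append(entry)
    return entry


if __name__ == "__main__":
    # Constructed phishing-style body and recipient.
    body = "Updated pricing is at http://raw-materials.example/q2/pricelist. Reply by Friday."
    print(rewrite_body(body, "ap@asna.example"))
```

The signature covers both the recipient and the original URL, so a link forwarded or edited to name someone else fails validation rather than polluting the click record; the gateway is also the natural place to apply the 20-minute delay the speakers mention, since a click arriving after the definitions have caught up can simply be blocked.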
Like it works every time it's gonna be a crazy flame war. There's always people in a company that say we should do it, people that say we shouldn't do it. There's never anyone that says we should do it, but maybe not on these sides because like people get really, you know, worked up and they just wanna punch each other kind of like Jordan and I. Yeah. But I gotta say, you know, if you're spending hundreds of thousands of dollars on like next-gen firewalls and sandboxes and things like that, the attackers have access to free certificates now. So you're spending all that money on these things that should be able to see this stuff. So I'm gonna say if you're against HTTPS decryption for the traffic on your corporate network, why don't you save yourself the money? Cause in two years, you're not gonna see anything anyways. So why not just like remove one device and save a few hundred thousand dollars, right? I mean, I've had clients where they've had sandboxes that are actually pretty decent and they can't see half the traffic because, hey, well, guess what? I bought this really expensive toy, but now I can't see half of what I need to see. I'm not doing anything with it. I've deployed full packet capture in environments, a huge amount of full packet capture and they didn't do any SSL decryption. So it was basically like, hey, guess what, we're scanning port 80. So that's one of the things that drives me nuts, especially because attackers are smart. They know that they can use SSL to exfiltrate data and you're not gonna see it cause you got in an argument with compliance or legal about this. And you know, with WordPress, with Let's Encrypt, with everything now supporting HTTPS, you gotta be ready for it. You know, it's like we see more and more that's encrypted and soon. You even see advertisements encrypted. Yeah, so soon it's all going to be encrypted. So you need to decide what you're gonna do with that. 
I understand the downsides of doing it and maybe some people wanna have a more endpoint-focused technique. That's fine if you understand what the downsides are. So I would say in most cases, you actually wanna do SSL decryption in an enterprise, but there's some stuff you really don't wanna see, right? When people are logging into their bank, you don't wanna see that. You don't wanna see it. Well, you probably do wanna see it but you're probably not allowed to. So you wanna have a whitelist of stuff you don't wanna see. In some cases, maybe your company could be targeted by someone who's gonna hack like Bank of America to target you after that, could happen, but for most companies, that's not really a realistic type of attack, right?

So here's what it looks like in a real attack, right Jordan? So that's something that we took. It's a little bit modified though. No, it's not modified at all, it's legit. So basically this is what we're looking for, right? You have the proxy. Guess what guys, the data is there. And that's something that companies, when we deal with incident response, they think that, oh my God, we have no idea what's going on, how they're moving through our network, where the infection came in, what they were doing. Well, guess what, it's right in front of you. You've got a proxy, you've got DNS logs. Go look at them. Go look at anything anomalous, and then hey, you know what, also make sure you monitor your DNS. DNS tunneling is super easy to get data out and it's old, but guess what, macros are old and that was the way that people were popping you now and they were popping you in the past. Same stuff, everything gets reused in security. So June 32 and 555 in IPs, I think we hired some people from CSI Cyber to make our slides.

Then the third step was the credentials got harvested by that malware, or as I say, you just got Mimikatz'd, right? So actually, that's a verb, that's a verb.
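The DNS-log review the speakers push above, as an added example (not code from the talk): a small hunt over resolver logs that groups queries by registered domain and scores each one on the number of distinct subdomains, their average length, their character entropy and the share of TXT queries, the combination that a DNS tunnel produces and an ordinary web host does not. The log lines are constructed, the four-field layout is an assumption about your resolver's format, and the "last two labels" rule for the registered domain is a simplification you would replace with a public-suffix list.

```python
"""Hunting for DNS tunnelling in resolver logs: per registered domain, count
distinct subdomains, their average length, their character entropy and the
share of TXT queries, then flag domains that look like a data channel.

Added example, not the talk's code. The log lines are CONSTRUCTED; the
four-field layout and the thresholds are assumptions to tune on your own data."""
import math
from collections import Counter, defaultdict

# Constructed resolver log: <timestamp> <client> <qname> <qtype>
SAMPLE_LOG = """\
2016-05-12T14:20:01 10.10.3.45 www.asna.example A
2016-05-12T14:20:02 10.10.3.45 mail.asna.example A
2016-05-12T14:20:05 10.10.3.46 update.vendor.example A
2016-05-12T14:21:00 10.10.3.45 7a3f09e1c5b8d264d1c9e3a7025b8f46.cdn-sync.example TXT
2016-05-12T14:21:01 10.10.3.45 4e8b2a6d0f19c573b06f3d8e5a2c9471.cdn-sync.example TXT
2016-05-12T14:21:02 10.10.3.45 925ce04a71fb3d68e7b14f02d6c38a59.cdn-sync.example TXT
2016-05-12T14:21:03 10.10.3.45 d1c9e3a7025b8f464e8b2a6d0f19c573.cdn-sync.example TXT
2016-05-12T14:21:04 10.10.3.45 b06f3d8e5a2c9471925ce04a71fb3d68.cdn-sync.example TXT
2016-05-12T14:21:05 10.10.3.45 e7b14f02d6c38a597a3f09e1c5b8d264.cdn-sync.example TXT
2016-05-12T14:22:00 10.10.3.47 www.asna.example A
"""


def shannon_entropy(s):
    """Bits per character; encoded data scores high, hostnames like 'www' score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (subdomain, registered domain).

    Assumption: the registered domain is the last two labels. Production code
    should use a public-suffix list so that names under co.uk etc. group correctly."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client, "qname": qname, "qtype": qtype.upper()})
    return records


def domain_stats(records):
    """Per registered domain: query count, distinct subdomains, their mean length
    and entropy (dots removed), TXT share, and the clients that asked."""
    groups = defaultdict(list)
    for r in records:
        sub, dom = split_name(r["qname"])
        groups[dom].append((sub, r["qtype"], r["client"]))
    stats = {}
    for dom, items in groups.items():
        uniq = {s for s, _, _ in items}
        stripped = [s.replace(".", "") for s in uniq]
        stats[dom] = {
            "queries": len(items),
            "unique_subdomains": len(uniq),
            "avg_sub_len": sum(map(len, stripped)) / len(stripped),
            "avg_entropy": sum(map(shannon_entropy, stripped)) / len(stripped),
            "txt_share": sum(1 for _, t, _ in items if t == "TXT") / len(items),
            "clients": sorted({c for _, _, c in items}),
        }
    return stats


def suspicious_domains(stats, min_unique=5, min_avg_len=24, min_entropy=3.5):
    """Flag domains with many distinct, long, high-entropy subdomains.

    Each signal alone is noisy (CDNs have many subdomains, short names can be
    high entropy), so all three must hold before a domain is reported."""
    return {
        d: s for d, s in stats.items()
        if s["unique_subdomains"] >= min_unique
        and s["avg_sub_len"] >= min_avg_len
        and s["avg_entropy"] >= min_entropy
    }


if __name__ == "__main__":
    for dom, s in suspicious_domains(domain_stats(parse_log(SAMPLE_LOG))).items():
        print(f"{dom}: {s['unique_subdomains']} subdomains, avg len {s['avg_sub_len']:.0f}, "
              f"entropy {s['avg_entropy']:.2f}, TXT share {s['txt_share']:.0%}, clients {s['clients']}")
```

On the sample only cdn-sync.example is reported, with a single internal client behind all of it, which is the pivot you want for the next step. Some antivirus and CDN products legitimately encode data in DNS labels and will trip the same thresholds, so keep an allowlist of those domains next to the detector rather than loosening the thresholds.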
How many people have actually seen Mimikatz in any of the attacks that they've dealt with? Anybody, anybody? Yeah, so, and I know you have, raise your hand, come on. So we see Mimikatz and people are like, well, oh, my AV catches Mimikatz. Well, guess what, it's open source, you can recompile it or you can write the same thing very easily. And then I've actually heard of an internal pentest team requesting that their AV whitelist Mimikatz, so. Because it's a legitimate pentesting tool. And so they actually had a breach and they were pulling creds out using stock Mimikatz. It was a really unsophisticated attack so don't do something stupid like that, please. And then, or you can just pay me money and I'll come and fix it for you and tell you you did something stupid. I mean, not that I would tell you. Why would I pay for you to insult me? I get that for free. So, you know, same defenses again, people have like endpoint AV or advanced endpoint things, TM or next gen firewalls, it should be scanning this stuff as it comes in. But as we said, you know, it's targeted, it's going to be modified, it's most probably not going to be a stock version of it unless you whitelisted it, which would not be a really good thing to do. So what you actually should do to defend against that for free? The first one, I know everyone is super sick of hearing about that but you really want to run as regular users on Windows. And there's still way too many people running as local admin or power users which is basically local admin with a different name. But you also got to watch out for effective permissions. Because we see people with regular users on old images that they built a while ago and then they upgraded from like old versions of Windows and they carry over scripts and things like that. And if you're running as a regular user but you can change the EXEs that some services use that are running as local system, you're kind of an admin. It's just like one step removed. 
So you really got to watch out for that. And you know, obviously Microsoft says that like 70% of the vulnerabilities on Windows have a higher impact if you target someone that's running as local admin. So I know that doesn't surprise any of you but it's something you really can't avoid. In some cases, you might have exceptions, you might have people with two different accounts, they log in as admin only when they need it or whatever, but you got to do it. Vulnerability management is still really important. And what I see is a lot of companies will focus on fixing the remote code execution. They will see that and it's like CVSS 1000 and RCE and everything, we fix that. But the truth is the RCE is just the first part and sometimes there's not even an exploit that's involved in the first part. It might be a macro that the user is actually going to run. The privilege escalation bugs are really important because that's how you'll move to that local admin. Even more important in the terminal services environment or Citrix environment. So you have to focus on those. I'm not saying you should freak out every time there's a privilege escalation, especially on OSN because you would be freaking out every day. But they're still important, you got to fix them. Domain admins on the workstations, you shouldn't do that, not even once. You should really limit that and we're going to talk about that a little bit more later. And if you're using more modern versions of Windows, there's stuff like Windows Device Guard, there's a whole bunch of stuff around credential security and Windows 7, 8, 10 really improved. It's really different from the Windows XP days. I mean, even Vista was way better than XP for that. So you really should use these settings and what we see is a lot of people started using Windows a lot and AD a lot in 2000 to 2004. AD got released. So they're bringing over old configurations, right? It's still the same domain. 
They just move a whole bunch of stuff to new versions of Windows and they just bring the old bad configurations with them. So then our fourth step was the local admin privileges are finally obtained. So in our story, we assume that a company that makes anvils actually doesn't let users run as local admin, which would surprise me a lot, having worked in manufacturing, but let's just say, right? So what's a typical defense to do that? Does anyone have like a good example of stuff that a lot of companies do to prevent privilege escalation and issues with local admins? Let's see, now I'm really concerned. But I agree with you because I don't see stuff being used really often, right? I just mentioned removing local admins. Here's a tip. There's probably someone in a room who worked with me when we did that. I'm sorry. In a previous place. It wasn't you. I'm just saying I'm sorry for them. No, I'm amazing to work with. Don't you know that? Yeah. Wow. So moving on. So I was just saying, actually I'm pretty pissed that they gave you the mic that you can just put on your head so I can't make that joke about Jordan having a hard time keeping it up. So thank you, AV guys. So the trick is the stick works, but the carrot can also work. So instead of just telling like a thousand people, you lose local admin, which is not gonna work out really well. You wanna say, oh, here's your brand new laptop that's got like a thousand gigs of RAM and you got the new version of Office. Oh, and by the way, you don't have local admin anymore. That actually works. If you have 5,000 employees and you try to strip local admins all at once, you're probably gonna have people with pitchforks right next to your office in like 17 minutes. So everything that we said before, randomizing the local admin accounts, so you can do it with commercial products. You can do it with LAPS also, which we'll talk about. Be really careful with your deployment scripts and login scripts and Group Policy Preferences. 
So I know that for those who have seen Laurent's talk, that's still something that we see. So for those who don't know, with Group Policy Preferences, you used to be able to set the local admin password in a group policy and it was encrypted with air quotes. It was more encoded. It was the same key for everyone who used AD. So what Microsoft did was they released a patch to prevent you from creating new policies using that because it was probably the stupidest idea they ever had since Bob, right? So they just removed that. The problem is if you already had GPOs using that, that's not gonna go and delete them, right? So we still see those in use by a lot of people who haven't even noticed that this is a thing that was deprecated. And then hardening again. And when I say hardening, specifically look at user rights assignments in Windows. So Windows is actually really good at delegation and then the user rights assignments are really powerful for doing things like saying, Jordan is a person, or so I've heard. Therefore, he shouldn't be logging in as a batch or as a service account. But the same thing works for service accounts where this is a service account, it should never be able to log in as an interactive logon or via RDP or over. Yeah, I mean, these things. I see service accounts in domain, admin accounts in local, admin accounts abused every time in an incident. If it's a Windows environment, they're going after it. They're going after the admins. What they wanna do is, most people don't monitor their service accounts very well. I go into environments and I say, give me all of your service accounts that you know you have. And then they say, okay. Because most of them don't break them out per OU. They don't do things like that. And then the service accounts, sometimes they're domain admin accounts or they have a GPO push that actually gives them a bunch of access across the machines as local admins. So you basically are a domain admin. 
We see that with the service accounts, the other thing is, like Guillem was just talking about, we see that you have no idea of when you're monitoring of is this a service account that should have login rights or is this a service account that should just run as a service? Because the point of a service account is to run as a service most of the time. But we see them all the time used to lateral through IPC shares, et cetera, blah, blah, blah. We'll touch on that a little bit later. And if you're doing great hardening, it's just like what we were saying about Amit before where if you're monitoring your environment, there's probably a whole bunch of failed logins, right? Like everyone, if you look at your AD, you're gonna have a ton of failed logins. It could be a user. Failed logins don't really help, by the way. Well, exactly. I think that's a compliance thing. If someone is logging in with a service account and gets denied, because it's a logon type that you've blocked, you know they have the password to that service account and tried to use it in a way that doesn't make any sense. So that's a much higher value type of alert for you to look at. So it's either something malicious or maybe it's an admin that was trying to log in as that service to troubleshoot something, which you probably shouldn't do. So that's the type of monitoring that actually is going to help you without creating like a thousand alerts a day. So this is another example. That was just like someone using Mimikatz in a real attack, right? I mean, so this is the same sort of thing. If you pull it out, they'll rename it, they'll reuse it, they'll dump everything and you're gonna get everything you need. And actually, Guillem, thanks for putting that password in there, that's super awesome. I don't know, you said it's from a real attack. Whoa. Yeah, wait, wait, I'll protect the innocent. 
And you know what I love about Mimikatz is that it's in French, so I'm sure when Jordan sees that, he's like super confused, but. Yeah, you know, because dumb Americans, we can't figure anything out. I didn't say that, he did. So I think it, but I wouldn't say it in front of a camera. Now, we just talked about LAPS before. So just a quick history lesson, Windows NT 3.1 was released in 93. I heard it was pretty bad, but I was like eight, so I didn't care. But then AD was released in 99 as a preview and then with Windows 2000 was a real product that Microsoft was selling. And for 15 years after that, people didn't have an easy way to randomize the local admin passwords on the workstations and it became a huge problem. Because in Windows, depending on the version of Windows, if you disable the local admin, it's going to have a different behavior if there are other admins on the machine, it's going to have different behavior if you reboot in safe mode, there's all these different things. So even if you think you're disabling the account, you should still randomize it, but there was no easy free way to do it. So Microsoft released LAPS last year, which stands for Local Administrator Password Solution, which is really cool because it's free as in beer, which is an expression that I never really got, but I guess it's true at NorthSec. It's really easy to delegate as well because all it does is it creates, you just extend your schema, create two new attributes in Active Directory, and from that point, it's going to manage these local admin passwords the same way that computer accounts are managed in Windows, right? Like no one ever had to really worry about computer accounts in Windows because they get reset, you know, the default is like 30 days or whatever. 
But what that means is if your OU structure is already pretty clean where you got, I don't know, like different offices or different functional units, you can say these two attributes, well, my help desk in Montreal can see them for the Montreal computers. And then the domain admins, maybe you can see them for everyone. And then, you know, every 30 days they change. So if you have a local guy in your Montreal office who leaves, you don't have to rush and reset all the local admin passwords on all your Windows machines, you know, in like 10 days they're going to be reset or whatever, and it's free. And so tying back to the local admin, we see local admin passwords abused all the time. We see it in pentests, you know, which I don't really care about pentests because they don't make me money. But, and then we see it all the time where organizations, they just don't, they can't, they don't have any solution. They don't have any management where they can get rid of local admin passwords. They have no way of rolling them. And basically it's a gold mine. You go, you scrape memory, you grab the local admin password and you start moving through the network. And it's very easy and most people don't log workstation login events when it's a local admin. So it's something that even if you are trying to do a lot of monitoring with your SIEM for lateral movement or you have another tool, it makes it very easy for them to move through your network and not be detected. And again, typical defenses against lateral movement in most companies, there's very few things that we see often. And by the way, great job insulting like everyone looking at us Jordan. I'm really proud of you. Really happy. I didn't swear this time. Oh, you didn't swear. I just told them that you're stupid again. Wow. I don't know why there's anyone left. So again, for local lateral movement, hardening, user rights assignments, just like we said, right? 
If someone can log into a machine, steal a service account and tries to do a network logon, remote desktop logon, any of that stuff that you just blocked, you're gonna be able to detect it. Of course, there's a thousand things it can do with that valid credential eventually, but you can detect it faster. Windows now has a special SID for local accounts. I think that was released at some point in Windows 8, but that's been backported to Windows 7 also. So what you can do is in your policies, there's something that looks like a group that's called local accounts. So you can actually put that in all these different deny permissions. So even if you had the same local admin password on all these machines, you can make it unusable for things like remote desktop or network logon and so on. But the last one I think is the most important. Why don't anyone, why doesn't anyone firewall WMI, SMB, and like NetBIOS and all the built-in Windows stuff between workstations, right? Because when you think about it, if Jordan has his laptop, I have my laptop, the only reasons they should ever connect to one another is probably if we have some type of video conferencing thing that's peer-to-peer that maybe we can whitelist. But there's no reason why my machine should connect to a share on his machine, like unless he's sharing pirated games or something like that on it, which is not a business thing to do. So you should really do that. And when you think about it, you got it for free in Windows. You can do it with GPOs. You can do it like, hey, everyone's got endpoint security, that's got some AV with firewall built into it. If your IP addressing is actually logical, that's not going to be too hard. In some cases where you have like random IPs, it might be a little harder, but that is extremely effective. 
And like, if you're pentesting something and then you can't do PsExec, you can't do any of that stuff, that's actually going to make your job much harder because then you have to target the servers which are probably more monitored, right? So again, that's something from a real attack. People are using legitimate pentesting tools. I mean, it's something that we see all the time. Attackers also like to imitate lazy admins and maybe not necessarily even lazy admins, but it's really easy for an attacker to move through your environment if you're not preventing little things like this. Like this one was the IPC share, right? So they're, boom, they move over, they're executing and everything is going to be just as easy as they want it to be for them to move through your network and they're using your credentials so you're not going to get failed logins. They're not going to have anything that's going to pop up in alarm or any of that. And guess what? They just lateral, we saw this used actually programmatically. They were lateraling six machines at a time and they would do it over a certain period of time and boom, now they've just infected 42 machines on your network and then those 42 machines could all then also reach out and touch other machines, not even have to actually infect them but you get a huge amount of visibility within the victim network very quickly and it's because you guys weren't doing simple things like preventing machines to talk over like that. So I guess one thing you want to test is just do PsExec between two machines that are regular end user machines and if that works, well that just means your lateral movement is going to be pretty easy. Responder, if you haven't disabled LLMNR, that's something that pentesters really like to use but attackers also, and then SMB relay might be something that is leaking credentials. 
So try these things, especially PsExec I think is one of my favorite ones because systems administrators and management tools have a reason for managing computers but from one user to another there definitely isn't, and in fact if you were to install a brand new domain today with the latest version of Windows Server and you use Windows 10, the default GPOs on that are actually way more restrictive than what we see in most companies, but the truth is like everyone already has AD so no one benefits from these stricter defaults. So after we got that, obviously the person just walked around until they managed to get domain admin. So I got a little story time on this. We actually had somebody who said that because they monitor whether or not the domain admin group is modified or added to, that they thought that they were actually securing their domain admins, that's completely ridiculous. Well, I mean someone could create an account and call it, this is really legit, and add it to domain admin, right? That could happen. Yeah, I mean if you're like an idiot attacker, yeah, absolutely. It does happen, but it's pretty rare. Yeah, I mean the likelihood that an attacker is actually gonna go and create its own domain admin account within your network, they don't need to. If they can create an account, they already have domain admin, why do they need to do it again? Hello, come on, let's think about this, right? So they're gonna use your real credentials. That's like when I say failed login attempts, it's not worth anything because they're already taking your credentials. I mean even commodity and like even script kiddies, they're not going and doing these things, they're just using what they have available to them. And the other one that I hear pretty often, which I actually blame Microsoft for is, oh, but we use like multiple domains for separation. You know, we have a domain for this, we have a domain for that. Domains are not security boundaries, right? 
So if you have a different domain in your DMZ than internal and you have a different domain somewhere else, the forest is actually the boundary. And back in 2000, 2001, Microsoft actually used to say that you should use domains for security purposes. But the truth is, if someone can take over a single domain controller in your forest, they can take over everything. And that also goes for read-only domain controllers, by the way, which is a whole different topic, but the read-only domain controller has as many privileges to the domain as the regular ones do. So that's also not really going to help you. And for most companies, I would say, having fewer forests and domains is probably simpler and therefore more secure. So that's something that you probably want to avoid. But separate your service accounts, right? Everyone talks about network segmentation and things like that, but account segmentation is also really, really important, right? If you have, let's say 10,000 PCs, I know a lot of people here work for really big companies. And you have, I don't know, a tool that's used to scan for vulnerabilities, let's say. If you use a single service account to scan all of these, what you're doing is you're basically leaking the credentials to that service account to 10,000 workstations. So you actually want to break it down per criticality of systems, right? So the worst thing you could do is scan your domain controllers and your workstations with the same service account. Because then as soon as someone breaks into one of these machines with the first malware that we saw, they're going to get those credentials, which are either domain admin or equivalent. Then you really have to patch your domain controllers like Chuck Norris would if he had an AD domain, right? So who remembers the Kerberos issue that was fixed by Microsoft before Christmas like two years ago? All right, so there's some people. Everyone else is fired if you were responsible for a domain. 
What that issue did was that anyone could go from regular user to domain admin in like zero steps. It was like zero to 60 in no seconds, like boom, I'm a domain admin. The first public exploits for it were actually detectable because of the weird stuff that it would do in the logs, but then there's ways to exploit that you won't really be able to detect. And there's no excuse for not patching that when there's exploits in the wild. I mean, like 10 days after that was fixed, there were different exploits in the wild for it. And six months later, I would still see clients that haven't patched it, including clients that are like universities. Oh, you think like no one in a university might be interested in getting domain admin on your domain? Well, you probably didn't go to the same school I did. So that's actually really, really important. But the great thing is Active Directory is actually pretty redundant. It's pretty easy to patch that stuff really quickly. But most of all, AD is really great at delegation. Everything is super granular in there. I've seen domains with tens of thousands of users with no domain admins. Well, actually, with like one domain admin, which was the default one locked in a vault and just to be used if all your domain admins got kidnapped by aliens or something like that. So I think what Steve Ballmer should have been yelling is delegate, delegate, delegate. I mean, the developers are important, but delegation to me is even more important. And what goes with that is privileged access workstations. So I just skipped ahead by way too many slides. We said you should never log in as domain admin on a workstation, so what are you gonna do? Well, you're gonna need workstations dedicated for that. So Microsoft calls them privileged access workstations. People call them jump hosts sometimes. There's many ways you can use that. And I mean, this is a really easy one. 
You don't have to go and buy a really expensive tool that's gonna do all this monitoring and all that and take the credentials. Really, you push a GPO out. We did this during an attack because it was just, they were very, very integrated in the network. And all we did is said, okay, these six virtual machines are the only ones that you can use domain admin accounts from. And if it's not from that, the GPO said, nope, can't do it. Well, immediately we saw everywhere that any of the machines that had anything on there were failing at. And so I said failed logins don't count. Well, when you purposely make something fail, that's where you get it. But that's something that's very easy for you to push out. And it's something that you should never, I mean, really, you don't need to use your DA account except for when you're actually doing something that requires it. Otherwise, why aren't you just using your standard account? And again, it's an easy thing. And we see IT and security targeted all the time because you guys have more access and you think that you're secure. So there's many different ways you can do that. You can have like dedicated hardware. If you have a really high threat profile, you can do it with VMs and so on. And you see there's like a super stupid small link you can't read. At the end of the talk, we're gonna have one URL that's got like all the links and the different resources. But what's important to remember is if you do implement that, you also need to work on these GPOs that will prevent domain admins from logging in. Because the thing that's gonna happen is you can tell people to use these privileged access workstations and then something is gonna break somewhere and it's gonna be easier for someone to just log in or to just do like a runas or something like that. And you don't wanna turn your sysadmins into pentesters so they can do their job and then the credentials still end up in memory. 
And that's also going to help you a lot if you wanna do things like two factor authentication on your domain admins because you know they're not gonna log in from anywhere else. So after they got the domain admin, the next thing that it did was they went to the SQL server that hosted that MRP database. And I would say for databases, the picture is not really great when it comes to the typical defense the enterprise has. I mean, some people have like really good logging and they grab pcaps and they look at like traffic volumes but for a lot of people, they realize that something is wrong just because there's so many deadlocks that their daily reports are crashing and then they realize that someone is dumping the database and that's why it's so slow. And some of them have some network segmentation. You know, SQL servers are not reachable from every workstation. Even though like that's actually something that I see less and less frequently for people who have all of their IT on-prem, a whole lot of flat networks nowadays. So you know, obviously you really wanna firewall that, if your network zoning doesn't allow you to, why don't you do it with host-based firewalls? It's not the best, it's still way better than nothing. Your connection strings, right? A lot of people have connection strings even with IIS that are not encrypted. And the reason I hear for that is but an admin can still read the password even if it's encrypted because they got access to the keys and so on. But remember that there might be many cases where the malware doesn't have local admin on these machines yet. And you need to monitor the events. So SQL actually has like a lot of different events that you wanna catch, but there's also some really obvious stuff. Like someone does like select star. Like does your app ever do that? It probably shouldn't from a performance perspective. 
So if you see like crazy queries like that or just long running queries, the performance monitoring tools of something like SQL Server actually let you grab that. Well then if you see someone selecting everything and piping it to a file, well then you probably have a pretty big problem because I think all your data are belong to them, right? Yeah. I don't know who that guy is but that's a pretty awesome Halloween costume. So when it comes to data, like what do people have? Yeah, so people also talk about like, oh, I have DLP. I'm gonna, this is gonna prevent stuff from leaving my network. I'm monitoring all these things. I'm doing all this logging, blah, blah, blah. DLP really, one, does anybody think DLP is an actual security tool? Okay, good. So the way I view DLP is protect stupid people from themselves. It's so that you don't send out data that is going to get you in some sort of compliance issue. Now that's more of an issue in the US and Europe than it is in Canada because I've looked at some of the compliance stuff and you guys don't. He says with authority as a Canadian. Yeah, you know, because I'm a lawyer. But the fact of the matter is people also depend on DLP. Now you can do some cool things with DLP but it's not going to catch somebody dropping a CSV file with all of your data in it that they're going to then exfil out over a DNS tunnel, right? It's not gonna do it because you're not monitoring all those things. So don't depend on DLP. DLP is just a tool that you can use for some assistance, but it's not something that you should actually count on detecting an incident or data exfiltration, et cetera. And then like egress filtering. I mean, we see so often that if I go onto a machine and I change it to 8.8.8.8, I can use that to get outbound instead of actually having to. And we just talked about like using your DNS logs, right? Yeah, I mean. If you don't enforce people to use your own DNS servers, that's pointless. 
But more so, why can your servers reach the internet? What you're trying to do is, if the guy is on your database server, you want to force him to dump that file on maybe an admin's workstation and move it out from there. If they can connect straight from that database server to the internet, like they're just gonna encrypt it, your DLP is not gonna catch anything. Maybe if you're looking for huge volumes of data, you're gonna catch it, but a lot of people have valuable data that is not terabytes or even gigabytes. I mean, and it's easy enough to siphon off data and make it pretty quiet. But it's, I mean, we're running up on time, but there's quite a. Your phone is ringing? I know, I know. Dude, come on. But yeah, I mean, really like we see all the time that a server can reach outbound and there's no real need for it. You have WSUS, you have SCCM, you have something like that. Or you know what, only allow it to go get Windows updates. But I've seen where people actually were using the server to exfiltrate the data and it was inside their network. It was not in the DMZ and they're sending data out. It should not be able to initiate a connection outbound. And I get confused because I'm looking to see like how is egress controlled from servers and you talk to someone and they're like, no, we're not doing anything. So my first reaction is I'm not speaking to the right guy. If I speak to the network guys, they're gonna tell me what they're doing. And then you speak to like 25 different people and you realize that only SMTP outbound is blocked and nothing else. So that's really important. But then once you're doing egress filtering properly, there's still some servers that are going to be accessed from the internet. So like your wwwroots, right? If you have some web servers that are available on the internet, you should probably monitor that, right? Maybe, it might be a good idea. 
But that's something that we see in attacks where people will find like whatever IIS server is available over the internet and they will copy this stuff to those so they can just fetch them. So I guess everything that we've been saying is just like check privileges and segment systems. And when we say segment systems, it's not just from a network perspective, but think about the credentials also, probably even more important than the network perspective right now. Delegate as much as you can. There's no reason for your help desk to have local admin on the print server. If all they do is restart the print spooler, you can actually delegate that really precisely. It's annoying at first, but once you're done, it's actually pretty easy to maintain. Local admin passwords, it's cheap, it's free to randomize them. It's actually pretty easy. Use your web filtering to the most, but do egress filtering and harden the hell out of your systems, which is all stuff you can do for free. So what we would want you to do for like 2016, 2017 is buy fewer silver bullets, but grab a shovel and make sure that everything that you own, own in a sense, not like you hacked it, but you actually bought it, right? Everything you own is configured as well as you can, and you're gonna see huge impact. And the next time you buy something, then you're gonna be able to make the most out of it and you won't just be expanding your attack surface and reducing the wallet surface, I guess. So thank you guys, appreciate it. So final note. Compliments and complaints and the slides, they're not up to date, but there's also, there's already a version there which I will update and all the links that we had in the slides are also on that website. Thank you. Thank you, thank you.
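The service-account monitoring the speakers describe (alert when a service account is denied because of a blocked logon type, rather than on every failed login) can be pulled straight out of the Windows Security log. The script below is an added example, not code from the talk or from Rapid7; it assumes service accounts follow an `svc-` naming convention and that 4625 events from the members are forwarded to the host being queried, since the event is written on the machine where the logon was attempted.

```powershell
# Added example (not from the talk or Rapid7): surface failed logons whose cause is a
# logon type that policy denies, for accounts that follow a service-account naming
# convention. Assumes the "Deny log on locally / through Remote Desktop Services /
# as a batch job" user rights are already set for those accounts, and that 4625
# events from member servers and workstations are forwarded to $ComputerName.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$ServiceAccountPattern = '^svc[-_]',   # assumption: svc- prefix convention
    [int]$Hours = 24
)

$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

# STATUS_LOGON_TYPE_NOT_GRANTED: the account and password were accepted, but the
# requested logon type is denied on this machine. Unlike a bad-password 4625, this
# tells you someone holds a valid service-account credential and is using it wrong.
$LogonTypeNotGranted = 0xC000015B

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML into a lookup table.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ([Convert]::ToInt64($d['Status'], 16) -ne $LogonTypeNotGranted) { continue }
    if ($d['TargetUserName'] -notmatch $ServiceAccountPattern) { continue }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Account    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType  = $logonTypes[[int]$d['LogonType']]
        SourceHost = $d['WorkstationName']
        SourceIP   = $d['IpAddress']
        Process    = $d['ProcessName']
        LoggedOn   = $e.MachineName      # where the attempt happened
    }
}

# Every row is worth a look: either an admin troubleshooting with a service account
# (which should stop) or someone who has harvested that credential.
$hits | Sort-Object Time | Format-Table -AutoSize
$hits | Group-Object Account, LogonType | Select-Object Count, Name
```

The same filter expressed as a SIEM rule (event 4625, Status 0xC000015B, target account in the service-account set) gives one alert per misuse instead of the thousand-a-day noise the speakers warn about.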
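The workstation-to-workstation firewalling the talk recommends (block SMB, RPC/WMI and NetBIOS between end-user machines, keep it open for the hosts that manage them) can be done with the built-in Windows Firewall. This is an added example, not from the talk or from Rapid7; the subnet ranges, management addresses and hostnames are constructed placeholders, and the rules would normally be pushed through a GPO rather than run by hand.

```powershell
# Added example (not from the talk or Rapid7): host-firewall rules that stop one
# workstation from reaching the admin services of another while still allowing the
# management hosts that have a reason to connect. All addresses are placeholders.
$WorkstationRanges = @('10.10.0.0/16', '10.20.0.0/16')          # assumption: end-user VLANs
$ManagementHosts   = @('10.1.5.10', '10.1.5.11', '10.1.5.0/28')  # SCCM, scanner, PAWs
$Group             = 'Workstation lateral movement'

# Ports used for SMB / NetBIOS / RPC / WMI / WinRM admin access. 49152-65535 is the
# dynamic RPC range that WMI and remote service control negotiate after port 135.
$AdminPorts = @{
    'SMB'             = @{ Protocol = 'TCP'; Port = '445' }
    'NetBIOS-session' = @{ Protocol = 'TCP'; Port = '139' }
    'NetBIOS-name'    = @{ Protocol = 'UDP'; Port = '137-138' }
    'RPC-endpointmap' = @{ Protocol = 'TCP'; Port = '135' }
    'RPC-dynamic'     = @{ Protocol = 'TCP'; Port = '49152-65535' }
    'WinRM'           = @{ Protocol = 'TCP'; Port = '5985-5986' }
}

# Remove any earlier copy of this rule set so the script is safe to re-run.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($name in $AdminPorts.Keys) {
    $p = $AdminPorts[$name]
    # Block rules take precedence over allow rules in Windows Firewall, so the block is
    # scoped to the workstation ranges only. Management hosts must therefore live
    # outside those ranges, or the block would win over the allow below.
    New-NetFirewallRule -DisplayName "Block $name from workstations" -Group $Group `
        -Direction Inbound -Profile Domain -Action Block -Protocol $p.Protocol `
        -LocalPort $p.Port -RemoteAddress $WorkstationRanges | Out-Null
    # Explicit allow for the management hosts, so the broad built-in
    # "File and Printer Sharing" / "WMI" rules can stay disabled.
    New-NetFirewallRule -DisplayName "Allow $name from management" -Group $Group `
        -Direction Inbound -Profile Domain -Action Allow -Protocol $p.Protocol `
        -LocalPort $p.Port -RemoteAddress $ManagementHosts | Out-Null
}

Get-NetFirewallRule -Group $Group | Select-Object DisplayName, Action, Enabled
```

The check the speakers suggest is the same one to run afterwards: from a second end-user machine, `Test-NetConnection -ComputerName WKS-0042 -Port 445` (placeholder name) should report `TcpTestSucceeded : False`, and PsExec from that machine should fail, while the management hosts still reach it.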